Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: malvertizement featuring Talbots

December 18th 2008 in Uncategorized


Adopstools results:
http://www.adopstools.net/index.asp?page=quicklink&id=RC567srdR4afU35z


The malicious ad hits two URLs:

freegreenstats.com/c/index.php?id=<<snipped>> (79.135.187.95)

and

statisticsmanager.com/?cmpid=<<snipped>>  (76.74.249.30)

cookie dropped for adnetserver.com

From statisticsmanager.com we are redirected to:

onlinestatsmanager.com/ts/in.cgi?<<snipped>> (76.74.249.9)

to:

scan.freescanner-proas2009.com/<<snipped>> (78.26.179.130)  <– Directi registered domain

The Installer is downloaded from:

files.pro-antispyware-dl.com/load/<<snipped>>.exe <– Directi registered domain


Comment: I am beginning to wonder why it is that the criminals behind fraudware/betrayware/scareware/whatever you want to call it are still able to/still feel comfortable using Directi to register their most important domains?  For a Registrar that is allegedly proactive and alert, they sure do let bad stuff through far too often.


freegreenstats.com

ICANN Registrar: ENOM, INC
Created 14 October 2008
NS1, 2.FREEGREENSTATS.COM
IP: 79.135.187.95 – Turkey – Sistemnet Telekomunikasyon
Shares IP with of-ficialstat.net
Registrant: ITmeter Inc, Sergey Belonozhko (sergbelo@gmail.com)
ITMeter INC and sergbelo@gmail.com associated with 40 domains


statisticsmanager.com

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created 11 July 2008
NS1, 2, 3, 4.STATISTICSMANAGER.COM
IP: 76.74.249.30 – Virgin Islands, British – Soft.sol.inc

Shares IP with 39 other sites, being:

Ad2cash.net | Ad2profit.com | Adcomatoz.com | Adgurman.com | Adhokuspokus.com | Adnetserver.com | Adredired.com | Adsolutio.com | Adverdaemon.com | Adverlounge.com | Adzyclon.com | Astalaprofit.com | B2adz.com | Beststatsever.com | Bizadsonline.net | Bizadverts.com | Bizmarketads.com | Blessedads.com | Brandmarketads.com | Clickadnet.net | Friedads.com | Glorymarkets.com | Greatad.net | Hostadserve.com | Iddqdmarketing.com | Intervarioclick.com | Invulnerableads.com | Luckyadcoin.com | Luckyadsols.com | Moneycometrue.com | Mythmarketing.com | Popadprovider.com | Prevedmarketing.com | Rocktheads.com | Sharpadverts.com | Shivanetworking.com | Statisticsmanager.com | Statsreportserver.com | Waytotheprofit.com | Widestatsnow.com

Registrant: Jack Moor, Sagent Group Ltd (sergbelo@gmail.com) (adminsagent@gmail.com)
sergbelo@gmail.com associated with 40 domains
adminsagent@gmail.com associated with 86 domains
“Jack Moor” owns about 25 domains


adnetserver.com

ICANN Registrar: YESNIC CO. LTD
Created 21 September 2006
NS1, 2, 3, 4.ADNETSERVER.COM
IP: 76.74.249.30 – Virgin Islands, British – Soft.sol.inc

Shares IP with the same 39 other sites listed under statisticsmanager.com above.

Registrant: Emidio Rivello (selvascreensaver@yahoo.com)  associated with about 8 other domains.


onlinestatsmanager.com

ICANN Registrar: ENOM, INC
Created 3 July 2008
NS1, 2, 3, 4.ONLINEPROMOSTATS.COM
IP: 76.74.249.9 – Virgin Islands, British – Soft.sol.inc

Shares IP with NIL

Registrant: Namecheap.com (support@namecheap.com)


onlinepromostats.com

ICANN Registrar: ENOM, INC
Created 3 July 2008
NS1, 2, 3, 4.ONLINEPROMOSTATS.COM
IP: 84.243.252.86 – Netherlands – Gfx-cust-worldstream 

Shares IP with NIL

Registrant: Namecheap.com (support@namecheap.com)


scan.freescanner-proas2009.com

ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD
Created 15 December 2008
NS: *.ORDERBOX-DNS.COM
IP: 78.26.179.130 – Ukraine, Odessa Renome Service 

Shares IP with NIL

Registrant: Johan Collado (johancollado@ymail.com) – owns 2 other domains

Comment: How long will it take before Directi start flagging domains that contain terms such as “freescanner”, and examine them closely *before* they are allowed to go live? The bad guys don’t care if their domains are only effective for a few days – they can do a lot in those few days, and I, for one, am tired of Directi letting this stuff through. Cleaning up after the fact, as often as they have to do, is simply not good enough!


files.pro-antispyware-dl.com

ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD
Created 15 December 2008
NS: *.ORDERBOX-DNS.COM
IP: No website 

Shares IP with NIL

Registrant: Johan Collado (johancollado@ymail.com) – owns 2 other domains

Comment: Again, how long will it take before Directi start flagging domains that contain terms such as “antispyware”, and examine them closely *before* they are allowed to go live? The bad guys don’t care if their domains are only effective for a few days – they can do a lot in those few days, and I, for one, am tired of Directi letting this stuff through. Cleaning up after the fact, as often as they have to do, is simply not good enough!
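The whois pivots used throughout this post (which domains share an IP, which share a registrant e-mail) as an added Python example, not code from the original post: the records are constructed from the notes above, and treating the registrar mailbox support@namecheap.com as a proxy contact that must never form a link is my assumption.

```python
# Constructed from the whois notes in this post: domain -> (IP or None, registrant e-mails).
RECORDS = {
    "freegreenstats.com": ("79.135.187.95", {"sergbelo@gmail.com"}),
    "of-ficialstat.net": ("79.135.187.95", set()),  # named only as an IP neighbour above
    "statisticsmanager.com": ("76.74.249.30", {"sergbelo@gmail.com", "adminsagent@gmail.com"}),
    "adnetserver.com": ("76.74.249.30", {"selvascreensaver@yahoo.com"}),
    "onlinestatsmanager.com": ("76.74.249.9", {"support@namecheap.com"}),
    "onlinepromostats.com": ("84.243.252.86", {"support@namecheap.com"}),
    "scan.freescanner-proas2009.com": ("78.26.179.130", {"johancollado@ymail.com"}),
    "files.pro-antispyware-dl.com": (None, {"johancollado@ymail.com"}),  # "No website"
}

# Assumption: a registrar's support mailbox is shared by all its customers, so it must not link domains.
PROXY_CONTACTS = {"support@namecheap.com"}


def pivot_keys(domain, ignore_proxy=True):
    """Attributes a domain can be linked through: its IP and its registrant contacts."""
    ip, emails = RECORDS[domain]
    keys = {"ip:" + ip} if ip else set()
    for e in emails:
        if ignore_proxy and e in PROXY_CONTACTS:
            continue  # a proxy contact would merge unrelated customers into one cluster
        keys.add("email:" + e)
    return keys


def shared_with(domain, ignore_proxy=True):
    """Other domains that share an IP or a pivotable contact with `domain`."""
    mine = pivot_keys(domain, ignore_proxy)
    return {d for d in RECORDS if d != domain and pivot_keys(d, ignore_proxy) & mine}


def clusters(ignore_proxy=True):
    """Connected components of the pivot graph: each set is one linked infrastructure group."""
    seen, groups = set(), []
    for start in RECORDS:
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            d = stack.pop()
            group.add(d)
            stack.extend(shared_with(d, ignore_proxy) - group - set(stack))
        seen |= group
        groups.append(frozenset(group))
    return groups


if __name__ == "__main__":
    for g in clusters():
        print(sorted(g))
```

Running it with `ignore_proxy=False` merges the two Namecheap-registered domains into one group purely because of the registrar mailbox, which is exactly the false link the exclusion prevents.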

