Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: malicious content (including malware via security exploit) seen via MySpace chat

December 31st 2008 in Uncategorized

Kimberley reports on the incident.

Userplane is a wholly owned subsidiary of AOL (yes, I have written to my contacts there), and Kimberley is getting in touch with the appropriate people at MySpace to try and get this shut down ASAP.


Some important notes for the curious.

The advertisement itself is a simple JPEG

You will not see the malicious script at the prolinar.com URL unless an appropriate referrer is detected (screenshots at end of report).

This means that if somebody sells you advertising and says, for example, “here’s the URL – prolinar.com/?id=200811191551179”, you’d better make darned sure that you don’t just type the address into your web browser’s address bar and hit enter to view it – you need a referrer. And, even worse, sometimes the referrer needs to contain specific content before the malicious script is served.
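The check a defender wants here is the one the text describes: request the same URL with no Referer header and with a few candidate referrers, then compare what comes back. This is example code added to this page, not the blog author's or Fiddler's; the ad URL and referrer sites in it are placeholders, and the live fetcher is only used if you pass it a real URL (the demo at the bottom injects a constructed fake server so it runs offline).

```python
"""Referrer-cloaking check: fetch a URL with and without a Referer header and
compare the responses. Added example, not the blog author's code; the URL and
referrer values are placeholders."""
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List, Optional

# Cheap indicator that the response is not merely an image: any active tag.
ACTIVE_RE = re.compile(rb"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)
JPEG_MAGIC = b"\xff\xd8\xff"

Fetcher = Callable[[str, Optional[str]], bytes]


def http_fetch(url: str, referer: Optional[str]) -> bytes:
    """Live fetcher: GET the URL, sending a Referer header only when one is given.
    The body is only hashed and pattern-matched, never rendered or executed."""
    headers = {"User-Agent": "Mozilla/5.0 (compatible; referrer-check)"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def summarise(body: bytes) -> dict:
    """Reduce a response body to the facts worth comparing across variants."""
    return {
        "sha256": hashlib.sha256(body).hexdigest(),
        "length": len(body),
        "looks_like_jpeg": body.startswith(JPEG_MAGIC),
        "active_content": bool(ACTIVE_RE.search(body)),
    }


def compare_referrers(url: str, referers: List[Optional[str]],
                      fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """One fetch per referer (None = header omitted), keyed by the referer string."""
    return {ref or "<none>": summarise(fetch(url, ref)) for ref in referers}


def is_cloaked(results: Dict[str, dict]) -> bool:
    """True when the content differs between at least two referer variants."""
    return len({r["sha256"] for r in results.values()}) > 1


def referrers_serving_active_content(results: Dict[str, dict]) -> List[str]:
    """Which referer variants got script/iframe content back."""
    return sorted(k for k, r in results.items() if r["active_content"])


if __name__ == "__main__":
    # Offline demo: a constructed fake server that behaves as the post describes,
    # a plain JPEG for everyone except visitors arriving from one specific site.
    def fake_fetch(url, referer):
        if referer and "social.example" in referer:
            return b"<html><script>/* constructed stand-in */</script></html>"
        return JPEG_MAGIC + b"\xe0 constructed jpeg bytes"

    out = compare_referrers("http://ad.example/?id=PLACEHOLDER",
                            [None, "http://social.example/chat", "http://news.example/"],
                            fetch=fake_fetch)
    for ref, info in out.items():
        print(f"{ref:28} len={info['length']:3} jpeg={info['looks_like_jpeg']} "
              f"active={info['active_content']}")
    print("cloaked:", is_cloaked(out),
          "| serves active content to:", referrers_serving_active_content(out))
```

Because the fetcher is injectable, the same comparison logic runs against a recorded proxy capture or a fake server in a test, and against the live URL when you swap in `http_fetch`. The body hash is what matters: a URL that hands out a different object depending on who it thinks sent you is the cloaking the post warns about, whether or not the payload happens to match the simple tag pattern.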

The bad domains discovered in relation to this incident are newlyclickssystem.cn, virusandspywarescan.com, securedliveclicks.com, advanced-antivirus-scanner.com, test.3tmp3.com and media-drive.com. Let’s see what we can discover about them – and I ask you this: why do they feel confident enough to re-use the same email addresses, same Registrar, same name server, same IP address?? That would be because there are no useful checks and balances when domains are registered and sent live. The bad guys can pretty much do whatever the heck they want whenever they want, and it is you, gentle reader, that pays the price.

newlyclickssystem.cn
Registrar: 广东时代互联科技有限公司 (which translates to "Guangdong Time Interconnection Science and Technology Limited Company" according to Babel Fish)
Registered: 25 December 2008
IP: 88.198.0.143 – Berlin – Hetzner-rz-nbg-net
Administrative email: promasteryouth@gmail.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

promasteryouth@gmail.com aka "Andrey V Vernikov" (secured-live-scan.com and securedliveclicks.com and antivirusdefencescanner.com and securedprotectedclicks.com and liveantiviruspccheck.com and advancedantivirusscan.com and securedonlinewebspace.com)

promasteryouth@gmail.com aka "Nikolai V Chernikov" (antivirus-pc-full-scan.com)

*****

virusandspywarescan.com
Registrar: TODAYNIC.COM
Registered: 25 December 2008
IP: 88.198.0.143 – Berlin – Hetzner-rz-nbg-net
Registrant: Valensia M Dobbson (valensiam@yahoo.com) – owns about 34 other domains including antivirussuperscan.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

*****

securedliveclicks.com
Registrar: TODAYNIC.COM
Registered: 22 December 2008
IP: 88.198.0.143 – Berlin – Hetzner-rz-nbg-net
Registrant: Andrey Vernikov (promasteryouth@gmail.com) – owns about 28 other domains

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

*****

advanced-antivirus-scanner.com
Registrar: TODAYNIC.COM
Registered: 25 December 2008
IP: 88.198.0.143 – Berlin – Hetzner-rz-nbg-net
Registrant: Valensia M Dobbson (valensiam@yahoo.com) – owns about 34 other domains including antivirussuperscan.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

***

3tmp3.com
Registrar: Directi Internet Solutions (why am I not surprised?)
Registered: 17 February 2008 !!!!
IP: 74.54.203.66 – Texas – Dallas – Theplanet.com Internet Services
Registrant: Konstantin Fetisov (akafitis@gmail.com) – owns about 165 other domains

Shares IP with brandapothecary.com, brandmedication.com, brandpharmacy.net, brandpharmacyworld.com, deepmp3.com, labelpharmacy.com, mp3mutant.cm, mp3rob.com, mp3tem.com

NS1.MUSICXHOST.COM
NS2.MUSICXHOST.COM

*****

media-drive.com
Registrar: Directi Internet Solutions (again)
Registered: 13 October 2008!
IP: 94.76.208.14 – United Kingdom – Poundhost
Registrant: Thomas Schultz (ts8317@googlemail.com) – owns about 40 other domains

Shares IP with 7realmedia.com, media-drive.com, neon-global.com, tyrol-direct.com, unilux-direct.com, westylex.com, prolinar.com

*****

musicxhost.com
Registrar: Directi Internet Solutions (again)
Registered: 17 February 2008 !!!
IP: No web site
Registrant: Konstantin Fetisov (akafitis@gmail.com) – owns about 165 other domains

NS1.MUSICXHOST.COM (74.54.203.92 – Theplanet.com)
NS2.MUSICXHOST.COM (74.54.203.93 – Theplanet.com)

*****

freehostns.com
Registrar: TODAYNIC.COM
Registered: 22 December 2008
IP: No web site
Registrant: Azer O Bestavros (azerbestavros@googlemail.com)

NS1.FREEHOSTNS.COM (91.211.64.47 – UralComp)
NS2.FREEHOSTNS.COM (78.46.205.70 – Berlin – Hetzner-rz-nbg-net)
NS3.FREEHOSTNS.COM (64.86.17.44 – Velcom)
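The WHOIS notes above are worked by hand: the same e-mail, the same IP and the same name servers keep turning up, and that repetition is what ties the domains together. The following is an added example (not the blog author's code) that does that pivoting mechanically over the facts listed on this page: the records are a constructed data structure whose values are taken from the entries above, the registrar is left out of the default pivot keys because it is a far weaker link than a shared registrant e-mail or IP, and the date span per cluster uses the registration dates given above.

```python
"""Infrastructure pivoting over the WHOIS facts listed on this page.
Added example; the RECORDS list is constructed from the entries above."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

FREEHOSTNS = ["ns1.freehostns.com", "ns2.freehostns.com", "ns3.freehostns.com"]
MUSICXHOST = ["ns1.musicxhost.com", "ns2.musicxhost.com"]

# Values as given in the post; "No web site" becomes ip=None, ISO dates for sorting.
RECORDS = [
    {"domain": "newlyclickssystem.cn", "registrar": "广东时代互联科技有限公司",
     "registered": "2008-12-25", "ip": "88.198.0.143",
     "email": "promasteryouth@gmail.com", "ns": FREEHOSTNS},
    {"domain": "virusandspywarescan.com", "registrar": "TODAYNIC.COM",
     "registered": "2008-12-25", "ip": "88.198.0.143",
     "email": "valensiam@yahoo.com", "ns": FREEHOSTNS},
    {"domain": "securedliveclicks.com", "registrar": "TODAYNIC.COM",
     "registered": "2008-12-22", "ip": "88.198.0.143",
     "email": "promasteryouth@gmail.com", "ns": FREEHOSTNS},
    {"domain": "advanced-antivirus-scanner.com", "registrar": "TODAYNIC.COM",
     "registered": "2008-12-25", "ip": "88.198.0.143",
     "email": "valensiam@yahoo.com", "ns": FREEHOSTNS},
    {"domain": "3tmp3.com", "registrar": "Directi Internet Solutions",
     "registered": "2008-02-17", "ip": "74.54.203.66",
     "email": "akafitis@gmail.com", "ns": MUSICXHOST},
    {"domain": "media-drive.com", "registrar": "Directi Internet Solutions",
     "registered": "2008-10-13", "ip": "94.76.208.14",
     "email": "ts8317@googlemail.com", "ns": []},
    {"domain": "musicxhost.com", "registrar": "Directi Internet Solutions",
     "registered": "2008-02-17", "ip": None,
     "email": "akafitis@gmail.com", "ns": MUSICXHOST},
    {"domain": "freehostns.com", "registrar": "TODAYNIC.COM",
     "registered": "2008-12-22", "ip": None,
     "email": "azerbestavros@googlemail.com", "ns": FREEHOSTNS},
]

DEFAULT_KEYS = ("email", "ip", "ns")


def shared_attributes(records: List[dict],
                      keys: Iterable[str] = DEFAULT_KEYS) -> Dict[Tuple[str, str], Set[str]]:
    """Map (attribute, value) -> domains carrying it, keeping only values seen
    on two or more domains. Scalar and list-valued attributes are both handled."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for rec in records:
        for key in keys:
            values = rec.get(key)
            if values is None:
                continue
            for v in ([values] if isinstance(values, str) else values):
                index[(key, v.lower())].add(rec["domain"])
    return {k: v for k, v in index.items() if len(v) > 1}


def clusters(records: List[dict], keys: Iterable[str] = DEFAULT_KEYS) -> List[List[str]]:
    """Union-find over shared attributes: any two domains linked by a chain of
    shared values land in the same cluster. Output is sorted for determinism."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in shared_attributes(records, keys).values():
        root = find(min(domains))
        for d in domains:
            parent[find(d)] = root
    groups: Dict[str, List[str]] = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


def date_span(records: List[dict], domains: Iterable[str]) -> Tuple[str, str]:
    """Earliest and latest registration date among the given domains (ISO strings)."""
    wanted = set(domains)
    dates = sorted(r["registered"] for r in records if r["domain"] in wanted)
    return dates[0], dates[-1]


if __name__ == "__main__":
    for (key, value), domains in sorted(shared_attributes(RECORDS).items()):
        print(f"{key:5} {value:28} -> {', '.join(sorted(domains))}")
    for group in clusters(RECORDS):
        print("cluster", group, "registered", date_span(RECORDS, group))
```

With the default keys this yields three clusters: the four fake-antivirus domains plus freehostns.com (tied together by the shared IP and by all of them sitting on the freehostns.com name servers), 3tmp3.com with musicxhost.com (same registrant e-mail, same name servers), and media-drive.com on its own. Adding `"registrar"` to the keys merges media-drive.com into the Directi group, which shows why registrar alone is a poor pivot: it collapses unrelated customers of the same registrar into one blob.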

No referrer:
[screenshot]

Referrer:
[screenshot]


2 comments to...
“ALERT: malicious content (including malware via security exploit) seen via MySpace chat”

Ed

Hello. What is the name of the software you are using with the “Gallery”, “Statistics”, “Inspectors”, etc. display? And where could I find this software for download and/or sale? Thanks.



sandi

Hello Ed,

The software is Fiddler, available at this URL, for free:

http://www.fiddlertool.com/fiddler/

Sandi
