Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

I just knew I’d find DIRECTI in there somewhere…

February 2nd 2009 in Uncategorized

Sunbelt reports that there is a new fraudware domain, being ie-security.com.

Let’s look at the domain details for ie-security.com:

ICANN Registrar: BIZCN.COM, Inc (a name that is appearing far too often in association with malware)
Date created: 22 January 2009
NS1.IE-SECURITY.COM
NS2.IE-SECURITY.COM

IP: 216.240.151.135 – Los Angeles, Atmlink Inc

Shares IP with magavidon.cn, secured-software-order.com, webfreescan.cn and windefender2009.cn

Registrant:

Nexton Limited
Sergey Ryabov (director@climbing-games.com)
+79219270961
Scherbakova st., 6-38
Saint-Petersburg 197375
RU

*****

Ok, the email address in the WHOIS (director@climbing-games.com) is interesting.  Let’s have a look at the domain climbing-games.com:

ICANN Registrar: DIRECTI
Created: 23 October 2007
NS5.PUBLIC-NS.COM
NS6.PUBLIC-NS.COM

IP: 66.230.161.250 – Brooklyn, Reality Check Network Corp

Registrant:

Sigurd s.r.o
Sergey (sigurd@adultinter.com)
Scherbakova st., 6-38
St-Petersburg
null, 197349
RU
Tel: +79219270961

As you can see, there are very similar WHOIS details.

*****

Ok, so what about adultinter.com?

ICANN Registrar:  DIRECTI
Created: 22 January 2004
NS1.ADVANCEDHOSTERS.COM
NS2.ADVANCEDHOSTERS.COM

IP: 209.8.19.218 – Silver Spring – Beyond The Network America Inc

Shares IP with adult-gateway.com, adultbeerparty.com, alterinter.com, northvenice.ru

Registrant: Andrei Akalovich (sax@elitistclub.com)
ul. Zrzaveho 12/1083
Praha-6
null,16300
CZ
Tel: +42.0774532108

*****

Let’s look at elitistclub.com:

ICANN Registrar: DIRECTI
Created: 25 January 2007
NS5.PUBLIC-NS.COM
NS6.PUBLIC-NS.COM

IP: 205.252.166.170 – Washington, Beyond The Network America Inc

Registrant: Andrei Akalovich (sax@elitistclub.com)
ul. Zrzaveho 12/1083
Praha-6
null,16300
CZ
Tel: +42.0774532108

*****

We find DIRECTI again when we take a look at another domain reported on Sunbelt, being total-defender.com.

The (now defunct?) total-defender.com (registered via ENOM INC) is listed at IP address 94.247.2.41 (the domain is currently not resolving), and that IP address is (was) shared with just two other domains, being webfreefind.com and rusexportal.com.

webfreefind.com (status ACTIVE)
ICANN Registrar: DIRECTI
Created 5 May 2006

NS1.TOTAL-DEFENDER.COM <— !!! (there is no denying an association now)
NS2.TOTAL-DEFENDER.COM

Registrant: DiabloCompany (info@gangstabros.com)
Garvand 2-10
Oklahoma
null,655158
ES
Tel: +91.2228797504

*****

rusexportal.com (status: ACTIVE)
ICANN Registrar: DIRECTI
Created 19 October 2008

NS1.REG.RU
NS2.REG.RU

Registrant: Pavel Antonov (petra-nova@yandex.ru)
Pyatnitskaya, 10, 4
Moska, 148952
Tel: +7 495 0000000

*****

gangstabros.com (status: ACTIVE)
ICANN Registrar: DIRECTI
Created 14 February 2006

NS1.GANGSTABROS.COM
NS2.GANGSTABROS.COM

Registrant: Yura Inc
Yuriy Vasilyev (diablo@divaporn.com)
Yubileynaya 2-10
Chernogorsk
Khakasia,655158
RU
Tel: +7.9061905092

(What a coincidence: gangstabros.com and webfreefind.com both have street number "2-10" and both use the same code "655158" despite being, apparently, in different countries! Methinks all three domains could be reported to ICANN for fake WHOIS information. What do you think the chances are that the phone number for rusexportal.com is legitimate?)
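The pivoting walked through above, as an added example that is not the blog's own code: it clusters the investigated domains on shared WHOIS attributes and flags the fake-WHOIS tells noted for webfreefind.com, rusexportal.com and gangstabros.com. The records are transcribed from this post; the choice of pivots (registrar and third-party nameservers deliberately excluded, because many unrelated domains share them) is an assumption of this example.

```python
from collections import defaultdict
# WHOIS details transcribed from the post: (email, phone, street, postcode,
# country, nameserver host, IP); None where the post gives no value.
RECORDS = {
    "ie-security.com":    ("director@climbing-games.com", "+79219270961", "Scherbakova st., 6-38", "197375", "RU", "ie-security.com", "216.240.151.135"),
    "climbing-games.com": ("sigurd@adultinter.com", "+79219270961", "Scherbakova st., 6-38", "197349", "RU", "public-ns.com", "66.230.161.250"),
    "adultinter.com":     ("sax@elitistclub.com", "+42.0774532108", "ul. Zrzaveho 12/1083", "16300", "CZ", "advancedhosters.com", "209.8.19.218"),
    "elitistclub.com":    ("sax@elitistclub.com", "+42.0774532108", "ul. Zrzaveho 12/1083", "16300", "CZ", "public-ns.com", "205.252.166.170"),
    "total-defender.com": (None, None, None, None, None, None, "94.247.2.41"),
    "webfreefind.com":    ("info@gangstabros.com", "+91.2228797504", "Garvand 2-10", "655158", "ES", "total-defender.com", "94.247.2.41"),
    "rusexportal.com":    ("petra-nova@yandex.ru", "+7 495 0000000", "Pyatnitskaya, 10, 4", "148952", None, "reg.ru", "94.247.2.41"),
    "gangstabros.com":    ("diablo@divaporn.com", "+7.9061905092", "Yubileynaya 2-10", "655158", "RU", "gangstabros.com", None),
}
FIELDS = ("email", "phone", "street", "postcode", "cc", "ns", "ip")

def pivots(domain, rec, records):
    """Keys two records can be joined on: shared contact e-mail, phone, street or IP,
    plus an e-mail domain or nameserver host that is itself an investigated domain."""
    r = dict(zip(FIELDS, rec))
    keys = {(f, r[f]) for f in ("email", "phone", "street", "ip") if r[f]}
    mail_dom = r["email"].split("@")[1] if r["email"] else None
    keys |= {("domain", d) for d in (domain, r["ns"], mail_dom) if d in records}
    return keys

def clusters(records):
    """Union-find over shared pivot keys; returns the linked groups of domains."""
    parent = {d: d for d in records}
    def find(d):
        return d if parent[d] == d else find(parent[d])
    owner = {}  # first domain seen carrying each pivot key
    for dom, rec in records.items():
        for key in pivots(dom, rec, records):
            parent[find(dom)] = find(owner.setdefault(key, dom))
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=min)

def suspicious_whois(records):
    """The post's fake-WHOIS tells: one postcode under two countries, all-zero phone."""
    recs = {d: dict(zip(FIELDS, r)) for d, r in records.items()}
    by_pc = defaultdict(set)
    for d, r in recs.items():
        if r["postcode"] and r["cc"]:
            by_pc[r["postcode"]].add((d, r["cc"]))
    flags = [(d, "placeholder phone") for d, r in recs.items()
             if r["phone"] and r["phone"].replace(" ", "").endswith("0000000")]
    for pc, ents in by_pc.items():
        if len({cc for _, cc in ents}) > 1:
            flags += [(d, f"postcode {pc} under {cc}") for d, cc in ents]
    return sorted(flags)
```

Run against these records it yields exactly the two groups the post arrives at: the ie-security.com chain and the total-defender.com chain, with no pivot joining them other than the registrar.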


One comment to “I just knew I’d find DIRECTI in there somewhere…”

Sparsha

You will also find DIRECTI in most of the sites listed in the following post as well.

http://sunbeltblog.blogspot.com/2009/02/new-rogue-xpyburner.html
