Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

More information about Olympic Media shenanigans

February 2nd 2009 in Uncategorized

Ok, when the hijack triggered via the Olympic Media-supplied javascript URL that I mentioned in my previous article fires successfully, we hit:

admediastats.com/ts/in.cgi?{{redacted}}

From there we end up at sg12scanner.com/{{redacted}}

From there to dlsg09.com/sysgd09/install.php?track_id={{redacted}}

Javascript in use:

sg12scanner.com/js/jquery-1.2.5.pack.js
sg12scanner.com/js/jquery.timers.js (just for fun I will point out that the JS contains the comment "Yeah this is major overkill…")
sg12scanner.com/js/file_names.js

Installer URL: 89.149.236.86/sysgd09/install.php?track_id={{redacted}}

Tries to download "SystemGuard2009.exe"

admediastats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 4 January 2009

ns1.admediastats.com – 91.211.64.71 – Russian Federation Ural Industrial Limited Company
ns2.admediastats.com – 116.50.15.1 – Hong Kong Hostfresh
ns3.admediastats.com – 89.146.226.121 – Germany De-nic
ns4.admediastats.com – 212.117.162.90 – Luxembourg Root Esolutions

IP: 84.243.252.179 – Berlin, Gfx-cust-worldstream

Registrant: WhoisGuard Protected

*****

sg12scanner.com
ICANN Registrar: REGTIME LTD
Created 14 January 2009
NS1.DLDNSSG09.COM
NS2.DLDNSSG09.COM

IP: 78.26.179.253 – Odessa, Renome-service: Joint Multimedia Cable Network

Shares IP with Dldnssg09.com, Dlsg09.com, Dlsgd2.com, Dlsgd3.com, Gbpings.com, Getsg09.com, Getsgd2.com, Getsgd3.com, Getsysgd09.com, Gosg09.com, Gosgd2.com, Gosgd3.com, Gosysgd09.com, Prdnssg09.com, Scannersg.com, Scansguard.com, Sg10scanner.com, Sg11scanner.com, Sg12scanner.com, Sg9scanner.com, Sgproduct.com, Sgproductm.com, Sgscanner.com, Sguardscan.com, Sgviralscan.com, Spywareguard2009.com, Spywareguard2009m.com, Systemguard2009.com and Systemguard2009m.com, all of which should be treated with extreme caution.

Registrant: Kire Serona (kiresl1540@yahoo.com) – owns 2 other domains
Ilichova 16, Ljubljana.

*****

dlsg09.com
ICANN Registrar: REGTIME LTD
Created 14 January 2009
NS1.DLDNSSG09.COM
NS2.DLDNSSG09.COM

IP: 78.26.179.253 – Odessa, Renome-service: Joint Multimedia Cable Network

Shares IP with the same domains listed for sg12scanner.com above, all of which should be treated with extreme caution.

Registrant: Damir Sbil (damirsbils791@gmail.com) – owns 6 other domains
Tavcarjeva 109, Skofja vas.

*****

89.149.236.86 – China Gibibits-Ltd (89-149-236-86.internetserviceteam.com – Netdirekt). Known spam IP.
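To show how the shared-IP and shared-nameserver pivot used above turns a few observed domains into a watch list, here is an added Python example (not the blog's code). The records are constructed: the sg12scanner.com, dlsg09.com and admediastats.com rows repeat values stated in this post, the remaining rows and their nameservers and dates are assumed for illustration, and the fan-out guard is my own addition to keep a pivot from swallowing every site on a shared host.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed sample records modelled on the post: domain -> (ip, nameservers, created).
# First three rows repeat values the post states; the rest are assumed for illustration.
RECORDS = {
    "sg12scanner.com":     ("78.26.179.253",  {"ns1.dldnssg09.com", "ns2.dldnssg09.com"}, date(2009, 1, 14)),
    "dlsg09.com":          ("78.26.179.253",  {"ns1.dldnssg09.com", "ns2.dldnssg09.com"}, date(2009, 1, 14)),
    "admediastats.com":    ("84.243.252.179", {"ns1.admediastats.com", "ns2.admediastats.com"}, date(2009, 1, 4)),
    "systemguard2009.com": ("78.26.179.253",  {"ns1.prdnssg09.com"}, date(2009, 1, 16)),   # assumed NS/date
    "gosg09.com":          ("78.26.179.253",  {"ns1.prdnssg09.com"}, date(2009, 1, 16)),   # assumed NS/date
    "blog.example":        ("203.0.113.9",    {"ns1.bighost.example"}, date(2003, 2, 1)),  # assumed, unrelated
}

def build_index(records):
    """Invert the records so each IP and each nameserver maps to the domains using it."""
    by_ip, by_ns = defaultdict(set), defaultdict(set)
    for dom, (ip, nss, _) in records.items():
        by_ip[ip].add(dom)
        for ns in nss:
            by_ns[ns.lower()].add(dom)
    return by_ip, by_ns

def pivot(records, seeds, max_fanout=50):
    """Expand seed domains transitively through shared IPs and nameservers.
    Infrastructure used by more than max_fanout domains (shared hosting, large
    DNS providers) is skipped so the pivot does not pull in unrelated sites."""
    by_ip, by_ns = build_index(records)
    found, queue = set(seeds), deque(seeds)
    while queue:
        dom = queue.popleft()
        ip, nss, _ = records[dom]
        neighbours = set()
        if len(by_ip[ip]) <= max_fanout:
            neighbours |= by_ip[ip]
        for ns in nss:
            if len(by_ns[ns.lower()]) <= max_fanout:
                neighbours |= by_ns[ns.lower()]
        for n in neighbours - found:
            found.add(n)
            queue.append(n)
    return found

def young_domains(records, domains, seen_on, max_age_days=30):
    """Of the given domains, return those registered within max_age_days before they were seen;
    a cluster of freshly registered domains on one IP is the pattern the post describes."""
    return {d for d in domains if (seen_on - records[d][2]) <= timedelta(days=max_age_days)}
```

Starting the pivot from sg12scanner.com alone reaches dlsg09.com through the shared IP and nameservers and the assumed rows through the IP, while admediastats.com (linked only by the redirect chain, not by hosting) stays out.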

