ALERT: New malvertizement featuring Bausch & Lomb Softlens contact lenses
I have seen multiple, visually identical versions of the malvertizement shown above, one of which has revealed a new name and domains. Please be on the look-out.
One sample that I received today is effectively neutralized because the malvertizement hits the domains of-ficialstat.com and securityclick.net, neither of which is resolving.
securityclick.net is a "Serg Moons" domain, which is currently "on hold" (aka locked) :o) The domain is no longer resolving, but its last IP address was 212.117.165.128.
212.117.165.128 currently hosts two well known domains, measurehits.com and waytotheprofit.com. waytotheprofit.com has been mentioned more times on this blog than I care to remember. measurehits.com (listed as owned by a Gabriel Jenks) was mentioned on this blog just the other day, here:
http://msmvps.com/blogs/spywaresucks/archive/2009/03/09/1676761.aspx
of-ficialstat.com is also "on hold", and is listed as owned by a "Sergey Belonozhko" (sergbelo@gmail.com). The domain is no longer resolving, but its last IP was 79.135.187.73.
*********************************************************************************************
The next sample I examined hits the following domains – cosmotraf.net and pleaselinkmeto.com – two domains that I have not encountered before. This campaign is live.
Once the redirect is triggered we hit a URL at traff-direct.com. We are then redirected to go-uniq.com before we hit the fraudware domains removespywarethreats.com or desktoprepairpage.com or pcantimalwaresolution.com.
cosmotraf.net
ICANN Registrar: Communigal Communications Ltd
Created 5 March 2009
IP: 88.198.8.15 – Bayern – Gunzenhausen – Hetzner-rz-nbg-net
Hostnames sharing IP with A Records:
download.pcprivacycleaner.com
download.powerfulvirusremover2008.com
static.88-198-8-15.clients.your-server.de
sw.effectiveload.com
ydmstats.com
WHOIS information – how unhelpful of Communigal:
Domain Contact is Private
Address is private
Private
00000
972 9999999
972 9999999
pleaselinkmeto.com
ICANN Registrar: Communigal Communications Ltd
Created 5 March 2009
IP: 58.65.237.43 – Hong Kong (sar) – Hostfresh
WHOIS information – how unhelpful of Communigal: the same private placeholder contact as for cosmotraf.net above.
traff-direct.com
ICANN Registrar: YESNIC CO. LTD.
Created 16 February 2009
NS1.TRAFF-DIRECT.COM
NS2.TRAFF-DIRECT.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM
IP: 78.129.158.69 – United Kingdom – Eukhost Ltd
Registrant:
Preston Wasson
wassonpreston@email.com
4532 Dancing Dove Lane
10011
US
347 526 4950
Note: "Preston Wasson" is also the Registrant of comondns.com above. "Preston Wasson" owns about 19 domains.
The address apparently does not exist, and the phone number is associated with an address in White Plains, NY.
Just out of interest, let’s take a look at the NS*.COMONDNS.COM – all discovered domains should, of course, be treated with extreme caution.
NS1.COMONDNS.COM – hostnames sharing IP with A records:
a.dnstut.com
ns1.go-uniq.com
ns1.removespywarethreats.com
ns1.thesurfdigest.com
ns2.comondns.com
ns2.dnstut.com
ns2.go-uniq.com
ns2.removespywarethreats.com
Domains using this name server under another name:
comondns.com
desktoprepairpackage.com
dnserror.org
fuckteencunt.com
go-uniq.com
mainfeedhere.com
pcantimalwaresolution.com
removespywarethreats.com
search-lasslorn.com
search-unassuetude.com
NS2.COMONDNS.COM – hostnames sharing IP with A records:
a.dnstut.com
ns1.comondns.com
ns1.go-uniq.com
ns1.removespywarethreats.com
ns1.thesurfdigest.com
ns2.dnstut.com
ns2.go-uniq.com
ns2.removespywarethreats.com
Domains using this nameserver under another name:
comondns.com
desktoprepairpackage.com
dnserror.org
find-allnot.com
fuckteencunt.com
mainfeedhere.com
pcantimalwaresolution.com
removespywarethreats.com
search-lasslorn.com
search-unassuetude.com
NS3.COMONDNS.COM – domains using this as a name server:
comondns.com
desktoprepairpackage.com
go-uniq.com
pcantimalwaresolution.com
NS4.COMONDNS.COM – domains using this as a name server:
comondns.com
desktoprepairpackage.com
go-uniq.com
pcantimalwaresolution.com
go-uniq.com
ICANN Registrar: YESNIC CO. LTD.
Created 16 February 2009
NS1.GO-UNIQ.COM
NS2.GO-UNIQ.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM
IP: 72.55.153.155 – Quebec – Iweb Dedicated Cl
Registrant: Preston Wasson (same contact details as traff-direct.com above)
removespywarethreats.com
ICANN Registrar: YESNIC CO. LTD
Created 24 February 2009
NS1.COMONDNS.COM
NS2.COMONDNS.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM
IP: 78.46.90.230 – Bayern – Gunzenhausen – Hetzner
Shares IP with billgroups.com, cleanerpcsolution.com, desktoprepairpackage.com, pcantimalwaresolution.com, pcsolutionshelp.com and removespywarethreats.com
Registrant: Preston Wasson (same contact details as traff-direct.com above)
desktoprepairpage.com
ICANN Registrar: YESNIC CO. LTD.
Created 24 February 2009
NS1.COMONDNS.COM
NS2.COMONDNS.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM
IP: 78.46.90.230 – Bayern – Gunzenhausen – Hetzner
Registrant: Preston Wasson (same contact details as traff-direct.com above)
pcantimalwaresolution.com
ICANN Registrar: YESNIC CO. LTD.
Created 24 February 2009
NS1.COMONDNS.COM
NS2.COMONDNS.COM
NS3.COMONDNS.COM
NS4.COMONDNS.COM
IP: 78.46.90.230 – Bayern – Gunzenhausen – Hetzner
Registrant: Preston Wasson (same contact details as traff-direct.com above)
*********************************************************************************************
A third sample hits the following domains – googlesearchingweb.net and clickanalytic.com.
googlesearchingweb.net
ICANN Registrar: DIRECTI
Created 6 February 2009
IP: Suspended domain
Historical IP: 79.135.187.62 – Turkey – Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti
Other suspicious sites in the same IP range include officialstat.net, statgroup.net, st-atetstr.com, staticglobalsources.net, station-appraisals.com, st-athisranch.net, s-tatetstr.com and of-ficialstat.net
WHOIS: Hidden behind privacyprotect.org (as far as I am concerned, once a domain has been suspended it should lose the protection of privacyprotect.org)
clickanalytic.com
ICANN Registrar: DIRECTI
Created 6 February 2009
IP: Suspended domain
Historical IP: 79.135.187.83 (Turkey Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti) then 212.117.165.128 (Luxembourg Root Esolutions)
As noted earlier, 212.117.165.128 is the IP of measurehits.com and waytotheprofit.com.
WHOIS: Hidden behind privacyprotect.org (again, as far as I am concerned, once a domain has been suspended it should lose the protection of privacyprotect.org)
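The pivots this post performs by hand (domains on one hosting IP, domains behind the same comondns.com name servers, domains with the same registrant contact) can be automated. The Python below is an added example, not code from the original post: it runs a small union-find over records constructed from the IPs, name servers and registrant e-mail quoted above (the record layout and key scheme are my own assumptions), so that one confirmed bad domain expands into its whole infrastructure cluster for blocklisting.

```python
from collections import defaultdict

# Constructed from the WHOIS and IP details quoted in the post (example data, not
# a live lookup): domain, IPs, name servers, registrant e-mail (None if hidden).
W = "wassonpreston@email.com"
RECORDS = [
    ("traff-direct.com", {"78.129.158.69"}, {"NS1.TRAFF-DIRECT.COM", "NS3.COMONDNS.COM"}, W),
    ("go-uniq.com", {"72.55.153.155"}, {"NS1.GO-UNIQ.COM", "NS3.COMONDNS.COM"}, W),
    ("removespywarethreats.com", {"78.46.90.230"}, {"NS1.COMONDNS.COM"}, W),
    ("desktoprepairpage.com", {"78.46.90.230"}, {"NS1.COMONDNS.COM"}, W),
    ("pcantimalwaresolution.com", {"78.46.90.230"}, {"NS1.COMONDNS.COM"}, W),
    ("cosmotraf.net", {"88.198.8.15"}, set(), None),
    ("pleaselinkmeto.com", {"58.65.237.43"}, set(), None),
    ("measurehits.com", {"212.117.165.128"}, set(), None),
    ("waytotheprofit.com", {"212.117.165.128"}, set(), None),
    ("clickanalytic.com", {"212.117.165.128"}, set(), None),
]

def pivot_keys(ips, nameservers, registrant):
    """Keys on which two domains count as sharing infrastructure: hosting IP, parent domain of each NS, registrant."""
    keys = {"ip:" + ip for ip in ips}
    keys |= {"ns:" + ns.lower().split(".", 1)[1] for ns in nameservers if "." in ns}
    if registrant:
        keys.add("reg:" + registrant.lower())
    return keys

def cluster(records):
    """Union-find over domains sharing any pivot key -> ({domain: frozenset(cluster)}, {key: domains} for keys shared by 2+)."""
    by_key = defaultdict(set)
    for domain, ips, nss, reg in records:
        for key in pivot_keys(ips, nss, reg):
            by_key[key].add(domain)
    parent = {rec[0]: rec[0] for rec in records}
    def find(x):  # root of x, with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for members in by_key.values():  # every domain on one key joins one set
        root = find(next(iter(members)))
        for d in members:
            parent[find(d)] = root
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    clusters = {d: frozenset(groups[find(d)]) for d in parent}
    shared = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    return clusters, shared
```

The `shared` map explains each link (for example which domains sit on 78.46.90.230), so an analyst can judge a weak pivot such as a shared hosting IP before adding the whole cluster to a blocklist.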