Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Malvertizement featuring Phoenix University

April 23rd 2009 in Uncategorized

PLEASE TREAT ALL CONTENT FROM PERFECT-BANNER.COM WITH EXTREME CAUTION


Adopstools scan results:
http://www.adopstools.net/index.asp?section=quicklink&id=36xxrvvFRC85pkp7

Malvertizement host:
perfect-banner.com

Hits the domains statcluster.com and enjoyspringtime.com

From there to crustat.com, pnfzetnax.net (or justwebsecurity.com), then to 78.47.132.220.

—–

perfect-banner.com

ICANN Registrar: ENOM, INC.
Created 10 March 2009
NS1.PERFECT-BANNER.COM
NS2.PERFECT-BANNER.COM
NS3.PERFECT-BANNER.COM
NS4.PERFECT-BANNER.COM

IP: 89.149.244.137 – Hessen, Frankfurt Am Main, Netdirekt E.k

Shares IP with one other site, being 4netbanners.com – please treat the domain 4netbanners.com with extreme caution

Registrant:
Nexton Limited
Whois Agent
Irpinskaya 69
Kiev, 03142
UA

Registration service provided by:
Contact: director@climbing-games.com
ruler-domains.com
director@climbing-games.com has been mentioned on this blog before, in association with the fraudware domain ie-security.com:
http://msmvps.com/blogs/spywaresucks/archive/2009/02/02/1668084.aspx

Also associated with the malware domain xp-police-av.com:
http://www.precisesecurity.com/blogs/2009/02/17/xp-police-av/

—–

4netbanners.com
ICANN Registrar: KEY-SYSTEMS GMBH
Created 9 April 2009
NS1.MYDOMAIN-IN.NET
MS2.MYDOMAIN-IN.NET

IP: 89.149.244.137 – Hessen, Frankfurt Am Main, Netdirekt E.k

Registrant:
Primak Vornen (primakvornen@myself.com)
Punane 34
Tallin 13619
EE
37 263 176 2334

—–

ruler-domains.com
ICANN Registrar: ENOM INC
Created 17 November 2008
NS5.NAMESERVER01.COM
NS6.NAMESERVER01.COM

IP: 78.46.88.142 – Bayern, Gunzenhausen, Hetzner

Shares IP with 12 other sites being av-cash.com, billingpayment.net, gilded-youth.com, iloveyourbrain.com, loyalbox.biz, richisoftware2.com, ruler-cash.com, ruler-dating.com, ruler-domains.com, ruler-search.com, vashkont.com, vashkontakt.com, vkontaktev.com – all domains should be treated with extreme caution.

Registrant:
Sergey Ryabov (director@climbing-games.com)
7 921 927 0961
Fax: 7 921 927 0961
Scherbakova st., 6-38
Saint-Petersburg, 197375
RU

—–

statcluster.com
ICANN Registrar: YESNIC CO. LTD
Created: 3 April 2009
NS1.STATCLUSTER.COM
NS2.STATCLUSTER.COM

IP: 174.37.196.175 – Texas, Dallas, Softlayer Technologies Inc

Registrant:
Burt N Charlesworth (burtn@mail.com)
971 Hidden Valley Road
170742
US
2129887344 (this number traces to New York, and is not owned by Burt N Charlesworth, or anybody with the same or similar surname)

—–

enjoyspringtime.com
ICANN Registrar: COMMUNIGAL COMMUNICATIONS LTD
Created 20 March 2009
DNS1.COMMUNIGAL.NET
DNS2.COMMUNIGAL.NET

IP: 38.99.168.101 – Ontario, Toronto, Psinet Inc

Registrant:
Robert Robinson (robertrobinson@mail.com)
4452 Dogwood Lane, Phoenix, 85012
602 520 553 9781

We’ve come across Robert Robinson before; that is the ID used to register the domain welovesandi.com (http://msmvps.com/blogs/spywaresucks/archive/2009/04/01/1683651.aspx)

—–

crustat.com
ICANN Registrar: COMMUNIGAL COMMUNICATIONS LTD
Created: 5 March 2009
DNS1.COMMUNIGAL.NET
DNS2.COMMUNIGAL.NET

IP: 94.76.213.234 – UK, Hp3-right

Shares IP with one other domain, being tldst.com

Registrant details hidden behind WHOIS privacy service

—–

pnfzetnax.net
ICANN Registrar: INTERNET INVEST, LTD. DBA IMENA.UA
Created: 20 March 2009
NS1.IMENA.COM.UA
NS2.IMENA.COM.UA

IP: 85.10.243.126 – Hetzner, Germany

Registrant:
David Armstrong (avidarms@mail.com)
1785 Haul Road
Golden Valley
55427
1 6512387511 (traces to Minneapolis, MN)

—–

justwebsecurity.com
ICANN Registrar: REGTIME LTD
Created 20 April 2009
NS1.JUSTWEBSECURITY.COM
NS2.JUSTWEBSECURITY.COM

IP: 91.212.65.55 – Ukraine, Eurohost Llc

Shares IP with three other domains, being globalsecurityscan.com, onlinebrandsecurity.com and scanprotectiononline.com (all domains should be treated with extreme caution).

Registrant:
Rene Clay (renepclay@text2re.com)
1555 Lake Floyd Circle
Chevy Chase
MD 20815
US
1 301 941 5618
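The linking done by hand above (shared IP address, shared registrant or contact e-mail) is an infrastructure pivot, and it can be automated. The following is an added example, not code from the blog: the records are transcribed from the WHOIS details listed in this post (only the fields given here; crustat.com has no visible e-mail), and the field names are my own.

```python
from collections import defaultdict

# Constructed from the WHOIS details in this post; missing values are None.
RECORDS = [
    {"domain": "perfect-banner.com", "ip": "89.149.244.137", "email": "director@climbing-games.com"},
    {"domain": "4netbanners.com", "ip": "89.149.244.137", "email": "primakvornen@myself.com"},
    {"domain": "ruler-domains.com", "ip": "78.46.88.142", "email": "director@climbing-games.com"},
    {"domain": "statcluster.com", "ip": "174.37.196.175", "email": "burtn@mail.com"},
    {"domain": "enjoyspringtime.com", "ip": "38.99.168.101", "email": "robertrobinson@mail.com"},
    {"domain": "crustat.com", "ip": "94.76.213.234", "email": None},  # WHOIS privacy
    {"domain": "pnfzetnax.net", "ip": "85.10.243.126", "email": "avidarms@mail.com"},
    {"domain": "justwebsecurity.com", "ip": "91.212.65.55", "email": "renepclay@text2re.com"},
]

# Fields strong enough to pivot on. Shared nameserver hosting (e.g. communigal.net)
# is deliberately left out: too many unrelated domains share a registrar's DNS.
PIVOT_FIELDS = ("ip", "email")


def build_index(records, fields=PIVOT_FIELDS):
    """Map each (field, value) pair to the set of domains carrying that value."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            if rec.get(field):
                index[(field, rec[field])].add(rec["domain"])
    return index


def shared_attributes(records, fields=PIVOT_FIELDS):
    """Attribute values that tie two or more domains together: the pivots worth a closer look."""
    return {k: sorted(v) for k, v in build_index(records, fields).items() if len(v) > 1}


def cluster(records, start, fields=PIVOT_FIELDS):
    """Transitively follow shared attributes out from `start`.
    Returns (sorted domains reached, [(from, to, field, value), ...]) so every link is explainable."""
    index = build_index(records, fields)
    by_domain = {rec["domain"]: rec for rec in records}
    seen, reasons, todo = {start}, [], [start]
    while todo:
        current = todo.pop()
        for field in fields:
            value = by_domain[current].get(field)
            if not value:
                continue
            for other in sorted(index[(field, value)] - seen):
                seen.add(other)
                reasons.append((current, other, field, value))
                todo.append(other)
    return sorted(seen), reasons
```

Starting from perfect-banner.com, the walk reaches 4netbanners.com through the shared IP and ruler-domains.com through the shared contact address, which is exactly the link the post draws by hand; statcluster.com stays on its own because nothing in these records ties it to the rest.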

