October 2008 - Posts

SWF for malware deployment

Mea culpa: Marian is apparently male, not female.

Marian Radu of the Microsoft Malware Protection Center has written about SWF being used for malware. He states:

"What I found out is that, excluding flash exploits, SWFs are mainly used as redirectors"

Yep, we know this ... that is why Flash is "the Typhoid Mary of the Internet".

I'm glad that Marian has written about the problem of malicious SWF, but I admit that this got my back up:

"More and more each day I see SWF files being sent to us as a potential part of a malware deployment chain. Most of the times it is not the case, but because of these special cases where the submitter was actually right, I decided to write this entry."

I don't know about you, but I am not too happy with the "special cases where the submitter was actually right" quip.

Regular readers of my blog will know that we have been fighting this problem for years - "we" being me, other security researchers such as Kimberley, every big advertising network there is (and lots of small ones), the web sites who have been victims, the end user victims themselves - every big name has been hit at some time or other - Microsoft, Google, Yahoo, AOL, Doubleclick, 247RealMedia and myriad advertising networks. For Marian to call the examples that he found "special cases" minimizes the existence of malicious SWF in a way that I find discomforting.

As for his statement:

"I’ve been spending part of today tracking down some SWF files that are part of “the dark side”."

I wish he had got in touch - I have thousands of samples available for his viewing pleasure on this machine alone.

ALERT: please treat all content from metrixlab-tds.com with extreme caution

Courtesy of Kimberley

URLs used to facilitate the hijacking:

bannersrotator.com/fx22010/click.php
stl.0ups.com/stl/in.cgi?24&

Note that different SWF files are served to the potential victim, depending on the version of Flash being used...

I'll also emphasise that the malicious domain is not associated with the legitimate company Metrixlab at www.metrixlab.com.

AND, guess who is the ICANN Registrar.... DIRECTI.

I ask you, what possible excuse is there for accepting a WHOIS entry like the one for metrixlab-tds.com?

ad1.metrixlab-tds.com - 82.98.193.102
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sharing IP with A Record: tds1.onlineredirsystem.com
Registrant:
    n/a
    Josh Silver (metrixlab.uk@googlemail.com)
    n/a
    n/a
    n/a
    n/a
    ,000000
    US
    Tel. +999.999999999

bannersrotator.com - 82.98.193.165
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registrant:
    N/A
    Jonh Anderson (mailalexmail@gmail.com)
    Mulwar str.46
    New York
    null,12576
    US
    Tel. +534.347324774

stl.0ups.com - 82.98.193.166 and 82.98.235.104
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registrant:
    N/A
    Jonh Anderson (mailalexmail@gmail.com)
    Mulwar str.46
    New York
    null,12576
    US
    Tel. +534.347324774

Serg Moon hides a little more....

This time we see that he is tweaking the WHOIS for traveltray.com and workhomecenter.com.

To recap, so far he has tweaked mydwnld.info, matchservice.com, supportsvc.com, getfreecar.com and veritylimited.com in recent times:

Estdomains termination stayed: I knew this would happen :(

Details here:
http://www.icann.org/en/announcements/announcement-2-29oct08-en.htm

"On 28 October 2008, ICANN sent a notice of termination to EstDomains http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf [PDF, 76K]. Based on an Estonian Court record, ICANN has reason to believe that the president of EstDomains, Vladimir Tsastsin, was convicted of credit card fraud, money laundering and document forgery on 6 February 2008.

Pursuant to Section 5.3 of the Registrar Accreditation Agreement (RAA), ICANN may terminate the RAA before its expiration when, “Any officer or director of Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.”

ICANN received a response from EstDomains regarding the notice of termination. http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf [PDF, 853K] To assess the merits of the claims made in EstDomains’ response, ICANN has stayed the termination process as ICANN analyzes these claims.

ICANN’s records indicate that EstDomains has approximately 281,000 domain names under its management. ICANN will take all reasonable measures to protect the interests of registrants during the stay period and the subsequent termination process that may follow.  For information regarding ICANN’s De-Accredited Registrar Transition Procedure, please go to: http://www.icann.org/processes/registrars/de-accredited-registrar-transition-procedure-01oct08.pdf [PDF, 119K]."

What does Poltev's response say?

"The decision to change the director of EstDomains, Inc was made in January 2008, before the Estonian Circuit Court brought a verdict for Vladimir Tsastsin on 6 February 2008.  However, due to some juridical aspects the change of EstDomains, Inc Director has been adjourned ad interim [meaning "in or for the meantime" or "temporarily"].  On June 16, 2008 Vladimir Tsastsin appealed to a Supreme Court of Estonia against the previous court decision as he considers that the decision of the Circuit Court brought in not in favor of him on the February 6, 2008 is unjust as the indictment against him was criminated unfoundedly.  In accordance with Estonian legislation the appeal to a Supreme Court cancels the previous verdict brought in against the convict until the appeal is satisfied or dismissed by a Supreme Court.  Please find attached the copy of the original appeal statement.  Please let us know if the translation from Estonian to English of this document is required, we will need some time to get it translated.

On June 25, 2008 Vladimir Tsastsin signed the Resignation of Director of EstDomains, Inc a Delaware Corporation and left his position of the President of the corporation.  The notification about the change of the EstDomains, Inc Director has not been sent to ICANN as we have not found this point to be obligatory for the registrar company in the Registrar Accreditation Agreement.  It is possible that we have missed something, please accept our sincere apologies for it, however, we would like to ask you to provide us with the precise direction to this particular paragraph.  We would also like to apply for the paragraph 5.4 of Agreement and ask you whether it is possible to renew the Registrar Accredited Agreement between ICANN and EstDomains, Inc and include all the appropriate information in there.  We hope for your understanding, as the present situation is critical and we do not wish to lose the greatly appreciated partnership with ICANN.

Best regards,

Konstontin Poltev
EstDomains, Inc CEO"

As I said earlier, "I suspect that the door has been left the tiniest bit ajar - what if EstDomains proves that Tsastin has/had been removed as President?  Would the decision be reversed?"

Request For Information: ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains

Announcement here:
http://www.icann.org/en/announcements/announcement-2-28oct08-en.htm

"As the result of the de-accreditation of EstDomains, Inc. (IANA ID 832), ICANN is seeking Statements of Interest from ICANN-accredited registrars that are interested in assuming sponsorship of the gTLD names that had been managed by EstDomains.

EstDomains managed approximately 280,000 gTLD registrations, including registrations in the biz, com, info, mobi, net, and org registries, including approximately 7 second-level internationalized domain names. EstDomains, Inc. is organized in Delaware, United States

Registration data held in escrow is believed to be complete and in a proper format as described in the Registrar Data Escrow Specifications posted at http://www.icann.org/en/rde/rde-specs-09nov07.pdf [PDF, 33K]."

It will be interesting to see who takes on this particular can of worms...

Posted by sandi with 1 comment(s)

Estdomains is to be terminated by ICANN - effective 12 November 2008

Well, now we know why EstDomains was posting to NANOG, and issuing press releases.

It's not very often that I say that you could knock me over with a feather, but, you could knock me over with a feather.

The RBN blog is the first place I saw the news (edit: it looks like Fergie got the word out first):
http://rbnexploit.blogspot.com/2008/10/rbn-farewell-to-estdomains.html

I quote:

"Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for Estdomains, Inc. (Customer No. 919, IANA No. 832) is terminated.  Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction.  This termination shall be effective within fifteen calendar days from the date of this letter, on 12 November 2008."

And....

"The attached Estonia Court records state that you were convicted of credit card fraud, money laundering and document forgery on 6 February 2008.  EstDomains' has submitted official documents to ICANN that state you are the President of EstDomains.  Absent receipt by ICANN of any document indicating that you were removed from the position of President, ICANN concludes that you maintained the position of President of EstDomains since the date of your conviction.  Estdomains' RAA is being terminated based on your conviction and your status as President of EstDomains."

The letter from ICANN to Mr Vladimir Tsastin, President, Estdomains Inc dated 28 October 2008 can be downloaded here:
http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

I suspect that the door has been left the tiniest bit ajar - what if EstDomains proves that Tsastin has/had been removed as President?  Would the decision be reversed?

Be that as it may, I have this overwhelming desire to crack open the nice, cold bottle of Moet Champagne that is sitting in my fridge awaiting a special occasion.

Windows 7 Preview Video

For those of you who may be interested:

http://www.microsoft.com/downloads/details.aspx?familyid=26996ced-888d-4892-b1be-5141da8272bd&displaylang=en&tm

Note: only available for download via systems that pass Windows Genuine Validation


MS08-067 and NT Servers

Quote from the Patch Management Mailing List:

"Microsoft has created patches for NT4 Workstation, NT4 Server, and NT4 Terminal Server, however, these patches are only available to folks who have purchased an NT4 Custom Support Agreement from Microsoft."

There is a FAQ on the Securiteam blog, but at time of writing it doesn't mention anything about NT:
http://blogs.securiteam.com/index.php/archives/1150

Vista x64 and Internet Explorer

I received this email today:

"I bought a 64 bit HP PC with Vista Home Premium and ie7 installed. When I was at a website to view something today it said I needed an Adobe plugin and directed me to Adobe. But Adobe said it did not have a 64 bit version and to use a 32 bit browser. After a bit of searching on the internet I finally got back to looking at programs on the new PC and found that there are 64 bit programs in the Program folder and 32 bit programs in the Program (x86) folder. And in each program folder there were ie7 programs. I suspect the desktop ie7 is 64 bit. So can I install a 32 bit version of ie7 from the x86 folder and thus have two versions of ie7?"

Vista x64 comes with two versions of Internet Explorer, a 32 bit version and a 64 bit version.  The No Add-Ons version is simply the 32 bit version with a special switch added to the target path.

There is no need to install anything to get access to the 32 bit (x86) version of Internet Explorer.  Simply run the correct executable.  These are the target paths:

Vista (32 bit) = "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Vista (64 bit) = "C:\Program Files\Internet Explorer\iexplore.exe"
Vista (No Add-Ons) = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff

I have also created a special shortcut that opens Internet Explorer in InPrivate mode:

Vista (32 bit) InPrivate = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -private

I have added a shortcut for each version of IE, as well as a shortcut with the -extoff switch and the -private switch to my QuickLaunch bar.

My correspondent was right when he pointed out that there is no x64 version of Flash - Flash is not unique when it comes to this restriction.

MS08-067 is being actively exploited...

Here is just one example:
http://vil.mcafeesecurity.com/vil/content/v_152898.htm

ThreatExpert blog:
http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html

You're patching, yes?

Watch out for crashes affecting svchost.exe and netapi32.dll.

ISC have raised their threat level to Yellow.

There are two more webcasts set up:

For the Thursday, 10/23/08, 5:00 PM Webcast, customers can register at:
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032394183&Culture=en-US

For the Friday, 10/24/08, 11:00 AM Webcast, customers can register at:
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032394179&Culture=en-US

A recording of the original webcast is now available:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032393978&EventCategory=4&culture=en-US&CountryCode=US

So far we know that the bad guys already using the vulnerability have been utilizing:

doradora.atzend.com (69.162.76.42)
perlbody.t35.com (66.45.237.219)
summertime.1gokurimu.com (59.106.116.229) (note: disog.org has mis-spelled this domain name)
59.106.145.58

Cite: http://www.disog.org/

Estdomain Press Release: aka "we're good guys, honest"

Here's the Press Release:
http://www.prweb.com/releases/2008/10/prweb1504344.htm

An Esthost representative also posted a message to NANOG a while back - as far as I know, there was only one public response:
http://www.gossamer-threads.com/lists/nanog/users/109300

Do I believe that Estdomains/Esthost are innocent victims?  Nah... too much has happened for too long.  Let's not forget these Washington Post articles:

Part 1:
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html

Part 2:
http://voices.washingtonpost.com/securityfix/2008/09/estdomains_a_sordid_history_an.html

And SpamHaus:
http://www.spamhaus.org/news.lasso?article=636

And let's not forget the myriad mentions of Esthost/Estdomains on this very blog:
http://msmvps.com/blogs/spywaresucks/search.aspx?q=estdomains&o=Relevance
http://msmvps.com/blogs/spywaresucks/search.aspx?q=esthost&o=Relevance

ALERT: Please install critical out-of-band security patch

Edit: A detailed description of the vulnerability has been published here:
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx 

Of particular importance is this quote:

"This is a serious vulnerability and we have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so we have released the fix "out of band" (not on the regular Patch Tuesday)."

We're all patched - I strongly recommend you ensure all of your computers are patched too.

Details here:
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

"This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None"

Note that even the Windows 7 pre-release beta is affected, although on that platform only authenticated users can trigger the vulnerability.

Mitigations:

  • Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
  • On Windows Vista and Windows Server 2008, the vulnerable code path is only accessible to authenticated users. This vulnerability is not liable to be triggered if the attacker is not authenticated.

ADVANCE NOTIFICATION - October 23, 2008 (Out-of-Band) MSRC Security Bulletin Release

Quote:

Microsoft is scheduled to release a security bulletin (out-of-band) to address a vulnerability in all currently supported versions of Windows. The bulletin is scheduled for release at approximately 10 A.M. Pacific Time on Thursday, October 23, 2008.

This security update will be released outside of the usual monthly security bulletin release cycle in an effort to protect customers. Microsoft recommends customers prepare their systems and networks to apply this security bulletin immediately once released to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit http://www.microsoft.com/protect.

The purpose of this notification is to assist customers with resource planning for this security bulletin release. The information offered in this notification is purposely general in nature to provide enough information for customers to plan for deployment without disclosing vulnerability details or other information that could put them at risk. 

==================================
New Bulletin Summary
==================================

Bulletin Identifier: Windows Bulletin

Maximum Severity Rating: Critical

Impact of Vulnerability: Remote Code Execution

Detection: Microsoft Baseline Security Analyzer can detect whether your computer system requires this update.

Restart Requirement: The update requires a restart.

Affected Software: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008

==================================
Advance Notification Web Page
==================================

The full version of the Microsoft Security Bulletin Advance Notification for this month can be found here:
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx

It happens to the best of us...

What do you get when you combine a busy evening, an ongoing IM chat and a moment of inattention?  You get what you see to left of screen.

Note that I declined the download... don't play with fire by downloading the virus, even if you know what it is and just want to experiment.

My infected correspondent is a high-calibre computer professional - right up there with the best of them - but as this incident shows, even the best of us make mistakes.

For what it's worth, the PC was isolated from the internet within 5 minutes of the infection occurring.  No word, yet, on how easy or difficult it was to clean, or if it was given a name by the clean-up tools used, but from what I can see it was this one:

http://www.k7computing.com/virusdetails.asp?virusid=46459

ALERT: Malvertizement at allmusic.com and billboard.com

Note: the incident has been reported to a contact at allmusic.

Originally discovered by Kimberley.

Malicious SWF: web.checkm8.com/Ads/435513/bill_300x250-border.swf

Encrypted dynamic text within malvertisement:

From web.checkm8.com we hit clickmatter.net, which loads a "static.gif" that is actually an SWF.  From there I was bounced to windows-scannercenter.com, then to onlinetds.info and forcedscan.com.

web.checkm8.com were involved in other malvertizement outbreaks affecting allmusic:
http://msmvps.com/blogs/spywaresucks/search.aspx?q=checkm8&o=Relevance

checkm8.com - 65.216.116.106 - Massachusetts - Woburn - Mirror Image Internet
ICANN Registrar: Network Solutions Inc
Created: 3 July 1999
NS: DNS01.CHECKM8.COM
NS: DNS02.CHECKM8.COM

clickmatter.net - 216.195.59.78 - Oregon - Portland - Aps Telecom
ICANN Registrar: Estdomains Inc
Created 11 July 2008
NS: DNS251.3FN.NET
NS: NS2.3FN.NET

Shared IP:

windows-scannercenter.com - 83.229.251.28 - Moskva - Moscow - Mchost.ru Inc
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created: 21 Sept 2008
NS: NS1.WINDOWS-SCANNERCENTER.COM
NS: NS2.WINDOWS-SCANNERCENTER.COM

onlinetds.info - 216.240.134.211 - California - Irvine - Go2online Corp
ICANN Registrar: Estdomains Inc
Created: 16 Sept 2008
NS: NS1.FREEFASTDNS.COM
NS: NS2.FREEFASTDNS.COM

forcedscan.com - 64.86.17.44 - Ontario - Brampton - Velcom
ICANN Registrar: Onlinenic, Inc
Created: 26 Sept 2008
NS: NS1.FREEFASTDNS.COM
NS: NS2.FREEFASTDNS.COM

3FN.NET - 64.124.84.145 - California - San Jose - Aps Communication
ICANN Registrar: Intercosmos Media Group, Inc D/B/A directnic.com
Created: 2 Sept 2002
NS: NS5.3FN.NET
NS: NS8.3FN.NET

FREEFASTDNS.COM
ICANN Registrar: Onlinenic, Inc
Registrant, "Igor Goroshko", Moscow, RU
Created 17 Sept 2008
NS: NS1.FREEFASTDNS.COM (91.203.92.47)
NS: NS2.FREEFASTDNS.COM (77.244.220.138)

NS1.FREEFASTDNS.COM (91.203.92.47) - United Kingdom Isp Uatelecom
Reverse IP: protectiononlineinfo.com

protectiononlineinfo.com - 91.203.92.47 - United Kingdom - Isp Uatelecom
ICANN Registrar: Wild West Domains Inc
Created: 8 Sept 2008
NS: NS51.DOMAINCONTROL.COM
NS: NS52.DOMAINCONTROL.COM

NS2.FREEFASTDNS.COM (77.244.220.138) - Russian Federation St. Petersburg Allocation For Our Customer Primenet

77.244.220.%

Adobe Flash 10 does NOT stop malvertizement hijacking

Adobe Flash keeps its title as the "Typhoid Mary of the Internet".

Kimberley has put in some hard yards, and posted a comprehensive article that proves that Flash 10 is NOT stopping SWF malvertizement hijacks.

You can read all about it here:
http://www.bluetack.co.uk/forums/index.php?s=f3bfcacbac0c1eba459283546fb127e9&showtopic=18064&st=150&p=89649&#

"A perfect Flash file is the one that is never loaded by your browser."

"In my eyes the "clipboard jacking" is a minor issue, when you paste some text into your browser, post, blog, document ... you never review what you did write? Redirects are still working, whether they lead to fake online scanners or download an executable. So what has changed ... NOTHING."

Ok, come on Adobe - when are you going to give us a way to turn redirects off ???  There are articles on this blog evidencing the use of crossdomain.xml dated August 2007, and you can be sure that the bad guys were using it before then - it is not a new trick.

Please excuse me while I repeat what I wrote back in February of this year.

"Realistically, the only way that we can stop this problem easily is by PREVENTING the very first redirect - preventing that moment when the malicious banner advertisement on a legitimate web page grabs the user's Web browser and dumps it at a different web site."

Yes, the changes to Flash mean that "the meta-policy default will change from "all" to "master-only" but seriously, what difference does it make?  The moment that a Flash SWF redirects a victim to a domain controlled by the bad guys, the victim is at the mercy of the criminal because "all master policy files (any policy file saved in the root of the domain with the name crossdomain.xml, such as hxxp://example.com/crossdomain.xml) [will] continue to function as expected".
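To make the meta-policy change concrete, here is an added illustration (not from the original post, Kimberley's article or Adobe): a master crossdomain.xml written the pre-Flash 10 way beside one using master-only and a single named domain. The domain ads.example.com is a placeholder. Both files only govern which origins a SWF may load data from; a SWF that simply sends the browser to another site needs no policy file at all, which is exactly why the change does nothing for the redirect problem.

```xml
<!-- Weak: the pre-Flash 10 default. Meta-policy "all" means any
     crossdomain.xml anywhere under this host is honoured, and the
     wildcard lets a SWF from any origin read data from the host. -->
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>

<!-- Tighter: "master-only" (the new Flash 10 default) means only this
     file at /crossdomain.xml is consulted, and only SWFs served from
     the named domain may read data. ads.example.com is a placeholder. -->
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="ads.example.com"/>
</cross-domain-policy>
```

Neither file is consulted when a SWF navigates the browser to a new URL, so a malicious banner that redirects is unaffected by either setting.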

Malvertizing domains: go-scan-pro.com (and friends)...

Hit this one today:

go-scan-pro.com - 78.157.143.184 - Latvia - Vdhost Ltd
ICANN Registrar: REGTIME LTD.
Created on: 7 October 2008
NS: NS1.SITELUTIONS.COM
NS: NS2.SITELUTIONS.COM

Registrant:
   Petr Bernatzik
   Email: feetecho@gmail.com
   Organization: Bernatzik Co
   Address: Dobevska 877/4
   City: Praha
   State: Kamyk
   ZIP: 14300
   Country: CZ
   Phone: +420.60176712
   Fax:

Shared IP:

SITELUTIONS.COM - 69.26.178.224 - New Jersey - Englishtown - Inforelay Online Systems Inc
ICANN Registrar: Enom, Inc
Created: 11 July 2002

Exposure via:
boldmoves.net/modulesBAK/mod_wrap/cnaeldr.html

Note: The browser hijack does not occur if the URL is accessed directly (404 Not Found error), but will occur if the site is accessed via a search engine.

Nasty code (screenshot):

The directory boldmoves.net/modulesBAK/mod_wrap/ is wide open (see screenshot), revealing what must be hundreds of different html files, all dated 11 December 2007.  There is also an IMG subdirectory that contains a couple of image files, and a 0 byte PHP file (xmlrpc.php).

The site's admin and technical contacts have been notified.

Fraudware via SQL injection?

Nope, no surprise there.

Cite: http://blogs.technet.com/mmpc/archive/2008/10/17/sql-injection-new-approach-for-win32-fakexpa.aspx

Check out the exploits being used:

* MDAC remote code execution (MS06-014)
* ShockwaveFlash.ShockwaveFlash.9 exploit
* WebViewFolderIcon setSlice() exploit (MS06-057)
* Msdds.dll exploit (MS05-052)
* Microsoft Works exploit (MS08-052)
* Creative Software AutoUpdate Engine exploit
* Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
* Ourgame GLWorld GLIEDown2.dll exploit
* DirectAnimation.PathControl buffer overflow (MS06-067) 

As for the comment by the blog author, Yuhui Huang, that "when [he] tried the same exploit destination, it had already stopped serving malicious content. When [he] launched the first stage downloader, the control server stopped giving instructions to download the second stage installer. Strange…", some things come to mind.

* IP blocking (it has been known for fraudware/malware sites to only allow malicious behavior once per IP address)

* blocking via cookies

* other content caching

Another Directi registered fraudware domain

It seems to me that Directi is not even close to cleaning up its act, and they certainly don't seem to be keeping away from domains that are used to facilitate the distribution of fraudware.  Just over the past few days I have encountered quicktds.com (which had been registered since 16 Sept), pcvirusbuster.com (registered 7 October), vsemutorba.com (registered on 2 April 2008), quicktds.name (registered 16 September), trap17.com (registered 9 May 2004), orderbox-dns.com (registered 2 July 2004), computinghost.com, trusted-scanner.com (registered 30 September), antivirus-fullscan.com (registered 7 October), and now royalproscan.com.

Here's the problem - this domain was created on 13 October 2008.  It is now 16 October 2008.  The bad guys have had 3 days to make good use of their latest domain.

royalproscan.com (216.240.134.211 - California - Irvine - Go2online Corp)
ICANN Registrar: Directi Internet Solutions
Created: 13 October 2008
NS: DOMISHKO.EARTH.ORDERBOX-DNS.COM (has 37,446 domains)
NS: DOMISHKO.MARS.ORDERBOX-DNS.COM
NS: DOMISHKO.MERCURY.ORDERBOX-DNS.COM
NS: DOMISHKO.VENUS.ORDERBOX-DNS.COM
WHOIS: Hidden behind privacyprotect.org

Fraudware URL:
royalproscan.com/2009/1/freescan.php?id=<<snipped>>
