November 2008 - Posts - Spyware Sucks

Saturday, November 29, 2008 9:53 AM

Spot the similarities

What I am trying to do is show my readers not only where malvertizements are coming from and what they look like, what they do and how they work, but also reveal the ties that bind between the various domains associated with the facilitation of malvertizing. You would be surprised how often the same names, the same Registrars, the same IP addresses (or IP range) are used, and even how often the same words are repeated on web pages at different web sites. The bad guys have always been, to put it bluntly, lazy ... and they were lazy because we let them get away with it.

Below is an example of duplicate content on just two web sites for domains that have been associated with facilitating the distribution of malware via malvertizement. Don't get me wrong - the people behind sites such as this one are not quite as lazy as they used to be, and their grasp of the English language is certainly improved...


Note: "Sunwell Corporation" appears elsewhere on the site, quoted as a "client" of Zappinads. Perhaps coincidentally, there is a Sunwell Corporation website at sunwellcorp.com that was registered via Yesnic (just like Zappinads).

zappinads.com

ICANN Registrar: YESNIC CO. LTD
Created: 29 March 2007
NS1.ZAPPINADS.COM (has 1 domains)
NS2.ZAPPINADS.COM
NS3.ZAPPINADS.COM
NS4.ZAPPINADS.COM
IP: 67.205.103.146 - Canada - Iweb Dedicated Cl
Registrant details: Zappinads Inc (zappinads@yahoo.com)

Reverse IP:

bestadmedia.com, elanads.com, favouriteshop.com, infyte.com, keywordcpv.com, zappinads.com

-----

adtraff.com

ICANN Registrar: TUCOWS INC
Created: 13 April 2007
NS1.ADTRAFF.COM (has 1 domains)
NS2.ADTRAFF.COM
NS3.ADTRAFF.COM
NS4.ADTRAFF.COM
IP: 84.243.252.84 - Netherlands - Gfx-cust-worldstream
Registrant details: Adtraff Inc, moon.serg@gmail.com

-----

Note: A check of the IP range reveals Onlinepromostats.com at IP 84.243.252.86 - that domain was implicated in a malvertizement at photobucket.com

Cite: malvertizing at photobucket.

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet

Saturday, November 29, 2008 9:46 AM

ALERT: change of domain details - newstat.net

Those of us who are regular readers of my blog will know that newstat.net has been associated with malvertizing in the past. Its WHOIS details have recently been changed.

Old details:

Serg
Moon
moon.serg@gmail.com
Krokus str.
Amsterdam
NL
31 334558757

New details:

John Brisbone (larsonown@gmail.com)
Active Solutions
8255 S Michigan Ave
Chicago, IL 60608
US
5676876812

John Brisbone is associated with 3 other domains: aboutstat.net, freeorangestats.com and newstat.net. Note that newstat.net's Website title, at time of writing, is "BurnadsHome", and aboutstat.net's Website title is Uniquads - both are names familiar to the world of malvertizing, as is the name Serg Moon. As you'll see later in this article, burnads.com is now defunct, as is uniqads.com (both have an IP address of 127.0.0.1) and it seems that whoever it was that created the sites for newstat.net and aboutstat.net didn't bother to properly edit the new sites' code :-D

larsonown@gmail.com (which is used in association with several pseudonyms) is associated with 6 domains: aboutstat.net, freeorangestats.com, getmosales.com, newstat.net, sexprofit.com and softwareprofit.com

Let's follow the bouncing ball for a while - take a little peek at the ties that bind the above domains using various tools and services and see what we can find.... for example, we discover a couple of email addresses - admiragroup@yahoo.com and burnads_c@yahoo.com that might be worth a closer look.

We find a copy of other email addresses during our investigation - admiragroup@yahoo.com and burnads_c@yahoo.com. admiragroup@yahoo.com is associated with 6 domains: admiragroup.com, antispyexpert.com, antispyexpertpro.com, getmosales.com, malwarecrash.com and malwarecrashpro.com. burnads_c@yahoo.com is associated with two domains: burnads.com and the infamous netmediagroup.net.

newstat.net	----- ICANN Registrar: TLDS, LLC DBA SRSPLUS Website title: BurnadsHome Created 1 February 2008 NS1.NEWSTAT.NET NS2.NEWSTAT.NET IP: 79.135.187.69 - Turkey - Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti Registrant: John Brisbone (larsonown@gmail.com) Reverse IP - several familiar names here: 7636071.ru \| 9796933.ru \| Advokatus.info \| Allmas.ru \| Audio-knigka.ru \| Audioknigka.ru \| Baza-inform.ru \| Bazainform.ru \| Casino-goldmoney.com \| Cd-dvd-diski.ru \| Dating-s.ru \| Dating-start.ru \| -mag.ru \| Disk-magaz.ru \| Dvdsbornik.net \| Help-nalog.ru \| Kvartira-na-kurorte.ru \| Mag-disk.ru \| Magazin-diskov.ru \| Money-company.ru \| Moneygold-casino.com \| Podarki1.ru \| Sbornikdvd.net \| Seowin.ru \| Site1day.ru \| Spalero.ru \| Spamsoft.ru \| Stkhouse.ru \| Storcvist.ru \| Super-disk.ru \| Vahdom.ru \| Vertu-elite.ru \| Zeuglhaus.ru \| 1000-ga.ru \| 1000site.ru \| Dispetcher.org \| Findfast.ru \| Horoshiy-rezultat.ru \| Kredkart.ru \| Newfindercards.ru \| Vam-pismo.ru \| Vam-pismo.su \| Vibiray-nas.ru \| Sotana.su \| Cashpopup.info \| Cashpopup.net \| Cashpopup.org \| Searchonlineweb.cn \| Casino2009.org \| Rx13.com \| Usdrugstorebest.com \| Abt5.biz \| Email-marketing-easy.com 1 listings 0 listings 1 listings \| Englo.net \| Lux-life.net \| Pornoplanet.biz \| Raskrutika.ru \| Seopaket.ru \| Sexzon.info \| Spytec.biz \| Ventilsys.net \| Pc-protection-center-2008.com \| Afrogruster.com \| Agiromentop.com \| Agrostergio.com \| Akierodentos.com \| Aportobrasok.com \| Atopresorgo.com \| Aviorebato.com \| Awrentoblasgo.com \| Beshragos.com \| Counterprise.com \| Diomertona.com \| Dresmondas.com \| Equalcrowd.ru \| Findsss.com \| Frododkoone.com \| Frododkotwo.com \| Hortesoda.com \| Kierodentos.com \| Kioretions.com \| Kironegas.com \| Kordanoser.com \| Krombustor.com \| Martobare.com \| Massachuret.com \| Miforbalo.com \| Morganiver.com \| Notifisarto.com \| Portobrasok.com \| Rx-online-order.com \| Sohurando.com \| Topresorgo.com \| Twopgoslyso.com \| Viorebato.com \| Wrentoblasgo.com \| Ypsss.com \| Bb-statistics.com \| Bucksbrothers.com \| Clean-master-2008.com \| Av-adv.com \| M-s-a-v-c.com \| Ms-avc.com \| Ms-avcc.com \| Sentrymasterpro.com \| Antivirussentry.com \| Av-ultima.com \| Power-avc.com \| Power-avcc.com \| Pvrantivirus.com \| S-a-v2009.com \| S-av2008.com \| Sav2008.com \| Sy-av.com \| Sysav-pro.com \| Systemavpro.com \| Security-updates-network.com \| Winsecupdates.com \| Hibucks.com \| Moviesforall.info \| Musicscollection.com \| Welovemovie.com \| Xpbooster.net \| Winsecurityupd.com \| Ab-outstat.com \| Index849.com \| Index938.com \| Aboutstat.net \| Newstat.net \| 69loadz.com \| Mloadsbiz.com \| Ab-outstat.net \| Officialstat.net \| Ne-wstat.net \| Of-ficialstat.com \| Statgroup.net \| Of-ficialstat.net \| St-at-diagnostic-imaging.net \| St-atgroup.net \| Staticglobalsources.net \| Mldsbiz.com \| Station-appraisals.com \| St-athisranch.com \| St-athisranch.net \| St-athome.net \| St-aticglobalsources.com \| St-aticglobalsources.net \| St-ation-appraisals.com \| St-ation-appraisals.net \| S-tatetstr.com \| St-atetstr.com \| S-tathisranch.com \| S-tathisranch.net \| S-tatgroup.net \| Freeorangestats.com ----------
aboutstat.net	ICANN Registrar: TLDS, LLC DBA SRSPLUS Website title: UniqAds Created 1 February 2008 NS1.ABOUTSTAT.NET NS2.ABOUTSTAT.NET IP: 79.135.187.68 - Turkey - Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti Registrant: John Bisbone, Active Solutions (larsonown@gmail.com) Reverse IP - see aboutstat.net. ----------
freeorangestats.com	ICANN Registrar: TLDS, LLC DBA SRSPLUS Website title: None given Created 3 October 2008 NS1.FREEORANGESTATS.COM NS2.FREEORANGESTATS.COM IP: 79.135.187.94 - Turkey - Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti Registrant: John Bisbone, Active Solutions (larsonown@gmail.com) Reverse IP - see aboutstat.net. ----------
getmosales.com	ICANN Registrar: TLDS, LLC DBA SRSPLUS Website title: GetMoSales - About Meta Description: SoftwareProfit - affiliate software application. Earn money with the leading security software WinAntiVirus PRO 2006 and WinAntiSpyware 2006 Created 7 April 2008 (note meta description refers to 2006 fraudware) NS1.GETMOSALES.COM NS2.GETMOSALES.COM NS3.GETMOSALES.COM NS4.GETMOSALES.COM IP: 67.205.102.229 - Canada - Iweb Dedicated Cl Registrant: Billy A Schmitt (admiragroup@yahoo.com) - associated with 6 other domains Admin Contact: Jason Lawrence (larsonown@gmail.com) ----------
sexprofit.com	ICANN Registrar: TUCOWS, INC Website title: Sexprofit v2.0 Created 11 May 2002 NS1.SEXPROFIT.COM NS2.SEXPROFIT.COM NS3.SEXPROFIT.COM NS4.SEXPROFIT.COM IP: 213.189.9.106 - Noord-holland - Amsterdam - Trancepitt Services Registrant: Adult Profit Inc, Carl Morrow (larsonown@gmail.com) ----------
softwareprofit.com	ICANN Registrar: TUCOWS, INC Website title: Free online security software affiliate program - Softwareprofit Meta Description: Free online affiliate program. Earn up to $30 per sale from your web site on any kind of traffic Created 12 July 2000 NS1.SOFTWAREPROFIT.COM NS2.SOFTWAREPROFIT.COM NS3.SOFTWAREPROFIT.COM NS4.SOFTWAREPROFIT.COM IP: 84.243.252.175 - Netherlands - Gfx-cust-worldstream Registrant: Softbuilder INC, Gary Berton (larsonown@gmail.com) ----------
burnads.com	ICANN Registrar: YESNIC CO. LTD Website title: None given Created 29 June 2006 NS1.BURNADS.COM NS2.BURNADS.COM NS3.BURNADS.COM NS4.BURNADS.COM IP: 127.0.0.1 Registrant: Ines Hadden (burnads_c@yahoo.com) ----------
uniqads.com	ICANN Registrar: TUCOWS INC Website title: None given Created 27 April 2007 NS1.UNIQADS.COM NS2.UNIQADS.COM NS3.UNIQADS.COM NS4.UNIQADS.COM IP: 127.0.0.1 Registrant: UniqAds, moon.serg@gmail.com ----------
admiragroup.com	ICANN Registrar: TLDS, LLC DBA SRSPLUS Created: 19 October 2007 NS1.ADMIRAGROUP.COM.LAMEDELEGATIONSERVERS.COM (has 261 domains) NS2.ADMIRAGROUP.COM.LAMEDELEGATIONSERVERS.COM NS3.ADMIRAGROUP.COM.LAMEDELEGATIONSERVERS.COM NS4.ADMIRAGROUP.COM.LAMEDELEGATIONSERVERS.COM IP: Domain On Hold Registrant details: Billy A. Schmitt (admiragroup@yahoo.com) -----
antispyexpert.com	ICANN Registrar: TLDS, LLC DBA SRSPLUS Created: 2 April 2008 NS1.ANTISPYEXPERT.COM (has 1 domains) NS2.ANTISPYEXPERT.COM NS3.ANTISPYEXPERT.COM NS4.ANTISPYEXPERT.COM IP: 89.18.181.13 - Noord-holland - Amsterdam - Ion Registrant details: Billy A. Schmitt (admiragroup@yahoo.com) IP Range: 89.18.181.% - lots of fraudware-esque domains: Advancedprivacyguard.com \| Advancedprivacyguard2008.com \| Advancedprivacyguardpro.com \| Advancedprivacyguardsolution.com \| Advancedprivacyguardtool.com \| Advancedprivacysuite.com \| Advancedprivacysuite2008.com \| Advancedprivacysuite2009.com \| Advancedprivacysuitepro.com \| Antispyexpert.com \| Antispyexpertpro.com \| Antispywareexpert-scanner.com \| Antispywareexpert-solution.com \| Antispywareexpert-system.com \| Antispywareexpertpro.com \| Bestpcprivacycleaner.com \| Cyberadvancedprivacysuite.com \| Globaladvancedprivacyguard.com \| Globaladvancedprivacysuite.com \| Pc-cleanerpro.com \| Pcadvancedprivacyguard.com \| Pcadvancedprivacysuite.com \| Pcprivacycleaner.com \| Pcprivacycleanerpro.com \| Personalpccleaner.com \| Spywareremover2009pro.com \| Swiftpcprivacycleaner.com \| Yourpcprivacycleaner.com -----
antispyexpertpro.com	ICANN Registrar: TLDS, LLC DBA SRSPLUS Created: 2 April 2008 NS1.ANTISPYEXPERTPRO.COM (has 1 domains) NS2.ANTISPYEXPERTPRO.COM NS3.ANTISPYEXPERTPRO.COM NS4.ANTISPYEXPERTPRO.COM IP: 89.18.181.13 - Noord-holland - Amsterdam - Ion Registrant details: Billy A. Schmitt (admiragroup@yahoo.com) -----
malwarecrash.com	ICANN Registrar: TLDS, LLC DBA SRSPLUS Created: 2 April 2008 NS1.MALWARECRASH.COM (has 1 domains) NS2.MALWARECRASH.COM NS3.MALWARECRASH.COM NS4.MALWARECRASH.COM IP: 89.238.137.75 - United Kingdom - Paradigm Systems Inc Registrant details: Billy A. Schmitt (admiragroup@yahoo.com) Reverse IP: antimalwareguard.com, antimalwareguardpro.com, antimalwaremasterpro.com, antispywareguard.com, antispywareguardpro.com, malwarecrash.com, malwarecrashpro.com -----
malwarecrashpro.com	ICANN Registrar: TLDS, LLC DBA SRSPLUS Created: 2 April 2008 NS1.MALWARECRASHPRO.COM (has 1 domains) NS2.MALWARECRASHPRO.COM NS3.MALWARECRASHPRO.COM NS4.MALWARECRASHPRO.COM IP: 89.238.137.75 - United Kingdom - Paradigm Systems Inc Registrant details: Billy A. Schmitt (admiragroup@yahoo.com) -----
netmediagroup.net	ICANN Registrar: YESNIC CO. LTD Created: 2 June 2006 NS1.NETMEDIAGROUP.NET (has 1 domains) NS2.NETMEDIAGROUP.NET NS3.NETMEDIAGROUP.NET NS4.NETMEDIAGROUP.NET IP: 127.0.0.1 Registrant details: Martin Such (burnads_c@yahoo.com) -----

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet

Wednesday, November 26, 2008 10:18 AM

Directi has taken over Estdomains' Registrar operations

Announcement:
http://www.icann.org/en/announcements/announcement-25nov08-en.htm

It is important to note that Estdomains designated Directi as its successor. This is despite the fact that Directi apparently dumped Estdomains as a client a while back (see "Historical Stuff" below).

It will be very interesting to watch developments going forward. What Registrar will the fraudsters use from now on? Will Directi audit the domains that have been passed on to them? How fast (or slow) will takedowns be? Will they red flag and audit domains associated with email addresses which use multiple pseudonyms, or pseudonyms that use multiple email addresses (like these?) (btw, don't assume that these are used for Estdomain/Directi registered domains - they're examples of what the bad guys do):

Historical stuff:

28 August 2008
Washington Post - Hostexploit - Report slams US host as major source of badware (Atrivo) - mentions Directi
http://hostexploit.blogspot.com/2008/08/report-slams-us-host-as-major-source-of.html

3 September 2008
The Register - Anonymous domain registration nixed amid fraud complaints
http://www.theregister.co.uk/2008/09/03/directi_strikes_back/

6 September 2008
Hostexploit - Atrivo - Cyber Crime US Report - update 090608 - Directi take action
http://hostexploit.blogspot.com/2008/09/atrivo-cyber-crime-usa-report-update.html

7 September 2008
Hostexploit - Joint statement from Directi, HostExploit and Kunujon
http://hostexploit.blogspot.com/2008/09/joint-statement-from-directi.html

8 September 2008
A Superlative Scam and Spam Site Registrar - includes a section entitled "The Role of Directi"
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html

Domains registered at Directi that have been listed in URIBL - URIBL lists domains that appear in spam (Note: 830 domains have been listed in my URIBL RSS Feed of Directi domains that have appeared in spam since the afternoon of 18 September 2008)
http://rss.uribl.com/nic/DIRECT_INFORMATION_PVT_LTD_D_B_A_PUBLICDOMAINREGISTRY_COM.html

18 October 2008
Directi blog - Action against registry services abuses
http://blog.directi.com/0-directi/actions-against-registry-services-abuse-%E2%80%93-report-oct-2008-hostexploit-and-directi/

Various dates
Mention of Directi at rbn.blogspot.com
http://rbnexploit.blogspot.com/search?q=directi

Various dates
Mention of Directi at knujon.com
http://www.knujon.com/news.html#directi

Posted by sandi with no comments

Filed under: Technology

Monday, November 24, 2008 8:54 AM

ALERT: Malvertizement at Expedia.com

Expedia have been alerted.

Details here:
http://www.mikeonads.com/2008/11/23/malvertisement-on-expediacom/

It looks identical to the malvert at allrecipes.com discussed here:
http://www.bluetack.co.uk/forums/index.php?s=6152c183e90c1f780588775106ba8be6&showtopic=18064&st=180&p=89945&#

Some of the same domains are used, prolinar.com and clicksoverview.com. The fraudware domain is also the same, antivirusdefense.com.

prolinar.com	ICANN Registrar: ESTDOMAINS Created: 18 November 2008 NS57.1AND1.COM NS58.1AND1.COM IP: 74.208.131.124 - United States - 1&1 Internet Inc Registrant: Thomas Schultz (ts8317@googlemail.com)
vernariostar.com	ICANN Registrar: NETFIRMS INC Created: 20 November 2008 NS1.NETFIRMS.COM NS2.NETFIRMS.COM IP: 38.113.185.172 - United States - Performance Systems International Inc Registrant: No WHOIS details <?>
triesto.com	ICANN Registrar: ESTDOMAINS INC Created: 20 November 2008 NS57.1AND1.COM NS58.1AND1.COM IP: 74.208.131.124 - United States - 1&1 Internet Inc Registrant: Andy Borman, Copress (andyborm@googlemail.com)
clicksoverview.com	ICANN Registrar: BIZCN.COM, INC Created: 11November 2008 NS1.FREEFASTDNS.COM NS2.FREEFASTDNS.COM IP: 69.10.44.207 - United Kingdom - Innovation It Solutions Corp Registrant: Arina Zubina (cndomainz@yahoo.com)
antivirusdefense.com	ICANN Registrar: BIZCN.COM, INC Created: 13 November 2008 NS1.FREEYOURDNS.COM NS2.FREEYOURDNS.COM IP: 64.20.38.90 - Arizona - Phoenix - Interserver Inc Registrant: Aleksey Kononov (cndomainsz@yahoo.com)
freeyourdns.com	ICANN Registrar: BIZCN.COM, INC Created: 4 November 2008 NS1.FREEYOURDNS.COM (84.243.196.136) (Netherlands Grafix Internet B.v) NS2.FREEYOURDNS.COM (64.86.17.44) (Canada Brampton Velcom) IP: 64.20.38.90 - Arizona - Phoenix - Interserver Inc Registrant: Evgeny Makarov (cndomainz@yahoo.com) 84.243.196.136: antivirus-scan-online.com ns1.freeyourdns.com privateinfoclick.com protectionlive-scan.com quickscanpc.com totalantivirusscan.com 64.86.17.44: clickwww2.com forcedscan.com ns2.freefastdns.com ns2.freeyourdns.com
freefastdns.com	ICANN Registrar: ONLINENIC, INC Created: 17 September 2008 NS1.FREEFASTDNS.COM (91.203.92.47) (United Kingdom Isp Uatelecom ) NS2.FREEFASTDNS.COM (64.86.17.44) (Canada Brampton Velcom) IP: "On Hold" Registrant: Goroshko Igor (alexvasiliev1987@cocainmail.com) 91.203.92.47: liveupdateservice.cn ns1.mysecuritysupport.com protectiononlineinfo.com totalantivirusscan.com travelmaxinside.cn 64.86.17.44: clickwww2.com forcedscan.com ns2.freefastdns.com ns2.freeyourdns.com

I also see that a domain 247-realmedia.com is sharing IP address with prolinar.com - it is also sharing Registrant details - could it be that the purpose of the domain is to impersonate the real 247realmedia?

ICANN Registrar: ESTDOMAINS
Created: 18 November 2008
NS57.1AND1.COM
NS58.1AND1.COM
IP: 74.208.131.124 - United States - 1&1 Internet Inc
Registrant: Thomas Schultz (ts8317@googlemail.com)

Posted by sandi with 2 comment(s)

Filed under: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits

Saturday, November 22, 2008 9:30 AM

The Julie Amero saga is finally over

But, she had to agree to plead guilty to a misdemeanor charge of "disorderly conduct", to finally see an end to her nightmare. She had to pay a fine of $100 and give up her license to teach in Connecticut.

Cite: http://sunbeltblog.blogspot.com/2008/11/breaking-julie-amero-horror-is-over.html

The Prosecutor, David Smith, added insult to injury by saying to the Court that he felt that they still had a case and that they were only allowing an end to proceedings because of Julie's declining health. It seems to me that Mr Smith is doing one of two things - he is trying to save face (good luck with that) or he still really doesn't get it. The way that this sage ended makes me fear that what happened to Julie may happen again.

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet, Technology

Friday, November 21, 2008 9:53 AM

Fraudware detected on 994,061 computers

As reported by Microsoft:
http://blogs.technet.com/mmpc/archive/2008/11/19/msrt-review-on-win32-fakesecsen-rogues.aspx

The figures relate to what Microsoft has labelled "Win32/FakeSecSen". That figure does not (I think) encompass all of the fraudware (fake security software) products that are out there.

Just imagine, if you will, if just 1% of the owners of those detected machines were fooled into buying the fraudware software at $40 a pop - that's $397,624.40 in illicit income garnered by the crooks. When we take into account the fact that billing services such as the (now defunct?) Bucksbill were regularly accused of double-charging victim's credit cards, then we're looking at an illicit income of $795,248.80.

Scary, isn't it. Is it any wonder the crooks behind malvertizing are so persistent?

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet

Friday, November 21, 2008 6:12 AM

ALERT: Malvert at allrecipes.com

Kimberley isn't happy... and I can understand her frustration:
http://www.bluetack.co.uk/forums/index.php?s=7d7ef61461f02f49b016aa0af2e61fce&showtopic=18064&st=180&p=89945&#entry89945

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits

Thursday, November 20, 2008 9:18 AM

Update about plans for Internet Explorer 8

This announcement was posted to the IE Team Blog a short while ago:

"We will release one more public update of IE8 in the first quarter of 2009, and then follow that up with the final release. Our next public release of IE (typically called a “release candidate”) indicates the end of the beta period. We want the technical community of people and organizations interested in web browsers to take this update as a strong signal that IE8 is effectively complete and done. They should expect the final product to behave as this update does. We want them to test their sites and services with IE8, make any changes they feel are necessary for the best possible customer experience using IE8, and report any critical issues (e.g., issues impacting robustness, security, backwards compatibility, or completeness with respect to planned standards work). Our plan is to deliver the final product after listening for feedback about critical issues.

We will be very selective about what changes we make between the next update and final release. We will act on the most critical issues. We will be super clear about product changes we make between the update and the final release.
The call to action now for the technical community is to download beta 2 (if you haven’t already) and let us know about your experience. Next, please prepare for final testing with public update so you can let us know – quickly, loudly, and clearly – if you find absolutely critical issues with it before the release of the final product."

Cite: http://blogs.msdn.com/ie/archive/2008/11/19/ie8-what-s-after-beta-2.aspx

Where to report problems:

The newsgroups:
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.internetexplorer.beta&cat=en_us_2BAF8EC5-645C-4477-A380-0F1CF6C102F9&lang=en&cr=us

Report a web page problem:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a950a427-d16c-4379-b641-2f319a69f70d&displaylang=en

The IE8 Beta Feedback web site (you will need to log in):
http://connect.microsoft.com/

Posted by sandi with 1 comment(s)

Filed under: Internet Explorer 8

Thursday, November 20, 2008 8:18 AM

Software Package Supplied By Lenovo Contained Malware

Yep, yet another quality assurance/security procedure breakdown.

Via Cyberinsecure:
http://cyberinsecure.com/software-package-supplied-by-lenovo-contained-malware/

And ZDNET:
http://blogs.zdnet.com/security/?p=2203

"The malicious file was identified by Microsoft as Win32/Meredrop, a Trojan dropper that is used to install and execute multiple malicious executables on an infected computer. Other anti-virus vendors are detecting the threat as a virus or a porn dialer."

Posted by sandi with no comments

Filed under: Vulnerabilities, viruses and exploits

Wednesday, November 19, 2008 7:10 AM

ALERT: Two malvertizements seen at Spaces (not skydrive) and Hotmail...

Edit: BTW, it is Spaces and Hotmail - I haven't seen the malvert at Skydrive yet.

Kimberley saw the first one, a malvertizement featuring perfectmatch.com:

I have discovered another malvertizement featuring IMIN - we have seen this advert several times in recent days in different places:

Details of hijack:

IMIN malvertizement undetectable using adopstools
http://www.adopstools.com/index.asp?page=quicklink&id=j5WPzf37aZeMUVbT

Encrypted dynamic text in use

Hash: 11c8f432a9e70c56a171ddfa9df43a3a

Refers victims user to this URL (SWF disguised as GIF)
optimizedby.net/__utm.gif?<<snipped>>

Scans malicious at adopstools
http://www.adopstools.com/index.asp?page=quicklink&id=8010nJ21nJm6q02M

Hash: d730fba801a56311f9cf73587826821a

Leads victim fraudware domains, including windows-scannercenter.com/?id=<<snipped>>

optimizedby.net

ICANN Registrar: Regtime Ltd
Created 26 August 2008
NS1.OPTIMIZEDBY.NET (has 1 domain)
NS2.OPTIMIZEDBY.NET
Registrant: Sergey Bolshakov (serg.bolshakov@mail.ru)
IP: 212.95.32.166 - Netdirekt E.k

windows-scannercenter.com

ICANN Registrar: Directi
Created 21 September 2008
NS1.WINDOWS-SCANNERCENTER.COM (has 1 domain)
NS2.WINDOWS-SCANNERCENTER.COM
Registrant: Ali Said (kanobeliz@googlemail.com)
IP: 83.229.251.28 - Moskva - Moscow - Mchost.ru Inc

Domains sharing IP range 83.229.251.%

Posted by sandi with 2 comment(s)

Filed under: Vulnerabilities, Security, safety and privacy on the Internet, viruses and exploits

Tuesday, November 18, 2008 5:30 PM

Would you class this as a threat?

I received an interesting email via the contact facility for this blog. You can see a screenshot of the email to the left of screen.

A Russian-speaking associate tells me that the email text translates as:

"You, dummy, aren't you worried about your skin? F u c k you."

Nice. It seems that I may have upset somebody.

What is ironic is that the email was filtered to my junk mail folder. The only reason I saw it is because the amount of spam that I receive is so low at the moment, thanks to the shutdown of McColo, and Atrivo/Intercage before them, that I have time to take a quick look at what is in the junk mail folder before emptying it. Normally stuff in that folder is deleted sight unseen.

Posted by sandi with 4 comment(s)

Filed under: Admin announcements, Off topic

Tuesday, November 18, 2008 3:37 PM

ALERT: Malvertizement being displayed by photobucket

Kimberley wrote about a malvertizement featuring apartmentguide.com the other day that was/is being displayed on photobucket.com. In that case, the malvert was touching the domains st-ation-appraisals.com, profitabill.com, webstatsmaster.com, windowslovingyou.com and antivirusonlivescan.com.

I found another sample today (screenshot above) that was being displayed elsewhere - photobucket is certainly not the only victim (Adopstools test results).

The malvertizement touches a URL at of-ficialstat.net. This URL, in turn, will (if the victim's computer passes various checks) redirect the victim to profitabill.com/?cmpid=violencein. From there we end up at various fraudware sites:

scanner.rapidantivir.com
pro-scan-online.com
scan.scannerantispyware.com (this one is particularly nasty - it is impossible to close without shutting down the IE process using Task Manager, and it displays multiple pornographic pictures - I have moved the dialogue box to obscure most of what was on display at the time the screenshot)
sgscanner.com

Other domains that used to facilitate the hijacking include:

soft-traff6.com
softwareclicks3.com
srv1.e-statist.com

Let's take a close look at all of the domains associated with the domains that are facilitating browser hijackings, and the distribution of fraudware. All domains should be treated with extreme caution.

There is a lot of information in the table below, and it makes for interesting reading if you happen to be tracking malvertizing and those behind it. For example, our old friend Serg Moon is moving a lot of stuff to sistemnet, and he seems to be devoid of inspiration when it comes to thinking up new domain names - many are simply pre-existing domains with a hypen added, and WHOIS details are being tweaked to remove or hide any reference to Serg (unless you happen to have access to historical WHOIS records, of course).

of-ficialstat.net	ICANN Registrar: Enom Inc Created 10 October 2008 NS1.of-ficialstat.net NS2.of-ficialstat.net IP: 79.135.187.75 (Turkey - Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti) Registrant: Sergey Belonozhko, ITmeter Inc, sergbelo@gmail.com (owns 40 domains)
profitabill.com	ICANN Registrar: Enom Inc Created 25 March 2008 NS1.PROFITABILL.COM NS2.PROFITABILL.COM NS3.PROFITABILL.COM NS4.PROFITABILL.COM IP: 213.189.9.228 (Noord-holland - Amsterdam - Trancepitt Services ) Registrant: Serg Moons, noo (owns 75 domains) moon.serg@gmail.com (associated with 104 domains)
scanner.rapidantivir.com	ICANN Registrar: INTERNET.BS CORP Created 17 November 2008 NS1.RAPIDANTIVIR.COM NS2.RAPIDANTIVIR.COM IP: 91.208.0.200 (Russian Federation - Still Trade Ltd) Registrant: Private Whois Service (owns about 1,047 other domains) Reverse IP: extraantivir.com, rapid-antivirus.com, rapidantivirus.com
pro-scan-online.com	ICANN Registrar: BIZCN.COM, INC. Created 4 November 2008 NS1.FREEFASTDNS.COM NS2.FREEFASTDNS.COM IP: 89.149.237.151 (Germany - Netdirekt E.k) Registrant: Fedor Ibragimov, cndomainz@yahoo.com
scan.scannerantispyware.com	ICANN Registrar: REGTIME LTD Created 23 September 2008 NS1.NAMESELF.COM NS2.NAMESELF.COM IP: 195.161.113.218 (Russian Federation Moscow Rtcomm.ru Network) Registrant: Mychal Loughran (mychal.loughran@gmail.com) - owns 1 other domain Reverse IP: bashservice.com, med4u.ru, risku.net, spasibo.net, tempstroi.com
sgscanner.com	ICANN Registrar: REGTIME LTD Created 24 October 2008 NS1.SGSCANNER.COM NS2.SGSCANNER.COM IP: 116.50.14.185 (Hong Kong - Hostfresh) Registrant: Vrenk Tihomil (gray444371@gmail.com) - owns 1 other domain Reverse IP: getsq2008.com, gosq2008.com, sqscanner.com, spyguard2008.com
soft-traff6.com	ICANN Registrar: INTERNET.BS CORP Created 24 October 2008 NS1.SOFT-TRAFF6.COM NS2.SOFT-TRAFF6.COM IP: 91.208.0.224 (Russian Federation - Still Trade Ltd) Registrant: Private Whois Service Reverse IP: soft-traff2.com, soft-traff3.com, soft-traff4.com, soft-traff5.com, soft-traff6.com, soft-traffic.com
softwareclicks3.com	ICANN Registrar: BIZCN.COM, INC. Created 6 November 2008 NS1.FREEFASTDNS.COM NS1.FREEFASTDNS.COM IP: 78.157.142.222 (Latvia - Vdhost Ltd) Registrant: Vitaly Skvorcov (gpdomains@yahoo.com - associated with 39 domains)
srv1.e-statist.com	ICANN Registrar: INTERNET.BS CORP. Created 10 September 2008 NS1.E-STATIST.COM NS2.E-STATIST.COM IP: 207.226.175.78 (Virginia - Mc Lean - Beyond The Network America Inc) Registrant: Sawert Alliance (seodancer@gmail.com)
Still Trade Ltd IP Range: 91.208.0.%	55 domains - all of which should be treated with extreme caution. Still-trade.com \| Extraantivir.com \| Rapid-antivirus.com \| Rapidantivirus.com \| Erocub.ru \| Foto4u.biz \| Foto4u.org \| Meta31.com \| Seresult.com \| Micro-antiv2009.com \| Micro-antivir-2009.com \| Micro-antivir2009.com \| Micro-antivirus-2009.com \| Micro-av-2009.com \| Micro-av2009.com \| Microantivir-2009.com \| Microantivir2009.com \| Microantivirus-2009.com \| Microantivirus2009.com \| Microav2009.com \| Ultraantivirus2009.com \| Soft-traff2.com \| Soft-traff3.com \| Soft-traff4.com \| Soft-traff5.com \| Soft-traff6.com \| Soft-traffic.com \| Milstroncorporation.com \| Myspacesmiley.net \| Ms-scan.com \| Ms-scanner.com \| Msscanner.com \| Msantivirus-xp.com \| Free-host4u.com \| Vit-x-scan.com \| Vit-x-scanner.com \| Spywatchepromo.com \| Vav2008.com \| Privat-watcher.com \| Blog-antivirus.com \| Spyware-blog.com \| Pornonod.com \| Softtraff.com \| Software-traff.com \| Software-traffic.com \| Softwaretraff.com \| Vav-scan.com \| Vav-scanner.com \| Vav-x-scan.com \| Vav-x-scanner.com \| Vavscan.com \| Softsellout.com \| Defender-scan.com \| Anvi-scan.com \| Vistaguard.com
Hostfresh IP Range: 116.50.14.%	8 domains - all of which should be treated with extreme caution quicksilverscreen.com, getsq2008.com, gosq2008.com, sqscanner.com, spyguard2008.com, em-globalnet.com, em-pay.com, isk118.net
Netdirekt IP Range: 89.149.237.%	159 domains: Optidee.net \| Promo-company.com \| Promo-company.net \| Promo-company.org \| Promotion-network-company.de \| Pronetcom.de \| 1000fondosescritorio.com \| 1diccionario.com \| 1trucosjuegos.com \| 8888casinos.com \| A9euros.com \| Animea9euros.net \| Aquibisexuales.com \| Aquicasinos.com \| Aquijovencitas.com \| Aquilesbianas.com \| Aquisexoanal.com \| Aquitransexuales.com \| Aquiwebcams.com \| Audicionporno.net \| Avataresmix.com \| Bajarpeliculasx.com \| Bajarvideosxxx.com \| Britneyspearspage.com \| Bromeate.com \| Buscadorsex.com \| Buscarcontactos.com \| Buscarsexogratis.com \| Buscarvideosgratis.com \| Buscarvideosporno.com \| Buscoamigos.net \| Camarasmsn.com \| Casinofreemix.com \| Casinopokerocean.com \| Casinosdeeuropa.com \| Casinosen.com \| Casinostrucos.com \| Casinotitanpoker.com \| Cassino888.com \| Daniela-ricky.com \| Descargadvds.net \| Descargarvideosyoutube.com \| Donwloadsoft.com \| Dvd-explorer.org \| Dvdboys.net \| Dvdshentai.net \| Encuentrosmix.com \| Encuentrosmsn.net \| Famosas.ws \| Fiestaentaxi.com \| Fondoseroticos.com \| Forodeprogramas.com \| Forosdecasinos.com \| Forumsexe.net \| Fotosdebeckham.com \| Fotosdekeyra.com \| Fotosdemoviles.com \| Fotosdepollas.org \| Fotosmsn.com \| Galeriasprivadas.com \| Galleriesview.com \| Gayasiaticos.com \| Gayfollando.es \| Hotelesen.net \| Itopcasinos.com \| Jovencitas9euros.com \| Jovencitasconwebcam.com \| Juegosgratisporno.com \| Juegospornogratis.com \| Maduraswebcam.net \| Megapollas9euros.com \| Negras9euros.com \| Negrosperforandorubias.net \| Paginasdecasinos.com \| Paginasdecasinos.net \| Paseinlimitado.com \| Pelisdejaponesas.net \| Pollasygay.com \| Pornopeliculasx.com \| Programas.us \| Putasconwebcam.net \| Putasconwebcam.org \| Queculomorena.net \| Quevideochat.com \| Quierofollar.net \| Recherchefree.com \| Recherchexsexe.com \| Red7000.com \| Resetas.us \| Ruletatrucos.com \| Sado9euros.com \| Salidasx.com \| Searchfreecasino.com \| Searchofsearch.com \| Sepuedeganaralcasino.com \| Sexoconvisa.com \| Sexoeneltaxi.com \| Sexoregratis.com \| Smsx.us \| Solonegrosgays.com \| Solopenes.com \| Superbingos.com \| Tangas.us \| Testadsl.com.es \| Tiosfollando.es \| Tragaperrastrucos.com \| Transexualeswebcam.es \| Trucosderuleta.com \| Turismoviajar.com \| Tuvideogratis.com.es \| Tvredmix.com \| Verfamosas.com \| Vervideosxxx.com \| Videochatinteractivo.net \| Videochatporno.com.es \| Videosdesexo.com.es \| Videosmaduras.com.es \| Videosmotoscoches.com \| Videospornoenmp4.net \| Videospornomp4.com \| Videospornoslargos.com \| Videosywebcams.com \| Votamisfotos.com \| Webcamsdelmessenger.org \| Webdehoteles.com \| Webdemujer.com \| Websdecasinos.com \| Willy2003.com \| X-es.net \| Yaagle.com \| Zhostx.com \| Zonaprivadax.com \| Tansien.net \| Addleader.de \| Gas-vermittlung.de \| Reporter24.de \| Stromvermittlung.de \| Denisio.net \| Fuffacorp.com \| Linuxcdstore.it \| Margheritadisavoia.org \| Mattyleroy.com \| Patessa.org \| Simonevendemia.com \| Benzera.info \| Curveri.info \| Decevest.info \| Deseront.info \| Ducele.info \| Ectais.info \| Fiertrio.info \| Fiteri.info \| Grumoan.info \| 12attach.net \| Ehappyhalloween.com \| Searchsiteis.net \| Sidingofuniq.com \| Zar.kim.name \| Rss-portal.de
Vdhost Ltd IP Range: 78.157.142.%	386 domains: Ahuetdoor.biz \| Ahuetdoor.net \| Ahuetdoor.us \| Alconaftov.net \| Alternativedoors.us \| Answerdoors.net \| Answerdoors.us \| Atlanta-doors.net \| Atlanta-doors.us \| Atom-x-doors.net \| Atom-x-doors.us \| Awesome-doors.net \| Awesome-doors.us \| Axrenitel-mozga.net \| Axrenitel-mozga.us \| Best-of-traff.net \| Best-of-traff.us \| Bestdomen47.com \| Bestdomen47.net \| Bestdoor.info \| Bestdoordown.com \| Bestdoorsite.com \| Besthappy.net \| Bestmoneymake.info \| Bestprohost.com \| Besttomoney.com \| Besttomoney.net \| Betatraff.info \| Bfmdoors.net \| Bfmdoors.us \| Bwsttraffick.com \| Bwsttraffick.us \| Carsdoor.com \| Cashdoor.info \| Citysearchonline.net \| Coolcarsportal.com \| Cooldoorsite.com \| Cooldoorworld.com \| Cooltraff.info \| Corp-inc.net \| Detailed-search.com \| Domenmoney.net \| Domenstar47.com \| Domenstar47.net \| Doordoors.com \| Doorppcpc.com \| Doors-neutron.net \| Doors-neutron.us \| Doors-proton.net \| Doors-proton.us \| Doors-x-atom.net \| Doors-x-atom.us \| Doorsfromatlanta.net \| Doorsfromatlanta.us \| Doortestdomain.com \| Doorway47.net \| Doorwaydomains.net \| Dreads47.net \| Dreads47.us \| Ebladoor.biz \| Ebladoor.net \| Ebladoor.us \| Fastbaks.com \| Find4money.info \| Findnf.net \| Gavnodoor.biz \| Gavnodoor.net \| Gavnodoor.us \| Genericviagraman.com \| Gggtraff.info \| Goblin-zlo.net \| Goblin-zlo.us \| Gooddoors.info \| Greatbiz47.com \| Greatbiz47.net \| Happymanual.com \| Heradoor.biz \| Heradoor.net \| Heradoor.us \| Hrenppc.com \| Huynyadoor.com \| Inherein.com \| Iwillhappy.com \| Iwillrich.com \| Iwillrichy.com \| Iwillrichy.net \| Justmake-money.net \| Justmake-money.us \| Money47.net \| Moneydomen.com \| Moneyforcar47.com \| Moneyforcar47.net \| Moneyggtraff.info \| Moredoors.info \| Mozg-na-polke.net \| Mozg-na-polke.us \| Mycoolportal.com \| Neutron-doors.net \| Neutron-doors.us \| Paper-keyword.net \| Paper-keyword.us \| Pcppcdoor.com \| Pharmacy-cheap.net \| Pizdadoor.biz \| Pizdadoor.net \| Pizdadoor.us \| Poebendoor.com \| Populardoor.com \| Ppc-materials.com \| Ppcdooerrr.com \| Ppcdoorway.com \| Ppcedoor.com \| Ppcsdoor.com \| Proton-doors.net \| Proton-doors.us \| Rabbit-speed.net \| Rabbit-speed.us \| Rabota-volk.net \| Rabota-volk.us \| Selltocash.net \| Septembermoney.com \| Septembermoney.net \| Showmoney47.com \| Showmoney47.net \| Speed-rabbit.us \| Sportsppc.com \| Starbiz47.com \| Starbiz47.net \| Stardomen.net \| Stardomen47.com \| Stardomen47.net \| Stimultowork.net \| Stokekey.info \| Stolppc.com \| Stopthewar-x.net \| Stopthewar-x.us \| Storyofdoors.net \| Storyofdoors.us \| Supercoolportal.com \| Sweettraff.info \| Thecoolportal.com \| Thedoorservice.com \| Trackdoors.net \| Trackdoors.us \| Traffick-x-doors.net \| Traffick-x-doors.us \| Triton-doors.net \| Triton-doors.us \| Troy-doors.net \| Troy-doors.us \| Willhappy.net \| X-aristoteldoors.net \| X-aristoteldoors.us \| X-corn.com \| X-die.com \| X-dish.com \| X-farming.com \| X-improve.com \| X-money-doors.net \| X-money-doors.us \| X-proton-x.net \| X-proton-x.us \| X-provisions.com \| X-question-x.net \| X-question-x.us \| X-reader.com \| X-recreation.com \| X-transite.com \| Ximprove.com \| Xprovisions.com \| Xrecreation.com \| Xtransite.com \| Xx-agency.com \| Xx-boost.com \| Xx-drift.com \| Xx-find.com \| Xx-have.com \| Xx-parts.com \| Xx-promotion.com \| Xx-table.com \| Xxorganic.com \| Xxusb.com \| Zaebatiydoor.com \| Archivepacker.com \| Winpacker.com \| Directitfast.com \| N63.ru \| Rupoisk.in \| Yourtraf2.ru \| Antispywarepro2009.com \| Sysoptimizer.com \| Winoptimizerxp.com \| Morozim.cn \| Omerigatam.cn \| Pendosamkonec.cn \| Slyvip.com \| Pornmoviesvideos.com \| 1000messages.net \| 12-00.am \| 2479595.com \| 2u-yewa.com \| 2ueva.com \| 2uyewa.com \| 3glass.ru \| 4u-eva.com \| 4u-yewa.com \| 4ueva.com \| 7140654.net \| Abus-host.ru \| Agentam007.net \| Aliot-kiev.ru \| Conference-service.biz \| Conference-service.org \| Dorogie-podarki.com \| Enigmapro.ru \| Eva-2u.com \| Eva-4u.net \| Eva2u-chat.com \| Eva4u-chat.com \| Evachat-now.com \| Evanow-online.com \| Ewa2u-chat.com \| Ewa4u-chat.com \| Extraclass.biz \| Girls-4you.net \| Inet-reclama.ru \| Kohbept.biz \| Mail-reclama.ru \| Mkc05.com \| Myelitehosting.ru \| Online-chat-4u.com \| Onlinespymarket.com \| Ops044.com \| Podarokbossu.com \| Podaviteli.com \| Rest-4u.com \| Russianchasy.ru \| Seminar-ua.com \| Seminar-ua.info \| Seminar-ua.net \| Seminar-ua.org \| Seminar.pl.ua \| Sendermail.ru \| Sorry-babushka.me \| Sweet-chat4u.net \| Tikitak.com.ua \| Tpax.tv \| Videoruchka.ru \| Vip-podarunok.com \| Vruku.ru \| Vsembossam.com \| Yourelitehosting.ru \| Sajt.com.ua \| Newlinecash.com \| Soft-billing.com \| Adfolder.ru \| Xxxonlinedating.net \| Meetadultlove.com \| Hotxxxgirls.net \| Vdhost.info \| Xxxlovegirls.com \| Sexgirlsstore.com \| Mature-galls.net \| Infotimer.net \| Porno-desires.com \| Ultrafiles.net \| Astrosms.ru \| Bar-moscow.ru \| Coolmagazin.ru \| Dream-life.ru \| Hentaixxx.ru \| Videoallxxx.ru \| Zvezdiludi.ru \| Abilitybehind.com \| Abilitycourse.com \| Aboutstation.com \| Achievementtalk.com \| Achievementtiny.com \| Actwhy.com \| Addelse.com \| Advocacyquick.com \| Againcame.com \| Againselect.com \| Ageopen.com \| Agomore.com \| Agreecourse.com \| Agreeintegrity.com \| Alldoes.com \| Allowmove.com \| Allowstood.com \| Alsocondition.com \| Animalsuggest.com \| Appleability.com \| Appreciationexcept.com \| Appreciationpicture.com \| Appreciationshore.com \| Areahow.com \| Arriveday.com \| Artneck.com \| Aspirationcall.com \| Aspirationlady.com \| Atmilk.com \| Dayarrive.com \| Gaveanimal.com \| Holeminute.com \| Momentfelt.com \| Pastproperty.com \| Roadfraction.com \| Runstring.com \| Suddenseveral.com \| Surebefore.com \| Thickwhile.com \| Advertising-directory.ru \| Workabledirectory.ru \| Ophaco.com \| Totalacces.net \| In-source.net \| Manufacturingsystemsoftware.com \| Softlean.com \| Almomiz.com \| Golsoftware.com \| Mp3time.net \| Pcworldweb.net \| Super-shoppes.com \| Top4seo.com \| 3judyrealtor.com \| Amishselect.com \| Barneycrete.com \| Buycheapsoft.net \| Harboragchurch.com \| Antivirus--plus.com \| Plus-antivirus.com \| Goodcatalogue.ru \| Boomfeed.org \| Ehomarketing.com \| Centeroftraining.ru \| All-advertisements.ru \| Lvhost.cn \| Letiter.cn \| Cars-repairs.ru \| Domiktvoy.ru \| Posicat.ru \| Rusexportal.com \| Filescanner-online.com \| Energysavecenterpro.com \| Hypersecurefileshredder.com \| Founds.ru \| Discoverfolder.ru \| Gotome.ru \| Homebizz.ru \| Housebiz.ru \| Id-auto.ru \| Oil-stats.ru \| Anti-captcha.com \| Kolotibablo.com \| Buaga.com \| Burumba.com \| Emranbd.com \| Faszd.com \| Hamevaser.org \| Lokdeas.com \| Nobmer.com \| Scuki.com \| Supernerd.org \| Biztoforex.ru \| Stroj-portal.ru \| Strojka-biz.ru \| Bestsearchdir.com \| Ccbillhelp.com \| Ccbillservice.com \| Ccbillsvc.com \| Extremetube09.com \| Myrealtube.net \| Rserv18.com \| Searchdirpro.com \| Softupdate09.com \| Avto-gmc.ru \| Cottadje.ru \| Dol4e-wita.ru \| Searchlibrary.ru \| Ad-search.ru \| Agro-site.ru \| Baby-hood.ru \| Nncredit.ru \| Statbank.ru \| Bz-realty.ru
sistemnet IP Range: 79.135.187.%	115 domains, including some old, familiar faces - all should be treated with extreme caution 1000-ga.ru \| 1000site.ru \| Dispetcher.org \| Findfast.ru \| Horoshiy-rezultat.ru \| Kredkart.ru \| Newfindercards.ru \| Vam-pismo.ru \| Vibiray-nas.ru \| Sotana.su \| Searchonlineweb.cn \| Casino2009.org \| Rx13.com \| Usdrugstorebest.com \| Email-marketing-easy.com \| Eng25cadrs.info \| Intereshop.net \| Lencom.com \| Lux-life.net \| Pornoplanet.biz \| Seopaket.ru \| Englinhous.net \| Pc-protection-center-2008.com \| Pcprotectioncenter08.com \| Afrogruster.com \| Agiromentop.com \| Agrostergio.com \| Akierodentos.com \| Aportobrasok.com \| Atopresorgo.com \| Aviorebato.com \| Awrentoblasgo.com \| Beshragos.com \| Counterprise.com \| Diomertona.com \| Dresmondas.com \| Equalcrowd.ru \| Findsss.com \| Frododkoone.com \| Frododkotwo.com \| Hortesoda.com \| Kierodentos.com \| Kioretions.com \| Kironegas.com \| Kordanoser.com \| Krombustor.com \| Martobare.com \| Massachuret.com \| Miforbalo.com \| Morganiver.com \| Notifisarto.com \| Portobrasok.com \| Searchesss.com \| Sohurando.com \| Topresorgo.com \| Twopgoslyso.com \| Viorebato.com \| Wrentoblasgo.com \| Ypsss.com \| Bb-statistics.com \| Bucksbrothers.com \| Clean-master-2008.com \| Av-adv.com \| M-s-a-v-c.com \| Ms-avc.com \| Ms-avcc.com \| Sentrymasterpro.com \| Antivirussentry.com \| Av-ultima.com \| Power-avc.com \| Power-avcc.com \| Pvrantivirus.com \| S-a-v2009.com \| S-av2008.com \| Sav2008.com \| Sy-av.com \| Sysav-pro.com \| Systemavpro.com \| Security-updates-network.com \| Winsecupdates.com \| Hibucks.com \| Xpbooster.net \| Winsecurityupd.com \| Ab-outstat.com \| Index849.com \| Index938.com \| Aboutstat.net \| Newstat.net \| 69loadz.com \| Mloadsbiz.com \| Ab-outstat.net \| Officialstat.net \| Ne-wstat.net \| Of-ficialstat.com \| Statgroup.net \| Of-ficialstat.net \| St-at-diagnostic-imaging.net \| St-atetstr.com \| St-atgroup.net \| Staticglobalsources.net \| Mldsbiz.com \| Station-appraisals.com \| St-athisranch.com \| St-athisranch.net \| St-athome.net \| St-aticglobalsources.com \| St-aticglobalsources.net \| St-ation-appraisals.com \| St-ation-appraisals.net \| S-tatetstr.com \| S-tathisranch.com \| S-tathisranch.net \| S-tatgroup.net \| Freeorangestats.com \| Freegreenstats.com
Trancepitt Services IP Range: 213.189.9.%	2,151 domains - way too many to list
rtcomm.ru IP Range: 195.161.113.%	628 domains - too many to list
Beyond The Network America Inc IP Range: 207.226.175.%	193 domains: Paymentbillingonline.com \| Pandora-software.info \| Secure-softwaretools.com \| Boys-planet.com \| Free-nylon-porn.com \| Free-teenagers-porn.com \| Freematureporn.org \| Gallfans.com \| Mature-shop.com \| Maturearchive.org \| Matureguide.com \| Matureplanet.org \| Matureworld.org \| Nylon-master.com \| Porn-matures.com \| Sexy-gay.org \| Smutincest.com \| Thematures.org \| Time4nylon.com \| Twink-planet.com \| Bestporngalleries.org \| Naxersoft.com \| Headpay.com \| Man-prison.com \| Afat-host.com \| Colindrury.com \| Fanppc.com \| Fat-host.com \| Klickadult.com \| Klickadvertising.com \| Rx-prom.com \| Dragrevenue.com \| Klickrevenue.com \| Klickvip.com \| N-sex.net \| Onlinedrugstore.eu \| Searchforporn.org \| Thebestpornsites.org \| Unaxlogin.com \| Pornobserver.net \| Sportyteens.net \| Pure-porn.net \| -zone.com \| Topmatureporn.org \| Colinsdialer.com \| Amateurs-next-door.net \| Asianbooties.net \| Burningebonyhell.com \| Bustyhello.com \| Countryside-matures.com \| Cryinganal.net \| Fetishhotels.net \| Fistingtheory.com \| Animalwhorehouse.com \| Farmsexworld.com \| Sex-teacher.ru \| Vipxxx-party.ru \| Allpornpicsandvids.com \| Pornnetworkonline.com \| Sexpicsandvids.com \| Secret-video.ru \| 1style.ru \| Island-fever.ru \| Www-porno-sex.ru \| Zapretnoe.net \| Mobiles5.com \| Blogcomplex.info \| Dadasa.info \| Luckindeal.net \| Purposes.name \| Systemkaonline.info \| Treaser.info \| Freshfreeringtones.com \| My-ip.info \| Mukla.info \| Virtuped.info \| Jukalsaz.info \| Muhtanga.info \| Trustana.com \| Chellyblogs.info \| Miklopkax.info \| Anal-mpg.net \| Analfuckmpg.com \| Drunkenchick.net \| Fistingmovies.net \| Girlsfuckmovies.com \| Shockteen.net \| Sashablond.ru \| Bollywoodmp3.info \| Newmeeting.net \| Club-mp3.org \| Diggit.org.ua \| Searchlayouts.net \| Cool-mp3.org \| Seeklayouts.net \| Socialarticles.org.ua \| Wordaramanights.com \| Yourlayoutsgenerator.com \| Adviceyou.com \| Dance-mp3.info \| Everythingfind.net \| Sexualdating.net \| Yourspace.org.ua \| Articlepedia.org.ua \| Azlyrics.org.ua \| Downloadsmp3.info \| Singlemeet.net \| Gaylovecall.com \| Bestallporn.com \| Besttranssexual.com \| Hotandplump.com \| Sweetbigboys.com \| Obitex.com \| Cuteasuanfucking.com \| Asian-girls-porn-movies.com \| Cameltoesexybabes.com \| Footjobabes.com \| Free-sex-laboratory.com \| Nylon-pages.com \| Pornarm.com \| Assfistingporn.com \| Free-sex-station.com \| Handjobpornvideo.com \| Sexy-babes-porn-movie.com \| Bizarreinsertionsporn.com \| Latinsexibabes.com \| Undina.net \| Blackfuckingdolls.com \| Freepornroll.com \| Sextoypornvideo.com \| Answerupon.com \| Anthrogeeks.com \| Linedating.net \| Mp3shit.info \| Answeryou.net \| Lookforlayouts.com \| Maznoonan.com \| Mp3shits.info \| Musiclyricsearch.org.ua \| Articledump.net \| Lovefield.biz \| Mp3step.com \| Atriclecheck.com \| Lovehomegame.com \| Mp3unlimited.info \| Atriclezine.com \| Interludic.com \| Lovehomematch.com \| Muiscsfind.org \| Search-lyrics.org.ua \| Umequestrian.com \| Boactsystems.com \| Doctorxcash.com \| Talorysystems.com \| Boilysystems.com \| Eccprocessing.com \| Ic-support.com \| Iq-support.com \| Jienttrading.com \| Olibexcorporation.com \| E-statist.com \| Axueno.net \| Besporno.info \| Beysbool.com \| Cofemolky.info \| Avfr.net \| Smsk.biz \| Autosignalka.info \| Humor-basni.net \| Porna.net.ru \| Geisterwald.com \| Mazuta.net \| Receptbar.com \| Tur-vsem.com \| Footbol.biz \| Pornofile.info \| Sossband.com \| Enter-porno.com \| Fotoporno.net.ru \| Smehota.com \| Goliedevki.com \| Koney.net.ru \| Skalolas.com \| Smeh.biz \| Zadporno.com \| Superfoto.org \| Estate-invest.info \| Flat-design.info \| Guruporno.com \| Pornophoto.info \| Znam.biz \| Condycionery.info \| Ssporno.com

Posted by sandi with 1 comment(s)

Filed under: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits

Tuesday, November 18, 2008 1:26 PM

Phishing?

spam-complaint.net	ICANN Registrar: ONLINENIC, INC. Created: 6 October 2008 NS1.DNS-DIY.NET NS2.DNS-DIY.NET IP: 63.216.206.242 (District Of Columbia - Washington - Gaa-la) Registrant: Rob Robinson (paul@targetron.com - associated with 545 domains), Wild Zest Domains (yes, Zest)
spamreport-abuse.com	ICANN Registrar: ONLINENIC, INC. Created: 6 October 2008 NS1.DNS-DIY.NET NS2.DNS-DIY.NET IP: 63.216.206.242 (District Of Columbia - Washington - Gaa-la) Registrant: Rob Robinson (paul@targetron.com - associated with 585 domains), Wild Zest Domains (yes, Zest)
antispamm.net	Account suspended by web site host ICANN Registrar: DIRECTI INTERNET SOLUTIONS Created: 28 January 2003 NS1.PORTALHUMEDO.COM NS2.PORTALHUMEDO.COM (has 5 domains) IP: 64.191.104.98 (Pennsylvania - Scranton - Network Operations Center Inc) Registrant: Registro de Dominios, DigitalServer, Mexico Info: previously defaced: http://www.zone-h.org/index.php?option=com_mirrorwrp&Itemid=160&id=6330749
portalhumedo.com	ICANN Registrar: DIRECTI INTERNET SOLUTIONS Created: 25 July 2007 NS1.PORTALHUMEDO.COM NS2.PORTALHUMEDO.COM (has 5 domains) IP: 64.191.104.86 (Pennsylvania - Scranton - Network Operations Center Inc) Registrant: Registro de Dominios, DigitalServer, Mexico

Posted by sandi with 1 comment(s)

Filed under: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits

Tuesday, November 18, 2008 12:13 PM

Remember how I wrote about "Heart of Joanne's Kitchen" yesterday?

The index page has been cleaned up. Somebody's paying attention to my blog ;o)

Posted by sandi with no comments

Filed under: Vulnerabilities, viruses and exploits

Tuesday, November 18, 2008 7:03 AM

PRESS RELEASE: Attorney General's investigation finds MyLuvCrush a not-so-sweet nothing

SEATTLE – Money can’t buy love. But that didn’t stop a Washington-based company from tempting Internet users with the chance to learn the identity of a secret admirer. Unfortunately, any lonely hearts or curious souls who may have bit at Tatto Media, Inc.’s promotion lost out. According to the Washington Attorney General’s Office, the company’s promise to reveal your “LuvCrush” was a sham to sign consumers up for a horoscope text-messaging service.

“Tatto Media’s ‘MyLuvCrush’ promo was nothing but a tease that may have crushed the hearts of hopeful romantics,” said Senior Counsel Paula Selis, an assistant attorney who heads up the office’s Consumer Protection High-Tech Unit.

The company, which has offices in Seattle and Boston and promotes itself as a behavioral advertising service, reached an agreement with the AG that restricts how it can advertise in the future.

The Attorney General’s Office does not know how many Internet users may have been duped by the promotion but opened an investigation after discovering negative comments about MyLuvCrush on blogs and discussion sites. The office also received a written complaint from a consumer who did not know why her cell phone bills included a fee for a horoscope subscription.

Selis said the office’s investigation showed that Tatto’s promo included a string of teasers. The Attorney General’s Office alleged that:

Users of social-networking sites including Reunion.com, Facebook and MySpace were shown an ad resembling an e-mail message that suggests someone in their community is interested: “1 New LuvCrush from Seattle!”
Clicking on the ad directed users to the MyLuvCrush Web site, found at www.myluvcrush.com and www.perfectcrush.com. A phony pop-up message on the site proclaimed, for example, “IMPORTANT: YOUR CRUSH FROM SEATTLE IS TRYING TO CONTACT YOU AT THIS VERY MOMENT. FIND OUT WHO NOW.”
Users were then taken to a Web page instructing them to enter their cell phone number. The page included an agreement to purchase a $9.99 monthly subscription to the horoscope service.
After subscribing, users received a text message with a fictitious name of the alleged crush.

Under the Assurance of Discontinuance filed today in King County Superior Court, Tatto Media agrees that it won’t misrepresent that a real person has an existing romantic interest in the computer user or that the computer user will lose the opportunity to learn the identity unless they take action. The company also agrees not to misrepresent the existence of a personal e-mail message or falsely imply that a promotional offer will expire.

The company will pay $20,262 to reimburse the state’s attorneys’ fees and costs.

Tatto Media AOD

MyLuvCrush screenshots

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet

Monday, November 17, 2008 3:11 PM

Now that's just not nice....

For a moment there I thought I'd found a legitimate, albeit uber-kitsch, website amongst my bad-site Directi alerts... until I looked at the page source. Why would a nice, grandma type of lady who has used a site theme supplied by a web site that is a member of the Christian Banner Exchange and The Christian Web Ring, have this sort of code in her page source? Rest assured the URLs in question are dead.

As I noted, the Registrar is Directi, and the domain was created on 11 February 2007. WHOIS details are hidden behind PrivacyProtect.

Is this a hacked site? A site created by a miscreant with a warped sense of humour? Who knows. It just goes to show - you never can tell where you may discover stuff.

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet

Sunday, November 16, 2008 9:29 PM

ALERT: Malvertizements at foxnews.com - treat all content from adserver.adtechie.net with extreme caution

Malvertizements - lots of them - from adtechie.net. And some are being served via AdMeld.

Here's an interesting snippet for you - as we know from this article's title, malvertizements from adtechie.net via AdMeld have been spotted on Fox news (see Kimberley's report). Guess who is CEO at AdMeld - none other than somebody who is apparently an ex employee of Fox Media Interactive - a Michael Barrett - "who was most recently Executive Vice President, Chief Revenue Officer for Fox Interactive Media. Mr. Barrett has previously held senior level positions at AOL, Yahoo, Disney Online and more over his 25-year career".

Cite: http://www.admeld.com/news.html

Now, I don't have a contact at AdMeld, but I *do* have a contact at Fox... let's see if we can get a dialogue going.

Now, who does Fox Media Interactive own? None other than MySpace - let's hope that they don't share advertising.

adtechie.net was registered on 3 October 2008 via none other than Directi. Their IP is 212.95.37.206 (Germany, Netdirekt E.k - another name appearing more often in association with malvertizement domains).

Let's take a look at WHOIS. The declared Registrant, "SD", apparently owns 294 other domains, and apparently goes by the name of Dietmar Hebels (hebels@gmx.ch).

The IP range, 212.95.37.% is shared with some charmingly named domains such as pornosupermodels.info, buyrxgeneric.com, cheapgenericrx.com and thegenericpills.com. That alone should raised alarm bells for AdMeld.

The full list of domains:

Oh yes, the malvertizements from adtechie - here they are. All of them use the encrypted dynamic text trickery that became common with the appearance of malvertizements created using Fuse.

Here is the AdMedl announcement about Michael Barrett.

Posted by sandi with 6 comment(s)

Filed under: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits

Friday, November 14, 2008 8:19 AM

ALERT: False positive affecting Spyware Doctor

It seems that Spyware Doctor was erroneously reporting Zlob infections on computers, and killing Norton Internet Security in the process. Reported here:

http://www.temerc.com/forums/viewtopic.php?f=5&t=6092

Also reported on the Spyware Doctor forums:
http://www.pctools.com/forum/showthread.php?p=195342#post195342
http://www.pctools.com/forum/showthread.php?t=54603

Symantec ain't gonna be happy...

Posted by sandi with 1 comment(s)

Filed under: Security, safety and privacy on the Internet

Thursday, November 13, 2008 11:06 AM

Estdomain's stay of execution has been lifted :o)

Details here - Estdomain will lose their ICANN accreditation on 24 November 2008:
http://www.icann.org/en/announcements/announcement-12nov08-en.htm

"The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

On 28 October 2008, ICANN sent a notice of termination to EstDomains, Inc. (EstDomains) based on an Estonian Court record reflecting the conviction of EstDomains' then president, Vladimir Tsastsin, of credit card fraud, money laundering and document forgery.
Pursuant to Section 5.3 of the Registrar Accreditation Agreement (RAA), ICANN may terminate the RAA before its expiration when, "Any officer or director of Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances."
ICANN received a response from EstDomains on 29 October in which it indicated that the Estonian Court record on which ICANN relied was not final and had been appealed. ICANN pended the termination of EstDomains' RAA to analyze the claims made by EstDomains and to obtain independent information regarding the status of the alleged appeal.
On 7 November 2008, EstDomains was informed that, based on ICANN's findings, ICANN was proceeding with the termination of EstDomains' RAA, effective 24 November 2008.
ICANN's records indicate that EstDomains manages approximately 281,000 domain names. To protect the interests of registrants, on 28 October 2008, ICANN published a Request for Informations seeking expressions of interest from registrars to receive a bulk transfer of the domain names managed by de-accredited registrar EstDomains.
ICANN is analyzing the responses to that request and will take measures to effectuate a smooth transition of the domain names managed by EstDomains to a qualified ICANN- accredited registrar.
For information regarding ICANN's De-Accredited Registrar Transition Procedure, please go to: http://www.icann.org/processes/registrars/de-accredited-registrar-transition-procedure-01oct08.pdf [PDF,121K].
Registrants interested in immediately transferring their domain names are encouraged to read ICANN's Inter-Registrar Transfer Policy http://www.icann.org/en/transfers/policy-12jul04.htm for guidance regarding the transfer process.

Related links:
Original notice of termination:
http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf [PDF,77K]
EstDomains response to notice of termination:
http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf [PDF, 857K]
Letter to EstDomains concerning decision to proceed with termination:
http://www.icann.org/correspondence/burnette-to-poltev-07nov08-en.pdf [PDF, 57K]"

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet

Wednesday, November 12, 2008 9:54 PM

Spam levels are remaining low since McColo was king-hit...

Look good gang... looking good.

By the way, HOSTEXPLOIT.COM have released a report about McColo:
http://hostexploit.com/downloads/Hostexploit%20Cyber%20Crime%20USA%20v%202.0%201108.pdf

Hopefully we will soon see a report about ONLINENIC, ESTDOMAINS and REGTIME ;o)

Posted by sandi with no comments

Filed under: Security, safety and privacy on the Internet

Spyware Sucks

This Blog

Syndication

Search

Tags

Community

Archives

My Web Sites

Internet Explorer Resources

Fighting Malware

SBS Links...

News