LimeLight Networks and connecting the dots

winhelp2002 — Fri, 07 Dec 2007 07:28:00 GMT

Often times you have to look hard to connect the dots ... however it now seems LimeLight has been affiliated with the "Innovative Marketing Group" (aka WinFixer) for some time. And as of today they are still hosting files that almost every major Antivirus/Antispyware programs detect as malware ...

Landing on the below site you can see from the Microsoft Fiddler output the parties involved including LimeLight ...

As you can see the majority are blocked (Result 502) by the HOSTS file, but you can plainly see the locations involved.

[Limelight Networks (United States) - Netrange: 69.28.128.0 - 69.28.191.255]

69.28.154.167 download.cdn.winsoftware.com
69.28.154.167 bsa.safetydownload.com
69.28.154.167 setuphost.vo.llnwd.net
69.28.154.167 cdn.drivecleaner.com
69.28.154.167 cdn.downloadcontrol.com
69.28.154.237 sec.storageguardsoft.com
69.28.154.237 software.protectdownloads.com
69.28.154.237 content.onerateld.com
69.28.154.237 locator.contentsvc.com

All of the above are aliases for "setuphost.vo.llnwd.net" and there is no doubt that LimeLight is serving up these files from their network. In the above example run today the download was from:

hxxp://download.cdn.winsoftware.com/files/installers/WinAntiVirusPro2006FreeInstall.exe

Here are a few more examples (URLs disabled) you can find thousands more via a Google search ...
hxxp://bsa.safetydownload.com/winpcdoctor.com/WinPCDoctor/setup_en.exe
hxxp://content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe
hxxp://content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install_en.exe
hxxp://content.onerateld.com/avsystemcare.com/AVSystemCare/install_en.exe
hxxp://content.onerateld.com/winsecureav.com/WinSecureAv/install_en.exe
hxxp://content.onerateld.com/bestsellerantivirus.com/BestsellerAntivirus/install_en.exe

As you can see every one of the above products are Rogue/Suspect and all are detected as such ... so let's connect the dots and leave no doubt who LimeLight is dealing with ...

Innovative Marketing, Inc.(innovativemarketing.com)
1876 Hutson Street
Belize City, BZ (aka: cdn.downloadcontrol.com)

SellMoSoft (anonymbrowser.com)
1876 Hutson Street
Belize City, BZ

SetupAHost (locator.contentsvc.com)
Admin 2135 A des Laurentides Blvd., Suite 170
Laval, QC, H7M 4M2, CA (aka: setuphost.vo.llnwd.net)

Back in October I posted some info and the above connection, but I thought it was worth another look ...

Notice the two entries I highlighted in red above - SellMoSoft and Setup a Host ... this is the [choke] secure site that is used to purchase these bogus products. So as you can see this type activity has been going on for quite a while.

Remember the "locator.contentsvc.com" entry from above? Well back in March, Sandi Hardmeier blogged about flash ads and being redirected to these same type sites ...

hxxp://locator.contentsvc.com/sites/winantivirus.com/main/img/en/flash_world_end.swf

Even ExploitLabs posted similar info about infected ads and the redirects:

"mlb.mlb.com/index.jsp calls to ad.doubleclick.net
ad.doubleclick.net calls to newbieadguide.com
newbieadguide.com calls to fixthemnow.com - this is where the code comes from
fixthemnow.com calls to bsa.safetydownload.com" [emphasis mine]

Again this content is being served up by LimeLight's networks ... so I gotta ask "What are you thinking"!!
Hopefully LimeLight which seems to be a legit company, will sever their ties with Innovative Marketing Group.

Hosts News : Innovative Marketing Group

LimeLight Networks and connecting the dots