Fraudware via Blogspot - no advertising required...
Actually, it could be fraudware or it could be a p0rn site trying to tempt you into installing a fake media codec depending on the luck of the draw...
Anyway, part of my 'day job' nowadays is keeping an eye on the programs that have been whitelisted by TRUSTe's Trusted Download Program (hence my official title of "Online Compliance Researcher"). There I was, trawling the net, searching for signs of trouble when my PC was broadsided by an unexpected browser hijack...
*** !!!WARNING WARNING WARNING!!! - DO NOT VISIT ANY OF THE FOLLOWING URLS WITHOUT THE PROTECTION OF REALLY GOOD ANTIVIRUS AND ANTISPYWARE SOFTWARE, AND A WILLINGNESS TO REFORMAT YOUR COMPUTER TO GET RID OF THE CRUD IF YOUR REALLY GOOD ANTIVIRUS AND ANTISPYWARE SOFTWARE HAPPENS TO FAIL - !!!WARNING WARNING WARNING!!! ***
Ok, hopefully that warning is big enough and flashy enough and scary enough that *all* of my readers will PAY ATTENTION to the warning.
By a combination of circumstances I ended up at a malicious blog being:
spyware-doctor-2008.blogspot.com/2008/06/desktop-spyware-block-spyware-reduce.html.
(BTW, I should make it clear that the blog in question has *NOTHING* to do with any whitelisted application. The blog page simply happens to mention the name of an application that I was checking on and I stumbled across it thanks to the wonders of modern search engines. There is no association between any TRUSTe whitelisted application and the blog in question. There... we're clear on that? Good!)
That fun little page has a piece of javascript in the source code that redirects visitors to c1_spyware-doctor-2008_2336_bs.oughtworld.com/images/header.php.
The bs.oughtworld.com site, in turn, pushes us to spyware-doctor-2008_2336_bs.oughtworld.com/index.html, and from there things get a bit random.
Every time I re-tested the oughtworld.com/index.html page, I was redirected to a different site, being one of the following:
grander5.com/soft.php?aid=0253&d=2&product=XPA which redirected to
freewebscanner.com/2009/1/freescan.php?aid=880253
-or-
grander5.com/soft.php?aid=0253&d=2&product=XPC which redirected to online-xpcleaner.com/2/freescan.php?aid=880253
-or-
onlinestreamvide.com/freemovie/541/1/ (which tries to trick visitors into installing a fake video codec)
-or-
avwav.com/2099.htm (this site has some encrypted javascript that I haven't bothered to decode)
-or-
windows-scannernv.com/2008/3/_freescan.php?aid=880218 (a fraudware (fake security software) page)
-or-
getmyvideonow.com/exclusive5/id/3913044/5/black/white/0/Video/ (another site that tries to trick visitors into installing a fake video codec) - WARNING: graphic content via pop-up window
After a certain number of visits to the bs.oughtworld.com/index.html page, we start hitting an Error 404 - there is some IP tracking going on, and once you've had what the bad guys consider to be your fair share of web content, well, they lock you out.
Incidents such as this one make it too easy to draw a connection between various fraud activities, in this case fraudware and online porn and fake video codecs. Yay them.
DOMAIN INFORMATION
oughtworld.com - created 3 June 2008, Registrar DIRECTI INTERNET SOLUTIONS PVT LTD. Its Name Server (itsfreedns.com) Registrar is none other than the infamous ESTDOMAINS.
grander5.com - created 7 July 2008, Registrar DIRECTI INTERNET SOLUTIONS PVT LTD. WHOIS hidden behind privacyprotect.org. I note that "australianembassy.ru" shares an IP address with mynick.name - somebody has a sense of humour.
onlinestreamvide.com - created 17 May 2008, Registrar ESTDOMAINS (why are we not surprised?)
avwav.com - created 5 April 2008, Registrar ESTDOMAINS.
windows-scannernv.com - created 22 July 2008, Registrar DIRECTI INTERNET SOLUTIONS, name servers supplied by MYNICK.NAME. WHOIS hidden behind privacyprotect.
getmyvideonow.com - created 7 July 2008, Registrar ESTDOMAINS. Contact email "iedefender@gmail.com" - those with long memories will remember a fraudware called IEDEFENDER. Coincidentally (yes, I am being facetious) the Registrar for iedefender.com is, can you guess? Yep, ESTDOMAINS.
While we are on the topic of iedefender@gmail.com...
Other sites/fraudware associated with iedefender@gmail.com, discovered after just a few minutes digging include:
free-viruscan.com
getvideoc.com
downloaditrightnow.com
files-secure.com
fast-viruscanner.com
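The domain information above is an exercise in infrastructure pivoting: linking domains through a shared registrar, name server, privacy service or contact email, and then through the observed redirect chain. The script below is an added example written for this post, not the author's own tooling; it transcribes the registration details and redirect hops listed above into a small in-memory dataset (no network or WHOIS lookups are made, and fields the post does not give are left empty rather than guessed), then builds the pivot index and the resulting clusters. The field names and the DomainRecord type are assumptions of this example, not anything the post defines.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from itertools import combinations
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple


@dataclass
class DomainRecord:
    """One WHOIS-derived record. Fields the post does not state stay None/empty."""
    domain: str
    registrar: Optional[str] = None
    created: Optional[date] = None
    name_servers: Set[str] = field(default_factory=set)
    contact_email: Optional[str] = None
    privacy_service: Optional[str] = None


# Registration data transcribed from the post (constructed dataset, not a WHOIS dump).
RECORDS: List[DomainRecord] = [
    DomainRecord("oughtworld.com", "DIRECTI", date(2008, 6, 3), {"itsfreedns.com"}),
    DomainRecord("grander5.com", "DIRECTI", date(2008, 7, 7),
                 privacy_service="privacyprotect.org"),
    DomainRecord("onlinestreamvide.com", "ESTDOMAINS", date(2008, 5, 17)),
    DomainRecord("avwav.com", "ESTDOMAINS", date(2008, 4, 5)),
    DomainRecord("windows-scannernv.com", "DIRECTI", date(2008, 7, 22), {"mynick.name"},
                 privacy_service="privacyprotect.org"),
    DomainRecord("getmyvideonow.com", "ESTDOMAINS", date(2008, 7, 7),
                 contact_email="iedefender@gmail.com"),
    DomainRecord("iedefender.com", "ESTDOMAINS"),
] + [DomainRecord(d, contact_email="iedefender@gmail.com") for d in (
    "free-viruscan.com", "getvideoc.com", "downloaditrightnow.com",
    "files-secure.com", "fast-viruscanner.com")]

# Behavioural links observed in the post: (source, destination) of each redirect.
REDIRECTS: List[Tuple[str, str]] = [
    ("oughtworld.com", d) for d in ("grander5.com", "onlinestreamvide.com", "avwav.com",
                                    "windows-scannernv.com", "getmyvideonow.com")
] + [("grander5.com", "freewebscanner.com"), ("grander5.com", "online-xpcleaner.com")]

Pivot = Tuple[str, str]  # (field name, normalised value)


def pivot_values(rec: DomainRecord) -> Iterator[Pivot]:
    """Every attribute of a record that can be used to link it to other domains."""
    for name in ("registrar", "contact_email", "privacy_service"):
        value = getattr(rec, name)
        if value:
            yield name, value.lower()
    for ns in rec.name_servers:
        yield "name_server", ns.lower()


def index_by_pivot(records: Iterable[DomainRecord]) -> Dict[Pivot, List[str]]:
    """Pivot -> sorted domains sharing it; pivots seen on only one domain are dropped."""
    idx: Dict[Pivot, List[str]] = defaultdict(list)
    for rec in records:
        for pivot in pivot_values(rec):
            idx[pivot].append(rec.domain)
    return {p: sorted(ds) for p, ds in idx.items() if len(ds) > 1}


def shared_pivots(records: List[DomainRecord]) -> Dict[Tuple[str, str], Set[Pivot]]:
    """For each pair of domains, the set of pivots both records share."""
    out: Dict[Tuple[str, str], Set[Pivot]] = {}
    for a, b in combinations(records, 2):
        common = set(pivot_values(a)) & set(pivot_values(b))
        if common:
            out[(a.domain, b.domain)] = common
    return out


def clusters(records: List[DomainRecord],
             redirects: Iterable[Tuple[str, str]] = ()) -> List[Set[str]]:
    """Union-find over shared registration pivots plus observed redirect edges."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for rec in records:
        find(rec.domain)  # register isolated domains too
    for a, b in list(shared_pivots(records)) + list(redirects):
        parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def registered_within(records: List[DomainRecord], days: int) -> List[Tuple[str, str, int]]:
    """Pairs of dated domains whose creation dates lie within `days` of each other."""
    dated = [r for r in records if r.created is not None]
    out = [(a.domain, b.domain, abs((a.created - b.created).days))
           for a, b in combinations(dated, 2)
           if abs((a.created - b.created).days) <= days]
    return sorted(out, key=lambda t: (t[2], t[0], t[1]))


if __name__ == "__main__":
    for pivot, domains in sorted(index_by_pivot(RECORDS).items()):
        print(f"{pivot[0]}={pivot[1]}: {', '.join(domains)}")
    print("registration-only clusters:", clusters(RECORDS))
    print("with redirect evidence:", clusters(RECORDS, REDIRECTS))
    print("registered on the same day:", registered_within(RECORDS, 0))
```

Run on the data from this post, registration pivots alone give two separate clusters (the DIRECTI/privacyprotect group and the ESTDOMAINS/iedefender@gmail.com group); only the observed redirects from oughtworld.com tie them into one. That is the distinction worth keeping in mind when doing this by hand: a shared registrar or privacy service is weak evidence on its own, since plenty of unrelated domains use the same ones, while a shared contact email, a shared name server, or a redirect actually seen in the browser is the kind of link that carries the attribution.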
My gentle readers may take some amusement from this URL - "IE Defender Folks Playing Games"
http://blog.malwareteks.com/ie-defender-folks-playing-games/
The following is very interesting - the language is, apparently, Ukrainian. Promonaut is talking about malwarebytes. Anybody want to translate? I have an archive of the whole page, just in case it disappears ;o)
URL: http://promonaut.livejournal.com/223473.html
