Fraudware via Blogspot - no advertising required...
Actually, it could be fraudware or it could be a p0rn site trying to tempt you into installing a fake media codec depending on the luck of the draw...
Anyway, part of my 'day job' nowadays is keeping an eye on the programs that have been whitelisted by TRUSTe's Trusted Download Program (hence my official title of "Online Compliance Researcher"). There I was, trawling the net, searching for signs of trouble when my PC was broadsided by an unexpected browser hijack...
*** !!!WARNING WARNING WARNING!!! - DO NOT VISIT ANY OF THE FOLLOWING URLS WITHOUT THE PROTECTION OF REALLY GOOD ANTIVIRUS AND ANTISPYWARE SOFTWARE, AND A WILLINGNESS TO REFORMAT YOUR COMPUTER TO GET RID OF THE CRUD IF YOUR REALLY GOOD ANTIVIRUS AND ANTISPYWARE SOFTWARE HAPPENS TO FAIL - !!!WARNING WARNING WARNING!!***
Ok, hopefully that warning is big enough and flashy enough and scary enough that *all* of my readers will PAY ATTENTION to the warning.
By a combination of circumstances I ended up at a malicious blog being:
(BTW, I should make it clear that the blog in question has *NOTHING* to do with any whitelisted application. The blog page simply happens to mention the name of an application that I was checking on and I stumbled across it thanks to the wonders of modern search engines. There is no association between any TRUSTe whitelisted application and the blog in question. There.. we're clear on that? Good!)
The bs.oughtworld.com site, in turn, pushes us to spyware-doctor-2008_2336_bs.oughtworld.com/index.html, and from there things get a bit random.
Every time I re-tested the oughtworld.com/index.html page, I was redirected to a different site, being one of the following:
grander5.com/soft.php?aid=0253&d=2&product=XPA which redirected to
grander5.com/soft.php?aid=0253&d=2&product=XPC which redirected to online-xpcleaner.com/2/freescan.php?aid=880253
onlinestreamvide.com/freemovie/541/1/ (which tries to trick visitor into installing a fake video codec)
windows-scannernv.com/2008/3/_freescan.php?aid=880218 (a fraudware (fake security software) page)
getmyvideonow.com/exclusive5/id/3913044/5/black/white/0/Video/ (another site that tries to trick visitors into installing a fake video codec) - WARNING: graphic content via pop-up window
After a certain number of visits to the bs.oughtworld.com/index.html page, we start hitting an Error 404 - there is some IP tracking going on, and once you've had what the bad guys consider to be your fair share of web content, well, they lock you out.
Incidents such as this one make it too easy to draw a connection between various fraud activities, in this case fraudware and online porn and fake video codecs. Yay them.
oughtworld.com - created 3 June 2008, Registrar DIRECTI INTERNET SOLUTIONS PVT LTD. Its Name Server (itsfreedns.com) Registrar is none other than the infamous ESTDOMAINS.
grander5.com - created 7 July 2008, Regisrar DIRECTI INTERNET SOLUTIONS PVT LTD. WHOIS hidden behind privacyprotect.org. I note that "australianembassy.ru" shares IP address with mynick.name - somebody has a sense of humour.
onlinestreamvide.com - created 17 May 2008, Registrar ESTDOMAINS (why are we not surprised?)
avwav.com - created 5 April 2008, Registrar ESTDOMAINS.
windows-scannernv.com - created 22 July 2008, Registrar DIRECTI INTERNET SOLUTIONS, name servers supplied by MYNICK.NAME. WHOIS hidden behind privacyprotect.
getmyvideonow.com - created 7 July 2008, Registrar ESTDOMAINS. Contact email "firstname.lastname@example.org" - those with long memories will remember a fraudware called IEDEFENDER. Coincidentally (yes, I am being facetious) the Registrar for iedefender.com is, can you guess? Yep, ESTDOMAINS.
While we are on the topic of email@example.com
Other sites/fraudware associated with firstname.lastname@example.org, discovered after just a few minutes digging include:
My gentle readers may take some amusement from this URL - "IE Defender Folks Playing Games"
The following is very interesting - the language is, apparently, Ukranian. Promonaut is talking about malwarebytes. Anybody want to translate? I have an archive of the whole page, just in case it disappears ;o)