ALERT: malvertizement featuring diamondharmony.com
We saw malvertizements featuring diamondharmony.com back in June of this year.
The malvertizement code is similar to that used for the malvertizement that appeared on newsweek.com back in August of this year. This malvertizement is also created using Fuse, and references adoptserver.info.
Adoptserver.info's IP address is currently 64.28.187.77, hosted in California by Cernel. It is, apparently, registered to a Javier Vega, email softjoda@yahoo.com.
Interestingly, I noted back in August that adoptserver.info's name servers were supplied by the infamous "estboxes". That has now changed, with the domain name servers being NS.ADOPTSERVER.INFO and NS2.ADOPTSERVER.INFO. It looks like the transfer occurred back in September of this year, with the name servers being transferred from estboxes.com to hghost.net, and then from hghost.net to its current resting place.
The IP address for the domain changed at the same time, from 64.28.187.77 (Cernel) to 88.214.202.221 (United Kingdom Real International Business Corp), and from there back to 64.28.187.77.
The WHOIS for this domain was, until on or about 24 June 2008, protected by privacyprotect.org, and the sponsoring Registrar at that time was listed as ESTDOMAINS.
The Sponsoring Registrar is currently listed as Regtime Ltd. (R455-LRMS)
It is interesting that these changes are occurring, and that the ICANN Registrar is now listed as Regtime Ltd. Yes, the bad guys are diversifying and have learned not to "hide all their eggs in one basket", but sadly for those behind the domains that facilitate malvertizing, historical WHOIS and IP records are preserved and accessible.
We already know to keep a close eye on Regtime. That name is appearing in association with more and more malvertizing domains.