More information about Olympic Media shenanigans
OK, when the hijack triggered via the Olympic Media-supplied JavaScript URL that I mentioned in my previous article fires successfully, we hit:
admediastats.com/ts/in.cgi?{{redacted}}
From there we end up at sg12scanner.com/{{redacted}}
From there to dlsg09.com/sysgd09/install.php?track_id={{redacted}}
JavaScript in use:
sg12scanner.com/js/jquery-1.2.5.pack.js
sg12scanner.com/js/jquery.timers.js (just for fun I will point out that the JS contains the comment "Yeah this is major overkill...")
sg12scanner.com/js/file_names.js
Installer URL: 89.149.236.86/sysgd09/install.php?track_id={{redacted}}
Tries to download "SystemGuard2009.exe"
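For anyone who wants to check proxy logs for this chain, here is an added example (mine, not anything from the original post or from the sites involved) that reconstructs the redirect stages per client from a constructed `<timestamp> <client> <url>` log format and flags clients that got as far as the install.php page or the SystemGuard2009.exe download. The sg\d+scanner.com pattern generalises the sg9/sg10/sg11/sg12scanner.com hosts listed below; the log lines and the exact payload URL are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators taken from the chain above; the scanner-host regex generalises
# the sg9/sg10/sg11/sg12scanner.com hosts named on this page.
SCANNER_HOST_RE = re.compile(r"^sg\d+scanner\.com$")
INSTALLER_HOSTS = {"dlsg09.com", "89.149.236.86"}

def classify(url):
    """Return the chain stage a URL belongs to, or None if it is unrelated."""
    u = urlparse(url)
    host, path, query = (u.hostname or ""), u.path, u.query
    if host == "admediastats.com" and path.startswith("/ts/in.cgi"):
        return "ad_redirect"
    if path.lower().endswith("systemguard2009.exe"):
        return "payload"          # the rogue AV binary, wherever it is served from
    if host in INSTALLER_HOSTS and path.startswith("/sysgd09/install.php") and "track_id=" in query:
        return "installer"
    if SCANNER_HOST_RE.match(host):
        return "scanner_page"     # fake scanner page and its jQuery helpers
    return None

def reconstruct_chains(log_lines):
    """Group stage hits per client in log order (constructed format: '<ts> <client> <url>')."""
    chains = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue              # skip malformed lines rather than crash
        _ts, client, url = parts
        stage = classify(url)
        if stage and (not chains[client] or chains[client][-1] != stage):
            chains[client].append(stage)   # collapse repeated hits on one stage
    return dict(chains)

def clients_to_triage(log_lines):
    """Clients that reached the installer or payload stage need an endpoint check."""
    return sorted(c for c, stages in reconstruct_chains(log_lines).items()
                  if "installer" in stages or "payload" in stages)

# Constructed sample log; REDACTED stands in for the tracking values.
SAMPLE_LOG = [
    "2009-01-20T10:00:01 10.0.0.5 http://admediastats.com/ts/in.cgi?REDACTED",
    "2009-01-20T10:00:02 10.0.0.5 http://sg12scanner.com/REDACTED",
    "2009-01-20T10:00:02 10.0.0.5 http://sg12scanner.com/js/jquery.timers.js",
    "2009-01-20T10:00:05 10.0.0.5 http://dlsg09.com/sysgd09/install.php?track_id=REDACTED",
    "2009-01-20T10:00:06 10.0.0.5 http://89.149.236.86/sysgd09/SystemGuard2009.exe",
    "2009-01-20T10:00:07 10.0.0.9 http://admediastats.com/ts/in.cgi?REDACTED",
    "2009-01-20T10:00:08 10.0.0.9 http://example.com/index.html",
]
```

Clients whose chain stops at the ad redirect only saw the first hop; those returned by `clients_to_triage` reached the installer and should be checked for the dropped executable.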
admediastats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 4 January 2009
ns1.admediastats.com - 91.211.64.71 - Russian Federation Ural Industrial Limited Company
ns2.admediastats.com - 116.50.15.1 - Hong Kong Hostfresh
ns3.admediastats.com - 89.146.226.121 - Germany De-nic
ns4.admediastats.com - 212.117.162.90 - Luxembourg Root Esolutions
IP: 84.243.252.179 - Berlin, Gfx-cust-worldstream
Registrant: WhoisGuard Protected
*****
sg12scanner.com
ICANN Registrar: REGTIME LTD
Created 14 January 2009
NS1.DLDNSSG09.COM
NS2.DLDNSSG09.COM
IP: 78.26.179.253 - Odessa, Renome-service: Joint Multimedia Cable Network
Shares IP with Dldnssg09.com, Dlsg09.com, Dlsgd2.com, Dlsgd3.com, Gbpings.com, Getsg09.com, Getsgd2.com, Getsgd3.com, Getsysgd09.com, Gosg09.com, Gosgd2.com, Gosgd3.com, Gosysgd09.com, Prdnssg09.com, Scannersg.com, Scansguard.com, Sg10scanner.com, Sg11scanner.com, Sg12scanner.com, Sg9scanner.com, Sgproduct.com, Sgproductm.com, Sgscanner.com, Sguardscan.com, Sgviralscan.com, Spywareguard2009.com, Spywareguard2009m.com, Systemguard2009.com and Systemguard2009m.com, all of which should be treated with extreme caution.
Registrant: Kire Serona (kiresl1540@yahoo.com) - owns 2 other domains
Ilichova 16, Ljubljana.
*****
dlsg09.com
ICANN Registrar: REGTIME LTD
Created 14 January 2009
NS1.DLDNSSG09.COM
NS2.DLDNSSG09.COM
IP: 78.26.179.253 - Odessa, Renome-service: Joint Multimedia Cable Network
Shares IP with the same set of domains listed under sg12scanner.com above, all of which should be treated with extreme caution.
Registrant: Damir Sbil (damirsbils791@gmail.com) - owns 6 other domains
Tavcarjeva 109, Skofja vas.
*****
89.149.236.86 - China Gibibits-Ltd (89-149-236-86.internetserviceteam.com - Netdirekt). Known spam IP.