July 2009 - Posts

FTC versus Innovative Marketing et al - developments re Sam Jain

Regular readers of this blog will know that Sam Jain filed a motion for protective order requiring deposition to proceed by written questions, a motion which was DENIED on 22 July 2009.

Sam Jain has now refused to be deposed, even refusing an offer from the FTC to be deposed by video-conference from a location of his choosing (an offer that was made by the FTC to allay any fears held by Jain that a deposition would lead to his arrest).

Jain has a history in the courts that is less than complimentary.  As has been mentioned on this blog (and elsewhere) before, Jain was sued by Symantec in 2004 for pirating Symantec’s computer security software. He evaded service during those proceedings, and basically ignored the whole thing until judgment was entered in default. Then he tried to have the default judgment overturned. As noted by the FTC in its latest motion, the Court at that time described Jain's action as a “cynical and intentional manipulation of the[] proceedings”, and rejected the application.  I have tried to find out if Jain ever paid the default judgment in the Symantec case but have been unable to find out for sure, one way or the other.

Also, let's not forget that Jain is a fugitive.  He had a bench warrant issued against him in the United States District Court for the Central District of California early this year - a warrant that remains in effect.

The FTC now seeks sanctions against Jain (that sanction being default judgment), and has filed a MOTION for Sanctions Pursuant to Rule 37(d).  Any responses must be filed by 17 August 2009.

Posted by sandi with 3 comment(s)

FTC versus Innovative Marketing et al - developments

A win for Marc D'Souza.

The preliminary injunction is to be modified as follows (the FTC indicated that it had no objections to the language of the amendments):

"F. The Assets affected by this Paragraph shall include existing Assets of any Corporate Defendant, Individual Defendant (with the exception of Assets referenced in paragraph G), or Relief Defendant and Assets acquired after the effective date of this Order that are derived from conduct prohibited in Paragraphs I and II.

G. With respect to Defendant Marc D’Souza, the Assets affected by this Paragraph do not include Assets acquired after December 31, 2006 that were generated independently of the IMI Defendants (other than Marc D’Souza) and are not derived from any conduct prohibited in Paragraphs I and II."

Kristy Ross may move for a similar amendment.

Posted by sandi with no comments

FTC versus Innovative Marketing et al - developments

Innovative Marketing and Daniel Sundin continue to ignore proceedings and are unrepresented.

Maurice D’Souza

Maurice D'Souza's motion to dismiss for lack of jurisdiction (paper number 90) has been DENIED WITHOUT PREJUDICE.

Sam Jain

Sam has been busy, filing a motion for protective order requiring deposition to proceed by written questions (paper number 121).  It was claimed in the Motion that "Given the significant Fifth Amendment privilege objections Mr. Jain is compelled to raise, or risk waiving, in response to Plaintiff’s substantive questions, proceeding initially with the deposition by written questions will present the cleanest possible record and will permit full briefing and argument on the complex factual and legal bases underlying his privilege claims".  The Motion also claimed "significant criminal jeopardy" because of the ongoing investigation by the US Attorney's Office (Northern District of Illinois) for alleged wire fraud and computer fraud and, amazingly, because he is a fugitive (he has had a bench warrant issued against him in "unrelated proceedings" in the US District Court (Northern District of California)).

The motion has been DENIED.  Now we wait to see if Jain actually turns up for an oral deposition.  The notice of deposition attached to Jain's motion recorded that the deposition was due to commence on 20 July 2009 at 10 a.m. Eastern Time.  Obviously that needs to be rescheduled.

The motion to modify the preliminary injunction filed by Sam Jain (paper number 58) was also DENIED.

As a reminder, Jain and his cohorts had a bad day back on 9 June 2009 when:

  • Sam Jain's Motion to Stay (Paper No. 45) was DENIED;
  • Kristy Ross's Motion to Temporary Stay (Paper No. 48) was DENIED;
  • FTC's Motion for Order Holding Sam Jain and Kristy Ross in Contempt of Court and Requiring the Repatriation of their Assets (Paper No. 49) was DENIED;
  • Kristy Ross's Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 51) was declared MOOT;
  • Sam Jain's Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 52) was declared MOOT;
  • Sam Jain's Motion to Modify Preliminary Injunction (Paper No. 58) was DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze;
  • Sam Jain's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 60) was DENIED;
  • Kristy Ross's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 61) was DENIED;
  • Marc D'Souza's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 70) was DENIED; and
  • Marc D'Souza's Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) was DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze.

Ok, onward and upward.  Hopefully the deposition of Sam Jain will be scheduled to take place as soon as possible.

Posted by sandi with no comments

More DIRECTI

I have expressed concern about DIRECTI in the past few posts, and I now have even more cause for concern.

Paul Ferguson of TrendMicro let me know about a slew of DIRECTI-registered domains which are serving up exploits.  How is this for a list (all of which were registered on 22 July 2009):

IP 78.47.25.168:
q0i.in, u1w.in, u1y.in, u3h.in, u3j.in, u3v.in, u3y.in, u4w.in, u5c.in, u5k.in, u5m.in, u5t.in, u5w.in, u6d.in, u6l.in, u6n.in, u6v.in, u6x.in, u7f.in, u8b.in, u8j.in, u8t.in, u9b.in, u9c.in, u9j.in, q1b.in, q1l.in, q1m.in, q1w.in, q3b.in, q3c.in, q3o.in, q5a.in, q5k.in, q5m.in, q5u.in, q0a.in, q0k.in, q0l.in, q0v.in, q0w.in, q0x.in, q5v.in, u1j.in, u3m.in, u5d.in, u7o.in, u8v.in, q1e.in, u1m.in, u6c.in, u0s.in

IP 91.121.174.19:
u7e.in

IP 91.121.141.101:
q1k.in, q1v.in

IP 91.121.167.41:
u0c.in, u5e.in, u5v.in, u7p.in, u8i.in, u9i.in, u9k.in

IP 80.93.90.88:
x9d.in, q1d.in, q0c.in, u7g.in, u7z.in

To be fair, there were some domains at the same IP address that were registered via "Vivesh Infotechnics Ltd", also based in India (just like Directi).   I’ll leave it to others to try and find if there is any connection between DIRECTI and Vivesh Infotechnics Ltd.

IP 78.47.25.168:
x0c.in, x0v.in, x1i.in, x3a.in, x6q.in, x6r.in, x7c.in, x7l.in, x8c.in, x8e.in, x8f.in, x8m.in, x8n.in, x8v.in, x9e.in, x9f.in, x9g.in, x9o.in, x9u.in, x9w.in, x9y.in, x3y.in, x7d.in, x8y.in, x1h.in, x6i.in, x8w.in

IP 91.121.174.19:
x8u.in

IP 91.121.167.41:
x7k.in, x8o.in

IP 80.93.90.88:
x1v.in

As always, the above domains should be treated with EXTREME CAUTION.

Edit:  there are reports that 78.47.25.168 has been replaced (in some cases?) by 87.252.2.86.

DIRECTI action… or lack thereof…

Directi have “suspended” masters-woodworks.com, but NOT the almost identical masterwood-works.net, or the sites awiron-work.com, freshy-girls.com or sleazy-dreams.net  (all of which are on the same IP and have the same Registrant).

They have also “suspended” viorfjoj-1.com (different IP, same registrant), but have NOT suspended viorfjoj-2.com or viorfjoj-3.com (again, same IP, same Registrant).

Too little, too late.

Bearing in mind my comments here about adclickmate.net and adburau.net, I am beginning to wonder (again) just what is going on at DIRECTI.  It seems to me that they could do more to protect the Internet as a whole by investigating and suspending domains that are closely associated with bad behaviour – especially when there are multiple incidents of bad behaviour as dangerous as that we have been documenting these past few days.

More bad stuff from content.bannersulike.com, r.banner0709.com, worwink.com

Kimberley wrote about a couple of incidents on 18 July 2009 and again yesterday – they are not the same incidents as I have written about:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=240#

Update re digitalspy.co.uk

My apologies for the delay.  For what it's worth, I received an email within 3 hours of my report to the ad network in question, advising me that the malicious creatives had been identified and deactivated.

So, now to the details.  Technically, the incident was very similar to that which I wrote about here, but there were some new domains involved, all of which should be treated with extreme caution.

content.bannersulike.com
r.banner0709.com (responded 302 Found, redirecting to "masters-woodworks.com" and “worwink.com”)
masters-woodworks.com
worwink.com
xn--18ba.example.com (example.com is a domain reserved for use in documentation and not available for registration (RFC 2606, Section 3))
viorfjoj-1.com

There are screenshots of the advertisements displaying during a hijack, and other events, at the end of this article.

masters-woodworks.com
ICANN Registrar: DIRECTI
Created 8 June 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 - Namibia - Grinvich3 - Vladimir Gubarenko

Shares IP with awiron-work.com, freshy-girls.com, masterwood-works.net, sleazy-dreams.net

Registrant:
Dmitry Ostupin (conroetxwelc@gmail.com)
ul. Malaya Semenovskaya, d.5, kv. 28
g. Moskva, 107023
RU
Tel: +7 495 224 0537

*****

viorfjoj-1.com
ICANN Registrar: DIRECTI
Created: 8 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 221.5.74.34 - Guangdong, Guangzhou, China Unicom Guangdong Province Network

Shares IP with 24-stunden-voegeln.com, Leevitra-viaagra.com, Original-vjiagra.com, Originalpillen.com, P0tenz-pillen.com, P0tenzpillen-bestellung.com, P0tenzpillen.com, Pillensh0p.com, Potent-hart-guenstig.com, Potenz-pillen-dienst.com, Potenzpillen-24.com, Potenzpillen-einkaufen.com, Potenzpillen-service.com, Potenzpusher-bestellen.com, Sichere-viagra-bestellung.com, Viaagra-bestellung.com, Viaagra-kaufen.com, Viagra-ohne-zoll.com, Viorfjoj-1.com, Viorfjoj-2.com, Viorfjoj-3.com, Vjiagra-einkaufen.com, Vjiagra-ohne-zoll.com, Vsalso-dkgj1.com, Vsalso-dkgj2.com, Vsalso-dkgj3.com

Registrant:
Dmitry Ostupin (conroetxwelc@gmail.com)
ul. Malaya Semenovskaya, d.5, kv. 28
g. Moskva, 107023
RU
Tel: +7 495 224 0537

*****

worwink.com
ICANN Registrar: KEY-SYSTEMS GMBH
Created: 15 July 2009
NS1.WORWINK.COM
NS2.WORWINK.COM

IP: 212.95.37.186 - Netdirekt E.k

Registrant:
Mark Vinson (mvinson98@count.com)
8 Panorama Cir
Kunkletown PA US
Phone: 6106817173

*****

r.banner0709.com
ICANN Registrar: GODADDY.COM, INC
Created: 29 June 2009
NS37.DOMAINCONTROL.COM
NS38.DOMAINCONTROL.COM

IP: 68.178.232.100 - Arizona, Scottsdale, Godaddy.com Inc

Registrant:
Bryan Hunter (bryan@modenainc.com)
921 SW Washington Street
Suite 228
Portland, Oregon, 97205

*****

content.bannersulike.com
ICANN Registrar: GODADDY.COM, INC
Created: 13 July 2009
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

IP: 68.178.232.100 - Arizona, Scottsdale - Godaddy.com Inc

Registrant:
Modena Inc
921 SW Washington St
Suite 228
Portland, Oregon 97205

*****

modenainc.com (because of its association with bannersulike.com and banner0709.com)
ICANN Registrar: GODADDY.COM, INC.
Created: 21 February 2001
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

IP: 38.100.208.45 - Oregon, Portland, Psinet Inc

Shares IP with 117 other sites

Registrant:
Incorporated, Modena (domains@modenainc.com)
921 SW Washington St
Suite 228
Portland, Oregon, 97205
Tel: 5032411091


[screenshots]

Malware downloaded – analysis results:
http://www.virustotal.com/analisis/3c9b52614c508cd168c3bd1d96dff6b3a6374a63d2334c754a31463bad791a5a-1248226154 

Another incident….

[screenshots]

ALERT: please be extremely cautious when visiting digitalspy.co.uk

There are malvertizements being displayed on digitalspy.co.uk that attempt to take advantage of various security vulnerabilities.  Research and evidence-gathering is happening as I type, and the appropriate parties will be contacted on an urgent basis.

For the time being, be extremely cautious when visiting the web site.  There is a thread warning of malicious content that started back on 30 May 2009 which I found, coincidentally, while researching antventure.com.

I’ll post more information soon.

BTW, the incident is technically identical to the yieldmanager incident that I reported on a few days ago, but there are a few new domains in the mix – no antventure.com but there is a visually identical advertisement featuring Expedia, and an Acer advert, and an iPhone advert and one for contact lenses.

ALERT: malvertizement featuring “Blue Nile”

[screenshot: the “Blue Nile” SWF advertisement]

The SWF advertisement pictured above retrieves content from the domain adburau.net.  That content is yet another SWF.  At time of writing, the SWF downloaded from adburau.net was a single-frame SWF with no images, shapes, fonts, text, sounds, video, buttons, sprites or scripts.
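One way to make that kind of tag-level check repeatable, as an added example here and not a tool from the original post: a small SWF inspector that reads the header, walks the tag records and flags whether the file carries script, external-asset imports or any renderable content. The two SWFs it runs on are constructed inside the script (an empty one-frame shell, and a compressed one carrying a DoAction tag); the adburau.net and "Blue Nile" files themselves are not on this page. The tag codes are the ones from Adobe's SWF file-format specification.

```python
import struct
import zlib

# Tag codes from Adobe's SWF file-format specification (subset)
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 2: "DefineShape", 6: "DefineBits",
    9: "SetBackgroundColor", 10: "DefineFont", 11: "DefineText",
    12: "DoAction", 14: "DefineSound", 20: "DefineBitsLossless",
    21: "DefineBitsJPEG2", 26: "PlaceObject2", 34: "DefineButton2",
    37: "DefineEditText", 39: "DefineSprite", 56: "ExportAssets",
    57: "ImportAssets", 59: "DoInitAction", 60: "DefineVideoStream",
    71: "ImportAssets2", 82: "DoABC",
}
SCRIPT_TAGS = {12, 59, 82}                                  # ActionScript 2/3 code
LOADER_TAGS = {57, 71}                                      # pull assets from another URL
CONTENT_TAGS = {2, 6, 10, 11, 14, 20, 21, 34, 37, 39, 60}   # shapes, images, fonts, text, sound, buttons, sprites, video


def parse_swf(data):
    """Return header fields and the list of (tag_code, payload) records."""
    sig = data[:3]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF (signature %r)" % sig)
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    body = data[8:]
    if sig == b"CWS":                      # zlib-compressed body
        body = zlib.decompress(body)
    # Frame-size RECT: a 5-bit field width, then four fields of that width, byte aligned
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = struct.unpack("<H", body[pos:pos + 2])[0] / 256.0
    frame_count = struct.unpack("<H", body[pos + 2:pos + 4])[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack("<H", body[pos:pos + 2])[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                 # long form: explicit 32-bit length follows
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:
            break
    return {"version": version, "declared_len": declared_len,
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags}


def summarize(data):
    """Reduce a SWF to the facts that matter when triaging an ad creative."""
    info = parse_swf(data)
    codes = [c for c, _ in info["tags"]]
    return {
        "frames": info["frame_count"],
        "tags": [TAG_NAMES.get(c, "Tag%d" % c) for c in codes],
        "has_script": any(c in SCRIPT_TAGS for c in codes),
        "loads_external": any(c in LOADER_TAGS for c in codes),
        "has_content": any(c in CONTENT_TAGS for c in codes),
    }


# --- constructed samples (not the adburau.net or "Blue Nile" files) ---
def _tag(code, payload=b""):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(payload)) + payload


def build_swf(tag_bytes, frame_count=1, compress=False):
    # RECT with nbits=0 (one zero byte), 12 fps, then the tag stream
    body = b"\x00" + struct.pack("<H", 12 * 256) + struct.pack("<H", frame_count) + tag_bytes
    header = (b"CWS" if compress else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# A one-frame shell with nothing in it, the shape of the file fetched from adburau.net
EMPTY_SWF = build_swf(_tag(1) + _tag(0))
# A compressed creative carrying ActionScript (DoAction holding a single End action)
SCRIPTED_SWF = build_swf(_tag(12, b"\x00") + _tag(1) + _tag(0), compress=True)

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_SWF), ("scripted", SCRIPTED_SWF)):
        print(name, summarize(blob))
```

A creative whose summary shows no content but does show script or ImportAssets tags is exactly the pattern worth a second look: the visible ad is elsewhere, and the file's only job is to run code or fetch something.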

The “Blue Nile” SWF contains the easily recognizable encrypted dynamic text:

[screenshot]

Let’s take a close look at adburau.net – we dig up some interesting information.

adburau.net
ICANN Registrar: DIRECTI
Created: 21 September 2008
NS1.ADBURAU.NET
NS2.ADBURAU.NET

IP: 212.95.37.133 - Netdirekt, E.k

Registrant:
Al Jabber
Said Fahtihma (saidfahtih@gmail.com)
A. Kodiri, 65
Tashkent
Kishlak, 100060
UZ
Tel: 998.348.754.198

Hostnames whose A records point at the same IP:

212-95-37-133.internetserviceteam.com
adclickmate.net
ns1.adclickmate.net
ns2.adclickmate.net

Historical information about adclickmate.net

A known "bad actor" reported on here:

http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/01/15/1661878.aspx
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=180

adclickmate.net is currently "suspended" by Directi.  The Registrant is noted as:

Mark Haagland (markhaagland@gmail.com)
Harjumaa str. 546-5
Tallin
Harjumaa,13514
EE
Tel: 37.262.01114

Previous Registrant details – adclickmate.net:

Hidden by privacyprotect for a while, but before that was registered to:

Jacob Tua (jackyouthere@gmail.com) (a well known malvertizing associated name/email address)
Maltiskam 12-67
Belgrade
Belgrade,11008
RS
Tel: 381.113114094

I find it concerning that DIRECTI allowed a “bad actor” domain (adburau.net) to replace one that they had suspended (adclickmate.net).  I also find it concerning that adburau.net replaced adclickmate.net so rapidly. See screenshots below.  According to domaintools.com, adclickmate.net was suspended from IP address 212.95.37.133 on or about 19 February 2009.  adburau.net appeared at the same IP address on or about 23 February 2009.

Call me a cynic, but it seems that the bad guys are finding it too easy to use/abuse Directi.

[screenshots]

Posted by sandi with no comments

ALERT: Please treat content from antventure.com, yellowlinebanner.com, redhousebanner.com, t.banner0709.com and knocklis.com with extreme caution

[screenshot]

Normally when I write about malvertizing on this blog, the “goal” of the malvertizement has been to expose victims to fake security software (aka fraudware).  In one case, the “goal” was to expose the victim to a pornographic web site (complete with streaming video and sound on the opening page – mlb.com was hit by that one).

Today I saw a malvertizement that did not expose victims to fake security software, or unwanted pornography.  Instead, it exposed victims to a web site that tried, via various security exploits, to infect computers.

If a victim is exposed to the dangerous content via the malvertizing discovered today, a malicious PDF is downloaded.  It exploits two vulnerabilities in Adobe Acrobat and Adobe Reader (CVE-2008-2992 and CVE-2009-0927) to run code that then tries to download further malicious software from a web page.

Anyway, here is how it happened. 

ad.yieldmanager.com loaded content in an iframe from served.antventure.com

served.antventure.com in turn pulled content, again in an iframe, from ad.antventure.com.  The ad.antventure.com content was a slew of script that brought us back to ad.yieldmanager.com.

Then there was some back and forth between ad.yieldmanager.com and ad.antventure.com in iframes until, eventually, ad.antventure.com content loaded, you guessed it, ad.yieldmanager.com content.

From here on in it gets really interesting. 

ad.yieldmanager.com loaded content from banner.yellowlinebanner.com

The banner.yellowlinebanner.com content is a 728x90 banner advertisement featuring expedia.com.au. The HREF for the banner advertisement is an expedia.com.au URL but the graphic for the advertisement (a GIF) is pulled from creatives.redhousebanner.com

The URL hosting the gif from creatives.redhousebanner.com contains an iframe that loads content from t.banner0709.com.

t.banner0709.com is where things get real nasty.  The t.banner0709.com URL is redirected to knocklis.com (HTTP response code 302 - “temporary” move), and it is the knocklis.com web page that exposes the victim to the malicious PDF via an iframe in a PHP page. 

The knocklis.com page also tries (and fails) to load a graphic (test.gif) and (unsuccessfully) to load other content from the knocklis.com domain, as well as content from xn--18ba.example.com (this, too, fails).
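The chain above, re-traced offline as an added example (this is not the author's capture, nor any real site's content): a small walker that follows 302 Location headers and iframe/script src values, records each hop, and refuses to re-fetch a URL it has already seen, which is what keeps the ad.yieldmanager.com / ad.antventure.com ping-pong finite. The responses are constructed stand-ins under RFC 2606 .example names arranged in the same shape as the real chain (exchange, intermediary, banner, tracker, 302, landing page, PDF); the hostnames, paths and bodies are assumptions, not captures.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class _EmbedFinder(HTMLParser):
    """Collect src attributes of tags that make the browser fetch and run/render more content."""
    FOLLOW = ("iframe", "frame", "script", "embed")

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in self.FOLLOW:
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def extract_embeds(base_url, html):
    finder = _EmbedFinder()
    finder.feed(html)
    return [urljoin(base_url, s) for s in finder.srcs]


def trace(fetch, start_url, max_hops=25):
    """Walk an ad chain depth-first. fetch(url) returns (status, headers, body) or None.

    Each hop is recorded as (url, status, note). A URL seen before is logged as 'loop'
    and not fetched again; max_hops bounds the walk even if the chain never repeats."""
    chain, seen, queue = [], set(), [start_url]
    while queue and len(chain) < max_hops:
        url = queue.pop(0)
        if url in seen:
            chain.append((url, None, "loop"))
            continue
        seen.add(url)
        resp = fetch(url)
        if resp is None:
            chain.append((url, None, "unreachable"))
            continue
        status, headers, body = resp
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            target = urljoin(url, headers["Location"])
            chain.append((url, status, "redirect -> " + target))
            queue.insert(0, target)
            continue
        ctype = headers.get("Content-Type", "")
        if ctype.startswith("application/pdf") or body.startswith(b"%PDF"):
            chain.append((url, status, "PDF payload"))
            continue
        children = extract_embeds(url, body.decode("utf-8", "replace"))
        chain.append((url, status, "%d embed(s)" % len(children)))
        queue[:0] = children               # depth-first: children before siblings
    return chain


# Constructed responses (assumed names and bodies; no real captures).
HTML = {"Content-Type": "text/html"}
RESPONSES = {
    "http://ad.exchange.example/imp": (200, HTML,
        b'<html><iframe src="http://served.middle.example/s"></iframe></html>'),
    "http://served.middle.example/s": (200, HTML,
        b'<iframe src="http://ad.middle.example/x"></iframe>'),
    "http://ad.middle.example/x": (200, HTML,
        b'<script src="http://ad.exchange.example/imp"></script>'      # back to the exchange: a loop
        b'<iframe src="http://banner.line.example/728x90"></iframe>'),
    "http://banner.line.example/728x90": (200, HTML,
        b'<a href="http://travel.example/"><img src="http://creatives.house.example/ad.gif"></a>'
        b'<iframe src="http://t.track.example/t" width="1" height="1"></iframe>'),
    "http://t.track.example/t": (302, {"Location": "http://knock.example/in.php"}, b""),
    "http://knock.example/in.php": (200, HTML,
        b'<img src="test.gif"><script src="/missing.js"></script>'
        b'<iframe src="/doc.pdf" style="display:none"></iframe>'),
    "http://knock.example/doc.pdf": (200, {"Content-Type": "application/pdf"},
        b"%PDF-1.4\n%constructed placeholder, not a real document\n"),
}


def trace_sample():
    return trace(RESPONSES.get, "http://ad.exchange.example/imp")


if __name__ == "__main__":
    for url, status, note in trace_sample():
        print(status, url, note)
```

Against live hosts the fetcher would also need the Referer and User-Agent the ad slot sends, because, as noted below for creatives.redhousebanner.com, the malicious iframe can be absent when the URL is requested outside the chain.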

You will have to forgive my obscuring the URLs – the content is simply too dangerous for curiosity.  The exploit code carried by the malicious PDF is detected as “win32/pdfjsc.av”:
http://www.securityhome.eu/malware/malware.php?mal_id=5738206704a311ed2d81c38.88824099
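A scan for the traces the two CVEs named above leave in a PDF's embedded JavaScript, added here as an example rather than anything from the original post. It inflates FlateDecode streams, folds #xx name escapes (so /J#61vaScript is not missed), and looks for util.printf() (CVE-2008-2992), Collab.getIcon() (CVE-2009-0927) and a long %u-encoded unescape() heap spray. The sample PDFs are built inside the script and the "exploit" JavaScript in them is an inert look-alike that merely contains the function names; the real knocklis.com PDF is not reproduced. Real files need a proper PDF parser (object streams, other filters, string escapes), so treat this as triage, not a verdict.

```python
import re
import zlib

# Indicators for the two Reader/Acrobat bugs named in the post, per their public advisories:
#   CVE-2008-2992  util.printf() format-string stack overflow
#   CVE-2009-0927  Collab.getIcon() buffer overflow
# plus the %u-encoded unescape() heap spray that normally accompanies them.
INDICATORS = {
    "CVE-2008-2992": re.compile(rb"util\.printf\s*\("),
    "CVE-2009-0927": re.compile(rb"Collab\.getIcon\s*\("),
    "heap-spray": re.compile(rb"unescape\s*\(\s*['\"](?:%u[0-9A-Fa-f]{4}){8,}"),
}


def _unescape_names(pdf):
    """PDF names may hide keywords as /J#61vaScript; fold #xx escapes before matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), pdf)


def _stream_bodies(pdf):
    """Yield each stream body, inflating it when its dictionary declares /FlateDecode."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        head = pdf[max(0, m.start() - 512):m.start()]
        dict_part = head[head.rfind(b"<<"):] if b"<<" in head else head
        body = m.group(1)
        if b"/FlateDecode" in _unescape_names(dict_part):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass                      # corrupt or multi-filter stream: scan the raw bytes
        yield body


def scan_pdf(pdf):
    """Return {'javascript', 'auto_run', 'indicators'} for a PDF given as bytes."""
    text = _unescape_names(pdf)           # keyword checks on the de-escaped text
    blobs = list(_stream_bodies(pdf)) + [text]   # stream extraction on the untouched bytes
    hits = [name for name, rx in INDICATORS.items() if any(rx.search(b) for b in blobs)]
    return {
        "javascript": b"/JavaScript" in text or b"/JS" in text,
        "auto_run": b"/OpenAction" in text or b"/AA" in text,
        "indicators": sorted(hits),
    }


# --- constructed samples: not the knocklis.com file, and the JavaScript is deliberately inert ---
def build_pdf(js_source=None, obfuscate=False):
    objs = [b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if js_source else b"") + b" >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R >>"]
    if js_source is not None:
        name = b"/J#61vaScript" if obfuscate else b"/JavaScript"
        comp = zlib.compress(js_source)
        objs.append(b"<< /S " + name + b" /JS 5 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream")
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


EXPLOIT_LOOKALIKE_JS = (
    b'var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");\n'
    b'util.printf("%45000f", 0);\n'
    b'Collab.getIcon(spray);\n'
)
CLEAN_PDF = build_pdf()
BAD_PDF = build_pdf(EXPLOIT_LOOKALIKE_JS, obfuscate=True)

if __name__ == "__main__":
    print("clean:", scan_pdf(CLEAN_PDF))
    print("bad:  ", scan_pdf(BAD_PDF))
```

The name de-escaping is done on a copy used only for keyword matching; running it over the raw bytes before stream extraction would corrupt compressed data that happens to contain a `#` followed by two hex digits.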

As a final note, if we visit the creatives.redhousebanner.com URL directly, the iframe does not appear, so a direct fetch is not a reliable test of the creative.  Also, antventure.com has been problematic in the past:

http://www.bluetack.co.uk/forums/lofiversion/index.php/t19489.html

http://gigablast.com/get?c=main&d=109162469411&q=antventure.com&

The redhousebanner.com GIF

[screenshot]

The banner.yellowlinebanner.com content with the iframe content:

[screenshots]

Posted by sandi with 5 comment(s)

FTC versus Innovative Marketing et al – Sam Jain and Kristy Ross respond (and other developments)

Sam Jain

I would have loved to shine a light on some nice juicy arguments but, alas, it wasn’t to be.  The entirety of Jain’s answer comprised just a few types of response, as follows:

Paragraph text version 1)

“Paragraph X of the Complaint contains legal conclusions to which no response is required”

Paragraph text version 2)

“Paragraph X of the Complaint contains legal conclusions to which no response is required.  To the extent Paragraph X of the Complaint contains factual allegations to which a response is required, Mr Jain lacks sufficient information to admit or deny the allegations and therefore denies those allegations”

Paragraph text version 3)

“The subject matter of the Complaint in this case is the basis for an ongoing investigation conducted by the U.S. Attorney for the Northern District of Illinois.  Exercising his rights under the Fifth Amendment of the Constitution of the United States, Mr Jain respectfully declines to answer the allegations contained in paragraph X on the ground that his answer might tend to incriminate him.  Mr Jain further respectfully requests that such declination have the same procedural effect under Fed. R. Civ. P. 8(d), as if he specifically denied the allegations.”

Paragraph text version 4)

“Exercising his rights under the Fifth Amendment of the Constitution of the United States, Mr Jain respectfully declines to answer the allegations contained in Paragraph X on the ground that his answer might tend to incriminate him.  Mr Jain further respectfully requests that such declination have the same procedural effect under Fed. R. Civ. P. 8(d), as if he specifically denied the allegations.”

And so it goes on, with variations to the same theme such as “Mr Jain lacks sufficient information to admit or deny the allegations... and therefore denies those allegations”.

Finally, Mr Jain puts forth three Affirmative Defenses:

"Plaintiff has failed to state a claim upon which relief can be granted", and

"Any injury allegedly incurred was not caused by Mr Jain, and any injury resulted from superseding or intervening events outside the knowledge or control of Mr Jain", and

"Mr Jain expressly reserves the right to assert any and all other defenses to the Amended Complaint as they become known".

In short, it is 17 pages saying pretty much nothing at all…

Kristy Ross

Kristy Ross has also filed her Answer (31 pages long).  It, too, contains various denials and coy Fifth Amendment self-incrimination demurrals, but she does admit (aka agree) that the FTC is an independent agency of the US Government created by statute, that it enforces Section 5(a) of the FTC Act and that it is authorized to initiate federal district court proceedings.

Her defenses are:

“The statement of any defense does not assume the burden of proof for any issue as to which applicable law places the burden upon plaintiff. Defendant expressly reserves the right to amend and/or supplement her defenses or assert any matters in avoidance of plaintiff's claim which may become appropriate as discovery proceeds in this case”; and

“Plaintiff has failed to state a claim upon which relief can be granted”; and

“Any injury allegedly incurred was not caused by Defendant Ross and any injury resulted from superseding or intervening events outside the knowledge or control of Defendant Ross”.

Innovative Marketing, Inc and Daniel Sundin

The FTC has lodged a Motion for Entry of Default for want of answer or other defense, with responses due by 13 July 2009.  Bearing in mind both parties have ignored the proceedings so far, and are unrepresented, I doubt that IM or Sundin are going to acknowledge the FTC's lawsuit now.

Marc D'Souza

Arguments via Motion and Reply continue as D'Souza attempts to have the complaint against him dismissed.

James Reno and ByteHosting

The Judge has signed the Reno Orders, so that is all over and done with.

Posted by sandi with no comments