January 2010 - Posts

FTC versus Innovative Marketing et al – developments


The FTC's Renewed Motion for Rule 37 Sanctions against Sam Jain was granted on 19 January 2010.

It was further ordered that Default be entered against Jain pursuant to Rule 37(d) and that the FTC shall submit evidence to the Court as to the total consumer injury resulting from the allegations in the Complaint.

The Court will review the evidence of total consumer injury and then enter default judgment.

Now we wait to see what sort of monetary and other penalties the Court will impose upon Jain.  The FTC’s second motion claimed that “Jain perpetrated one of the largest online frauds ever prosecuted by the FTC, with a total consumer injury figure that – as the Court will soon hear – exceeds $150 million”, which gives you some idea of the sort of fiscal penalty Jain now faces.

****

In other developments, Marc D'Souza had disputed the scope of discovery being sought by the FTC. 

Because of a concern that "broad enquiries from the FTC aimed at each of Mr D'Souza's business partners could result in significant disruption to Mr D'Souza's new business" the Court has decided that the FTC can conduct discovery regarding D'Souza's post January 1, 2007 activities, but only if the FTC has identified a particular company as having done business with D'Souza prior to January 1, 2007.  The FTC is also free to seek discovery from D'Souza about any continued use of "computer scans" to sell security software.

Posted by sandi with 1 comment(s)

Dynamoo finds malvertizing at ebuddy.com


Cite: http://www.dynamoo.com/blog/2010/01/zoombannercom-yieldmanager.html

 

The domain cited by Dynamoo as the end of the legitimate chain, zoombanner.com, is worth a closer look.  It may be registered to “Domain Owner” (trafficbuyer.@gmail.com) of 15156 SW 5th of Scottsdale, Arizona *now*, but it used to be registered to a name with a far older, nefarious, history - Modena Inc.

Modena Inc have a dubious history, with complaints as far back as 2005 about "spyware infested filesharing programs", site scraping and 302 domain poisoning:

http://www.freedomcrowsnest.org/forum/viewtopic.php?t=1416
http://forum.abestweb.com/showthread.php?p=456066&mode=threaded#post456066

Modena Inc domains were also part of the malvertizing incident that hit digitalspy.co.uk:
http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

They were also implicated in malvertizing that attempted to infect computers via a PDF exploit:
http://msmvps.com/blogs/spywaresucks/archive/2009/09/12/1722754.aspx

There is also a dishonorable mention at bluetack.co.uk (**10** different security exploits were used in that incident) - domains used were banners.exitexchange.com and count.exit1208.com:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=210&p=90509&

It is interesting that ashoping.com was part of the incident recorded at bluetack.co.uk. The registrant, helen.nikolson@gmail.com, has been seen myriad times, in association with traffichunters.net (which we can tie to Innovative Marketing in the Ukraine):
http://msmvps.com/blogs/spywaresucks/archive/2009/03/27/1682054.aspx

 

 

 

 

 

Since we can follow the bouncing ball back from zoombanner.com to Innovative Marketing in the Ukraine, it occurs to me that I should check to see if there has been any progress with the FTC versus Innovative Marketing lawsuit.  My regular readers will know that Sam Jain's lawyers, Patton Boggs, asked for permission to withdraw as Jain's lawyers.  That request was granted on the 15th of January.

A telephone conference regarding "Discovery Dispute" was held on the same day - sorry, I have no further information about that.

The second motion for sanctions against Sam Jain, filed on 22 October last year, remains outstanding:

10/22/2009
Second MOTION for Sanctions Pursuant to Rule 37 Against Sam Jain by Federal Trade Commission.

"Sam Jain has made a mockery of this proceeding and has demonstrated nothing but contempt for this Court and the American judicial system as a whole. Together with his codefendants, Jain perpetrated one of the largest online frauds ever prosecuted by the FTC, with a total consumer injury figure that – as the Court will soon hear – exceeds $150 million. After being caught red-handed by the FTC, Jain promptly fled the United States, leaving his lawyers behind to delay the FTC’s efforts to redress the massive consumer injury Jain helped inflict. After nearly a year of delay, Jain has reached the end of the road. Unwilling to comply with this Court’s command that he participate in discovery, Jain has no further ability to stall this litigation. As a result, Jain has washed his hands of this matter, and simply disappeared. Given these facts, it is difficult to imagine a case that better supports the imposition of terminating sanctions, or an individual more deserving of such an outcome than Jain."

 

Off topic:

Personally, I think that people who use services such as ebuddy.com, which asks you to hand over your username and password for MSN, Yahoo, AIM, GTalk, Facebook, ICQ and MySpace, are very foolish.  There’s no way I’m ever going to do that – no how, no way.

Don’t forget what happened to RockYou (to cite a recent example):
http://www.rockyou.com/help/securityMessage.php

Posted by sandi with no comments

bootcampmedia – some problems have been cleaned up, but others continue

Cite: http://www.dynamoo.com/blog/2010/01/more-malvertisment-domains.html

 

Dynamoo noticed that bonnapet.com is not resolving at the moment.


Check out the Host names sharing ip (217.20.114.40) with a-records – what do you think the chances are that any of those sites are legitimate?


Yeah, we love Netdirekt – they’re such a clean host (not).

Posted by sandi with no comments

Attack of the psycho server

 

Hmm, it seems that my mail server has learned a foreign language – that or it is swearing at me ;o)

Ok, so what’s the diagnosable problem? 

0x800CCC6C SMTP_452_NO_SYSTEM_STORAGE No space to store

>sigh<  I blame the IMAP accounts.

 

image

Posted by sandi with no comments

Malvertizing at boingboing.net


Original source: Dynamoo
http://www.dynamoo.com/blog/2010/01/boingboingnet-bootcampmediacom-ad-leads.html

We have seen problems at bootcampmedia for a LONG time (at least a year) – Jamie Dalgetty needs to start cleaning up bootcampmedia.

Historical evidence:
http://www.google.com/cse?cx=007665253733268001951:qtjb7x6vodw&ie=UTF-8&q=bootcampmedia&sa=Search&siteurl=www.google.com/cse/home%3Fcx%3D007665253733268001951:qtjb7x6vodw

 

Now, I’ve been able to reproduce Dynamoo’s findings, but I saw a different advertisement (I’m sure I’ve seen that fake craigslist advert before), and different domains.

I bounced from bootcampmedia.com to firedogred.com to deliver.azrielwhereincozen.com (which hosted the advert itself) to content.bookletjigsawsenam.com (which redirected us to bonnapet.com).  bonnapet.com is the domain that was used to attempt to download malicious content to my test machine (an attempt that was easily thwarted, thanks to IE8’s infobar).

Domain details are below the screenshot.

The malicious behaviour has been reported to Right Media (Yieldmanager) with supporting evidence.

image

bootcampmedia.com
ICANN Registrar: GODADDY
Created: 11 December 2007

IP: 69.163.209.214 - New Dream Network LLC

Shares IP with 26 other sites.

Registrant hidden by domainsbyproxy.com

*****

firedogred.com
ICANN Registrar: GODADDY
Created: 15 September 2009

IP: 68.178.232.100 - Godaddy.com, inc.

Registrant - anonymised...
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
USA

Aren't 555 phone numbers always fake? 800 555 1212

*****

azrielwhereincozen.com
ICANN Registrar: GODADDY
Created: 7 January 2010

IP: 74.207.232.202 - New Jersey - Absecon, Linode

Registrant hidden behind domainsbyproxy.com

*****

bookletjigsawsenam.com
ICANN Registrar: GODADDY
Created: 7 January 2010

IP: 69.164.196.55 - New Jersey - Absecon, Linode

Registrant hidden behind domainsbyproxy.com

*****

bonnapet.com
ICANN Registrar: ENOM, INC
Created: 11 January 2010

IP: 217.2.114.40 - Berlin - Netdirekt E.K.

Registrant:
Wade Cook (wade.cooke@yahoo.com)
12 Hull Street
Boston MA 02113
US
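
An added example, not part of the original post: one way to triage the redirect chain described above is to compare each hop's WHOIS creation date with the date the chain was observed and find where it leaves aged infrastructure for freshly registered domains. The creation dates are the ones recorded in this post; the observation date, the URL schemes and paths, the 30-day threshold and all function names are assumptions made for the illustration.

```python
from datetime import date
from urllib.parse import urlsplit

# WHOIS creation dates as recorded in the domain details of this post.
CREATED = {
    "bootcampmedia.com": date(2007, 12, 11),
    "firedogred.com": date(2009, 9, 15),
    "azrielwhereincozen.com": date(2010, 1, 7),
    "bookletjigsawsenam.com": date(2010, 1, 7),
    "bonnapet.com": date(2010, 1, 11),
}

# Hops in the order the post describes them. Scheme and path are constructed.
CHAIN = [
    "http://bootcampmedia.com/",
    "http://firedogred.com/",
    "http://deliver.azrielwhereincozen.com/",
    "http://content.bookletjigsawsenam.com/",
    "http://bonnapet.com/",
]

# Assumption: the post gives no exact observation date, so one is constructed.
OBSERVED = date(2010, 1, 15)


def registered_domain(url, known):
    """Map a URL to the longest-known parent domain we hold WHOIS data for."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None  # no WHOIS record on file: needs a lookup before it can be cleared


def score_chain(chain, created, observed, max_age_days=30):
    """Return one row per hop with the domain age at observation time."""
    report = []
    for hop, url in enumerate(chain):
        domain = registered_domain(url, created)
        if domain is None:
            age, status = None, "unknown"
        else:
            age = (observed - created[domain]).days
            status = "young" if age <= max_age_days else "aged"
        report.append({"hop": hop, "url": url, "domain": domain,
                       "age_days": age, "status": status,
                       "young": status == "young"})
    return report


def first_young_hop(report):
    """The hop where the chain first lands on a recently registered domain."""
    for row in report:
        if row["young"]:
            return row
    return None


if __name__ == "__main__":
    for row in score_chain(CHAIN, CREATED, OBSERVED):
        print(row["hop"], row["domain"], row["age_days"], row["status"])
    print("handoff at hop", first_young_hop(score_chain(CHAIN, CREATED, OBSERVED))["hop"])
```
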

An excellent improvement to Adobe Reader security

The most important piece of advice that is generally given to users of Adobe Reader to protect them from malicious exploits in PDF documents is to disable JavaScript, but it has always been an “all or nothing” situation – the chance that somebody would heed our advice, disable JavaScript, only to need to turn it on again (and forget to turn it off) was high.

The October update of Reader, though, offers a new feature which I quite like – note how you can enable JavaScript for just the one document and, if you so desire, for just one time.

So my new advice is to disable JavaScript and enable “Enhanced Security”.

Now, if only they would give us a way to turn off the functionality that allows criminals to use Flash advertisements to hijack web browsers…

image

Old dialogue – JavaScript disabled

image

New dialogue – JavaScript disabled

image

 

 New dialogue – blacklisted JavaScript encountered

image

 

Source: http://blogs.adobe.com/asset/2010/01/a_few_words_on_the_january_201.html
Source: http://kb2.adobe.com/cps/504/cpsid_50432.html

softwarespam.net and stablemates

A friend was hit by a redirect to softwarespam.net when she clicked on a Google search result for timesheets compatible with MYOB - the site exhibited classic scareware/fraudware behavior.

 

Domain details:

softwarespam.net
ICANN Registrar: Key-Systems GMBH
Created: 21 December 2009

IP: 93.190.140.165 - Netherlands, Worldstream

Shares IP with softwareanti.com, softwarejar.com, softwarerising.com, softwaresecure.net, softwarespyware.net, softwarethe.net, softwarethreats.com, softwarethreats.net, softwarexp.net

Registrant:
P-SNG999
Stanislav Gladishev (glad1shev@mail.ru)
pr Andropova 27-8
Moskva 115487
Russia
7.4996156560

*****

softwareanti.com
ICANN Registrar: Arsys Internet, S.L. D/B/A NICLINE.COM
Created: 22 December 2009

Registrant:
Stanislav Gladishev (glad1shev@mail.ru)
pr Andropova 27-8
Moskva 115487
Russia
7.4996156560

*****

softwarejar.com
ICANN Registrar: Arsys Internet, S.L. D/B/A NICLINE.COM
Created: 22 December 2009

Registrant:
Same as softwareanti.com

*****

softwarerising.com
ICANN Registrar: Arsys Internet, S.L. D/B/A NICLINE.COM
Created: 22 December 2009

Registrant:
Same as softwareanti.com

*****

softwaresecure.net
ICANN Registrar: Key-Systems GMBH
Created: 21 December 2009

Registrant:
Same as softwarespam.net

*****

softwarespyware.net
ICANN Registrar: Key-Systems GMBH
Created: 21 December 2009

Registrant:
Same as softwarespam.net

*****

softwarethe.net
ICANN Registrar: Key-Systems GMBH
Created: 21 December 2009

Registrant:
Same as softwarespam.net

*****

softwarethreats.com
ICANN Registrar: Arsys Internet, S.L. D/B/A NICLINE.COM
Created: 22 December 2009

Registrant:
Same as softwareanti.com

*****

softwarethreats.net
ICANN Registrar: Key-Systems GMBH
Created: 21 December 2009

Registrant:
Same as softwarespam.net

*****

softwarexp.net
ICANN Registrar: Key-Systems GMBH
Created: 21 December 2009

Registrant:
Same as softwarespam.net

“GodMode”?


 

There is some “excitement” over at CNET, thanks to an article about the so-called “GodMode” published by Ina Fried:
http://news.cnet.com/8301-13860_3-10423985-56.html

Ina Fried says that “Windows enthusiasts are excited over the discovery” (well, this one isn’t, thank you). 

Putting aside the fact that the information has actually been around since 2008 or so (sorry Ina), y’all may be interested to know that you can name the folder anything you want – all you need to do is ensure that the folder name ends with the correct GUID – ie:

{ED7BA470-8E54-465E-825C-99712043E01C}

And, don’t forget to include the full stop as well, eg:
This_is_the_folder_name.{ED7BA470-8E54-465E-825C-99712043E01C}

 

 

So have fun gang.  Perhaps you’re an atheist….

image

 

Perhaps you’re a fan of Sesame Street…

image

 

Or if you’re feeling disillusioned with the popular press….

image

Posted by sandi with no comments

ALERT: Please treat these domains with extreme caution

Hat tip to phishlabs (www.phishlabs.com) for the heads up :)

 

There have been reports of potential malvertizing activity in association with dowsonandco.com and vertfi.com.

dowsonandco.com

Created 8 November 2009

Registrar: BIZCN.COM, INC (notoriously problematic)

IP: 217.23.7.177 (Faro - Worldstream)

Server is running nginx (Software preferred by the miscreants)

Registrant: Timothy Davis (davist@yahoo.com) of 4786 Nutters Barn Lane, Des Moines IA 50317 (I can’t find evidence that this address exists)

Business address is listed as 1221 Brickell Ave Miami, FL, which is the address of some executive offices.  Note that you won’t find Dowson and Co at that address according to this web site:
http://www.corporationwiki.com/Florida/Miami/1221-Brickell-Ave-Miami-FL-33131-a4202.aspx

Shares IP with advert-ex.com, bradeymedia.com and lemanmarketing.com as well as mail.parsok.com.

*****

advert-ex.com

Created 8 November 2009

Registrar: BIZCN.COM, INC

Registrant: Johnny Johnson (johnj@dnsconsulting.com), 4765 Horner Street, Montgomery AL 36107

*****

bradeymedia.com

Created 8 November 2009

Registrar: BIZCN.COM, INC

Registrant: Travis Davis (davis@vipdomains.com), 1728 Rafe Lane, Memphis MS 38118

*****

lemanmarketing.com

Created 8 November 2009

Registrar: BIZCN.COM, INC

Registrant: Curtis Bridges (curtisdomains@yahoo.com), 2674 Ryder Avenue, Seattle WA 98101

******************************************************************************

vertfi.com

Created 20 December 2009

Registrar: BIZCN.COM, INC

IP: 217.23.7.83 (Faro, Worldstream) Note that there is also a vertfi.info registered.

Shares IP with febring.com, indrine.com and schnine.com

Registrant:  Kenneth Mcdonald (dns@vertfi.com), 33 Tibbs Ave, Superior MT 59872

*****************************************************************************

Other stuff:

A search of IP 217.23.7.% reveals some worrying web sites, eg:

  1. abercrombielife.com (which displays a series of fake security seals purporting to be issued by BBB, Verisign, McAfee and Security Metrics).
  2. googie-anaitlcs.ws, googie-analytics.ws
  3. A series of 'advertising' type domains such as 4livemarket.com, bellwayinteractive.com, goldbaymedia.com, revoltechmedia.com, smartmediaway.com (several of which have been seen before in association with IP addresses of domains used to facilitate the distribution of malvertizing).

I find it interesting that some domains (bellwayinteractive.com, goldbaymedia.com, revoltechmedia.com and smartmediaway.com) used to be within IP range 212.117.175.% – they were IP stablemates with spark-smg.com which was the domain used to trick Gawker Media into accepting malvertizing.

 

I have also spotted the domains vigana-media.com and yewomedia.com (IP: 217.23.7.175)

vigana-media.com is sharing IP address with yewomedia.com.  yewomedia.com's web site is visually identical to vigana-media except for a few minor textual changes to make the blurbs suit the different domains.

Vigana-media.com claims to have been around since 1997 and yewomedia.com claims to have been around since 2002, which is quite interesting, considering both domains were not registered until late 2009.  Both sites also claim to have been "ranked by AdvertisingAge as a 'Top 100 Interactive Agency Nationwide'".  Despite the extensive similarities between the web sites, there is no similarity when it comes to the Registrants.

 

vigana-media.com
ICANN Registrar: BIZCN.COM, INC
Created 15 October 2009

Registrant:
Gene West (genetwest@gmail.com)
510-696-1538
4014 Clifford Street
San Leandro CA 74578

yewomedia.com
ICANN Registrar: BIZCN.COM, INC
Created 30 November 2009

Registrant:
FreeBiofuel
Christopher Penaflor (christopherpenaflor@gmail.com)
503-361-4762
988 Mattson Street
Salem OR 97301

Posted by sandi with no comments

Alert: please treat these domains with extreme caution

Originally spotted via this blog entry (you’ll see SpywareSucks cited in the comments).

Putting aside the fact that the author of the blog is completely wrong to claim that Google was blocking biggovernment.com because of “bad publicity”, we can be grateful that the author has brought some malvertizing domains to our attention.

Ironically, redstate.com has been having problems with malicious content itself.

If you look at the screenshot of the Google Chrome alert posted at redstate.com, you will see that biggovernment.com was being blocked, but not because of any “bad publicity”, but rather because Google detected that biggovernment.com was serving content from statsistat.com – and yes, statsistat.com is definitely bad news.

image

 

Let’s try to answer a few of the gentleman’s questions:

Why would Google be marking BigGovernment.com as a page that has malware on it?

Because content from statsistats.com was detected.

I have never before received this warning from Google when going to BigGovernment. I suppose it is possible that BigGovernment did have malicious code on it. Of course, I would then also have to believe that in the following two hours BigGovernment isolated the malicious code and removed the code. Why?

biggovernment.com may not have detected or cleaned up anything at all.  It may be that the malicious code only appears once per IP address (or once per computer if browser/flash cookies are being used to control behaviour), which is a very common trick the bad guys use to make it difficult to prove that malicious content exists, or existed.  It may be that the malicious code only appears if the correct referrer is detected (another very common trick).

Well, how else would Google Chrome now be allowing you to go to BigGovernment.com without a warning?

Because the malicious code is no longer being detected.  See above.

Is their product malfunctioning?

No. See above.

Also, Safari uses the same system as Chrome for detecting malicious sites, why didn’t Safari give the same warning when I attempted to use it?

See above.
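
An added example, not part of the original post: the answers above explain that one clean revisit proves nothing, because malicious content may be served only once per IP address or only when the expected referrer is present. The sketch below classifies a crawl log for a single ad URL against those two behaviours; the log records, the documentation IP addresses, the publisher.example referrer and the function name are all constructed for the illustration.

```python
# Constructed crawl log for one ad URL, in time order:
# (client_ip, referrer_sent, got_malicious_redirect)
CRAWL_LOG = [
    ("198.51.100.10", "http://publisher.example/", True),   # first visit, with referrer
    ("198.51.100.10", "http://publisher.example/", False),  # same IP and referrer again
    ("198.51.100.11", "", False),                           # fresh IP, no referrer
    ("198.51.100.12", "http://publisher.example/", True),   # fresh IP, with referrer
    ("198.51.100.12", "", False),                           # repeat visit, no referrer
]


def diagnose_gating(observations):
    """Return the gating behaviours that the observations are consistent with."""
    seen_ips = set()
    hit_keys = set()            # (ip, referrer) pairs that received malicious content
    hits = 0
    repeat_hit = False          # malicious content served to an IP already seen
    same_key_repeat_miss = False
    first_hit_refs = set()      # referrers that produced a hit on a first visit
    first_miss_refs = set()     # referrers that produced a miss on a first visit

    for ip, referrer, malicious in observations:
        first_visit = ip not in seen_ips
        seen_ips.add(ip)
        if malicious:
            hits += 1
            hit_keys.add((ip, referrer))
            if first_visit:
                first_hit_refs.add(referrer)
            else:
                repeat_hit = True
        elif first_visit:
            first_miss_refs.add(referrer)
        elif (ip, referrer) in hit_keys:
            # Identical request from the same IP, clean the second time round.
            same_key_repeat_miss = True

    if hits == 0:
        return ["never-observed"]

    findings = []
    # Once per IP: hits only ever land on first visits, and an identical repeat
    # request from an IP that was hit came back clean.
    if not repeat_hit and same_key_repeat_miss:
        findings.append("once-per-ip")
    # Referrer gated: looking only at first visits (so the per-IP effect is
    # factored out), no referrer value appears on both the hit and miss side.
    if first_hit_refs and first_miss_refs and not (first_hit_refs & first_miss_refs):
        findings.append("referrer-gated")
    return findings or ["no-gating-evidence"]


if __name__ == "__main__":
    print(diagnose_gating(CRAWL_LOG))
```
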

 

Now, let’s take a look at that domain…

 

statsistats.com
ICANN Registrar: DIRECTI
Created 26 December 2009

IP: 193.104.22.153 - Malta, Kratosweb-net

Sharing IP with statcstat.com, statdstat.com and (previously) statbstat.com.

Registrant hidden behind privacyprotect.org

*****

The IP range 193.104.22.% is an absolute treasure trove of potential danger - take a look at the following domains - all of them should be treated with extreme caution:


Posted by sandi with no comments

ALERT: Please treat the following domains with extreme caution

advertisingcommunity-s.com
ICANN Registrar: DIRECTI
Created 2 November 2009

IP: 217.23.10.16 - Worldstream, Netherlands.

Registrant hidden behind Privacy Protect, dedicated hosting.

Implicated in malvertizing incidents before:
http://www.mywot.com/en/scorecard/advertisingcommunity-s.com

*****

adrime.net
ICANN Registrar: ENOM, INC
Created 18 November 2009

IP: 64.27.26.81 - Calpop.com Inc, Los Angeles

Registration Service: director@climbing-games.com (www.ruler-domains.com) - a familiar name and email address; see here for an example of past history: http://msmvps.com/blogs/spywaresucks/archive/2009/04/23/1690203.aspx

Registrant: Pol Andersson (pol@hiparis.fr)
70, Rue Hautpoul
Paris, 75019
FR

Sharing IP with ad-spenser.com, adendum.net, colorednews.com, eu-planning.com, exanza.net, ie-adv.com, inclick-eu.com, maps-europe.net

Digging around I find a NS connection with impressionsreport.com, advunit.com

Posted by sandi with no comments