July 2010 - Posts

ALERT: Out of band security update to be released on August 2

Details here:
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

“This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on August 2, 2010. The bulletin addresses a security vulnerability in all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, that is currently being exploited in malware attacks.”

Please install this patch as soon as you can once it is released.

If you used the workaround to mitigate the vulnerability (that is, if your shortcuts look like this image or this image), then you will need to undo that workaround before installing the security update.

Microsoft released a “fixit” to automatically apply, or remove, the workaround that broke *.LNK files – you can find the “fixit” here:
http://support.microsoft.com/kb/2286198

ALERT: Please treat content from aegadvancedmedia.com with extreme caution

Nokia Theatre L.A. Live (nokiatheatrelalive.com) is serving exploits via aegadvancedmedia.com

Historical badness at aegadvancedmedia.com (btw, homedepotcenter.com is still serving exploits – stay away from there too):
http://www.google.com/safebrowsing/diagnostic?site=aegadvancedmedia.com


Malicious content (note the 1x1 iframe):
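The 1x1 iframe is the tell worth checking for on any page you suspect of carrying injected ad content. The following is an added example, not code from the original post, that scans HTML for iframes a visitor could never see, either because they are sized 1x1 or smaller (by attribute or inline CSS) or because inline CSS hides them outright. The sample page and its hostnames are constructed for the example and are not the sites named above.

```python
"""Flag iframes that are sized or styled to be invisible.

Added example, not code from the original post: a defensive scan of HTML for
<iframe> elements that are 1x1 (or smaller) or hidden by inline CSS, the
pattern the post points at where injected ad content loads a further page
with no visible trace. Standard library only.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

_HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
_CSS_DIM = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)
_LEADING_INT = re.compile(r"\s*(\d+)")


def _pixels(attrs: Dict[str, Optional[str]], name: str) -> Optional[int]:
    """Width/height in pixels from the attribute or the inline style, else None."""
    value = attrs.get(name)
    if value is not None:
        m = _LEADING_INT.match(value)
        if m:
            return int(m.group(1))
    for prop, px in _CSS_DIM.findall(attrs.get("style") or ""):
        if prop.lower() == name:
            return int(px)
    return None


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe that a user could not see."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        w, h = _pixels(a, "width"), _pixels(a, "height")
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller")
        if _HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((a.get("src") or "", "; ".join(reasons)))


def find_hidden_iframes(html: str) -> List[Tuple[str, str]]:
    """Return (src, reason) pairs for hidden iframes in the given HTML."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate video embed next to two injected frames.
# Hostnames use reserved TLDs; they are not the ones named in the post.
SAMPLE_HTML = """<html><body>
<h1>Upcoming events</h1>
<iframe src="https://video.example/player" width="640" height="360"></iframe>
<iframe src="http://ad-server.invalid/x.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://tracker.invalid/p" style="width:1px;height:1px;display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_HTML):
        print(f"{reason}: {src}")
```

Run it against a saved copy of the page rather than fetching the live site from a workstation; the point is to confirm the indicator offline and then feed the frame's `src` into your blocklist or proxy logs.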


Analysis of content from the IP address 85.234.190.13:
http://wepawet.cs.ucsb.edu/view.php?hash=63e7a8a467205c6c2d6c078de506b30c&t=1280392935&type=js

Historical badness at 85.234.190.13:
http://www.google.com/safebrowsing/diagnostic?site=85.234.190.13

Other bad stuff in the IP range:
http://www.malwaredomainlist.com/mdl.php?search=85.234.190&colsearch=All&quantity=50

85.234.190.13 is in Latvia - Latvia Riga Docsis Ip Pool For Cable Customers

Other bad stuff is seen coming from 194.8.250.227 (Paraguay Donstroy Ltd) – historical badness there too:
http://www.google.com/safebrowsing/diagnostic?site=194.8.250.227

Interestingly, an analysis of the content loaded from 194.8.250.227 points to fake AV:
http://www.virustotal.com/analisis/b0becacf524a1d04943007da7284bc419245bf26a411a1667df06e647eabadc6-1280394361

Not surprising considering the IP range history:
http://www.malwaredomainlist.com/mdl.php?search=194.8.250&colsearch=All&quantity=50

There is also an attempt to infect systems using a vulnerability in Adobe Reader and Acrobat 8.0 through 9.2 (use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009).

ALERT: Please treat content from Ad-Amazing.com and associated domains with extreme caution

We already know about the comment posted to my blog about adamazing.com – now we can add ad-amazing.com (notice the added hyphen) to the list.

ad-amazing.com have been caught distributing tags that spoof legitimate companies in a way similar to that described in this article about subdomains.

The ad-amazing.com representative supplied the following references to various parties - these pseudonyms should also be treated with extreme caution.

Kerb Consulting (shares IP range with ad-amazing.com, newtonad.com and kolosolutions.com)
1061 Mill Park Dr. Bldg 2, Lancaster, OH 43130
Ray Kerbson
Ray@kerbconsult.com
(740) 205-6909

Newton Advertising LLC
12 Langley Road, office #3, Newton, MA 02459
James Franco
franco@newtonad.com
(617)340-2126

KOLO Solutions
5267 Commerce Rd, Flint, MI 48507
Mark Hamilton
Hamilton@kolosolutions.com
(810) 250-7321

Mind Ads International (mindadsint.com) (shares IP range with flamingonetwork.com and red-ads.com)

Flamingo Network (flamingonetwork.com)

Red-Ads.com (snap quiz: what’s wrong with this paragraph, copied from the red-ads.com website?)

*****

ad-amazing.com
ICANN Registrar: BIZCN.COM (people, seriously, avoid any domain name registered via BIZCN.COM like the plague, please???)

Created 3 June 2010

IP: 93.174.92.188 - Amsterdam, As29073 Ecatel Ltd

Registrant: Sparkle Coleman (dns@ad-amazing.com)

Reverse DNS for 93.174.92.188 = mail.ptsupport.info

*****

ptsupport.info - currently inactive but previously at IP 93.174.92.187 - shared IP with kerbconsult.com (which, of course, was put forward as a "referee" for ad-amazing.com) and vipps-nabp.net

Previously registered to "aldo santini" (boldospaz@yahoo.com)

*****

kerbconsult.com
ICANN Registrar: BIZCN.COM

Created 26 May 2010

IP: 93.174.92.187 - Amsterdam, As29073 Ecatel Ltd

Registrant: IT Admin (it@kerbconsult.com)

*****

newtonad.com
ICANN Registrar: BIZCN.COM

Created 3 June 2010

IP: 93.174.92.198 - Amsterdam, As29073 Ecatel Ltd

Registrant: Claire Ferrell (newtonad@registar.com)

*****

kolosolutions.com
ICANN Registrar: BIZCN.COM

Created 3 June 2010

IP: 93.174.92.197

Registrant: IT Admin (it@kolosolutions.com)

*****

red-ads.com
ICANN Registrar: BIZCN.COM
Created 12 July 2010

IP: 94.102.55.110 - Amsterdam, Ecatel Ltd

Registrant: Red Ads Contractors, Charles Mclaughlin (domains@red-ads.com)

*****

flamingonetwork.com
ICANN Registrar: BIZCN.COM
Created 12 July 2010

IP: 94.102.55.105 - Amsterdam, Ecatel Ltd

Registrant: Registar Services, Harold Pinner (registar@flamingonetwork.com)

*****

mindadsint.com
ICANN Registrar: BIZCN.COM
Created 11 July 2010

IP: 94.102.55.107

Registrant: Registar Services, Sarah Avallone (registar@mindadsint.com)

*****

Domains in the IP range 93.174.92.% that should be treated with extreme caution (especially if they are selling advertising) include the following:

Blueglad.com, Greenhad.com, Hadsplash.com, Lackstack.com, Ladwhite.com, Mashslack.com, Thehyipzone.com, Highyieldpros.com, Danafund.com, Web-wizard-solution.com, Opprutinv.com, Drunkbots.com, Hacklabonline.com, Indeshawadenaw.com, Indeshawadenaw.net, Onlineaddons.com, Outsistem.net, Rapiddownloads.eu, Steamcomnnity.com, Steamstuff.info, Nettoolz.info, Edskahn.com, Hourluck.com, Deliver2.net, Runelive.org, Vkasse.com, Fap247.com, Fckn.tv, Coraladnetwork.com, Welconetwork.com, Vipps-nabp.net, Kerbconsult.com, Ad-amazing.com, Hyipjurists.com, Imperialex.com, Kolosolutions.com, Newtonad.com, Livebroad.com, Maskbrown.com, Labteh-td.com, Labteh-td.ru, Scriptmafia.org, Ulgsm.net, Vpnshield.net, Nlkoddos.com, Legion-x.com, Hababam.biz, Download--limewire.com, New-limewire-2010.com, Jaamerp.com, Hyip-status.net, Hyipcourt.com, Y-action.com, Yahooaction.com, Yahooaction.net, Yahooaction.org, Bahtimos.com, Hababam.org, Letsvisittrabzon.com, Gratt.net, Abpp.biz, Actpopcorn.com, Adle.info, Aint.biz, Cozzle.com, Fbpnet.com, Forexbotpro.com, Freehondakybs.com, Generationxinvestment.com, Genxclub.com, Hyipalert.com, Hyiptrainwreck.com, Iwwleads.com, Make200bucks.com, Make30bucks.com, Someguyslife.com, Stainlesstoaster.info, Unitedforexfund.com, Woodrefinishing.us, Worldroi.com, Stevehell.com, Childrenofchile.org, Media-beau.com, Intercomm2.com, Intercommweb.com, Intercomp2.com, Lciinternational.com, Mysteryshopnet.com, Veritybuilding.com, Veritybuildingco.com, Bstbuilding.com, Bstbuildingco.com, Netxs.sc, Silverblue.cc, W00h00.nl, Woohoo.nl, Cumhitz.com.


Domains in the IP range 94.102.55.% that should be treated with extreme caution (especially if they are selling advertising) include the following:

Innovyxinc.com, 4revenuegroup.com, Lacekgroup.com, Flamingonetwork.com, Mindadsint.com, Sunnnysidemedia.com, Red-ads.com, Calinet.info, Casey-computing.com, Casey-consulting.com, Adrenalinepoker.com, Adrenalinepoker.net, Teamvisionz.com, Gamekeys.us, Pleasehack.me, Embedsports.com, Ichuj.be, Bassline-nation.info, Ultimate-shoutcasts.com, Iafst.ir, Mobilestanshop.net, Optical-digital-camera.info, Alasebook.com, Thehappywalrus.org, Nacoobags.com, Cheapgoogleshop.com, Cheapgooglestore.com, Nfljerseysky.com, Packyours01.com, Porn99.info, Transientattack.com, Proebook.net, Icctv.info, Hqsports.info, Cn-puma.com, Discount-puma.com, Picksheepskinboot.com, Sunglasseshats.com, Usapuma.com, A-puma.com, Productsfrominternet.com, Sell-replicawatch.com, Jerseyinus.com, Tigersupermall.com, Serverorigin.nl, Feelshock.com, Dexingzy.com, Chinahandbagssupplier.com, Cn-jersey.com, Webcheapshop.com, Edhardyretail.com, Replicachinese.com, Edhardyshipping.com, Discountrosetta-stone.com, Rosetstones.com, Edhardystock.com, Edhardysuppliers.com, Gemreplica.com, Gemswiss.com, Embedtv.in, Wsm.co.in, Youngnnmodels.biz, Mobilereplicas.com, Tec-cart.com, Watchandbag.com, Sale-ugg.co.uk, Madden-leagues.com, Pllug.com, Ftaboys.com, Softtorrents.net, 7buae.info, Alkhaja-style.com

Posted by sandi with no comments

ALERT: Please treat content from adamazing.com with extreme caution

Brought to light via a comment on this blog.

adamazing.com
ICANN Registrar: Nameking.com
Created 19 April 2010

Current IP: 208.73.210.28

Registrant: "Oversee Research and Development, LLC" (admin@overseedomainmanagement.com)

Domain is currently "parked", but previously was hosted at IP 69.64.155.14 (Enom Incorporated).

A cached copy of adamazing.com contains code that eventually leads us to this URL - proceed with caution:

dsnextgen.com/?domainname=adamazing.com&a_id=101687

Posted by sandi with no comments

Malvertizing at Tweetmeme (again)


You may recall that Wayne Small of SBSFAQ contacted me to warn that there was malvertizing at tweetmeme back in December 2009 – well, tweetmeme have a problem again.

This time I see no OpenX. Instead, we bounce from ads.tweetmeme.com to y5-media.com, to 173.244.173.133, to www3. luckfind42td.in and then to www2. guardhere5.in (thanks to Kimberley for the heads up).

y5-media.com
ICANN Registrar: EVOPLUS LTD
Created 7 June 2010

IP: 178.162.133.226 - Netdirekt E.K

Registrant hidden behind evoprivacy.com

*****

173.244.173.133 - Enet Inc (85.ad.f4.static.xlhost.com)

*****

luckfind42td.in
ICANN Registrar: DIRECTI
Created 13 July 2010

Registrant: Kooken Garritt (gkook@checkjemail.nl) -- That email address is associated with 2,939 domains!

*****

guardhere5.in
ICANN Registrar: DIRECTI
Created 14 July 2010

Registrant: Kooken Garritt (gkook@checkjemail.nl)

*****

Also seen:

wareforyou10.in
ICANN Registrar: DIRECTI
Created 14 July 2010

Registrant: Kooken Garritt (gook@checkjemail.nl)

*****

206.217.206.111 - Providence Hosting Services - noptr.midphase.com

178.162.133.218 - Netdirekt E.k


Posted by sandi with 2 comment(s)

Innovative Marketing - slowly the old domains fall away

I still keep an eye on known Innovative Marketing pseudonyms; information continues to trickle in about domains that they have registered in the past.

Old bad domains have been expiring, and sometimes the protection of services such as Moniker Privacy Services falls away.

For example, on 24 May 2010 the domains tolerli.com and vollende.com lost the protection of Moniker Privacy Services, exposing their Registrant as "Helen Nikolson", helen.nikolson@gmail.com. A few days before that the registrant details for ausgebl.com were also exposed.

That being said, sometimes it goes the other way. codeconline.com, for example, used to be registered to "noo" (aka the infamous Serg Moons). That domain's registrant details are now hidden behind whoisservices.cn and its current domain details are as follows:

codeconline.com
ICANN Registrar: BIZCN.COM, INC (previously tucows and enom)
Created: 8 June 2010

IP: 194.8.251.162 - Paraguay - Donstroy.Ltd

Sharing IP with codecmicrosoft.com, maremot.com, missing-codecs.com, missing-codecs.net, missing-codecs.org, moviemoto.org, video-files.org, vidscentral.net - I think that we can assume that all of those domains should be treated with extreme caution.

codecmicrosoft.com is registered to a "Sean", domains@theraged.org
maremot.com is registered to a "Cliffad", domains@theraged.org
missing-codecs.com is registered to a "David Roberts", hansaprom@live.co.uk
missing-codecs.net is registered to a "David Roberts", hansaprom@live.co.uk
missing-codecs.org is registered to a "David Roberts", hansaprom@live.co.uk
moviemoto.org is registered to "Sean Cruz", domains@theraged.org
video-files.org is registered to a "Ben Born", "born.ben28@yahoo.com"
vidscentral.net is hidden behind privacypost.com
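The same pivot is applied by hand throughout these posts: a domain that shares a /24 with a known-bad domain (the ad-amazing.com group at 93.174.92.x, the codeconline.com group at 194.8.251.162) or shares its registrant e-mail address (gkook@checkjemail.nl in the Tweetmeme post) inherits suspicion. The following is an added example, not code from the original posts, that automates that reasoning as a connected-components problem over the WHOIS and hosting data quoted above. The registrar is deliberately not used as a pivot; one constructed control record (`unrelated-shop.example`) is included to show that unrelated domains stay out of the cluster.

```python
"""Pivot from known-bad domains through shared hosting and shared registrants.

Added example, not code from the original posts. It automates the reasoning the
posts apply by hand: a domain in the same /24 as a known-bad domain, or one that
shares its registrant e-mail address, inherits suspicion. The registrar is
deliberately not a pivot: BIZCN.COM, like any large registrar, has far too many
legitimate customers for that alone to mean anything.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

Key = Tuple[str, str]


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    ip: Optional[str]                # current or last-known A record, if any
    registrant_email: Optional[str]  # None when hidden by a privacy service


def pivot_keys(rec: WhoisRecord) -> List[Key]:
    """Features a record can be linked on: its /24 and its registrant e-mail."""
    keys: List[Key] = []
    if rec.ip:
        keys.append(("net", str(ip_network(f"{rec.ip}/24", strict=False))))
    if rec.registrant_email:
        keys.append(("email", rec.registrant_email.lower()))
    return keys


def shared_keys(a: WhoisRecord, b: WhoisRecord) -> Set[Key]:
    """Direct links between two records (empty set means no direct link)."""
    return set(pivot_keys(a)) & set(pivot_keys(b))


class UnionFind:
    """Minimal disjoint-set forest keyed by domain name."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_from_seeds(records: Iterable[WhoisRecord], seeds: Iterable[str]) -> Set[str]:
    """Every domain reachable from the seeds through a chain of shared pivot keys."""
    records = list(records)
    uf = UnionFind()
    by_key: Dict[Key, List[str]] = defaultdict(list)
    for rec in records:
        uf.find(rec.domain)  # register even isolated domains
        for key in pivot_keys(rec):
            by_key[key].append(rec.domain)
    for domains in by_key.values():
        for other in domains[1:]:
            uf.union(domains[0], other)
    seed_roots = {uf.find(s) for s in seeds}
    return {rec.domain for rec in records if uf.find(rec.domain) in seed_roots}


# WHOIS and hosting data as quoted in the posts above. ptsupport.info is shown
# at its last-known IP; codeconline.com and vidscentral.net have hidden registrants.
RECORDS = [
    WhoisRecord("ad-amazing.com", "93.174.92.188", "dns@ad-amazing.com"),
    WhoisRecord("kerbconsult.com", "93.174.92.187", "it@kerbconsult.com"),
    WhoisRecord("newtonad.com", "93.174.92.198", "newtonad@registar.com"),
    WhoisRecord("kolosolutions.com", "93.174.92.197", "it@kolosolutions.com"),
    WhoisRecord("ptsupport.info", "93.174.92.187", None),
    WhoisRecord("red-ads.com", "94.102.55.110", "domains@red-ads.com"),
    WhoisRecord("flamingonetwork.com", "94.102.55.105", "registar@flamingonetwork.com"),
    WhoisRecord("mindadsint.com", "94.102.55.107", "registar@mindadsint.com"),
    WhoisRecord("codeconline.com", "194.8.251.162", None),
    WhoisRecord("codecmicrosoft.com", "194.8.251.162", "domains@theraged.org"),
    WhoisRecord("maremot.com", "194.8.251.162", "domains@theraged.org"),
    WhoisRecord("missing-codecs.com", "194.8.251.162", "hansaprom@live.co.uk"),
    WhoisRecord("moviemoto.org", "194.8.251.162", "domains@theraged.org"),
    WhoisRecord("video-files.org", "194.8.251.162", "born.ben28@yahoo.com"),
    WhoisRecord("vidscentral.net", "194.8.251.162", None),
    WhoisRecord("luckfind42td.in", None, "gkook@checkjemail.nl"),   # no IP, e-mail only
    WhoisRecord("guardhere5.in", None, "gkook@checkjemail.nl"),
    # Constructed control record: unrelated hosting, unrelated registrant.
    WhoisRecord("unrelated-shop.example", "198.51.100.7", "owner@unrelated-shop.example"),
]
RECORDS_BY_DOMAIN = {r.domain: r for r in RECORDS}

if __name__ == "__main__":
    for seed in ("ad-amazing.com", "codeconline.com", "luckfind42td.in"):
        print(seed, "->", sorted(cluster_from_seeds(RECORDS, {seed})))
```

A shared /24 is the weaker of the two signals: on ordinary shared hosting it will pull in bystanders, so treat a net-only link as a reason to look closer rather than to block, while a shared registrant e-mail address across unrelated-looking names is much harder to explain away. Relationships asserted only in prose, such as one company naming another as a referee, are not hosting facts and are kept out of the model.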

Posted by sandi with 1 comment(s)

A quick update regarding James Reno

In what I can only describe as a display of optimism, Reno has hired an attorney and entered a plea of "not guilty" to all counts of the indictment filed by the Special March 2010 Grand Jury which charged him, Bjorn Daniel Sundin and Shaileshkumar P Jain (aka Sam Jain) with one count of computer fraud and conspiracy to commit computer fraud. Bond has been set in the amount of $10,000.

Details of the indictment are here:
http://msmvps.com/blogs/spywaresucks/archive/2010/05/31/1770693.aspx

The conditions of Reno's release, and his financial affidavit, have been sealed.

Oh, and while we’re on the topic of Reno’s woes, I’ll take the chance to let everybody know that a Consent Motion to stay proceedings for 60 days to allow the FTC to pursue settlement with Mark D'Souza and Maurice D'Souza was filed in the FTC versus Innovative Marketing action on 27 May 2010 and granted the same day.

Sam Jain's girlfriend, Kristy Ross, is not a party to the motion, but also does not object.

A settlement with Mark and Maurice D'Souza has been reached, in principle, but because the settlement requires the D'Souzas to get their hands on funds that "are not immediately available" (how much, I don't know) the D'Souzas and the FTC agreed to the 60-day stay.

Hopefully we'll know more by the end of this month...

Posted by sandi with no comments