Spyware Sucks : Security, safety and privacy on the Internet

ALERT: Adobe Flash and Air have been updated

sandi — Wed, 09 Dec 2009 02:11:28 GMT

Security updates have been released – details here:
http://www.adobe.com/support/security/bulletins/apsb09-19.html

After updating your Flash version should be 10.0.42.34 and your Air version should be 1.5.3

A frightening tale of computer infection and its consequences

sandi — Wed, 29 Apr 2009 13:22:44 GMT

“It all started when I wanted to get more performance out of my video card. I download the latest drivers and included this virus.”

Yep, that one simple act turned into an infection nightmare lasting three weeks. I’m hoping Micky will work out exactly where he got the drivers from, and let us know (as well as warning whoever it is that is distributing the infected drivers.

The entire sorry tale is at www mickyj com / blog htm (link deliberately broken because I'm not sure that I want anybody going there yet).

To save you from the need to visit, I'll copy Micky's tale of woe verbatim. Micky’s message to everybody is “Make sure to point out that no matter how cluey you are with IT (I have 20 years experience) these things are getting nasty.”

Reproduced with permission.

“Where have I been for almost 3 weeks? - 26 April 2009 - mickeyj.com

Virux/Virut
Keywords: PE_VIRUX.E-2, PE_VIRUX.C-2, Win32/Virut, Cryp_Virux, W32.Virut, PE_VIRUX.G-1, PE_VIRUX.F

... Offline. I am lucky enough to be one of the two people in Australia/New Zealand to have been infected with a rare strain of the Virux/Virut virus on my home PC. This is according to Trend Micro's Statistics. If you get this virus, be very afraid. It infected every EXE, SCR, DLL, HTM, HTML, ASPX file (And more). It copied itself to every USB device including my Camera flash cards and USB keys. It infected my Outlook email signatures (So I need to contact people I have emailed), Outlook stationary and more. I started seeing a pattern where infected executable files were about 20 kb larger than the originals and my internet would slow down (Due to incoming IRC connections). It was almost impossible to beat.

If I am like you, I have a whole heap of downloads on my PC that contains all my setup files. That included service packs, video drivers, scanner and printer drivers. All were infected. As I tried to reinstall my hardware I got reinfected. If I plugged in a memory card, I got reinfected. I even found the virus on my media centre and Xbox shared folders. It got everywhere. (Even played with my firmware on my router).

It all started when I wanted to get more performance out of my video card. I download the latest drivers and included this virus.

I reinstalled Windows XP Pro and all my additions at least 20 times between 26/3/09 - 16/4/09 before I finally got online again. I know this as I can no longer activate my Microsoft software. I have exceeded the install number allowed for a retail version of the product.

I got to the point of throwing out USB keys and starting to install everything fresh, from fresh downloads. Finally, I have myself back up and running (Minus all my data). Both AVG and Trend Micro could not protect me from reinfection. The virus is encrypted. It hides in space within exe files and nothing can detect is due to the encryption. Trend Micro etc can only detect it once the "exe" has started modifying other files. It happens so fast and Trend Micro and others can't clean it. I think I had 50 infections per second once the virus broke free. The virus targets all files in C:\Windows and C:\Windows\System32 first so basically, Windows becomes one big virus. It becomes especially hard to handle when AVG and Trend Micro start quarantining the virus, removing essential Windows files out of your system so ... Your system can't reboot. I also had the virus in system restore so the OS was completely tainted.

I got to the point where as soon as Trend or AVG triggered, I pressed the workstations reset button, shoved in my XP disk and started reformatting. I think my earlier mistake was trying to clean the virus. The more I tried, the more I got infected. I tried the Symantec removal tools and many others. They all did not deal with this particular strain of the virus.

If you see this virus, run away. Be very, very afraid. Format your PC. Get your files back from backups. Don't trust any files off your old system as the virus is encrypted and could be in any file. Certainly antivirus can detect this virus when it starts running, but by then, it is too late.

The virus detected was:
PE_VIRUX.E-2
PE_VIRUX.C-2
Win32/Virut
Cryp_Virux
W32.Virut
PE_VIRUX.G-1
PE_VIRUX.F

The virus downloaded and installed the following strains:
Virus.Virut.r
W32.Virut.CF
W32/Virut.n
PE_VIRUT.BO.
TROJ_VIRUX.A.

It also downloaded:
TROJ_AGENT.CHB
TROJ_MAILBOT.CN
TROJ_SMALL.NAX
TROJ_AGENT.ZNH

Google blocked my website
Keywords: Google, Website, Harm, iFrame

.. And rightly so. I have been hacked. It has been a shocking month for me thus far. My home PC covered in Viruses for the first half of the month, 1 week to breath and then my website hacked in the second half of the month.

When you Google mickyj.com you get a result that lists "This site may harm your computer" under my website. When you click the link for my website, you get a google page warning viewers not to go to my website. Obviously I wanted to find out more so I downloaded the code for my website and found 4 iFrame infections had been injected into the code.

I contacted Google Support through their help system, after fixing my website. It took a little bit to explain to them what I found, how I had cleaned it all and how the infection had likely occurred, then they "verified" and "reviewed" my website and it is up again in all it's glory. Thanks Google Guys. You were awesome. I was unable to request verification of my website through the web interface as my Domain name holder has some restrictions in place that I could not get around. The Google guys understood this and did an awesome job helping me through their help system. I can't stress enough how fantastic these guys were. Especially Johnathon at Google. you guys rock.

Website up and running, safe again on the 25th April.

New Wrinkle
Keywords: Twitter, Suspended

Twitter have blocked me for suspicious activity. 26th April Twitter suspended my account. What ?? I hope that this is related to the virus I had earlier and can be easily explained and then unblocked. This has not been a good month.

Maybe things will be better tomorrow as it is my Birthday !”

For what its worth Micky, Happy Birthday!

And… change all your passwords!

ALERT: Please treat the domain statisticsishere.com and measurehits.com with extreme caution

sandi — Mon, 09 Mar 2009 01:04:03 GMT

I received this email a short while ago:

“We have been getting a lot of ads accessing scripts from this domain statisticsishere.com. So far there is no malware redirect or download but this domain looks suspicious having been created less than a week.”

I have to agree that the domain is suspicious.

Before we get started, it is important that I remind you that the fact that there is no suspicious behavior *at the moment* is of no comfort. The crooks behind malvertizing have been known to establish a relationship with potential victims by running one or more “clean” campaigns, thereby building a level of trust between them and their victims, before hitting their victims with malvertizing.

Let’s look at the WHOIS information for statisticsishere.com:

ICANN Registrar: YESNIC CO. LTD.
Created: 5 March 2009
NS1.STATISTICSISHERE.COM - IP 116.50.15.1 (HostFresh)
NS2.STATISTICSISHERE.COM - IP 116.50.15.1 (HostFresh)
NS3.STATISTICSISHERE.COM - IP 89.149.226.121 (Netdirekt)

IP: 195.62.37.14 - Sardegna, Olbia, Geonic.net Ltd

Registrant:
Gabriel Jenks (gabrielcjenks17@mail.com)
3515 Cooks Mine Road
88101
US
Tel: 1 505-763-5453

First of all, HostFresh and Netdirekt have both been problematic in the past but, more importantly, the postcode (88101) and phone number (505-763-5453) map to Clovis, New Mexico. I cannot find a "Cooks Mine Road" in Clovis. Not only that, the phone number listed in the WHOIS is apparently owned by a Brian A Jones and Delinda K Jones, not a Gabriel Jenks.

Now, let’s look at the NS for the domain statisticsishere.com:

IP of NS1.STATISTICSISHERE.COM - 116.50.15.1
IP of NS2.STATISTICSISHERE.COM - 116.50.15.1

Hostnames sharing IP with A Records - you will see some very familiar domains....

mail.xxx-online.in
ns2.02sta.com
ns2.admediastats.com
ns2.onlinestatsmanager.com
ns2.promorotation.com
ns2.securityclick.net
ns2.st-athome.net
ns2.st-aticglobalsources.com
ns2.statisticsishere.com
ns2.themonitoring.net
ns2.traffic-analytics.com
ns2.waytotheprofit.com
www.xxx-online.in

Domains using NS1.STATISTICSISHERE.COM as nameserver: statisticsishere.com

Domains using NS1.STATISTICSISHERE.COM as nameserver under another name (again, you're going to see some familiar names):

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Nameservers missing in zone:

ns1.statisticsishere.com
ns2.statisticsishere.com
ns3.statisticsishere.com

Used as nameserver but missing in zone: statisticsishere.com

*****

IP of NS3.STATISTICSISHERE.COM - 89.149.226.121

PTRS of IP numbers: 89-149-226-121.internetserviceteam.com

Hostnames sharing IP with A Records (again, lots of familiar names):

89-149-226-121.internetserviceteam.com
ns3.02sta.com
ns3.admediastats.com
ns3.promorotation.com
ns3.securityclick.net
ns3.st-athome.net
ns3.st-aticglobalsources.com
ns3.themonitoring.net
ns3.traffic-analytics.com
ns3.waytotheprofit.com

Domains using this as nameserver: statisticsishere.com

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Nameservers missing in zone:

ns1.statisticsishere.com
ns2.statisticsishere.com
ns3.statisticsishere.com

Used as nameserver but missing in zone: statisticsishere.com

*****

According to a Registrant search, “Gabriel Jenks” owns another domain, being measurehits.com, which should also be treated with extreme caution.

ICANN Registrar: YESNIC CO. LTD.
Created: 26 February 2009

NS1.MEASUREHITS.COM (116.50.15.1)
NS2.MEASUREHITS.COM (89.149.226.121

IP: 212.117.165.128 - Luxembourg, Root Esolutions

Registrant:
Gabriel Jenks (gabrielcjenks17@mail.com)
3515 Cooks Mine Road
88101
US
Tel: 1 505-763-5453

Shares IP address with the following domains, all of which should be treated with extreme caution.

advertpanda.com, clickanalytic.com, extrabigad.com, greatad.net, securityclick.net, waytotheprofit.com, whoisadvert.com

NS1.MEASUREHITS.COM

Hostnames sharing IP with A-Records:

mail.xxx-online.in
ns1.statisticsishere.com
ns2.02sta.com
ns2.admediastats.com
ns2.onlinestatsmanager.com
ns2.promorotation.com
ns2.securityclick.net
ns2.st-athome.net
ns2.st-aticglobalsources.com
ns2.statisticsishere.com
ns2.themonitoring.net
ns2.traffic-analytics.com
ns2.waytotheprofit.com
www.xxx-online.in

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

NS2.MEASUREHITS.COM

PTRS of IP numbers - 89-149-226-121.internetserviceteam.com

Hostnames sharing IP with A-Records:

89-149-226-121.internetserviceteam.com
ns3.02sta.com
ns3.admediastats.com
ns3.promorotation.com
ns3.securityclick.net
ns3.st-athome.net
ns3.st-aticglobalsources.com
ns3.statisticsishere.com
ns3.themonitoring.net
ns3.traffic-analytics.com
ns3.waytotheprofit.com

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Did you know that it is National Zombie Awareness Week in Australia?

sandi — Thu, 05 Mar 2009 06:04:39 GMT

I didn’t …

http://www.iia.net.au/index.php/zombieweek.html

Now this is scary…. :(

sandi — Sat, 28 Feb 2009 19:37:49 GMT

We can only hope that the following was a joke – if not, the implications are very worrying…

“Our computers at the hospital are crashing all the time now. There are so many extra programs, virus and outdated programs running that the operating system is unable to handle them. Their power supplies can not handle all the extra hardware that is plugged in to them. Being a surgeon, I wanted to to fix them by operating on them. I wanted to debride all the devitalized and parasitic stuff like viruses and spyware; delete all the outdated programs that suck up memory and cpu; amputate all the un-needed hardware and then cleanse the operating systems by refreshing them to the earliest point at which they seemed to work.

I was out voted, We are going to use Obama tech support. We are going to tell the computer that it has more vitual {sic} memory than it really has, add hundreds of new programs to further tie up the cpu, ignore all the viruses and spyware that clog up the whole system and lastly we will get rid of any backups.”

Seen at Throckmorton’s other signs.

Interesting comment – Best Western malvertizing

sandi — Thu, 26 Feb 2009 15:46:17 GMT

The comment was posted here. I quote:

“My company was approached by a client claiming to represent Best Western with a lower tech version of this. We were give a static JPG, third one from the top and instructions to paste some odd-looking Javascript with the image.

I ran the code in AddOps tools and it did nothing. Getting suspicious I checked the src URL for the Javascript which was "http:// st-aticglobalsources.com" and found a lot of trouble associated with it.

We refused to run the ad with the code. Client claimed ignorance saying code came from their client and would provide new tags. New tags arrived, similar to the first but sourcing the J-script from "http:// st-ation-appraisals.net" this time. Running this code through AdOps tools at least generates a Best Western banner, but I ran the URL through search engines, found associated with ITmeter INC, and did not run the ad.”

As my regular readers will know, both of the URLs are well known to those of us who study malvertizing. I hope that the commentator will tell us the name and email addresses used by the person who tried to sell them the malicious advertisement.

st-aticglobalsources.com (79.135.187.86 - Istanbul - Istanbul - Serv2u.com International Backbone Tr)

Registrant Contact:
   ITmeter INC
   Sergey Belonozhko (sergbelo@gmail.com)
   Fax:
   Dmitrienko 7
   Odessa, State 65000
   UA

st-ation-appraisals.net (79.135.187.89 - Istanbul - Istanbul - Serv2u.com International Backbone Tr)

Registrant Contact:
   ITmeter INC
   Sergey Belonozhko (sergbelo@gmail.com)
   Fax:
   Dmitrienko 7
   Odessa, State 65000
   UA

It is important to note that although both bad domains have “dedicated hosting” and unique IP addresses, they are both hosted by the same company, and are within the same IP range. A check of the entire IP range, 79.135.187.% reveals 266 domains, all of which should be treated with extreme caution.

Please do NOT advise your users to turn off automatic updates because of one problem update

sandi — Sat, 14 Feb 2009 05:24:00 GMT

The latest “Rollup for ActiveX Killbits for Windows” (KB960715) is causing problems for some third party applications that are dependent on the disabled controls.

One application that has problems, “Office Tools Professional”, is advising its users to not only uninstall the Killbit patch (thereby restoring the broken functionality), but also to “turn off automatic updates”. Please do not turn off automatic updates. Simply uninstall the problem patch.

Office Tools Professional is wrong to tell its customers to “turn off automatic updates” just because *their* program has been negatively impacted by *one* patch. Yes, they should tell their customers warn them of the problem and to uninstall 960715 until OTP has been updated to resolve the problem - yes they should put an alert up on their support site and a new article in their Knowledge Base about the issue – BUT THEY SHOULD ALSO tell their clients to read the relevant Security Advisory so that their clients understand what they are doing, are aware of the impact that removing the update will have, and are aware of any available workarounds that can be used in place of the patch. They should also make sure to tell their clients that if they “turn off automatic updates” they may be exposed to elevated risk because future security updates will not be installed unless their clients remember to go out and get them manually.

I can understand that OTP may be worried that users who have set their systems to automatically download and install patches may be impacted again next month, but there is no reason why they cannot supply step by step instructions to their customers to show them how to change their patching protocols to “download but do not install” and then selectively install all but the problem patch.

What happens to their customers next month if/when the next round of security patches come out if automatic updates has been turned off completely? What if there is a patch for a show-stopper security vulnerability that is actively being exploited? What if their clients don’t install *that* patch because of OTP’s advice, and they then get hit by a nasty? Historically, I have seen plenty of software companies tell customers to “turn off automatic updates” when a problem with a particular patch is discovered that affects their software, but I cannot remember a single time when the same company has sent out another email later saying “ok, problem fixed, turn AU back on again”. Nor have I seen software companies send out emails to say “we told you to turn off AU last month; please make sure you manually download and install this months patches but don’t install patch X”.

Lifestyles of the Rich and Infamous, and an update about the status of the FTC versus Innovative Marketing et al lawsuit

sandi — Tue, 10 Feb 2009 08:42:48 GMT

I'll include some history of events so that you can get a sense of perspective with regards to the time frame around these events. It is especially important to note that the FTC lawsuit is not the only problem that Jain is facing. He has been indicted in the State of California and is facing several criminal charges there, and there are pending charges against him in Illinois. Events relevant to the California criminal charges and the Illinois investigation are highlighted.

You’ll see that the lifestyle enjoyed by Kristy Ross as revealed by her credit card statements was nothing if not lavish.

Defendants Kristy Ross and Sam Jain (who were (are?) boyfriend and girlfriend):

26 March 2008 - US District Court, San Jose, California: USA v Shaileshkumar Jain - four counts being criminal copyright infringement, trafficking in counterfeit goods, wire fraud and mail fraud (for activities that took place in 2003) (CR-08-00197-HRL) (charges relate to events on 12 and 26 January and the sale of fake Symantec software). The Grand Jury indictment requests the forfeiture of "approximately $13,522,080 in United States currency or after acquired assets traceable thereto". Sam Jain's full name is Shaileshkumar Jain.

"late September" 2008 - Ted W Cassman (he and his firm Arguedas, Cassman & Headley LLP represent(ed) Jain in the ongoing California criminal proceedings and the ongoing investigation in Illinois) met with Assistant US Attorney and two agents of the FBI in Chicago, Illinois. The Assistant US Attorney "unequivocally stated that Mr Jain will be indicted for wire fraud and computer fraud charges as a result of the Illinois Investigation 'sooner rather than later.' " (cite: Declaration of Ted W Cassman dated 18 December 2008)

2 December 2008 - FTC requests and receives a temporary restraining order.

12 December 2008 - temporary restraining order expires. The defendants did not turn up in Court and they failed to comply with the TRO. Order to show cause issued.

17 December 2008 - appearances entered for Mark D'Souza and Sam Jain. Joint response to order to show cause filed by Jain and Ross, promising to "fully comply with the terms of the TRO and PI by 23 December 2008" Mark D'Souza also files a response, promising to comply with the requirements of the TRO and PI by 4.00pm on 23 December 2008.

18 December 2008 - Cassman declaration signed describing the events of "late September" 2008.

23 December 2008 - a letter was sent to FTC on 23 December by the law firm Patton Boggs explaining that Jain had no intention of complying with the Court orders because to do so "would require Jain to incriminate himself" (the letter stated that Jain "is the target of a criminal investigation in the Northern District of Illinois covering the same conduct as the Commission's suit" and claimed that Jain cannot take any steps in relation to the FTC lawsuit without "waiving his Fifth Amendment privilege and making admissions that could be used against him in the criminal case"). Kristy Ross made the same argument.

(Sandi note: bearing in mind the events of "late September" 2008 as described by Ted Cassman and detailed in his declaration signed 18 December 2008, why did Jain promise to "fully comply with the terms of the TRO and PI by 23 December 2008” – he must have known about the Illinois investigation and the possibility of criminal charges? I do not know if criminal charges have yet been laid in Illinois)

29 January 2009 - the FTC filed a "memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets". I quote:

"Defendant Ross, for example, spent the year 2008 visiting the world's finest resorts (including multiple visits to the Four Seasons Resort in Nevis, as well as the British Colonial Hilton in the Bahamas, enjoying extravagant meals (including multiple $800+ meals), and gorging herself on luxury items from the world's most exclusive retailers, including Harrods of London (nearly $30,000 spent in 2008), Louis Vuitton (more than $23,000 spent in 2008) and Dolce & Gabbana (more than $13,000 spent in 2008).

...

To date, despite extensive efforts, the FTC has been unable to locate a single dollar of domestic assets held by either Jain or Ross."

The above information was taken from credit card statements for Kristy Ross that were submitted to the FTC by JP Morgan Chase and BMW Bank of North America - the "extravagant meals" included a series of meals totaling over $500 as well as at least two meals totaling more than $800. The charges were incurred by Ross in locations all over the world including London, Toronto, Kiev, Brussels, Zurich, Nevis, Frankfurt and Montreal. Ross stopped using the credit cards in or about September 2008. (cite: declaration of Sheryl Drexler dated 29 January 2009)

Two credit card accounts held by Kristy Ross and a safe deposit box held by Sam Jain have been discovered but apart from that "after weeks of searching, the FTC has located only $174,000 of the defendants' assets. ... The bulk of these funds belong to James Reno. To date, the FTC has not located a single dollar of domestic assets held by either Jain or Ross." (cite: Plaintiff's memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets filed 29 January 2009)

According to documents filed in the Canadian litigation (the "Canadian litigation" being the lawsuit filed by Innovative Marketing against Marc D'Souza and Maurice D'Souza in the Ontario Superior Court of Justice), the defendants' income from the sale of their products between 2004-2006 totaled more than $74 million! (cite: Plaintiff's memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets filed 29 January 2009).

The FTC have requested that "this Court hold Jain and Ross in civil contempt, and order them incarcerated until such time as they comply with the PI...".

5 January 2009 - a completed Consent to Release of Financial Records form was finally received from Ross (the foreign account holders (ie overseas financial institutions) have not, as far as I know, supplied the requested information).

12 January 2009 - Jain failed to appear in court to face criminal charges (Criminal Minute Order, USA v Shaileshkumar Jain, CR-08-00197-RMW). Bench Warrant issued, and stayed until 26 January 2009.

14 January 2009 - a completed Consent to Release of Financial Records form was finally received from Jain (the foreign account holders (ie overseas financial institutions) have not, as far as I know, supplied the requested information).

26 January 2009 - Jain requests a stay of the FTC proceedings because of the criminal proceedings in the Northern District of Illinois, until the criminal proceedings are resolved.

26 January 2009 - Sam Jain became a fugitive after the Bench Warrant stay was lifted. Jain forfeited a $250,000 cash bond.

(Sandi note: Bearing in mind the fact that the FTC claims that Jain/Ross were able to achieve revenues in excess of $100 million, the amount of $250,000 would seem a small price to pay (even after taking into consideration the fact that Ross was going through money hand over fist in 2008).

29 January 2009 - Ross requests a stay of the FTC proceedings because of the criminal proceedings in the Northern District of Illinois, until the criminal proceedings are resolved.

5 February 2009 - Ross files a "Motion to Strike or, in the alternative, for extension of time to respond", moving for the Court to strike the FTC's motion for an order holding Jain and Ross in contempt of court and requiring repatriation of their assets "as premature and procedurally improper".

5 February 2009 - Jain joins Ross's motion to strike

(Sandi note: Isn't it interesting that Jain, who has been a fugitive since 26 January 2009 and whose whereabouts are apparently unknown (see FTC document filed 9 January 2009), was able to join Kristy Ross's Motion to Strike on 5 February 2009?).

9 January 2009 - The FTC opposed the Motion to Strike, filing a "consolidated opposition to motion of defendants Kristy Ross and Sam Jain to strike or in the alternative for an extension of time" on 9 January 2009. The FTC notes in that document that "to allow these defendants to flaunt the Court's orders, and then escape the consequences of these actions by pointing to a possible criminal proceeding, would set bad precedent and invite similar conduct from future defendants.".

The FTC document notes that Jain is a fugitive, and that his whereabouts are (were?) unknown.

Defendants: James Reno and Bytehosting Internet Services

Bytehosting/Reno are now represented. A further extension of time was granted, pushing out the deadline from 23 January to 30 January 2009.

Reno/Bytehosting then filed a Motion to dismiss for lack of personal jurisdiction (claiming the court has no jurisdiction) on 30 January 2009. Reno/Bytehosting claim to have been "merely under contract to provide services, namely technical support and a call center, to Defendant Innovative Marketing". It is also claimed that their "involvement with Innovative Marketing was limited to internal technical support and post-sale support for customers through a call center".

Reno swore an affidavit which basically says the same thing on 30 January 2009.

(Sandi note: Uh, yeah – where I come from being aware that something bad is going on via my business because of a rogue client and not doing anything about it is as bad as being the rogue client, and there’s no way Reno could NOT have known what Innovative Marketing et al were doing, especially after the Symantec lawsuit that Reno was a party to)

BTW, I have come across the name eFront a few times in association with Reno and Jain – a couple of comments have been posted referring to them ... would anybody like to share what they know about *that* story?
http://www.google.com/search?hl=en&q=efront+reno+jain (eFront CEO was Sam Jain, CTO was James Reno?) Why do I get the feeling that the association between Reno and Jain is more than the typical “arms length, he just walked in off the street, wouldn’t know him from Adam” client/supplier relationship?

Defendants: Daniel Sundin, Maurice D'Souza, Innovative Marketing Inc

These defendants are still unrepresented and silent in this action. Also, I have found no evidence that Innovative Marketing has paid any of the $8,000 per day fine that was imposed after it failed to comply with the Temporary Restraining Order.

Upcoming deadlines:

12 February 2009 (Response)
17 February 2009 (Response x3)
23 February 2009 (Response x2 and reply x1)

I just knew I'd find DIRECTI in there somewhere...

sandi — Mon, 02 Feb 2009 08:49:36 GMT

Sunbelt reports that there is a new fraudware domain, being ie-security.com.

Let's look at the domain details for ie-security.com:

ICANN Registrar: BIZCN.COM, Inc (a name that is appearing far too often in association with malware)
Date created: 22 January 2009
NS1.IE-SECURITY.COM
NS2.IE-SECURITY.COM

IP: 216.240.151.135 - Los Angeles, Atmlink Inc

Shares IP with magavidon.cn, secured-software-order.com, webfreescan.cn and windefender2009.cn

Registrant:

Nexton Limited
Sergey Ryabov (director@climbing-games.com)
+79219270961
Scherbakova st., 6-38
Saint-Petersburg 197375
RU

*****

Ok, the email address in the WHOIS (director@climbing-games.com) is interesting. Let's have a look at the domain climbing-games.com:

ICANN Registrar: DIRECTI
Created: 23 October 2007
NS5.PUBLIC-NS.COM
NS6.PUBLIC-NS.COM

IP: 66.230.161.250 - Brooklyn, Reality Check Network Corp

Registrant:

Sigurd s.r.o
Sergey (sigurd@adultinter.com)
Scherbakova st., 6-38
St-Petersburg
null, 197349
RU
Tel: +79219270961

As you can see, there are very similar WHOIS details.

*****

Ok, so what about adultinter.com?

ICANN Registrar: DIRECTI
Created: 22 January 2004
NS1.ADVANCEDHOSTERS.COM
NS2.ADVANCEDHOSTERS.COM

IP: 209.8.19.218 - Silver Spring - Beyond The Network America Inc

Shares IP with adult-gateway.com, adultbeerparty.com, alterinter.com, northvenice.ru

Registrant: Andrei Akalovich (sax@elitistclub.com)
ul. Zrzaveho 12/1083
Praha-6
null,16300
CZ
Tel: +42.0774532108

*****

Let's look at elitistclub.com:

ICANN Registrar: DIRECTI
Created: 25 January 2007
NS5.PUBLIC-NS.COM
NS6.PUBLIC-NS.COM

IP: 205.252.166.170 - Washington, Beyond The Network America Inc

Registrant: Andrei Akalovich (sax@elitistclub.com)
ul. Zrzaveho 12/1083
Praha-6
null,16300
CZ
Tel: +42.0774532108

*****************************************************************************************

We find DIRECTI again when we take a look at another domain reported on Sunbelt, being total-defender.com.

The (now defunct?) total-defender.com (registered via ENOM INC) is listed at IP address 94.247.2.41 (the domain is currently not resolving), and that IP address is (was) shared with just two other domains, being webfreefind.com and rusexportal.com.

webfreefind.com (status ACTIVE)
ICANN Registrar: DIRECTI
Created 5 May 2006

NS1.TOTAL-DEFENDER.COM <--- !!! (there is no denying an association now)
NS2.TOTAL-DEFENDER.COM

Registrant: DiabloCompany (info@gangstabros.com)
Garvand 2-10
Oklahoma
null,655158
ES
Tel: +91.2228797504

*****

rusexportal.com (status: ACTIVE)
ICANN Registrar: DIRECTI
Created 19 October 2008

NS1.REG.RU
NS2.REG.RU

Registrant: Pavel Antonov (petra-nova@yandex.ru)
Pyatnitskaya, 10, 4
Moska, 148952
Tel: +7 495 0000000

*****

gangstabros.com (status: ACTIVE)
ICANN Registrar: DIRECTI
Created 14 February 2006

NS1.GANGSTABROS.COM
NS2.GANGSTABROS.COM

Registrant: Yura Inc
Yuriy Vasilyev (diablo@divaporn.com)
Yubileynaya 2-10
Chernogorsk
Khakasia,655158
RU
Tel: +7.9061905092

(What a coincidence, gangstabros.com and webfreefind.com both have street number "2-10", both use the same code "655158" despite being, apparently, in different countries! Methinks all three domains could be reported to ICANN for fake WHOIS information (what do you think the chances are that the phone number for rusexportal.com is legitimate?)

More information about Olympic Media shenanigans

sandi — Mon, 02 Feb 2009 07:54:48 GMT

Ok, when the hijack triggered via the Olympic Media supplied javascript URL that I mentioned in my previous article triggers successfully we hit:

admediastats.com/ts/in.cgi?{{redacted}}

From there we end up at sg12scanner.com/{{redacted}}

From there to dlsg09.com/sysgd09/install.php?track_id={{redacted}}

Javascript in use:

sg12scanner.com/js/jquery-1.2.5.pack.js
sg12scanner.com/js/jquery.timers.js (just for fun I will point out that that the JS contains the comment "Yeah this is major overkill...")
sg12scanner.com/js/file_names.js

Installer URL: 89.149.236.86/sysgd09/install.php?track_id={{redacted}}

Tries to download "SystemGuard2009.exe"

admediastats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 4 January 2009

ns1.admediastats.com - 91.211.64.71 - Russian Federation Ural Industrial Limited Company
ns2.admediastats.com - 116.50.15.1 - Hong Kong Hostfresh
ns3.admediastats.com - 89.146.226.121 - Germany De-nic
ns4.admediastats.com - 212.117.162.90 - Luxembourg Root Esolutions

IP: 84.243.252.179 - Berlin, Gfx-cust-worldstream

Registrant: WhoisGuard Protected

*****

sg12scanner.com
ICANN Registrar: REGTIME LTD
Created 14 January 2009
NS1.DLDNSSG09.COM
NS2.DLDNSSG09.COM

IP: 78.26.179.253 - Odessa, Renome-service: Joint Multimedia Cable Network

Shares IP with Dldnssg09.com, Dlsg09.com, Dlsgd2.com, Dlsgd3.com, Gbpings.com, Getsg09.com, Getsgd2.com, Getsgd3.com, Getsysgd09.com, Gosg09.com, Gosgd2.com, Gosgd3.com, Gosysgd09.com, Prdnssg09.com, Scannersg.com, Scansguard.com, Sg10scanner.com, Sg11scanner.com, Sg12scanner.com, Sg9scanner.com, Sgproduct.com, Sgproductm.com, Sgscanner.com, Sguardscan.com, Sgviralscan.com, Spywareguard2009.com, Spywareguard2009m.com, Systemguard2009.com and Systemguard2009m.com, all of which should be treated with extreme caution.

Registrant: Kire Serona (kiresl1540@yahoo.com) - owns 2 other domains
Ilichova 16, Ljubljana.

*****

dlsg09.com
ICANN Registrar: REGTIME LTD
Created 14 January 2009
NS1.DLDNSSG09.COM
NS2.DLDNSSG09.COM

IP: 78.26.179.253 - Odessa, Renome-service: Joint Multimedia Cable Network

Registrant: Damir Sbil (damirsbils791@gmail.com) - owns 6 other domains
Tavcarjeva 109, Skofja vas.

*****

89.149.236.86 - China Gibibits-Ltd (89-149-236-86.internetserviceteam.com - Netdirekt). Known spam IP.

Olympic Media are still active

sandi — Mon, 02 Feb 2009 05:50:25 GMT

I’ve warned about Olympic Media several times – they continue to be active.

The latest reports indicate they are claiming to be operating out of Canada and are supplying javascript code referring to admin.securityclick.net as follows:

Other domains being used are onlinepromostats.com and admediastats.com.

This type of trickery, supplying javascript pointing to malicious domains under the control of the fraudsters, is becoming more and more common. From there, the bad guys control who does (or does not) see malicious code (see this blog entry for an example).

And, they still haven’t fixed their site typos :)

securityclick.net (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 25 March 2008

NS1.SECURITYCLICK.NET - 208.79.82.50 - Tranquil Hosting
NS2.SECURITYCLICK.NET - 208.79.82.66 - Tranquil Hosting
NS3.SECURITYCLICK.NET - 77.73.98.2 - Belgium Nucleus Bvba
NS4.SECURITYCLICK.NET - 77.73.98.4 - Belgium Nucleus Bvba
NS5.SECURITYCLICK.NET - 89.149.244.29 - Germany Netdirekt E.k (internetserviceteam.com)
NS6.SECURITYCLICK.NET - 217.20.116.59 - Germany Netdirekt E.k (finnzi.com)
NS7.SECURITYCLICK.NET - 88.198.62.171 - Germany Hetzner-rz-nbg-net

IP: 76.74.249.30 - Virgin Islands, Soft.sol.inc

Registrant contact:
Serg Moons (moon.serg@gmail.com)

Inaccurate WHOIS report submitted via ICANN on 27 January 2009

Sharing IP with adnetserver.com, adverlounge.com, beststatserver.com, bizadsonline.net, bizmarketads.com, greatad.net, iddqdmarketing.com, intervarioclick.com, invulnerableads.com, luckyadcoin.com, moneycometrue.com, statisticsmanager.com, statsreportserver.com, waytotheprofit.com and widestatsnow.com - all of these domains should be treated with extreme caution.

*****

onlinepromostats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 3 July 2008

NS1.ONLINEPROMOSTATS.COM - 208.79.82.50 - Tranquil Hosting
NS2.ONLINEPROMOSTATS.COM - 208.79.82.66 - Tranquil Hosting
NS3.ONLINEPROMOSTATS.COM - 77.73.98.2 - Belgium Nucleus Bvba
NS4.ONLINEPROMOSTATS.COM - 77.73.98.4 - Belgium Nucleus Bvba
NS5.ONLINEPROMOSTATS.COM - 89.149.244.29 - Germany Netdirekt E.k (internetserviceteam.com)
NS6.ONLINEPROMOSTATS.COM - 217.20.116.59 - Germany Netdirekt E.k (finnzi.com)
NS7.ONLINEPROMOSTATS.COM - 213.133.100.58 - Germany Hetzner-rz-nbg-net
NS8.ONLINEPROMOSTATS.COM - 88.198.62.172 - Germany Hetzner-rz-nbg-net

IP: 84.243.252.86 - Berlin, Gfx-cust-worldstream

Registrant: namecheap.com

*****

admediastats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 4 January 2009

IP: 84.243.252.179 - Berlin, Gfx-cust-worldstream

Registrant: WhoisGuard Protected

DIRECTI responds re inaccurate WHOIS complaint time frames

sandi — Tue, 27 Jan 2009 01:42:53 GMT

15 days, so they say:

My response?

“This is not good enough. The domains can be used to facilitate fraud for 15 days?

At the very least, posnerpromotion.com should have been isolated before now.

posnerpromotion.com redirects to posneradv.com, AND posneradv.com is displaying an alert warning that posnerpromotion.com is being used to impersonate posneradv.com. This alone is sufficient evidence to suspend posnerpromotion.com immediately for abuse, and I am surprised that as part of your inaccurate WHOIS investigations that you did not at least look at posneradv.com - you would have seen the alert if you had done so.

”

Just what does it take to get DIRECTI to take action?

Oh dear, oh dear, oh dear…

sandi — Mon, 26 Jan 2009 06:08:16 GMT

Its amazing what we find sometimes…

WARNING: I am assuming that my readers are smart enough to *NOT* visit the victim site, or the malicious URLs, without hefty protection in place, yes? In fact, don’t go there at all unless you are willing to reformat your computer, potentially without being able to back up your data (yes, some nasties out there are killing the ability to copy data to USB and whatnot). You have been warned!

I was taking a look at one of the recent SQL injection incidents the other day when I came across an interesting web site that had been affected (millerscitax.com). Here is a screenshot of an obvious problem:-

If we click on a “Read More” link, we see the following:-

So, anyway, being a good netizen ‘n’ all that, I decided to use the “Contact Us” page to warn the site owners that they had a problem (it should be noted that the News page is not hyperlinked as far as I can see – you need to know that it is there, and guess the URL, to find it). When I clicked on the “Submit” button on the “Contact Us” page, this is what I saw:-

<sigh> You would think that that is bad enough, yes? But, it gets even better (err, worse)… when we view the page source on the “Contact Us” page for the taxi site we find the following:

So, the next question is – why does the Millers City Taxis “Contact Us” page have code that references the gillibrand.co.uk web site? A potential explanation may be found in the fact that the Registrant for millerscitax.com is “eBusiness UK Ltd” (Capricorn House, Capricorn Park, Blakewater Road, Blackburn, Lancashire - 44.1254.279.998), and the fact that the “Web design” for gillibrand.co.uk is listed as having been completed by, you guessed it, eBusiness UK Ltd which lists its Lancashire address as Capricorn House, Capricorn Park, Blackburn, Lancashire - 01254.279.998.

Umm, oops.

DIRECTI finally agree to act

sandi — Thu, 22 Jan 2009 14:05:39 GMT

I sent an email to DIRECTI on the same day that I wrote this blog post:
http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx

The email said, essentially, the same thing that I said in that blog post.

As you can see, they have initiated a “whois inaccuracy complaint” against the domains quigley-simpson.net, hyundai-inc.com, mediavest-corp.com, posnerpromotion.com & singlesnet-inc.com.

Frankly, they should have taken such steps immediately upon receiving the impersonation complaint but at least they say they have taken action now.

It will be interesting to see what happens next, and how long it takes for something to happen.

By the way, there is something screwy about the date and time of the email. See the screenshot which shows that the displayed sent date and time of the email above is in the future!

DIRECTI responds to my complaint about the impersonation of domains/businesses

sandi — Wed, 21 Jan 2009 05:19:48 GMT

As you can see from their email, DIRECTI advise that they suspended prolinar.com on 19 January for “Inaccurate whois details”. It should be noted that I reported on 16 January that prolinar.com had already disappeared from its previous IP address, and not reappeared with a new IP. So, no kudos for DIRECTI - they suspended a domain that was already dead in the water.

Not only that – they state that “quigley-simpson.net” is “the legitimate website”. No, it is not – it is the fake site – it is quigleysimpson.com that is the legitimate site!!

The impersonating domains that I complained about in article 1661206 and to which DIRECTI refer have been registered using doubtful WHOIS details (and some have been caught trying to sell malvertizing by impersonating a legitimate business) therefore DIRECTI’s refusal to take action against the impersonating domains, unless the impersonated domains “file UDRP case at WIPO”, makes no sense.

My opinion is that DIRECTI should not refuse to act on complaints of impersonation until they receive notification of a “UDRP case at WIPO”.

I refer to these URLs:

http://www.icann.org/en/announcements/advisory-10may02.htm
http://www.icann.org/en/announcements/advisory-03apr03.htm

Note ICANN writes that:

“where a registrar encounters a severe Whois inaccuracy being exploited by a registrant to evade responsibility for fraudulent activity being carried out through use of the domain name, prompt action by the registrar is appropriate”

and…

"Once a registrar receives notification of an inaccuracy, Subsection 3.7.8 requires the registrar to take "reasonable steps" to investigate and correct the reported inaccuracy. The term "reasonable steps" is not defined within the agreement; precisely what constitutes reasonable steps to investigate and correct a reported inaccuracy will vary depending on the circumstances (e.g., accepting unverified "corrected" data from a registrant that has already deliberately provided incorrect data may not be appropriate). At a minimum, "reasonable steps" to investigate a reported inaccuracy should include promptly transmitting to the registrant the "inquiries" concerning the accuracy of the data that are suggested by RAA Subsection 3.7.7.2. The inquiries should be conducted by all commercially practicable means available to the registrar: by telephone, e-mail, and postal mail.”

and…

In summary, registrars have the right to cancel a registration if a customer fails to respond within 15 days to an inquiry concerning Whois data accuracy, but registrars also have flexibility to decide when to use that right depending on factors including whether the inaccuracy appears intentional and whether third parties are being harmed by maintaining the registration with inaccurate data. Registrars are obligated to take reasonable action to correct reported Whois inaccuracies, but are not bound to a fixed timetable."

RAA Subsection 3.7.7.2 states that:

“A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for cancellation of the Registered Name registration.”

RAA Subsection 3.7.8 states that:

“Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information. Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.”

If a legitimate business/domain is being impersonated, and the impersonating domain is using WHOIS details identical to the victim business/domains, that, in my opinion, is a “severe Whois inaccuracy”; I believe that DIRECTI is wrong to refuse to act on complaints of impersonation unless an impersonated business/website “file UDRP case at WIPO".

At the very least, when somebody complains about domain impersonation to DIRECTI, DIRECTI should contact the legitimate domain to ascertain whether the fake domain was authorized to duplicate the legitimate domain's WHOIS information. If not, the complained of domain should be suspended for "Inaccurate whois details". AND, if a fake domain has been used to sell malvertizing by impersonating another business, the domain should immediately be suspended for abuse. AND, if other domains are reported or discovered that exhibit similar features, especially if they are hosted at the same IP address as other known bad sites, then those domains should also be suspended pending further investigation, even if there is no direct evidence of fraudulent activity.

Note that DIRECTI claim to have “already investigated” the following domains:

FAKE DOMAIN:
quigley-simpson.net (STATUS: LOCKED)

IP: 94.247.3.17
Registrant: Gerald Bagg Quigley (gbagg@earthlink.net)
Los Angeles, CA 90049
310 470 4753

LEGITIMATE DOMAIN:
quigleysimpson.com

IP: 64.202.123.183
Registrant: Gerald Bagg (gbagg@earthlink.net)
PO Box 49935
Los Angeles, CA 90049-0935
310 470 4753

quigleysimpson.com is displaying an alert about quigley-simpson.net
quigley-simpson.net was being used to sell malvertizing by impersonating the real Quigley Simpson business

*****

FAKE DOMAIN
hyundai-inc.com (STATUS: ACTIVE)

IP: 94.247.3.17
Registrant: Hyundai Motor Company (domain@hyundai-motor.com)
231, Yangjae-dong, Seocho-gu, Seoul
Yanggang-do, 137130
Tel: 02 3464 1924

LEGITIMATE DOMAIN:
hyundai-motor.com

IP: 58.87.36.11
Registrant: Hyundai Motor Company (domain@hyundai-motor.com)
231, Yangjae-dong, Seocho-gu, Seoul
Tel: 02 3464 1924

*****

FAKE DOMAIN:
mediavest-corp.com (STATUS: ACTIVE)

IP: 94.247.3.17
Registrant: Publicis Group S.A. (support@us-resources.com)
3310 West Big Beaver Rd
Troy, Michigan 48084
Tel: 248 458 8214 (note that they have used the legitimate domain’s fax number as their telephone number)

LEGITIMATE DOMAIN:
mediavest.net

IP: 63.115.250.19
Publicis Group S.A. (network.support@us-resources.com)
3310 West Big Beaver Rd
Suite 107
Troy, MI 48084
248 458 8100 (fax: 248 458 8214)

*****

FAKE DOMAIN:
posnerpromotion.com (STATUS: ACTIVE – why, when the other site the subject of an impersonation alert (quigley-simpson.net) has been locked?)

IP: 94.247.3.17
Registrant: Posner Advertising (wm@posneradv.com)
30 Broad Street, New York
Tel: 212 480 3440 (note that they have used the legitimate domain’s fax number as their telephone number)

LEGITIMATE DOMAIN:
posneradv.com

IP: 64.13.251.53
Registrant: Posner Advertising (wm@posneradv.com)
30 Broad Street, New York
Tel: 212 867 3900 (Fax: 212 480 3440)

posneradv.com is displaying an alert about posnerpromotion.com
posnerpromotion.com was (is?) being used to sell malvertizing by impersonating the real Posner Advertising

*****

FAKE DOMAIN
singlesnet-inc.com (STATUS: ACTIVE)

IP: 94.247.3.17
Registrant: Quinn Lipin (cc2xq6yb3fm@networksolutionsprivateregistration.com)
PO Box 447, Herndon 20172-0447
Tel: 570 708 8780

LEGITIMATE DOMAIN:
singlesnet.com

IP: 67.108.223.22
Registrant: Quinn Lipin
PO Box 477, Herndon 20172-0447
Tel: 570 708 8780 (ze6gz9cg8zs@networksolutionsprivateregistration.com)

*****

Also, note that some new domains have appeared at the same IP address (94.247.3.17 - Latvia - Zlkon) being feelyouinside.com and J1j2j34.cn. A fraudware domain previously registered at that IP, Av10antivir.com, is gone (STATUS: suspended).

J1j2j34.cn
ICANN Registrar: Chinese Registrar, 厦门华融盛世网络有限公司
Registrant: TokioElectro (grishanizov@gmail.com)

The domain has already been reported as hosting malicious content:
https://safeweb.norton.com/report/show?name=j1j2j34.cn

Registrant address seen in association with several incidents:

t1ssot.cn
http://www.bluetack.co.uk/forums/lofiversion/index.php/t18052.html

stoneholl.cn
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=150#

*****

feelyouinside.com (STATUS: ACTIVE)
ICANN Registrar: DIRECTI
Registrant: Mali (maliasiat@gmail.com)
London paker str 23b, London
Tel: 004 072687799

I cannot find a Paker Street in London.

Spotting the bad guys…

sandi — Mon, 19 Jan 2009 13:59:48 GMT

It is very important to be familiar with the traits and suspicious behaviour/signs common to domains associated with malware, fraudware and malvertizing, affiliate misbehaviour and whatnot. By studying what the bad guys are doing, and how they do it, and the domains that they are using, we can build a dossier of features common to dangerous domains which can be built into our reputational assessments and other due diligence checks.

By way of example, let's take the example of a series of fraudware domains as highlighted by the PandaLabs blog:
http://pandalabs.pandasecurity.com/archive/Rash-of-Rogue-Security-Malware.aspx

As we take a closer look at the domains it becomes clear that there a high likelihood of danger, not just because of the domains themselves (my personal opinion is that any new domain names that can be used to infer antivirus, or antispyware, or scanning, or security or similar themes should immediately be flagged for closer examination by Registrars as a matter of course) but because the Registrant details are suspicious. What we see below is 24 domains that can be gathered into 7 distinct "groups". Nearly all of the domains are registered via the same Registrar, and are shared between six different Registrants. There is also a lot of what I can best describe as "cross pollination" between the various "groups" and Registrants.

I have sorted the 24 domains, using various criteria, to make it easier to see the “ties that bind” between the various Registrants and groups. I see no reason why Registrars cannot implement similar checks and balances – checks that could be triggered by particular symptoms, such as a series of similar domains being registered, or when certain key words make up part of a domain name, or when “cross pollination” is detected via automated cross-checks.

Sorted by domain:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

The two “Robert Flork” registrations above seems innocuous from the perspective of WHOIS information and domain “group”, until we realise that the name and email address is used in association with other suspicious domains (below), which then leads us to wonder if the various names we see are nothing more than pseudonyms.

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus6scan.com - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

Sorted by Registrant:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plus6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha

newscan5.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

Sorted by IP:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel        (66.101.58.54)
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel       (66.101.58.54)
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel         (66.101.58.54)

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                      (194.165.4.41)
livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                       (194.165.4.41)
plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                    (194.165.4.41)
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)

livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)

newscan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI (78.159.99.66)

bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan5.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
plus6scan.com - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

*****

These last few domains highlighted by PandaLabs exhibit identical Registrants and (for the most part) different IP addresses (by the way, I would look askance at WHOIS which records a USA street address but a Russian email address):

best2008-scan-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.1.203)
av-pcscan-comp.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (216.240.149.159)
forpc-av-scanner.net - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (216.240.149.159)
best-scanner-pc.net - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.18.54)
quickly-scan-no-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.18.54)

sg10scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (78.26.179.253)
sg11scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (94.247.2.39)
sg12scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI

*****

Who are REGTIME, and UK2 GROUP?

UK2 Group Ltd, Suite 2C, Eurolife Building 1, Corral Road, Gibraltar

Regtime Ltd, 1 Krasnoarmeyskaya Street, Samara, Russian Rederation

"Regtime Ltd was the first Russian ICANN-accredited registrar to offer a full service of cyrillic domains to Russian companies and individuals. Russian is the native or second language for more than 230 million people, so the decision to launch cyrillic language domains in 2001 was an important stage in the ability of Russian-speakers to access the Internet and the World Wide Web. Regtime continues to play a key role in the development of the Internet in Russia, including its work with the Cyrillic Languages Internet Names Consortium (CLINC)."

CITE: http://www.nic.aero/news/2008-06-30-03

ALERT: Please treat all content from topstarmedia.net and osmedlin.com with extreme caution - do we find DIRECTI? Yes we do!

sandi — Fri, 16 Jan 2009 14:42:14 GMT

I received an email alert today reporting that topstarmedia.net is supplying JavaScript code for advertising campaigns as follows:

osmedlin.com/?id=<<removed>>

To quote my correspondent, topstarmedia’s approach had "ll the hallmarks- 5 figure budget, launch on a Friday, immediately, etc."

topstarmedia.net
ICANN Registrar: Oneandone
Created: 31 August 2008
nserver: ns2.3fn.net 216.195.48.10

nserver: dns346.3fn.net 216.195.56.230

IP: 216.195.57.52 - Oregon - Portland - Aps Telecom

WHOIS hidden behind "Private Registration"

According to Google Maps, topstarmedia.net shares its stated address (518 W 6th St, Los Angeles, CA 90014 United States) with a pizza shop and locksmith :-)

osmedlin.com is especially interesting. At time of writing it is hosted at IP 94.76.208.14, an IP with a problematic history:

osmedlin.com
Registrar: Directi Internet Solutions (Are we surprised? No, we are not)
Created: 2 January 2009
NS1.OSMEDLIN.COM
NS2.OSMEDLIN.COM
IP: 94.76.208.14 - United Kingdom - "Canonical Range For 27w"

Shares IP with 7realmedia.com, neon-global.com, tyrol-direct.com, unilux-direct.com, westylex.com

WHOIS:
Registrant Tim Robertson (jlmrtdgf@gmail.com)
81 Hayden Street, Toronto, Ontario

Note, listed phone number for osmedlin.com, +001.4163657775, apparently belongs to Keys Plus, 100 King W, Toronto:
http://www.yellowpages.ca/bus/Ontario/Toronto/Awards-Engraving-At-Keys-Plus/3084017.html?adid=14457680aa&what=Trophies-Retail&where=Toronto+ON

Here is where it gets even more interesting ... there used to be two other domains at IP 94.76.208.14, being media-drive.com and the infamous prolinar.com.
Cite: http://msmvps.com/blogs/spywaresucks/archive/2008/12/31/1658179.aspx

Both domains are no longer at that IP address.

media-drive.com - now "on hold" (suspended domain) according to WHOIS

prolinar.com - no longer has a web site but is still listed as ACTIVE according to WHOIS – you may recall that Kimberley and I have been questioning why prolinar.com has not been suspended when its stable-mate has been – both have the same Registrant details (see end of article for WHOIS screenshots). I’m sure that I read somewhere that Directi had promised to investigate *all* domains associated with a rogue Registrant back when it was getting all the negative press about Atrivo/Intercage.

Dig prolinar.com@ns2.prolinar.com (94.76.192.188) ...
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
prolinar.com NS (Nameserver) ns1.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns1.prolinar.com
ns1.prolinar.com A (Address) 94.76.208.14
ns2.prolinar.com A (Address) 94.76.192.188

Dig prolinar.com@ns1.prolinar.com (94.76.208.14) ...
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
prolinar.com NS (Nameserver) ns1.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns1.prolinar.com
ns1.prolinar.com A (Address) 94.76.208.14
ns2.prolinar.com A (Address) 94.76.192.188

Could it be that osmedlin.com is a replacement/stablemate for prolinar? If so, it is very revealing that the bad guys still feel confident enough to continue to use Directi, and even use the same IP address.

The identical IP address is not the only similarity.

See this screenshot of the prolinar javascript used as part of the MySpace chat malicious redirect? I used it for my article about the MySpace Chat incident.

Let's compare it to an osmedlin.com javascript... please forgive my need to obscure identifying code on this occasion, but I'm sure that you can still see lots of similarities – everything from the format of the URL to the software running on the server, to the folder path for the adverts, to the script itself. Note that there is no referrer in the screenshot, therefore if we assume identical behavior to prolinar.com incidents, it is to be expected that there is no malicious code to be seen in this experiment, because there is no referrer. But what would happen if the correct referrer was present?

Glowing brain malvertizement – and, once again, we find DIRECTI

sandi — Thu, 15 Jan 2009 04:49:53 GMT

Adopstools results:
http://www.adopstools.net/index.asp?page=quicklink&id=26gBv5P94L5CW849

Touches the domain adclickmate.net

Registrar: DIRECTI (yet again)
Created 24 March 2008
NS1.ADCLICKMATE.NET
NS2.ADCLICKMATE.NET

IP: 212.95.37.133 - Germany, Netdirekt
WHOIS hidden behind privacy protect

Domain originally registered via ESTDOMAINS - WHOIS protection temporary removed around late August 2008, which revealed:

Domain Corp.
Jacob Tua (jackyouthere@gmail.com)
Maltiskam 12-67
Belgrade
Belgrade, 11008
RS
Tel: +381.113114094

Later changing to:

Domain Names copr.
markhaagland@gmail.com
Tallin
Harjumaa, 13514
EE
Tel. +37.26201114

WHOIS was again hidden behind PrivacyProtect on or about 9 January 2009.

Interesting info re jackyouthere@gmail.com and markhaagland@gmail.com:

See this Apple discussion forum conversation about a the clipboard hijacking problem – the same clipboard hijacking problem that led to Adobe changing the way Flash behaves:
http://discussions.apple.com/thread.jspa?messageID=7768848

The domain being copied to clipboard via the Flash exploit was "windowsxp-privacy.net", which just so happened to be registered to, you guessed it, jackyouthere@gmail.com!! This information was posted to the discussion thread on 20 August 2008.

It is not surprising that jackyouthere@gmail.com was removed from WHOIS after it become public information that the email address was associated with the clipboard hijackings. But, changing to markhaagland@gmail.com has not made much of a difference – all it did was add another pointer towards guilt.

The email address markhaagland@gmail.com was discovered in association with malvertizing domains, including statscontroller.net (registered via Directi - no surprise there). statscontroller.net is associated with a malvertizing incident that hit MSN Encarta back in early December 2008.

I want to know why DIRECTI allowed an obviously bad domain to once again hide behind privacyprotect.org. Information was made available to the public on 20 August 2008 and 8 December 2008 that both email addresses mentioned in the WHOIS details, jackyouthere@gmail.com and markhaagland@gmail.com, were associated with bad domains and malicious behaviour, yet despite this DIRECTI allowed an obviously bad domain to regain the protection of privacyprotect.org after this information became public … WHY?????

Potential malvertizement featuring the Disney movie “Bolt”

sandi — Thu, 15 Jan 2009 04:03:55 GMT

Adopstools results:
http://www.adopstools.net/index.asp?page=quicklink&id=YNgNHCUFU1pAgA94

Directi Internet Solutions strikes again

sandi — Tue, 13 Jan 2009 00:09:32 GMT

I ask you – just how obvious does the impersonation of a legitimate company have to be before Directi notices and stops a site from going live *before* it can do harm???

quigley-simpson.net
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, quigleysimpson.com

Domain discovered after it was used to fraudulently sell malvertizing, purportedly on behalf of the legitimate Quigley Simpson company:
(http://www.bluetack.co.uk/forums/index.php?s=9fa704b47f52bec51accb4cb17439f29&showtopic=18064&st=210&p=90729&#)

The fraudulent domain shares IP address with several domains that are also a cause for concern, being:

hyundai-inc.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, hyundai-motor.com

*****

mediavest-corp.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website not yet live, but WHOIS refers to support@us-resources.com, which is the same email address as is registered for "mediavest.net".

*****

posnerpromotion.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, posneradv.com

*****

singlesnet-inc.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, singlesnet.com

*****

I, for one, am sick to death of Directi letting this stuff through. Do they *really* believe that a high profile company like Hyundai is going to register a domain through them, and then host the domain in Latvia? Come on!!

I don't care that Directi are suspending domains **after the fact**. The bad guys can do a lot of damage with domains such as those above, even in the space of a few days.

Impersonation of legitimate domains is not the only behavior which leads us to Directi. Reseller Club (aka Directi) and Directi continue to be involved in the registration of domains used to facilitate the distribution of fraudware - Kimberley has details of a recent incident:

http://www.bluetack.co.uk/forums/index.php?s=9fa704b47f52bec51accb4cb17439f29&showtopic=18064&st=210&p=90729&#

Spyware Sucks : Security, safety and privacy on the Internet

ALERT: Adobe Flash and Air have been updated

A frightening tale of computer infection and its consequences

ALERT: Please treat the domain statisticsishere.com and measurehits.com with extreme caution

Did you know that it is National Zombie Awareness Week in Australia?

Now this is scary…. :(

Interesting comment – Best Western malvertizing

Please do NOT advise your users to turn off automatic updates because of *one* problem update

Lifestyles of the Rich and Infamous, and an update about the status of the FTC versus Innovative Marketing et al lawsuit

I just knew I'd find DIRECTI in there somewhere...

More information about Olympic Media shenanigans

Olympic Media are still active

DIRECTI responds re inaccurate WHOIS complaint time frames

Oh dear, oh dear, oh dear…

DIRECTI finally agree to act

DIRECTI responds to my complaint about the impersonation of domains/businesses

Spotting the bad guys…

ALERT: Please treat all content from topstarmedia.net and osmedlin.com with extreme caution - do we find DIRECTI? Yes we do!

Glowing brain malvertizement – and, once again, we find DIRECTI

Potential malvertizement featuring the Disney movie “Bolt”

Directi Internet Solutions strikes again

Please do NOT advise your users to turn off automatic updates because of one problem update