Spyware Sucks : Vulnerabilities, viruses and exploits, Fraudware

ALERT: Please treat content from aegadvancedmedia.com with extreme caution

sandi — Thu, 29 Jul 2010 10:05:13 GMT

Nokia Theatre L.A. Live (nokiatheatrelalive.com) is serving exploits via aegadvancedmedia.com

Historical badness at aegadvancedmedia.com (btw, homedepotcenter.com is still serving exploits – stay away from there too):
http://www.google.com/safebrowsing/diagnostic?site=aegadvancedmedia.com

Malicious content (note the 1x1 iframe):

Analysis of content from the IP address 85.234.190.13:
http://wepawet.cs.ucsb.edu/view.php?hash=63e7a8a467205c6c2d6c078de506b30c&t=1280392935&type=js

Historical badness at 85.234.190.13:
http://www.google.com/safebrowsing/diagnostic?site=85.234.190.13

Other bad stuff in the IP range:
http://www.malwaredomainlist.com/mdl.php?search=85.234.190&colsearch=All&quantity=50

85.234.190.13 is in Latvia - Latvia Riga Docsis Ip Pool For Cable Customers

Other bad stuff is seen coming from 194.8.250.227 (Paraguay Donstroy Ltd) – historical badness there too:
http://www.google.com/safebrowsing/diagnostic?site=194.8.250.227

Interestingly, an analysis of the content loaded from 194.8.250.227 points to fake AV:
http://www.virustotal.com/analisis/b0becacf524a1d04943007da7284bc419245bf26a411a1667df06e647eabadc6-1280394361

Not surprising considering the IP range history:
http://www.malwaredomainlist.com/mdl.php?search=194.8.250&colsearch=All&quantity=50

There is also an attempt to infect systems using a vulnerability in Adobe Reader and Acrobat 8.0 through 9.2 (Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009)

ALERT: Please treat the domain statisticsishere.com and measurehits.com with extreme caution

sandi — Mon, 09 Mar 2009 01:04:03 GMT

I received this email a short while ago:

“We have been getting a lot of ads accessing scripts from this domain statisticsishere.com. So far there is no malware redirect or download but this domain looks suspicious having been created less than a week.”

I have to agree that the domain is suspicious.

Before we get started, it is important that I remind you that the fact that there is no suspicious behavior *at the moment* is of no comfort. The crooks behind malvertizing have been known to establish a relationship with potential victims by running one or more “clean” campaigns, thereby building a level of trust between them and their victims, before hitting their victims with malvertizing.

Let’s look at the WHOIS information for statisticsishere.com:

ICANN Registrar: YESNIC CO. LTD.
Created: 5 March 2009
NS1.STATISTICSISHERE.COM - IP 116.50.15.1 (HostFresh)
NS2.STATISTICSISHERE.COM - IP 116.50.15.1 (HostFresh)
NS3.STATISTICSISHERE.COM - IP 89.149.226.121 (Netdirekt)

IP: 195.62.37.14 - Sardegna, Olbia, Geonic.net Ltd

Registrant:
Gabriel Jenks (gabrielcjenks17@mail.com)
3515 Cooks Mine Road
88101
US
Tel: 1 505-763-5453

First of all, HostFresh and Netdirekt have both been problematic in the past but, more importantly, the postcode (88101) and phone number (505-763-5453) map to Clovis, New Mexico. I cannot find a "Cooks Mine Road" in Clovis. Not only that, the phone number listed in the WHOIS is apparently owned by a Brian A Jones and Delinda K Jones, not a Gabriel Jenks.

Now, let’s look at the NS for the domain statisticsishere.com:

IP of NS1.STATISTICSISHERE.COM - 116.50.15.1
IP of NS2.STATISTICSISHERE.COM - 116.50.15.1

Hostnames sharing IP with A Records - you will see some very familiar domains....

mail.xxx-online.in
ns2.02sta.com
ns2.admediastats.com
ns2.onlinestatsmanager.com
ns2.promorotation.com
ns2.securityclick.net
ns2.st-athome.net
ns2.st-aticglobalsources.com
ns2.statisticsishere.com
ns2.themonitoring.net
ns2.traffic-analytics.com
ns2.waytotheprofit.com
www.xxx-online.in

Domains using NS1.STATISTICSISHERE.COM as nameserver: statisticsishere.com

Domains using NS1.STATISTICSISHERE.COM as nameserver under another name (again, you're going to see some familiar names):

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Nameservers missing in zone:

ns1.statisticsishere.com
ns2.statisticsishere.com
ns3.statisticsishere.com

Used as nameserver but missing in zone: statisticsishere.com

*****

IP of NS3.STATISTICSISHERE.COM - 89.149.226.121

PTRS of IP numbers: 89-149-226-121.internetserviceteam.com

Hostnames sharing IP with A Records (again, lots of familiar names):

89-149-226-121.internetserviceteam.com
ns3.02sta.com
ns3.admediastats.com
ns3.promorotation.com
ns3.securityclick.net
ns3.st-athome.net
ns3.st-aticglobalsources.com
ns3.themonitoring.net
ns3.traffic-analytics.com
ns3.waytotheprofit.com

Domains using this as nameserver: statisticsishere.com

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Nameservers missing in zone:

ns1.statisticsishere.com
ns2.statisticsishere.com
ns3.statisticsishere.com

Used as nameserver but missing in zone: statisticsishere.com

*****

According to a Registrant search, “Gabriel Jenks” owns another domain, being measurehits.com, which should also be treated with extreme caution.

ICANN Registrar: YESNIC CO. LTD.
Created: 26 February 2009

NS1.MEASUREHITS.COM (116.50.15.1)
NS2.MEASUREHITS.COM (89.149.226.121

IP: 212.117.165.128 - Luxembourg, Root Esolutions

Registrant:
Gabriel Jenks (gabrielcjenks17@mail.com)
3515 Cooks Mine Road
88101
US
Tel: 1 505-763-5453

Shares IP address with the following domains, all of which should be treated with extreme caution.

advertpanda.com, clickanalytic.com, extrabigad.com, greatad.net, securityclick.net, waytotheprofit.com, whoisadvert.com

NS1.MEASUREHITS.COM

Hostnames sharing IP with A-Records:

mail.xxx-online.in
ns1.statisticsishere.com
ns2.02sta.com
ns2.admediastats.com
ns2.onlinestatsmanager.com
ns2.promorotation.com
ns2.securityclick.net
ns2.st-athome.net
ns2.st-aticglobalsources.com
ns2.statisticsishere.com
ns2.themonitoring.net
ns2.traffic-analytics.com
ns2.waytotheprofit.com
www.xxx-online.in

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

NS2.MEASUREHITS.COM

PTRS of IP numbers - 89-149-226-121.internetserviceteam.com

Hostnames sharing IP with A-Records:

89-149-226-121.internetserviceteam.com
ns3.02sta.com
ns3.admediastats.com
ns3.promorotation.com
ns3.securityclick.net
ns3.st-athome.net
ns3.st-aticglobalsources.com
ns3.statisticsishere.com
ns3.themonitoring.net
ns3.traffic-analytics.com
ns3.waytotheprofit.com

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Interesting comment – Best Western malvertizing

sandi — Thu, 26 Feb 2009 15:46:17 GMT

The comment was posted here. I quote:

“My company was approached by a client claiming to represent Best Western with a lower tech version of this. We were give a static JPG, third one from the top and instructions to paste some odd-looking Javascript with the image.

I ran the code in AddOps tools and it did nothing. Getting suspicious I checked the src URL for the Javascript which was "http:// st-aticglobalsources.com" and found a lot of trouble associated with it.

We refused to run the ad with the code. Client claimed ignorance saying code came from their client and would provide new tags. New tags arrived, similar to the first but sourcing the J-script from "http:// st-ation-appraisals.net" this time. Running this code through AdOps tools at least generates a Best Western banner, but I ran the URL through search engines, found associated with ITmeter INC, and did not run the ad.”

As my regular readers will know, both of the URLs are well known to those of us who study malvertizing. I hope that the commentator will tell us the name and email addresses used by the person who tried to sell them the malicious advertisement.

st-aticglobalsources.com (79.135.187.86 - Istanbul - Istanbul - Serv2u.com International Backbone Tr)

Registrant Contact:
   ITmeter INC
   Sergey Belonozhko (sergbelo@gmail.com)
   Fax:
   Dmitrienko 7
   Odessa, State 65000
   UA

st-ation-appraisals.net (79.135.187.89 - Istanbul - Istanbul - Serv2u.com International Backbone Tr)

Registrant Contact:
   ITmeter INC
   Sergey Belonozhko (sergbelo@gmail.com)
   Fax:
   Dmitrienko 7
   Odessa, State 65000
   UA

It is important to note that although both bad domains have “dedicated hosting” and unique IP addresses, they are both hosted by the same company, and are within the same IP range. A check of the entire IP range, 79.135.187.% reveals 266 domains, all of which should be treated with extreme caution.

Lifestyles of the Rich and Infamous, and an update about the status of the FTC versus Innovative Marketing et al lawsuit

sandi — Tue, 10 Feb 2009 08:42:48 GMT

I'll include some history of events so that you can get a sense of perspective with regards to the time frame around these events. It is especially important to note that the FTC lawsuit is not the only problem that Jain is facing. He has been indicted in the State of California and is facing several criminal charges there, and there are pending charges against him in Illinois. Events relevant to the California criminal charges and the Illinois investigation are highlighted.

You’ll see that the lifestyle enjoyed by Kristy Ross as revealed by her credit card statements was nothing if not lavish.

Defendants Kristy Ross and Sam Jain (who were (are?) boyfriend and girlfriend):

26 March 2008 - US District Court, San Jose, California: USA v Shaileshkumar Jain - four counts being criminal copyright infringement, trafficking in counterfeit goods, wire fraud and mail fraud (for activities that took place in 2003) (CR-08-00197-HRL) (charges relate to events on 12 and 26 January and the sale of fake Symantec software). The Grand Jury indictment requests the forfeiture of "approximately $13,522,080 in United States currency or after acquired assets traceable thereto". Sam Jain's full name is Shaileshkumar Jain.

"late September" 2008 - Ted W Cassman (he and his firm Arguedas, Cassman & Headley LLP represent(ed) Jain in the ongoing California criminal proceedings and the ongoing investigation in Illinois) met with Assistant US Attorney and two agents of the FBI in Chicago, Illinois. The Assistant US Attorney "unequivocally stated that Mr Jain will be indicted for wire fraud and computer fraud charges as a result of the Illinois Investigation 'sooner rather than later.' " (cite: Declaration of Ted W Cassman dated 18 December 2008)

2 December 2008 - FTC requests and receives a temporary restraining order.

12 December 2008 - temporary restraining order expires. The defendants did not turn up in Court and they failed to comply with the TRO. Order to show cause issued.

17 December 2008 - appearances entered for Mark D'Souza and Sam Jain. Joint response to order to show cause filed by Jain and Ross, promising to "fully comply with the terms of the TRO and PI by 23 December 2008" Mark D'Souza also files a response, promising to comply with the requirements of the TRO and PI by 4.00pm on 23 December 2008.

18 December 2008 - Cassman declaration signed describing the events of "late September" 2008.

23 December 2008 - a letter was sent to FTC on 23 December by the law firm Patton Boggs explaining that Jain had no intention of complying with the Court orders because to do so "would require Jain to incriminate himself" (the letter stated that Jain "is the target of a criminal investigation in the Northern District of Illinois covering the same conduct as the Commission's suit" and claimed that Jain cannot take any steps in relation to the FTC lawsuit without "waiving his Fifth Amendment privilege and making admissions that could be used against him in the criminal case"). Kristy Ross made the same argument.

(Sandi note: bearing in mind the events of "late September" 2008 as described by Ted Cassman and detailed in his declaration signed 18 December 2008, why did Jain promise to "fully comply with the terms of the TRO and PI by 23 December 2008” – he must have known about the Illinois investigation and the possibility of criminal charges? I do not know if criminal charges have yet been laid in Illinois)

29 January 2009 - the FTC filed a "memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets". I quote:

"Defendant Ross, for example, spent the year 2008 visiting the world's finest resorts (including multiple visits to the Four Seasons Resort in Nevis, as well as the British Colonial Hilton in the Bahamas, enjoying extravagant meals (including multiple $800+ meals), and gorging herself on luxury items from the world's most exclusive retailers, including Harrods of London (nearly $30,000 spent in 2008), Louis Vuitton (more than $23,000 spent in 2008) and Dolce & Gabbana (more than $13,000 spent in 2008).

...

To date, despite extensive efforts, the FTC has been unable to locate a single dollar of domestic assets held by either Jain or Ross."

The above information was taken from credit card statements for Kristy Ross that were submitted to the FTC by JP Morgan Chase and BMW Bank of North America - the "extravagant meals" included a series of meals totaling over $500 as well as at least two meals totaling more than $800. The charges were incurred by Ross in locations all over the world including London, Toronto, Kiev, Brussels, Zurich, Nevis, Frankfurt and Montreal. Ross stopped using the credit cards in or about September 2008. (cite: declaration of Sheryl Drexler dated 29 January 2009)

Two credit card accounts held by Kristy Ross and a safe deposit box held by Sam Jain have been discovered but apart from that "after weeks of searching, the FTC has located only $174,000 of the defendants' assets. ... The bulk of these funds belong to James Reno. To date, the FTC has not located a single dollar of domestic assets held by either Jain or Ross." (cite: Plaintiff's memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets filed 29 January 2009)

According to documents filed in the Canadian litigation (the "Canadian litigation" being the lawsuit filed by Innovative Marketing against Marc D'Souza and Maurice D'Souza in the Ontario Superior Court of Justice), the defendants' income from the sale of their products between 2004-2006 totaled more than $74 million! (cite: Plaintiff's memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets filed 29 January 2009).

The FTC have requested that "this Court hold Jain and Ross in civil contempt, and order them incarcerated until such time as they comply with the PI...".

5 January 2009 - a completed Consent to Release of Financial Records form was finally received from Ross (the foreign account holders (ie overseas financial institutions) have not, as far as I know, supplied the requested information).

12 January 2009 - Jain failed to appear in court to face criminal charges (Criminal Minute Order, USA v Shaileshkumar Jain, CR-08-00197-RMW). Bench Warrant issued, and stayed until 26 January 2009.

14 January 2009 - a completed Consent to Release of Financial Records form was finally received from Jain (the foreign account holders (ie overseas financial institutions) have not, as far as I know, supplied the requested information).

26 January 2009 - Jain requests a stay of the FTC proceedings because of the criminal proceedings in the Northern District of Illinois, until the criminal proceedings are resolved.

26 January 2009 - Sam Jain became a fugitive after the Bench Warrant stay was lifted. Jain forfeited a $250,000 cash bond.

(Sandi note: Bearing in mind the fact that the FTC claims that Jain/Ross were able to achieve revenues in excess of $100 million, the amount of $250,000 would seem a small price to pay (even after taking into consideration the fact that Ross was going through money hand over fist in 2008).

29 January 2009 - Ross requests a stay of the FTC proceedings because of the criminal proceedings in the Northern District of Illinois, until the criminal proceedings are resolved.

5 February 2009 - Ross files a "Motion to Strike or, in the alternative, for extension of time to respond", moving for the Court to strike the FTC's motion for an order holding Jain and Ross in contempt of court and requiring repatriation of their assets "as premature and procedurally improper".

5 February 2009 - Jain joins Ross's motion to strike

(Sandi note: Isn't it interesting that Jain, who has been a fugitive since 26 January 2009 and whose whereabouts are apparently unknown (see FTC document filed 9 January 2009), was able to join Kristy Ross's Motion to Strike on 5 February 2009?).

9 January 2009 - The FTC opposed the Motion to Strike, filing a "consolidated opposition to motion of defendants Kristy Ross and Sam Jain to strike or in the alternative for an extension of time" on 9 January 2009. The FTC notes in that document that "to allow these defendants to flaunt the Court's orders, and then escape the consequences of these actions by pointing to a possible criminal proceeding, would set bad precedent and invite similar conduct from future defendants.".

The FTC document notes that Jain is a fugitive, and that his whereabouts are (were?) unknown.

Defendants: James Reno and Bytehosting Internet Services

Bytehosting/Reno are now represented. A further extension of time was granted, pushing out the deadline from 23 January to 30 January 2009.

Reno/Bytehosting then filed a Motion to dismiss for lack of personal jurisdiction (claiming the court has no jurisdiction) on 30 January 2009. Reno/Bytehosting claim to have been "merely under contract to provide services, namely technical support and a call center, to Defendant Innovative Marketing". It is also claimed that their "involvement with Innovative Marketing was limited to internal technical support and post-sale support for customers through a call center".

Reno swore an affidavit which basically says the same thing on 30 January 2009.

(Sandi note: Uh, yeah – where I come from being aware that something bad is going on via my business because of a rogue client and not doing anything about it is as bad as being the rogue client, and there’s no way Reno could NOT have known what Innovative Marketing et al were doing, especially after the Symantec lawsuit that Reno was a party to)

BTW, I have come across the name eFront a few times in association with Reno and Jain – a couple of comments have been posted referring to them ... would anybody like to share what they know about *that* story?
http://www.google.com/search?hl=en&q=efront+reno+jain (eFront CEO was Sam Jain, CTO was James Reno?) Why do I get the feeling that the association between Reno and Jain is more than the typical “arms length, he just walked in off the street, wouldn’t know him from Adam” client/supplier relationship?

Defendants: Daniel Sundin, Maurice D'Souza, Innovative Marketing Inc

These defendants are still unrepresented and silent in this action. Also, I have found no evidence that Innovative Marketing has paid any of the $8,000 per day fine that was imposed after it failed to comply with the Temporary Restraining Order.

Upcoming deadlines:

12 February 2009 (Response)
17 February 2009 (Response x3)
23 February 2009 (Response x2 and reply x1)