Saturday, February 25, 2006

How spyware gets installed (2)


Misspell "pot roast" as "poy roast" when searching for pot roast recipes. Notice that the web sites returned were designed to match misspelled words.

If you are unfortunate enough to select pot-roast-recipes.ioust.behavest.net, you find yourself trapped in a loop that tries to install software from WinSoftware Corporation, Inc.

WHOIS behavest.net



Andreas Tores andreas@winouxis.com
Direccion General de Areas Protegidas
Km 12.5 Carretera Norte Moduna 3102
Managua, Nicaragua



behavest.net insists you install WinAntiSpyware.
WinAntiSpyware will report that you have serious system errors and insist you buy and install WinFixer.
Instead, use Task Manager to close the browser window. Do not install this particular WinAntiSpyware.

There could be a legitimate WinAntiSpyware.com. Its terms and conditions say that disputes are settled under the laws of Nevada, and the General section of its license agreement says that Nevada law governs the agreement. There are two different "license agreement" pages and two different "terms and conditions" pages: the home page links to "Terms and Conditions", "License Information" and "Buy Now", and the "Buy Now" page links to a different "Terms and Conditions" and "License Agreement". Apart from the references to Nevada, nothing says where WinAntiSpyware might be located.

The domain name WinAntiSpyware.com is registered using an address in Kiev.

winantivirus.com = [ 66.244.254.64 ]
winantispyware.com = [ 66.244.254.64 ]
winantiviruspro.com = [ 66.244.254.63 ]


Note: The next day pot-roast-recipes.ioust.behavest.net was not available. Instead, pot-roast-gravy.toms.frcollect.org had an equivalent effect.

WHOIS frcollect.org

Shuratani Laskari
1859/14 Salcedo Street
Legaspi Village Makati City
Manila
Phillipines


The registration information was created a few days earlier and updated that day.

On March 3 the equivalent URL was cooking-pot-roast.buseon.seenfussy.com.

WHOIS seenfussy.com


Andreas Tores (andreas@winouxis.com)
Direccion General de Areas Protegidas
Km 12.5 Carretera Norte, Moduna # 3102
Managua
,3289
NI
Tel. +505.2331279


Registration was created 27-Feb-2006.

See also: Symantec description of WinAntiSpyware

Thursday, February 23, 2006

Block traffmoney.biz, traffnew.biz, traffbest.biz, traffweb.biz, traffdollars.biz, traffsale1.biz, traffbucks.biz & traffcool.biz

traffmoney.biz, traffnew.biz, traffbest.biz, traffweb.biz, traffdollars.biz, traffsale1.biz, traffbucks.biz and traffcool.biz deliver threats. All of them resolve to the same address: 85.249.23.119



traffmoney.biz/dl/fillmemadv640.htm (JS_ONLOADXPLT.G)
traffmoney.biz/dl/java.jar (JAVA_BYTEVER.S in NewSecurityClassLoader.class and NewURLClassLoader.class)
traffmoney.biz/dl/bag.htm
traffmoney.biz/dl/loaderadv640.jar (JAVA_BYTEVER.A in Dummy.class)
traffmoney.biz/dl/adv640.php

traffnew.biz/dl/java.jar (JAVA_BYTEVER.S in NewSecurityClassLoader.class and NewURLClassLoader.class)
traffnew.biz/dl/bag.htm
traffnew.biz/dl/loaderadv640.jar (JAVA_BYTEVER.A in Dummy.class)
traffnew.biz/dl/adv640.php

traffbest.biz/dl/adv438.php (JS_AGENT.BXY)
traffbest.biz/dl/fillmemadv438.htm (JS_ONLOADXPLT.G)
traffbest.biz/dl/bag.htm (JS_ONLOADXPLT.A)
traffbest.biz/dl/loaderadv438.jar (JAVA_SHINWOW.E in Matrix.class)
traffbest.biz/dl/fillmemadv428.htm (JS_ONLOADXPLT.G)
traffbest.biz/dl/loaderadv428.jar
traffbest.biz/dl/adv428.php
traffbest.biz/dl/java.jar (JAVA_BYTEVER.S in NewURLClassLoader.class)

traffweb.biz/dl/fillmemadv774.htm (JS_ONLOADXPLT.G)
traffweb.biz/dl/loaderadv774.jar
traffweb.biz/dl/adv774.php
traffweb.biz/dl/GetAccess.class
traffweb.biz/dl/Counter.class
traffweb.biz/dl/java.jar (JAVA_BYTEVER.S in NewSecurityClassLoader.class and NewURLClassLoader.class)
traffweb.biz/dl/bag.htm (JS_ONLOADXPLT.A)
traffweb.biz/dl/fillmemadv798.htm (JS_ONLOADXPLT.G)
traffweb.biz/dl/loaderadv798.jar (JAVA_BYTEVER.A in Dummy.class)
traffweb.biz/dl/adv798.php
traffweb.biz/dl/adv799.php
traffweb.biz/dl/fillmemadv764.htm (JS_ONLOADXPLT.G)
traffweb.biz/dl/loaderadv764.jar (JAVA_BYTEVER.A)
traffweb.biz/dl/adv764.php

traffdollars.biz/dl/fillmemadv598.htm (JS_ONLOADXPLT.G)
traffdollars.biz/dl/loaderadv598.jar (JAVA_BYTEVER.A in Dummy.class)
traffdollars.biz/dl/bag.htm (JS_ONLOADXPLT.A)
traffdollars.biz/dl/java.jar (JAVA_BYTEVER.S in NewSecurityClassLoader.class and NewURLClassLoader.class)
traffdollars.biz/dl/adv598.php

traffcool.biz/dl/fillmemadv542.htm (JS_ONLOADXPLT.G)
traffcool.biz/dl/adv542.php
traffcool.biz/dl/loaderadv542.jar (JAVA_BYTEVER.A in Dummy.class)
traffcool.biz/dl/java.jar (JAVA_BYTEVER.S in NewSecurityClassLoader.class and NewURLClassLoader.class)
traffcool.biz/dl/bag.htm (JS_ONLOADXPLT.A)
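The listing above has a shape worth more than the host names: every host serves a landing page (fillmemadvNNN.htm), a Java loader (loaderadvNNN.jar) and a PHP stage (advNNN.php) carrying the same campaign number, plus the fixed java.jar and bag.htm. The Node.js script below is an added example (not code from this post or from any site named in it) that turns that shape into detection logic over Squid-style proxy log lines. The log layout is assumed and the sample lines are constructed here; a request is flagged by host, by path shape, or both, so the same kit still stands out after it moves to a host that is not on the list (an assumption about how such kits rotate, not something the post states).

```javascript
// Added example, not code from the post or from any site named in it:
// turn the traff*.biz listing into proxy-log detection logic.

// Hosts and address taken from the listing above.
const KIT_HOSTS = new Set([
  "traffmoney.biz", "traffnew.biz", "traffbest.biz", "traffweb.biz",
  "traffdollars.biz", "traffsale1.biz", "traffbucks.biz", "traffcool.biz",
  "85.249.23.119",
]);

// Path shapes every host in the listing shares: a landing page, a Java
// loader and a PHP stage carrying the same campaign number, plus the
// fixed names java.jar, bag.htm and two loose class files.
const KIT_PATHS = [
  { stage: "landing",     re: /^\/dl\/fillmemadv\d+\.htm$/ },
  { stage: "java-loader", re: /^\/dl\/loaderadv\d+\.jar$/ },
  { stage: "php-stage",   re: /^\/dl\/adv\d+\.php$/ },
  { stage: "java-applet", re: /^\/dl\/java\.jar$/ },
  { stage: "bag",         re: /^\/dl\/bag\.htm$/ },
  { stage: "class",       re: /^\/dl\/(GetAccess|Counter)\.class$/ },
];

// Parse one Squid native access.log line (assumed layout:
// "time elapsed client code/status bytes method url ...").
function parseSquidLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  let url;
  try { url = new URL(f[6]); } catch { return null; }
  return { time: f[0], client: f[2], method: f[5], host: url.hostname, path: url.pathname };
}

// "kit": known host and known path shape; "kit-host": known host, any
// path; "kit-path": known path shape on an unknown host, which is what
// the same kit looks like after it moves to a fresh domain (assumption).
function classify(req) {
  const hostHit = KIT_HOSTS.has(req.host);
  const pathHit = KIT_PATHS.find((p) => p.re.test(req.path));
  if (hostHit && pathHit) return { verdict: "kit", stage: pathHit.stage };
  if (hostHit) return { verdict: "kit-host", stage: null };
  if (pathHit) return { verdict: "kit-path", stage: pathHit.stage };
  return null;
}

// Scan a whole log and return every flagged request in order.
function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const req = parseSquidLine(line);
    if (!req) continue;
    const c = classify(req);
    if (c) hits.push({ ...req, ...c });
  }
  return hits;
}

// Constructed sample log, not real traffic: one client walks the
// landing -> loader -> stage sequence, one fetches a benign page, and
// one pulls a loader from a host that is not on the list.
const SAMPLE_LOG = `
1140700001.123    412 10.0.0.5 TCP_MISS/200 2310 GET http://traffmoney.biz/dl/fillmemadv640.htm - DIRECT/85.249.23.119 text/html
1140700002.456    811 10.0.0.5 TCP_MISS/200 9120 GET http://traffmoney.biz/dl/loaderadv640.jar - DIRECT/85.249.23.119 application/java-archive
1140700003.789    120 10.0.0.5 TCP_MISS/200 640 GET http://traffmoney.biz/dl/adv640.php - DIRECT/85.249.23.119 text/html
1140700010.000     90 10.0.0.7 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1140700011.000    300 10.0.0.9 TCP_MISS/200 4411 GET http://mirror.example.org/dl/loaderadv999.jar - DIRECT/192.0.2.10 application/java-archive
`;

for (const h of scanLog(SAMPLE_LOG)) {
  console.log(`${h.client} ${h.verdict} ${h.stage || "-"} ${h.host}${h.path}`);
}
```

Run it with node; on a real log the interesting signal is one client producing landing, java-loader and php-stage within a few seconds, and a "kit-path" hit on a host nobody has blocked yet is the cue to look that host up.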

"traffmoney", "traffnew" and "traffdollars" use the same IP address and the same registration information.



WHOIS traffmoney.biz, traffnew.biz, traffdollars.biz?




traffmoney.biz = [ 85.249.23.119 ]
Domain Name: TRAFFMONEY.BIZ
Domain ID: D12368897-BIZ
Sponsoring Registrar: TLDS INC.
Sponsoring Registrar IANA ID: 320
Domain Status: clientTransferProhibited
Registrant ID: 6510552-SRSPLUS
Registrant Name: Jason Coffman
Registrant Organization: Private person
Registrant Address1: 908 Alder St
Registrant City: Philadelphia
Registrant State/Province: PA
Registrant Postal Code: 19147
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: 1.74952171179
Registrant Email: admin@toolbarbest.biz

WHOIS traffbest.biz [ = 85.249.23.119 = sr-customers-23-119.justdns.org]
Jason Coffman of Philadelphia, PA AKA admin@toolbarbest.biz





OK, then WHOIS toolbarbest.biz?



toolbarbest.biz = [ 85.249.23.117 ]
Domain Name: TOOLBARBEST.BIZ
Domain ID: D11890133-BIZ
Sponsoring Registrar: TLDS INC.
Sponsoring Registrar IANA ID: 320
Domain Status: clientTransferProhibited
Registrant ID: 6488994-SRSPLUS
Registrant Name: Alexander Pushkin
Registrant Organization: Home Home
Registrant Address1: Pushkina str. - 1 - 1
Registrant City: Moscow
Registrant Postal Code: 123456
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: 78.462788201
Registrant Email: admin@newtoolbar.biz




Literary giant Alexander Sergeevich Pushkin (1799-1837)? I wonder if Jason Coffman is a real person, and if he has registered any other domain names?


WHOIS newtoolbar.biz? (Ezhi Brozkevitsh, Warszawa, Poland, admin@buytraff.biz)
WHOIS buytraff.biz? (Ezhi Brozkevitsh, Warszawa, Poland, darkgt@mail.ru)
There that trail ends.

Reverse name resolution of 85.249.23.119 shows it belongs to Sergey Shishkin of Sergedjus Vlasovas in Klaipeda LT (Lithuania) sergedjus@eexhost.com
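The pivots in this entry (registrant e-mail to the domain it belongs to, then that domain's registrant e-mail, and so on until a mail.ru address ends the trail) and the shared registrant behind behavest.net and seenfussy.com in the pot-roast entry above can be mechanized. The Node.js script below is an added example, not code from this post: it parses WHOIS records in the "Key: Value" layout quoted above, abbreviated here to the domain, registrant e-mail and registrant phone fields the post gives, follows the e-mail chain from traffmoney.biz until it leaves the set of domains we hold records for, and clusters domains that share an e-mail, a phone number or a hosting IP (the IP map is taken from the post).

```javascript
// Added example, not code from the post: pivot across the WHOIS records
// quoted in these entries by shared registrant fields and by the chain
// domain -> registrant e-mail -> that e-mail's domain -> its WHOIS record.

// Abbreviated from the records quoted in the post, keeping only the fields
// pivoted on; a field the post does not give is simply absent.
const RAW_WHOIS = `
Domain Name: TRAFFMONEY.BIZ
Registrant Phone Number: 1.74952171179
Registrant Email: admin@toolbarbest.biz

Domain Name: TRAFFNEW.BIZ
Registrant Email: admin@toolbarbest.biz

Domain Name: TRAFFDOLLARS.BIZ
Registrant Email: admin@toolbarbest.biz

Domain Name: TRAFFBEST.BIZ
Registrant Email: admin@toolbarbest.biz

Domain Name: TOOLBARBEST.BIZ
Registrant Phone Number: 78.462788201
Registrant Email: admin@newtoolbar.biz

Domain Name: NEWTOOLBAR.BIZ
Registrant Email: admin@buytraff.biz

Domain Name: BUYTRAFF.BIZ
Registrant Email: darkgt@mail.ru

Domain Name: BEHAVEST.NET
Registrant Email: andreas@winouxis.com

Domain Name: SEENFUSSY.COM
Registrant Phone Number: +505.2331279
Registrant Email: andreas@winouxis.com

Domain Name: FRCOLLECT.ORG
`;

// Hosting addresses given in the post.
const IP_OF = {
  "traffmoney.biz": "85.249.23.119", "traffnew.biz": "85.249.23.119",
  "traffdollars.biz": "85.249.23.119", "traffbest.biz": "85.249.23.119",
  "toolbarbest.biz": "85.249.23.117",
};

// Parse "Key: Value" records separated by blank lines into a Map keyed by domain.
function parseWhois(text) {
  const records = new Map();
  for (const block of text.trim().split(/\n\s*\n/)) {
    const rec = {};
    for (const line of block.split("\n")) {
      const m = line.match(/^([^:]+):\s*(.+)$/);
      if (!m) continue;
      const key = m[1].trim().toLowerCase(), val = m[2].trim();
      if (key === "domain name") rec.domain = val.toLowerCase();
      else if (key === "registrant email") rec.email = val.toLowerCase();
      else if (key === "registrant phone number") rec.phone = val;
    }
    if (rec.domain) records.set(rec.domain, rec);
  }
  return records;
}

// Follow the registrant e-mail from domain to domain while we hold a record
// for the e-mail's domain; stop at an outside domain (e.g. mail.ru) or a loop.
function emailChain(records, start, maxHops = 10) {
  const chain = [];
  let d = start.toLowerCase();
  while (records.has(d) && !chain.includes(d) && chain.length < maxHops) {
    chain.push(d);
    const email = records.get(d).email;
    d = email ? email.split("@")[1] : "";
  }
  return { chain, endsAt: d, loop: chain.includes(d) };
}

// Union-find clustering: two domains join a cluster when they share a
// registrant e-mail, a registrant phone number, or a hosting IP address.
function clusterByPivots(records, ipOf) {
  const parent = new Map([...records.keys()].map((d) => [d, d]));
  const find = (x) => (parent.get(x) === x ? x : find(parent.get(x)));
  const firstSeen = new Map();
  for (const [d, r] of records) {
    const keys = [];
    if (r.email) keys.push("email:" + r.email);
    if (r.phone) keys.push("phone:" + r.phone);
    if (ipOf[d]) keys.push("ip:" + ipOf[d]);
    for (const k of keys) {
      if (firstSeen.has(k)) parent.set(find(d), find(firstSeen.get(k)));
      else firstSeen.set(k, d);
    }
  }
  const groups = new Map();
  for (const d of records.keys()) {
    const root = find(d);
    if (!groups.has(root)) groups.set(root, []);
    groups.get(root).push(d);
  }
  return [...groups.values()].map((g) => g.sort());
}

const WHOIS = parseWhois(RAW_WHOIS);
console.log(emailChain(WHOIS, "traffmoney.biz"));
console.log(clusterByPivots(WHOIS, IP_OF));
```

The chain walk reproduces the trail in this entry (traffmoney.biz, toolbarbest.biz, newtoolbar.biz, buytraff.biz, then mail.ru, where it ends), and the clustering puts the four traff*.biz domains together and behavest.net beside seenfussy.com while leaving frcollect.org on its own, since the post gives no pivot field for it. Registrant names are deliberately not a pivot: "Alexander Pushkin" shows how little they are worth.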

Saturday, February 18, 2006

How spyware gets installed

Search (using, for example, Google) for "midi file." One of the suggested destinations is musicrobot.com.

To make some money, musicrobot works with "advertising networks." Note, for example, the Google ads down the right side.

The banner at the top is a Macromedia Flash presentation from the advertising network FASTCLICK.COM.

When the musicrobot home page was opened, a pop-under ad window was also opened.


The pop-under ad is also a Macromedia Flash presentation from the advertising network FASTCLICK.COM.
(Note: Whenever you encounter an ad like this, always close the window using the "X" in the upper right-hand corner.)

FASTCLICK.COM provided to musicrobot the following HTML code to include on their web page:




<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for musicrobot.com (12 hour) -->
<script language="javascript"><!--
var dc=document; var date_ob=new Date();
dc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(dc.cookie.indexOf('e=llo') <= 0 && dc.cookie.indexOf('2=o') > 0){
dc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=2924&m=2&tp=2&v=1.8&c='+bust+'"></scr'+'ipt>');
date_ob.setTime(date_ob.getTime()+43200000);
dc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();} // -->
</script>
<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for musicrobot.com -->

</head>
<body bgcolor="#FFFFFF" text="#000000" onload="document.forms[0].terms.focus()">
<center>
<center>
<!-- FASTCLICK.COM 728x90 and 468x60 BANNER CODE for musicrobot.com -->
<script language="javascript" src="http://media.fastclick.net/w/get.media?sid=2924&m=1&tp=5&d=j&t=n"></script>
<noscript><a href="http://media.fastclick.net/w/click.here?sid=2924&m=1&c=1" target="_blank">
<img src="http://media.fastclick.net/w/get.media?sid=2924&m=1&tp=5&d=s&c=1"
width=728 height=90 border=1></a></noscript>
<!-- FASTCLICK.COM 728x90 and 468x60 BANNER CODE for musicrobot.com -->
</center><br>

All you need to recognize is that musicrobot.com is running javascript that links you to fastclick.com. The first block sets a test cookie (h2=o); if that cookie reads back, so cookies are enabled, and the he=llo cookie is absent, it writes a script tag that loads media.fastclick.net/w/pop.cgi and then sets he=llo to expire 43200000 milliseconds (12 hours) later, which is why the pop-under appears at most once per 12 hours in a given browser. The tag is assembled from the fragments 'scr'+'ipt' so that a literal </script> inside the string does not end the surrounding script block. The second block loads the banner from media.fastclick.net as a script, with a plain image link as the noscript fallback.
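To see how the 12-hour cap in that snippet behaves, here is an added example (not FASTCLICK's or musicrobot's code) that re-implements the gate as a function returning the pop-under script URL or null, and runs it against a minimal stand-in for document.cookie. The stand-in honours only the expires attribute and ignores path and domain, which is an assumption that is good enough to trace the cap; the timestamps are constructed.

```javascript
// Added example, not FASTCLICK's or musicrobot's code: the pop-under gate
// from the snippet above, with document.write replaced by a return value,
// run against a minimal model of document.cookie.

// Minimal stand-in for document.cookie (assumption: only "expires" is
// honoured; path and domain scoping are ignored). With enabled=false it
// models a browser that refuses cookies.
class CookieJar {
  constructor(nowMs, enabled = true) {
    this.now = nowMs; this.enabled = enabled; this.store = new Map();
  }
  // document.cookie = 'name=value; path=/; expires=<date>'
  set(str) {
    if (!this.enabled) return;
    const parts = str.split(";").map((s) => s.trim());
    const eq = parts[0].indexOf("=");
    const name = parts[0].slice(0, eq), value = parts[0].slice(eq + 1);
    let expires = null;
    for (const p of parts.slice(1)) {
      if (/^expires=/i.test(p)) expires = Date.parse(p.slice(8));
    }
    this.store.set(name, { value, expires });
  }
  // reading document.cookie: "a=b; c=d", with expired cookies gone
  get() {
    const live = [];
    for (const [name, c] of this.store) {
      if (c.expires !== null && c.expires <= this.now) continue;
      live.push(name + "=" + c.value);
    }
    return live.join("; ");
  }
}

// The gate, line for line. indexOf('2=o') > 0 is true only when the test
// cookie h2=o came back, i.e. cookies work. indexOf('e=llo') <= 0 is true
// when he=llo is absent (-1); it is never at index 0 because the name is
// "he", so the <= 0 behaves like < 0 unless some cookie literally named
// "e" with value "llo" is first in the string.
function popUnderGate(dc, date_ob) {
  dc.set("h2=o; path=/;");
  const bust = date_ob.getSeconds();
  const cookie = dc.get();
  if (cookie.indexOf("e=llo") <= 0 && cookie.indexOf("2=o") > 0) {
    const src = "http://media.fastclick.net/w/pop.cgi?sid=2924&m=2&tp=2&v=1.8&c=" + bust;
    const expiry = new Date(date_ob.getTime() + 43200000); // 12 hours
    dc.set("he=llo; path=/; expires=" + expiry.toUTCString());
    return src; // the snippet document.write()s a <script src=...> here
  }
  return null;
}

// Visit the page at each offset (ms) from startMs with one cookie jar and
// report whether the pop-under fired.
function simulateVisits(startMs, offsetsMs, cookiesEnabled = true) {
  const jar = new CookieJar(startMs, cookiesEnabled);
  return offsetsMs.map((off) => {
    jar.now = startMs + off;
    return popUnderGate(jar, new Date(startMs + off)) !== null;
  });
}

// Constructed timeline: first visit, a return one hour later, a return
// thirteen hours later.
const START = Date.UTC(2006, 1, 18, 12, 0, 0);
const HOUR = 3600 * 1000;
console.log(simulateVisits(START, [0, 1 * HOUR, 13 * HOUR]));        // [ true, false, true ]
console.log(simulateVisits(START, [0, 1 * HOUR, 13 * HOUR], false)); // [ false, false, false ]
```

Two things fall out of the trace: the cap is per browser profile, so clearing cookies or refusing the he=llo cookie while keeping h2=o re-enables the pop-under, and a browser that refuses cookies altogether never gets it, because the network only pops when it can enforce its own frequency cap.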



If you use musicrobot to search for "we will rock you", among the results is a link to http://www.geocities.com/SouthBeach/Strand/2372/soundmidi.html. By itself, this web site is harmless.
The actual link from musicrobot.com is of the form http://media.fastclick.net/w/get.media?sid=2924&m=5&url=http%3A//www.geocities.com/SouthBeach/Strand/2372/soundmidi.html


That is, you are sent to media.fastclick.net first, where you are confronted with an offer from cdn.fastclick.net, the same source as the earlier pop-under ad. The fastclick.net ad is usually for smileys, ecards, cursors, screensavers or some other thing cute and not obviously malicious.

If you accept the offer, you are asked whether you want to install this software. Carefully review what you are accepting. The terms will insist that the software does not gather any personally identifiable information, and will also say that the software gathers your IP address. You should know that the IP address is used to identify you and your habits; consider carefully whether you regard that as personal identification.