Archive for the 'Parasites' Category

Protect computer while checking risky sites

Monday, September 4th, 2006

What’s the best way to protect your Windows computer while checking risky sites, like spamvertized sites?

Those who want to study what the malware does tend to use a virtual machine, such as VMware. Also check out the Wikipedia article on virtual machines. There’s also something called a Browser Appliance from VMware.

Regular people who just want to protect their computers seem to like Sandboxie.

What do you guys use?

Trojan dropping from Inhoster

Thursday, August 31st, 2006

I started out reporting a comment spammer to Intercage. He was spamming from 216.255.190.66.

The spam contained a URL at mytcentral.com, which is at 216.255.185.10.

I checked the URL in my browser, and my anti-virus woke up and nuked a trojan.

So I checked some more. Can’t say for sure I found the infectious stuff, but here’s what I think I found:

There was an advertising banner at se-v.com (69.50.177.38), which among other things produced an iframe of one pixel width and height. That one was on ps500.com (85.255.116.246).

From then on, I found a string of 302 redirects on the same domain: 24hwebsex.com (85.255.116.246), ending up at a very risky looking URL (NB: I’ve munged it to avoid accidental infections):

http://24hwebsex.com*/demo.php

I tried that URL directly anyway, and got this (blank) URL in return:

http://www.24hwebsex.com*/cgi-bin/ie0606.cgi?type=MS06-006

When I try that with a text browser and redact the type, I get this (munged, both the code and some detail):

Web-Attacker Control panel

Your IP is: (munged)

Your Browser is: Firefox 1.5.0.6

Your Operation System is: Windows XP

Current Date and Time: 31-Aug-2006 12:8

Please enter the password to access the statistics

FORM action - http://24hwebsex.com*/cgi-bin/ie0606.cgi

INPUT type “password” name “password”

INPUT type “submit” value “Enter”

I found mention of this software at the Bleedingedge forums.

And it might be the same software Sophos wrote about in March. Wikipedia entry.
——————

Whois:

08/31/06 12:22:27 whois mytcentral.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
none
Serg (serg78@pisem.net)
Lesnay 1-54
Pushkino
msk,687120
RU
Tel. +321.96478521

Creation Date: 21-Feb-2006
Expiration Date: 21-Feb-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:23:09 whois se-v.com

whois -h whois.estdomains.com se-v.com …
Registration Service Provided By: ANUNAH LLC

Registrant:
N/A
Abdula Khaled-Mamed Dzibah (glac@crybits.com)
Shaytanhasy Obdukurlasy 2
Islamabad
Islamabad,54000
PK
Tel. +763.2784936

Creation Date: 17-Mar-2006
Expiration Date: 17-Mar-2007

Domain servers in listed order:
ns15.crybits.com
ns14.crybits.com

08/31/06 12:21:21 whois ps500.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
none
Alex Zudov (work@vnukovo.net)
Uralskay 14
Zarechensk
Msk,095437
RU
Tel. +78.63798524

Creation Date: 03-Aug-2006
Expiration Date: 03-Aug-2007

Domain servers in listed order:
ns1.dns-parking.com
ns2.dns-parking.com

08/31/06 12:20:46 whois 24hwebsex.com

Registration Service Provided By: ESTDOMAINS INC

Registrant:
n/a
Alex Ferietko (websex24hour@yahoo.com)
Hrushevsky str 16, ap 26
Ivano-Frankivs
Ivano-Frankivs’ka Oblast’,252033
UA
Tel. +38.0342225216

Creation Date: 16-Jul-2006
Expiration Date: 16-Jul-2007

Domain servers in listed order:
ns2.24hwebsex.com
ns1.24hwebsex.com

Update: Check out the Spamhaus record for 85.255.116.246

Every special page wiki spammer

Tuesday, July 18th, 2006

I had a visit from a spammer that spams every special page on MediaWiki that I’ve never heard of. Pages with weird names. Pages that didn’t exist, because most of them were talk pages for possibly existing pages. I have no idea how many pages he spammed. More than 30 would be my guess. He also tagged some talk pages for existing users. And he completely filled them with porn links.

So, here’s a short rundown. I’ve got more, but will try to condense it some.

IP addresses used to spam from. Interesting, because the first five I checked were all Asian:

The spamvertized domains were:

1domiks.org
1ebalo.org
1foleks.org
1golod.org
1hrens.org
1ibanusiks.org
1jolla.org

IP addresses of webhosts:

74.52.17.161
74.52.17.162
74.52.17.163

The pages all had iframes that showed an affiliate page at 100% width and 5000 pixels height.

Affiliate: yourfreevids.com id=751
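The two tell-tale frames in these posts, the one-pixel iframe from the Inhoster redirect chain and the 100% x 5000 pixel affiliate frame here, can be picked out of a saved page before it is ever rendered. The following is an added example, not code from this blog: it audits the iframes in a constructed HTML sample, and the size thresholds and placeholder domains are assumptions.

```python
import re
from html.parser import HTMLParser

HIDDEN_MAX_PX = 1        # assumption: 1px or smaller means a hidden frame
OVERSIZED_MIN_PX = 2000  # assumption: this tall covers the page (the wiki spam used 5000)

# Constructed sample page; every domain is a placeholder.
SAMPLE_HTML = """<html><body>
<iframe src="http://banner.example/ad" width="468" height="60"></iframe>
<iframe src="http://dropper.example/demo.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://affiliate.example/?id=751" width="100%" height="5000"></iframe>
<iframe src="http://other.example/x" style="display: none; width: 300px"></iframe>
</body></html>"""

def _px(value):
    # '1', '1px', '5000' -> int; '100%', 'auto' or a missing value -> None
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None

class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # one dict per <iframe>, in document order

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        css = re.sub(r"\s", "", (a.get("style") or "").lower())
        style = dict(re.findall(r"(width|height):([^;]+)", css))  # size may live in style=
        width = _px(a.get("width", style.get("width")))
        height = _px(a.get("height", style.get("height")))
        if "display:none" in css or width is not None and width <= HIDDEN_MAX_PX \
                or height is not None and height <= HIDDEN_MAX_PX:
            verdict = "hidden"     # the 1x1 frame that pulls in the dropper page
        elif height is not None and height >= OVERSIZED_MIN_PX:
            verdict = "oversized"  # the 100% x 5000px frame that covers a wiki page
        else:
            verdict = "normal"
        self.findings.append({"src": a.get("src", ""), "width": width,
                              "height": height, "verdict": verdict})

def audit_iframes(html):
    """One finding dict per iframe, in document order."""
    parser = IframeAuditor()
    parser.feed(html)
    return parser.findings

def suspicious_iframes(html):
    return [f for f in audit_iframes(html) if f["verdict"] != "normal"]
```

Run it over a page saved from a text browser or a VM snapshot; the frames it lists are the ones to open only inside the sandbox.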

These e-mail addresses were used:

krun@mail333.com
letuns@mail333.com
stoker@mail333.com

Whois info is most likely fake, but here it is, in case someone’s searching for exactly that data:

Registrant Name:Bilanov
Registrant Organization:1dil
Registrant Street1:Vore 67543
Registrant City:Blin
Registrant State/Province:0
Registrant Postal Code:15478
Registrant Country:MX
Registrant Phone:+746.786546786

Registrant Name:Kakauya raznica
Registrant Organization:1hren
Registrant Street1:ddd 15
Registrant City:Fedor city
Registrant State/Province:0
Registrant Postal Code:76454
Registrant Country:BR
Registrant Phone:+764.768456456

Registrant Name:Pizdec komuto
Registrant Organization:Pizdec
Registrant Street1:debilov 98746354
Registrant City:blya
Registrant State/Province:0
Registrant Postal Code:47852
Registrant Country:AR
Registrant Phone:+452.48678654467

——-

I checked Google for the e-mail addresses, and hit paydirt. One of the e-mail addresses had been used to spamvertize a subdomain on dia-host.com in January 2005.

The website is no longer active, but the whois is:

DiabloCompany
Diablo (admin@new-incest.com)
Garvard 2-10
Oklahoma
null,655158
ES
Tel. +91.2228797504

I found that exact whois info on coolsearcher.net, which has been found to contain malicious downloads (see the Description pane here). I also found references to new-incest.com at sites warning about CoolWebSearch hijackers.

Got an infected machine?

Saturday, July 8th, 2006

If you think you may have a trojan on your system, or lots of popups or lots of adware, you can check out this forum:

Castlecop HijackThis forum

HijackThis is a tool that checks what processes your computer is running, and what your browser is bogged down with. Do NOT delete stuff with HijackThis on your own, unless you’re a professional at IT security! And even then, I know a few IT consultants who wouldn’t do it on their own… But HijackThis is a wonderful tool for others to help you clean your computer.

Three held over virus e-mail plot

Wednesday, June 28th, 2006

BBC NEWS | Technology | Three held over virus e-mail plot

Spamming and virusing in one neat bundle, targeted at businesses.

Heady stuff…

But the important bit was at the end:

He said he hoped the arrests would send a “clear signal” that national borders would not stop the authorities taking action over malicious computer software.

Musings: Would it be possible to notify zombies?

Saturday, May 27th, 2006

I’ve been reading a Register story about disabling botnets.

The story writer advocates disabling botnets: essentially hacking them and shutting them down. But wouldn’t those bots get herded into another botnet pretty quickly? Unless the hole was patched, of course. But machines belonging to people who allow their machines to get infected would probably get infected with something else pretty quickly.

Would it be possible for anyone who’s good enough to log into a botnet to send a big popup to the computer, telling the owner that it’s infected, and exhorting him/her to do a full reinstall? Maybe a link to an article at a very prestigious site where they could read more?

Just a theory…

The insistence of parasites

Tuesday, May 23rd, 2006

We just got a customer computer in for a once-over.

That poor thing had caked dust in every orifice, though the insides were relatively clean - what got in got stuck in the processor fan…

And it’s filled with popups. Several different parasites are producing popups insisting the user download and install programs to clean the computer. The start page in Internet Explorer is hijacked by a site insisting that the computer has a trojan.

Which it has, of course.

We found a few dialers, along with other assorted parasites. And some viruses, though the scans aren’t complete yet.

I had no idea it was this bad out there!

How on earth are clueless newbies able to even USE their computers, much less keep them clean?

Forwarded mails and viruses

Sunday, May 7th, 2006

I’ve been warning about forwarded mails: hoaxes, chain mails, etc. I’ve said they’ll eventually end up with spammers.

And I forgot one thing: It’s probably too much work to manually collect all those e-mail addresses.

Enter viruses.

We know they check address books. I don’t positively know there are viruses scanning through the bodies of e-mail on a victim’s hard drive, but I wouldn’t be surprised.

So being a recipient twice removed of a hoax may theoretically compromise your e-mail address.

Comments?

Fake security

Thursday, April 13th, 2006

I was checking out a referrer on a forum where someone had gotten help with an HP computer.

Then I got a popup talking about the Bloodhound virus, and pushing an antivirus solution that’s unknown to me. It was a popup with an alert. The only way out for most people would be to click OK, because the window didn’t respond. I used Alt+F4 to get out of it.

But even when I did, I was led to the next window. Apparently this company had popups with the Windows security center logo in the past, but it’s been removed now. I wasn’t about to download some unknown software. I suspected it was malware of some sort.

Sunbelt BLOG: Another fake security site.

But my question is, has my Firefox been infected by something, or did this popup get triggered by something on the pro-networks.org forum?

I checked the code, and although the forum is apparently ad free, there’s some code there that pops under ads from fastclick.com. I suspect this is the reason for the popup!

So, fastclick probably let in some rogue player. Maybe they should check their advertisers more thoroughly?

amaena.com whois:

Hostmaster, Amaena hostmaster@amaena.com
P.O. box1048
Chernigov, NA 14032
UA
+380 96 381 4557

IP:
66.244.254.64
66.244.254.63

MX records show a host from Quebec, Canada: setupahost.net

Virus infected, even after being told

Wednesday, March 29th, 2006

On December 8, 2005, I told a guy that he was virus infected and should get his computer cleaned.

He interrogated me on what my interest was in telling him this. Very suspicious of me.

I verified at the time that it really was his computer that was infected. And assumed he’d fix it.

Today, I did a random sweep through my logs, looking for Norwegian mailservers with wrong configuration.

And found one mail with a HELO that mimics that of my own server. So I immediately knew the mail was generated by malware of some kind.

The e-mail address is his. And the IP address is the same as several months ago…

Gee, you’d think he’d clean his computer after being handed the solution on a silver platter? I guess not. Next call will go to his ISP, demanding he be shut off…
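The forged HELO in this post is easy to pick out of the mail log once you know what to compare: a greeting that uses one of your own server’s names from a client IP that is not yours. The following is an added example, not the blog’s own script; the one-line-per-session log format, the hostnames, the network and every address in it are constructed for the example.

```python
import ipaddress
import re

# Assumptions: the names our own server greets with, and the network it really lives in.
OUR_HELO_NAMES = {"mail.example.net", "example.net"}
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed, simplified log format (one SMTP session per line); all addresses are placeholders.
LINE_RE = re.compile(r"^(?P<ts>\S+) helo=(?P<helo>\S+) ip=(?P<ip>\S+) from=(?P<sender>\S+)$")
SAMPLE_LOG = """\
2006-03-29T09:01:12 helo=mail.example.net ip=192.0.2.25 from=postmaster@example.net
2006-03-29T09:04:55 helo=smtp.isp.example ip=198.51.100.8 from=alice@isp.example
2006-03-29T09:07:03 helo=mail.example.net ip=203.0.113.77 from=bob@home.example
2006-03-29T09:09:41 helo=[203.0.113.78] ip=203.0.113.78 from=carol@home.example
2006-03-29T09:11:17 helo=EXAMPLE.NET ip=203.0.113.77 from=bob@home.example
"""

def parse_sessions(log_text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def is_our_address(ip_str):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:       # garbage in the log is certainly not one of ours
        return False
    return any(ip in net for net in OUR_NETWORKS)

def forged_helo_sessions(log_text):
    """Sessions that greet with one of our own names but connect from a foreign IP."""
    return [s for s in parse_sessions(log_text)
            if s["helo"].lower() in OUR_HELO_NAMES and not is_our_address(s["ip"])]

def offenders(log_text):
    """Map each forging client IP to the sender addresses it used, for the ISP report."""
    out = {}
    for s in forged_helo_sessions(log_text):
        out.setdefault(s["ip"], set()).add(s["sender"])
    return out
```

In the sample, the first line is our own server talking to itself and is left alone; the two sessions from 203.0.113.77 are the infected machine, with the envelope sender that the malware harvested from its owner.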