  1. #1
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    There's a couple of very good diary articles at the Internet Storm Center (the second part published today) about how malware gets loaded onto PCs, including a whole host of sites hidden behind anonymous domain registration services. You'll note that Lycos is involved in this malware thing, through its association with Addictive Technologies.

    The articles are:
    http://isc.sans.org/diary.php?date=2004-07-23
    http://isc.sans.org/diary.php?date=2004-08-23

    Domains mentioned:

    Co-hosted on servers listed above:

    Addictive Technologies business partners (typically malware-friendly):
    enconfidence.com
    lycos.com (!!)
    404search.com
    spywarelabs.com
    toprebates.com
    abetterinternet.com
    2020search.com
    shopnav.com
    shopathomeselect.com
    sirsearch.com

    Co-hosted on yahoogamez.com (which is where the malware trail started):
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  2. #2
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Just like the drug dealers and pedophiles, the malware infestation perps hang around the schoolyards passing out freebies and kwell crap laced with system-killing Adware. This was the very first infestation point attacked by the BHO companies knowing the affiliate community is rife with sleazeballs who'd eat their pets if the price was right to carry out their dirty work.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  3. #3
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    By reading these articles and not following the author's advice my system was infected with adware/spyware even though the screens were up. The 3 I visited were.....

    Whois Server: whois.aaaq.com
    AAAQ Whois Server Version 1.0
    Domain Name: yahoogamez.com
    Registrar: AAAQ.COM
    Whois Server: whois.aaaq.com
    Referral URL: http://www.aaaq.com
    Name Server: ns1.cyberanonymous.net
    Name Server: ns2.cyberanonymous.net
    Status: Registrar_LOCK
    Updated Date 2004-07-31
    Creation Date: 2004-01-09
    Expiration Date: 2005-01-09

    Registrant:
    Cyber Anonymous dnsspam@cyberanonymous.net
    Via Santa Marina 117

    Milano, Milano 00048
    IT
    (206) 202-9051 +244 Fax:

    Administrative Contact:
    Cyber Anonymous dnsspam@cyberanonymous.net
    Via Santa Marina 117

    Milano, Milano 00048
    IT
    (206) 202-9051 +244 Fax:

    Technical Contact:
    Cyber Anonymous dnsspam@cyberanonymous.net
    Via Santa Marina 117

    Milano, Milano 00048
    IT
    (206) 202-9051 +244 Fax:

    Billing Contact:
    Cyber Anonymous dnsspam@cyberanonymous.net
    Via Santa Marina 117

    Milano, Milano 00048
    IT
    (206) 202-9051 +244 Fax:

    END WHOIS RECORD ------


    Registrant:
    MFC RCC
    147 Pasadena Town Square
    Houston, Texas 77560
    United States

    Registered through: GoDaddy.com
    Domain Name: BRITNEYSPEARS4U.COM
    Created on: 10-Oct-03
    Expires on: 10-Oct-04
    Last Updated on: 09-Jan-04

    Administrative Contact:
    RCC, MFC jack@frostedx.com
    147 Pasadena Town Square
    Houston, Texas 77560
    United States
    7134735139 Fax --
    Technical Contact:
    RCC, MFC jack@frostedx.com
    147 Pasadena Town Square
    Houston, Texas 77560
    United States
    7134735139 Fax --

    Domain servers in listed order:
    NS1.STARLIGHTHOSTING.COM
    NS2.STARLIGHTHOSTING.COM

    END WHOIS RECORD ------

    Registrant:
    Domains by Proxy, Inc.
    15111 N Hayden Rd., Suite 160
    PMB353
    Scottsdale, Arizona 85260
    United States

    Registered through: GoDaddy.com
    Domain Name: XTREEMFREEBIES.COM
    Created on: 06-Aug-03
    Expires on: 06-Aug-05
    Last Updated on: 12-Aug-03

    Administrative Contact:
    Private, Registration XTREEMFREEBIES.COM@domainsbyproxy.com
    Domains by Proxy, Inc.
    15111 N Hayden Rd., Suite 160
    PMB353
    Scottsdale, Arizona 85260
    United States
    (480) 624-2599 Fax --
    Technical Contact:
    Private, Registration XTREEMFREEBIES.COM@domainsbyproxy.com
    Domains by Proxy, Inc.
    15111 N Hayden Rd., Suite 160
    PMB353
    Scottsdale, Arizona 85260
    United States
    (480) 624-2599 Fax --

    Domain servers in listed order:
    NS1.VEL.NET
    NS2.VEL.NET
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"
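
    The WHOIS records in post #3 can be pivoted on their name servers and contact e-mail domains. The following is an added example, not part of the original posts; the record text is abridged from post #3, `CO_HOSTED` holds three of the names post #1 reported as co-hosted with yahoogamez.com, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Abridged from the WHOIS output quoted in post #3 (two registrar layouts).
RECORDS = """\
Domain Name: yahoogamez.com
Name Server: ns1.cyberanonymous.net
Cyber Anonymous dnsspam@cyberanonymous.net
END WHOIS RECORD ------
Domain Name: BRITNEYSPEARS4U.COM
RCC, MFC jack@frostedx.com
NS1.STARLIGHTHOSTING.COM
END WHOIS RECORD ------
Domain Name: XTREEMFREEBIES.COM
Private, Registration XTREEMFREEBIES.COM@domainsbyproxy.com
NS1.VEL.NET
"""
# Three of the names post #1 reported as co-hosted with yahoogamez.com.
CO_HOSTED = {"cyberanonymous.net", "frostedx.com", "starlighthosting.com"}

EMAIL = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
NS_HOST = re.compile(r"^(?:Name Server:\s*)?(ns\d*\.[\w.-]+)$", re.I)

def base(host):
    # Last two labels; enough for these .com/.net names (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def parse(record):
    """Return (domain, pivot domains taken from name servers and contact e-mails)."""
    domain, pivots = None, set()
    for line in map(str.strip, record.splitlines()):
        if line.lower().startswith("domain name:"):
            domain = line.split(":", 1)[1].strip().lower()
        elif (m := NS_HOST.match(line) or EMAIL.search(line)):
            pivots.add(base(m.group(1)))
    return domain, pivots

def pivot_index(text):
    """Map each pivot domain to the registered domains whose WHOIS references it."""
    index = defaultdict(set)
    for record in text.split("END WHOIS RECORD"):
        domain, pivots = parse(record)
        if domain:
            for pivot in pivots - {domain}:
                index[pivot].add(domain)
    return dict(index)

def links_to_cluster(index, known=CO_HOSTED):
    """Pivots that are themselves in the known co-hosted set, with referencing domains."""
    return {p: sorted(d) for p, d in index.items() if p in known}

if __name__ == "__main__":
    for pivot, domains in sorted(links_to_cluster(pivot_index(RECORDS)).items()):
        print(f"{pivot} <- {', '.join(domains)}")
```

    The proxy-registered record yields only the proxy service and its name servers as pivots, so it does not link back to the co-hosted set.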

  4. #4
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    I've already been onto DomainsByProxy complaining that some of these sites violate their policies. DBP is usually pretty good on these things in my experience.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  5. #5
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    WTF are we doing sitting on the edge of our seats waiting for Todd & Stephen to poo-poo the networks cookie vs proprietary tracking when we can be reading the contents of these two links. A very familiar name pops up on this and thousands of other malware bundles. ShopatHomeSelect.com ....not a merchant folks... a network darling Duper affiliate stealing commissions from affiliates and other merchants via hidden BHO bundling.

    http://isc.sans.org/diary.php?date=2004-08-23

    ...."So, what's the upshot of this whole mess? Well, Joe has had five new software packages installed onto his machine, redirecting his browsing, his searching, and his online purchases to suit the desires of the (no-doubt ;-) fine, upstanding people at ATPartners. His Internet browsing will now be "Simple, Exciting, and Personal" (ezula), he’ll always know that "The Best Downloads are Free" (abetterinternet), his computer will show him the "Smart way to put money in your pocket" (TopRebates) and he needn’t worry about adware/spyware any more because Virtual Bouncer has been installed to... uh... bounce it (Spyware Labs). Oh, and his online purchases will earn money for... uh... um.... someone. (SAHAgent). Joe should be so very, very happy. "

    Incidentally nCase/180Solutions and ezUla rear their ugly heads again in the dissection.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  6. #6
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Let's lock and load ABWers and turn our outrage on an entity that has posed as a Linkshare merchant since 2000. ShopatHomeSelect.com and their DMA info peddling front ShopatHome.com brag they have 25,000 affiliates helping to infest shoppers with their rogue Golden retriever BHO. This one is insidious and employs its own drive-bys and backdoor bundling to set its own affiliate codes to 1200 merchants for cash back rebates. Just like Gator at BeFree, and WhenU and 180Solutions everywhere, these guys are part of that DMA den of thieves.

    I run into multiple installs of this SAHS malware on all systems I've had to clean in the last 2 weeks at client offices. Time to roast Linkshare on letting this multi-million $$$ commission thief pose as a trusted merchant on their network. I smell the dirty underworld of the DMA all over this Belarco group of Adwhores.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  7. #7
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    The other part of that equation is that for it to be worthwhile for shopathome.com to be running an affiliate program on LS, someone has to be participating in their affiliate program.

  8. #8
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Don't forget that Lycos have a hand in this - I keep coming across that damned Lycos BHO on these backdoored machines.

    Passthisone.com is one that we blocked access to in my real life work a couple of months back as it kept trying to install a trojan through an IE vulnerability.

    Their site now says: "Due to new laws being enacted and controversy surrounding our business model, we have voluntarily decided to implement the cease of all current business practices by the end of June 2004.".. however, the object.passthison.com/vu083003/newobject1.cgi (do NOT visit this URL) mentioned STILL tries to download what my AV scanner identified as "JS.Defhome.A" which is a homepage hijacker. So clearly passthison.com are lying - but since they're a bunch of criminals anyway (unauthorised access to a computer is a criminal offence in the UK and most other countries) they won't care.

    Laughably, passthison.com has a WHOIS entry of

    quote:
      Administrative Contact, Technical Contact:
      Admin, Anti-Spam (SW10300) personal@SMARTBOTPRO.NET
      SmartBot.Net, Inc. - ZERO TOLERANCE SPAM POLICY!
      3 COBBLESTONE CT
      RICHBORO, PA 18954-1374
      US
      215-953-7291 fax: 215-942-4338

    smartbotpro.net also hijacked the search function in IE in this example, using 7search to provide results.

    PestPatrol (recently bought by CA - woo!) says:

    quote:
      Origins
      Author: Key players in this spamming project appear to be:
      # Sanford Adam Wallace (215-953-7291) of 3 Cobblestone Court, Richboro, PA 18954, phone: 215-953-7291, fax: 215-942-4338
      # Mike Cayer of Seismic Entertainment Productions, Inc.
      Group:
      Seismic Entertainment Productions, Inc.
      Mailing Address:
      Cayer, Mike Seismic Entertainment Productions, Inc. 11 Farmington Road Rochester, NH 03867 US
      Phone:
      603-664-5777

    A quick search on Google shows them to be *real* scumbags.

    What I don't understand is why aren't these guys in jail already?
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.
