November 25th, 2004, 03:10 AM #1
There's another update to "Follow the Bouncing Malware" at the ISC.
The article fingers Sanford Wallace as being one of the people implicated in spreading malware. Sanford Wallace was known as the "Spam King" by some, but claims that he's gone legitimate. My arse.
If you haven't read the FTBM series I'd advise you do.
November 25th, 2004, 06:41 AM #2
Reads like a good mystery book where the scum of the earth team up with the suits to shove Adware up the world's unsuspecting collective butt.
"It’s that "something" that’s been slowly pecking away at my subconscious since this whole trip began and has finally surfaced into consciousness only recently. Here it is:
1) Joe goes to "yahoogamez.com" and gets served up a banner ad from aim4media.com
2) That ad contains an IFRAME that loads mynet-MML.html from 22.214.171.124
3) mynet-MML.html contains a script that loads hp2.htm from 126.96.36.199
4) hp2.htm whacks Joe’s box with a CHM exploit named (originally enough) hp2.chm
5) hp2.chm goes out and grabs a file called (seeing a pattern?) hp2.exe
6) hp2.exe installs "TV media display" on Joe’s machine.
1) A trip to Joe’s new default home page (changed in FTBM-1 to "http://default-homepage-network.com"... no one ever said that these guys were creative when it came to names...) results in the display of "http://default-homepage-network.com/newspynotice.htm," a warning that Joe’s computer might be (well, duh!) infected with spyware.
3) hp1.html then whacks Joe's box with a CHM exploit named (originally enough) hp1.chm
4) hp1.chm goes out and grabs a file called (once again, seeing a pattern?) hp1.exe
Hey... HEY... HEY! What the heck is that all about?
Well, obviously, the folks who put mynet-MML.html on 188.8.131.52 and newspynotice.htm on "http://default-homepage-network.com" share the same stunted imagination when it comes to filenames.
Or something like that...
Therefore, our goal for today is to try to tie "http://default-homepage-network.com", 184.108.40.206, and 220.127.116.11 together.
So... where do we begin... it just gets better?
Infestation is the game the NETWORKS refuse to address. Any thief knows you gotta break windows to steal the family jewels.
I CHARGE CUSTOMERS $25.00 EXTRA IF THEY DOWNLOAD YAHOOGAMEZ.COM
... "Well, if my little excursion into spyware-land has taught me anything, it’s that very little in this ever-shifting terrain stays static. The anti-spyware battle is fought with many of the same "rules" as the anti-virus battle: he who adapts the fastest survives. If you present a fixed target, you get filtered or blocked or "signatured" out of existence. At this point, many of the sites that I’ve mentioned in this chronicle are no longer spyware dumps, having long since been tossed aside once their useful lifetime had expired. In all likelihood, both the Canada and Texas sites are simply innocent hosting companies who were used for connectivity.
So it appears that the people in the spyware industry have taken a cue from the spammers and they use throwaway accounts and hosting services to do their dirty work. And just like with the spammers, by the time we get around to filtering and blocking a server, they’ve moved on to another.
While IP addresses may come and go, domain names are forever... So! What can we find out about "default-homepage-network.com"?
The domain name is registered to:
Seismic Entertainment Productions, Inc.
11 Farmington Road
Rochester, NH 03867
...read the whole series... it's an eye-opener!
Today's top TURKEY!
http://www.annonline.com/interviews/...biography.html
Webmaster's... Mike and Charlie
"What have you done today to put real value into a referral click...from a shoppers viewpoint!"
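The ad-to-CHM-to-EXE chain the quoted article walks through (hp2.htm loads hp2.chm, which fetches hp2.exe from the same host) leaves a recognisable footprint in a web proxy log. As an added example, not code from the article or from either poster, this Python snippet scans constructed proxy log lines for a client that fetched a .chm and then a same-named .exe from the same host within a short window; the log format, the client addresses and the hosts are all assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical format: "ts client method url status").
# Hosts use documentation address space; only the file names mirror the article.
SAMPLE_LOG = """\
1101351000 10.0.0.5 GET http://yahoogamez.example/play.html 200
1101351001 10.0.0.5 GET http://ads.example/banner.html 200
1101351002 10.0.0.5 GET http://203.0.113.10/mynet-MML.html 200
1101351003 10.0.0.5 GET http://203.0.113.10/hp2.htm 200
1101351004 10.0.0.5 GET http://203.0.113.10/hp2.chm 200
1101351006 10.0.0.5 GET http://203.0.113.10/hp2.exe 200
1101351100 10.0.0.7 GET http://docs.example/manual.chm 200
1101351200 10.0.0.7 GET http://updates.example/setup.exe 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    return {"ts": int(ts), "client": client, "url": url, "status": int(status)}

def split_url(url):
    """Split a URL into (host, file stem, extension), all lower-cased."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1].lower()
    if "." not in name:
        return parts.netloc.lower(), name, ""
    stem, _, ext = name.rpartition(".")
    return parts.netloc.lower(), stem, ext

def find_chm_dropper_chains(log_text, window=60):
    """Flag (client, host, chm_url, exe_url) where a successful .chm fetch is
    followed within `window` seconds by a same-named .exe from the same host."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200:
            by_client[rec["client"]].append(rec)
    hits = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            host, stem, ext = split_url(rec["url"])
            if ext != "chm":
                continue
            for later in recs[i + 1:]:
                if later["ts"] - rec["ts"] > window:
                    break  # records are sorted, so nothing later can qualify
                h2, s2, e2 = split_url(later["url"])
                if (h2, s2, e2) == (host, stem, "exe"):
                    hits.append((client, host, rec["url"], later["url"]))
    return hits
```

The second client's unrelated manual.chm and setup.exe fetches are not flagged, since they come from different hosts, carry different names and fall outside the window.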