Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
Mr Clean Gets the Spyware Treatment

 
Nick
Posted: Mon Dec 18, 2006 8:37 pm    Post subject: Mr Clean Gets the Spyware Treatment

The latest fake security program from the Smitfraud crooks takes no shame and rips off good old Mr Clean, the household cleaner. Mr Antispy may look like Mr Clean, but the only thing that this rogue program will clean out is your wallet.

Details and comparison pictures at Sunbelt Blog.

Spread the news, Digg it too.
_________________
Nick's Security Ticker

webhelper
Posted: Tue Dec 19, 2006 11:26 am    Post subject: Re: Mr Clean Gets the Spyware Treatment

Nick wrote:
The latest fake security program from the Smitfraud crooks takes no shame and rips off good old Mr Clean, the household cleaner. Mr Antispy may look like Mr Clean, but the only thing that this rogue program will clean out is your wallet.

Details and comparison pictures at Sunbelt Blog.

Spread the news, Digg it too.


MrAntispy is from the old fast web search (CWS) group, affiliated in this one with the Spywareno rogues. Smitfraud began from the John Miller Liber Inc/Cactus vxgame/Darkgt IframeDollars malware groups, who were/are affiliates of the Spywareno-spysheriff group.
_________________
Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004
nosirrah
Posted: Wed Dec 20, 2006 7:30 am

MrAntispy has friends.

hxxp://breakspyware.com/

hxxp://www.mrantispy.com/

hxxp://www.spymarshal.com/

hxxp://www.malwarealarm.com/

hxxp://www.curepcsolutions.com/

hxxp://www.protectwin.com/
webhelper
Posted: Thu Dec 21, 2006 5:12 am

nosirrah wrote:
MrAntispy has friends.

hxxp://breakspyware.com/

hxxp://www.mrantispy.com/

hxxp://www.spymarshal.com/

hxxp://www.malwarealarm.com/

hxxp://www.curepcsolutions.com/

hxxp://www.protectwin.com/


curepcsolutions.com is a different animal from a new source, and breakspyware.com is from the Klikrevenue group, whereas Mr Antispy is from the Spywareno rogues family.
nosirrah
Posted: Thu Dec 21, 2006 3:46 pm

It is odd then that I found all of them by doing Google string searches using the same rogue page (pest capture) as a base.

Using recycled text makes these easy to find.

I think that this is another new one: hxxp://contra-virus.com/

It was new to me at least.
suzi
Posted: Thu Dec 21, 2006 5:49 pm

That one's new to me too. Good find. Brought to us by our friends at InterCage/Atrivo and Estdomains.

http://whois.domaintools.com/contra-virus.com

Quote:
Server Type: Apache/2.2.2 (Fedora)
(Spry.com also uses Apache)
IP Address: 69.50.168.42
IP Location: - California - Covina - William Lu
Response Code: 200
Blacklist Status: Clear (history)
SSL Cert: No valid SSL on this Host
Website Status: Active

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: CONTRA-VIRUS.COM

Registrant:
N/A
Anthony Hong ()
Pattaya 2nd Rd
Pattiya
Phatthaya,61745
TH
Tel. +66.53344077

Creation Date: 19-May-2006
Expiration Date: 19-May-2007

Domain servers in listed order:
ns1.xname.org
ns0.xname.org


Search Results for 69.50.168.42 [no reverse DNS set]
6 Results for 69.50.168.42 (Contra-virus.com)

Website
1. contra-virus.com
2. contra-virus.net
3. contravirus.biz
4. contravirus.net
5. foxp2p.com
6. kanyxo.com
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
webhelper
Posted: Fri Dec 22, 2006 10:04 am

For contra-virus.com, you will notice the email in the whois record:
anth.hong @ gmail.com. The use of a first name (DOT) second name @ gmail.com is consistent with some of the Spyaxe rogues family of sites.


This also leads to the payment center of eshop5.com which leads to paymenter.com with many sites I already list which I have found to be a part of the ibill, oxbill, gspay limited group.
webhelper
Posted: Fri Dec 22, 2006 12:11 pm

webhelper wrote:
For contra-virus.com, you will notice the email in the whois record:
anth.hong @ gmail.com. The use of a first name (DOT) second name @ gmail.com is consistent with some of the Spyaxe rogues family of sites.


This also leads to the payment center of eshop5.com which leads to paymenter.com with many sites I already list which I have found to be a part of the ibill, oxbill, gspay limited group.


Ok, found the actual site the credit card transactions are transmitted to:

% Information from TLD .lv whois service.
% Please visit http://www.nic.lv/DNS/ for more information.

So the eshop5.com group uses a bank in Latvia to handle credit card transactions for their rogues.


domain: firstdata.lv
descr: SIA "First Data Latvia"
admin-c: 37538-LUMII
tech-c: 54324-LUMII
nserver: ns.apollo.lv
nserver: ns2.apollo.lv
changed: dns-reg@nic.lv 20060102
source: LUMII

person: Andris Konovalovs
address: none
phone: +371-7092582
fax-no: +371-7092509
e-mail: andris.konovalovs@firstdata.lv
nic-hdl: 54324-LUMII
source: LUMII

person: Valdis Eiduks
address: none
phone: +371 26322202
e-mail: valdis.eiduks@firstdata.lv
nic-hdl: 37538-LUMII
source: LUMII
webhelper
Posted: Sat Dec 23, 2006 8:19 am

As to the ContraVirus Anti Spyware. I just ran some testing and I think we need to take a closer look at this one as it is not only new, it also does not run nag screens, and after running it on some of my file collections I have seen no FP. Also, it allows you to run an update, view logs, etc. Only when clicking to clean does it take you to eshop5.com, which is under the control of GSPay.

Here is a sample of their log:


Quote:

New objects: 0
Objects found so far: 11

Hosts file scan started
-----------------------------------------------------------

Object recognized
Type : File
Object : c:\Documents and Settings\Administrator\Desktop\cactus-vxgame\vxgame11232006\www.wsfgfdgrtyhgfd.net\adv\soft1\search.exe
Created on : 11/23/2006 9:31:47 AM
Last accessed : 12/23/2006 11:00:22 AM
Last modified : 10/27/2006 7:05:03 PM

Object recognized
Type : File
Object : c:\Documents and Settings\Administrator\Desktop\cactus-vxgame\vxgame11232006\www.wsfgfdgrtyhgfd.net\adv\soft1\winlogon.exe
Created on : 11/23/2006 9:31:46 AM
Last accessed : 12/23/2006 11:00:23 AM
Last modified : 10/27/2006 7:05:00 PM



I think we need to run tests and also take a look at adaware, as this log seems very close to what theirs used to be.

So until we can test and have Eric H take a look, I don't think we can classify this one as a Rogue.
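As an added example for this thread (not code from any poster here and not from the ContraVirus product), the following Python script parses the "Object recognized" log format quoted above into records and applies the check webhelper describes: every detection should sit under the folder holding the sample collection, so anything reported outside it is a false-positive candidate. The sample input reuses the two entries from the quoted log plus one constructed entry (c:\WINDOWS\system32\winlogon.exe) that is not in the page's log and exists only to exercise that check; the collection root is taken from the quoted paths.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: the two entries quoted in this thread, plus a third entry
# that is NOT from the page's log (added only to exercise outside_collection()).
SAMPLE_LOG = r"""
New objects: 0
Objects found so far: 11

Hosts file scan started
-----------------------------------------------------------

Object recognized
Type : File
Object : c:\Documents and Settings\Administrator\Desktop\cactus-vxgame\vxgame11232006\www.wsfgfdgrtyhgfd.net\adv\soft1\search.exe
Created on : 11/23/2006 9:31:47 AM
Last accessed : 12/23/2006 11:00:22 AM
Last modified : 10/27/2006 7:05:03 PM

Object recognized
Type : File
Object : c:\Documents and Settings\Administrator\Desktop\cactus-vxgame\vxgame11232006\www.wsfgfdgrtyhgfd.net\adv\soft1\winlogon.exe
Created on : 11/23/2006 9:31:46 AM
Last accessed : 12/23/2006 11:00:23 AM
Last modified : 10/27/2006 7:05:00 PM

Object recognized
Type : File
Object : c:\WINDOWS\system32\winlogon.exe
Created on : 08/04/2004 12:00:00 PM
Last accessed : 12/23/2006 11:00:30 AM
Last modified : 08/04/2004 12:00:00 PM
"""

# Folder the sample collection lives in, taken from the quoted paths.
COLLECTION_ROOT = r"c:\Documents and Settings\Administrator\Desktop\cactus-vxgame"

FIELD_RE = re.compile(r"^(Type|Object|Created on|Last accessed|Last modified)\s*:\s*(.*)$")
COUNTER_RE = re.compile(r"^(New objects|Objects found so far)\s*:\s*(\d+)$")
FIELD_NAMES = {"Type": "type", "Object": "path", "Created on": "created",
               "Last accessed": "accessed", "Last modified": "modified"}
TS_FMT = "%m/%d/%Y %I:%M:%S %p"   # e.g. 11/23/2006 9:31:47 AM


def parse_scan_log(text):
    """Return one dict per 'Object recognized' block, timestamps as datetimes."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Object recognized":
            current = {}
            objects.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or m is None:
            continue            # header lines, separators, blank lines
        key, value = FIELD_NAMES[m.group(1)], m.group(2).strip()
        current[key] = value if key in ("type", "path") else datetime.strptime(value, TS_FMT)
    return objects


def parse_counters(text):
    """The running counters printed at the top of the log."""
    counts = {}
    for raw in text.splitlines():
        m = COUNTER_RE.match(raw.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def outside_collection(objects, collection_root):
    """Detections not under the sample folder: false-positive candidates."""
    root = PureWindowsPath(collection_root)      # case-insensitive comparison
    return [o["path"] for o in objects
            if root not in PureWindowsPath(o["path"]).parents]


def timeline(objects):
    """Detections ordered by file creation time, oldest first."""
    return [(o["path"], o["created"].isoformat())
            for o in sorted(objects, key=lambda o: o["created"])]


if __name__ == "__main__":
    objs = parse_scan_log(SAMPLE_LOG)
    print("counters:", parse_counters(SAMPLE_LOG), "parsed entries:", len(objs))
    for path, created in timeline(objs):
        print(created, path)
    print("outside the collection (check these):", outside_collection(objs, COLLECTION_ROOT))
```

Running the same parser over an Ad-Aware log with an adapted `FIELD_RE` would give a direct way to compare the two tools' detections on the same collection, which is the test webhelper proposes.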
suzi
Posted: Sat Dec 23, 2006 8:38 am

From the Rogue/Suspect page:

Quote:
"Rogue/Suspect" means that these products are of unknown, questionable, or dubious value as anti-spyware protection.


IMO, this one is "suspect" by association because:

It is registered through Estdomains and hosted at InterCage. That alone makes it suspect in my mind. Also, who in their right mind would trust that group with their credit card info?
webhelper
Posted: Sat Dec 23, 2006 9:34 pm

suzi wrote:
From the Rogue/Suspect page:

Quote:
"Rogue/Suspect" means that these products are of unknown, questionable, or dubious value as anti-spyware protection.


IMO, this one is "suspect" by association because:

It is registered through Estdomains and hosted at InterCage. That alone makes it suspect in my mind. Also, who in their right mind would trust that group with their credit card info?


We should still run a few infestations and their app and look at the logs. This software is totally different from the normal rogues, and I think we need to look at adaware scans, as this new software's logs seem too close to copies of what an adaware log shows.

They have other features not found in the fly by night rogues, so whoever the programmer is, is not one with the other rogues. For them to catch every vxgame and other pets I keep tells me they are not just scanning cookies as the rest.

Now on the same IP is foxp2p.com. I installed it and it has the same GUI interface as that of LimeWire and uses the same network. I think we need to watch them, but we need more complete testing of the antispyware apps from each of the sites with different types of infestations to see what the results are. Also, I have not found any nag screens, only the opening of the site to buy when clicking the clean button.

Let's put them on a list for further research and even maybe some email to them asking questions about the apps to see what comes back. Until then I cannot myself call them a rogue and put them into my sites list until I have further evidence that they are not on the up and up.

On the side of common characteristics, I find the following that does set off red flags:

1. They are registered thru esthost/estdomains. 5 points against them.

2. The whois email anth.hong @ gmail.com. The ones I find using two names separated with a DOT and using gmail have been the Spyaxe family of rogues.

3. The dns servers for their 4 sites are xname.org and mydomain.com.
Also they list their location as thailand (TH) and the phone number country code of +66 is thailand. This is different than most I have found so far.

With number 1 and 2 I will keep an open mind, but I think we still need some further tests with the software. Keep them for now as suspect.
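As an added example (not code from any poster in this thread), here is a Python script that turns the whois checks discussed above into something repeatable: it parses a whois dump in the style of the contra-virus.com record suzi quoted and scores the red flags from webhelper's list (Estdomains/Esthost as registrar, a firstname.lastname@gmail.com contact, xname.org or mydomain.com name servers, a Thai registrant address or +66 phone). The sample record is constructed from the quoted one with the contact address webhelper describes filled in; the "control" record, the "5 points" weight is the only figure the thread gives, and the other weights and the suspect/watch thresholds are assumptions made for this example.

```python
import re

# Constructed whois text modelled on the contra-virus.com record quoted in this
# thread (e-mail taken from webhelper's description; rest abbreviated).
# Sample input only, not a live lookup.
SAMPLE_WHOIS = """\
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: CONTRA-VIRUS.COM

Registrant:
N/A
Anthony Hong (anth.hong@gmail.com)
Pattaya 2nd Rd
Phatthaya,61745
TH
Tel. +66.53344077

Creation Date: 19-May-2006
Expiration Date: 19-May-2007

Domain servers in listed order:
ns1.xname.org
ns0.xname.org
"""

# Constructed control record with none of the indicators (placeholder names).
CLEAN_WHOIS = """\
Registration Service Provided By: EXAMPLE REGISTRAR LLC

Domain Name: EXAMPLE-AV-VENDOR.COM

Registrant:
Example AV Vendor Inc (hostmaster@example-av-vendor.com)
1 Main St
Anytown, 00000
US
Tel. +1.5550100

Domain servers in listed order:
ns1.example-av-vendor.com
ns2.example-av-vendor.com
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def parse_whois(text):
    """Pull out the fields the thread's heuristics look at."""
    rec = {"registrar": "", "emails": [], "registrant_country": "",
           "registrant_phone": "", "nameservers": []}
    # This registrar's output is a set of blank-line separated blocks.
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        head = lines[0].lower()
        if head.startswith("registration service provided by:"):
            rec["registrar"] = lines[0].split(":", 1)[1].strip()
        elif head == "registrant:":
            rec["emails"] = EMAIL_RE.findall(block)
            for line in lines[1:]:
                if line.lower().startswith("tel"):
                    rec["registrant_phone"] = line.split(None, 1)[1]   # "Tel. +66..." -> "+66..."
                elif re.fullmatch(r"[A-Z]{2}", line):
                    rec["registrant_country"] = line                   # bare ISO country line
        elif head.startswith("domain servers"):
            rec["nameservers"] = [l.lower() for l in lines[1:]]
    return rec


# Weight 5 for Estdomains is the figure given in the thread; the other weights
# are assumptions for this example.
INDICATORS = [
    ("registrar_estdomains", 5,
     lambda r: any(s in r["registrar"].lower() for s in ("estdomains", "esthost"))),
    ("gmail_first_dot_last", 2,
     lambda r: any(re.fullmatch(r"[a-z]+\.[a-z]+@gmail\.com", e.lower()) for e in r["emails"])),
    ("free_dns_xname_or_mydomain", 1,
     lambda r: any(ns.endswith(("xname.org", "mydomain.com")) for ns in r["nameservers"])),
    ("registrant_thailand", 1,
     lambda r: r["registrant_country"] == "TH" or r["registrant_phone"].startswith("+66")),
]


def score(rec):
    """Return (total points, names of the indicators that fired)."""
    fired = [(name, pts) for name, pts, test in INDICATORS if test(rec)]
    return sum(p for _, p in fired), [n for n, _ in fired]


def classify(total):
    # Thresholds are assumptions; the thread itself only says "keep as suspect".
    if total >= 5:
        return "suspect"
    return "watch" if total > 0 else "no flags"


if __name__ == "__main__":
    for label, text in (("contra-virus.com sample", SAMPLE_WHOIS), ("control", CLEAN_WHOIS)):
        total, names = score(parse_whois(text))
        print(f"{label}: {total} points -> {classify(total)} {names}")
```

The point of the scoring is the one suzi and webhelper make between them: none of these signals proves a product is a rogue, so the output is a "suspect, test further" label and a list of reasons, not a verdict. The same parsed records can be grouped by IP or name server to pivot the way suzi did with the reverse-DNS list for 69.50.168.42.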
nosirrah
Posted: Sun Dec 24, 2006 7:48 am

Why would a legit AV/AS use both graphics and text from other known rogue pages to advertise their app?

Bug in cross hairs: hxxp://pimasoft.com/

Red bug under moving magnifying glass: hxxp://www.adprotect.com/ . Now that I have taken a second look, these two pages were obviously designed by the same person/group.

This is a google string search for text from their page :

http://www.google.com/search?as_q=&hl=en&num=100&btnG=Google+Search&as_epq=Spyware%2C+like+a+virus%2C+is+a+malicious+software+planted+on+your+PC+by+a+third+party+in+order+to+secretly+monitor+what+you+do+online.&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_nlo=&as_nhi=&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images

Totally loaded with rogues.
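As an added example (not from any poster in this thread), the recycled-text technique nosirrah uses, an exact-phrase Google search with `as_epq`, can be made tolerant of small rewording by comparing word shingles between saved page texts instead of one fixed phrase. The script below does both: an exact-phrase match after normalisation, and a Jaccard similarity over 4-word windows that still fires when a copied blurb has been lightly edited. The page texts are constructed for this example; only the first sentence of "seed" is the phrase decoded from the Google URL above, and "ExampleGuard" is a placeholder product name.

```python
import re

# Constructed page blurbs. The first sentence of "seed" is the phrase from the
# Google URL in this thread; the rest is made up, and ExampleGuard is a placeholder.
PAGES = {
    "seed": ("Spyware, like a virus, is a malicious software planted on your PC by a "
             "third party in order to secretly monitor what you do online. "
             "Download the free scan now."),
    "copy": ("Spyware, like a virus, is malicious software planted on your PC by a "
             "third party in order to secretly monitor what you do online. "
             "Buy ExampleGuard today."),
    "unrelated": ("ExampleGuard Security Suite protects your network with signature and "
                  "behaviour based detection, daily updates and a full audit log."),
}


def words(text):
    """Lower-cased alphanumeric tokens; punctuation and case differences vanish."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=4):
    """Set of k-word windows; small edits only disturb the windows that cover them."""
    w = words(text)
    return {" ".join(w[i:i + k]) for i in range(len(w) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def find_recycled(pages, seed_name, threshold=0.2, k=4):
    """Pages whose shingle overlap with the seed page meets the threshold."""
    seed = shingles(pages[seed_name], k)
    hits = []
    for name, text in pages.items():
        if name == seed_name:
            continue
        sim = jaccard(seed, shingles(text, k))
        if sim >= threshold:
            hits.append((name, round(sim, 2)))
    return sorted(hits, key=lambda h: -h[1])


def phrase_hits(pages, phrase):
    """Normalised exact-phrase match, the local equivalent of Google's as_epq."""
    needle = " ".join(words(phrase))
    return sorted(name for name, text in pages.items() if needle in " ".join(words(text)))


if __name__ == "__main__":
    print("exact phrase:", phrase_hits(PAGES, "planted on your PC by a third party"))
    print("shingle overlap with seed:", find_recycled(PAGES, "seed"))
```

The threshold is an assumption: 0.2 is low enough to catch a single shared paragraph on an otherwise different page, and the ranked score lets a reviewer look at the strongest matches first. Both checks only tell you that text was reused, which is the "suspect by association" signal this thread is weighing, not a verdict on the product.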