Nick (Site Admin)
Joined: 27 Feb 2004 Last Visit: 28 Aug 2012 Posts: 3913 Location: California
Posted: Mon Dec 18, 2006 8:37 pm Post subject: Mr Clean Gets the Spyware Treatment
The latest fake security program from the Smitfraud crooks takes no shame and rips off good old Mr Clean, the household cleaner. Mr Antispy may look like Mr Clean, but the only thing that this rogue program will clean out is your wallet.
Details and comparison pictures at Sunbelt Blog.
Spread the news, Digg it too.
_________________
Nick's Security Ticker
webhelper (SWW Expert)
Joined: 11 Apr 2004 Last Visit: 16 Jul 2011 Posts: 1090
Posted: Tue Dec 19, 2006 11:26 am Post subject: Re: Mr Clean Gets the Spyware Treatment
Nick wrote:
> The latest fake security program from the Smitfraud crooks takes no shame and rips off good old Mr Clean, the household cleaner. Mr Antispy may look like Mr Clean, but the only thing that this rogue program will clean out is your wallet.
> Details and comparison pictures at Sunbelt Blog.
> Spread the news, Digg it too.
MrAntispy is from the old fast web search (CWS), affiliated in this one with the Spywareno rogues. Smitfraud began from the John Miller Liber Inc/Cactus vxgame/Darkgt IframeDollars malware groups, who were/are affiliates of the Spywareno-spysheriff group.
_________________
Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004
nosirrah (Warrior)
Joined: 30 Aug 2006 Last Visit: 16 Jul 2007 Posts: 160
webhelper (SWW Expert)
Joined: 11 Apr 2004 Last Visit: 16 Jul 2011 Posts: 1090
Posted: Thu Dec 21, 2006 5:12 am Post subject:
curepcsolutions.com is a different animal from a new source, and breakspyware.com is from the Klikrevenue group, whereas Mr Antispy is from the Spywareno rogues family.
nosirrah (Warrior)
Joined: 30 Aug 2006 Last Visit: 16 Jul 2007 Posts: 160
Posted: Thu Dec 21, 2006 3:46 pm Post subject:
It is odd then that I found all of them by doing Google string searches using the same rogue page (Pest Capture) as a base.
Using recycled text makes these easy to find.
I think that this is another new one: hxxp://contra-virus.com/.
It was new to me at least.
 |
suzi (Site Admin)
Joined: 27 Jul 2003 Last Visit: 20 May 2013 Posts: 10271 Location: sunny California
Posted: Thu Dec 21, 2006 5:49 pm Post subject:
That one's new to me too. Good find. Brought to us by our friends at InterCage/Atrivo and Estdomains.
http://whois.domaintools.com/contra-virus.com
Quote:
> Server Type: Apache/2.2.2 (Fedora)
> (Spry.com also uses Apache)
> IP Address: 69.50.168.42
> IP Location: - California - Covina - William Lu
> Response Code: 200
> Blacklist Status: Clear (history)
> SSL Cert: No valid SSL on this Host
> Website Status: Active
> Registration Service Provided By: ESTDOMAINS INC
> Contact: +1.3027224217
> Website: http://www.estdomains.com
> Domain Name: CONTRA-VIRUS.COM
> Registrant:
> N/A
> Anthony Hong ()
> Pattaya 2nd Rd
> Pattiya
> Phatthaya,61745
> TH
> Tel. +66.53344077
> Creation Date: 19-May-2006
> Expiration Date: 19-May-2007
> Domain servers in listed order:
> ns1.xname.org
> ns0.xname.org
Search Results for 69.50.168.42 [no reverse DNS set]
6 Results for 69.50.168.42 (Contra-virus.com)
Website
1. contra-virus.com
2. contra-virus.net
3. contravirus.biz
4. contravirus.net
5. foxp2p.com
6. kanyxo.com
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
webhelper (SWW Expert)
Joined: 11 Apr 2004 Last Visit: 16 Jul 2011 Posts: 1090
Posted: Fri Dec 22, 2006 10:04 am Post subject:
For contra-virus.com, you will notice the email in the whois record:
anth.hong @ gmail.com. The use of a first name (DOT) second name @ gmail.com is consistent with some of the Spyaxe rogues family of sites.
This also leads to the payment center of eshop5.com, which leads to paymenter.com, with many sites I already list which I have found to be a part of the ibill, oxbill, GSPay Limited group.
webhelper (SWW Expert)
Joined: 11 Apr 2004 Last Visit: 16 Jul 2011 Posts: 1090
Posted: Fri Dec 22, 2006 12:11 pm Post subject:
webhelper wrote:
> For contra-virus.com, you will notice the email in the whois record:
> anth.hong @ gmail.com. The use of a first name (DOT) second name @ gmail.com is consistent with some of the Spyaxe rogues family of sites.
> This also leads to the payment center of eshop5.com, which leads to paymenter.com, with many sites I already list which I have found to be a part of the ibill, oxbill, GSPay Limited group.
OK, found the actual site the credit card transactions are transmitted to:
% Information from TLD .lv whois service.
% Please visit http://www.nic.lv/DNS/ for more information.
domain: firstdata.lv
descr: SIA "First Data Latvia"
admin-c: 37538-LUMII
tech-c: 54324-LUMII
nserver: ns.apollo.lv
nserver: ns2.apollo.lv
changed: dns-reg@nic.lv 20060102
source: LUMII
person: Andris Konovalovs
address: none
phone: +371-7092582
fax-no: +371-7092509
e-mail: andris.konovalovs@firstdata.lv
nic-hdl: 54324-LUMII
source: LUMII
person: Valdis Eiduks
address: none
phone: +371 26322202
e-mail: valdis.eiduks@firstdata.lv
nic-hdl: 37538-LUMII
source: LUMII
So the eshop5.com group uses a bank in Latvia to handle credit card transactions for their rogues.
webhelper (SWW Expert)
Joined: 11 Apr 2004 Last Visit: 16 Jul 2011 Posts: 1090
Posted: Sat Dec 23, 2006 8:19 am Post subject:
As to the ContraVirus Anti Spyware: I just ran some testing and I think we need to take a closer look at this one, as it is not only new, it also does not run nag screens, and after running it on some of my file collections I have seen no FP. Also, it allows you to run an update, view logs, etc. Only when clicking to clean does it take you to eshop5.com, which is under the control of GSPay.
Here is a sample of their log:
Quote:
> New objects: 0
> Objects found so far: 11
> Hosts file scan started
> -----------------------------------------------------------
> Object recognized
> Type : File
> Object : c:\Documents and Settings\Administrator\Desktop\cactus-vxgame\vxgame11232006\www.wsfgfdgrtyhgfd.net\adv\soft1\search.exe
> Created on : 11/23/2006 9:31:47 AM
> Last accessed : 12/23/2006 11:00:22 AM
> Last modified : 10/27/2006 7:05:03 PM
> Object recognized
> Type : File
> Object : c:\Documents and Settings\Administrator\Desktop\cactus-vxgame\vxgame11232006\www.wsfgfdgrtyhgfd.net\adv\soft1\winlogon.exe
> Created on : 11/23/2006 9:31:46 AM
> Last accessed : 12/23/2006 11:00:23 AM
> Last modified : 10/27/2006 7:05:00 PM
I think we need to run tests and also take a look at Ad-Aware, as this log seems very close to what theirs used to be.
So until we can test and have Eric H take a look, I don't think we can classify this one as a Rogue.
suzi (Site Admin)
Joined: 27 Jul 2003 Last Visit: 20 May 2013 Posts: 10271 Location: sunny California
Posted: Sat Dec 23, 2006 8:38 am Post subject:
From the Rogue/Suspect page:
Quote:
> "Rogue/Suspect" means that these products are of unknown, questionable, or dubious value as anti-spyware protection.
IMO, this one is "suspect" by association because:
It is registered through Estdomains and hosted at InterCage. That alone makes it suspect in my mind. Also, who in their right mind would trust that group with their credit card info?
webhelper (SWW Expert)
Joined: 11 Apr 2004 Last Visit: 16 Jul 2011 Posts: 1090
Posted: Sat Dec 23, 2006 9:34 pm Post subject:
suzi wrote:
> From the Rogue/Suspect page:
> Quote:
> > "Rogue/Suspect" means that these products are of unknown, questionable, or dubious value as anti-spyware protection.
> IMO, this one is "suspect" by association because:
> It is registered through Estdomains and hosted at InterCage. That alone makes it suspect in my mind. Also, who in their right mind would trust that group with their credit card info?
We should still run a few infestations and their app and look at the logs. This software is totally different than the normal rogues, and I think we need to look at Ad-Aware scans, as this new software's logs seem too close to copies of what an Ad-Aware log shows.
They have other features not found in the fly-by-night rogues, so whoever the programmer is, is not one with the other rogues. For them to catch every vxgame and other pests I keep tells me they are not just scanning cookies as the rest.
Now on the same IP is foxp2p.com. I installed it and it has the same GUI interface as that of LimeWire and uses the same network. I think we need to watch them but need more complete testing of the antispyware apps from each of the sites with different types of infestations and see what the results are. Also, I had not found any nag screens, only the opening of the site to buy when clicking the clean button.
Let's put them on a list for further research and even maybe some email to them asking questions about the apps to see what comes back. Until then I cannot myself call them a rogue and put them into my sites list until I have further evidence that they are not on the up and up.
On the side of common characteristics, I find the following that does set off red flags:
1. They are registered through Esthost/Estdomains. 5 points against them.
2. The whois email anth.hong @ gmail.com. The ones I find using two names separated with a DOT and using Gmail have been the Spyaxe family of rogues.
3. The DNS servers for their 4 sites are xname.org and mydomain.com.
Also they list their location as Thailand (TH), and the phone number country code of +66 is Thailand. This is different from most I have found so far.
With number 1 and 2 I will keep an open mind, but I think we still need some further tests with the software. Keep them for now as suspect.
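The red-flag checklist in the post above (registrar, contact-email pattern, nameservers, registrant location) can be turned into a repeatable scoring pass over a WHOIS record. This is an added Python example, not code from the thread or from any poster: the names come from the posts, the sample record is reconstructed from the contra-virus.com whois quoted earlier, and all point weights other than the "5 points" for Estdomains, plus the phone-code versus country cross-check, are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class WhoisRecord:
    domain: str
    registrar: str
    email: str
    country: str              # registrant country as shown in whois, e.g. "TH"
    phone: str                # as written in whois, e.g. "+66.53344077"
    nameservers: List[str] = field(default_factory=list)


# Names come from the thread; the weights (except the 5 for Estdomains)
# and the phone/country cross-check are assumptions for this example.
SUSPECT_REGISTRARS = ("estdomains", "esthost")
SUSPECT_NS_SUFFIXES = ("xname.org", "mydomain.com")
FIRST_DOT_LAST_GMAIL = re.compile(r"^[a-z]+\.[a-z]+@gmail\.com$", re.I)
PHONE_CC = {"TH": "+66", "LV": "+371", "US": "+1"}   # partial table, assumed


def score_record(rec: WhoisRecord) -> Tuple[int, List[str]]:
    """Count red flags; a high score means 'look closer', not 'rogue'."""
    score, reasons = 0, []
    if any(r in rec.registrar.lower() for r in SUSPECT_REGISTRARS):
        score += 5
        reasons.append("registered through Esthost/Estdomains")
    if FIRST_DOT_LAST_GMAIL.match(rec.email.replace(" ", "")):
        score += 2
        reasons.append("first.last@gmail.com contact, the Spyaxe-family pattern")
    if any(ns.lower().endswith(SUSPECT_NS_SUFFIXES) for ns in rec.nameservers):
        score += 1
        reasons.append("nameservers at xname.org / mydomain.com")
    expected_cc = PHONE_CC.get(rec.country.upper())
    if expected_cc and not rec.phone.startswith(expected_cc):
        score += 1
        reasons.append("phone country code disagrees with registrant country")
    return score, reasons


def classify(rec: WhoisRecord) -> str:
    """'suspect' at 5 or more points, i.e. the Estdomains weight on its own."""
    return "suspect" if score_record(rec)[0] >= 5 else "no whois flags"


# Sample input, constructed from the whois data quoted earlier in the thread.
CONTRA_VIRUS = WhoisRecord(
    domain="contra-virus.com", registrar="ESTDOMAINS INC",
    email="anth.hong @ gmail.com", country="TH", phone="+66.53344077",
    nameservers=["ns1.xname.org", "ns0.xname.org"],
)
```

The defanged "anth.hong @ gmail.com" form is accepted as-is because the spaces are stripped before matching.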
nosirrah (Warrior)
Joined: 30 Aug 2006 Last Visit: 16 Jul 2007 Posts: 160