Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 23 May 2010

Eset, Star Wars, and rogues ....

On the hunt as usual, I came across yet another rogue, again using etc via blackhat SEO, but using .tk domains (surprise surprise). What I did find rather humorous however, was a javascript file that was loaded.

The javascript contained a lovely little snippet, and a note for the folks over at Eset (though evidently, the bad guys got their Star Wars and Star Trek mixed up, as it was the Borg that said Resistance is futile - not anyone from Star Wars);

/*hello nod32 guys; the force is strong with u, young Padawans, but u won't defeat us; any resistance is futile;*/

The file in question;


I did some checking, and not surprisingly, there's alot more than this one that's been created (I've already dropped abuse reports to, including;

I've got a verification going to ID any more of these. Until change their policy of not taking down domains that the registrant has paid them for, I feel pretty confident that we're going to see more and more .tk domains involved in criminal activity.

As far as the IPs involved, you'll no doubt have guessed that it's the usual suspects;

31252 STARNET-AS StarNet Moldova
47869 NETROUTING-AS Netrouting Data Facilities

If you've not already, feel free to blackhole the lot of them (and until change their policy, you might want to consider a blanket block on the entire Tokelau TLD - money should never come before user safety).

References Use and abuse us as you wish

Crimeware friendly ISPs:

No comments: