Blog for hpHosts, and whatever else I feel like writing about ....

Friday 13 November 2009

Warning: malwareabytes.com & hotpmail.com

Seems Malwarebytes have gotten themselves a fan, alongside the fans already out for MalwareDomainList et al. Just as with malwaredomainlist2.com (which, by the way, now sporadically redirects via domains such as ask.com), this one is currently parked.

Referred to: whois.above.com
By: whois.internic.net

Registration Service Provided By: ABOVE.COM, INC.
Contact: +613.95897946

Domain Name: MALWAREABYTES.COM

Registrant:
Lu Lan
1187/28-601 Nam Natou road
Shanghai

200125
CN
lulan@hotpmail.com
Tel. +86.13671866757
Fax.

Creation date: 2009-11-11
Expiration Date: 2010-11-11

Domain servers in listed order:
ns1.mid-2.com
ns2.mid-2.com

Administrative Contact:
Lu Lan
1187/28-601 Nam Natou road
Shanghai

200125
CN
lulan@hotpmail.com
Tel. +86.13671866757
Fax.

Technical Contact:
Lu Lan
1187/28-601 Nam Natou road
Shanghai

200125
CN
lulan@hotpmail.com
Tel. +86.13671866757
Fax.

Billing Contact:
Lu Lan
1187/28-601 Nam Natou road
Shanghai

200125
CN
lulan@hotpmail.com
Tel. +86.13671866757


Yep, I noticed the "p" in hotpmail.com too, in the registrant's e-mail address. The site certainly isn't registered to Microsoft, nor hosted on a Microsoft-owned IP.

Referred to: whois.PublicDomainRegistry.com
By: whois.internic.net

Domainname: HOTPMAIL.COM
Creation date: 11-Dec-2008
Expiry date: 11-Dec-2014
Domain status: ACTIVE

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Administrative:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Technical:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Nameservers:
ns7.ns0.com
ns188.pair.com


It did, however, redirect to hotmail.com:

#       Result       Protocol       Host       URL       Body       Caching       Content-Type       Process       Comments       Custom
1       301       HTTP       hotpmail.com       /       0              text/html       avant:4476
2       302       HTTP       www.hotmail.com       /       314       no-cache Expires: -1       text/html; charset=utf-8       avant:4476
3       200       HTTP       login.live.com       /login.srf?wa=wsignin1.0&rpsnv=11&ct=1258135091&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=2057&id=64855&mkt=en-gb       2,306       no-cache Expires: Fri, 13 Nov 2009 17:57:14 GMT       text/html; charset=iso-8859-1       avant:4476
4       200       HTTP       login.live.com       /pp700/images/LiveID16nc.gif?1258135090920       388       no-cache        image/gif       avant:4476


A little research shows the chap who registered these domains also owns a few others, including:

forumactivationlink.com
boysfoog.com
telcelcom.com
dcbdc.com
uncdf.com
data-bg.net
iraklis-fc.com
horse-gams.com
croyscabin.com
filehopo.com
lacasadelpayaso.com

... and I'm sure that if I spent more time looking, I could find a heck of a lot more, based on what I've seen thus far. Indeed, given that the URLs the above take you through are a lot like (and in some cases identical to) those malwaredomainlist2.com takes you to, coupled with the same registrar being involved, I don't think it's a stretch to say the same person is responsible for this one too.
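A check a hosts-list maintainer could run for the one-letter typosquats discussed above (malwareabytes.com, hotpmail.com, malwaredomainlist2.com), added here as an example that is not part of the original post. The brand list and the hostnames fed to it are constructed, and treating the second-from-last label as the registrable name is a simplifying assumption (a real deployment would consult the Public Suffix List).

```python
# Added example (not from the hpHosts post): flag hostnames that sit one
# typo away from a protected brand label, the way malwareabytes.com and
# hotpmail.com sit one inserted letter away from "malwarebytes" / "hotmail".
# Brand set and sample hostnames below are constructed for this example.

PROTECTED_BRANDS = {"malwarebytes", "hotmail", "malwaredomainlist"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'hotpmail' from 'www.hotpmail.com'.
    Assumption: a single-label public suffix (.com, .net); no PSL lookup."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(hostname: str, brands=PROTECTED_BRANDS, max_distance: int = 1):
    """Return ('legit', brand), ('typosquat', brand) or ('unrelated', None)."""
    label = registrable_label(hostname)
    if label in brands:
        return ("legit", label)
    closest = min(brands, key=lambda b: damerau_levenshtein(label, b))
    if damerau_levenshtein(label, closest) <= max_distance:
        return ("typosquat", closest)
    return ("unrelated", None)


if __name__ == "__main__":
    for host in ["malwareabytes.com", "hotpmail.com", "www.hotmail.com",
                 "malwaredomainlist2.com", "example.org"]:
        print(host, classify(host))
```

Raise `max_distance` to catch two-typo variants, at the cost of more false positives on short brand names.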

Special thanks to Anthony at MalwareURL for informing me about malwareabytes.com.
