removespyware.ru copies PCworld site and adds their own A record to DNS
B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section
Moore
I got asked why removespyware.ru resolves to 70.42.185.10 (PCWorld.com) and looked into it a bit more. Here is some info on what I dug up so far.

My first thought was that something like DNS cache poisoning was being used: http://en.wikipedia.org/wiki/DNS_cache_poisoning

A lot of systems are currently vulnerable: http://www.kb.cert.org/vuls/id/800113

Either that, or someone hacked the domain control panel and just added it the normal way.

QUOTE
removespyware.ru IN A 70.42.185.10 86400s (1.00:00:00)
10.185.42.70.in-addr.arpa IN PTR www.pcworld.com 900s (00:15:00)


I can't imagine PCworld would go and add something like that on their own.

We have removespyware.ru listed in the hosts file and the last record for it in the spyware blocklist was from 2005:

QUOTE
67.18.129.154 - removespyware.ru
Active, Approved Spyware Related 2005-01-21


Visiting removespyware.ru gives you an identical site that appears to be PCWorld, and even the cookies are being set from pcworld.

Doing a reverse IP search from DomainTools doesn't show anything for the domain hosted on that IP address, and doesn't connect removespyware with pcworld.

QUOTE
Search Results for 70.42.185.10 [reverse DNS - www.pcworld.com]
9 Results for 70.42.185.10

1. Digitalworldonline.com
2. Filesworld.com
3. Fileworld.com
4. Pcworld.com
5. Pcworlddownload.com
6. Pcworlddownload.net
7. Webshopper.com
8. Worldbench.com
9. Savedos.com



Robtex picks it up though:

http://www.robtex.com/dns/pcworld.com/shared.html

QUOTE
hostnames sharing ip with a-records
pcworlddownload.com
pcworlddownload.net
removespyware.ru
webshopper.com
worldshopper.com
www.pcworld.com



Looking up the .ru domain directly brings up the info.

QUOTE
canonical name removespyware.ru.
addresses 70.42.185.10

domain: REMOVESPYWARE.RU
type: CORPORATE
nserver: ns3.ringtone-phone.com.
nserver: ns4.about-blank.biz.
nserver: ns2.valu-health.com.
nserver: ns1.trulit.com.
state: REGISTERED, DELEGATED
person: Dmitry V Shipulin
phone: +7 8129627864
e-mail: nettime @ jps.ru
registrar: RUCENTER-REG-RIPN
created: 2004.05.11
paid-till: 2009.05.11
source: TC-RIPN

Last updated on 2008.07.20 10:38:18 MSK/MSD.


The last update was today. Whatever is going on there can't be too good.

Here's another widespread exploit that this "Dmitry" was connected to:
http://koffix.com/research/blog/2005/judin.ru-exploit/

More on the PC World thing here; this time it was SpyWiper copying PC World:
http://sunbeltblog.blogspot.com/2008/05/ra...g-pc-world.html

So what are they up to?
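The check Moore is doing by hand above (A record of the .ru name, PTR of the resulting IP, who that PTR actually belongs to) can be automated. The following is an added example, not code from the thread or from any of the tools named in it: a forward-confirmed reverse DNS (FCrDNS) walk with the resolver injected as a callable, so it runs offline here against constructed answers (the 70.42.185.10 / www.pcworld.com and 203.7.140.32 / archivenet.gov.au pairs are copied from the thread; the example.net entries and the `registrable_suffix` heuristic are my own simplifications). A host is flagged as "piggyback" when its A record lands on an IP whose PTR name is self-consistent (the PTR resolves back to the same IP) but belongs to a different registrable domain, which is exactly the removespyware.ru situation.

```python
"""Flag hostnames whose A record points at an IP whose reverse (PTR) name
belongs to a different organisation.  Added example; the resolver is
injected so the code runs offline against constructed answers."""
from typing import Callable, Dict, List

# Constructed answer tables (sample data, not a live DNS query).
# SAMPLE_A: hostname -> A records; SAMPLE_PTR: IPv4 -> PTR names.
SAMPLE_A: Dict[str, List[str]] = {
    "removespyware.ru": ["70.42.185.10"],       # from the thread
    "www.pcworld.com": ["70.42.185.10"],        # from the thread
    "awmguild.com": ["203.7.140.32"],           # from the thread
    "archivenet.gov.au": ["203.7.140.32"],      # from the thread
    "example.net": ["192.0.2.7"],               # constructed, self-consistent host
    "mail.example.net": ["192.0.2.7"],          # constructed
}
SAMPLE_PTR: Dict[str, List[str]] = {
    "70.42.185.10": ["www.pcworld.com"],
    "203.7.140.32": ["archivenet.gov.au"],
    "192.0.2.7": ["mail.example.net"],
}

Resolver = Callable[[str, str], List[str]]


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a resolver.  For "PTR" it takes the dotted IP
    directly; a live wrapper would convert it to the in-addr.arpa name."""
    if rtype == "A":
        return SAMPLE_A.get(name.rstrip(".").lower(), [])
    if rtype == "PTR":
        return SAMPLE_PTR.get(name, [])
    raise ValueError(f"unsupported rtype {rtype}")


def registrable_suffix(host: str, labels: int = 2) -> str:
    """Crude registrable-domain approximation: the last `labels` DNS labels.
    Good enough for .com/.ru; a real tool would consult the public suffix
    list (this mis-handles names like archivenet.gov.au, which still
    compare unequal to an unrelated .com, so the verdict holds)."""
    parts = host.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def check_forward_reverse(host: str, resolve: Resolver) -> List[dict]:
    """For every A record of `host`: fetch the PTR of the IP, resolve that
    PTR name forward again (FCrDNS), and compare organisations."""
    findings = []
    for ip in resolve(host, "A"):
        ptr_names = resolve(ip, "PTR")
        for ptr in (ptr_names or [None]):           # None = no PTR at all
            fcrdns_ok = ptr is not None and ip in resolve(ptr, "A")
            same_org = (ptr is not None and
                        registrable_suffix(ptr) == registrable_suffix(host))
            findings.append({
                "host": host, "ip": ip, "ptr": ptr,
                "fcrdns": fcrdns_ok, "same_org": same_org,
                # The interesting case: the PTR is consistent for its real
                # owner, but that owner is not the domain we asked about.
                "piggyback": fcrdns_ok and not same_org,
            })
    return findings


def piggybacking_hosts(hosts, resolve: Resolver = sample_resolver) -> List[str]:
    """Return the subset of `hosts` that sit on someone else's confirmed server."""
    return sorted({f["host"] for h in hosts
                   for f in check_forward_reverse(h, resolve) if f["piggyback"]})


if __name__ == "__main__":
    for h in ("removespyware.ru", "awmguild.com", "example.net", "www.pcworld.com"):
        for f in check_forward_reverse(h, sample_resolver):
            print(f)
    print("piggybacking:", piggybacking_hosts(
        ["removespyware.ru", "awmguild.com", "example.net", "www.pcworld.com"]))
```

For live use, wrap a real resolver in the same `(name, rtype)` signature, e.g. dnspython's `dns.resolver.resolve()`, and for PTR queries pass `ipaddress.ip_address(ip).reverse_pointer` instead of the bare IP. Note what the check does and does not prove: a "piggyback" hit shows the .ru name is pointed at PC World's server, not that PC World's zone or cache was tampered with, which is the distinction Moore is weighing in the post.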
Kimberly
Poking around a little bit on Robtex gave some other interesting results. No idea how long these have been going around.

Started from http://www.robtex.com/dns/removespyware.ru/shared.html

domains sharing nameservers
  1. about-blank.biz
  2. attrezzi.biz
  3. awmguild.com
  4. babylille.com
  5. defunct.in
  6. exetrafflc.com
  7. gunbrethren.com
  8. malware-alert.com
  9. mp3artistdirect.com
  10. nzpr.com
  11. onlineclick.net
  12. pclem.com
  13. people-info.com
  14. phpbbscript.com
  15. prisonandjail.org
  16. queenshussars.com
  17. ritdegree.com
  18. slimpartners.com
  19. spyware-wiper.com
  20. squareonerecords.com
  21. tocsite.com
  22. trasferimento.biz
  23. trulit.com
  24. valu-health.com
http://www.robtex.com/dns/awmguild.com/shared.html gives a couple of other sites sharing nameservers.

domains sharing nameservers
  1. about-blank.biz
  2. adslim.com
  3. attrezzi.biz
  4. babylille.com
  5. defunct.in
  6. exetrafflc.com
  7. flashcodec.com
  8. gunbrethren.com
  9. literaryaccess.com
  10. malware-alert.com
  11. mezzicodec.net
  12. movie2b.net
  13. mp3artistdirect.com
  14. nzpr.com
  15. onlineclick.net
  16. pclem.com
  17. people-info.com
  18. phpbbscript.com
  19. prisonandjail.org
  20. queenshussars.com
  21. removespyware.ru
  22. ritdegree.com
  23. slim-cash.com
  24. slimcash.biz
  25. slimpartners.com
  26. spyware-wiper.com
  27. squareonerecords.com
  28. tocsite.com
  29. trasferimento.biz
  30. trulit.com
  31. ttoam.com
  32. valu-health.com
There might be even more of them...
______________________________

National Archives of Australia

www.naa.gov.au - awmguild.com
______________________________

White Pages, Yellow Pages, Maps and Directions on AnyWho

www.anywho.com - people-info.com
______________________________

Office of Justice Programs

www.ojp.usdoj.gov - prisonandjail.org
______________________________

RIT Institute of Technology

web01www01.rit.edu - ritdegree.com
______________________________

University of Michigan

www1.sph.umich.edu - valu-health.com
______________________________

CNNMoney

money.cnn.com - ttoam.com
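Kimberly's pivot above ("domains sharing nameservers", then re-running it from awmguild.com to find more) is a breadth-first walk over a bipartite graph of domains and nameservers. The block below is an added example that implements that walk and is not code from the thread or from Robtex. The delegation table is constructed: removespyware.ru's four nameservers are the ones in the whois output above, and the nameserver hostnames ns3.awmguild.com, ns3.pclem.com and ns4.onlineclick.net appear later in the thread, but which other domains are delegated to which of them is an assumption made up to exercise the pivot, as are the example.com/example.org control entries.

```python
"""Pivot on shared nameservers: from a seed domain, collect every nameserver
it uses, every other domain delegated to those nameservers, and repeat until
the cluster stops growing.  Added example over constructed delegation data."""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed: domain -> nameserver hostnames.  NOT real delegation data
# beyond removespyware.ru's whois entry quoted in the thread.
SAMPLE_NS: Dict[str, List[str]] = {
    "removespyware.ru": ["ns3.ringtone-phone.com", "ns4.about-blank.biz",
                         "ns2.valu-health.com", "ns1.trulit.com"],
    "awmguild.com":     ["ns3.awmguild.com", "ns1.trulit.com"],
    "people-info.com":  ["ns3.awmguild.com", "ns4.about-blank.biz"],
    "ttoam.com":        ["ns3.awmguild.com"],
    "pclem.com":        ["ns3.pclem.com", "ns4.onlineclick.net"],
    "onlineclick.net":  ["ns4.onlineclick.net", "ns2.valu-health.com"],
    # Controls: unrelated domains that must not be pulled into the cluster.
    "example.com":      ["a.iana-servers.net", "b.iana-servers.net"],
    "example.org":      ["a.iana-servers.net", "b.iana-servers.net"],
}


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def invert_delegations(delegations: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Build the reverse index nameserver -> set of domains using it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for domain, servers in delegations.items():
        for ns in servers:
            index[_norm(ns)].add(_norm(domain))
    return index


def shared_nameservers(a: str, b: str, delegations: Dict[str, List[str]]) -> Set[str]:
    """Nameservers two domains have in common (the direct link Robtex shows)."""
    return ({_norm(s) for s in delegations.get(a, [])} &
            {_norm(s) for s in delegations.get(b, [])})


def shared_ns_cluster(seed: str, delegations: Dict[str, List[str]],
                      max_hops: Optional[int] = None) -> Dict[str, int]:
    """Breadth-first expansion from `seed`.  Returns domain -> hop distance,
    where hop 1 domains share a nameserver with the seed directly, hop 2
    share one with a hop-1 domain, and so on.  `max_hops` bounds the walk,
    which matters on real data where a large shared hoster would otherwise
    drag in thousands of unrelated zones."""
    index = invert_delegations(delegations)
    hops: Dict[str, int] = {_norm(seed): 0}
    queue = deque([_norm(seed)])
    while queue:
        domain = queue.popleft()
        if max_hops is not None and hops[domain] >= max_hops:
            continue
        for ns in delegations.get(domain, []):
            for other in index.get(_norm(ns), ()):
                if other not in hops:
                    hops[other] = hops[domain] + 1
                    queue.append(other)
    return hops


def nameserver_fanout(delegations: Dict[str, List[str]],
                      cluster: Dict[str, int]) -> List[Tuple[str, int]]:
    """Which nameservers hold the cluster together: (ns, member count),
    most shared first.  These are the pivots worth blocking or watching."""
    members = set(cluster)
    index = invert_delegations(delegations)
    counts = [(ns, len(doms & members)) for ns, doms in index.items()]
    return sorted((c for c in counts if c[1] > 0), key=lambda c: (-c[1], c[0]))


if __name__ == "__main__":
    cluster = shared_ns_cluster("removespyware.ru", SAMPLE_NS)
    for domain, hop in sorted(cluster.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"hop {hop}: {domain}")
    print("pivots:", nameserver_fanout(SAMPLE_NS, cluster))
```

On live data the NS lists come from `dig NS <domain>` (or the registry whois, as in the thread) and would be fed into `SAMPLE_NS` in place of the constructed table; the `max_hops` bound is the knob that keeps the walk from exploding once a cluster touches a large shared hoster's nameservers.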
Moore
Thanks Kim, good hunting. Looks like they have been busy. I wonder how extensive and widespread this problem is.

203.7.140.0/22 National Archives Australia

http://www.robtex.com/dns/ns3.awmguild.com.html

awmguild.com a 203.7.140.32 archivenet.gov.au 203.7.140.0/22

And no surprise that the masters of malware hosting, Atrivo / Intercage, are involved as well:

QUOTE
ns ns3.pclem.com 64.28.182.91 64-28-182-91-rev.cernel.net 64.28.176.0/20 Atrivo AS27595 ATRIVO AS Atrivo
ns3.searchmeta.net 64.28.182.93 64-28-182-93-rev.cernel.net
ns4.onlineclick.net 64.28.178.19 64-28-178-19-rev.cernel.net
ns4.tocsite.com 64.28.178.20 64-28-178-20-rev.cernel.net
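The last step in Moore's post, reading each nameserver IP against its netblock and owner (64.28.176.0/20 for Atrivo AS27595, 203.7.140.0/22 for the National Archives), is a longest-prefix match over a prefix table. The block below is an added example, not code from the thread or from Robtex: the two prefixes, their owners and the four Atrivo nameserver IPs are taken from the Robtex output quoted above; the nested 192.0.2.0/24 and 192.0.2.128/25 entries and the hosts under `.test` are constructed solely to show that the more specific prefix wins and that unknown space is reported rather than guessed.

```python
"""Attribute host IPs to netblocks and their owners by longest-prefix match.
Added example; the prefix table is constructed from figures in the thread
and is not a live whois or BGP lookup."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed: prefix -> (owner, ASN).  The first two rows are quoted from
# the thread; the 192.0.2.0/24 pair is a documentation range added only to
# exercise longest-prefix matching.
SAMPLE_NETBLOCKS: Dict[str, Tuple[str, Optional[str]]] = {
    "64.28.176.0/20":   ("Atrivo", "AS27595"),
    "203.7.140.0/22":   ("National Archives Australia", None),
    "192.0.2.0/24":     ("documentation block", None),
    "192.0.2.128/25":   ("documentation sub-allocation", None),
}

# Constructed: hostname -> IP.  Atrivo nameservers and awmguild.com are
# from the Robtex lines above; the .test hosts are hypothetical.
SAMPLE_HOST_IPS: Dict[str, str] = {
    "ns3.pclem.com":        "64.28.182.91",
    "ns3.searchmeta.net":   "64.28.182.93",
    "ns4.onlineclick.net":  "64.28.178.19",
    "ns4.tocsite.com":      "64.28.178.20",
    "awmguild.com":         "203.7.140.32",
    "ns1.hypothetical.test": "192.0.2.200",   # inside the /25
    "ns2.hypothetical.test": "192.0.2.9",     # inside the /24 only
    "ns.elsewhere.test":    "198.51.100.5",   # in no known block
}

PrefixTable = List[Tuple[ipaddress.IPv4Network, str, Optional[str]]]


def build_table(netblocks: Dict[str, Tuple[str, Optional[str]]]) -> PrefixTable:
    """Parse prefixes and order them most-specific first so the first hit
    in a linear scan is the longest match.  Fine for a few hundred rows; a
    full routing table would want a radix tree instead."""
    table = [(ipaddress.ip_network(p), owner, asn)
             for p, (owner, asn) in netblocks.items()]
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table


def attribute_ip(ip: str, table: PrefixTable) -> Optional[dict]:
    """Return the most specific covering prefix for `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for net, owner, asn in table:
        if addr in net:
            return {"prefix": str(net), "owner": owner, "asn": asn}
    return None


def group_by_owner(host_ips: Dict[str, str],
                   netblocks: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Owner -> sorted hostnames; hosts outside every known prefix land
    under "unattributed" rather than being silently dropped."""
    table = build_table(netblocks)
    groups: Dict[str, List[str]] = defaultdict(list)
    for host, ip in sorted(host_ips.items()):
        hit = attribute_ip(ip, table)
        groups[hit["owner"] if hit else "unattributed"].append(host)
    return dict(groups)


if __name__ == "__main__":
    for owner, hosts in group_by_owner(SAMPLE_HOST_IPS, SAMPLE_NETBLOCKS).items():
        print(f"{owner}: {', '.join(hosts)}")
```

In practice the prefix table would be filled from whois/RDAP or a BGP dump for the ASNs of interest, and the "unattributed" bucket is the list to go and look up next, not something to ignore.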