101 replies to this topic

[Suzi]

estMate, on Sep 11 2008, 02:07 AM, said:

hedgehog: These domains have been suspended, thank You

Suzi: We've suspended vids365.com. As for the false whois information - we don't allow this and even if there wasn't any Zlob on this domain name it'd be suspended after the investigation.
In case there really was some identity theft, we'll definitely deal with this. Please give me all information you have regarding the issue, why do you think that there was any identity theft, and we'll investigate this.
http://sunbeltblog.blogspot.com/2008/09/sc...-update_10.html all domains were already suspended

Regarding domains registered with stolen IDs, I have not contacted these people to confirm this, although I know someone who often does that. But, using some common sense, think about.. a domain serving rogue AV or malware, on an IP address with a number of other domains serving malware, and the other domains are registered to individuals in RU, Estonia, or CN, etc. then you have one or two registered to someone like a "John Jones at 123 Main St., Smalltown, USA" -- it's not likely that John Jones *really* registered that domain. In every similar case I'm aware of, when the registrant was called, they were confrimed to be ID theft victims.

Regarding false whois information, I used to report such domains with obviously false info here:
http://wdprs.internic.net/
In every case when the registrar was Estdomains, reporting it had no effect. So Igave up. I have not reported any there recently because in the past nothing was done.

Here is another domain being used to serve malware:
updatepanel.us/ctl/crfiles/tdssadw
updatepanel.us/ctl/crfiles/tdssl
updatepanel.us/ctl/crfiles/tdsslog
updatepanel.us/ctl/crfiles/tdssmain
updatepanel.us/ctl/crfiles/tdsspopup
updatepanel.us/ctl/crfiles/tdssserv
etc.
tdssserv is part of a nasty rootkit that makes many severe changes to the infected computer.

http://whois.domaint.../updatepanel.us <--- note the registrant information -- possibly another ID theft victim, unless it's false info.

[Suzi]

Another one.
http://whois.domaint...stlistrated.net <--- TrojanDropper:Win32/Agent.UM

There are 8 other domains in the IP (Layered Tech), not all registered with Estdomains, but these are:
Besttrackday.net
fasttracklink.net
freetrackonline.net
supertrackday.net
thetrackstar.net

This is an example of what researchers see. We find one malware site, and on the IP are a bunch of others. It never ends.

[Suzi]

Well, imagine this. Yet another rogue/scam site from Estdomains, just registered Sept. 11, 2008.

http://whois.domaint...ilyhomesite.com

Found on the Sunbelt blog.

http://sunbeltblog.blogspot.com/2008/09/sc...-update-ii.html

There are probably more from the list, but I don't have time to check them.

This leads to another question. estMate, I appreciate what you are trying to do here, but it's really not the security researchers' job to monitor your domain registrations and report them. I'd like to know what Estdomains is doing to check for them yourselves, and stop new ones from being registered.

By now, you should know who you customers are, and know the ones who are registering domains for the purpose of spreading malware and running scam sites. So what is the plan to stop this? The domains reported here are merely the tip of the iceberg. We know that, and you should know that.

Thank you.

[Jaxryley]

Antivirus 2009 Protection:

hxxp://googlescanners-360.com/

Domain Name: googlescanners-360.com

Status: ok

Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru

Expiration Date: 2009-09-05
Creation Date: 2008-09-05
Last Update Date: 2008-09-05

Name Servers:
ns1.nameself.com
ns2.nameself.com

[estMate]

googlescanners-360.com isn't registered with us. As for other domains, the ones, which were registered through us, have been suspended. Regarding our preventive measures, the fact that you don't see them doesn't mean there isn't any. Yes, we don't write about them but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts etc. During the last week we've suspended over 15000 different domains.

[hedgehog]

EstMate, a few more domains for you:
best3xvideo.com
fullhd-videos.com
clipdwnld.com (http://www.clipdwnld...=4136&n=blowjob)
how-to-tie-shoe-laces.com (how-to-tie-shoe-laces.com/tds/out.php?s_id=2)
tube28.net (tube28.net/load.php?aff=5006&/HDVideoCodec_ver1.5006.0.exe)
pornotube30.net

[estMate]

hedgehog, on Sep 12 2008, 04:00 PM, said:

EstMate, a few more domains for you:
best3xvideo.com
fullhd-videos.com
clipdwnld.com (http://www.clipdwnld...=4136&n=blowjob)
how-to-tie-shoe-laces.com (how-to-tie-shoe-laces.com/tds/out.php?s_id=2)
tube28.net (tube28.net/load.php?aff=5006&/HDVideoCodec_ver1.5006.0.exe)
pornotube30.net

Suspended

[Tigger93]

Nevermind, got suspended.

[hedgehog]

they keep coming:
fucked-pussies.net
gallz4free.com
porno-passion.net
protectionsofts.com
Nowtubez.net
sexy-dream.net
sex24you.com
tubelized.com (tubelized.com/index.php?id=4178)
yellow-bucks.com (affiliate site, promots malware)
videosfreefresh.com (videosfreefresh.com/l/color/id/3913289/white/)
nichedportal.com (nichedportal.com/bigtits/index.php?id=1526)
club-adult.net

[hedgehog]

Cleanthe.net reports that online-av-scan.com spreads malware and that these domains are on the same ip:
1. 1st-tube.com
2. Anothersoftportal.net
3. Anothersoftportal08.net
4. Anothersoftportal09.net
5. Best-cracks.com
6. Celebs-on-video.com
7. Cleansoftportal.net
9. Codecupgrade.com
10. Crack-land.com
11. Crackundeground.com
13. Hot-porn-tube2007.net
14. Hot-porn-tube2009.net
15. Just-tube.com
16. Karachun.net
17. Muzdownload.com
18. Oldpromoz.net
19. Oldsoftupd.net
20. Online-av-scan.com
21. Porn-tube-2008.com
23. Scanner-tool.com
24. Showconz.com
25. Softupdat.com
27. Updatehost.com

I've removed the ones that were already suspended or registered through a different registrar.

[hedgehog]

A few more:
Bestpornox.com
yourlizsite.com
Youjizzsite.com

[estMate]

All suspended. Thank you, hedgehog.

P.S. I will be out of my desk for a couple of days. In case you'll have anything to report kindly raise the support ticket

[hedgehog]

Ok, thanks estMate..

I've submitted these through https://support.estdomains.com/:

ticketblack.com (http://ticketblack.c...etblack2006.exe)
virtualceck.com (virtualceck.com/in.cgi?pipka)
superceck.com (http://superceck.com...MShiM/index.php)
Nowmoviez.net (http://www.nowmoviez.../free_sex_video)
win-antivirus-2008.com

[cryptodan]

I'd like to say thank you for suspending the offensive domains for the community, and making the internet a much safer place.

[hedgehog]

The domains I reported yesterday are now suspended, thanks Estdomains.

But there seems to be always more of them, here are a few more that I've discovered today and reported to support.estdomains.com
Antispywareprotect.com
Antivirus2008a.com
Free-virus-check.com
Maxspywareprotect.com
Pcantivirus2008.com
Vip-antivirus.com

[hedgehog]

I've submitted these too to suppport.estdomains.com today:
eantivirus-payments.com
celebsporntube.com
porntubs.org
Porntubefilms.com
Youttube.info
yourstarstube.com
Zzzyoutube.com
cracksserialnumbersddl.net
Crackssiteddl.com
1-cracks-planet.com
Freecracksdirectdownloads.biz
Pass2crack.com
Protoolscracksddl.com
amaturecuties.info/littlesluts/asian-slut-teen.html
embededfiles.com (embededfiles.com/movie1.php?id=1715)
goodwelll.net (goodwelll.net/rd_gg.php?v=21)
myhotfind.com (myhotfind.com/in.cgi?4)
http://downloadtorun.com/ (http://downloadtorun...xe2/3913289.exe)

[hedgehog]

EstMate, perhaps you should have a look at this blogpost:
http://msmvps.com/blogs/spywaresucks/archi...17/1648037.aspx

[Jahewi]

I have summitted the following site:
hxxp://www.freesexxxx4u.com/

It's one of the download-site for fake Codecs (which ofcourse, in turn, install ZLob )

More to come soon

Edited by JeanInMontana, 17 September 2008 - 09:14 PM.
Mung link

[hedgehog]

I've submitted these so far today:
Amateur-adultvideo.com
Amateur-pornmovie.com
brakeporn.net (brakeporn.net/jay/1136970628/1/player.php?m=bW92MS53bXY=&id=34cd2d)
eAntivirusPro.com
freestarsmovies.com
freexxxhere.com
hardcore-adult-video.com
Hardcore-pornmovie.com
Hardcore-video-xxx.com
lightporn.net (lightporn.net/marion/829559177/1/player.php?m=bW92Mi53bXY=&id=3697ff)
Matures-adult-video.com
Matures-pornmovie.com
megazporn.com (megazporn.com/roseanna/575251695/1/player.php?m=bW92MS5hdmk=&id=905ec5)
mp3freesound.com
mpegxxxvideos.com
pornultra.net (pornultra.net/maureen/1307950400/1/player.php?m=bW92Mi5hdmk=&id=ec4e87)
sexwhite.net (sexwhite.net/zachariah/810861416/1/player.php?m=bW92MS53bXY=&id=5f6af5)
sweetfreeporn.com
xeroporn.com (xeroporn.com/xena/59404825/1/player.php?m=bW92MS53bXY=&id=4fc486)
xhporn.net (xhporn.net/aphinius/1528070206/1/player.php?m=bW92MS53bXY=&id=8443d2)