priority estdomains domain suspension requests


#21
elex

nosirrah, on Sep 9 2008, 02:08 AM, said:

http://www.intervidd.com/download.php?id=1091


oooooooo, new domain, strike 1


intervidd.com

HOSTING
77.91.231.201 wahome.ru http://www.db.ripe.net/whois?form_type=sim...&submit.y=8

DOMAIN
ICANN Registrar: GODADDY.COM, INC. http://whois.domaint...m/intervidd.com

nothing about Estdomains Inc.

#22
elex

hedgehog, on Sep 9 2008, 10:11 AM, said:

another one:
totsec2009.com

HOSTING
91.203.92.98 uatelecom.com.ua http://www.db.ripe.net/whois?form_type=sim...o_search=Search

DOMAIN
ICANN Registrar: ESTDOMAINS, INC.
Current Status Suspended

#23
nosirrah

elex, on Sep 9 2008, 06:02 AM, said:

intervidd.com

HOSTING
77.91.231.201 wahome.ru http://www.db.ripe.net/whois?form_type=sim...&submit.y=8

DOMAIN
ICANN Registrar: GODADDY.COM, INC. http://whois.domaint...m/intervidd.com

nothing about Estdomains Inc.


This is just the install and moved off of est for obvious reasons. I'm waiting to see where the rest of zlob's components show up.
Bruce Harrison
Vice President of Research

#24
estMate

nosirrah, on Sep 9 2008, 06:21 AM, said:

While we wait for the next new zlob system32 dll to show up, here is the current zlob zones domains export.

Lots of those domains were already suspended, some of them aren't with EstDomains (so please check before posting), and the ones that weren't down and are with us are suspended totally now.

Regards,
EstDomains Team

#25
elex

nosirrah, on Sep 9 2008, 10:57 AM, said:

This is just the install and moved off of est for obvious reasons. I'm waiting to see where the rest of zlob's components show up.

Now all malware domain owners are afraid of Estdomains' abuse team. So I don't think that anybody would like their malware-related domains to be suspended immediately. But the fact is that the abuse team now suspends and blocks not just one domain but the whole customer or even reseller.

#26
hedgehog

More domains registered through EstDomains spreading malware:

Thanks for shutting these down :unsure:

#27
Jacee

elex, on Sep 9 2008, 03:02 AM, said:

intervidd.com

HOSTING
77.91.231.201 wahome.ru http://www.db.ripe.net/whois?form_type=sim...&submit.y=8

DOMAIN
ICANN Registrar: GODADDY.COM, INC. http://whois.domaint...m/intervidd.com

nothing about Estdomains Inc.

Connect to 77.91.225.40
Host: www.wahome.ru
http://web-sniffer.net/?url=http%3A%2F%2Fw...es&http=1.1
http://whois.domaint....com/statun.com
MS-MVP Windows-Security 2006~2013

ASAP Member since 2004
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators
Admin PC Pitstop

#28
estMate

hedgehog, on Sep 9 2008, 06:27 PM, said:

More domains registered through EstDomains spreading malware:

Thanks for shutting these down :unsure:

These domains have now been suspended.

Jacee, on Sep 9 2008, 08:02 PM, said:


What exactly is wrong about it? Looks like a legitimate service.

Regards,
EstDomains Team

#29
hedgehog

EstMate, thanks for taking action, but not all the domains I reported were suspended. These are still live and spreading malware:

ia-scan-online.com
go-scanner.com
doctor3antivirus.com
sexy-shake.net
http://yoootude.com/
hardpornmpg.com
http://www.vidscollector.com/m3/index.php?...11487206.jpg%0A

#30
estMate

hedgehog, on Sep 10 2008, 10:13 AM, said:

EstMate, thanks for taking action, but not all the domains I reported were suspended. These are still live and spreading malware:

ia-scan-online.com
go-scanner.com
doctor3antivirus.com
sexy-shake.net
http://yoootude.com/
hardpornmpg.com
http://www.vidscollector.com/m3/index.php?...11487206.jpg%0A

http://whois.domaint...scan-online.com Status:SUSPENDED
http://whois.domaint.../go-scanner.com Status:SUSPENDED
http://whois.domaint...r3antivirus.com Status:SUSPENDED
http://whois.domaint.../sexy-shake.net Status:SUSPENDED
http://whois.domaint...om/yoootude.com Status:SUSPENDED
http://whois.domaint...hardpornmpg.com Status:SUSPENDED
http://whois.domaint...dscollector.com Status:SUSPENDED
http://whois.domaint...ideoportals.com Registration Service Provided By: DYNAMIC DOLPHIN, INC

If any of the suspended websites are still active to you it may be because of your computer's or ISP's DNS cache; others won't be able to access these websites.

#31
hedgehog

estMate, on Sep 10 2008, 10:15 AM, said:

http://whois.domaint...scan-online.com Status:SUSPENDED
http://whois.domaint.../go-scanner.com Status:SUSPENDED
http://whois.domaint...r3antivirus.com Status:SUSPENDED
http://whois.domaint.../sexy-shake.net Status:SUSPENDED
http://whois.domaint...om/yoootude.com Status:SUSPENDED
http://whois.domaint...hardpornmpg.com Status:SUSPENDED
http://whois.domaint...dscollector.com Status:SUSPENDED
http://whois.domaint...ideoportals.com Registration Service Provided By: DYNAMIC DOLPHIN, INC

If any of the suspended websites are still active to you it may be because of your computer's or ISP's DNS cache; others won't be able to access these websites.

Ah, ok.. thanks, I'll make sure to check the status with domaintools later :unsure: Thanks again!

#32
hedgehog

three more EstDomain domains:
win-xp-antivir-hqscanner
porntubj.com
Balupdate.com (nothing there, but it's known to spread zlob)

#33
Suzi

Appears to be still active and spreading zlob/fake av malware

http://whois.domaint...com/vids365.com

vids365.com/Pornoamateurs
vids365.com/toutube
vids365.com/pornaccess
vids365.com/Pornminded
vids365.com/rus/russia-porno
vids365.com/rus/lolita
etc.

The registrant info is partially if not all bogus... why does Estdomains allow domains to be registered with false information? That is against ICANN regulations.

Another question -- On a regular basis I see domains registered with Estdomains that appear to be registered with a stolen identity and stolen credit card. What does Estdomains do about these? Here is an example of one such domain:

http://whois.domaint...porntubev20.com
It appears to be inactive now, but was the registrant ever refunded the money?

Here is another one that was likely registered with a stolen ID and credit card.
http://whois.domaint...tube-viewer.com
Suzi

Microsoft MVP Windows Security 2005 - 2009

#34
Suzi

Here is another one:
http://whois.domaint...mepagetoday.com <---- Scam Internet Security Page

Posted at Sunbelt's blog.
http://sunbeltblog.blogspot.com/2008/09/sc...-update_10.html

Another one from the write up:
http://whois.domaint.../brokenurls.com <--- 404 error page scam

The list continues:
http://whois.domaint...m/desklinks.com
http://whois.domaintools.com/rycsp.com
http://whois.domaintools.com/cusln.com
http://whois.domaint...pcsdefender.com <---- Scam Security center site
http://whois.domaint...m/webprobar.com <----- Scam Security Toolbar
http://whois.domaint...otheralerts.com <--- same IP as the above
http://whois.domaint...om/ieextend.com <--- component Site used in the Internet Explorer tools menu to redirect to other scam page

These were just created on Sept. 4.
Suzi

Microsoft MVP Windows Security 2005 - 2009

#35
Tex

Ok, so I'm somewhat confused about having estdomains in here since they appear to be so heavily involved in hosting malware sites. I had one of my sites compromised and was warned by google of the fact someone had turned it into a malware download page. From the info they sent me I went to http://stopbadware.org and downloaded this scary report which makes HEAVY mention of all things EST > http://blog.stopbadware.org/2008/08/28/rep...-and-affiliates and especially this portion which appears to show them as either being the same people or even controlled by Atrivo...

(page 8 of the above report)...
"A further key factor for cyber crime is anonymity, the most important of these Atrivo associations is, EstDomains (anonymous registrant), EstHost (anonymous hosting), PrivacyProtect (anonymous registrant), LogicBoxes (hosting servers). It is an interesting background Rather than an elaborate explanation in this version of the study, we use a few simple community quotes:
(a) Spam: 76.09% - 35 of 46 active domains appearing in (spam) email which are registered at ESTDOMAINS, INC. are listed by URIBL in the last 5 days. (URIBL - 08/28/08)"

So now I'm even feeling somewhat uncomfortable even using Malwarebytes because of this association here in this forum of someone whom apparently works with these apparent nogoodniks.

Someone care to explain to me what's going on here? If it's the EST bunch actually trying to clean up their act then fine (then prove it), if it's just another part of Atrivo's ongoing disinformation then it's NOT fine.

Tex

#36
Tigger93

This topic is here to link to domains for Estdomains to shut down (and since you want "proof", just look, most of the domains in this thread have indeed been suspended). EST seems to be starting to clean up their act. No one here other than estMate is involved with Estdomains, and he/she is the one who is shutting these domains down.

#37
hedgehog

More active EstDomain domains spreading malware:

#38
estMate

hedgehog: These domains have been suspended, thank You

Suzi: We've suspended vids365.com. As for the false whois information - we don't allow this and even if there wasn't any Zlob on this domain name it'd be suspended after the investigation.
In case there really was some identity theft, we'll definitely deal with this. Please give me all information you have regarding the issue, why do you think that there was any identity theft, and we'll investigate this.
http://sunbeltblog.blogspot.com/2008/09/sc...-update_10.html all domains were already suspended

Tex: We are going through the total clean-up, and that's real. Thanks everyone who doesn't accuse us but gives adequate information which we can use to find any shady activity at our customers' accounts.

#39
hedgehog

Thanks, EstMate, I wish more registrars would take action like you. Lately I've noticed that lots of malware domains have been registered through RegTime LTD (webnames.ru).

Keep up the good work :unsure:

#40
JeanInMontana

Tex, on Sep 10 2008, 08:08 PM, said:

Ok, so I'm somewhat confused about having estdomains in here since they appear to be so heavily involved in hosting malware sites. I had one of my sites compromised and was warned by google of the fact someone had turned it into a malware download page. From the info they sent me I went to http://stopbadware.org and downloaded this scary report which makes HEAVY mention of all things EST > http://blog.stopbadware.org/2008/08/28/rep...-and-affiliates and especially this portion which appears to show them as either being the same people or even controlled by Atrivo...

(page 8 of the above report)...
"A further key factor for cyber crime is anonymity, the most important of these Atrivo associations is, EstDomains (anonymous registrant), EstHost (anonymous hosting), PrivacyProtect (anonymous registrant), LogicBoxes (hosting servers). It is an interesting background Rather than an elaborate explanation in this version of the study, we use a few simple community quotes:
(a) Spam: 76.09% - 35 of 46 active domains appearing in (spam) email which are registered at ESTDOMAINS, INC. are listed by URIBL in the last 5 days. (URIBL - 08/28/08)"

So now I'm even feeling somewhat uncomfortable even using Malwarebytes because of this association here in this forum of someone whom apparently works with these apparent nogoodniks.

Someone care to explain to me what's going on here? If it's the EST bunch actually trying to clean up their act then fine (then prove it), if it's just another part of Atrivo's ongoing disinformation then it's NOT fine.

Tex

Sure I'll explain it. Start with the title of the topic, priority estdomains domain suspension requests. Then read the first post in this topic.

Quote

EstMate has joined malwarebytes.org and it appears that he has the ability to either directly or indirectly have rogue domains registered with Estdomains taken down.

Place all requests for rogue domain takedowns here and he should have them taken care of promptly.

Now read the thread.

If you can't see that great progress has been made here taking down dozens of bad sites I don't know what else would prove it to you. Don't ruin the good things being done here with your attitude.

You got a compromised site that's too bad. It has nothing to do with what is going on here.





