[Full-Disclosure] Re: block all popups [google knockoff]

From: sh0rtie (this.is_at_gmail.com)
Date: 08/26/04

  • Next message: Todd Towles: "RE: [Full-Disclosure] Automated ssh scanning"
    To: Jeremy Heslop <vector@ezy.net>
    Date: Thu, 26 Aug 2004 22:06:38 +0100
    
    

    its spyware
    a quick peek inside the installer reveals links to toolbarshopper.com
    so definatly not google (although the toolbar does have links to use
    google as well as the usual affiliate links to other sites (using
    linksynergy)

    the site at ipaddress where the installer is located has links selling
    an ebook ,following the money (purchase) leads to a site
    called moreinfo4you.net a whois of this site reveals

    domain: moreinfo4you.net
    status: production
    organization: CSI
    owner: James Real jackson
    email: domainalias@yahoo.com
    address: 23244 Avenida Pico
    city: San Clemente
    state: CA
    postal-code: 92654
    country: US
    admin-c: domainalias@yahoo.com#0
    tech-c: domainalias@yahoo.com#0
    billing-c: domainalias@yahoo.com#0
    nserver: ns.dnsfree.biz
    nserver: ns2.dnsfree.biz
    registrar: JORE-1
    created: 2004-08-22 19:53:30 UTC JORE-1
    modified: 2004-08-22 22:25:43 UTC JORE-1
    expires: 2005-08-22 15:53:28 UTC
    source: joker.com
    db-updated: 2004-08-26 20:40:16 UTC

    fake details and joker.com is a public dns service often used by
    scammers because they can change domain ipaddresses (where the domain
    points to) quickly

    the ipaddress where the exe is located is based in korea (probably a
    compromised adsl machine)

    inetnum: 61.248.0.0 - 61.255.255.255
    netname: KRNIC-KR
    descr: KRNIC
    descr: Korea Network Information Center
    country: KR
    admin-c: HM127-AP
    tech-c: HM127-AP
    remarks: ******************************************
    remarks: KRNIC is the National Internet Registry
    remarks: in Korea under APNIC. If you would like to
    remarks: find assignment information in detail
    remarks: please refer to the KRNIC Whois DB
    remarks: http://whois.nic.or.kr/english/index.html
    remarks: ******************************************
    mnt-by: APNIC-HM
    mnt-lower: MNT-KRNIC-AP
    changed: hostmaster@apnic.net 20010321
    changed: hostmaster@apnic.net 20010606
    status: ALLOCATED PORTABLE
    source: APNIC

    person: Host Master
    address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
    address: Seoul, Korea, 137-857
    country: KR
    phone: +82-2-2186-4500
    fax-no: +82-2-2186-4496
    e-mail: hostmaster@nic.or.kr
    nic-hdl: HM127-AP
    mnt-by: MNT-KRNIC-AP
    changed: hostmaster@nic.or.kr 20020507
    source: APNIC

    regards

    On Tue, 24 Aug 2004 21:49:41 -0400, Jeremy Heslop <vector@ezy.net> wrote:
    > Not sure who this should go to, but I received an email the other day
    > and it is advertising the google toolbar. It installs a toolbar, but not
    > googles. Looks sketchy to me and similar to other phishing attempts. URL
    > to valuebar_setup.exe was in email.
    >
    > Jeremy
    >
    > Html email here: http://footon.jheslop.com/block%20all%20popups.html
    > txt email here: http://footon.jheslop.com/block%20all%20popups.txt
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Todd Towles: "RE: [Full-Disclosure] Automated ssh scanning"