Profixer
Member
join:2005-07-01

SpyAxe -> SpywareStrike

Hey All... just a heads up to let you know that SpyAxe has had a baby... Spyware Strike. The website is on the same IP as spyaxe (spywarestrike.com). We have been receiving reports of this one installed using WMF exploits and will be adding it to detection ASAP... (yes yes I know it's Sunday... I just popped into work to put up a desk) I hope MS fix the WMF problem on Tuesday.. it's getting out of hand....

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

It never ends. Thanks for the heads up.

Cudni

fatdcuk
Premium Member
join:2005-02-20
England

That's great news, LS Steve.

SmitRem C/O NoAdFear has already updated his tool to take care of this new variant.
»www3.dslreports.com/faq/13542

Also, Microsoft released a patch for the WMF exploit on 5/1/06
»www3.dslreports.com/foru ··· ~start=0

CalamityJane to Profixer
Premium Member
join:2002-08-27
Eustis, FL

We started seeing this on Jan 5th. In fact, suzi5 wrote up a nice blog on the new SpyAxe twin, SpywareStrike.
»blogs.zdnet.com/Spyware/ ··· hp?p=742

Unfortunately, I'm sure we'll see more of these smitfraud variants, using many different exploits. I'm glad Lavasoft is working hard to keep up with these.

Edit: typo

winchester73 to Profixer
Member
join:2003-08-08
Chapel Hill, NC

We would be up a creek without a paddle if noahdfear wasn't updating his tool so frequently.

Corrine to Profixer
Premium Member
join:2004-08-27

said by Profixer:

...I just popped into work to put up a desk...
That is no way to spend a Sunday. There's no limit to the talents of LS Research!

TeMerc6 to Profixer
Member
join:2004-01-22
Phoenix, AZ

There may also be an association with the following apps:
Program Files\Crystalys Media and \\Program Files\Video iCodec

Seems noahadfear is looking for info on them, but not what is linked to below.

Additional info provided by a user at TC:
»forums.tomcoyote.org/ind ··· ic=55547

eburger68 to Profixer
Premium Member
join:2001-04-28

Re: SpyAxe -> SpywareStrike

Hi All:

More "wonderful" news from the rogue anti-spyware front: the universally loved SpySheriff has also spawned yet another clone: Spyware-Stop (spyware-stop.com). Screenshots here:

»www.spywarewarrior.com/f ··· s.htm#15

That's rogue family # 15 above. Families #17, #18, #19, #20, #21, and #22 (visible lower on the same page) contain most of the rest of the CWS-related rogue anti-spyware apps.

Best,

Eric L. Howes

SpannerITWks to Profixer
Premium Member
join:2005-04-22

They must have been in such a rush to bang it out, and with all those different versions too, they musta got confused which product they are trying to foist on people this time.

It's got SpywareNo! plastered all over the panels etc lol.

»www.spyware-stop.com/help.php#r9

Don't you just weep for them, hey!

Spanner

bobince to eburger68
Member
join:2002-04-19
DE

Hi Eric!

Whooboy. Have you looked at the whois info for spyware-stop.com? It's good old markus-nullday-ExpDialer.

Which finally confirms the long-suspected link between the SpywareNo/SpySheriff/SpyTrooper/SpyDemolisher gang and CWS exploits. (Other than that CWS exploits so often install them.)

expdialer.com/traffcash.com is/was itself a significant CWS affiliate hub from which the exploits were served. So looks like the SpywareNo gang are themselves criminal exploit-installers.

Which isn't like any great surprise or anything of course.

Edit: www.master-x.com/forum/postings/464302 - if the fish's translation is accurate, here's "markus" asking for affiliates to promote Spyware-Stop by all means including unsolicited downloads.

TeMerc6 to Profixer
Member
join:2004-01-22
Phoenix, AZ

But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch?

And if so what links connect them?

eburger68 to Profixer
Premium Member
join:2001-04-28

Andrew:

Good catch! Here's yet another SpySheriff clone that popped up:

PestTrap (pesttrap.com)
Info: »spywarewarrior.com/viewt ··· ?t=19219

Best,

Eric L. Howes

bobince to TeMerc6
Member
join:2002-04-19
DE

quote:
But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch?
Apart from having the same business model, affiliating with the same Russian adult webmasters, and using the same old dodgy hosting companies as the rest of CWSdom - no, not as far as I can tell. Here's a whois dump of servers associated with them:

SpyAxe rogue antispyware and scare ads
same interface as antivirusgold, adwaredelete (Impro group)
Whereas here's the SpySheriff et al gang (who are indeed also responsible for the new PestTrap).

SpywareNo gang, italian-bilanguage exploit hub redir from new megatds.
expdialer used as target in server hackings. user nullday on umaxforum.
ICQ 3317159. linked to sgrunt, WB.

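As an added illustration (not from the post or its author) of the pivoting bobince does by hand above, the script below links domains that share a hosting IP or a registrant name, using a constructed subset of the whois rows from his dump, and reports whether two domains end up in the same infrastructure cluster. It reproduces his conclusion that the SpyAxe cluster and the SpySheriff/Spyware-Stop cluster never connect, while spyware-stop.com and spysheriff.com do (via spyware-cash.com, which shares an IP with one and a registrant with the other).

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# (domain, hosting IP, registrant) - constructed subset of the rows in the
# post above; a registrant string is treated as a single pivot key.
Record = Tuple[str, str, str]

RECORDS: List[Record] = [
    ("spyaxe.com",           "195.225.176.68", "David Taylor"),
    ("spywarestrike.com",    "195.225.176.68", "David Taylor"),
    ("download6.spyaxe.net", "85.255.114.203", "David Taylor"),
    ("malwarewipe.com",      "85.255.114.202", "Michael Rodriges"),
    ("spyware-stop.com",     "69.50.166.196",  "ExpDialer markus"),
    ("spyware-cash.com",     "69.50.166.196",  "Alexandre Ivanov"),
    ("spysheriff.com",       "69.50.170.83",   "Alexandre Ivanov"),
    ("spydemolisher.com",    "69.50.170.84",   "Alexandre Ivanov"),
    ("expdialer.com",        "84.245.216.10",  "ExpDialer markus"),
]


def cluster_by_infrastructure(records: List[Record]) -> List[List[str]]:
    """Union-find over domains: two domains are linked when they share an
    exact IP or a registrant. Adjacent IPs in the same block do NOT link,
    so malwarewipe.com stays a singleton in this subset."""
    parent: Dict[str, str] = {d: d for d, _, _ in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_key: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for domain, ip, registrant in records:
        by_key[("ip", ip)].append(domain)
        by_key[("registrant", registrant.lower())].append(domain)
    for members in by_key.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])

    groups: Dict[str, set] = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def same_cluster(groups: List[List[str]], a: str, b: str) -> bool:
    return any(a in g and b in g for g in groups)


if __name__ == "__main__":
    for group in cluster_by_infrastructure(RECORDS):
        print(", ".join(group))
```

Adding further pivot keys (name servers, registrant e-mail, the "@esthost"/"@atrivo" hosting provider tags in the dump) is a one-line change to the `by_key` loop, but each key should be chosen deliberately since a shared hosting provider alone links unrelated customers.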
fatdcuk to TeMerc6
Premium Member
join:2005-02-20
England

said by TeMerc6:

But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch?

And if so what links connect them?
"bottom feeders" is a definite common denominator present.