SpyAxe -> SpywareStrike
Hey All... just a heads up to let you know that SpyAxe has had a baby... Spyware Strike. The website is on the same IP as spyaxe (spywarestrike.com). We have been receiving reports of this one installed using WMF exploits and will be adding it to detection ASAP... (yes yes I know it's Sunday... I just popped into work to put up a desk) I hope MS fix the WMF problem on Tuesday.. it's gettin' outa' hand....
Cudni (La Merma - Vigilado, MVM, join:2003-12-20, Someshire)
2006-Jan-8 11:02 am
It never ends. Thanks for heads up
Cudni
fatdcuk (Premium Member, join:2005-02-20, England)
2006-Jan-8 11:07 am
That's great news LS Steve. SmitRem c/o noahdfear has already updated his tool to take care of this new variant. » www3.dslreports.com/faq/13542
Also Microsoft released a patch for the WMF exploit on 5/1/06 » www3.dslreports.com/foru ··· ~start=0
to Profixer
We started seeing this on Jan 5th. In fact, suzi5 wrote up a nice blog on the new SpyAxe twin, SpywareStrike. » blogs.zdnet.com/Spyware/ ··· hp?p=742
Unfortunately, I'm sure we'll see more of these smitfraud variants, using many different exploits. I'm glad Lavasoft is working hard to keep up with these.
Edit: typo
to Profixer
We would be up a creek without a paddle if noahdfear wasn't updating his tool so frequently.
Corrine (Premium Member, join:2004-08-27)
to Profixer
said by Profixer:
...I just popped into work to put up a desk...
That is no way to spend a Sunday. There's no limit to the talents of LS Research!
to Profixer
There may also be an association with the following apps: \Program Files\Crystalys Media and \Program Files\Video iCodec. Seems noahdfear is looking for info on them, but not what is linked to below. Additional info provided by a user at TC: » forums.tomcoyote.org/ind ··· ic=55547
your moderator at work
to Profixer
Re: SpyAxe -> SpywareStrike
Hi All: More "wonderful" news from the rogue anti-spyware front: the universally loved SpySheriff has also spawned yet another clone: Spyware-Stop (spyware-stop.com). Screenshots here: » www.spywarewarrior.com/f ··· s.htm#15
That's rogue family #15 above. Families #17, #18, #19, #20, #21, and #22 (visible lower on the same page) contain most of the rest of the CWS-related rogue anti-spyware apps.
Best,
Eric L. Howes
to Profixer
They must have been in such a rush to bang it out, and with all those different versions too, they musta got confused which product they are trying to foist on people this time. It's got SpywareNo! plastered all over the panels etc lol. » www.spyware-stop.com/help.php#r9
Don't you just weep for them hey!
Spanner
to eburger68
Hi Eric!
Whooboy. Have you looked at the whois info for spyware-stop.com? It's good old markus-nullday-ExpDialer.
Which finally confirms the long-suspected link between the SpywareNo/SpySheriff/SpyTrooper/SpyDemolisher gang and CWS exploits. (Other than that CWS exploits so often install them.)
expdialer.com/traffcash.com is/was itself a significant CWS affiliate hub from which the exploits were served. So looks like the SpywareNo gang are themselves criminal exploit-installers.
Which isn't like any great surprise or anything of course.
Edit: www.master-x.com/forum/postings/464302 - if the fish's translation is accurate, here's "markus" asking for affiliates to promote Spyware-Stop by all means including unsolicited downloads.
to Profixer
But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch?
And if so what links connect them?
to Profixer
Andrew: Good catch! Here's yet another SpySheriff clone that popped up: PestTrap (pesttrap.com) Info: » spywarewarrior.com/viewt ··· ?t=19219
Best,
Eric L. Howes
to TeMerc6
quote: But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch?
Apart from having the same business model, affiliating with the same Russian adult webmasters, and using the same old dodgy hosting companies as the rest of CWSdom - no, not as far as I can tell. Here's a whois dump of servers associated with them: SpyAxe rogue antispyware and scare ads, same interface as antivirusgold, adwaredelete (Impro group).
Whereas here's the SpySheriff et al gang (who are indeed also responsible for the new PestTrap): SpywareNo gang, italian-bilanguage exploit hub redir from new megatds. expdialer used as target in server hackings.
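An added example, not code from the thread or from any poster, showing the pivot Andrew's whois comparison relies on: domains are linked into one infrastructure cluster when they transitively share a hosting IP, nameserver or registrant, and two rogue families count as related only if their seed domains land in the same cluster. All records are constructed placeholders, and `cluster_domains` and `linked` are names chosen here.

```python
from collections import defaultdict

# Constructed sample WHOIS/DNS records: (domain, hosting IP, nameserver, registrant).
# Every value is a placeholder for illustration, not data from the thread.
SAMPLE_RECORDS = [
    ("rogue-a.example",         "192.0.2.10",   "ns1.hub-a.example", "Registrant A"),
    ("rogue-a-support.example", "192.0.2.11",   "ns1.hub-a.example", "Registrant A"),
    ("rogue-a-twin.example",    "192.0.2.10",   "ns2.hub-a.example", "Registrant C"),
    ("rogue-b.example",         "198.51.100.5", "ns1.hub-b.example", "Registrant B"),
    ("rogue-b-clone.example",   "198.51.100.5", "ns1.hub-b.example", "Registrant D"),
    ("rogue-b-next.example",    "198.51.100.6", "ns1.hub-b.example", "Registrant B"),
]


class DisjointSet:
    """Union-find over arbitrary hashable labels (domains and attributes)."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_domains(records):
    """Map each domain to the frozenset of domains that transitively share an
    IP, nameserver or registrant with it. Attribute nodes are namespaced so an
    IP string can never collide with a domain or registrant string."""
    ds = DisjointSet()
    for domain, ip, ns, registrant in records:
        for attr in (("ip", ip), ("ns", ns), ("reg", registrant)):
            ds.union(("dom", domain), attr)
    members = defaultdict(set)
    for domain, *_ in records:
        members[ds.find(("dom", domain))].add(domain)
    return {d: frozenset(members[ds.find(("dom", d))]) for d, *_ in records}


def linked(records, seed_a, seed_b):
    """True only if the seeds share infrastructure, directly or via a chain."""
    return seed_b in cluster_domains(records)[seed_a]
```

Commodity attributes such as a registrar's parking nameserver or a large shared host will join unrelated domains, so drop those attributes before trusting a cluster.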
fatdcuk (Premium Member, join:2005-02-20, England)
to TeMerc6
said by TeMerc6:
But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch? And if so what links connect them?
"Bottom feeders" is a definite common denominator present.