Profixer

join:2005-07-01


SpyAxe -> SpywareStrike

Hey All... just a heads up to let you know that SpyAxe has had a baby... Spyware Strike. The website is on the same IP as spyaxe (spywarestrike.com). We have been receiving reports of this one installed using WMF exploits and will be adding it to detection ASAP... (yes yes I know it's Sunday... I just popped into work to put up a desk) I hope MS fix the WMF problem on Tuesday.. it's gettin' outa' hand....


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
It never ends. Thanks for heads up

Cudni


fatdcuk
Premium
join:2005-02-20
England


That's great news, LS Steve.

SmitRem C/O NoAdFear has already updated his tool to take care of this new variant.
»www3.dslreports.com/faq/13542

Also, Microsoft released a patch for the WMF exploit on 5/1/06
»www3.dslreports.com/forum/remark···~start=0


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


reply to Profixer
We started seeing this on Jan 5th. In fact, suzi wrote up a nice blog on the new SpyAxe twin, SpywareStrike.
»blogs.zdnet.com/Spyware/index.php?p=742

Unfortunately, I'm sure we'll see more of these smitfraud variants, using many different exploits. I'm glad Lavasoft is working hard to keep up with these.

Edit: typo
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP (Alliance of Security Analysis Professionals)

winchester73

join:2003-08-08
Chapel Hill, NC
reply to Profixer
We would be up a creek without a paddle if noahdfear wasn't updating his tool so frequently.


Corrine
Premium
join:2004-08-27

reply to Profixer
said by Profixer:

> ...I just popped into work to put up a desk...
That is no way to spend a Sunday. There's no limit to the talents of LS Research!
--
Microsoft MVP, Windows - Security; Administrator Freedomlist & LandzDown; Charter Member ASAP

TeMerc

join:2004-01-22
Phoenix, AZ

reply to Profixer
There may also be an association with the following apps:
Program Files\Crystalys Media and \\Program Files\Video iCodec

Seems noahdfear is looking for info on them, but not what is linked to below.

Additional info provided by a user at TC:
»forums.tomcoyote.org/index.php?s···ic=55547

eburger68
Premium,MVM
join:2001-04-28

reply to Profixer
Re: SpyAxe -> SpywareStrike

Hi All:

More "wonderful" news from the rogue anti-spyware front: the universally loved SpySheriff has also spawned yet another clone: Spyware-Stop (spyware-stop.com). Screenshots here:

»www.spywarewarrior.com/family_re···s.htm#15

That's rogue family #15 above. Families #17, #18, #19, #20, #21, and #22 (visible lower on the same page) contain most of the rest of the CWS-related rogue anti-spyware apps.

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior


SpannerITWks
Premium
join:2005-04-22

reply to Profixer
They must have been in such a rush to bang it out, and with All those different versions too, they musta got confused which product they are trying to foist on people this time.

It's got SpywareNo! plastered all over the panels etc lol.

»www.spyware-stop.com/help.php#r9

Don't you just weep for them hey !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks

bobince

join:2002-04-19
DE


reply to eburger68
Hi Eric!

Whooboy. Have you looked at the whois info for spyware-stop.com? It's good old markus-nullday-ExpDialer.

Which finally confirms the long-suspected link between the SpywareNo/SpySheriff/SpyTrooper/SpyDemolisher gang and CWS exploits. (Other than that CWS exploits so often install them.)

expdialer.com/traffcash.com is/was itself a significant CWS affiliate hub from which the exploits were served. So looks like the SpywareNo gang are themselves criminal exploit-installers.

Which isn't like any great surprise or anything of course.

Edit: www.master-x.com/forum/postings/464302 - if the fish's translation is accurate, here's "markus" asking for affiliates to promote Spyware-Stop by all means including unsolicited downloads.

TeMerc

join:2004-01-22
Phoenix, AZ
reply to Profixer
But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch?

And if so what links connect them?

eburger68
Premium,MVM
join:2001-04-28

reply to Profixer
Andrew:

Good catch! Here's yet another SpySheriff clone that popped up:

PestTrap (pesttrap.com)
Info: »spywarewarrior.com/viewtopic.php?t=19219

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software
Spyware Warrior

bobince

join:2002-04-19
DE


reply to TeMerc
said by TeMerc:

> But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch?
Apart from having the same business model, affiliating with the same Russian adult webmasters, and using the same old dodgy hosting companies as the rest of CWSdom - no, not as far as I can tell. Here's a whois dump of servers associated with them:

SpyAxe rogue antispyware and scare ads
same interface as antivirusgold, adwaredelete (Impro group)


Whereas here's the SpySheriff et al gang (who are indeed also responsible for the new PestTrap).

SpywareNo gang, Italian-bilingual exploit hub redirected from new megatds.
expdialer used as target in server hackings. User nullday on umaxforum.
ICQ 3317159. Linked to sgrunt, WB.
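Clustering whois-style records of the kind posted above by shared IP and shared registrant, as an added example that is not bobince's code: the records are transcribed from his dump, and the link rule (a shared IP or registrant counts, a shared hosting company alone does not) follows his point that the same "dodgy" hosters serve the rest of CWSdom too.

```python
# Added example (not from the thread): cluster whois-style records of the kind
# bobince posted, to see which rogue-antispyware domains share infrastructure.
# Records are transcribed from the post's dump: (domain, ip, registrant, hoster).
from collections import defaultdict

RECORDS = [
    ("spyaxe.com", "195.225.176.68", "David Taylor", "netcat"),
    ("spywarestrike.com", "195.225.176.68", "David Taylor", "netcat"),
    ("spyaxesupport.com", "69.31.131.82", "David Taylor", "pilosoft"),
    ("ns1.almanah.biz", "195.225.176.68", "Joshua Veronimo", "netcat"),
    ("ns6.almanah.biz", "216.255.183.2", "Joshua Veronimo", "atrivo"),
    ("spywareno.com", "69.50.166.196", "Alexandre Petrov", "atrivo"),
    ("spyware-stop.com", "69.50.166.196", "ExpDialer markus", "atrivo"),
    ("spysheriff.com", "69.50.170.83", "Alexandre Ivanov", "atrivo"),
    ("spy-trooper.com", "69.50.170.83", "Alexandre Ivanov", "atrivo"),
    ("spydemolisher.com", "69.50.170.84", "Alexandre Ivanov", "atrivo"),
    ("pesttrap.com", "69.50.167.173", "Alison Popandopulos", "atrivo"),
    ("spytrooper.com", "69.50.170.82", "Alison Popandopulos", "atrivo"),
]
FIELD = {"ip": 1, "registrant": 2, "hoster": 3}

def cluster(records, link_on=("ip", "registrant")):
    """Union-find: two domains join when they share any field named in link_on.
    The post treats a shared IP or registrant as a link; sharing only a hosting
    company is not one, since the same hosters serve the rest of CWSdom too."""
    parent = {r[0]: r[0] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for field in link_on:
        first_seen = {}  # field value -> first domain carrying it
        for r in records:
            key = r[FIELD[field]]
            if key in first_seen:
                parent[find(r[0])] = find(first_seen[key])
            else:
                first_seen[key] = r[0]
    groups = defaultdict(set)
    for r in records:
        groups[find(r[0])].add(r[0])
    return sorted(sorted(g) for g in groups.values())

def same_cluster(records, a, b, link_on=("ip", "registrant")):
    """True when domains a and b land in one group under the given link rule."""
    return any(a in g and b in g for g in cluster(records, link_on))
```

Under the strict rule the SpyAxe domains collapse into one group while the SpySheriff side stays in several sub-groups, because the post's grouping there also leans on adjacent IP blocks at one hoster and outside knowledge the rule does not encode. Adding "hoster" to `link_on` merges everything into a single group via atrivo, which is exactly the false link the post dismisses.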


fatdcuk
Premium
join:2005-02-20
England

reply to TeMerc
said by TeMerc:

> But is the SpySheriff\SpyTrooper\SpyDemolisher\Spyware-Stop gang also related to the SpyAxe\SpywareStrike bunch?
>
> And if so what links connect them?

"Bottom feeders" is a definite common denominator present.
© 1999-2009 dslreports.com