2008-12-01_03
The following changes were done in F-Secure Anti-Virus database update 2008-12-01_03:
Changes in version 2008-12-01_03:
——————————–
Changes in Orion engine databases:
——————————–
Added: Rogue:W32/RegSweep.A [1]
Added: Trojan-Downloader:JS/Agent.CUE [1]
Added: Trojan-Downloader:JS/Agent.CUF [1]
Added: Trojan-Downloader:VBS/Agent.AS [1]
Added: Trojan-Downloader:W32/Agent.IDL [1]
Added: Trojan-Downloader:W32/Agent.IDM [1]
Added: Trojan-Downloader:W32/FakeAlert.CB [1]
Added: Trojan-Downloader:W32/FakeAlert.CC [1]
Added: Trojan-Downloader:W32/Zlob.HZV [1]
Added: Trojan:W32/BHO.EUN [1]
Added: Trojan:W32/BHO.EUO [1]
Added: Trojan:W32/Vundo.BY [1]
Added: Trojan:W32/Vundo.BZ [2]
Added: Trojan:W32/Vundo.CA [1]
Added: Worm:W32/AutoRun.KO [1]
Removed: Trojan-PSW:W32/Habbo.A [1]
——————————–
Changes in AVP engine databases:
——————————–
Added: Backdoor.Win32.Agent.scj [1]
Added: Backdoor.Win32.Agent.uws [1]
Added: Backdoor.Win32.Agent.uwt [1]
Added: Backdoor.Win32.Aimbot.jl [1]
Added: Backdoor.Win32.Aimbot.jn [1]
Added: Backdoor.Win32.Hupigon.bwnd [1]
Added: Backdoor.Win32.Hupigon.eyiu [1]
Added: Backdoor.Win32.Hupigon.eyiv [1]
Added: Backdoor.Win32.Hupigon.eyiw [1]
Added: Backdoor.Win32.Hupigon.eyix [1]
Added: Backdoor.Win32.Hupigon.eyiy [1]
Added: Backdoor.Win32.Optix.Pro.ei [1]
Added: Backdoor.Win32.TDSS.bou [1]
Added: Constructor.Win32.Binder.np [1]
Added: Email-Worm.Win32.Brontok.em [1]
Added: Exploit.Win32.IMG-ANI.ct [1]
Added: Exploit.Win32.Pidief.ux [1]
Added: Hoax.Win32.Renos.vawm [1]
Added: Rootkit.Win32.Agent.fec [1]
Added: Trojan-Banker.Win32.Banker.aazp [1]
Added: Trojan-Banker.Win32.Banker.aazq [1]
Added: Trojan-Banker.Win32.Banker.aazr [1]
Added: Trojan-Banker.Win32.Banker.aazs [1]
Added: Trojan-Downloader.JS.Agent.dae [1]
Added: Trojan-Downloader.Win32.Agent.asmc [1]
Added: Trojan-Downloader.Win32.Agent.asmd [2]
Added: Trojan-Downloader.Win32.Agent.asme [2]
Added: Trojan-Downloader.Win32.Agent.asmf [1]
Added: Trojan-Downloader.Win32.AutoIt.ic [1]
Added: Trojan-Downloader.Win32.Banload.ymb [1]
Added: Trojan-Downloader.Win32.Banload.ymc [1]
Added: Trojan-Downloader.Win32.CodecPack.alp [1]
Added: Trojan-Downloader.Win32.Winlagons.akn [1]
Added: Trojan-Downloader.Win32.Zlob.aoki [1]
Added: Trojan-Downloader.Win32.Zlob.aokk [1]
Added: Trojan-Downloader.Win32.Zlob.aokm [1]
Added: Trojan-Dropper.Win32.Agent.aapk [1]
Added: Trojan-GameThief.Win32.Magania.amdo [1]
Added: Trojan-GameThief.Win32.Magania.amdp [1]
Added: Trojan-GameThief.Win32.Magania.amdq [1]
Added: Trojan-GameThief.Win32.Magania.amdr [1]
Added: Trojan-GameThief.Win32.Magania.amds [1]
Added: Trojan-GameThief.Win32.Magania.amdt [1]
Added: Trojan-GameThief.Win32.Magania.amdu [1]
Added: Trojan-GameThief.Win32.OnLineGames.tvkq [1]
Added: Trojan-GameThief.Win32.OnLineGames.tvkr [1]
Added: Trojan-GameThief.Win32.OnLineGames.tvks [1]
Added: Trojan-GameThief.Win32.OnLineGames.tvkt [1]
Added: Trojan-PSW.Win32.LdPinch.abxl [1]
Added: Trojan-Spy.Win32.Goldun.bhm [1]
Added: Trojan.JS.Agent.fl [1]
Added: Trojan.JS.Agent.fm [1]
Added: Trojan.JS.Agent.fn [1]
Added: Trojan.JS.Agent.fo [1]
Added: Trojan.JS.Agent.fp [1]
Added: Trojan.JS.Agent.fq [1]
Added: Trojan.Win32.Agent.arwd [1]
Added: Trojan.Win32.Agent.arwe [1]
Added: Trojan.Win32.Agent.arwf [1]
Added: Trojan.Win32.Agent.arwg [1]
Added: Trojan.Win32.Agent.arwh [1]
Added: Trojan.Win32.Agent.arwi [1]
Added: Trojan.Win32.Agent.arwj [1]
Added: Trojan.Win32.Agent.arwk [1]
Added: Trojan.Win32.Agent.arwl [1]
Added: Trojan.Win32.Agent.arwm [1]
Added: Trojan.Win32.Agent.arwn [1]
Added: Trojan.Win32.Agent.arwo [1]
Added: Trojan.Win32.Agent.arwp [1]
Added: Trojan.Win32.Agent.arwq [1]
Added: Trojan.Win32.Agent.arwr [1]
Added: Trojan.Win32.Agent.arws [1]
Added: Trojan.Win32.Agent.arwt [1]
Added: Trojan.Win32.Agent.arwu [1]
Added: Trojan.Win32.Agent.arwv [1]
Added: Trojan.Win32.Agent.arww [1]
Added: Trojan.Win32.Agent.arwx [1]
Added: Trojan.Win32.Agent.arwy [1]
Added: Trojan.Win32.Agent.arwz [1]
Added: Trojan.Win32.Agent.arxa [1]
Added: Trojan.Win32.BHO.ihy [1]
Added: Trojan.Win32.Buzus.adub [1]
Added: Trojan.Win32.Delf.gku [1]
Added: Trojan.Win32.Delf.gkv [1]
Added: Trojan.Win32.Inject.kus [1]
Added: Trojan.Win32.Monder.aann [1]
Added: Trojan.Win32.Monder.aanp [1]
Added: Trojan.Win32.Pakes.lyb [1]
Added: Trojan.Win32.Qhost.kgw [1]
Added: Trojan.Win32.StartPage.dbn [1]
Added: Trojan.Win32.VB.hfk [1]
Added: Worm.Win32.AutoRun.thk [1]
Added: Worm.Win32.AutoRun.thl [1]
Added: Worm.Win32.AutoRun.thm [1]
Added: Worm.Win32.AutoRun.thn [1]
2008-12-01_01
The following changes were done in F-Secure Anti-Virus database update 2008-12-01_01:
Changes in version 2008-12-01_01:
——————————–
Changes in Hydra engine databases:
——————————–
Added: Trojan-Downloader:W32/Zlob.HZU [1]
Added: Trojan-PSW:W32/Habbo.A [1]
Added: Trojan-PSW:W32/Magania.TJN [1]
Added: Trojan-PSW:W32/Magania.TJO [1]
Added: Trojan-Spy:W32/Banker.IWR [1]
Added: Trojan:W32/Agent.GPX [1]
Added: Trojan:W32/Qhost.VA [1]
Added: Trojan:W32/Vundo.BX [1]
Added: Worm:W32/AutoRun.KN [1]
2008-11-30_02
The following changes were done in F-Secure Anti-Virus database update 2008-11-30_02:
Changes in version 2008-11-30_02:
——————————–
Changes in Hydra engine databases:
——————————–
Added: Trojan-Downloader:W32/Agent.IDK [1]
Added: Trojan-Spy:W32/Banker.IWP [1]
Added: Trojan-Spy:W32/Banker.IWQ [1]
2008-11-30_01
The following changes were done in F-Secure Anti-Virus database update 2008-11-30_01:
Changes in version 2008-11-30_01:
——————————–
Changes in Hydra engine databases:
——————————–
Added: Adware:W32/Trymedia.C [1]
Removed: Adware:W32/Trymedia.C [1]
2008-11-29_01
The following changes were done in F-Secure Anti-Virus database update 2008-11-29_01:
Changes in version 2008-11-29_01:
——————————–
Changes in Hydra engine databases:
——————————–
Added: Trojan-Downloader:W32/Agent.IDF [1]
Added: Worm:W32/Downadup.A [1]
Added: Worm:W32/Downadup.C [1]
Added: Worm:W32/Downadup.D [1]
Added: Worm:W32/Downadup.E [1]
Added: Worm:W32/Downadup.F [1]
Removed: Trojan-Downloader:W32/Agent.IDF [1]
Removed: Worm:W32/Downadup.A [1]
AntiVir Personal 8.2.00.337
The AntiVir Personal Edition offers effective protection against computer viruses for individual and private use on a single PC workstation. To make easy operation possible, the AntiVir Personal Edition is developed to the essenti…
Avast! Home Edition 4.8.1296
Avast! 4 Home Edition is a full-featured antivirus package designed exclusively for home and non-commercial users. Home Edition is free of charge, since in our opinion it is possible to avoid global virus spreading by efficient prevention; howeve…
Spot the similarities
What I am trying to do is show my readers not only where malvertizements are coming from and what they look like, what they do and how they work, but also reveal the ties that bind between the various domains associated with the facilitation of malvertizing. You would be surprised how often the same names, the same Registrars, the same IP addresses (or IP range) are used, and even how often the same words are repeated on web pages at different web sites. The bad guys have always been, to put it bluntly, lazy … and they were lazy because we let them get away with it.
Below is an example of duplicate content on just two web sites for domains that have been associated with facilitating the distribution of malware via malvertizement. Don't get me wrong: the people behind sites such as this one are not quite as lazy as they used to be, and their grasp of the English language has certainly improved…
Note: "Sunwell Corporation" appears elsewhere on the site, quoted as a "client" of Zappinads. Perhaps coincidentally, there is a Sunwell Corporation website at sunwellcorp.com that was registered via Yesnic (just like Zappinads).
zappinads.com
ICANN Registrar: YESNIC CO. LTD
Reverse IP: bestadmedia.com, elanads.com, favouriteshop.com, infyte.com, keywordcpv.com, zappinads.com
adtraff.com
ICANN Registrar: TUCOWS INC
Note: A check of the IP range reveals Onlinepromostats.com at IP 84.243.252.86 - that domain was implicated in a malvertizement at photobucket.com (cite: malvertizing at photobucket).
ALERT: change of domain details - newstat.net
Those of us who are regular readers of my blog will know that newstat.net has been associated with malvertizing in the past. Its WHOIS details have recently been changed.
Old details:
Serg
Moon
moon.serg@gmail.com
Krokus str.
Amsterdam
NL
31 334558757
New details:
John Brisbone (larsonown@gmail.com)
Active Solutions
8255 S Michigan Ave
Chicago, IL 60608
US
5676876812
John Brisbone is associated with 3 other domains: aboutstat.net, freeorangestats.com and newstat.net. Note that newstat.net's website title, at time of writing, is "BurnadsHome", and aboutstat.net's website title is "Uniquads"; both are names familiar to the world of malvertizing, as is the name Serg Moon. As you'll see later in this article, burnads.com is now defunct, as is uniqads.com (both have an IP address of 127.0.0.1), and it seems that whoever created the sites for newstat.net and aboutstat.net didn't bother to properly edit the new sites' code.
larsonown@gmail.com (which is used in association with several pseudonyms) is associated with 6 domains: aboutstat.net, freeorangestats.com, getmosales.com, newstat.net, sexprofit.com and softwareprofit.com.
Let's follow the bouncing ball for a while: take a little peek at the ties that bind the above domains using various tools and services and see what we can find. For example, we discover a couple of other email addresses, admiragroup@yahoo.com and burnads_c@yahoo.com, that are worth a closer look. admiragroup@yahoo.com is associated with 6 domains: admiragroup.com, antispyexpert.com, antispyexpertpro.com, getmosales.com, malwarecrash.com and malwarecrashpro.com. burnads_c@yahoo.com is associated with two domains: burnads.com and the infamous netmediagroup.net.
newstat.net
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Reverse IP - several familiar names among the co-hosted domains.
aboutstat.net
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Reverse IP - see aboutstat.net.
freeorangestats.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Reverse IP - see aboutstat.net.
getmosales.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
sexprofit.com
ICANN Registrar: TUCOWS, INC
softwareprofit.com
ICANN Registrar: TUCOWS, INC
burnads.com
ICANN Registrar: YESNIC CO. LTD
uniqads.com
ICANN Registrar: TUCOWS INC
admiragroup.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
antispyexpert.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
IP Range: 89.18.181.% - lots of fraudware-esque domains: Advancedprivacyguard.com, Advancedprivacyguard2008.com, Advancedprivacyguardpro.com, Advancedprivacyguardsolution.com, Advancedprivacyguardtool.com, Advancedprivacysuite.com, Advancedprivacysuite2008.com, Advancedprivacysuite2009.com, Advancedprivacysuitepro.com, Antispyexpert.com, Antispyexpertpro.com, Antispywareexpert-scanner.com, Antispywareexpert-solution.com, Antispywareexpert-system.com, Antispywareexpertpro.com, Bestpcprivacycleaner.com, Cyberadvancedprivacysuite.com, Globaladvancedprivacyguard.com, Globaladvancedprivacysuite.com, Pc-cleanerpro.com, Pcadvancedprivacyguard.com, Pcadvancedprivacysuite.com, Pcprivacycleaner.com, Pcprivacycleanerpro.com, Personalpccleaner.com, Spywareremover2009pro.com, Swiftpcprivacycleaner.com, Yourpcprivacycleaner.com
antispyexpertpro.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
malwarecrash.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Reverse IP: antimalwareguard.com, antimalwareguardpro.com, antimalwaremasterpro.com, antispywareguard.com, antispywareguardpro.com, malwarecrash.com, malwarecrashpro.com
malwarecrashpro.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
netmediagroup.net
ICANN Registrar: YESNIC CO. LTD
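The pivot the post performs by hand (linking domains through a shared registrant e-mail, then reading the registrar only as context) can be scripted so that the same clusters fall out of any WHOIS export. This is an added example, not code from the post; its records are transcribed from the domain, e-mail and registrar associations listed above, and a live investigation would replace them with real WHOIS output.

```python
from collections import defaultdict

# Constructed sample records transcribed from the associations the post lists:
# (domain, registrant e-mail, registrar); getmosales.com is tied to both e-mails.
RECORDS = [
    ("newstat.net", "larsonown@gmail.com", "TLDS, LLC DBA SRSPLUS"),
    ("aboutstat.net", "larsonown@gmail.com", "TLDS, LLC DBA SRSPLUS"),
    ("freeorangestats.com", "larsonown@gmail.com", "TLDS, LLC DBA SRSPLUS"),
    ("getmosales.com", "larsonown@gmail.com", "TLDS, LLC DBA SRSPLUS"),
    ("sexprofit.com", "larsonown@gmail.com", "TUCOWS, INC"),
    ("softwareprofit.com", "larsonown@gmail.com", "TUCOWS, INC"),
    ("getmosales.com", "admiragroup@yahoo.com", "TLDS, LLC DBA SRSPLUS"),
    ("admiragroup.com", "admiragroup@yahoo.com", "TLDS, LLC DBA SRSPLUS"),
    ("antispyexpert.com", "admiragroup@yahoo.com", "TLDS, LLC DBA SRSPLUS"),
    ("antispyexpertpro.com", "admiragroup@yahoo.com", "TLDS, LLC DBA SRSPLUS"),
    ("malwarecrash.com", "admiragroup@yahoo.com", "TLDS, LLC DBA SRSPLUS"),
    ("malwarecrashpro.com", "admiragroup@yahoo.com", "TLDS, LLC DBA SRSPLUS"),
    ("burnads.com", "burnads_c@yahoo.com", "YESNIC CO. LTD"),
    ("netmediagroup.net", "burnads_c@yahoo.com", "YESNIC CO. LTD"),
]

def cluster_by_email(records):
    """Group domains linked by a shared registrant e-mail (union-find).
    Only the e-mail is an edge: a registrar such as Tucows serves millions of
    unrelated domains, so it is reported as context, never used as a link."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x

    first_seen = {}  # e-mail -> first domain registered with it
    for domain, email, _ in records:
        anchor = first_seen.setdefault(email, domain)
        parent[find(domain)] = find(anchor)  # union(domain, anchor)
    clusters = defaultdict(set)
    for domain, _, _ in records:
        clusters[find(domain)].add(domain)
    return sorted(clusters.values(), key=len, reverse=True)

def describe_cluster(cluster, records):
    """Registrar and e-mail breakdown of one cluster for the analyst's notes."""
    registrars, emails = defaultdict(set), set()
    for domain, email, registrar in records:
        if domain in cluster:
            registrars[registrar].add(domain)
            emails.add(email)
    return {"domains": len(cluster), "emails": sorted(emails),
            "registrars": {r: len(d) for r, d in registrars.items()}}
```

Because getmosales.com carries both e-mail addresses, the larsonown and admiragroup groups merge into one eleven-domain cluster, while the burnads_c pair stays separate despite sharing a registrar with nothing else here.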
[2/5] Ubuntu update for samba
Ubuntu has issued an update for samba. This fixes a vulnerability, which potentially can be exploited by malicious people to disclose sensitive information.
http://secunia.com/Advisories/32919/
NOTE: This RSS feed does not include information about updated Secunia advisories. You should note that Secunia on average issues more than 20 updated advisories per day, containing information about exploit and patch availability, new and in-depth research, and all other details that are relevant. Learn more about receiving complete and customised Secunia advisory information:
http://secunia.com/advisories/business_solutions/