(read on to find out the source of all your Pulse360 clickfraud)
So yesterday I was browsing for a download link for the latest Entourage episode on warez-bb.org - usually a very safe forum. I hadn't even downloaded anything yet - I was just browsing around (in Firefox). All of a sudden AVG started freaking out with a bunch of messages about shit getting downloaded. I deleted what I could... or so it seemed.
I've got this spyware on my computer now that is a pain in the ass to remove. I can't open .exe installation files, for one thing (like I tried to download HijackThis but can't install it), and it does all sorts of other shit. When I search for something in Google, all the results are redirected to something like:
Code:
http://windowsclick.com/go.php?u=Ap7qs0A8vyj55CRShiFZgIVFhwlI2SpUsnVwckdy_r7Tly0VC4ulA1kiu2shj5C9vzZESGxC5ys88wYoaVyDFtoAe0pC4d93bb3Rfzhkz48Eenw4HRgwPhB7fGeimxPA-w-H2B5P2O3r6HURmFM31vNJ-GEkEFfgINiOtcOV-ovcbBIb_hPRHcO3RvF9OD_XNwQF7avzYT4wxHAyV3y_aumYawJJxiCxEGAeuUUAQjv42g5qtKIrChUF4aUr991A3TZGSffg2cR5D4AxjP8F5mOsIhsk0A3MMqROpLO6Ocm-N8qOoIrdqH9ZZBA1O1ATSiUs36GWPcdnyO2tLZ6t9FaFdx2ZN-got2qvg22BU-ncaC4wXlydJt7E634Dl4eE0Jw4j7-xFZmm12XFmF8NhZddc0bl98h88l3cCkZYJCfKMTAq44s7zEVlBZG6DAd9Lqkr2pjhPS7pas0jNoPdZRwbgufmiVmAwWYy-RNBz2gzb1dlNNJfoOweuSd7mknfBxTz723B8uepaBp7_8CAh4FGd92-b6JSJHI6bsz-O2l1MtoMX25IjIkr3LnoELlvFGTWnOvGg042VbWEes0G79tlvnzd79N2ftUGu4w2Q2Gsiy5Yt7sx1kqwfJL5IjwehC4lXDNMdAhU9gVLzw9Trqxn8NrpWHF6gqxV26GF7SaL2c1l3iYZZFlDt_dSNy89yTNmKzGR-yLN9OMfRycz2TQq2XDBjspZff7INHm2bfH5cvbQyHb8O0zjgGBnMtP_ubRbJh8QKZnqCjov5Ec799LKLzDWa0dzWGxzte-prmLcpwbonwPMPLat6IKeQCdjLtZBwu3JaN0w1tXi5pJqbqyuxZBGQ6MsotJZ4vpqYiNwdvHuZa9400ArdoYJxh2vEsDVgfOWd3UBKXXasbN5djhPU8-d04kEwubwcA5tHnOIWrxI91UcZl6fFYEvq7kcf7FctnapFqWVp3Bx_wQJ22muFKdzislv8ZtI5jL-2RnZ1Zq0o3EmKQudKyJgnWA5frLWpmtbP7Rbv03bymsz9pimu0WzYcm58nOGTPVlO9uZOvNOKBe44Vr39aGalvMIV3qcEJY8bjTj6JOu9C_SBpNHlqntd1qUmquifaK7J1wBLuFpq9zbMc6H1kt1vz3XjqKp_69x7Y1dcG6htuIEXP_JbY_6V3LRuVWqUfX2vvOdPFxqgXb6c7cu06xQOmrAmKCZoPR4K-CPI7qf7ypWmvXKy5bl7XT5hr-gLRPXbwcWTbHoHuxvPnOjmzEyMUmzkoCGCGjYYYMlhRJceKOLlSFY5J9jDw5aMlGTi4ILDx5lsmT45IOG1i4c2O7rfqOhD1nLIUMOEMIrAEC_fyDg_Z_x6G7V9puwL57TGHbkXkZMPkSMjr6WtWSe6de9_HJUQCJHJm01dFEEREFQwC4CrzJ4J5I-DAAglqumMlloNe%3Ds%3Fphp.c%2F711.691.111.46&bid=0.025500&aid=158&said=clean12&mppc=peak
I wanted to see where this was hosted, so I looked up the whois. I got more than I bargained for!
Keep in mind this is from a very visible URL that I can see just by clicking on a Google result - it is not some background process. Surely nobody running spyware traffic would be stupid enough not to get a private whois. So it must be a fake name or identity theft or something, right?
Code:
Domain Name: windowsclick.com
Registered at http://www.dynadot.com
Registrant:
Zitoclick
Elliott Cameron
15180 Western Springs
Reno, NV 89521
United States
Administrative Contact:
Zitoclick
Elliott Cameron
15180 Western Springs
Reno, NV 89521
United States
+1 775-851-7682
Technical Contact:
Zitoclick
Elliott Cameron
15180 Western Springs
Reno, NV 89521
United States
+1 775-851-7682
Record expires on 2010/01/11 UTC
Record created on 2009/01/11 UTC
Domain servers in listed order:
ns1.zitodns.com
ns2.zitodns.com
Turns out, no...
If you Google for Elliot Cameron, it's not difficult to find this little gem:
Federal Trade Commission, Plaintiff, v. ERG Ventures, LLC, et al, Defendants
Looks like this guy has been around the block when it comes to spyware! He had to pay $3 mil in '07 along with his partners - which is probably nothing compared to how much he banks.
I tried calling him but got his answering machine. I left a message asking him to call me back regarding private matters.
------------
other details:
I watched Ethereal to see what kind of shit this spyware is doing. There is always at least one instance of iexplore.exe open in the background consuming a fair bit of memory, so what is it up to?
It's putting all sorts of random searches through
Code:
http://www.alertsfind.com
Code:
http://www.alert4find.com
That's an obvious rip of
(just look at the unchanged footer). It then proceeds to click on the Kanoodle ads, engaging in obvious clickfraud against a Pulse360-owned company (no wonder we are always complaining :crying:).
Meanwhile, it sends queries that look like this:
Code:
http://www.toptravetmd.com/work.aspx?query=E4C6D5AA9E98A1A9A3AF9CADA0B5A9B1A9BEA892A9716FEBDEE2CAB4A4846FE2DCE0DCA4A9A3AD9A9F737AE8DCE5B5A092979D95AE97A6
If you go to that page you see:
Code:
user= pass= remotehost=74.222.4.235
This seems to be the central control of the whole bot that it checks with for instructions. Toptravetmd.com has an index page that says "正在建设中、、、、、、" which in English means "under construction" - obviously the dude's control center.
That domain is registered to some Chinese motherfucker at some sketchy registrar, and is on a server at VRTSERVERS.NET.
So that's about all I have right now.
tl;dr: suggestions for Elliot Cameron? :zzwhip:
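An added example, not part of the post and not code from any of the sites it names: the go.php redirect URL quoted above hides its real destination in the `u` parameter, written backwards. The tail `%3Ds%3Fphp.c%2F711.691.111.46` percent-decodes to `=s?php.c/711.691.111.46`, which reversed reads `64.111.196.117/c.php?s=`; the long opaque blob is therefore the destination's `s` parameter, reversed. The script below parses that out offline from the captured string (it contacts nothing). The `http://` scheme it prepends is an assumption, since the reversed string carries no scheme, and no attempt is made to decode the blob itself.

```python
"""Pull the real destination and the click-tracking fields out of the
windowsclick.com go.php redirect captured in the post (added example)."""
from urllib.parse import parse_qs, urlparse

# The redirect URL exactly as captured in the post (the page's own data).
REDIRECT_URL = (
    "http://windowsclick.com/go.php?u=Ap7qs0A8vyj55CRShiFZgIVFhwlI2SpUsnVwckdy_r7Tly0VC4ulA1kiu2shj5C9vzZESGxC5ys88wYoaVyDFtoAe0pC4d93bb3Rfzhkz48Eenw4HRgwPhB7fGeimxPA-w-H2B5P2O3r6HURmFM31vNJ-GEkEFfgINiOtcOV-ovcbBIb_hPRHcO3RvF9OD_XNwQF7avzYT4wxHAyV3y_aumYawJJxiCxEGAeuUUAQjv42g5qtKIrChUF4aUr991A3TZGSffg2cR5D4AxjP8F5mOsIhsk0A3MMqROpLO6Ocm-N8qOoIrdqH9ZZBA1O1ATSiUs36GWPcdnyO2tLZ6t9FaFdx2ZN-got2qvg22BU-ncaC4wXlydJt7E634Dl4eE0Jw4j7-xFZmm12XFmF8NhZddc0bl98h88l3cCkZYJCfKMTAq44s7zEVlBZG6DAd9Lqkr2pjhPS7pas0jNoPdZRwbgufmiVmAwWYy-RNBz2gzb1dlNNJfoOweuSd7mknfBxTz723B8uepaBp7_8CAh4FGd92-b6JSJHI6bsz-O2l1MtoMX25IjIkr3LnoELlvFGTWnOvGg042VbWEes0G79tlvnzd79N2ftUGu4w2Q2Gsiy5Yt7sx1kqwfJL5IjwehC4lXDNMdAhU9gVLzw9Trqxn8NrpWHF6gqxV26GF7SaL2c1l3iYZZFlDt_dSNy89yTNmKzGR-yLN9OMfRycz2TQq2XDBjspZff7INHm2bfH5cvbQyHb8O0zjgGBnMtP_ubRbJh8QKZnqCjov5Ec799LKLzDWa0dzWGxzte-prmLcpwbonwPMPLat6IKeQCdjLtZBwu3JaN0w1tXi5pJqbqyuxZBGQ6MsotJZ4vpqYiNwdvHuZa9400ArdoYJxh2vEsDVgfOWd3UBKXXasbN5djhPU8-d04kEwubwcA5tHnOIWrxI91UcZl6fFYEvq7kcf7FctnapFqWVp3Bx_wQJ22muFKdzislv8ZtI5jL-2RnZ1Zq0o3EmKQudKyJgnWA5frLWpmtbP7Rbv03bymsz9pimu0WzYcm58nOGTPVlO9uZOvNOKBe44Vr39aGalvMIV3qcEJY8bjTj6JOu9C_SBpNHlqntd1qUmquifaK7J1wBLuFpq9zbMc6H1kt1vz3XjqKp_69x7Y1dcG6htuIEXP_JbY_6V3LRuVWqUfX2vvOdPFxqgXb6c7cu06xQOmrAmKCZoPR4K-CPI7qf7ypWmvXKy5bl7XT5hr-gLRPXbwcWTbHoHuxvPnOjmzEyMUmzkoCGCGjYYYMlhRJceKOLlSFY5J9jDw5aMlGTi4ILDx5lsmT45IOG1i4c2O7rfqOhD1nLIUMOEMIrAEC_fyDg_Z_x6G7V9puwL57TGHbkXkZMPkSMjr6WtWSe6de9_HJUQCJHJm01dFEEREFQwC4CrzJ4J5I-DAAglqumMlloNe%3Ds%3Fphp.c%2F711.691.111.46&bid=0.025500&aid=158&said=clean12&mppc=peak"
)


def decode_redirect(url: str) -> dict:
    """Return the click-tracking fields of a go.php redirect and the
    destination hidden in its `u` parameter.

    The captured `u` ends in `%3Ds%3Fphp.c%2F711.691.111.46`, which
    percent-decodes to `=s?php.c/711.691.111.46`; read backwards that is
    `64.111.196.117/c.php?s=`. So the whole of `u` is the destination URL
    (without a scheme) reversed, and the opaque blob at the front of `u`
    becomes the destination's `s` parameter. The blob is left undecoded.
    """
    redirect = urlparse(url)
    # parse_qs percent-decodes the values, so `%3D` etc. come back as `=`
    params = parse_qs(redirect.query, keep_blank_values=True)
    if "u" not in params:
        raise ValueError("no u= parameter: not a go.php redirect of this shape")

    reversed_dest = params["u"][0][::-1]
    # The reversed string carries no scheme; plain http is assumed here
    # (an assumption of this example, not something the post states).
    dest = urlparse("http://" + reversed_dest)
    dest_params = parse_qs(dest.query, keep_blank_values=True)

    return {
        "tracking": {k: v[0] for k, v in params.items() if k != "u"},
        "dest_host": dest.hostname,
        "dest_path": dest.path,
        "dest_token": dest_params.get("s", [""])[0],
    }


if __name__ == "__main__":
    result = decode_redirect(REDIRECT_URL)
    print("tracking fields:", result["tracking"])
    print("destination:", result["dest_host"] + result["dest_path"])
    print("token length:", len(result["dest_token"]))
```

Nothing is fetched; the script only parses the captured string, which is the safe way to look at a redirector from an infected box. The tracking fields (`bid`, `aid`, `said`, `mppc`) are passed through untouched; their meaning is not established by the post.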