Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

ALERT: 7install - Yet more fake Flash badness

 
MysteryFCM
Malware Expert


Joined: 28 Aug 2004
Last Visit: 03 Feb 2017
Posts: 865
Location: Tyne & Wear, UK

Posted: Tue Oct 22, 2013 10:35 pm    Post subject: ALERT: 7install - Yet more fake Flash badness

Here we have yet another crapware company, this time US-based, 7install, using highly deceptive and outright malicious methods to peddle their rubbish.

The IPs in this case are:

209.126.131.87
ASN: 10439 209.126.128.0/17 CARINET - CariNet, Inc.

Code:
7install.com - marianog61@gmail.com GODADDY.COM, LLC
7install.info - marianog61@gmail.com GODADDY.COM, LLC
7searchbox.com - marianog61@gmail.com GODADDY.COM, LLC
analytic-login.com - marianog61@gmail.com GODADDY.COM, LLC
cerberav.us - marianog61@gmail.com GODADDY.COM, LLC
freedownlodenow.com - marianog61@gmail.com GODADDY.COM, LLC
incomeinstall.net - marianog61@gmail.com GODADDY.COM, LLC
installmonster.com - marianog61@gmail.com GODADDY.COM, LLC
megafreedownload.com - marianog61@gmail.com GODADDY.COM, LLC



91.214.201.126
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM

Code:
unsecuredconnection.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updatedflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC
updflashplayer.com - Henry Nguyen Gong contact@privacy-protect.cn BIZCN.COM, INC

91.214.201.148
ASN: 49527 91.214.200.0/22 ROXNET-COM-AS SRL ROXNET-COM

Code:
brosertie.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
fenretosit.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
forentor.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
forentor.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
forotesit.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jaterisok.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jerenkoli.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jerenkoli.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jonteoli.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
jonteoli.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
moguleroc.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
mongolero.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
ventupri.biz - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, INC.
ventupri.us - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, Inc.
brosertie.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
fenretosit.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
forotesit.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
jaterisok.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
moguleroc.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
mongolero.net - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
jaterisok.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
moguleroc.net - Repossessed / - Repossesseddomain@godaddy.com GODADDY.COM, LLC
brosertie.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
fenretosit.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forentor.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forotesit.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
jaterisok.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
moguleroc.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
mongolero.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
ventupri.info - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R171-LRMS)
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
brosertie.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
fenretosit.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com GoDaddy.com, LLC (R91-LROR)
forotesit.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
jaterisok.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
jerenkoli.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
moguleroc.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
mongolero.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
ventupri.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry
forentor.org - Repossessed by Go Daddy / - Repossesseddomain@godaddy.com Public Interest Registry


198.199.65.137
ASN: 46652 198.199.64.0/20 SERVERSTACK-ASN - ServerStack, Inc.

Code:
alwaysdownloads.com - Admin / 14E08F8D78D1412A945F67F34DC204D5.PROTECT@WHOISGUARD.COM ENOM, INC.


8.29.133.130
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC

Code:
freegiveawayoffers.com - Admin / ADMIN@SLHOST.COM ENOM, INC.

8.29.133.189
ASN: 30152 8.29.128.0/21 BEYOND-HOSTING - Beyond Hosting, LLC

Code:
javainstalls.com - Admin / ADMIN@SLHOST.COM ENOM, INC.

184.105.178.69
ASN: 6939 184.104.0.0/15 HURRICANE - Hurricane Electric, Inc

Code:
yesdownloads.com - Admin / support@383media.com GODADDY.COM, LLC
dl.yesdownloads.com
adobeflashfreedownload.com - Admin / support@383media.com GODADDY.COM, LLC
avgantivirusforfree.com - Admin / support@383media.com GODADDY.COM, LLC
downloadmessengerfree.com - Admin / DOWNLOADMESSENGERFREE.COM@domainsbyproxy.com GODADDY.COM, LLC
installjavafree.com - Admin / support@383media.com GODADDY.COM, LLC
yahoomessengerforfree.com - Domain Administrator / domainadmin@yahoo-inc.com Markmonitor.com


141.101.125.155
ASN: 13335 141.101.125.0/24 CLOUDFLARENET - CloudFlare, Inc.

Code:
getsoftfree.com Admin / 806AB1DA379142F7A89D556D1FB6E33E.PROTECT@WHOISGUARD.COM ENOM, INC.


If you have a gander through the domains, you'll no doubt notice the likes of "AVG" being impersonated, but there's also another one - cerberav.us, impersonating cerberav.com (a Spanish AV company).

Funny thing is, the companies involved in the use of the fake Flash/Java etc. deception are still trying to convince me that they're not doing anything wrong. On that subject, iLivid are STILL not responding, and still using things like this:

As you've no doubt already guessed, AirInstaller, who I wrote about previously, are still using the very same tactics. For example:

hxxp://trkur.com/trk?o=7945&p=71676 -> hxxp://globalpromotions.kidsclothingstore.org/?sov=226078602&hid=fvjnhjjfnffphfhr&noflu=noflu&id=XNSX.71676%3A%3APEERFLY%3A%3AUK%3A%3A29%3A%3A7945 --> hxxp://globalpromotions.kidsclothingstore.org/AIRAdobeRS2filenameGB.html

globalpromotions.kidsclothingstore.org, in case you're wondering, is housed at:

Code:
208.87.34.151 - 208-87-34-151.securehost.com - 15146 - 15146 208.87.32.0/21 CABLEBAHAMAS - Cable Bahamas
23.20.106.130 - ec2-23-20-106-130.compute-1.amazonaws.com - 14618 - 14618 23.20.0.0/15 AMAZON-AES - Amazon.com, Inc.
5.199.171.205 - hst-171-205.digital-forex.net - 16125 - 16125 5.199.168.0/22 DC-AS UAB Duomenu Centras
75.101.216.99 - ec2-75-101-216-99.compute-1.amazonaws.com - 14618 - 14618 75.101.128.0/17 AMAZON-AES - Amazon.com, Inc.

Not surprisingly, some of the companies have resorted to trying to block me from seeing the sites on their IPs (they're about as successful at this as the skiddies and a few hosts/ASNs have been, not realising I've got far more than one or two IPs at my disposal - woops!).

http://hphosts.blogspot.co.uk/2013/10/alert-7install-yet-more-fake-flash.html
_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
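As an added example (not the poster's code and not part of hpHosts), the Python script below takes a subset of the indicators listed in the post above and does the pivoting the post does by hand: it groups domains by hosting IP and by registrant contact, flags hostnames that borrow an impersonated brand name (AVG, Flash, Java, Cerberav and so on), and writes the result as hosts-file entries. The brand list, the set of shared privacy-service contacts and the 127.0.0.1 sink address are assumptions made for this example; the indicator records are copied from the post.

```python
"""Pivot the indicators from the post above by hosting IP and registrant
contact, flag brand-impersonating hostnames, and emit hosts-file entries.

Added example, not the poster's code and not part of hpHosts.  RECORDS is a
subset of the (IP, domain, registrant contact) data listed in the post; the
brand list, the privacy-service contact set and the sink address are
assumptions made for this example."""
import re
from collections import defaultdict

# Subset of the indicators listed in the post: (hosting IP, domain, whois contact).
RECORDS = [
    ("209.126.131.87", "7install.com", "marianog61@gmail.com"),
    ("209.126.131.87", "cerberav.us", "marianog61@gmail.com"),
    ("209.126.131.87", "megafreedownload.com", "marianog61@gmail.com"),
    ("91.214.201.126", "updatedflashplayer.com", "contact@privacy-protect.cn"),
    ("91.214.201.126", "updflashplayer.com", "contact@privacy-protect.cn"),
    ("198.199.65.137", "alwaysdownloads.com",
     "14E08F8D78D1412A945F67F34DC204D5.PROTECT@WHOISGUARD.COM"),
    ("8.29.133.130", "freegiveawayoffers.com", "ADMIN@SLHOST.COM"),
    ("8.29.133.189", "javainstalls.com", "ADMIN@SLHOST.COM"),
    ("184.105.178.69", "yesdownloads.com", "support@383media.com"),
    ("184.105.178.69", "dl.yesdownloads.com", "support@383media.com"),
    ("184.105.178.69", "adobeflashfreedownload.com", "support@383media.com"),
    ("184.105.178.69", "avgantivirusforfree.com", "support@383media.com"),
    ("184.105.178.69", "yahoomessengerforfree.com", "domainadmin@yahoo-inc.com"),
]

# Brands the post says are impersonated plus the Flash/Java bait words (assumed list).
BRANDS = ("flash", "adobe", "java", "avg", "cerberav", "yahoo")

# Shared privacy/proxy mailboxes identify a service, not an operator (assumption).
PRIVACY_CONTACTS = {"contact@privacy-protect.cn"}
WHOISGUARD_ALIAS = re.compile(r"^[0-9a-f]{32}\.protect@whoisguard\.com$")


def is_pivotable_contact(contact):
    """True if the contact can link domains to one operator.  Shared privacy
    mailboxes and per-domain proxy aliases (WhoisGuard's hex-prefixed address
    differs for every domain; Domains By Proxy uses the domain name itself)
    only ever group a domain with itself, so they are excluded."""
    c = contact.lower()
    if c in PRIVACY_CONTACTS or c.endswith("@domainsbyproxy.com"):
        return False
    return WHOISGUARD_ALIAS.match(c) is None


def impersonated_brands(domain, contact=""):
    """Brands whose name appears in the hostname.  A brand that also appears in
    the registrant's own mail domain (yahoo-inc.com for yahoomessengerforfree.com)
    is skipped: that looks like the brand's own registration and wants a manual
    check rather than an automatic impersonation flag."""
    label = domain.lower()
    owner = contact.lower().rsplit("@", 1)[-1]
    return tuple(b for b in BRANDS if b in label and b not in owner)


def cluster(records):
    """Group domains by hosting IP and by pivotable registrant contact."""
    by_ip, by_contact = defaultdict(set), defaultdict(set)
    for ip, domain, contact in records:
        by_ip[ip].add(domain)
        if is_pivotable_contact(contact):
            by_contact[contact.lower()].add(domain)
    return dict(by_ip), dict(by_contact)


def lookalikes(records):
    """Map each brand-impersonating domain to the brands it borrows."""
    flagged = {}
    for _ip, domain, contact in records:
        hits = impersonated_brands(domain, contact)
        if hits:
            flagged[domain] = hits
    return flagged


def hosts_file(records, sink="127.0.0.1"):
    """hpHosts-style block list: one host per line, sorted, de-duplicated.
    A hosts file has no wildcards, so dl.yesdownloads.com must be listed on
    its own line next to yesdownloads.com."""
    hosts = sorted({domain for _ip, domain, _c in records})
    return "".join(f"{sink} {h}\n" for h in hosts)


if __name__ == "__main__":
    by_ip, by_contact = cluster(RECORDS)
    for contact, domains in sorted(by_contact.items()):
        print(f"{contact}: {', '.join(sorted(domains))}")
    for domain, brands in sorted(lookalikes(RECORDS).items()):
        print(f"lookalike {domain} -> {'/'.join(brands)}")
    print(hosts_file(RECORDS), end="")
```

Two things the script deliberately gets right that a naive whois pivot gets wrong: the ADMIN@SLHOST.COM contact ties javainstalls.com and freegiveawayoffers.com together even though they sit on different IPs, while contact@privacy-protect.cn and the WhoisGuard alias are ignored because they would link nothing but the privacy service to itself. Extend RECORDS with the rest of the post's listing (the repossessed GoDaddy domains included) and the hosts-file output is ready to drop into a blocklist; subdomains like dl.yesdownloads.com need their own line.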
All times are GMT - 8 Hours