YUGWEN Warrior

Joined: 17 Jun 2004 Last Visit: 23 Apr 2007 Posts: 121 Location: Oregon
|
Posted: Thu Feb 24, 2005 10:24 am Post subject: bestnotospy.net DANGEROUS SPAM |
|
|
I have been working about 20 hours a week JUST on getting keywords and domains added to SPAM filters. One such SPAM message that I opened was so sneaky that it NAILED me. I should have known better, but I was in such a speed production mode of grabbing and inputting data that I let my guard down...
In a SPAM message there is a delayed "pop up" within the SPAM that poses as a mail error. (it is actually just an image link file but it downloads delayed so that it appears to "pop up") It exactly matches something you would see and just click on to close. Which, of course, I did. I normally move slow enough to notice a cursor change, but not this time... When I clicked on the red "X" it immediately hijacked me out to its website. SPAM/spyware/adware = virus! I immediately closed the window before it could finish loading, but now I have to scan this system for EVERYTHING...
This is something to watch out for, and should NOT be legal in any way shape or form! This is a 100% deceptive attack against everyone they send the message to. I am going to send this message to the authorities and see if they can slap these creeps down...
Watch out for these guys and their nasty tricks... bestnotospy.net  _________________ Absorb what is useful |
MadameX Site Admin

Joined: 12 Jul 2004 Last Visit: 27 Apr 2008 Posts: 1438
|
Posted: Thu Feb 24, 2005 10:34 am Post subject: |
|
|
Thanks for the heads up, Yugwen!  _________________ CARMA |
YUGWEN Warrior

Joined: 17 Jun 2004 Last Visit: 23 Apr 2007 Posts: 121 Location: Oregon
|
Posted: Thu Feb 24, 2005 12:20 pm Post subject: Update- myspyzone.com same deal! |
|
|
I don't know who the parent company for this stuff is, but I am sure it is creating a HEAP of victims. I don't know what it does, but I can only imagine what they do to the people that they con into going to their website...
myspyzone.com is using the exact same SPAM tactic as in the message above, so they are probably the exact same thing... I'm sure there are going to be more, so I will just edit this message and add their names to it if I see them. If anyone knows who is behind this please let me know. I am afraid to fully follow the link on a Windows machine, even as protected as I try to keep them... I think I will forward one of these messages to my Yahoo account and then go to it on my OS 8.6 Mac... That ought to slap down any of their nasty plans
I hope everyone is having more fun than I am
SPAM, Spyware, Adware, Viruses... Oh my! _________________ Absorb what is useful |
3162 Honorary Site Admin

Joined: 31 Mar 2004 Last Visit: 04 May 2009 Posts: 4452
|
Posted: Thu Feb 24, 2005 12:42 pm Post subject: |
|
|
Yugwen, could you fwd one to me as well?
Send it to 3162 -at- spywarewarior.com
Thanks  _________________ Proud member of the Chest Zipper Club! |
Chao284 Warrior
Joined: 06 Sep 2004 Last Visit: 06 Aug 2011 Posts: 220 Location: Bremerton, WA
|
Posted: Thu Feb 24, 2005 11:07 pm Post subject: |
|
|
Guys, before making any new things, I believe there is a connection to the new URL and to this variant, which is the same of course,
Spy-Control spy-control.com
spyware-list.info installs Searchmeup parasite (1); unconscionable license terms; dubious implied endorsement (1); Ad-ware knockoff (1); same app as Ad-Eliminator |
Scaramouche Malware Expert
Joined: 06 Jul 2004 Last Visit: 03 May 2006 Posts: 141 Location: Manila, Philippines
|
Posted: Fri Feb 25, 2005 2:18 am Post subject: |
|
|
These guys are starting to pop up constantly for me from my 'research' vx2 infection. I think it's really sad that supposed spyware companies actually use SPYWARE-GENERATED POPUPS to flog their product. It's like shooting someone in the leg to try and sell them a bullet-proof vest. It also pitches Spyware Stormer, Privacy Defender, Spyware Nuker, BulletProof Anti Spy, and 'spyware ferret'. Ad rotations change usually every couple of days so it ends up being a 'who's who of rogue anti-spyware'. _________________ ---
My comments represent my own opinions and research. |
eburger68 SWW Distinguished Expert
Joined: 23 Jun 2004 Last Visit: 18 Nov 2008 Posts: 575 Location: Clearwater, FL
|
Posted: Fri Feb 25, 2005 4:05 am Post subject: |
|
|
Scaramouche:
Do you have screenshots of those pop-ups? URLs for the pages that pop up? If so, send them to me and I'd be happy to add that description to the rogue/suspect list.
Best,
Eric L. Howes |
Moore Moderator

Joined: 31 May 2004 Last Visit: 05 Jan 2011 Posts: 758 Location: °°.MooreLand.°°
|
Posted: Fri Feb 25, 2005 7:38 am Post subject: |
|
|
Wow, you hit the jackpot on these guys YUGWEN..
This list of domains might help you block the rest of their garbage.
Let's all block them hey.. Looks like a few good entries for Spyware blocklists, Hosts and IE spyads I think
bestnotospy.net:82.114.48.64-82.114.48.64
bestnotospy.net
SPY-CONTROL.COM
82.114.48.0-82.114.48.255
Taurus Telecom interconnect block #48
Moscow, Russia
Russian Federation
Website Status: Active
Reverse IP: Web server hosts 160 websites
IP Address: 82.114.48.64
IP Location: - Taurus-block
Name Server: NS7.WDRHOSTING.COM NS4.BIGHOSTSOLUTIONS.COM
ICANN Registrar: TUCOWS INC.
Created: 14-dec-2004
Expires: 14-dec-2005
Status: ACTIVE
Registrant:
kozlu i companiya
po box 4567
kiev, ua 65000
UA
Domain name: SPY-CONTROL.COM
Administrative Contact:
kozlodoev, ivan
po box 4567
kiev, ua 65000
UA
+38.0503106754
Registrar of Record: TUCOWS, INC.
Record last updated on 30-Jan-2005.
Record expires on 14-Dec-2005.
Record created on 14-Dec-2004.
Domain servers in listed order:
LAYER1.MORPHEUS-SPYWARE.INFO
NS7.WDRHOSTING.COM 222.223.134.244
LAYER2.MORPHEUS-SPYWARE.INFO
NS4.BIGHOSTSOLUTIONS.COM 218.7.120.118
Blacklisted here :
http://www.joewein.de/sw/bl-log-2005-02-13.htm
| Quote: |
| morpheus-spyware.info (bl=2005-02-13, rogue-ns=layer1.morpheus-spyware.info, created=2004-11-10) |
A few garbage links pages I found googling ^ morpheus spyware info name:
| Code: |
hxxp://www.spyware-links.com/morpheus-spyware/morpheus-spyware.html
hxxp://www.web-search-links.com/search.php?qq=spyware
http://www.livesearching.com/search.php?id=15&q=spyware
|
Domain status: ACTIVE
160 domains found on 82.114.48.64
As Suzi often says, don't click the links!
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< _________________ | Stop Malvertising | Outpost | Blocklist Pro | Hosts | |
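Added example, not part of any post in this thread: a mail-filter check in Python for the image-link trick described in the first post, combined with the domains and the 82.114.48.0-82.114.48.255 block quoted in the thread. The function and class names and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Indicators quoted in the thread; SAMPLE is a constructed body, not a captured message.
BLOCKED_DOMAINS = {"bestnotospy.net", "myspyzone.com", "spy-control.com"}
BLOCKED_NET = ip_network("82.114.48.0/24")  # 82.114.48.0-82.114.48.255
SAMPLE = """<a href="http://bestnotospy.net/"><img src="cid:error-dialog"></a>
<a href="http://www.example.org/news">Read more</a>
<a href="http://82.114.48.65/x"><img src="cid:logo"> </a>"""

def host_is_blocked(url):
    """True if the URL's host is a listed domain, a subdomain, or in the block."""
    host = ""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        return ip_address(host) in BLOCKED_NET
    except ValueError:  # malformed URL (host stays "") or not an IP literal
        return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

class ImageLinkScanner(HTMLParser):
    """Records <a href> elements that wrap only an image or hit the blocklist."""
    def __init__(self):
        super().__init__()
        self.findings, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._has_img, self._text = dict(attrs).get("href"), False, ""
        elif tag == "img" and self._href is not None:
            self._has_img = True

    def handle_data(self, data):
        if self._href is not None:
            self._text += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            checks = (("image-only link", self._has_img and not self._text),
                      ("blocklisted host", host_is_blocked(self._href)))
            reasons = [name for name, hit in checks if hit]
            if reasons:
                self.findings.append((self._href, reasons))
            self._href = None

def scan_html(body):
    scanner = ImageLinkScanner()
    scanner.feed(body)
    return scanner.findings
```

Image-only links also appear in ordinary newsletters, so that reason on its own is a cue to show the real target to the reader, while a blocklisted host is grounds to quarantine the message.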
Scaramouche Malware Expert
Joined: 06 Jul 2004 Last Visit: 03 May 2006 Posts: 141 Location: Manila, Philippines
|
Posted: Fri Feb 25, 2005 12:15 pm Post subject: |
|
|
| eburger68 wrote: |
Scaramouche:
Do you have screenshots of those pop-ups? URLs for the pages that pop up? If so, send them to me and I'd be happy to add that description to the rogue/suspect list.
Best,
Eric L. Howes |
Eric -
I'd be glad to. Unfortunately I'm leaving for a holiday this weekend but I'm sure that I'll have a nice crop of pop-ups to send you when I get back Monday night (Sunday your time most likely). _________________ ---
My comments represent my own opinions and research. |
Scaramouche Malware Expert
Joined: 06 Jul 2004 Last Visit: 03 May 2006 Posts: 141 Location: Manila, Philippines
|
Posted: Mon Feb 28, 2005 10:21 pm Post subject: |
|
|
Eric -
They've changed the ad catalogue again so I wasn't able to get all of the providers this time around but here's the four I did find. Unfortunately the BPS one doesn't have a traceable URL in it but I'll probably get an Ethereal dump for that.
 _________________ ---
My comments represent my own opinions and research. |
Scaramouche Malware Expert
Joined: 06 Jul 2004 Last Visit: 03 May 2006 Posts: 141 Location: Manila, Philippines
|
Posted: Tue Mar 01, 2005 3:34 am Post subject: |
|
|
Here's another one just came up for privacy defender
 _________________ ---
My comments represent my own opinions and research. |
radio Moderator & HJT Expert

Joined: 21 May 2004 Last Visit: 05 Aug 2011 Posts: 260
|
Posted: Tue Mar 22, 2005 6:11 am Post subject: |
|
|
<<bump>>
I've noticed a lot of SPAM activity for this group again in the last couple of days on our mailserver, coming from spambots
they're pointing to a different IP# now
_________________ PcPitstop Forums  |
Moore Moderator

Joined: 31 May 2004 Last Visit: 05 Jan 2011 Posts: 758 Location: °°.MooreLand.°°
|
webhelper SWW Expert

Joined: 11 Apr 2004 Last Visit: 16 Jul 2011 Posts: 1090
|
Posted: Tue Mar 22, 2005 8:24 pm Post subject: |
|
|
| Moore wrote: |
Good catch Radio , thanks for the update..  |
Yes good catch and you will notice the IPs of most:
82.114.48.65
Our favorite Russian Federation IP blocks. _________________ Wächter der Geschichten:
http://www.webhelper4u.com/thewatcher.html
Member of ASAP Since 2004 |