Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.
Estdomains Is Behind The Trojan!

#1 nation-x, 03-11-2007, 02:42 PM

So I am here to bust out the people behind this... From a post on adx by DanS, where he pointed out that surfers were being redirected to a codec download on assisass.com, I found the domain that the codec was being downloaded from...

The domain also has other exploits so I am not going to post the url but I will post the IP...

216.255.179.125

Some investigation of this ip revealed that it resolves to an ISP called InterCage...

From an earlier post you will find that the people that discovered the trojan at the University of Minnesota discovered that the variant that they were analyzing was being hosted by InHosters, and they determined that InHosters was being run by a crime ring from the Ukraine.

http://lists.sans.org/pipermail/unis...er/026937.html

After digging a little deeper into Intercage I discovered that they have been blacklisted and accused of many crimes... including hijacking proxies and whole netblocks...

http://spamhuntress.com/wiki/Dyakon
http://blogs.zdnet.com/Spyware/?p=752

I did a whois on the domain serving the trojan and discovered that it was registered via ESTDOMAINS... there have been many posts on adx about the onslaught of cheaters that have appeared over the last few months that were registered via ESTDOMAINS... the odd thing about most of these cheaters is that the traffic doesn't necessarily look like cheater traffic... it doesn't always have a lot of proxy and it generates clicks... I think it's already been posted that this trojan generates fake traffic.

And then I hit the motherlode...

InHosters, Estdomains and Intercage are all the same company...
http://blogs.zdnet.com/Spyware/?p=763

Quote:
The other block listed by SANS, "Inhoster", appears to be the same company as Esthost - as are Critical Internet, Estdomains and Web-Namez. This netblock used also to be Atrivo's; it's not clear to me whether that block is operated by Esthost themselves or by Atrivo for Esthost.
#2 JD, 03-11-2007, 02:45 PM
Ma.....get muh shotgun...
#3 ztik, 03-11-2007, 02:45 PM
Estdomains is behind a lot of crap, no need to even post it. They are probably one of the biggest spammers on the net.
#4 nation-x, 03-11-2007, 03:08 PM
more

http://netrn.net/spywareblog/archive...um-on-the-run/
#5 Dirty F, 03-11-2007, 03:17 PM
The Ukraine... what a surprise. It's really time they get their own internet over there that's cut off from the rest of the world.
#6 Lanceman, 03-11-2007, 03:20 PM
Good fucking job man!!!!!

Now like what do we do?

I say let's start that coalition against this shit!

It is like the war on terror,same shit different towel head!

Until all the sponsors get their act together, we as webmasters will always run this risk!

Problem is will the sponsors play ball?
#7 borked, 03-11-2007, 03:23 PM
why can't you give a url to the codec download? I have my own reservations about estdomains, but an accusation needs the solid proof, or else you're leaving yourself open for banning....
#8 Lanceman, 03-11-2007, 03:25 PM
Quote:
Originally Posted by Dirty Franck
The Ukraine... what a surprise. It's really time they get their own internet over there that's cut off from the rest of the world.
I actually don't hate any part of the world in general, especially where actresses can be filmed cheap!

Problem is cheater scum not Race/Religion/or region

Last edited by Lanceman; 03-11-2007 at 03:26 PM..
#9 nation-x, 03-11-2007, 03:39 PM
Quote:
Originally Posted by borked
why can't you give a url to the codec download? I have my own reservations about estdomains, but an accusation needs the solid proof, or else you're leaving yourself open for banning....
the person that bans me for this shit is complicit...

http://alexa.com/data/details/traffi...m%2Fgoanal.php

that won't take you directly to the download but will show you what the url is.
#10 nation-x, 03-11-2007, 03:44 PM
So how about the people that say they are protecting us?

http://protecty.wikispaces.com/info
#11 borked, 03-11-2007, 03:47 PM
Quote:
Originally Posted by nation-x
the person that bans me for this shit is complicit...

http://alexa.com/data/details/traffi...m%2Fgoanal.php

that won't take you directly to the download but will show you what the url is.
whoever owns fresh3xvideos must read gfy then, because all those links are 404ing

-- edit: never mind, the source shows the links
#12 borked, 03-11-2007, 04:03 PM
just be careful nation-x - great investigative posting, but the motherlode post, even following the links, is still circumstantial....
#13 nation-x, 03-11-2007, 04:13 PM
Quote:
Originally Posted by borked
just be careful nation-x - great investigative posting, but the motherlode post, even following the links, is still circumstantial....
I agree it's circumstantial... but where I live... in reality... if it smells like shit and looks like shit it's usually shit. And I don't really even give a fuck if someone wants to ban me for busting this shit out... gfy does not make my business... nor most of the motherfuckers that post here... if there is someone that has a problem with this post then they can eat a sick dick. This is serious shit.

Let's consider the enormity of this for a moment... not only is this rampant ripping off of affiliates (and more than likely programs as well)... it's a HUGE security problem... Those professors estimated that lots and lots of people were infected... it could even be millions since there are no antivirus programs that currently detect the trojan... and judging by the amount of traffic that this one install location gets I would be willing to estimate that it's POSSIBLE that more than a million machines may be infected.

Dude... that is a National Security Risk!
#14 nation-x, 03-11-2007, 04:17 PM
btw... I should mention that the codec installer doesn't show up for Firefox
#15 nation-x, 03-11-2007, 04:20 PM
and really... ultimately... your posts tell me that you didn't read the mailing list post from Brian Eckman... he plainly says that the thing is controlled by InHost... Inhost = Estdomains...
#16 borked, 03-11-2007, 04:23 PM
Quote:
Originally Posted by nation-x
... This is serious shit....
Don't get me wrong - it IS serious shit, and a lot of major players couldn't give a toss. There are some out there that are actively trying to combat this problem.

I infected a puter with the trojan and tested it out, and in my tests the first click had a refcode changed, which stuck. If the link had no refcode in it, it appeared unchanged, but when it got to the processor, a new refcode got added.

The refcode appeared to change randomly though, which was weird.

HOWEVER - there is a current easy workaround for this trojan, and with a bit more implementation, will protect for a few more revisions. I'm not posting what the solution is on a public board, but it is a payside server-side implementation that will protect all affiliates. Funny though how some big guys don't seem to care about it
#17 borked, 03-11-2007, 04:32 PM
Quote:
Originally Posted by nation-x
and really... ultimately... your posts tell me that you didn't read the mailing list post from Brian Eckman... he plainly says that the thing is controlled by InHost... Inhost = Estdomains...
You're very wrong - I just don't see that the evidence linking Inhosters to Estdomains is very strong....

Quote:
The other block listed by SANS, "Inhoster", appears to be the same company as Esthost - as are Critical Internet, Estdomains and Web-Namez. This netblock used also to be Atrivo's; it's not clear to me whether that block is operated by Esthost themselves or by Atrivo for Esthost.
That's a big IF....
#18 cones, 03-11-2007, 04:42 PM
Nice work man
#19 nation-x, 03-11-2007, 04:44 PM
Quote:
Originally Posted by borked
You're very wrong - I just don't see that the evidence linking Inhosters to Estdomains is very strong....

That's a big IF....
http://netrn.net/spywareblog/archive...um-on-the-run/
#20 crockett, 03-11-2007, 04:46 PM
Quote:
Originally Posted by ztik
Estdomains is behind a lot of crap, no need to even post it. They are probably one of the biggest spammers on the net.
Then why are they able to accept Epassporte and Paypal? E-gold , Moneybrokers are a few of the others. Hit them where the money is, turn it off.

I think if this is true and enough of us bitch, we can at least get epass and paypal to pull the plug on them.
#21 borked, 03-11-2007, 04:51 PM
Quote:
Originally Posted by nation-x
(I missed that link)
#22 ladida, 03-11-2007, 04:54 PM
Don't have time to read it all (read only your initial post), but because they are registered through estdomains, estdomains is behind it? Is that what you're saying?
#23 Lanceman, 03-11-2007, 04:57 PM
PLEASE SEE THREAD: ANTI SPYWARE COALITION!!!!!!!

Why can't we form a group, say the "anti spyware coalition"? Why can't affiliates donate $50 a month to this and sponsors donate $500 a month?

If just 100 affiliates ante up and just 10 sponsors, that is $10,000 a month. Appoint a board, hire a couple of full-time, well-qualified anti-spyware people to start working on this. 10K a month should hire a couple of really qualified people.

The more people who join the group, the lower we can reduce the fees. $50 x 100 is the same as 1000 x $5, so fees could be lowered as more people join and/or more people could be hired to work on it.

If you make even $1,000 a month, what is $50 to help fight this? Sponsors, if you make millions a month, what is $500?
#24 borked, 03-11-2007, 05:02 PM
Quote:
Originally Posted by Lanceman
PLEASE SEE THREAD: ANTI SPYWARE COALITION!!!!!!!

Why can't we form a group, say the "anti spyware coalition"? Why can't affiliates donate $50 a month to this and sponsors donate $500 a month?

If just 100 affiliates ante up and just 10 sponsors, that is $10,000 a month. Appoint a board, hire a couple of full-time, well-qualified anti-spyware people to start working on this. 10K a month should hire a couple of really qualified people.

The more people who join the group, the lower we can reduce the fees. $50 x 100 is the same as 1000 x $5, so fees could be lowered as more people join and/or more people could be hired to work on it.

If you make even $1,000 a month, what is $50 to help fight this? Sponsors, if you make millions a month, what is $500?
Apparently, some of the AV companies are already onto it, which is the best we could hope for, but better in preventing future trojans would rest firmly with the sponsors. They need simply to STOP relying on refcodes and start implementing something more robust.

It's not rocket science.... yet it requires a bit of backend work, which most don't want to do, until that is enough affiliates start talking up....
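One server-side design of the kind borked hints at in #16 (the refcode is rewritten on the first click, or injected only when the surfer reaches the processor) and spells out in #24 (stop relying on a bare refcode). This is an added example, not borked's undisclosed workaround and not any sponsor's real code; the sponsor key, the tour URL, the affiliate IDs and the click paths are constructed for illustration. Two checks are combined: the affiliate link carries an HMAC over the refcode, so a refcode rewritten on the infected machine no longer verifies, and the affiliate of record is pinned in a signed cookie at the landing page, so a refcode that only turns up at the join step is treated as injected instead of paid. Caveat: this catches rewriting and late injection of the refcode; a trojan that swaps the whole link for a cheater's own validly signed link is not caught by it.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Hypothetical sponsor-side secret, constructed for this example; a real
# deployment loads it from a secret store and rotates it.
SPONSOR_KEY = b"example-sponsor-key-not-a-real-secret"


def _mac(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_affiliate_link(base_url: str, affiliate_id: str, key: bytes = SPONSOR_KEY) -> str:
    """Issue a link whose refcode is bound to an HMAC; rewriting ref= breaks sig=."""
    return base_url + "?" + urlencode({"ref": affiliate_id, "sig": _mac(key, affiliate_id.encode())})


def verify_landing(query: str, key: bytes = SPONSOR_KEY):
    """Landing page: returns (affiliate_of_record_or_None, tampered).

    No ref= is an organic visit. A ref= whose sig= does not verify is
    tampered and gets no credit, so a swapped refcode pays nobody.
    """
    params = parse_qs(query)
    ref = params.get("ref", [None])[0]
    sig = params.get("sig", [None])[0]
    if ref is None:
        return None, False
    expected = _mac(key, ref.encode())
    if sig is None or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None, True
    return ref, False


def issue_session_token(affiliate_id, key: bytes = SPONSOR_KEY) -> str:
    """Pin the first-touch decision in a signed cookie; "" marks an organic visit."""
    body = json.dumps({"aff": affiliate_id or ""}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(key, body)


def read_session_token(token: str, key: bytes = SPONSOR_KEY):
    """Return the pinned affiliate ("" for organic), or None if missing or forged."""
    if not token or "." not in token:
        return None
    b64, mac = token.rsplit(".", 1)
    try:
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not hmac.compare_digest(mac.encode(), _mac(key, body).encode()):
        return None
    return json.loads(body)["aff"]


def resolve_credit_at_processor(session_token: str, client_ref, key: bytes = SPONSOR_KEY) -> dict:
    """Join/processor step: the signed session decides who is paid.

    The refcode the browser submits is never trusted on its own; it is only
    compared with the pinned value and any disagreement is flagged for review.
    """
    pinned = read_session_token(session_token, key)
    if pinned is None:
        return {"credit": None, "flag": "session_missing_or_forged"}
    credit = pinned or None
    if client_ref is None or client_ref == pinned:
        return {"credit": credit, "flag": None}
    if pinned == "":
        return {"credit": None, "flag": "unpinned_ref"}  # refcode appeared after an organic landing
    return {"credit": credit, "flag": "ref_mismatch"}  # pinned affiliate still paid, swap logged


def run_scenarios() -> dict:
    """Constructed click paths mirroring the behaviour reported in the thread."""
    honest_query = make_affiliate_link("https://sponsor.example/tour", "aff123").split("?", 1)[1]

    # 1. Clean machine: the signed link arrives intact and aff123 is paid.
    aff, honest_tampered = verify_landing(honest_query)
    honest = resolve_credit_at_processor(issue_session_token(aff), "aff123")

    # 2. Trojan rewrites ref= on the first click; the old sig= no longer matches.
    aff, swapped_tampered = verify_landing(honest_query.replace("ref=aff123", "ref=cheater"))
    swapped = resolve_credit_at_processor(issue_session_token(aff), "cheater")

    # 3. Organic visit; the refcode is added only when the surfer reaches the processor.
    aff, _ = verify_landing("")
    injected = resolve_credit_at_processor(issue_session_token(aff), "cheater")

    # 4. Forged cookie: pinning "cheater" without the sponsor key fails the MAC check.
    forged = resolve_credit_at_processor(issue_session_token("cheater", key=b"wrong-key"), "cheater")

    return {"honest": honest, "honest_tampered": honest_tampered, "swapped": swapped,
            "swapped_tampered": swapped_tampered, "injected": injected, "forged": forged}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The point of the two layers is that the browser-side refcode is reduced to a hint: payment follows the value the sponsor signed itself, and every place the hint disagrees with it becomes a log line a program can audit rather than a silently redirected commission.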
#25 Lanceman, 03-11-2007, 05:13 PM
Anti Spyware Coalition.
PLEASE SEE THREAD AND SIGN THE FUCK UP!!!!!!!!!!!!!
#26 irbobo, 03-11-2007, 08:20 PM
Fuck those homos... I hope someone stops them up.
#27 Legendary_Samir, 03-11-2007, 08:28 PM
where is Ukraine?
#28 Tempest, 03-11-2007, 08:48 PM
Quote:
Originally Posted by nation-x
Some investigation of this ip revealed that it resolves to an ISP called InterCage...

After digging a little deeper into Intercage I discovered that they have been blacklisted and accused of many crimes... including hijacking proxies and whole netblocks...
Big surprise that intercage is involved with this.. I posted this thread a year ago.. read the last three posts.

http://www.gofuckyourself.com/showthread.php?t=573522
#29 nation-x, 03-12-2007, 04:28 AM
It's funny how this shit has turned out to be all interconnected
#30 nation-x, 03-12-2007, 06:16 AM
I am amazed at the lack of response I am seeing to these threads...