So I am here to bust out the people behind this... From a post on adx by DanS where he pointed out that surfers were being redirected to a codec download on assisass.com I found the domain that the codec was being downloaded from...
The domain also has other exploits so I am not going to post the url but I will post the IP...
216.255.179.125
Some investigation of this ip revealed that it resolves to an ISP called InterCage...
From an earlier post you will find that the people that discovered the trojan at the University of Minnesota discovered that the variant that they were analyzing was being hosted by InHosters and they determined that InHosters was being run by a crime ring from the Ukraine.
http://lists.sans.org/pipermail/unis...er/026937.html
After digging a little deeper into Intercage I discovered that they have been blacklisted and accused of many crimes... including hijacking proxies and whole netblocks...
http://spamhuntress.com/wiki/Dyakon
http://blogs.zdnet.com/Spyware/?p=752
I did a whois on the domain serving the trojan and discovered that it was registered via ESTDOMAINS... there have been many posts on adx about the onslaught of cheaters that have appeared over the last few months that were registered via ESTDOMAINS... the odd thing about most of these cheaters is that the traffic doesn't necessarily look like cheater traffic... it doesn't always have a lot of proxy and it generates clicks... I think it's already been posted that this trojan generates fake traffic.
And then I hit the motherlode...
InHosters, Estdomains and Intercage are all the same company...
http://blogs.zdnet.com/Spyware/?p=763
Quote:
The other block listed by SANS, "Inhoster", appears to be the same company as Esthost - as are Critical Internet, Estdomains and Web-Namez. This netblock used also to be Atrivo's; it's not clear to me whether that block is operated by Esthost themselves or by Atrivo for Esthost.