05-02-2007, 09:04 PM
aico
Moo Moo Cow
 
Join Date: Mar 2004
Location: Washington State
Posts: 14,748
Quote: Originally Posted by Adam_WildCash
After a deeper investigation we feel the need to clarify a few things.

First of all, about the WildCash affiliate mentioned in this thread: It is
entirely possible and likely that he has absolutely no knowledge of the
MovieBox trojan or porn-abc.com.

porn-abc.com is a completely independent domain.

We investigate all these matters very seriously, and although this stuff has
nothing to do with Wildcash at all we're reporting what we've found to the
community.

The following we know to be 100% certain:

An independent malicious party is downloading gallery pages from the web and
re-hosting them on their own servers with the videos removed and links to a
fake-codec (MovieBox trojan) inserted.

As QuickDraw mentioned, there is also JavaScript added to the page that
attempts to install the malware automatically. If the surfer's browser does
not allow this automatic installation there is still a chance the surfer, in
all his horniness, will download and install the fake codec manually.

They are hosting these spidered galleries on at least 233 domains spread
across at least 56 IP addresses.
All the domains are registered through ESTDOMAINS.
All the hosting is at CERNEL and INTERCAGE (55 IPs at CERNEL; 1 IP at
INTERCAGE).

It is important to note that galleries from many programs and many different
affiliates have been downloaded and re-hosted by these guys, and that in
almost all cases it's entirely likely the affiliate and program have no
knowledge of this.

Ok, that's great, so what can we do?

As a surfer:
* Keep your system up to date with the latest security patches
* Don't download untrusted .EXE's (no matter how horny you are)

As a gallery hoster:
* Blacklist the offending IP addresses from spidering your galleries

As a gallery submission site:
* Blacklist the submission of entries containing the offending domain names
* Blacklist the submission of entries whose domain names resolve to
offending IP addresses

As a motivated onlooker:
* Report URLs like this to StopBadware.org, then there's a good chance they
will show up with a warning in Google search results like this one:

http://www.google.com/search?hl=en&q...2705851%2F1%2F

To find more galleries like this, the following Google search terms give
pretty decent results: inurl:load=1 inurl:id +(site:.com OR site:.net)

Thanks for the update and actually taking the time to investigate the issue.
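The two submission-site checks the quoted post recommends (refuse entries whose domain is blocklisted, and entries whose domain resolves to a blocklisted IP) as an added Python example; this is not code from the thread or from WildCash. The only real value is porn-abc.com, which the post names; the IP addresses are constructed placeholders from the RFC 5737 documentation range, and `resolver` is injectable so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample blocklist. porn-abc.com is the domain named in the thread;
# the addresses are documentation-range placeholders, not the real offending IPs,
# which the post does not list.
BLOCKED_DOMAINS = {"porn-abc.com"}
BLOCKED_IPS = {ipaddress.ip_address("192.0.2.10"),
               ipaddress.ip_address("198.51.100.7")}


def _hostname(url):
    """Lower-cased hostname of a submitted URL, or None if it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url          # tolerate bare "host/path" submissions
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def domain_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one."""
    labels = host.split(".")
    # check the host itself, then each parent: a.b.example.com -> b.example.com -> example.com
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve_all(host):
    """Every A/AAAA address string for host (all records, not just the first); [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # strip a zone index such as "%eth0" that can trail link-local IPv6 addresses
    return sorted({info[4][0].split("%")[0] for info in infos})


def should_reject(url, resolver=resolve_all):
    """Return (reject, reason) for a gallery submission.

    A domain that parses as blocklisted is refused without resolving it; otherwise
    every address it resolves to is compared against the blocked IP set, which
    catches a freshly registered domain pointing at a known-bad host.
    """
    host = _hostname(url)
    if host is None:
        return True, "unparseable URL"
    if domain_is_blocked(host):
        return True, "domain %s is blocklisted" % host
    for addr in resolver(host):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                   # ignore anything the resolver returns that is not an address
        if ip in BLOCKED_IPS:
            return True, "%s resolves to blocklisted %s" % (host, ip)
    return False, "ok"
```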