One of the domains I end up at is party-adult.com which is a fake TGP installing the codec trojan...
Here's a little "report" about it:
64.28.183.0/24 is listed on the Spamhaus Block List (SBL)
11-Apr-2007 09:13 GMT | SR04
MovieCommander DNS hijacking malware rootkit
The McAfee/Avert Labs blog talks about MovieCommander,
a bit of DNS hijacking malware with rootkit functionality. See:
"MovieCommander! No, it's DNS Changer"
http://www.avertlabs.com/research/blog/?p=236
Monday, April 2nd, 2006
That blog entry in turn refers to:
DNSChanger.f
http://vil.mcafeesecurity.com/vil/content/v_141841.htm
discovered 03/27/2007, description modified 03/29/2007 12:15PM (PT)
If you go to the characteristics tab on the DNSChanger.f page, it mentions:
"Upon installation this trojan changes the DNS server address to
point to its preferred DNS.
"For example the recent variants are observed to point it to
85.255.115.46. A quick "whois" on this IP shows this is in Ukraine."
Of course, if you actually check that dotted quad, it is being advertised by AS27595 - Intercage. If you do a traceroute:
10 sfc-b1-00-ve24-ctr-atrivo.wvfiber.net (63.223.30.130) 111.749 ms 111.662 ms 111.662 ms
11 85.255.115.46-xbox.dedi.inhoster.com (85.255.115.46) 111.614 ms 111.628 ms 111.753 ms
Also note that the "Method of Infection" page refers to
www.codecaddon.com and that site is at 64.28.181.243 a Cernel dotted quad also advertised by AS27595
See:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453
[whois.estdomains.com]
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website:
http://www.estdomains.com
Domain Name: CODECADDON.COM
Registrant:
CodecAddon inc
Asteria Villamar (webmaster@codecaddon. com)
349 Swinnerton St
Staten Island
New York,10307-1644
US
Tel. +1.718967098 <-- one digit shy of a phone number, how embarrassing...
Creation Date: 19-Feb-2007
Expiration Date: 19-Feb-2008
Domain servers in listed order:
ns1.codecaddon.com <-- 64.28.183.35
ns2.codecaddon.com <-- 64.28.183.36
[etc]
http://www.siteadvisor.com/sites/COD...N.COM/summary/ has a comment that mentions:
Other sites that are clones of this site:
216.255.182.171 tvscodec.com
216.255.182.172 tvs-codec.com
216.255.182.173 tscodec.com
What a surprise, more AS27595 IPs.
Following 64.28.183.35, we see:
ns1.codecaddon.com
ns1.video-access.net
ns2.player-codec.net
ns2.videos-access.com
.34 has:
ns1.player-codec.net
ns1.videos-access.com
ns2.page-tickets.com
ns2.page-tickets.net
.36 has:
ns1.accessclips.com
ns1.codecfeature.com
ns2.codecaddon.com
ns2.video-access.net
.37 has:
ns1.dvd-access.net
ns1.site-pass.net
ns2.accessclips.com
ns2.codecfeature.com
.38 has:
ns1.codecdvd.net
ns1.sitespass.net
ns2.dvd-access.net
ns2.site-pass.net
.39 has:
ns1.dvdsvideos.net
ns1.sites-pass.com
ns2.codecdvd.net
ns2.sitespass.net
.40 has:
ns1.sites-pass.net
ns2.dvdsvideos.net
ns2.sites-pass.com
.41 has:
ns1.dvdsmovies.net
ns1.moviesdvds.net
ns1.passtosite.com
ns2.sites-pass.net
.42 has:
ns1.dvds-movies.net
ns1.passtosite.net
ns2.dvdsmovies.net
ns2.passtosite.com
.43 has:
ns1.passtosites.com
ns1.tvcodecs.com
ns2.dvds-movies.net
ns2.passtosite.net
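The DNSChanger.f description quoted above says the trojan swaps the host's resolver for 85.255.115.46. The following is an added example, not code from the post or from Spamhaus or McAfee, of the check a defender would run on a fleet: parse a resolv.conf-style resolver list and flag anything that is either inside a prefix the analyst has marked hostile or simply not one of the resolvers the host is supposed to use. The sample resolv.conf, the expected resolvers (RFC 5737 documentation addresses) and the hostile /24 around the page's address are all constructed for the example; the page only names the single IP.

```python
"""Audit configured DNS resolvers for a DNSChanger-style hijack."""
import ipaddress
from typing import Iterable

# Resolvers a host on this hypothetical network is supposed to use.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Prefixes an analyst has decided to treat as hostile.  The /24 is an
# assumption for the example; the page gives only 85.255.115.46 itself.
HOSTILE_PREFIXES = [ipaddress.ip_network("85.255.115.0/24")]

# Constructed resolv.conf content, as it might look after a hijack.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 85.255.115.46
nameserver 192.0.2.53
options timeout:2
"""


def parse_resolvers(text: str) -> list:
    """Return the nameserver addresses in resolv.conf order, ignoring comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                out.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry, not an address
    return out


def audit_resolvers(resolvers: Iterable[str],
                    expected=EXPECTED_RESOLVERS,
                    hostile=HOSTILE_PREFIXES) -> list:
    """Return (resolver, reason) findings for anything outside policy.

    A resolver inside a hostile prefix is reported as 'hostile'; any other
    address not on the expected list is 'unexpected', because a DNS changer
    may point at addresses nobody has blocklisted yet.  Checking against the
    expected set is what catches the new variant.
    """
    findings = []
    for r in resolvers:
        addr = ipaddress.ip_address(r)
        if any(addr in net for net in hostile):
            findings.append((r, "hostile"))
        elif r not in expected:
            findings.append((r, "unexpected"))
    return findings


if __name__ == "__main__":
    for resolver, reason in audit_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF)):
        print(f"{resolver}: {reason}")
```

On Windows hosts the same comparison applies to the per-interface NameServer values rather than resolv.conf; the policy logic in `audit_resolvers` is unchanged, only the parser differs.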
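The walk through 64.28.183.34 onward is a reverse-DNS pivot: each nameserver hostname is mapped to its address, and the domains whose ns1 and ns2 both sit in the listed block belong to the same operation. As an added example (not the poster's or Spamhaus's tooling), here is that grouping written out so it can be run over a longer passive-DNS export. The (address, hostname) pairs are copied from the page for .34 to .36; the `example.net` entries are a constructed control showing a domain that is not served entirely from the block and therefore is not reported.

```python
"""Group nameserver hostnames by domain and flag domains served wholly from one block."""
import ipaddress
from collections import defaultdict

# The SBL-listed range named at the top of the report.
SUSPECT_NET = ipaddress.ip_network("64.28.183.0/24")

# (address, nameserver hostname) pairs as listed on the page, plus a
# constructed control domain whose second nameserver is outside the block.
NS_RECORDS = [
    ("64.28.183.35", "ns1.codecaddon.com"),
    ("64.28.183.35", "ns1.video-access.net"),
    ("64.28.183.35", "ns2.player-codec.net"),
    ("64.28.183.35", "ns2.videos-access.com"),
    ("64.28.183.34", "ns1.player-codec.net"),
    ("64.28.183.34", "ns1.videos-access.com"),
    ("64.28.183.34", "ns2.page-tickets.com"),
    ("64.28.183.34", "ns2.page-tickets.net"),
    ("64.28.183.36", "ns1.accessclips.com"),
    ("64.28.183.36", "ns1.codecfeature.com"),
    ("64.28.183.36", "ns2.codecaddon.com"),
    ("64.28.183.36", "ns2.video-access.net"),
    ("64.28.183.37", "ns1.example.net"),   # constructed control
    ("198.51.100.7", "ns2.example.net"),   # constructed control
]


def registrable_domain(hostname: str) -> str:
    """Drop the leading nsN label.

    Every name on the page is a two-label domain under a plain TLD, so the
    last two labels suffice here; a real export with ccTLD second-level
    suffixes would need a public-suffix list instead.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def group_by_domain(records) -> dict:
    """Map domain -> nameserver addresses, sorted numerically."""
    groups = defaultdict(set)
    for addr, host in records:
        groups[registrable_domain(host)].add(addr)
    return {d: sorted(a, key=ipaddress.ip_address) for d, a in groups.items()}


def domains_entirely_in(net, groups: dict) -> list:
    """Domains whose every listed nameserver address lies inside `net`."""
    return sorted(
        d for d, addrs in groups.items()
        if all(ipaddress.ip_address(a) in net for a in addrs)
    )


if __name__ == "__main__":
    groups = group_by_domain(NS_RECORDS)
    for d in domains_entirely_in(SUSPECT_NET, groups):
        print(d, groups[d])
```

A domain with only one of its nameservers in the block (the control here) is left out on purpose: shared hosting puts unrelated domains on adjacent addresses all the time, and what ties the page's domains together is that every authority for them lives in the same /24.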