Quote:
|
Pinging spywarequake.info [195.225.177.7] with 32 bytes of data:
20 104 ms 88 ms 88 ms 64.111.192.205
21 87 ms 90 ms 88 ms 66.230.128.91
22 92 ms 84 ms 86 ms 195.225.177.7
OrgName: ISPrime, Inc.
OrgID: IPRM
Address: 25 Broadway
Address: 6th Floor, Suite #2
City: New York
StateProv: NY
PostalCode: 10004-1086
Country: US
ReferralServer: rwhois://rwhois.isprime.net:4321/ |
Quote:
is that all you have to reply to the bunch of posts about intercage on the last page?? here is another recent malware codec downloading site, guess where it's hosted? Quote:
your host seems to be nothing else than the "El Dorado" and "Paradise" for all kinds of criminals. I would suggest that NO adult site should be doing business anymore with sites anyway related to estdomains, eshost, intercage and any other company somehow using any of these services. If we cap the traffic exchange with sites hosting with hosts that obviously tolerate and support criminals, then a lot of our problems should be fixed automatically as we are no longer part of the malware distribution or at very least it will decrease a lot. |
Quote:
|
Quote:
|
Quote:
|
At this point, I think you can safely say: If the traffic comes from a domain registered with ESTDOMAINS, it is fairly suspect.
|
Quote:
I wager to bet that if we look closer we will find out which sponsors do and don't support this for I have a feeling that behind this organized group lies quite a few others.... Every good band has a front man! Join the "Anti Spyware Coilition" See thread. |
I got this email from Sunbelt Software today
Quote:
|
To Emil,
Thanks for taking the time to reply to this thread... I am glad I got the right name when I made the report to the FBI... you ARE Emil Kacpersky correct? I sent an email to [email protected] but I see the site is still live... as far as I know it's a crime to facilitate an international crime... you do know that disseminating viruses/trojans is a crime right? Here is why we have a serious issue with Intercage... first of all... you host spammers, ppc cheaters, hackers, etc... wtf are you thinking? Btw... here is the email I sent you... Quote:
|
Quote:
Or better yet maybe they could get with this guy over on the "Anti Spyware Coilation Sign Up" Thread who claims to be the originator of spyware and pay him for a cure! |
In case you were interested... I downloaded a pdf of the report to the FBI... I am not going to make it public because it has my personal info in it but here is the report part...
Quote:
Quote:
|
Quote:
1.This guy signed up today right before he started posting threads 2.How was he alerted of this discussion? With those two out in the open Hmmmmmmmm? I wonder who alerted him! 3.THE BIG PICTURE? |
if you don't think that these fuckers post here then you are misguided... We swim with sharks...
|
Let's say someone does get caught with how I track them, does anyone know if ccbill will give those sales to the right person? I wrote an email asking and they did not give me a clear answer
|
Quote:
|
A member at another board I posted at provided this find:
from http://www.tunix.nl/index.php?s_cat=...loits_advisory Quote:
|
bump this back to 1st page
|
Quote:
:2 cents: |
Quote:
|
I hear Microsoft is onto this codec exploit issue now!
|
Quote:
it would be nice for them to do so, they really shouldn't allow something as significant as this trojan to be installed without noticeable warnings being issued by the OS first. |
Quote:
|
I wonder why Emil never posted again :D
|
Quote:
It isn't a 100% sure thing that someone with ESTDOMAINS is going to be a scammer, but if you live next to a crack house, some people might think you like drugs, right? |
Quote:
|
Alternately, you lie down with dogs, and you will get fleas.
|
Microsoft Windows WMF exploits advisory

An update from Microsoft that fixes this vulnerability is now available: http://www.microsoft.com/athome/secu...00601_WMF.mspx

A very serious vulnerability has been discovered in Microsoft Windows, for which exploits are found on the internet. It concerns issues with files that are interpreted by windows as .WMF files. At this moment there is no patch from Microsoft. There are some workarounds for vulnerable systems that can be applied.

More information on this issue can be found here:
urls:
http://www.security.nl/article/12594...F_exploit.html
http://secunia.com/advisories/18255/
http://isc.sans.org/diary.php
http://www.viruslist.com/en/alerts?alertid=176701669

Malicious files that can lead to an exploit can be both in e-mail attachments and on the internet on http servers. The TUNIX/Firewall can help to avoid some risk in the following ways:

Firstly the Kaspersky virusscanner for email on TUNIX firewalls detects trojans that use this exploit, if the firewall uses a recent signature-database. It has been doing so since December 28th 2005.

Secondly a number of URLs have been identified that may contain malicious content. TUNIX recommends blacklisting the listed URLs on the TUNIX/Firewall. This can be accomplished using a simple URL blacklist. At this moment the following URLs can be blocked:
m.cpa4.org
008k.com
mscracks.com
keygen.us
dailyfreepics.us
pornsites-reviews.com
mmxo.megaman-network.com
600pics.com
Crackz.ws
unionseek.com
www.tfcco.com
Iframeurl.biz
beehappyy.biz
Buytoolbar.biz
teens7.com

Thirdly two netblocks can be blocked as well according to sources at SANS: http://isc.sans.org/diary.php
InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
This can also be implemented by http blocklists. It should be noted that blocking entire netblocks always carries the risk of blocking websites that should not be blocked.

Customers with a Managed Firewall (MF) contract, customers with a Remote Standby (RS) contract or customers with a Remote Maintenance (RB) contract can contact TUNIX Firewall Support to make the necessary adjustments to the configuration of TUNIX/txhttp or Tunix/http-gw to block this activity. |
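Added example, not part of the thread or of the TUNIX advisory: a small Python filter that applies the advisory's two measures (host blacklist and the two netblocks) and keeps netblock-only hits separate, since the advisory warns those may catch sites that should not be blocked. The function names, the four blacklist entries picked from the advisory's list, and the sample requests are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Netblocks and host names copied from the advisory text.
NETBLOCKS = {
    "InterCage Inc.": ipaddress.ip_network("69.50.160.0/19"),
    "Inhoster": ipaddress.ip_network("85.255.112.0/20"),
}
BLOCKED_HOSTS = {h.lower() for h in
                 ("Crackz.ws", "Iframeurl.biz", "008k.com", "www.tfcco.com")}

def host_blocked(host):
    """True if the host, or any parent domain of it, is on the blacklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS
               for i in range(len(labels)))

def classify(url, dest_ip):
    """Return (verdict, reason) for one outbound HTTP request."""
    host = urlsplit(url).hostname or ""
    if host_blocked(host):
        return ("block", "host on URL blacklist")
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return ("review", "unparseable destination address")
    for name, net in NETBLOCKS.items():
        if addr in net:
            return ("block-netblock", name)
    return ("allow", "")

def netblock_only_hits(requests):
    """Requests blocked solely by address range: the over-blocking risk."""
    return [(u, ip) for u, ip in requests
            if classify(u, ip)[0] == "block-netblock"]

# Constructed sample requests (documentation hosts and addresses,
# plus the boundary addresses of the two advisory netblocks).
SAMPLE = [
    ("http://CRACKZ.WS/index.html", "203.0.113.10"),
    ("http://cdn.iframeurl.biz/x.js", "203.0.113.11"),
    ("http://example.org/page", "69.50.191.255"),   # last InterCage address
    ("http://example.org/page", "69.50.192.0"),     # first address outside
    ("http://example.net/", "85.255.112.0"),        # first Inhoster address
    ("http://example.com/", "not-an-ip"),
]

if __name__ == "__main__":
    for url, ip in SAMPLE:
        print(url, ip, classify(url, ip))
```
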
Quote:
When this happens on a daily basis I believe that this is where the problem starts for any sponsor! When the thousands of redirected dollars start flowing in come on back and tell us who gets paid! Better yet why don't you just send us a post card from the Islands:thumbsup |
Just for clarification... the trojan we are posting about isn't always delivered via an exploit... We have found multiple urls that are masking the trojan as a codec that users are voluntarily installing.
|
Quote:
It will explain My story. I would give out the URL but I took it off line till I get this problem fixed! Oh and by the way post replies on that thread not this one-thanks http://www.gofuckyourself.com/showthread.php?t=714455 |
|
Quote:
|
Quote:
It appears that the guy that owns assisass.com owns roccomovies.net. Assisass.com has been spreading trojans for a very long time now http://img89.imageshack.us/img89/653...ivexvidbt6.jpg |
There are two types of codec-style exploits:
The one that microsoft mentions, which uses either a malformed wmv file or similar, which is a true security exploit, and the "you need a codec" sites that are using pure social engineering to get installed. The social engineering approach is the hardest one to stop, because human nature is "install stuff to see video". It is the same reason why people foolishly install things like Zango. They think they are going to see a video or play a game. They don't realize that they will be installing a spyware piece of shit that is going to pop shit all over their screens when they surf. If they knew that, they would never do it. The only reasons any of this stuff works is because programs are willing to pay money for the traffic generated from it. Pure economics says that if nobody was paying, nobody would do it. Then again, Zango forced Lars to do it. I wonder how many other people have been forced? |
Quote:
|
Quote:
Why would they? They are too busy drinking martinis at the Ritz Carlton.........With our would be sales. |
bump bump
|
I think some of the bigger programs care, but not enough to terminate the accounts due to the possible retribution (who wants those bastards to suddenly send traffic going to my domain, somewhere else?)
Doc's a smart guy and makes some good points. Anybody with half a brain can make that stuff nearly undetectable, so any complaints made from tests don't rise above the din of the normal everyday quirks or fuckups |
Well just sit back and watch what happens next!
|
We closed 2 affiliate accounts that were doing this shit; we monitor our referring urls pretty close, and caught them pretty fast.
Right now we are waiting on ccbill to send us the money that was held from those affiliates, so we could pay directly to those who were hit by this. I think ccbill should provide all the info they have on ppl like this so we could act on our own as well. (of course once they confirmed the issue) |
Quote:
|
Quote:
Many join pages are very generic looking, the end user probably wouldn't notice he had been redirected to a different site until the last moment. |
Quote:
|
WARNING - do NOT install any of these codecs - do NOT visit without good anti-virus protection
This TGP http://adultau.com/?id=1110&t=4 is linking this gallery http://coolbestporn.com/robin/330225868/1/?id=1110 which upon clicking one of the videos loads the page http://coolbestporn.com/robin/330225...53bXY=&id=1110
Kaspersky is warning of "Trojan.Win32.DNSChanger.ir" trying to auto-install
the affiliate link on that gallery is http://collegepartytime.com/ref/1004000/ so maybe the blockboostercash guys can identify him.
Here's another doing the same with a TCG gallery: http://porn-room.net/obedience/1619577015/1/?id=1110
affiliate link from that gallery: http://www.castingcouchteens.com/?wm...tbond&cf=&sub=
Same for http://teenporntop.com/harman/1312166799/1/?id=1110
affiliate link: http://www.tamedteens.com/go/596263/22/9/n/
http://porntimeguide.com/alphinias/1...021/1/?id=1110
affiliate link: http://armyofass.maniacpass.com/?id=rikki&pt=p
http://pornhelp.net/pheney/1107727492/1/?id=1110
affiliate link: http://teen-stop.com/?id=crossales
http://xxxadultgold.com/bo/616802479/1/?id=1110
affiliate link: http://secure.hardcoreteeniesex.com/...0:HCTS,0,0,0,/
There's a TON more. The http://adultau.com/?id=1110&t=4 appears to be getting all traffic clicked from http://www.free-nude-photo.org/ which signed up for a trade on my site using IP 64.22.82.232 @ 15:22 EST on 3/21/07 (in case anybody really feels like tracking down this fool). I haven't reported these yet to the proper sponsors, just too damn late at night for me to screw with atm :P so if anybody feels like messaging the sponsors before I do tomorrow go right ahead... |
Quote:
|
I've witnessed this code changing shit live on my girlfriend's PC, I was working on my blog then testing my sponsor links and all my affiliate codes were changing to another code when I was clicking my links
I've started a post on the Traffic Cash Gold board and am still waiting for a response.. here is a copy of my post on TCG Quote:
|
bump for this thread which needs the attention of every webmaster and sponsor program!
|
Bump to page 1 - very interesting thread.
|
Quote:
|