The trojan guys also submits trojan galleries to your TGP - GoFuckYourself.com

biskoppen · 06-26-2007, 09:10 AM

Example, the hairy section on Pichunter..

http://www.pichunter.com/movs/hairy.shtml

Check out the 1st gallery in row 4... (http://www.eliteasianzone.com/newgp/38/pichunter.html)

This gallery loads a trojan page the 1st time you click it and the real gallery the 2nd time you click it...

The last gallery in the 2nd row (http://www.orientalpornvideos.com/as...pichunter.html) gives me a fake TGP with trojan videos the 1st time and a real gallery the second time...

So, these guys are actual gallery submitters which spends time building these real galleries...

biskoppen · 06-26-2007, 09:21 AM

One of the domains I end up at is party-adult.com which is a fake TGP installing the codec trojan...

Here's a little "report" about it :

64.28.183.0/24 is listed on the Spamhaus Block List (SBL)

11-Apr-2007 09:13 GMT | SR04

MovieCommander DNS hijacking malware rootkit

The McAfee/Avert Labs blog, talks about MovieCommander,
a bit of DNS hijacking malware with rootkit functionality. See:
"MovieCommander! No, it's DNS Changer"
http://www.avertlabs.com/research/blog/?p=236
Monday, April 2nd, 2006

That blog entry in turn refers to:

DNSChanger.f
http://vil.mcafeesecurity.com/vil/content/v_141841.htm
discovered 03/27/2007, description modified 03/29/2007 12:15PM (PT)

If you go to the characteristics tab on the DNSChanger.f page, it mentions:

"Upon installation this trojan changes the DNS server address to
point to its preffered DNS.

"For example the recent variants are observed to point it to
85.255.115.46. A quick "whois" on this IP show this is in Ukraine."

Of course, if you actually check that dotted quad, it is being advertised by AS27595 - Intercage. If you do a traceroute:

10 sfc-b1-00-ve24-ctr-atrivo.wvfiber.net (63.223.30.130) 111.749 ms 111.662 ms 111.662 ms
11 85.255.115.46-xbox.dedi.inhoster.com (85.255.115.46) 111.614 ms 111.628 ms 111.753 ms

Also note that the "Method of Infection" page refers to www.codecaddon.com and that site is at 64.28.181.243 a Cernel dotted quad also advertised by AS27595

See:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453

[whois.estdomains.com]
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: CODECADDON.COM

Registrant:
CodecAddon inc
Asteria Villamar (webmaster@codecaddon. com)
349 Swinnerton St
Staten Island
New York,10307-1644
US
Tel. +1.718967098 <-- one digit shy of a phone number, how embarassing...

Creation Date: 19-Feb-2007
Expiration Date: 19-Feb-2008

Domain servers in listed order:
ns1.codecaddon.com <-- 64.28.183.35
ns2.codecaddon.com <-- 64.28.183.36

[etc]

http://www.siteadvisor.com/sites/COD...N.COM/summary/ has a comment that mentions:

Other sites that are clones of this site:

216.255.182.171 tvscodec.com
216.255.182.172 tvs-codec.com
216.255.182.173 tscodec.com

What a surprise, more AS27595 IP's.

Following 64.28.183.35, we see:

ns1.codecaddon.com
ns1.video-access.net
ns2.player-codec.net
ns2.videos-access.com

.34 has:

ns1.player-codec.net
ns1.videos-access.com
ns2.page-tickets.com
ns2.page-tickets.net

.36 has:

ns1.accessclips.com
ns1.codecfeature.com
ns2.codecaddon.com
ns2.video-access.net

.37 has:

ns1.dvd-access.net
ns1.site-pass.net
ns2.accessclips.com
ns2.codecfeature.com'

.38 has:

ns1.codecdvd.net
ns1.sitespass.net
ns2.dvd-access.net
ns2.site-pass.net

.39 has:

ns1.dvdsvideos.net
ns1.sites-pass.com
ns2.codecdvd.net
ns2.sitespass.net

.40 has:

ns1.sites-pass.net
ns2.dvdsvideos.net
ns2.sites-pass.com

.41 has:

ns1.dvdsmovies.net
ns1.moviesdvds.net
ns1.passtosite.com
ns2.sites-pass.net

.42 has:

ns1.dvds-movies.net
ns1.passtosite.net
ns2.dvdsmovies.net
ns2.passtosite.com

.43 has:

ns1.passtosites.com
ns1.tvcodecs.com
ns2.dvds-movies.net
ns2.passtosite.net

Lycanthrope · 06-26-2007, 09:25 AM

I'm not getting anything nasty nor redirected. I'm using Firefox on Linux though - maybe they only play games w/ IE.

hjnet · 06-26-2007, 09:38 AM

Estdomains, Inhosters, Atrivo, Intercage, who would have thought.

Blacklist the entire IP range of these hosts (do a google/board search) and check every domain that want's to do business with you to make sure it's not registered at Estdomains, then you've covered 99% of these cheaters (for now).

FiReC · 06-26-2007, 10:18 AM

yup this DNS changer has been around for awhile, mad PPC fraud going on with this thing. who has a contact over at pichunter?

biskoppen · 06-26-2007, 12:57 PM

Quote:

Originally Posted by FiReC

yup this DNS changer has been around for awhile, mad PPC fraud going on with this thing. who has a contact over at pichunter?

I have contacted him about this earlier today

CIVMatt · 06-26-2007, 01:04 PM

once again for tgp people

DO NOT EVER ALLOW TRADES FROM

Registration Service Provided By: ESTDOMAINS INC

AT ALL

bobby666 · 06-26-2007, 01:41 PM

oh shit and my mac has no problems

06-26-2007, 09:10 AM	#1
biskoppen Confirmed User Join Date: Mar 2003 Location: Very small penis Posts: 5,809	The trojan guys also submits trojan galleries to your TGP Example, the hairy section on Pichunter.. http://www.pichunter.com/movs/hairy.shtml Check out the 1st gallery in row 4... (http://www.eliteasianzone.com/newgp/38/pichunter.html) This gallery loads a trojan page the 1st time you click it and the real gallery the 2nd time you click it... The last gallery in the 2nd row (http://www.orientalpornvideos.com/as...pichunter.html) gives me a fake TGP with trojan videos the 1st time and a real gallery the second time... So, these guys are actual gallery submitters which spends time building these real galleries... __________________ Submit my videos to make bank, tons of 5 minute videos offered right here

06-26-2007, 09:21 AM	#2
biskoppen Confirmed User Join Date: Mar 2003 Location: Very small penis Posts: 5,809	One of the domains I end up at is party-adult.com which is a fake TGP installing the codec trojan... Here's a little "report" about it : 64.28.183.0/24 is listed on the Spamhaus Block List (SBL) 11-Apr-2007 09:13 GMT \| SR04 MovieCommander DNS hijacking malware rootkit The McAfee/Avert Labs blog, talks about MovieCommander, a bit of DNS hijacking malware with rootkit functionality. See: "MovieCommander! No, it's DNS Changer" http://www.avertlabs.com/research/blog/?p=236 Monday, April 2nd, 2006 That blog entry in turn refers to: DNSChanger.f http://vil.mcafeesecurity.com/vil/content/v_141841.htm discovered 03/27/2007, description modified 03/29/2007 12:15PM (PT) If you go to the characteristics tab on the DNSChanger.f page, it mentions: "Upon installation this trojan changes the DNS server address to point to its preffered DNS. "For example the recent variants are observed to point it to 85.255.115.46. A quick "whois" on this IP show this is in Ukraine." Of course, if you actually check that dotted quad, it is being advertised by AS27595 - Intercage. If you do a traceroute: 10 sfc-b1-00-ve24-ctr-atrivo.wvfiber.net (63.223.30.130) 111.749 ms 111.662 ms 111.662 ms 11 85.255.115.46-xbox.dedi.inhoster.com (85.255.115.46) 111.614 ms 111.628 ms 111.753 ms Also note that the "Method of Infection" page refers to www.codecaddon.com and that site is at 64.28.181.243 a Cernel dotted quad also advertised by AS27595 See: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453 [whois.estdomains.com] Registration Service Provided By: ESTDOMAINS INC Contact: +1.3027224217 Website: http://www.estdomains.com Domain Name: CODECADDON.COM Registrant: CodecAddon inc Asteria Villamar (webmaster@codecaddon. com) 349 Swinnerton St Staten Island New York,10307-1644 US Tel. +1.718967098 <-- one digit shy of a phone number, how embarassing... Creation Date: 19-Feb-2007 Expiration Date: 19-Feb-2008 Domain servers in listed order: ns1.codecaddon.com <-- 64.28.183.35 ns2.codecaddon.com <-- 64.28.183.36 [etc] http://www.siteadvisor.com/sites/COD...N.COM/summary/ has a comment that mentions: Other sites that are clones of this site: 216.255.182.171 tvscodec.com 216.255.182.172 tvs-codec.com 216.255.182.173 tscodec.com What a surprise, more AS27595 IP's. Following 64.28.183.35, we see: ns1.codecaddon.com ns1.video-access.net ns2.player-codec.net ns2.videos-access.com .34 has: ns1.player-codec.net ns1.videos-access.com ns2.page-tickets.com ns2.page-tickets.net .36 has: ns1.accessclips.com ns1.codecfeature.com ns2.codecaddon.com ns2.video-access.net .37 has: ns1.dvd-access.net ns1.site-pass.net ns2.accessclips.com ns2.codecfeature.com' .38 has: ns1.codecdvd.net ns1.sitespass.net ns2.dvd-access.net ns2.site-pass.net .39 has: ns1.dvdsvideos.net ns1.sites-pass.com ns2.codecdvd.net ns2.sitespass.net .40 has: ns1.sites-pass.net ns2.dvdsvideos.net ns2.sites-pass.com .41 has: ns1.dvdsmovies.net ns1.moviesdvds.net ns1.passtosite.com ns2.sites-pass.net .42 has: ns1.dvds-movies.net ns1.passtosite.net ns2.dvdsmovies.net ns2.passtosite.com .43 has: ns1.passtosites.com ns1.tvcodecs.com ns2.dvds-movies.net ns2.passtosite.net __________________ Submit my videos to make bank, tons of 5 minute videos offered right here

06-26-2007, 09:25 AM	#3
Lycanthrope Confirmed User Industry Role: Join Date: Jan 2004 Location: Wisconsin Posts: 4,517	I'm not getting anything nasty nor redirected. I'm using Firefox on Linux though - maybe they only play games w/ IE. __________________

06-26-2007, 10:18 AM	#5
FiReC Confirmed User Industry Role: Join Date: Jan 2002 Location: Land o Nubiles Posts: 2,350	yup this DNS changer has been around for awhile, mad PPC fraud going on with this thing. who has a contact over at pichunter? __________________ www.nubilefilms.com \| www.nubiles.net \| www.anilos.com \| tubescript.nubiles.net \| icq4162727

06-26-2007, 01:04 PM	#7
CIVMatt Amateur Pimpin Industry Role: Join Date: Aug 2004 Location: Orlando, FL Posts: 13,075	once again for tgp people DO NOT EVER ALLOW TRADES FROM Registration Service Provided By: ESTDOMAINS INC AT ALL __________________ Make easy money with Webcams

06-26-2007, 09:38 AM	#4
hjnet Confirmed User Join Date: May 2002 Location: European Union Posts: 3,815	Estdomains, Inhosters, Atrivo, Intercage, who would have thought. Blacklist the entire IP range of these hosts (do a google/board search) and check every domain that want's to do business with you to make sure it's not registered at Estdomains, then you've covered 99% of these cheaters (for now).

06-26-2007, 01:41 PM	#8
bobby666 boots are my religion Join Date: Nov 2005 Location: Heart of europe Posts: 21,765	oh shit and my mac has no problems __________________