3/28/2006

SpywareQuake scum on the run?

When I first wrote about SpywareQuake at SpywareConfidential and here, the domains spywarequake.com, spywarequake.net and spywarequake.info were hosted at a California ISP known to host spyware (CWS), malware, and other Super Rogue anti-spyware apps such as SpySheriff (whois).

That ISP is InterCage (whois), formerly known as Atrivo (whois) or Atrivotechnologies, located in the San Francisco Bay area (corporation lookup) of California. More on InterCage/Atrivo later.

I just checked the whois information for the 3 Spyware Quake domains, and it looks like the sites are now hosted at a different location with a different ISP (maybe different; there is or was a relationship between InterCage and the current hosting company, but I'm not clear what it is).

The current IP address for spywarequake.com, according to Dnsstuff.com, is this:

Pinging spywarequake.com [85.255.117.202]:

Ping #1: Got reply from 85.255.117.202 in 82ms [TTL=57]
Ping #2: Got reply from 85.255.117.202 in 82ms [TTL=57]
Ping #3: Got reply from 85.255.117.202 in 82ms [TTL=57]
Ping #4: Got reply from 85.255.117.202 in 82ms [TTL=57]

Done pinging spywarequake.com!


Whois for IP 85.255.117.202 shows that it belongs to Inhoster in the Ukraine.

85.255.117.202

Blacklist Status: Listed – Cached Today (details)
Cached Whois: Cached today
Record Type: IP Address
IP Location: Ukraine – Inhoster Hosting Company
Reverse IP: Web server hosts 1 websites (reverse ip tool requires free login)
Reverse DNS: not set

inetnum: 85.255.112.0 – 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

More on Inhoster in a bit, too.

Spywarequake.info shows the same IP as spywarequake.com.

Pinging spywarequake.info [85.255.117.202]:

Ping #1: Got reply from 85.255.117.202 in 82ms [TTL=57]

Spywarequake.net seems to be in a different location.

Pinging spywarequake.net [66.116.200.239]:

Ping #1: * [No response]

66.116.200.239 is located in Hopkinsville, Kentucky according to whois.sc and dnsstuff.com. The page at spywarequake.net says “web server is ok”. Odd.

So who is behind InterCage/Atrivo? And who is behind Inhoster, formerly Esthost? Are the two related or are they actually one and the same?

The name shown in the whois information for most of the InterCage/Atrivo domains is Emil Kacpersky (not to be confused with Eugene Kaspersky of the antivirus company Kaspersky). Inhoster.com (whois) is registered to:


Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: INHOSTER.COM

Registrant:

Inhoster Inc. Andrei Kislizin () Lenina str. 23/95 Odessa ,54302 UA Tel. +38.0664637362 Fax. +38.0664637362

Creation Date: 01-Jun-2005
Expiration Date: 01-Jun-2006

Note the registrar, ESTDOMAINS, at estdomains.com (whois).

Estdomains.com is hosted at InterCage, at IP address 69.50.183.26 (whois).

The IP addresses now shown at Inhoster were formerly shown as belonging to Esthost. Esthost.com is still alive and also hosted at InterCage. Esthost.com shares the IP address 69.50.176.228 with Estcertificates.com (whois).
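The pivots made by hand above (two domains resolving to one IP, an IP falling inside a provider's inetnum range) can be automated once the lookup results are collected. The following is an added example, not part of the original post; the resolutions and the Inhoster netblock are constructed from the values quoted on this page, and no network queries are made.

```python
import ipaddress
from collections import defaultdict

# Constructed from the lookups quoted in the post (values as of March 2006;
# they are illustrative data here, not live results).
RESOLUTIONS = {
    "spywarequake.com": "85.255.117.202",
    "spywarequake.info": "85.255.117.202",
    "spywarequake.net": "66.116.200.239",
    "estdomains.com": "69.50.183.26",
    "esthost.com": "69.50.176.228",
    "estcertificates.com": "69.50.176.228",
}

# netname -> inetnum line as printed in a RIPE-style whois record
NETBLOCKS = {
    "inhoster": "85.255.112.0 - 85.255.127.255",
}


def parse_inetnum(text):
    """Turn 'start - end' into the list of CIDR networks that cover it."""
    start, end = (part.strip() for part in text.split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def netname_for(ip, parsed_blocks):
    """Return the netname whose range contains ip, or None if no block matches."""
    addr = ipaddress.ip_address(ip)
    for name, nets in parsed_blocks.items():
        if any(addr in net for net in nets):
            return name
    return None


def cluster_by_ip(resolutions):
    """Group domains that share an address; only shared addresses are reported."""
    groups = defaultdict(list)
    for domain, ip in resolutions.items():
        groups[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in groups.items() if len(ds) > 1}


def cluster_by_netblock(resolutions, netblocks):
    """Group domains by the whois netblock their address falls in ('unknown' if none)."""
    parsed = {name: parse_inetnum(rng) for name, rng in netblocks.items()}
    groups = defaultdict(list)
    for domain, ip in resolutions.items():
        groups[netname_for(ip, parsed) or "unknown"].append(domain)
    return {name: sorted(ds) for name, ds in groups.items()}
```

Because the Inhoster range spans 85.255.112.0 to 85.255.127.255, summarize_address_range collapses it to the single prefix 85.255.112.0/20; ranges that are not prefix-aligned yield several prefixes, which is why the parser returns a list.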

SpamHuntress has blogged about Esthost and Atrivo/InterCage as well, and links to a thread on Google Groups where the relationship between Esthost and Atrivo is discussed.

This blog post is getting long and I’m going to break here for now, but I have more information about Emil Kacpersky, Atrivo/InterCage and Esthost/Inhoster to post in the next episode.


9/9/2005

Super Rogues

This made my blood boil. As Sunbeltblog says, this site is a faux clone of Windows Security Center.


My IP address is edited out of the screenshot, but look at the outrageous scare tactics. I haven’t seen anything this bad since the Spy Wiper/Spy Deleter days. There are 4 anti-spyware apps shown, and 3 of them are already on the Rogue/Suspect Anti-Spyware Programs and Sites page; I expect the 4th will earn a place shortly. PSGuard is known for hijacking desktops in forced installs through security exploits, and RazeSpyware is no better. WorldAntiSpy follows suit.

The whois information on the domain security2k.net shows it is hosted at Atrivo, a known host for many CWS hijackers, sites running exploits, and spammers.

Update: SpyTrooper has also been added to the Rogue/Suspect Anti-Spyware page.

Note—if you need help removing this spyware, click on the comments or the “read more” link and scroll to the bottom for instructions.

Said Suzi @ 10:26 pm
Filed under: Rogue Anti-spyware software and sites