funsec mailing list archives

Rogue RBN Software Pushed Through Blackhat SEO


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Thu, 6 Mar 2008 01:40:20 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dancho Danchev:

[snip]

This is yet another example of the KISS strategy uncovering another huge
IFRAME campaign, again taking advantage of locally cached pages generated
upon searching for a particular word, and the IFRAME itself. In the
previous example for instance, we had a second ongoing IFRAME campaign
with just 4 pages injected with 89.149.243.201, however, what Keep it
Simple Stupid really means in this case is that the next IP in their
netblock 89.149.243.202 is currently getting injected at many other sites
as well.

The difference between the previous campaign and this one is that the
previous one was targeting just two high page-ranked sites, while in the
second one, the malicious parties pushing RBN's rogue XP AntiVirus are
relying on a much more diverse set of domains loading the IFRAME. One
factor remains the same: both campaigns continue pushing the rogue XP
AntiVirus.

[snip]

More:
http://ddanchev.blogspot.com/2008/03/rogue-rbn-software-pushed-through.html

Note:

So it appears to be time to start naming names.

netdirekt e.K. [1] - a hosting provider based in Frankfurt,
Germany - has long been (perhaps unwittingly) a hosting provider
for RBN activities, for well over a year. So has Layered
Technologies, Inc. [2] (based in Plano, Texas), InterCage, Inc.
[3] (Concord, California), and SoftLayer Technologies, Inc. [4]
(Dallas, Texas). Each of these has long been known to be an
operational deployment platform for RBN-related activities.

And they have been repeatedly notified of these activities.

Isn't it time for these companies to be called to task for
continuing to turn a blind eye to criminal activities hosted
in their networks?

- - ferg

[1] http://www.cidr-report.org/cgi-bin/as-report?as=AS28753
[2] http://www.cidr-report.org/cgi-bin/as-report?as=AS13767
[3] http://www.cidr-report.org/cgi-bin/as-report?as=AS27595
[4] http://www.cidr-report.org/cgi-bin/as-report?as=AS36351

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHz0uAq1pz9mNUZTMRAq0FAJ93KmZCpEi0eqjLLNFgBhjjlEuYogCg7FNU
tbTPkRxCqOB172iJl9DLQbo=
=Z7t3
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
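The quoted write-up describes hunting for injected IFRAMEs in locally cached search-result pages, and makes the point that once one address (89.149.243.201) is known, the neighbouring address in the same netblock (89.149.243.202) is the next thing to look for. The following is an added example, not code from the original post or from Dancho Danchev's write-up: a small Python scanner that walks a set of cached pages, pulls out every IFRAME, and flags those whose src points at a literal IP inside a watched netblock, while also recording whether the frame is hidden (zero-sized or display:none), which is the usual tell for an injected one. The sample pages are constructed for illustration, and the /24 used as the watched netblock is an assumption built around the two addresses named in the post, not a published indicator.

```python
"""Scan cached HTML pages for injected IFRAMEs pointing into a suspect netblock.

Added example, not code from the original post. SUSPECT_NETS is an assumption
(a /24 around the two addresses the post names); SAMPLE_PAGES are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: widen the two observed addresses to their /24 so the "next IP in
# the netblock" the post warns about is caught without a per-address blocklist.
SUSPECT_NETS = [ipaddress.ip_network("89.149.243.0/24")]


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attributes without a value (e.g. <iframe hidden>) arrive as None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '0', '0px', ' 1 ' -> int; anything else -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True for the classic injected-frame disguises: tiny size or CSS hiding."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:
        return True
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_injected_iframes(html, nets=SUSPECT_NETS):
    """Return a list of {src, ip, hidden} for IFRAMEs whose src is a literal
    IP inside one of `nets`. Hostname-based srcs are skipped: resolving them
    is a separate (and noisier) step that this offline example does not do."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname  # handles http://, https:// and //host
        if not host:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # not a literal IP
        if any(ip in net for net in nets):
            hits.append({"src": src, "ip": str(ip), "hidden": _is_hidden(attrs)})
    return hits


def scan_pages(pages, nets=SUSPECT_NETS):
    """Map page name -> hits, keeping only pages that contain at least one."""
    result = {}
    for name, html in pages.items():
        hits = find_injected_iframes(html, nets)
        if hits:
            result[name] = hits
    return result


# Constructed sample "cached search pages": two injected, one clean.
SAMPLE_PAGES = {
    "cache/search-foo.html": (
        '<html><body><p>results</p>'
        '<iframe src="http://89.149.243.202/x.php" width="0" height="0"></iframe>'
        '</body></html>'
    ),
    "cache/search-bar.html": (
        '<html><body>'
        '<iframe style="display: none" src="//89.149.243.201/y.php"></iframe>'
        '</body></html>'
    ),
    "cache/clean.html": (
        '<html><body><iframe src="https://example.com/embed" width="640"'
        ' height="360"></iframe></body></html>'
    ),
}

if __name__ == "__main__":
    for name, hits in scan_pages(SAMPLE_PAGES).items():
        for hit in hits:
            print(f"{name}: {hit['ip']} hidden={hit['hidden']} src={hit['src']}")
```

In practice the netblock list would come from whatever the hunt has already turned up (the /24 above is the smallest sensible widening of the two addresses in the post); the `hidden` flag is there so a reviewer can prioritise zero-sized frames, since a visible embed from a watched range is occasionally legitimate while a 0x0 one almost never is.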