Saturday, May 28, 2011

RBN Targets Lady Gaga

Steroid marketers in the Russian Business Network have targeted pop star Lady Gaga.

This takes the form of brand/copyright infringement attendant with the creation of the following domains:


On the face of it, these Lady Gaga domains appear to be the property of a Swedish marketing firm:
Reverse Whois:
"Ogelvy & Nielsen Ltd" owns about 19 other domains

Domain ID:D160903576-LROR
Created On:11-Dec-2010 21:48:32 UTC
Last Updated On:10-Feb-2011 03:49:07 UTC
Expiration Date:11-Dec-2011 21:48:32 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a
Registrant ID:DI_2144851
Registrant Name:Per Lundstroem
Registrant Organization:Ogelvy & Nielsen Ltd
Registrant Street1:12, Gammel Kongevej
Registrant Street2:
Registrant Street3:
Registrant City:Copenhagen V
Registrant State/Province:Bornholm
Registrant Postal Code:1610
Registrant Country:DK
Registrant Phone:+45.332565
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: is also Ogelvy & Nielsen Ltd (

Looking more closely, we can see that Ogelvy & Nielsen Ltd are a front: is hosted on a server in Hong Kong with IP address    a
Hong Kong

The name server for is

Other domains with the same IP address and name server are:
Domains using this as name server (8) itself is shielded by privacyprotect:

Domain Name: PRANZA.COM
Domain Admin (
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit
Nobby Beach
null,QLD 4218
Tel. +45.36946676 was registered through Directi:

Domain Name:    PRANZA.COM
Examining the other properties associated by DNS and IP address:

Created On:25-Mar-2005 09:25:39 UTC
Last Updated On:24-Aug-2010 13:46:11 UTC
Expiration Date:25-Mar-2012 09:25:39 UTC
Sponsoring Registrar:1API GmbH (R1724-LROR)
Registrant ID:RAI6113358-QAPX
Registrant Name:Rusnac Irina Anatoli
Registrant Organization:ICS Interland SRL
Registrant Street1:B-dul Stefan celMare, no. 169
Registrant Street2:
Registrant Street3:
Registrant City:Chisinau
Registrant State/Province:Chisinau
Registrant Postal Code:2004
Registrant Country:MD
Registrant Phone:+373.60305749
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:, based in Moldova, is an Internet marketer of anabolic steroids, human growth hormone, and the like, presumably manufactured by Balkan Pharmaceuticals SRL:

iVitamins Shop

"Manufacturer: Balkan Pharmaceuticals. This product is human use licensed by law at GMP standards. More details on company website ..."

iVITAMINS - Anabolic Steroids Discussion and Bodybuilding Forum

20 posts - 10 authors - Last post: Sep 19, 2006
"Just to let others know, I had some damage occur during shipping and I-vitamins said they would ship a replacement. Excellent customer service. ..."
Very Happy with
Reverse Whois:
"SC Balkan Pharmaceuticals SRL" owns about 1 other domains
Registration Service Provided By: IMENA.UA
Contact: +380.442010102
    SC Balkan Pharmaceuticals SRL
    Silviu Chiru        ()
    ul. N.Grehdesku 4
    Tel. +1.22503588
    Fax. +373.22503589

James McQuaid

Saturday, May 14, 2011

How To Disable WebGL

On May 11th, Swa Frantzen posted "Time to disable WebGL?" on the Internet Storm Center's Diary page (  Dan Goodin also covered this story on the 11th: "New graphics engine imperils users of Firefox and Chrome" ( 

Both articles point out that US-CERT has recommended that WebGL be turned off in browsers which support it (

The SANS piece mentions that in order to disable WebGL in Google Chrome "It needs the --disable-webgl argument on the command line".  After some testing, I have concluded that this only works once (i.e. in the browser session opened from the command line).  In addition, if you open the command window in the Run As Administrator mode, the command line argument does not work at all.

In order to disable WebGL on end user computers, it is necessary to change the target of every Google Chrome shortcut on a machine. 

To make this change in Windows 7:
1) right click the Google Chrome shortcut,
2) left click Properties,
3) click the Shortcut tab, and
4) change the Target to:
C:\Users\THEUSERNAME\AppData\Local\Google\Chrome\Application\chrome.exe --disable-webgl

This will not prevent users from creating a new WebGL enabled shortcut.

In Firefox 4.01, WebGL can be disabled as follows:
1) enter "about:config" in the address window,
2) scroll down to webgl.disabled and right click on it,
3) left click Toggle.
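The two manual procedures above (appending --disable-webgl to every Chrome shortcut, and toggling webgl.disabled in Firefox) can be applied in one pass with the PowerShell script below. It is an added example written for this post, not code from the original article or from Google or Mozilla. It assumes a Windows 7 layout (shortcuts under the user's Desktop, Start Menu, Quick Launch and the public Desktop / Start Menu folders; Firefox profiles under %APPDATA%\Mozilla\Firefox\Profiles), and that it runs in the user's own, non-elevated session, since the post notes the flag is ignored when Chrome is launched from an elevated prompt. The script name Disable-WebGL.ps1 is an assumption.

```powershell
# Added example for this post (not from the original article).
# 1) Finds every .lnk whose target is chrome.exe and appends --disable-webgl
#    to its Arguments, which is what the manual "change the Target" step does.
# 2) Writes user_pref("webgl.disabled", true) into each Firefox profile's
#    user.js; Firefox reads user.js at startup and it overrides prefs.js,
#    so this is the persistent form of the about:config toggle.
# Assumptions: Windows 7 default folder layout, run as the logged-on user.
# Usage: powershell -ExecutionPolicy Bypass -File .\Disable-WebGL.ps1

$flag = '--disable-webgl'

# Folders where Chrome shortcuts normally live (assumed layout).
$shortcutDirs = @(
    [Environment]::GetFolderPath('DesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'),
    (Join-Path $env:PUBLIC 'Desktop'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs')
)

$wsh = New-Object -ComObject WScript.Shell
$patched = 0
$skipped = 0

foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        # Only touch shortcuts that launch chrome.exe.
        if (-not ($lnk.TargetPath -like '*\chrome.exe')) { return }
        # Idempotent: leave shortcuts that already carry the flag alone.
        if ($lnk.Arguments -match '(^|\s)--disable-webgl(\s|$)') { return }
        $lnk.Arguments = ($lnk.Arguments + ' ' + $flag).Trim()
        try {
            $lnk.Save()
            $patched++
            Write-Output "Patched: $($_.FullName)"
        } catch {
            # Public/all-users shortcuts need admin rights to modify.
            $skipped++
            Write-Warning "Could not write $($_.FullName): $($_.Exception.Message)"
        }
    }
}
Write-Output "Chrome shortcuts patched: $patched, not writable: $skipped"

# Firefox: one user.js per profile directory.
$profilesRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$prefLine = 'user_pref("webgl.disabled", true);'
if (Test-Path $profilesRoot) {
    Get-ChildItem -Path $profilesRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $userJs = Join-Path $_.FullName 'user.js'
        $already = (Test-Path $userJs) -and
                   (Select-String -Path $userJs -Pattern 'webgl\.disabled' -Quiet)
        if (-not $already) {
            Add-Content -Path $userJs -Value $prefLine
            Write-Output "Wrote webgl.disabled to: $userJs"
        }
    }
}
```

As the post says, this only covers shortcuts that exist when it runs; a user can still create a fresh Chrome shortcut without the flag, so it is a mitigation for managed desktops, not an enforcement control. The shortcuts under the public Desktop and all-users Start Menu folders are only patched when the script has rights to write there; otherwise they are reported as skipped.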

You can test your configurations by browsing to this site:  If the puppy appears in a rotating cube, WebGL is enabled.  If WebGL is disabled, you will see a photograph.

The WebGL extension designed to protect the GPU stack from exploitation, GL_ARB_robustness, has not been deployed by most GPU vendors.

Once WebGL is effectively sandboxed by Google and Mozilla, I will be happy to turn it back on.  Until then, the eye candy will have to wait.

Additional references:

James McQuaid

Sunday, March 20, 2011

RBN IP List and Super Black Hole Updated

Hunting the RBN

IP address ranges from which the former customers of the RBN ISP, their malware marketing affiliate networks, emulators, and other organized crime groups exploit consumers. Block at will:

Protect your family and home network from 300,675 of "the baddest of the bad" domains blacklisted for Smoothwall 3:



Sunday, March 6, 2011

RBN IP List Update 3-6-2011

RBN IP List Update 3-6-2011 is available at:

In this update we add more coverage for ChronoPay properties.  Thus far, we have seen only one domain object move.  The mail server was located at (AS43355 UPL-TELECOM-AS UPL Telecom) and is now deployed at (Hetzner).  Both of these IP addresses also host DNS servers, so this provides a clue as to enemy infrastructure.

In addition to Pavel Vrublevsky's hubris, the update lists new instances of SpyEye Command and Control servers, Zeus, several backdoor trojans, a Heihachi deployment of Trojan Palevo, and we catch the Koobface Gang victimizing cancer patients with Trojan Bredolab.

We have consolidated several IP listings (an opportunity provided by consistently malicious behavior).

We wish to acknowledge Brian Krebs, the Malware Domain List, and David Glosser at Malware Domains.

Thank you,

James McQuaid

Saturday, February 12, 2011

AnonLeaks On The Move

Yesterday, I pointed out that had been deployed on IP address During the night, was moved to In addition, was deployed on
In addition, has been set up within criminal hoster Webalta's IP space:
Anonops has several familiar dedicated DDOS domains at
Hijacked brands on include Facebook, HSBC Finance, Nintendo, and Star Wars. In addition, the IP is cluttered with web spam junk domains.

According to, there have been 29 separate instances of malware on during the past 12 months (including, and the host domain objects remain in play (they include various subdomains for,, and
MalwareURL reports that Zeus and other keyloggers are currently active on the IP. is the bad hosting firm involved, and we will be taking a close look at their other operations.

James McQuaid

Friday, February 11, 2011

AnonLeaks Continues Relationship With Criminals

The sociopaths at Anonymous are once again aligning themselves with cyber criminals.  You may recall that they hooked up with Heihachi some time ago.  Now they are launching AnonLeaks as a replacement for wikileaks.  While AnonLeaks is being promoted through social media and free sites such as Blogger, they have also launched a subdomain at malware domain

Google Safe Browsing paints a pretty ugly picture:
"Malicious software includes 1 scripting exploit(s), 1 trojan(s), 1 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine."

Threat Expert, Norton, and McAfee also warn of malware at the site: is nestled in with numerous scam, fraud and malware sites at

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
If you don't want to reload your computer, as well as deal with the nightmare that is identity theft, stay away from the various AnonLeaks sites.

We will be adding to the RBN IP List with the next update.

Amazon may be interested to learn that they are hosting a site being utilized by Anonymous:

Forum snippet: "AnonLeaks. posted Dec 14, 2010 03:57:55 by anonleaks123. Pure Awesomeness." The forum is on a United States Amazon IAD prefix, AS14618 Amazon-AES-IAD.

One of the characteristics that the members of Anonymous have in common with their Russian and Ukrainian cybercriminal benefactors is that they evidently never received a moral education. Another is that they are felons who have earned hard prison time.

James McQuaid
11 February 2011

Friday, January 28, 2011

FBI Impersonation Spam Serves Trojan.Ransom

For the past month,  a compromised web site has been sending emails purporting to be from the "Federal Bureau of Investigation".   The email encourages the victim to download a file which installs Trojan.Ransom.

The spear phishing email originates from an evidently compromised domain  The email that I received bears the subject line "Email Correspondence", and was 111 kb in size.  The email account which was used to send the email is

A check of the site reveals that it has been in existence since 1999:
ICANN Registrar: INTERNETWIRE COMMUNICATIONS GMBH
Created: 1999-08-24
Expires: 2011-08-24
Updated: 2010-12-07
created:         1999-08-24
updated:         2010-12-07

owner-id:        RM624348
owner-name:      Robert Caspar Mueller
owner-address:   Frankfurter Tor 7
owner-pcode:     10243
owner-city:      Berlin
owner-country:   DE
owner-phone:     +49 305 4714361

This spear phishing campaign appears to be relatively unknown.  I checked the domain at Google Safe Browsing and Norton Safe Web, neither of which had checked the site.  McAfee Site Advisor gives the site a safe rating.

For over a year, members of the Russian Business Network have sought to impersonate F.B.I. leaders and web sites.

If you receive this email do not open it.

James McQuaid