From the monthly archives:

October 2008

Opera v9.62 released to fix Vulnerabilities

by certifiedbug on October 30, 2008

in Browser

Advisory 906
Severity: Extremely Severe
Platforms: All desktop versions

When certain parameters are passed to Opera’s History Search, they can cause content not to be correctly sanitized. This can allow scripts to be injected into the History Search results page. Such scripts can then run with elevated privileges and interact with Opera’s configuration, allowing them to execute arbitrary code.

Note: There have been public demonstrations of this issue, which have altered Opera’s setup. Upgrading to 9.62 will not restore these settings. If you have opened any of these demonstrations, you may have to restore your settings manually. Typically, the mailto handler has been changed; it can be restored back to its correct value using Preferences - Advanced - Programs.

http://www.opera.com/support/search/view/906/

Advisory 907
Severity: Highly Severe
Platforms: All desktop versions

The links panel shows links in all frames on the current page, including links with JavaScript URLs. When a page is held in a frame, the script is incorrectly executed on the outermost page, not the page where the URL was located. This can be used to execute scripts in the context of an unrelated frame, which allows cross-site scripting.

http://www.opera.com/support/search/view/907/
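Both advisories above are instances of untrusted page data reaching a privileged browser UI: in 906 a History Search parameter is echoed into a privileged page without sanitization, in 907 a script URL gathered from a subframe is executed in the outermost page's context. The following is an added example and is not Opera's code; it models the two patterns with the vulnerable form beside the corrected one. All names in it (render_history_search, resolve_panel_link, PanelLink) are this example's own and are not Opera identifiers.

```python
# Added example, not Opera's code. It models the two bug patterns in
# advisories 906 and 907: (1) a privileged results page that echoes an
# unescaped query parameter, beside the escaped version; (2) a links panel
# that must bind a javascript: URL to the frame it was found in rather than
# to the outermost page. All names here (render_history_search,
# resolve_panel_link, PanelLink) are this example's own, not Opera identifiers.
import html
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


# --- Advisory 906 pattern: script injected into a privileged page ----------

def render_history_search_vulnerable(query: str) -> str:
    """Vulnerable: the query is interpolated verbatim into privileged markup,
    so a query such as <script>...</script> becomes live script."""
    return f"<h1>History search: {query}</h1>"


def render_history_search(query: str) -> str:
    """Hardened: HTML-escape the query, so angle brackets and quotes are
    rendered as text rather than parsed as markup."""
    return f"<h1>History search: {html.escape(query, quote=True)}</h1>"


def contains_live_tag(rendered: str, tag: str = "script") -> bool:
    """Crude check: does the rendered page still contain an unescaped <tag ?"""
    return f"<{tag}" in rendered.lower()


# --- Advisory 907 pattern: script URL executed in the wrong frame ----------

@dataclass(frozen=True)
class PanelLink:
    href: str          # the link as found in the document
    frame_origin: str  # scheme://host of the frame that contained it


def is_script_url(href: str) -> bool:
    """True for javascript: URLs after the normalisation a browser applies:
    surrounding whitespace stripped, percent-encoding decoded, scheme
    compared case-insensitively."""
    scheme = urlsplit(unquote(href).strip()).scheme
    return scheme.lower() == "javascript"


def resolve_panel_link_buggy(top_origin: str, link: PanelLink) -> str:
    """Bug pattern from advisory 907: whatever frame the link came from, the
    panel activates it in the outermost document's context."""
    return top_origin


def resolve_panel_link(top_origin: str, link: PanelLink) -> str:
    """Correct binding: a navigational URL is opened from the top document,
    but a script URL may only run in the origin of the frame that held it."""
    if is_script_url(link.href):
        return link.frame_origin
    return top_origin


if __name__ == "__main__":
    print(render_history_search_vulnerable("<script>alert(1)</script>"))
    print(render_history_search("<script>alert(1)</script>"))
    hostile = PanelLink("javascript:alert(document.cookie)", "https://attacker.example")
    print(resolve_panel_link_buggy("https://victim.example", hostile))
    print(resolve_panel_link("https://victim.example", hostile))
```

The two fixes differ in kind: 906 is an output-encoding problem (escape at the point where untrusted text enters markup), while 907 is a context-binding problem (the origin the script will run in must travel with the link, not be taken from whatever page happens to be on top).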

Opera 9.62 for Windows: Download

Aviv Raff On .NET: A different Opera

{ 0 comments }

ICANN Stays EstDomains Notice of Termination

by certifiedbug on October 30, 2008

in Security

ICANN received a response from EstDomains regarding the notice of termination (http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf [PDF, 853K]). To assess the merits of the claims made in EstDomains’ response, ICANN has stayed the termination process while it analyzes these claims.

{ 0 comments }

ICANN cans EstDomains, Inc.

by certifiedbug on October 29, 2008

in Security

Stacy K. Burnette, Director of Contractual Compliance at ICANN, sent an official letter to Vladimir Tsastsin, President of EstDomains Inc., informing him that the company’s accreditation as a registrar is being terminated.

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for Estdomains, Inc. (Customer No. 919, IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction. This termination shall be effective within fifteen calendar days from the date of this letter, on 12 November 2008.

The attached Estonia Court records state that you were convicted of credit card fraud, money laundering and document forgery on 6 February 2008. EstDomains has submitted official documents to ICANN that state you are the President of EstDomains. Absent receipt by ICANN of any document indicating that you were removed from the position of President, ICANN concludes that you maintained the position of President of EstDomains since the date of your conviction. Estdomains’ RAA is being terminated based on your conviction and your status as President of EstDomains.

Notice of Termination of ICANN Registrar Accreditation Agreement (PDF)

ICANN’s notice states that the approximately 281,000 domains currently sponsored by EstDomains will be transferred to another ICANN-accredited registrar in accordance with the De-Accredited Registrar Transition Procedure, and that EstDomains has the right to suggest the transfer recipient by November 6, 2008.

Certifiedbug: http://certifiedbug.com/blog/tag/estdomains/

Edit:
ICANN - Expressions of Interest Sought for Bulk Transfer of Registrations

As the result of the de-accreditation of EstDomains, Inc. (IANA ID 832), ICANN is seeking Statements of Interest from ICANN-accredited registrars that are interested in assuming sponsorship of the gTLD names that had been managed by EstDomains. EstDomains managed approximately 280,000 gTLD registrations, including registrations in the biz, com, info, mobi, net, and org registries, including approximately 7 second-level internationalized domain names. EstDomains, Inc. is organized in Delaware, United States.

Whack-A-Mole.

http://www.domainnews.com/en/general/icann-expressions-of-interest-sought-for-bulk-transfer-of-registrations.html

{ 2 comments }

Microsoft Security Advisory 958963

by certifiedbug on October 28, 2008

in Microsoft

From the Microsoft Security Response Center (MSRC):

It’s been almost five days since we originally released MS08-067, and our tracking shows that security deployments remain strong. We’re also still unaware of any application compatibility issues with this update.

Like we’ve said, we’re continuing to watch the threat environment. Yesterday, we said that our analysis of public exploit code that was available showed it would always result in a denial of service. Today, we’ve identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067. This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000 systems. Our investigation has shown that it does not affect customers who have installed the update. We’ve just published Microsoft Security Advisory 958963 to let customers know about this new development.

http://blogs.technet.com/msrc/archive/2008/10/27/microsoft-security-advisory-958963.aspx

Certifiedbug. October 24, 2008.
Microsoft Security Bulletin MS08-067 Critical Update

{ 0 comments }

Microsoft PDC 2008

by certifiedbug on October 25, 2008

in Microsoft

Microsoft Professional Developers Conference, October 27-29.
http://www.microsoftpdc.com/
http://www.microsoftpdc.com/Agenda/

“All-star bloggers” group liveblogging at PDC 2008.
http://www.istartedsomething.com/20081020/all-star-bloggers-group-liveblogging-at-pdc-2008/

Bill Pytlovany is attending, “The first 20 people who ask will receive a free 1 GB WinPatrol Flash wristband.”
http://billpstudios.blogspot.com/2008/10/meet-me-in-los-angeles-at-pdc.html

{ 0 comments }

New EST Domains

by certifiedbug on October 25, 2008

in Security

decitu.com is one of EstDomains’ October registrations; checking it out, my browser was redirected to porno-tube-online.com/porn/, obviously an adult content site.

Snippet from my log:
/banners/flash/24368/json_400x600_005.swf 11,524 application/x-shockwave-flash
Host: banners.adultfriendfinder.com

By the way, if your Adobe Flash is up to date and you think you are protected from SWF exploits, see Sandi’s article at Spyware Sucks: Adobe Flash 10 does NOT stop malvertizement hijacking.

A lot of malware victims end up in help forums because they were redirected to a bad site, or intentionally downloaded video codecs so they could watch such content.

The dialog says a codec is needed to view the video; this is the point at which you should stop, before infecting your computer.

The antivirus program alerted.

Hiding in the background, waiting for an unsuspecting user to download the codec, was a rogue; the link on its own produced an error.

Domain Name: DECITU.COM
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-10-23
Expires: 2009-10-23
Updated: 2008-10-23
3 other sites hosted on this server.

Certifiedbug, October 24, 2008: EstDomains, Inc. PR

From EstDomains’ press release:

Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe. Please report infringements that involve the activity of EstDomains, Inc customers to: https://support.estdomains.com.

The support link they provided produced:
“The requested site did not respond to a connection request and the browser has stopped waiting for a reply.”
I went directly to their website and clicked the red ‘Report Abuse’ button; same thing.

The rest of the site loads normally; it is the ‘support’ page that was kaput at the time of writing.

{ 0 comments }

EstDomains, Inc. PR

by certifiedbug on October 24, 2008

in Security, Windows Vista

To read history see http://certifiedbug.com/blog/tag/estdomains/

October Press releases:
EstDomains, Inc Takes Next Step in Combating Spam and Malware
http://www.prweb.com/releases/2008/10/prweb1504344.htm

EstDomains, Inc Combating Cyber Crime — Thousands Domain Names Suspended
http://www.prweb.com/releases/2008/10/prweb1511704.htm

Edit:
The Spamhaus Project.
SBL68934
89.108.95.135/32 agava.ru
24-Oct-2008 10:41 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68935
89.108.73.87/32 agava.ru
24-Oct-2008 09:03 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68936
89.108.74.33/32 agava.ru
24-Oct-2008 09:04 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68937
83.171.76.96/28 ptt.spb.ru
24-Oct-2008 10:41 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

http://www.spamhaus.org/sbl/index.lasso
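The Spamhaus listings above and the decitu.com case in the earlier post (registered 2008-10-23 at EstDomains, observed redirecting two days later) are the kind of data a practitioner would fold into log review. The following is an added example, not Spamhaus’s or this blog’s tooling: it checks destination IPs in a log against the four SBL ranges quoted above and flags hosts whose WHOIS shows a recent registration at a watch-listed registrar. The SBL ranges and decitu.com’s registrar and creation date come from this page; the log lines, the other host names, the destination IPs, the WHOIS entry for the second host, and the 30-day threshold are constructed for the example.

```python
# Added example, not Spamhaus's or this blog's tooling. It runs two checks a
# practitioner could apply to proxy or DNS logs using the data on this page:
#   * destination IPs matched against the four SBL ranges quoted above
#     (SBL68934 to SBL68937, as listed on 24-Oct-2008);
#   * hosts whose WHOIS shows a recent registration at a watch-listed
#     registrar, as in the decitu.com case (created 2008-10-23 at
#     EstDomains, observed two days later).
# The SBL ranges and decitu.com's registrar and creation date come from this
# page. The log lines, the other hosts, the destination IPs, and the 30-day
# threshold are constructed for the example.
import ipaddress
from datetime import date

SBL_LISTINGS = {
    "SBL68934": "89.108.95.135/32",
    "SBL68935": "89.108.73.87/32",
    "SBL68936": "89.108.74.33/32",
    "SBL68937": "83.171.76.96/28",
}
SBL_NETWORKS = {sbl: ipaddress.ip_network(cidr) for sbl, cidr in SBL_LISTINGS.items()}

WATCHED_REGISTRARS = {"ESTDOMAINS, INC."}
NEW_DOMAIN_DAYS = 30  # constructed threshold


def _as_date(value) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def sbl_hits(ip_text: str) -> list:
    """SBL ids whose range contains ip_text; empty if none, or if unparsable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return []
    return [sbl for sbl, net in SBL_NETWORKS.items() if ip in net]


def is_new_watched_domain(whois: dict, observed_on) -> bool:
    """Registered within NEW_DOMAIN_DAYS of the observation at a watched
    registrar. A creation date after the observation (clock skew, bad WHOIS)
    is not counted as new."""
    age = (_as_date(observed_on) - _as_date(whois["created"])).days
    return whois["registrar"].upper() in WATCHED_REGISTRARS and 0 <= age <= NEW_DOMAIN_DAYS


def scan_log(lines, whois_db: dict, observed_on) -> list:
    """Each log line: '<timestamp> <client-ip> <host> <destination-ip>'.
    Returns (client, host, destination, reasons) for every line that trips
    at least one check."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        _ts, client, host, dst = line.split()
        reasons = []
        hits = sbl_hits(dst)
        if hits:
            reasons.append("sbl:" + ",".join(hits))
        whois = whois_db.get(host.lower())
        if whois and is_new_watched_domain(whois, observed_on):
            reasons.append("new-domain:" + whois["registrar"])
        if reasons:
            findings.append((client, host, dst, reasons))
    return findings


# Constructed log and WHOIS data (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
2008-10-25T14:02:11 10.0.0.12 old.example 192.0.2.10
2008-10-25T14:02:13 10.0.0.12 decitu.com 192.0.2.20
2008-10-25T14:02:15 10.0.0.41 host-a.example 83.171.76.100
2008-10-25T14:02:17 10.0.0.41 host-b.example 83.171.76.112
""".splitlines()

SAMPLE_WHOIS = {
    "decitu.com": {"registrar": "ESTDOMAINS, INC.", "created": "2008-10-23"},
    "old.example": {"registrar": "Example Registrar", "created": "2001-01-01"},
}

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, SAMPLE_WHOIS, "2008-10-25"):
        print(finding)
```

The /28 in SBL68937 covers 83.171.76.96 through .111, so the .100 destination is flagged and the .112 one is not; the registrar check is deliberately a watch-list signal rather than a block decision, since a registrar with 280,000 names also has legitimate customers.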

{ 0 comments }

Microsoft Security Bulletin MS08-067 Critical Update

by certifiedbug on October 24, 2008

in Microsoft

Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Executive Summary

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Out-of-band update, extremely urgent to patch ASAP.
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
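The bulletin text above gives everything needed to rank an estate for this patch: unauthenticated remote code execution on Windows 2000, XP and Server 2003 (Critical), Important on Vista and Server 2008, a wormable exploit considered possible, and perimeter firewalling as the mitigation. The following is an added example, not Microsoft’s code or tooling: it turns that mapping into a triage order over a host inventory. KB958644 is the bulletin’s update number; the Server service is reached over SMB (TCP 139/445), which is why perimeter exposure of those ports drives the ranking. The inventory format and all hosts in it are constructed for the example.

```python
# Added example, not Microsoft's code or tooling. It ranks a host inventory
# against MS08-067 using only what the bulletin states: unauthenticated
# remote code execution on Windows 2000 / XP / Server 2003 (rated Critical),
# rated Important on Vista / Server 2008, and no effect on hosts that have the
# update. KB958644 is the bulletin's update number. The Server service is
# reached over SMB (TCP 139/445), so inventory hosts that expose those ports
# outside the perimeter rank first. The inventory format and all hosts are
# constructed for this example.
from dataclasses import dataclass, field

PATCH_ID = "KB958644"
SMB_PORTS = {139, 445}

# Severity mapping taken from the bulletin text.
CRITICAL_OS = {"Windows 2000", "Windows XP", "Windows Server 2003"}
IMPORTANT_OS = {"Windows Vista", "Windows Server 2008"}


@dataclass
class Host:
    name: str
    os: str
    hotfixes: set = field(default_factory=set)                # installed KB ids
    internet_exposed_ports: set = field(default_factory=set)  # from a perimeter scan


def needs_patch(host: Host) -> bool:
    """Affected platform and the update is not installed."""
    return host.os in (CRITICAL_OS | IMPORTANT_OS) and PATCH_ID not in host.hotfixes


def priority(host: Host) -> str:
    """P1: Critical platform, unpatched, SMB reachable from the Internet (the
           wormable path the bulletin warns about)
       P2: Critical platform, unpatched, SMB not exposed at the perimeter
           (still reachable from the LAN, so still urgent)
       P3: Vista / Server 2008 unpatched
       ok: patched, or not an affected platform"""
    if not needs_patch(host):
        return "ok"
    if host.os in CRITICAL_OS:
        return "P1" if host.internet_exposed_ports & SMB_PORTS else "P2"
    return "P3"


def triage(hosts) -> list:
    """Return (name, priority) pairs, most urgent first. Plain string order
    works because 'P1' < 'P2' < 'P3' < 'ok'; sorted() is stable, so hosts of
    equal priority keep inventory order."""
    return [(h.name, priority(h)) for h in sorted(hosts, key=priority)]


# Constructed inventory for this example.
SAMPLE_HOSTS = [
    Host("dc01", "Windows Server 2003", {"KB958644"}, {445}),
    Host("web02", "Windows Server 2003", set(), {80, 445}),
    Host("ws-xp-17", "Windows XP", set(), set()),
    Host("vista-lab", "Windows Vista", set(), set()),
    Host("nix01", "Debian", set(), {22}),
]

if __name__ == "__main__":
    for name, prio in triage(SAMPLE_HOSTS):
        print(f"{prio}  {name}")
```

A P2 host is not safe merely because the perimeter blocks SMB: the bulletin’s wormable warning is about host-to-host spread, and the advisory above notes that the exploit code works against any unpatched 2000/XP/2003 system it can reach.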

Edit:
Get Protected, Now!
http://blogs.technet.com/mmpc/archive/2008/10/23/get-protected-now.aspx

MS08-067 and the SDL
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx

Note:
Threat Expert’s blog called Gimmiv.A a worm. A worm may follow, but at this stage the attack is a trojan, as shown in their own reports.

Sunbelt Blog: The trojan itself isn’t a worm, but a DLL dropped by Gimmiv is.

{ 0 comments }

Searching for a product, buyer beware

by certifiedbug on October 23, 2008

in Rogue

Noted by users: ‘official-download.net’ appears to be selling a product presented in such a way as to mislead a person searching for the download page of a well-known antispyware program.

Domain Tools:
Related Sites: 2008-official.net
Website title: Earth 2009 Secrets

That’s how the banner appeared yesterday; today it looked like this.

At the bottom of the page, in pale grey:

This website has no affiliation whatsoever with the owner of this software program, and provides ONLY a link to the software program. If you are a member and need support please contact us and not the software owner. This Software may be obtained freely. New computer users should find our services valuable, and a time saver. If you are an advanced computer user, you probably don’t need our services.

The download button took me to secure.signupsecurity.com and the following steps, requiring one to fill out an email address, contact information, and 1, 2 or 3 year membership options and features.

No thanks…

Persistent, aren’t they…

http://www.mywot.com/en/scorecard/official-download.net

The real thing: Spybot-S&D©® http://www.spybot.info/

{ 0 comments }

Rogue Security Program email scam

by certifiedbug on October 23, 2008

in Rogue

Victims report a rogue named ‘Spybot 2009’ received in the form of email spam posing as an application upgrade. The scam is playing off the trademark name of the well known antispyware program, Spybot-S&D.

Be warned you may also see websites offering the fake, rogue program Spybot 2009.

Screenshots of the rogue are hosted on a blog on Google’s blogspot.com that itself contains malicious code, which is a separate matter still to be addressed. Merely visiting that site will infect your computer.

http://www.avira.com/en/threats/section/fulldetails/id_vir/3684/html_infected.webpage.gen.html

Don’t fall for the rogue scam, Spybot - Search & Destroy©® is free for personal use and you can download the program at the official site here: http://www.spybot.info/

The current version of Spybot - Search & Destroy©® is v1.6.

{ 0 comments }