Author Topic: Software Profit  (Read 7108 times)


September 15, 2008, 04:15:52 am

gimcnuk

  • Newbie

I want to talk about this affiliate program.
Details you can find here: http://softwareprofit.com/index.html?lang=en

My site was added to the "black list" (mdl.php) because it had a link to a Softwareprofit product (winantispyware.com).
Now I have removed it, but I think that this aff program is absolutely legal. It suggests a real antivirus and anti-spy software.

Please post your opinions.

September 15, 2008, 04:45:10 am
Reply #1

sowhat-x

  • Guest
What's real about it?...

Quote
hxxp://softwareprofit.com/oursites/
I don't see the links to winantispyware.com removed there...

Quote
hxxp://winantispyware.com/
Which, if you play around a bit, redirects to...

Code: [Select]
http://mistikotitatuipologisti.com/mistikotitatuipologisti/?cmpnamegeo=grgeogdc&4=&mtrt=ppage-was7&language=en&aid=keyin&lid=keyin&affid=&mt_info=5231_0_15827:5230_0_15603&cmpnamegeo=null&4858530604&mt_info=5231_0_15827:5230_0_15603
 

Which is obviously another one of the numerous rogue craps that infect end-users...
I'm also under the impression that the above last link, mistikotitatuipologisti.com,
might differ/'rotate' depending on visitors' geo-location...but I didn't bother checkin' it that far, doh...

September 15, 2008, 04:49:07 am
Reply #2

sowhat-x

  • Guest
And I should also add this one there...  ;D
Quote
hxxp://winantivirus.com/

September 15, 2008, 04:51:22 am
Reply #3

gimcnuk

  • Newbie


Quote
hxxp://softwareprofit.com/oursites/
I don't see the links to winantispyware.com removed there...

I removed links to winantispyware from my site. softwareprofit is not my site; it is an aff program that sells winantispyware.

September 15, 2008, 05:00:46 am
Reply #4

sowhat-x

  • Guest
I don't blame it on you obviously - I merely quickly checked the sites that you've mentioned above...

And indeed, the above do a few nifty tricks in order to redirect to the malware in question:
if it's not geolocating, then it must be checking browser's language/if cookies are already set or so...
But I'm not in front of a spare machine at the moment, so I can't really dive that deep into it...


September 15, 2008, 05:17:45 am
Reply #5

sowhat-x

  • Guest
mistikotitatuipologisti.com is by far the most interesting from the above (ip 67.55.81.200)...
http://www.robtex.com/ip/67.55.81.200.html
http://www.robtex.com/dns/mistikotitatuipologisti.com.html#a2

A couple more rogue anti-virus 'products' share the same IP as well...

September 15, 2008, 05:32:19 am
Reply #6

sowhat-x

  • Guest
For the fun of it, here's also one which is hosted on the same IP, called "AVSystemCare".
This one seems to be well-known and detected though:
http://www.virustotal.com/analisis/dad8ef1941351cdda88f0acf3be0ecb8

Code: [Select]
hxxp://avsystemcare.com/data/?450801071357510a5501&mpt=1181125634&gai=swg_av&gli=3948&gff=pp_1084837492&ax=4&wqbp=7484-46197-7784-0

hxxp://avsystemcare.com/data//datainstaller.php?4657570d04165e560d0c12135268574e6b531069575a10065a510a025a525a425253550d454066065409555c060002010612050b0003

hxxp://cdn.bestdownloadsoft.com/avsystemcare.com/AVSystemCare/install_sbd_en.exe

September 15, 2008, 09:05:42 am
Reply #7

SysAdMini

  • Administrator
  • Hero Member


Code: [Select]
hxxp://mistikotitatuipologisti.com/mistikotitatuipologisti/?cmpnamegeo=grgeogdc&4=&mtrt=ppage-was7&language=en&aid=keyin&lid=keyin&affid=&mt_info=5231_0_15827:5230_0_15603&cmpnamegeo=null&4858530604&mt_info=5231_0_15827:5230_0_15603

redirects to

Code: [Select]
hxxp://mistikotitatuipologisti.com/mistikotitatuipologisti/installer.php?41040c0b5d06180f083c10456f684a000110415d5c0b5e04495c5e1018460406085743575207155b565350540004035d0257090305500550050d0405540f08010e07500e06075403565a54020056075303570800000605000100050051000c010d55535403575704535350020056035506000d53050605550504050757540c050e07550603555103535555030104030207521e4257520851

http://www.virustotal.com/analisis/b098bb97f8da040d64eca1e6fb75e773
Ruining the bad guy's day

September 15, 2008, 09:24:24 am
Reply #8

gimcnuk

  • Newbie

Some antiviruses said:

Quote
Not-A-Virus.PUP.BestSeller.n
not-a-virus:Downloader.Win32.WinFixer.lx
etc.

September 15, 2008, 11:33:43 am
Reply #9

SWPkey

  • Guest
Hi all!

First of all -> we are not selling http://winantispyware.com/ anymore; our software, which we use nowadays, is absolutely legal.
All our competitors use information about our software for their antivirus databases, but our software is not a virus or spyware. SoftwareProfit products can easily be removed from users' PCs; the folder for our software will be empty after removal.

September 15, 2008, 12:36:39 pm
Reply #10

sowhat-x

  • Guest
Do I really have to explain why spamvertisements of this kind,
especially when also involved in malicious activities as described above, will be removed immediately?...

September 15, 2008, 01:19:02 pm
Reply #11

SysAdMini

  • Administrator
  • Hero Member

Ruining the bad guy's day

September 15, 2008, 01:37:36 pm
Reply #12

sowhat-x

  • Guest
That's really funky...actually, it's the very 1st return in Google:
http://www.pay-per-install.org/softwareprofit/1375-signing-up-2.html#post14111

Quote
For now we don't give silent exe, maybe in future.
Cool. Please do tell us when you do so...
it will always be our pleasure to blacklist more of your domains.  8)

'Pay-per-install', or should I better say..."pay-per-infect"...
I challenge anyone to have a look at the "Downloads" section there as well.
But hey, wait, now that's kinda funny...from what I see,
there's also quite a few well-known malware coders lurking there...
are they actually such idiots as to use the same nickname in every forum around?   :)

September 15, 2008, 03:12:07 pm
Reply #13

MysteryFCM

  • Administrator
  • Hero Member

Says it all;

http://www.pay-per-install.org/softwareprofit/1375-signing-up.html#post13817

winantispyware.com was at;

66.244.254.63

http://hosts-file.net/pest.asp?show=66.244.254.

Code: [Select]
NetRange: 66.244.192.0 - 66.244.255.255
CIDR: 66.244.192.0/18
NetName: BIGPIPE-2
NetHandle: NET-66-244-192-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.BIGPIPEINC.COM
NameServer: DNS2.BIGPIPEINC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-03-14
Updated: 2002-05-21

... and is now at;

85.17.4.103

http://hosts-file.net/pest.asp?show=85.17.4.

Code: [Select]
inetnum: 85.17.4.0 - 85.17.4.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filtered

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

September 15, 2008, 03:48:58 pm
Reply #14

MysteryFCM

  • Administrator
  • Hero Member

For clarity, softwareprofit.com was on the same IP block;

66.244.254.180

... and is now on;

84.243.252.175 (PTR: swphouse.com)

swphouse.com itself is also quite interesting - notice any familiar names there?

http://www.robtex.com/dns/ns1.swphouse.com.html
http://www.robtex.com/dns/ns3.swphouse.com.html

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
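
Added example (not part of the thread, and not code from hpHosts or any poster): a Python sketch that parses the two WHOIS excerpts quoted in reply #13, one ARIN-style (`NetRange`/`CIDR`) and one RIPE-style (`inetnum`), and checks which of the IPs named in replies #13 and #14 fall inside each netblock. The function names are hypothetical and the records are trimmed to the fields the check needs.

```python
import ipaddress

# WHOIS excerpts as quoted in reply #13 (trimmed to the fields used here).
ARIN_RECORD = """\
NetRange: 66.244.192.0 - 66.244.255.255
CIDR: 66.244.192.0/18
NetName: BIGPIPE-2
"""
RIPE_RECORD = """\
inetnum: 85.17.4.0 - 85.17.4.255
netname: LEASEWEB
country: NL
"""

def parse_whois(text):
    """Parse 'key: value' WHOIS lines into {lower-cased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and not key.startswith(("%", "#")):
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def netblock(fields):
    """Return (NetName, [networks]) for ARIN-style or RIPE-style fields."""
    name = (fields.get("netname") or ["?"])[0]
    if "cidr" in fields:  # ARIN may list several comma-separated CIDRs
        nets = [ipaddress.ip_network(c.strip()) for c in fields["cidr"][0].split(",")]
    else:  # RIPE gives only a first-last range; convert it to CIDR blocks
        rng = (fields.get("inetnum") or fields["netrange"])[0]
        first, last = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        nets = list(ipaddress.summarize_address_range(first, last))
    return name, nets

def group_by_netblock(ips, records):
    """Map each IP to the NetName of the record containing it, or None."""
    blocks = [netblock(parse_whois(r)) for r in records]
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((name for name, nets in blocks
                           if any(addr in n for n in nets)), None)
    return result

if __name__ == "__main__":
    ips = ["66.244.254.63", "66.244.254.180", "85.17.4.103", "84.243.252.175"]
    for ip, name in group_by_netblock(ips, [ARIN_RECORD, RIPE_RECORD]).items():
        print(f"{ip:16} {name or 'no matching record in thread'}")
```

Both old addresses (winantispyware.com and softwareprofit.com) resolve to the same BIGPIPE-2 allocation, while 84.243.252.175 matches neither record quoted in the thread and would need its own WHOIS lookup.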