Author Topic: EstDomains clearing up the shit  (Read 72379 times)


September 11, 2008, 05:01:47 pm
Reply #46


  • Guest

September 11, 2008, 09:09:59 pm
Reply #47


  • Guest
...some members decided to scrape through the data archived in the past here at MDL,
and were kind enough to supply me with them...

We're currently, though, in the process of re-validating MDL's archived data regarding EstDomains,
in order to avoid listing as much as possible potentially 'false' entries,
e.g. malware sites that have been redirecting to EstDomains, but which were not directly affiliated...
As soon as the process is finished, during the next days or so, the info will be submitted here obviously...

September 12, 2008, 10:54:00 am
Reply #48

Ilya Klein

  • Newbie

I'm the owner of that was listed on the previous page.
Thanks to you my domain name was suspended, but there is nothing illegal on it, no phishing/spam/malware or anything of this kind...
It was a USEFUL website visited by thousands of people daily.
But if you google it, you can find people asking to remove it or telling that it hijacked their homepage... I can explain it, yes, on some websites visitors were asked (via standard IE alert) if they want to set favourlinks as their homepage or not, they have a CHOICE, and they HAVE TO click "Yes" to set it. It's their decision. No software/malware was used and they ALWAYS could change their homepage to anything they want.
But, I think you agree with it, most internet surfers click "yes" on everything they see without reading it, and most of them don't even know how to change the browser's homepage, so that's why you could find such topics on Google.
Now thousands of people see a blank page as their homepage instead of the website they saw and used every day before; do you think they are happy?
Thank you for your understanding.

September 12, 2008, 11:14:13 am
Reply #49


  • Guest
Ilya Klein:

There are literally thousands of EstDomains sites that are associated with malware.
False positives might occur occasionally, although this is minimized here...
as all malware-hosting sites listed here have been MANUALLY verified in the past.

It's obviously not possible to remember by heart
the reason for which every site listed here had been marked as malicious. is NOT listed in MDL's main list either,
nor can I find an entry about it in the hosts file that we provide.

September 12, 2008, 11:29:01 am
Reply #51

Ilya Klein

  • Newbie

I think I explained it in my post.
Setting favourlinks as your homepage is hard work - you have to click something that activates the IE prompt to change the homepage, then you have to wait some seconds for the "Yes" button to activate (but you can click "No" instantly, and it's set as the default button), then you have to click "Yes". And you can change it anytime you want. Is it hijacking? Or malware?

And the main question - do you think the people who were used to this website are happy now?

p.s. In my local store there are always people asking "do you want to try this new product??!!". I have a choice, to say "yes I want" or "no thanks", and I don't think those people are criminals even if I don't like them because they are tiresome.

September 12, 2008, 11:35:08 am
Reply #52


  • Jr. Member

So you don't mind if we unsuspend the
We took the information about it from your links.txt
Also, there are some domain names whose owners claim their domains are legit.
For example these are:
As these domains were in your report, could you tell me if this is correct?

September 12, 2008, 11:39:52 am
Reply #53


  • Guest
Plus SiteAdvisor's report as well...

The report from 21 August there, just two weeks ago, is a very representative one:
Quote of Aug. 21, 2008: this is still a current browser hijacking site;
it also plants spyware and malware that turns off your security scanner,
so it can give you drive-by downloads. Avoid it at all costs.

Meaning, we are certainly not accusing webmasters "in person"
of being the ones who planted the malware scripts/.exes in question there.
Obviously, they might have been 100% legitimate web admins whose sites got hijacked.

Plus, we certainly are not the ones who "cancel" them:
we merely REPORT in public the domains that have been found
to be extensively used in malware distribution.
What happens afterwards is something that in most cases we cannot possibly be aware of...

September 12, 2008, 11:42:32 am
Reply #54


  • Guest
My insight in this comes mostly from this thread (and a few others)

A user stating they cannot change their homepage away from, while obviously it's down now so I can't check it out, but to me this denotes other changes to the system, for instance disabling changes to Internet Options, and/or an exe running on the system. Even if your site didn't infect them, why would a malware exe link to your site?


September 12, 2008, 11:48:38 am
Reply #55


  • Guest
So you don't mind if we unsuspend the
We took the information about it from your links.txt
Also, there are some domain names whose owners claim their domains are legit.
For example these are:
As these domains were in your report, could you tell me if this is correct?

While they're all down since you guys suspended them, there's a very interesting read for the top 3 (online pharmacies)

While this pertains mostly (if not entirely) to the US, I can pretty much guarantee those are not good online pharmacy websites (I've personally not seen any online pharmacies hosting malware, not to say they couldn't).

Then you're getting into a 'gray' area; most probably those top 3 were from spam emails. However, sowhat and the others can probably give you more information; I'd wait until they respond to you :)


September 12, 2008, 11:53:09 am
Reply #56


  • Guest
So you don't mind if we unsuspend the
Personally speaking, as always, I don't mind in general what you do with the data here...
Our task is to identify sites involved in malware/spam/phishing and report them back in public,
so that end-users can protect themselves via hosts files,
and obviously for AV companies to grab the malware in question...

Now, in order to 'clean up' all of this mess over there in EstDomains, identify which sites were possibly hijacked,
which of them are indeed 'bad' clients and which of them not...
With all the crap that has been gathered throughout all these years,
I can understand this will be a very time-consuming process...
About 1070 domains gathered from MDL's archived data, as I had promised earlier...


September 12, 2008, 11:57:44 am
Reply #57


  • Administrator
  • Hero Member

Here is a list of domains which are registered at Estdomains and listed here on MalwareDomainList.
Ruining the bad guy's day

September 12, 2008, 12:04:03 pm
Reply #58

Ilya Klein

  • Newbie

but to me this denotes other changes to the system for instance disabling internet options changing, and or a exe running on the system

No. No. No. I don't know how to explain... you know, I just don't need such visitors who were forced to have my website as their homepage. They are not happy, they complain, they don't need my website or any of my services, they are bad customers. For what reason should I force them to visit my website?
I have a feedback form on my website, and if somebody wants to change favourlinks to anything else but doesn't know how to do it, I'm always trying to help.

why would a malware exe link to your site?

What malware exe are you talking about?

About SiteAdvisor - spam, phishing, malware - all at once!

September 12, 2008, 12:15:51 pm
Reply #59


  • Guest
To kokach:

Assuming you're in a rush, in case this is of any help,
here's also the "not-so-tidy" version of our archived data as well,
as we didn't have the time required to sanitize them to the full extent...
You can rest assured though that ALL of these were involved in 'suspicious' activities,
NO matter if their website owners were actually aware of this fact or not.

Some general statistics for those curious about it:
12700 domains archived in total by MDL, obviously all of them involved in malware/spam/phishing
4500 of them (approximately) somehow connected with EstDomains,
i.e. not necessarily registered via EstDomains... for example,
a site via Directi hosting malicious JavaScript that redirects to an EstDomains site, and so on...
About 35% of MDL's data since ever...