Hi,
Today I was informed of a new Privacy Threat spread through MSN.
Offline contacts send to all online contacts the following link: http://ultimatestufff.com/
Let's see how ultimatestufff works..
At a first analysis we can see that this web service surely runs on a small private server;
HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 345
Date: Sun, 17 Aug 2008 13:04:33 GMT
Server: lighttpd/1.4.19
The Server header tells us so: lighttpd is used.
The content of the first page is similar to my previous MSN-Malicious-Website discovery;
indeed we have:
<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="abuse.html" name="" frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name="" frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>
-> abuse.html
<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>
It looks perfectly similar to the previous case, but without the Java obfuscation.
-> counter.php
<img src="http://www.ipcounter.de/count.php?u=52572355&color=pink" alt="" border="0" width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814&color=pink" alt="" border="0" width=0 height=0></a></noscript>
And finally the most interesting part, indexx.php, which performs a redirection to:
http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx
This time the web service behind it is more important: a well-known service, Incentaclick, is used,
and it installs some tracking cookies:
HTTP/1.1 200 OK
Date: Sun, 17 Aug 2008 05:06:08 GMT
Server: Apache
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
P3P: CP="NOI DSP COR NID"
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8
And this is the source code:
<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' content="0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx"></head><body></body></html>
As you can see there is a Meta Refresh that redirects the user (instantly!) to another
website:
http://www.perfspot.com/join.asp?languageid=1&p=98958&t=14955-newadx
A common visitor will not notice the passage through Incentaclick, but will have its cookies..
Perfspot is a website that offers a Meeting Service.
It's interesting to see that during registration the user is asked to provide an MSN/LinkedIn/Live account, and this is the point where the careless user allows perfspot to reach other users.
Another interesting point is that, after you have completed the registration, you are automatically sent to a geo-location that corresponds to the location of the offline user who sent you the message.
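To show how the chain above can be traced without a browser, here is an added example (not code from the original post): a small offline crawler that follows Location headers, frames and meta refreshes, records the cookies each host sets with their lifetime, and flags zero-size tracking images. The responses are constructed from the headers and HTML quoted in the post; the 302 from indexx.php is an assumption, since the post only says it "performs a redirection".

```python
"""Offline walk of a frameset / meta-refresh redirect chain.

Added example, not code from the original post. The responses below are
constructed from the headers and HTML quoted in the post; the 302 from
indexx.php is an assumption.
"""
import re
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

START = "http://ultimatestufff.com/"
INCENTA = "http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx"
PERFSPOT = "http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx"

# Constructed offline "web": URL -> (status, [(header, value)], body).
SAMPLE_SITE = {
    START: (200, [("Server", "lighttpd/1.4.19"), ("Date", "Sun, 17 Aug 2008 13:04:33 GMT")],
            '<html><head><title></title></head><frameset rows="*,30,1" frameborder=0>'
            '<frame src="indexx.php" name=""><frame src="abuse.html" name="">'
            '<frame src="counter.php" name=""></frameset></html>'),
    START + "indexx.php": (302, [("Location", INCENTA)], ""),   # assumed mechanism
    START + "abuse.html": (200, [], '<center><b>Send Abuses to '
            '<a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>'),
    START + "counter.php": (200, [],
            '<img src="http://www.ipcounter.de/count.php?u=52572355&color=pink" width=0 height=0>'
            '<img src="http://www.ipcounter.de/count.php?u=54136814&color=pink" width=0 height=0>'),
    INCENTA: (200, [
        ("Date", "Sun, 17 Aug 2008 05:06:08 GMT"),
        ("Set-Cookie", "IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 "
                       "05:06:08 GMT; path=/; domain=.incentaclick.com"),
        ("Set-Cookie", "IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 "
                       "05:06:08 GMT; path=/; domain=.incentaclick.com"),
    ], "<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' "
       f'content="0;url={PERFSPOT}"></head><body></body></html>'),
    PERFSPOT: (200, [], "<html><body>registration form (placeholder)</body></html>"),
}


def fetch_sample(url):
    """Stand-in for an HTTP client: serves the constructed responses above."""
    return SAMPLE_SITE.get(url, (404, [], ""))


class _RefParser(HTMLParser):
    """Collect frame sources, meta-refresh targets and zero-size images."""
    def __init__(self):
        super().__init__()
        self.frames, self.hidden_imgs, self.meta_refresh = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"""url\s*=\s*['"]?([^'"\s]+)""", a.get("content", ""), re.I)
            if m:
                self.meta_refresh = m.group(1)
        elif tag == "img" and a.get("src") and "0" in (a.get("width"), a.get("height")):
            self.hidden_imgs.append(a["src"])   # 0x0 image = tracking pixel


_DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S %Z", "%a, %d %b %Y %H:%M:%S %Z")


def _parse_http_date(text):
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return None


def parse_set_cookie(value, now):
    """Split one Set-Cookie header into name, domain and lifetime in days."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    expires = _parse_http_date(attrs.get("expires", ""))
    lifetime = (expires - now).days if (expires and now) else None
    return {"name": name, "domain": attrs.get("domain", ""), "lifetime_days": lifetime}


def crawl(start, fetch=fetch_sample, max_pages=20):
    """Breadth-first walk over Location headers, frames and meta refreshes.

    Nothing is rendered or executed; only headers and HTML are parsed.
    """
    queue, seen = [start], set()
    pages, cookies, pixels = [], [], []
    while queue and len(pages) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, headers, body = fetch(url)
        pages.append(url)
        hdr = {}
        for k, v in headers:
            hdr.setdefault(k.lower(), []).append(v)
        now = _parse_http_date(hdr.get("date", [""])[0])   # lifetime relative to server Date
        for raw in hdr.get("set-cookie", []):
            cookie = parse_set_cookie(raw, now)
            cookie["set_by"] = url
            cookies.append(cookie)
        if 300 <= status < 400 and hdr.get("location"):
            queue.append(urljoin(url, hdr["location"][0]))
            continue
        doc = _RefParser()
        doc.feed(body)
        if doc.meta_refresh:
            queue.append(urljoin(url, doc.meta_refresh))
        queue.extend(urljoin(url, src) for src in doc.frames)
        pixels.extend({"page": url, "src": urljoin(url, src)} for src in doc.hidden_imgs)
    return {"pages": pages, "cookies": cookies, "pixels": pixels}


def third_parties(result, start):
    """Hosts other than the landing page's that the visitor silently touched."""
    home = urlsplit(start).hostname
    hosts = {urlsplit(u).hostname for u in result["pages"]}
    hosts |= {urlsplit(p["src"]).hostname for p in result["pixels"]}
    return sorted(h for h in hosts if h and h != home)


if __name__ == "__main__":
    res = crawl(START)
    for i, u in enumerate(res["pages"]):
        print(f"hop {i}: {u}")
    for c in res["cookies"]:
        print(f"cookie {c['name']} for {c['domain']} lives {c['lifetime_days']} days")
    print("third parties:", third_parties(res, START))
```

Run against the constructed responses, the walk ends at the perfspot registration page, reports the two Incentaclick cookies with 30 and 90 day lifetimes, and lists ipcounter.de as a pixel destination the visitor never sees; swapping `fetch_sample` for a real HTTP client gives the same report for a live chain.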
Here is the domain information for ultimatestufff.com
Domain Information
| ICANN Registrar: | ENOM, INC. |
| Created: | 2008-08-15 |
| Expires: | 2009-08-15 |
| Updated: | 2008-08-15 |
| Registrar Status: | clientTransferProhibited |
| Name Server: | DNS1.REGISTRAR-SERVERS.COM (has 94,989 domains) |
| Name Server: | DNS2.REGISTRAR-SERVERS.COM |
| Name Server: | DNS3.REGISTRAR-SERVERS.COM |
| Whois Server: | whois.enom.com |
Server Data
| IP Address: | 210.56.53.73 |
| IP Location | |
| Response Code: | 200 |
| Domain Status: | Registered And Active Website |
What to say..I’m a proud paranoid!!!
See you at the next post..
PS: I’m open to job offerings!
Some good information here, and I wanted to let people know that it would come in as:
http://Danny.invite.UltimateStufff.com
So let’s say my msn is Danny@hotmail.com, it would be that.
Okay so it seems you are very knowledgeable about these things. I am getting IMs from an unsigned msn buddy of mine to visit that particular site. So does that mean that my pc is infected by some virus or spam or is it coming from my buddy's machine?
And if so, how can I fix it, or report it, or whatever I need to do to make it stop?
Hi,
@Danny
Yes Danny, ultimatestufff creates this fake subdomain just for Social Engineering purposes; it has more impact on a basic user
@Tarcisio:
As written in the subject of this post, this is only a Privacy Threat, not a Malware Spreading System, so there is no Malware (coming from that site) on your PC
Regards,
Evilcry
How do you make it go away? I have had two friends from my contacts list tell me that I have sent this message to them. I changed my msn password and cleared all cookies. Is that enough to stop it?
Hi,
Change password and clear cookies.
Regards,
Evilcry
Thank you for the advice