Sunday, February 06, 2005


Schweinhund Of The Week Award

We're introducing a new semi-irregular feature today, the Schweinhund Of The Week, to be awarded to the person or entity who has aggravated me the most in the previous ill-defined time period. While Ward Churchill and our Crack Sales Team would've been the prime contenders for this award prior to last evening, the dubious honor, along with all the rights, privileges and immunities conferred by it actually is a tie this week. The winners are a slimeball search site called Megago, and none other than our friends in Redmond.

Our friends in Redmond win the award for their idiotic architecture decisions that so closely coupled the default browser to the operating system, and left said browser, in the name of "extensibility" vulnerable to any number of malware infections.

We now turn to Megago. First, let's look at their whois info:
Whois info for, megago.com:
Registrant:
MegaGO.com Inc.
3511 Silverside Road
Suite 105
Wilmington, DE 19810
US
Domain name: MEGAGO.COM
Administrative Contact:
Hostmaster, Hostmaster www@37.net
3511 Silverside Road
Suite 105
Wilmington, DE 19810
US
310-203-6699
Technical Contact:
Hostmaster, Hostmaster www@37.net
P.O.Box 480167
Los Angeles, CA 90048
US
310-203-6699
Registrar of Record: TUCOWS, INC.
Record last updated on 29-Dec-2003.
Record expires on 20-Feb-2010.
Record created on 20-Feb-1999.
Domain servers in listed order:
NS.ZF.NET 205.216.134.37
DNS.ZF.NET 216.102.246.43
NS2.WEBJUMP.COM 205.216.134.242
Domain status: REGISTRAR-LOCK


I will bet money that the Delaware address is a post box rental establishment. Doing a reverse lookup on the phone number, we can't find any listing for the company, so I'll bet it's a phony. The NPA-NXX for the phone number shows it in West Los Angeles and Beverly Hills. The zip code on the California address points to LA and West Hollywood. Googling the phone number shows that Pini.net and Coinc.com are also registered to what seems to be the same entity, an outfit called Zahav.net, with a different address in Delaware. Zahav has the exact same registration information at Tucows. Taking a look at 37.net (for the e-mail addresses of the, ahem, contacts), we find:

Whois info for, 37.net:
Registrant:
USGO.com Inc.
914 Westwood Blvd.
No. 177
Los Angeles, CA 90024
US
Domain name: 37.NET
Administrative Contact:
Hostmaster, Hostmaster www@37.net
914 Westwood Blvd.
No. 177
Los Angeles, CA 90024
US
310-209-8004
Technical Contact:
Hostmaster, Hostmaster www@37.net
914 Westwood Blvd.
No. 177
Los Angeles, CA 90024
US
310-209-8004
Registration Service Provider:
USGO Inc., www@37.net
310-203-6699
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 21-Oct-2004.
Record expires on 03-May-2005.
Record created on 03-May-1999.
Domain servers in listed order:
NS26B.SBC-WEBHOSTING.COM 216.173.237.47
NS26A.SBC-WEBHOSTING.COM 216.173.237.28
Domain status: REGISTRAR-LOCK

I'd bet money we're also looking at a post box rental place in LA based on this.

The phone number is unpublished, based on several reverse lookups. No legitimate business hides itself that way. I'm somewhat inclined to spring for the Intelius search for fifteen bucks to publish the slimeball's info (although with my luck it's behind several cut outs or there's no legitimate info).
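The pivot done by hand above (the same www@37.net contact and the same 310-203-6699 number tying megago.com to 37.net) is the kind of thing worth automating when there are more than two records to compare. This is an added example, not code from the original post; it parses whois text in the format quoted above and reports every contact value that shows up in more than one record. The sample input is the two records shown, trimmed to the lines the parser reads.

```python
import re
from collections import defaultdict

# Sample input: the two whois records quoted in the post, trimmed to the lines the parser reads.
MEGAGO = """Whois info for, megago.com:
Registrant:
MegaGO.com Inc.
Wilmington, DE 19810
Administrative Contact:
Hostmaster, Hostmaster www@37.net
310-203-6699
Domain servers in listed order:
NS.ZF.NET 205.216.134.37
DNS.ZF.NET 216.102.246.43
"""
THIRTYSEVEN = """Whois info for, 37.net:
Registrant:
USGO.com Inc.
Los Angeles, CA 90024
Administrative Contact:
Hostmaster, Hostmaster www@37.net
310-209-8004
Registration Service Provider:
USGO Inc., www@37.net
310-203-6699
"""

EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
PHONE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
NS = re.compile(r"^([A-Z0-9.-]+\.[A-Z]{2,})\s+\d{1,3}(?:\.\d{1,3}){3}$", re.M)

def extract_indicators(record):
    # Pull out the fields worth pivoting on: contact e-mails, phone numbers, nameservers.
    domain = re.search(r"Whois info for, (\S+):", record).group(1).lower()
    return {"domain": domain,
            "emails": {m.lower() for m in EMAIL.findall(record)},
            "phones": set(PHONE.findall(record)),
            "ns": {h.lower() for h in NS.findall(record)}}

def shared_indicators(records):
    # Map each (kind, value) to the domains whose records contain it; keep only
    # values that appear in more than one record, i.e. the links between registrations.
    seen = defaultdict(set)
    for rec in records:
        ind = extract_indicators(rec)
        for kind in ("emails", "phones", "ns"):
            for value in ind[kind]:
                seen[(kind, value)].add(ind["domain"])
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Feeding it the Pini.net, Coinc.com and Zahav.net records as well would show whether they hang off the same contact details or only off the shared phone number.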

Why am I hot under the collar about Megago and its associated entities? Because I spent most of last evening fixing the Mrs.' computer again (which had been immunized with every anti-spyware tool recommended on the various forums), trying to defeat a typo hijacker. Ad-Aware, Spybot and CWShredder all reported the system as completely clean. Nothing funky in the HijackThis log, all recognized stuff. Redid them all in Safe Mode, the box reported clean. There were no popups happening, but IE was painfully slow on her machine, and if she mistyped a URL, she was directed to Megago.com, instead of the MSN autosearch. I went into Tools/Options and tried turning off the autosearch, and I've got a very nice indication in IE and the registry that autosearch is indeed disabled. I deliberately entered a typo, and sure enough I was back at Megago. It was time to dig into the registry at that point, HKLM\Software\Microsoft\Internet Explorer being picked over with a fine-tooth comb, then a deep dive into HKCU\Software\Microsoft\Windows\CurrentVersion until 4am. As they say in French, gornisht. Nothing out of the ordinary.

I gave up and hit the sack, and returned to the machine after a restless couple of hours. I'm the kind of person who hates to leave a problem unsolved. I rebooted the machine, and horrors, it was blue screening loading IOS (it's a WinME box). I was getting seriously pissed at this point, and fortunately I was able to get to Safe Mode and run System Restore (there were quite a few heart-stopping moments during that one). I brought the machine back to Tuesday's restore point, the last known good one before Megago appeared. Once I had connectivity back up (that PC is on a wireless connection, and it was being a bit recalcitrant at finding the access point, but another reboot fixed that), I downloaded Firefox and told my wife not to hit the little blue "e" anymore. Unsurprisingly, the machine has been absolutely flying with IE not having been started.

I suspect that the problem is a Peper trojan variant, but I will be darned if I can find it. PeperFix doesn't work. I may try about:buster, but I doubt that's the problem. I'll probably just point www dot megago dot com to 127.0.0.1 in the Hosts file as a temporary fix (Like I said, I really hate to leave a problem unsolved; I'm not Motti The Mechanic).

Unfortunately there isn't a lot that's easily findable about Megago. One Hosts file provider describes them aptly as a typo squatter, but since I've disabled autosearch (at least that's what IE and the registry say), I should just get a simple not found page.

Since there are no pop-ups, I'm ahead of the game, but this thing was immunized according to best practices (there's that consulting lingo again). I'm unsurprised, given that Former Esteemed Client, an Extremely Large Financial Services Company with a tightly locked down Win2K desktop and strong content filtering, had one desktop that was completely infested and unusable thanks to a naive foreign consultant whose main experience was with MVS clicking on Free Scratch And Win. Mr. Gates, instead of trying to track down these people who are poking holes in his wares like thinly sliced cheese and putting them into his QA department, has merely given marching orders to his minions to spread FUD about Linux to protect his market share.

To summarize this rant:

I'm going back to bed.
