[Scgeeks] Re: Query: watch.ru

rooster acmeanvil at fishnet.com
Mon Aug 25 00:46:24 EDT 2008


Farelf wrote:
> rooster wrote:
>> watch.ru
>>
>> McAfee's overview indicates watch.ru is relatively benign, albeit: 
>> “Reliable sources indicate that this site may be a legitimate business 
>> under attack by spammers.”
>>
>> The html on the site presents enticements to d/l “macromedia flash 
>> player” (“fp...macromedia.com/go/getflashplayer”), as well as to click 
>> on “iframe” <.../cgi-bin/lasttopic.cgi>.
>>
>> As a general rule, both of these kinds of objects present potential 
>> malware threats.  Checks on embedded links on watch.ru to other sites 
>> (e.g., liveinternet.ru, alltime.ru) didn't yield anything especially 
>> damning. I suspect there might be click fraud or malware involved 
>> since watch.ru has a history of vulnerability and the recent incidence 
>> of spam linking to watch.ru correlates with other click fraud, 
>> phishing and malware attempts I'm seeing.
>> Are any of y'all set up to drill down any further to see if this is 
>> just an intermittently spammy site that resembles a dangerous site or 
>> if it's actually currently dangerous?
>>
>> IMWTK
> 
> G'day Rod.
> 
> I think you would need to nominate the actual pages you suspect (just 
> munge them slightly so they're not 'clickable' by the 
> innocent/unprepared).

The only url/page that appears on this iteration is 
<http://watch[dot]ru>. That's _all_ there is.

> Or you could check them yourself with LinkScanner
> Online - http://linkscanner.explabs.com/linkscanner/default.asp
> A positive is a positive with that but a negative is indeterminate (so
> don't accept the offer to go to the page just because you get
> "Congratulations! LinkScanner Online did not find any exploits.")

I'd been there. It's just that I was thinking there *must* be some 
referrer code embedded somewhere on watch.ru; perhaps something new that 
linkscanner's estimable, though auto, features weren't catching....

If I had a sandbox or some way to protect myself, I'd follow the 
flashplayer and iframe links to see what showed up. But I'm just a 
lonesome desktopper behind a conventional firewall routed via hs modem to 
my ISP. I don't mind driving along jungle trails, but I'm not gonna get 
out of the Rover just to check out funny smells coming out'n the bushes.
Different tool for different fools....

> Well, watch.ru seems to be a spammer (flogging moody timepieces, as it 
> happens) - see forum topic 
> http://forum.spamcop.net/forums/index.php?showtopic=9690  It would be 
> generally unusual for a 'commercial' spammer to spoil business by trying 
> to hijack visitors' PCs but maybe they've just been hacked.  There was 
> an awful lot of that going around in the last few weeks leading up to 
> the CNN Top 10 and other illicit attempts to subject PC ownership to the 
> rigours of 'survival of the fittest'.
> 
> Imagine - hacking a spammer!  "Little fleas have smaller fleas," etc. 
> Still, the Russians evidently see spamming in a 'different' light, just 
> another kind of advertising to them.

"Hacking a spammer." Doesn't really make sense though, does it? If I'm
understanding you. The spamming agent (spag) would have to have rather
intimidating receivables clerks when it came time to collect from 
watches.ru for his masters' unsolicited promo services; eh?

If the watch.ru spew *isn't* a malware medium directed at hijacking the 
unwary, perhaps we're seeing a turf war over share in the fake bling 
market. The 2 biggies, King Replica (cum Elite Herbal, cum Herbal King) 
and Prestige Replica(s), have been hosted on Korean nameservers, 
...although PresRep also has a smattering of Chinese, Panamanian and 
Romanians in the mix. Point being, no .ru's. The legitimacy of watch.ru 
aside for the moment, perhaps this blitz is a full-frontal attempt to get 
the watch.ru site blisted/red flagged to discredit them (further) in 
order to level the playing field.

FYI
King Replica/Elite Herbal/Herbal King uses name server:
124.1.2.3
124.0.0.0 - 124.1.255.255
netname:      SKNETWORKS
descr:        SK Networks Co.
descr:        199-15, Ulchiro-2Ga, Chung-Gu, Seoul, 100-192
descr:        ************************************************
descr:        Allocated to KRNIC Member.

Prestige Replica(s) also uses a preponderance of Korean nameservers
(e.g., ns1.monn12.com 211.110.100.137, etc.), with a
smattering of Chinese, Panamanian and Romanians in the mix.

I don't know if anyone has established it, but these two bruits might
be affiliates. On one hand, it's obvious. But that's not the same as
provable.

watch.ru on the other hand is distinctly Russian, ...been around for 10 
years or so, following a business plan that kind of straddles the line 
between outright spam and mere opportunistic marketing (i.e., between 
criminal and really irritating):
ns.caravan.ru. 217.23.128.1
ns2.caravan.ru. 217.23.146.1

FFYI: (from my notes)
#985
watch.ru
<snip>
SC link resolver misquotes link!

http://www.spamcop.net/sc?id=z2183806550z9274e85fe59499a998169b98da18ba11z

Subj: Rolex, Raddo, Patek  Philippe, Omega, Gucci

Resolving link obfuscation
   http://www.watch.ru
   http://www.watchru
   Host www.watchru (checking ip) IP not found ; www.watchru discarded as fake.
   Host www.watchru (checking ip) IP not found ; www.watchru discarded as fake.
Tracking link: http://www.watchru/
No recent reports, no history available
Cannot resolve http://www.watchru/
-- 
Steve;
Sorry if my input is a bit disjointed. We've been trying to get back out 
on the water, the weather has not been conducive (per the missus) and 
we've got our usual complement of summer guests, annexing the study *and* 
my computer.... Point being: when you retire, *don't* get talked into 
getting beach front property.


Happy trails,
rooster
boundary beach, bc
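The "SC link resolver misquotes link" note above shows a tracking URL (www.watchru) that the spam body never contained. The following is an added example, not SpamCop's code or anything posted in this thread: it extracts the hosts actually present in a (constructed) spam body, de-munges defanged forms like watch[dot]ru, and flags a resolver result whose host does not match any of them, so the report gets a second look instead of a doomed DNS lookup.

```python
"""Cross-check a link resolver's tracking host against the hosts in a spam body.

Added example (not SpamCop's resolver). SAMPLE_BODY below is constructed,
modelled on the subject line quoted in the thread.
"""
import re
from urllib.parse import urlsplit

_URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def demunge(text: str) -> str:
    """Undo common defanging: watch[dot]ru, watch(.)ru, hxxp:// -> real forms."""
    text = re.sub(r"\[(?:dot|\.)\]|\((?:dot|\.)\)", ".", text, flags=re.IGNORECASE)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def hosts_in(body: str) -> set[str]:
    """Lower-cased hostnames of every http(s) URL found in body."""
    found = set()
    for m in _URL_RE.finditer(demunge(body)):
        host = urlsplit(m.group(0)).hostname
        if host:
            found.add(host.rstrip("."))
    return found


def check_resolution(body: str, tracking_url: str) -> dict:
    """Compare the resolver's tracking host with the hosts seen in the body.

    matches_body == False means the resolver quoted a host the mail never
    contained (as with www.watchru above); treat that report as suspect.
    """
    seen = hosts_in(body)
    host = (urlsplit(demunge(tracking_url)).hostname or "").rstrip(".")
    return {"host": host, "matches_body": host in seen, "seen": sorted(seen)}


# Constructed sample body (not a real captured message).
SAMPLE_BODY = """Subj: Rolex, Raddo, Patek Philippe, Omega, Gucci
Visit http://www.watch.ru for the best replicas.
Mirror: hxxp://watch[dot]ru/cgi-bin/lasttopic.cgi
"""

if __name__ == "__main__":
    for tracking in ("http://www.watchru/", "http://www.watch.ru/"):
        print(tracking, check_resolution(SAMPLE_BODY, tracking))
```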

