Friday, October 31, 2008

LaSalle acquisition by Bank of America spreads malware

LaSalle customers are being invited by spam to use the new Digital Certificates that are required by Bank of America. The email messages being sent are quite simple, and belong to the long string of "Digital Certificate" malware which we have seen target BancorpSouth, Bank of America, Bank of the West, CapitalOne, CareerBuilder, Chase Bank, Classmates.com, Colonial, Comerica, Eastern Bank, Google Adwords, Key Bank, Merrill Lynch, M&I Bank, OceanBank, OpenBank, RBC, SunTrust, TD BankNorth, Wachovia.

The newsworthy portion of this scam is the fact that it preys on the uncertainty of banking customers involved in a merger. The FDIC's Sandra Thompson issued a memo on October 28th addressing exactly that point. Thompson's warning was to be on the alert for phishing scams targeting "financial institutions involved in high-profile mergers, acquisitions or failures."

Here's a sample of the LaSalle/Bank of America email:


LaSalle Bank Consumers Warning:

Please be advised that we cannot guarantee the confidentiality of not protected information.
Therefore, we strongly encourage you to update your system.
New Bank of America x.509 privacy certificate for LaSalle Bank consumers can be downloaded from our customer service department.

Proceed to customer service department>>.


LaSalle Bank and Bank of America will not be responsible for any damages, if you ignore this warning.

Sincerely, Keith Landers.
2008 LaSalle Bank and Bank of America Community.



The "Sincerely" name is random and is unique in each of the several hundred sample emails that we've received so far.

The destination website points to a page that looks like this:



and which tries to download an executable malware program. This tiny program, called "LaSalleSetup.exe" is merely the "dropper" which downloads additional malware, but its still troubling how few anti-virus products will actually stop it from running. At this timestamp, only 15 of the 36 Anti-virus products at VirusTotal detected this dropper as being malware, and neither McAfee nor Symantec were among those detecting it.

Once the dropper executes on the computer, it downloads additional malware from the address http://customlod.com/a.exe which is the address all of the recent versions (since October 15th) have been using. Customlod.com is a Register.com registered domain. Perhaps they will remove it for us?

Customlod.com is fast-flux hosted on a botnet, just like the rest of the domains. The "right-this-minute" group of IP addresses its using are:

68.53.208.245,
79.114.237.252,
82.83.208.155,
121.113.164.71
190.160.207.242

some of which allow the malware to be dropped, and others of which do not. The last address on the list seems to ahve been part of this botnet the longest, and has been observed running the Ocean Bank version of the Digital Certificate malware as well.

The "a.exe" malware is also not very well detected, with only 19 of 36 anti-virus products detecting it from Virustotal, and again, with no coverage from McAfee or Symantec.

Both the dropper and the second stage malware were crafted today. This probably just means they were repacked from the same base code, but neither had been observed or reported in the places we checked before this afternoon.

a.exe will store itself on the local machine as the file 9129837.exe and will link itself to Internet Explorer. IE is the only browser which will cause keystrokes to be sent to the criminals because of that. The malware also steals FTP, POP email, and ICQ session logon credentials.

I don't know where this one sends its stolen data yet . . . the most recent version we've run "in the wild" sent it to:

1.alisiosanguera.com.cn or 2.bernardosolo.net.cn


We've seen at least 34 unique subject lines on the spam messages, such as:
  • LaSalle Bank - Date and time our site was accessed
  • LaSalle Bank - determine the level of interest in information available on our site.
  • LaSalle Bank - identifying information about our visitors
  • LaSalle Bank - Please be advised
  • LaSalle Bank - the bank uses this information to create summary statistics
  • LaSalle Bank - Visitors to this bank Website remain anonymous.
  • LaSalle Bank - we do not collect identifying information about visitors to our site.
  • LaSalle Bank - we may use standard software
  • LaSalle Bank Consumers - we cannot guarantee the confidentiality of information sent.
  • LaSalle Bank Consumers: allow the web server to log the pages you use
  • LaSalle Bank Consumers: any information that you might send to us
  • LaSalle Bank Consumers: if you send confidential or private information to us
  • LaSalle Bank Consumers: other personal information
  • LaSalle Bank Consumers: private information in your e-mail
  • LaSalle Bank Consumers: we strongly discourage you from including any confidential information
  • LaSalle Bank Consumers: you have visited the site before
  • LaSalle Bank Consumers: your Account Number
  • LaSalle Bank Security: additional step to logging onto Online Banking .
  • LaSalle Bank Security: implemented an additional access authentication feature
  • LaSalle Bank Security: Please take a moment to prepare for this additional layer of security
  • LaSalle Bank Security: prompt you to answer your security verification question(s)
  • LaSalle Bank Security: reviewing your security verification question and answer
  • LaSalle Bank Security: we help you monitor your online accounts.
  • LaSalle Bank Security: we’re adding additional security features
  • LaSalle Bank will not be responsible for any damages
  • Warning LaSalle Bank Consumers:Making Online Banking even more convenient and secure for you—totally free.
  • Warning LaSalle Bank Consumers: Additional Security Features for Online Banking
  • Warning LaSalle Bank Consumers: Customer Identification Program
  • Warning LaSalle Bank Consumers: Information from a consumer reporting agency
  • Warning LaSalle Bank Consumers: Information We Collect
  • Warning LaSalle Bank Consumers: Information you provide us for applications or other forms
  • Warning LaSalle Bank Consumers: Notice of Financial Privacy Rights
  • Warning LaSalle Bank Consumers: providing you with secure and convenient online access


The domain names that we've seen hosting the dropper malware so far are:

bervioneeil.com
dfeuyerl.com
reekisb.com
reiureps.com
sdeirooe.com

which were all registered with BIZCN.COM as their registrar.

The full machine names look like these (with many random strings and different names substituted. Each full URL is truly unique.)

welcomelasalle.actionvalidate.bankonline.eBjjvVNII.reiureps.com
welcomelasalle.actionvalidate.carehtmlclient.l8UCc3sMZ.bervioneeil.com
welcomelasalle.actionvalidate.onlineupdate.HHtJWlNFa.dfeuyerl.com
welcomelasalle.actionvalidate.selfservice.bqUlaYr3t.sdeirooe.com
welcomelasalle.actionvalidate.services.T3Q2MVoy1.reekisb.com

The full URLs really look more like this:

http://welcomelasalle.customerlogin.sitesurvey.ovqvq1yco.reiureps.com/lasalle.php?/carehtmlclient/services/OSL.htm?LOGIN=iesHRMCt2g&VERIFY=BgwGlYOvQvq1YcO

http://welcomelasalle.onlineupdatemirror.certificateupdate.zetlslttm.reiureps.com/lasalle.php?/customerlogin/portalserver/OSL.htm?LOGIN=yG8If3X3h1&VERIFY=ovHI21zETLslTtm

http://welcomelasalle.securitychallenge.encrypted.vcxxudntu.reiureps.com/lasalle.php?/encrypted/communitypage/OSL.htm?LOGIN=xDnbTvlGvq&VERIFY=XrNKQDVcxxUdntu

But anything that includes at least the domain name and the lasalle.php will resolve to the same location.

Thursday, October 30, 2008

First Enom Phish, now Network Solutions Phish

Yesterday we reported that in the wake of ICANN's actions against ESTDomains, a new phishing campaign against eNom had begun. eNom holds the keys to more than 9 million domains, so that was pretty big news. Today the phishers have turned their attention to Network Solutions, which is listed as the Number Three registrar by domain count with more than 6.5 million domains.



With email subjects such as:

Attention: domain is expired
Attention: domain will be expired soon.
Attention: domain will be expired tomorrow.
Attention: domains are expired.
Attention: domains will be expired tomorrow.
Please, renew your domain
Please, renew your domains
Your domain are expired at this time!
Your domain is expired today!
Your domain will be deleted soon
Your domain will be deleted today

the phisher hopes to get the attention (and the userid and password) of the legitimate owners of domains registered at Network Solutions.

The email body looks like this:



Dear Network Solutions Customer,

We recently notified you that the registration period for your Network Solutions domain name had expired. As a benefit of having previously registered a domain name(s) with Network Solutions, you are eligible to receive a percentage of the net proceeds that were generated from the renewal and transfer of the domain name you chose not to renew. Since you have chosen not to renew the domain name listed below during the applicable grace period, we were successful in securing a backorder for this domain name on your behalf and it has been transferred to another party in accordance with the Service Agreement.

Renew your domain now - http://www.networksolutions.com

You must click on the following link, enter your domain name, and confirm your contact information in order to claim these funds. If your contact information is not correct, you must enter Account Manager and make the appropriate changes prior to clicking "submit" from the confirmation screen. If you do not do this, you will be confirming inaccurate information and will not receive any payment. Checks will only be made payable and mailed to the Account Holder of record.

Sincerely,

Network Solutions® Customer Support



With Senders such as:

NetworkSolutions Inc
NetworkSolutions Support
NetworkSolutions Support Team
NetworkSolutions Team
networksolutions.com
networksolutions.com Tech Support

and From addresses such as:

support@networksolutions.com
customerservice@networksolutions.com
tech@networksolutions.com

and nonsense tags such as:

NSCC0+2351620824@networksolutions.com

We expect more URLs will be added, as we are still on the early side of this phishing spam campaign, but here is what we have seen so far at the UAB Spam Data Mine.

http://www.networksolutions.com.com21.asia
http://www.networksolutions.com.com42.asia
http://www.networksolutions.com.com55.asia
http://www.networksolutions.com.sys42.mobi
http://www.networksolutions.com.sys44.mobi
http://www.networksolutions.com.sys49.mobi

We've reported these domains and hope to see quick action by the registrar for them.

As with every current top spam campaign, the registration WHOIS information indicates the registrant as being "Shestakov Yuriy" AKA Alexey Vasiliev - the registrant behind all the top "Russian girls" spam domains and most of the Canadian pharmacy spam domains, who has also used email addresses "alexvasiliev1987@gmail.com" and "alexvasiliev1987@cocainmail.com" as his identity when registering domains.

Hopefully OnlineNIC will terminate these domains quickly.

As with yesterday's eNom domains - these domains are fast flux hosted on the same site as a great deal of child pornography. More details are available to law enforcement.

Wednesday, October 29, 2008

Caution: Enom Phishing continues

If you have a domain name registered with the ICANN Registrar Enom, please be on the alert! A phishing campaign began against Enom users on October 27th. Here's what the phishing page looks like. As the phishing page points out, eNom is the "#1 Registrar Reseller" for the past seven years, and manages more than eleven million domain names!

Its too early to know if this attempt to steal userids and passwords for some of those eleven million domain names is related to the announcement that ICANN has terminated ESTDomains privileges. As we mentioned yesterday, the absence of ESTDomains may be a great inconvenience to criminals who are accustomed to using their services to register new domains for their criminal activities.

The spam from the earlier version looked like this:





Dear eNom Customer,

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable:

* Main site
* All web hosting services
* Email services
* Communication with the registry affecting new registrations, renewals, and transfers

For access your account follow this link - http://www.enom.com

The following services will not be affected and will continue to be fully operational:

* DNS will resolve normally - although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period
* Email forwarding and site redirection will operate normally

We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience.

Sincerely,
eNom Tech Support



The UAB Spam Data Mine received 298 copies of the earlier campaign, which resolved to seven unique domain names. Instead of sending the user to the actual domain for Enom, they were redirected to:

www.enom.com.com62.biz
www.enom.com.com72.biz
www.enom.com.com82.biz
www.enom.com.com92.biz
www.enom.com.com94.net
www.enom.com.sys52.net
www.enom.com.sys82.net

The email subject lines for the first batch were:

Maintenance
Maintenance at eNom
Maintenance at eNom - attention
Maintenance at eNom - warning
Maintenance at eNom.com
Maintenance at eNom.com - attention!
Maintenance at eNom.com - warning!

Sending names including:

eNom Inc
eNom Support
eNom Support Team
eNom Team
eNom Tech Support
eNomCentral Inc
eNomCentral Support
eNomCentral Team
eNomCentral Tech Support

From addresses were customercare@enom.com, info@enom.com, info2@enom.com, support@enom.com, or tech@enom.com


We got roughly fifty of these spam messages so far today. Here's a typical one:

=====================

Dear user,

On Wed, 29 Oct 2008 12:22:39 +0530 we received a third party complaint of invalid domain contact information in the Whois database for this domain. Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.

The contact information for the domain which displayed in the Whois database was indeed invalid. On Wed, 29 Oct 2008 12:22:39 +0530 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.

PLEASE VERIFY YOUR CONTACT INFORMATION - http://www.enom.com

If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:

Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260


LINK TO CHANGE INFORMATION - http://www.enom.com


Thank you,
Domain Services

[IncidentID:85036]


==================

The domains are of course Fast Flux hosted. At the moment of this writing each resolves to the following IP addresses:

67.242.30.251,
70.68.199.207,
71.230.88.68,
72.2.13.24
75.142.147.100
76.112.161.176,
76.235.212.56,
98.218.41.200,
99.245.182.179
209.252.169.130

But a quick history shows that they have also resolved to all of the following:

4.131.44.218
4.225.16.4
4.230.36.134
24.0.221.127
24.12.32.221
24.17.79.94
24.34.234.234
24.57.239.96
24.90.69.49
24.155.156.60
65.26.133.98
65.182.248.145
66.30.49.194
66.41.3.128
66.90.155.188
67.194.1.247
67.242.30.251
68.48.197.101
68.80.158.76
68.83.84.60
68.144.113.175
68.202.51.123
68.213.120.90
68.253.214.145
69.208.80.218
69.208.81.37
69.246.209.106
70.68.199.207
70.233.103.108
70.242.26.59
70.242.129.184
70.255.173.205
71.130.124.202
71.230.88.68
71.233.134.155
71.235.96.203
72.2.13.24
72.133.38.192
72.174.41.36
72.234.87.137
74.84.1.122
74.132.157.170
75.18.202.195
75.136.210.9
75.142.147.100
75.185.182.235
76.10.46.213
76.18.82.141
76.29.169.13
76.112.161.176
76.192.142.24
76.221.179.34
76.235.209.24
76.235.212.56
76.239.27.252
78.82.247.245
79.78.161.25
82.19.94.16
82.26.78.119
86.4.20.212
86.24.2.130
86.125.194.7
89.228.44.116
92.233.32.122
97.104.23.70
98.31.42.138
98.195.45.85
98.209.207.77
98.216.91.22
98.218.41.200
98.229.69.62
99.140.162.151
99.245.182.179
130.63.186.128
144.139.119.7
169.231.76.183
200.116.212.106
203.100.23.182
208.54.219.161
209.23.100.18
209.252.169.130
220.101.127.188
220.235.34.207

This botnet of hosting machines is also associated with the group of child pornography servers. These domains use "ns4.nastynameserver.com" (ns5, ns6) and "ns1.xwhlwww.com" as their nameservers, with such domains as "littlelolita", "lolita-bbs", and "nude-kids", "xlsites" and others. (More information available to law enforcement, just ask.)

Tuesday, October 28, 2008

Ding Dong The Witch Is Dead! ( ICANN Pulls the Plug on ESTDomains )

Today is certainly a great day! The first day of NBA season had me feeling good (although I'd rather be watching the Pistons than Cavs-Celtics or Portland-Lakers), but the latest news has me dancing in the living room! (Which is scaring the parakeet, and making the water in the fishtank jiggle alarmingly.)



ICANN's Director of Contractual Compliance, Stacy Burnette, has officially begun termination proceedings to eliminate EST Domains as a registrar.

Anyone who has worked in Internet Security for any amount of time will be familiar with the fact that EST Domains is the registrar of choice for most Eastern European cyber criminals. EST should have realized their time was limited when investigative cyber reporter Brian Krebs shined his searchlights into their dark corner of the Internet with his two part series, that began with A Superlative Spam and Scam Site Registrar and continued with EST Domains: A Sordid History and a Storied CEO.

It was Krebs' second column that started certain parties in the ICANN community to begin the process of finding Estonian court documents that would prove conclusively (and locally) that what Krebs allged in his column was true -- that a known criminal was running an ICANN Registrar.


The hand-writing has been on the wall since Krebs' column, which has lead to an increase in criminal domains being registered on Chinese-based registrars, but historically if a domain was involved in crime or malware, there was a great chance it was going to be registered at EST Domains. (Some of the "Chinese" registrars actually have "subcontractor" arrangements in St. Petersburg and Moscow to allow Russian criminals to register their own domains, but make them appear to be registered in China.)


The ICANN letter opens with:

Dear Mr. Tsastsin:

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (Customer No. 919, IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction. This termination shall be effective within fifteen calendar days from the date of this letter, on 12 November 2008.
...





Since Estonian Court records indicate the conviction occurred on 6 February 2008, and EstDomains made no attempt to remove Tsastsin from office because of these convictions, the terms of the RAA allow such a termination.

EstDomains 281,000 domain names under management will be transfered using the ICANN "De-accredited Registrar Transition Procedure" on or before 6 November 2008. An announcement requesting parties interested in taking over the management of these domains was posted on the ICANN website this evening at:

http://www.icann.org/en/announcements/announcement-2-28ct08-en.htm.

The letter quoted above is also available on the ICANN website, at:

http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

Brian Krebs and all the folks at ICANN, and all the researchers who contributed to bringing this event to pass - Well Done!

Tip to Phishers: First Build Site, THEN Spam

As a transplant to the South, I was not at first familiar with the expression "Bless his little heart". Its often used to express amusement at something silly a young child or animal may do, because they don't know any better. When used with regards to adults, it replaces Yankee expressions because Southerners are generally too polite to say someone is too stupid to live. I've lived in the South for more than twenty years now, so when I saw the phishing campaign that started up around 1:20 this morning, all I could say about the Phisher was "awwww....bless his little heart!"

Here's what the spam emails look like:









When I say we started getting spam from this campaign, I mean SEVERAL messages every minute. The spammer had registered himself some nice domain names using the Chinese Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.

1securebanking.com
connect-secure.com
ibanking-net.com
ibanking-secure.com
securebanking-net.com
secureconnect-us.com
secure-ebank.com
secure-ebanking.com
secure-ibank.com
secure-ibanking.com
secure-netbanker.com
securesolutions-net.com
us-bankconnect.com
us-securebanking.com



He had chosen some innocent American's identities to use when he did his domain name registrations, so they would seem "American", I guess . . .

He was Darleen Murray from Buffalo, NY
and Ray Brooks from Swanquarter, NY
and David Minor from New York, NY
and Eric Mattson from Sherman Oaks, CA
and Joshua Zadow from Mitchell, SD
and Thomas Brooks from Atlanta, GA
and Alice Hatch from Murray, UT
and Leonard Johnson from Socaldwell, OK
and Stephanie Jordan from Seattle, WA
and Ruth Sims from Morro Bay, CA
and Sam McNeal from Baltimore, MD
and Barbara White from Bangor, ME
and Robert Russwurm from Kingston, NY
and Megan Alfonso from Lake Wales, FL

He even used their real phone numbers and email addresses for the contact information on the registrations!

Each of these folks curiously decided to use the same Technical ID on their registrations -- gTec Limited in Moscow, Russia.

Seven of the domains were registered on October 13th, and seven more on October 23rd, but none were used for spamming before this morning.

Early this morning, Our Pathetic Phisher launched his spam campaign, using machines from all around the world to send his spam. We received messages sent from Japan and Germany, from Korea and Lithuania, from Canada and Kansas City, from Russia and Bulgaria, from the Ukraine and from Turkey.

But there is nothing on ANY of the websites! Even as we sit here watching the spam continue to flow in, we can't get ANY of the websites to show content!

Was it a bad path in the spam? (Regardless of brand they all used the same path.)

Was it quick action by those staunch anti-phishing crusaders in China? (The IP addresses are all the same . . . 123.134.66.8 . . . which is hosted on CNCGroup in Shangdong China.

Or it possible, that the Phisher is just that stupid. That he forgot to put the content on his webservers before he began to send his spam. I'm inclined to believe this is the situation here.

Say it with me . . .

"Bless his little heart..."



Here are the URLs that we saw . . . many times each:

http://associatedbank.1securebanking.com/251005/account-update/
http://associatedbank.1-securebanking.com/251005/account-update/
http://associatedbank.connect-usbanks.com/251005/account-update/
http://associatedbank.ibanking-net.com/251005/account-update/
http://associatedbank.ibanking-secure.com/251005/account-update/
http://associatedbank.securebanking-net.com/251005/account-update/
http://associatedbank.secureconnect-us.com/251005/account-update/
http://associatedbank.secure-ebank.com/251005/account-update/
http://associatedbank.secure-ebanking.com/251005/account-update/
http://associatedbank.secure-ibank.com/251005/account-update/
http://associatedbank.secure-ibanking.com/251005/account-update/
http://associatedbank.secure-netbanker.com/251005/account-update/
http://associatedbank.us-bankconnect.com/251005/account-update/
http://associatedbank.us-securebanking.com/251005/account-update/
http://commercebank.1securebanking.com/251005/account-update/
http://commercebank.1-securebanking.com/251005/account-update/
http://commercebank.connect-secure.com/251005/account-update/
http://commercebank.ibanking-net.com/251005/account-update/
http://commercebank.ibanking-secure.com/251005/account-update/
http://commercebank.securebanking-net.com/251005/account-update/
http://commercebank.secureconnect-us.com/251005/account-update/
http://commercebank.secure-ebanking.com/251005/account-update/
http://commercebank.secure-ibank.com/251005/account-update/
http://commercebank.secure-ibanking.com/251005/account-update/
http://commercebank.secure-netbanker.com/251005/account-update/
http://commercebank.securesolutions-net.com/251005/account-update/
http://commercebank.us-bankconnect.com/251005/account-update/
http://commercebank.us-securebanking.com/251005/account-update/
http://bank.countrywide.1-securebanking.com/251005/account-update/
http://bank.countrywide.connect-secure.com/251005/account-update/
http://bank.countrywide.connect-usbanks.com/251005/account-update/
http://bank.countrywide.ibanking-net.com/251005/account-update/
http://bank.countrywide.ibanking-secure.com/251005/account-update/
http://bank.countrywide.securebanking-net.com/251005/account-update/
http://bank.countrywide.secureconnect-us.com/251005/account-update/
http://bank.countrywide.secure-ebank.com/251005/account-update/
http://bank.countrywide.secure-ebanking.com/251005/account-update/
http://bank.countrywide.secure-ibank.com/251005/account-update/
http://bank.countrywide.secure-ibanking.com/251005/account-update/
http://bank.countrywide.secure-netbanker.com/251005/account-update/
http://bank.countrywide.securesolutions-net.com/251005/account-update/
http://bank.countrywide.us-bankconnect.com/251005/account-update/
http://bank.countrywide.us-securebanking.com/251005/account-update/
http://countrywide.1securebanking.com/251005/account-update/
http://countrywide.connect-secure.com/251005/account-update/
http://countrywide.ibanking-net.com/251005/account-update/
http://countrywide.ibanking-secure.com/251005/account-update/
http://countrywide.securebanking-net.com/251005/account-update/
http://countrywide.secureconnect-us.com/251005/account-update/
http://countrywide.secure-ebanking.com/251005/account-update/
http://countrywide.secure-ibank.com/251005/account-update/
http://countrywide.secure-ibanking.com/251005/account-update/
http://countrywide.secure-netbanker.com/251005/account-update/
http://countrywide.securesolutions-net.com/251005/account-update/
http://wachovia.1securebanking.com/251005/account-update/
http://wachovia.1-securebanking.com/251005/account-update/
http://wachovia.connect-secure.com/251005/account-update/
http://wachovia.ibanking-net.com/251005/account-update/
http://wachovia.ibanking-secure.com/251005/account-update/
http://wachovia.securebanking-net.com/251005/account-update/
http://wachovia.secureconnect-us.com/251005/account-update/
http://wachovia.secure-ebank.com/251005/account-update/
http://wachovia.secure-ebanking.com/251005/account-update/
http://wachovia.secure-ibank.com/251005/account-update/
http://wachovia.secure-ibanking.com/251005/account-update/
http://wachovia.secure-netbanker.com/251005/account-update/
http://wachovia.securesolutions-net.com/251005/account-update/
http://wachovia.us-bankconnect.com/251005/account-update/
http://wachovia.us-securebanking.com/251005/account-update/

Monday, October 27, 2008

OperaciĆ³n Carrusel sets an example for fighting Child Pornography

The Spanish government last week reminded us how easy it is to catch large groups of online perverts who enjoy downloading child pornography. Last week in Spain, Manuel Vasquez, the chief of the national police's "Brigada de InvestigaciĆ³n TecnolĆ³gica", announced the detention of 121 people, and brought charges against 96 of them. 800 police officials performed 210 searches in 42 Spanish provinces, leading to the seizure of 347 hard drives, 1,186 CDs and DVDs, and 36 laptop computers. Among those charged was a member of the CNI (Centro Nacional de Inteligencia) and an agent of the National Police who worked in Spain. Four underaged students were also detained.


(watch the video in Spanish)

"Operation Carrousel" is the largest coordinated effort in the history of la PolicĆ­a Nacional. The investigation began in July of 2007 when the Federal Police of Brasil (la PolicĆ­a Federal de Brasil) shared log files from a major child pornography distribution network with the government of 75 countries. The archives which they shared identified 18,000 IP addresses from which child pornography had been accessed, including 1,600 connections that had originated in Spain. Those IP addresses were turned over to the Brigade of Technological Research (BIT), who used them to identify 250 homes from a great deal of the activity had occurred.

Those investigated were all "distributers" -- those who could be shown to have ACCESSED the Brazilian stash and also to have SHARED at least three files via Peer to Peer (P2P) networks that made clear reference to underaged pornography in their file names. Terms such as "preteen" or "pcth" (which in Spanish is an abbreviation for "preteen hard core") were suspected, and contents were checked to determine whether the files were in fact what they were labelled.

The Spanish article describing these events, at rtve.es, closes by pointing out how the criminals in these situations are from all walks of life . . . taxi drivers, bank employees, police, commercial pilots, concierges, and teachers, . . . from all ages . . . 4 minors, 5 over the age of 60, 60 between the ages of 18 and 30, 74 from 31 to 40, 52 from 41 to 50, and 22 more between 51 and 60 . . .and from all parts of the country. 49 were arrested in Catalonia, 37 in Andalusia, 29 in Madrid, 22 in Valencia, 15 in Basque country, 13 in Castilla y Leon, 11 in Galicia, 8 in Castilla La Mancha, 7 in Canarias, 6 in Murcia, 5 in AragĆ³n, 5 in Cantabria, 5 in Baleares, 4 in Extramadura, and 1 in La Rioja.

The crime is the same in most every country. We saw similar results in Australia this summer with Operation Centurion, which began when German authorities shared lists of IP addresses of those who visited a child porn website in Germany with other countries. In that case 1,500 Australian IP addresses were investigated -- so far as we can tell the ONLY country of the 170 with whom the Germans shared the information that did anything useful with it. In the opening raid in May, more than 70 Australians were arrested, and more than one million child exploitation images and videos were seized. Arrests in Australia now exceed one hundred people, with the most recent happening last week with the arrest of Robert Andrusiow in Wollongong.

The USA has not had a similar operations since the March 2002 Operation Candyman, which netted 89 offenders in 20 states after 266 searches were conducted. 27 of those arrested plead guilty to molesting more than 36 children.

In Operation Candyman, the Houston FBI's Child Exploitation Task Force set up a Yahoo "eGroup" at www.egroups.com/groups/thecandyman, and monitored the activities of visitors for nearly a year before the raids.

Like its predecessor, Operation Avalanche, which lead to 100 arrests in 37 states, there were some rather strong challenges and accusations of entrapment. The problems generated from CandyMan and Avalanche need to be studied, and compared with the results of Spain's OperaciĆ³n Carrusel and Australia's Operation Centurion.

The lesson we should be learning from the successes in Australia and Spain is that its not necessary to conduct undercover operations that may lead to charges of entrapment. We have technology on our side. Monitoring the highly trafficked child pornography websites of the world and determining where the visitors come from is a perfectly adequate way in which to scoop up large collections of online perverts. To be sure, some of those IP addresses will lead to open WiFi points, libraries, hotels, etc. But as we learned in Spain, many of the perverts are operating from their own homes, and using those same home addresses to do Peer to Peer "distribution". Searching their homes will certainly put officials on the trail to more badness, and will send an important message that is in need of an update: Child Pornography Is Not Tolerated in the United States of America.

Thursday, October 23, 2008

The demise of index1.php PornTube Video Malware

When a criminal finds a good thing, he stays with it. One criminal has been doing exactly that since May 17th. Every day since May 17th, the UAB Spam Data Mine has received spam messages with shocking, offensive titles promising to have videos of offensively described sex acts, which pointed to webpages ending in "index1.php". I started to write today's article saying that it had finally stopped, but unfortunately, a small batch trickled in just before I sat down to write. (Two domains were in that batch - estofadosgrando.com.br, which has already been fixed so that it is not able to deliver the malware - and rasini.it, which is still hosting a fake YouTube page showing a sexual act and attempting to infect visitors with their malware.)

What I can say is that something has happened this week to dramatically impact the volume of this malware-advertising spam. While there are times when the volume was more than 10% of all spam, for the month of October, this campaign averaged about 2% of the total spam volume per day. In May it was only a fraction of 1%, although present each day, in June it crossed 1%, peaking in mid-August where it was 3% of all spam we received.

During the course of this spam campaign, we received spam from more than 30,000 infected computers, which advertised malicious websites on more than 2,260 domains.

Each of those websites was an existing legitimate website, which was taken over by the criminals to allow them to post their malicious software on the site. Once their malware was in place, visitors would be invited to load software to view the movie (viewers with older browsers were infected even if they didn't ask to load the software). That malware in turn launched the installer for the then current fake Anti-Virus 2008 (currently calling itself AntiSpyware 2009).

A quick check of the 2,269 previously used domains shows that 166 of them are still hosting the malware.

Here are the links to the malware, in case someone would like to contact these webmasters and help them get this stuff removed.

We believe that the webmaster's own computer may be compromised. It appears that the criminal logs in to the websites using the administrator's userid and password, creates the directory where he is going to place his virus, and then uploads his files to it.

If you are a webmaster of one of these domains, we would very much like to see your server logs. Please email if you would be willing to share: gar@cis.uab.edu


!!DANGER!! IF YOU ARE NOT A PROFESSIONAL ANTIVIRUS RESEARCHER, THESE LINKS ARE NOT FOR YOU!!!!

193.238.209.17\hot_video.exe
195.145.241.232\pornvideo815uw.exe
198.66.130.103\videopornu376x.exe
1pajda1.borec.cz\video435_porn.exe
66.36.231.223\videporn920ma.exe
69.73.158.27\news_usama_video.exe
74.50.89.140\usama_video.exe
999.gen.tr\pornotube\video1439654.exe
999.gen.tr\pornotube\video54582.exe
999.gen.tr\pornotube\video76566.exe
999.gen.tr\pornotube\video8657786.exe
aberturaslif.com.ar\pornotube\video1439654.exe
aberturaslif.com.ar\pornotube\video54582.exe
aberturaslif.com.ar\pornotube\video76566.exe
aberturaslif.com.ar\pornotube\video8657786.exe
acalon.es\news\video463847.exe
acalon.es\news\video6432434.exe
acalon.es\news\video7656532.exe
acalon.es\news\video9865565.exe
achdepannexpress.com\news_usama_video.exe
addressprint.ru\news_usama_video.exe
agriturismovillavittoria.it\pornivideo03y45i.exe
agroredenoticias.com.br\pornotube\video1439654.exe
agroredenoticias.com.br\pornotube\video54582.exe
agroredenoticias.com.br\pornotube\video76566.exe
agroredenoticias.com.br\pornotube\video8657786.exe
aisal.ru\videoPorn218hdy.exe
aisoftware.ro\tvideo_my_hot.exe
alcaphone.com.br\hot_video.exe
aloidiasimoveis.com.br\pornvideo815uw.exe
alrafah.net\pornotube\video1439654.exe
alrafah.net\pornotube\video54582.exe
alrafah.net\pornotube\video76566.exe
alrafah.net\pornotube\video8657786.exe
amadicarpets.com\news_usama_video.exe
amiram.org.il\shoking_video_news.exe
amphonesinh.info\videporn920ma.exe
andreadelvalle.com\pornvideo815uw.exe
antonianki.ofm.pl\pornotube\video1439654.exe
antonianki.ofm.pl\pornotube\video54582.exe
antonianki.ofm.pl\pornotube\video76566.exe
antonianki.ofm.pl\pornotube\video8657786.exe
antytusk.pl\tvideo_my_hot.exe
asaib.info\video79885.exe
asociace.euweb.cz\news\video463847.exe
asociace.euweb.cz\news\video6432434.exe
asociace.euweb.cz\news\video7656532.exe
asociace.euweb.cz\news\video9865565.exe
atatac.com\hot_video.exe
autocalunnictvojv.sk\pornotube\video1439654.exe
autocalunnictvojv.sk\pornotube\video54582.exe
autocalunnictvojv.sk\pornotube\video76566.exe
autocalunnictvojv.sk\pornotube\video8657786.exe
axonsrl.com\videporn920ma.exe
aziendaruggeri.it\pornwvideo3u96.exe
azoreil-yar.ru\pornnvideo238vf.exe
bakir.bel.tr\video4326xx.exe
bali-hotels-budget.com\my_video_hot.exe
baselangues.emme.fr\video432654xd.exe
bba.kbu.ac.th\pornwvideo3u96.exe
beatnikteacher.com\pornivideo396.exe
benhurantiguidades.com.br\videopornu376x.exe
betosom.com.br\pornnvideo238vf.exe
billoepallina.it\news\video463847.exe
billoepallina.it\news\video6432434.exe
billoepallina.it\news\video7656532.exe
billoepallina.it\news\video9865565.exe
bolats.com\videoPorn218hdy.exe
bubugrupo.com\tvideo_my_hot.exe
buenosairesltd.com\tvideo_my_hot.exe
bux666.com\pornivideo396.exe
cadorgames.xf.cz\news\video463847.exe
cadorgames.xf.cz\news\video6432434.exe
cadorgames.xf.cz\news\video7656532.exe
cadorgames.xf.cz\news\video9865565.exe
calimh.com\news\video463847.exe
calimh.com\news\video6432434.exe
calimh.com\news\video7656532.exe
calimh.com\news\video9865565.exe
castropaes.com.br\pornvideo815uw.exe
cdlourdes.com\news_usama_video.exe
cedacbrasil.com.br\videporn920ma.exe
celinakochen.com.br\videokl_ds4.exe
center-eno.com\vide839pornn.exe
charley.wz.cz\news_usama_video.exe
chennai.needindya.com\pornotube\video1439654.exe
chennai.needindya.com\pornotube\video54582.exe
chennai.needindya.com\pornotube\video76566.exe
chennai.needindya.com\pornotube\video8657786.exe
click-cargo.com\shokinng_video.exe
cobrahk.wz.cz\video25653.exe
collectedthoughts.co.uk\news_usama_video.exe
coralis.ro\video.exe
crazynails.pro24.pl\videoXXX76s3545.exe
crisracebook.com\videoxxx834j.exe
derggi.com\my_video_hot.exe
dipucu.com\pornmvideo6d19.exe
dominuscobrancas.com.br\video_usama.exe
dsl-uebersicht.de\video.exe
dyc-1.celingest.es\new_usama_video.exe
eltubio.com.ar\tvideo_my_hot.exe
emporio-uk.it\my_hot_video.exe
erolantik.com\pornyvideo194vf.exe
escola-allegro.com\videporn920ma.exe
eskapada.info\video.exe
estudiscunit.com\videoQe32.exe
evagino.net\pornivideo03y45i.exe
eyecatchinggear.com\videoPorn218hdy.exe
farfalle.es\news_usama_video.exe
ferrucasdeltrenrojo.com.ar\tvideo_my_hot.exe
fitonit.cl\pornotube\video1439654.exe
fitonit.cl\pornotube\video54582.exe
fitonit.cl\pornotube\video76566.exe
fitonit.cl\pornotube\video8657786.exe
freddyrock.com.ar\videopornu376x.exe
gargamel.com.tr\my_video_hot.exe
geoteam.sk\pornivideo03y45i.exe
giovani.donorione.it\secret_archive.exe
gorodok-band.de\pornotube\video1439654.exe
gorodok-band.de\pornotube\video54582.exe
gorodok-band.de\pornotube\video76566.exe
gorodok-band.de\pornotube\video8657786.exe
grafo.com.tr\video.exe
grupamc.com\vide839pornn.exe
guillaumenery.fr\news_usama_video.exe
hardcore-united.com\pornmvideo6d19.exe
hiperlab.com.br\pornotube\video1439654.exe
hiperlab.com.br\pornotube\video54582.exe
hiperlab.com.br\pornotube\video76566.exe
hiperlab.com.br\pornotube\video8657786.exe
hisaryapi.com.tr\pornovideo729lo.exe
holdispharma.com\videopornu376x.exe
holytrinity.com.ua\videporn920ma.exe
horsetrainingsuperstars.com\news_usama_video.exe
hotel-lebellevue.fr\my_hot_video.exe
hotelxibalba.com\news_usama_video.exe
hsmicro.co.kr\pornotube\video1439654.exe
hsmicro.co.kr\pornotube\video54582.exe
hsmicro.co.kr\pornotube\video76566.exe
hsmicro.co.kr\pornotube\video8657786.exe
i-bournemouth.com\pornotube\video1439654.exe
i-bournemouth.com\pornotube\video54582.exe
i-bournemouth.com\pornotube\video76566.exe
i-bournemouth.com\pornotube\video8657786.exe
imparbrasil.com.br\hot_video.exe
inspirace.ic.cz\video4335gfd3.exe
integratedlabelsoutlet.com\pornnvideo238vf.exe
integratedlabelsusa.com\videoPorn218hdy.exe
ipago.info\my_hotvideo.exe
irisotel.com\my_video_hot.exe
isvo.nl\videopornu376x.exe
ivoireweb.biz\pornwvideo3u96.exe
iyc.org.tr\pornotube\video1439654.exe
iyc.org.tr\pornotube\video54582.exe
iyc.org.tr\pornotube\video76566.exe
iyc.org.tr\pornotube\video8657786.exe
jegupi.com\antivir\AntivirusXP2008Installer.exe
jesusnolar.org.br\pornvideo815uw.exe
jorgelopezdj.com\pornivideo03y45i.exe
josiasgranito.com\install_antivirus.exe
kamenipitarimilas.hr\videopornu376x.exe
korviet.net\pornivideo396.exe
koshkindom.vio.ru\video245fgw22.exe
label-sheets.com\my_hots_video.exe
laccsa.com\pornvideo815uw.exe
ladrigan.com\antivir\AntivirusXP2008Installer.exe
lafabak.com\pornotube\video1439654.exe
lafabak.com\pornotube\video54582.exe
lafabak.com\pornotube\video76566.exe
lafabak.com\pornotube\video8657786.exe
lichter-loh.com\pornnvideo238vf.exe
litecrete.com\my_hots_video.exe
lolo16.com\my_video_hot.exe
loritritel.com\pornotube\video1439654.exe
loritritel.com\pornotube\video54582.exe
loritritel.com\pornotube\video76566.exe
loritritel.com\pornotube\video8657786.exe
magdatur.com.br\video83porn.exe
marklenders.com\pornyvideo194vf.exe
marwad.com\my_hotvideo.exe
maximelaplante.com\video23574fr41.exe
maximumassetshield.com\videoXXX76s3545.exe
mediamatika.wu.cz\pornmvideo6d19.exe
membersvcs.com\antivir\AntivirusXP2008Installer.exe
merchant.directaccess.ro\videosecrt927.exe
miavai.com\my_hots_video.exe
michcom.cl\my_hots_video.exe
millenniummobilya.com\video857porn.exe
mkz.unas.cz\pornotube\video1439654.exe
mkz.unas.cz\pornotube\video54582.exe
mkz.unas.cz\pornotube\video76566.exe
mkz.unas.cz\pornotube\video8657786.exe
mobila.yard.ru\video7346.exe
momoelectronic.com\pornivideo03y45i.exe
motorpost.com\pornivideo03y45i.exe
muranga.es\pornotube\video1439654.exe
muranga.es\pornotube\video54582.exe
muranga.es\pornotube\video76566.exe
muranga.es\pornotube\video8657786.exe
music2000.eu\videosecrt927.exe
musiquote.it\tvideo_my_hot.exe
neocodec.com\free_vid.exe
netmalakay.com\videonjk568.exe
nrss.com.br\video623porn.exe
oarsoaldea.net\tvideo_my_hot.exe
oempricing.com\videoPorn218hdy.exe
omalissi.com.ar\pornivideo03y45i.exe
opcionsp.com\videosecrt927.exe
orf.ru\pornotube\video1439654.exe
orf.ru\pornotube\video54582.exe
orf.ru\pornotube\video76566.exe
orf.ru\pornotube\video8657786.exe
orsoft.es\video23678fe3.exe
otromadrid.dmkhost.net\pornotube\video1439654.exe
otromadrid.dmkhost.net\pornotube\video54582.exe
otromadrid.dmkhost.net\pornotube\video76566.exe
otromadrid.dmkhost.net\pornotube\video8657786.exe
paoloterni.com\videopornu376x.exe
payalweb.cusiteonline.com\videoPorn218hdy.exe
pegasolar.com\videoPorn218hdy.exe
penzion-hradsky.cz\video354rporn.exe
perezmu.com\news_usama_video.exe
pfmsindia.biz\hot_video.exe
pichelariadias.com\my_hot_video.exe
polatenerji.com\my_video_hot.exe
portaledonna.org\news_usama_video.exe
ppctotal.com\my_hotvideo.exe
precision.needindya.com\pornovideo729lo.exe
previarch.com\pornotube\video1439654.exe
previarch.com\pornotube\video54582.exe
previarch.com\pornotube\video76566.exe
previarch.com\pornotube\video8657786.exe
pro-heni.hr\pornotube\video1439654.exe
pro-heni.hr\pornotube\video54582.exe
pro-heni.hr\pornotube\video76566.exe
pro-heni.hr\pornotube\video8657786.exe
quintametalica.com\my_hots_video.exe
regv.net\videosecrt927.exe
remcovandermeide.nl\pornovideo729lo.exe
ringrajeradio.com.ar\video3468ht34.exe
rollarampiberica.com\my_hots_video.exe
rovinj.ch\videopornu376x.exe
rubblemaster.pl\pornnvideo238vf.exe

Wednesday, October 22, 2008

Ryan Goldstein: Digerati Faces ?Justice?

This will be brief. I promise.

You'll recall my frustration when New Zealander hacker, Owen Thor Walker, AKA "AKILL", was indicted as a "super hacker" back in April (see AKILL Convicted Are We Safer Now?, and my even greater frustration when he got off with no jail time and only having to pay $11,000 in restitution (which was only about 1/5th of what we could PROVE he had stolen!)

I'm back in frustration mode over the sentencing of Ryan Goldstein. Goldstein was finally sentenced yesterday in the East District of Pennsylvania, after being indicted more than eleven months ago (November 1, 2007) for "18 USC 371 - Conspiracy to Commit Computer Fraud".

Ryan traded favors such as "an undetected, unreleased bifrost beta with 100% antivirus and firewall bypass", as well as passwords to various forums to incentive AKILL to DDOS groups which had bothered Ryan, including TAUNET, ssgroup, and others. No one probably would have noticed or cared if it weren't for the fact that Ryan decided to host a malware update on some servers at University of Pennsylvania, where he is a student. When Walker instructed his 50,000 compromised computers to update themselves with code from the UPenn server, it caused an "accidental" Denial of Service, disabling some of the network services at UPenn.

Ryan's lawyer, Ronald Levine of Post & Schell, got an extension until March 10th, but they decided to plea out, and did so on February 29th. Since then, sentencing was scheduled for June 10, August 5, August 19, and finally October 21st.

Ryan was finally sentenced yesterday to 90 days in jail, followed by 90 days in a halfway house, and 180 days of house arrest. He will also not be allowed to use a computer "other than for work or school activities" for five years.

The prosecution failed to bring any charges regarding the more than 1,000 child pornography images found on his computer. They then agreed that he could schedule the 90 days at his convenience, so as not to conflict with his class schedule. He'll probably serve them during summer vacation.

I'm not sure what kind of school wants to have a convicted computer criminal and child pornography collector as one of their students. I guess he'll get his degree and go find a job, after his brief visit to jail.

The judge apparently shared my frustration at the lack of serious charges, based on his remarks reported in the Philadelphia Inquirer yesterday. U.S. District Judge Michael Baylson completed the sentencing of Goldstein, and then turned to his next case, where he sentenced Derrick Williams to two years for possession of Child Pornography. The judge thought it worth noting that "It seems very unfair. . . . I want to note for the record that Mr. Goldstein is white and Mr. Williams is African American and that adds to my discomfort". According to the Philadelphia Inquirer, both men possessed roughly 1,000 images of child pornography.

According to the sentencing guidelines, Williams should have received an 8 to 10 year sentence.

Thursday, October 16, 2008

FTC stops AffKing and SanCash, so is Pill Spam Gone?

In yesterday's blog, we shared information about the FTC and New Zealand police's Takedown of AffKing and SanCash. As soon as I posted, people started asking, "Have you seen a decrease in pill spam?" So, this morning we went to Starbuck's and checked out the morning spam over a few espressos.

To make sure we were using fresh spam, we looked only at spam from midnight until 6 AM for October 16, 2008. To begin, we sorted our spam into two big buckets: Pill Spam, and Everything Else. Then, we did some simple checking of what was in the Everything Else bucket, to reveal this graph:



We then opened up the "Pill Spam" data and started digging into the clusters. The emails in this category contained 12,040 URLs, of which 1,231 were unique. The most common URL was for the website http://www.includeisland.com/ which occurred 1,118 times, followed by http://www.mostbody.com/ with 960 occurrences and http://indatzayrce.com/ which was present in 570 emails.

Twenty-Eight URLs accounted for 50% of the pill spam emails.

Eighty-seven URLs accounted for 75% of the pill spam emails.

179 URLs accounted for 90% of the pill spam emails.

The graphic below shows the top Sixty-five URLs in the Pill Spam category which each contained at least .25% of the volume of emails.



In each case, all of the domains from each provider were hosted on a single ISP. The domains were:



31% - 78.157.143.160
http://aspirationhelp.com
http://fractionwhich.com
http://observeclock.com
http://leftsit.com
http://yourhappen.com/
http://nounmount.com
http://spiritualityegg.com
http://www.houseprosperity.com
http://settlecotton.com/
http://thesyllable.com/
http://segmentcapital.com/
http://mappoem.com
http://purposehear.com
http://purposehear.com/
http://frontsoon.com
http://butvalue.com
http://tonesuch.com
http://allowsong.com/
http://www.mostbody.com
http://www.includeisland.com




14% - 118.216.29.89
http://pillslovefelt.com
http://loverxmelody.com
http://www.optimismmeasure.com/
http://www.courageanimal.com/
http://placemedpopulate.com
http://lovepharmsea.com
http://qualitycanadiansearch.com
http://placepharmscolor.com
http://medicalloversagree.com
http://newrxroad.com
http://www.determineagain.com/
http://www.gathercourage.com/
http://pharmsitefact.com
http://www.responsibilitymatter.com/
http://www.integritycar.com/


8% - 201.65.181.178
http://buyirishhealth.sg
http://buyitdoctor.sg
http://coldtherapyonline.sg
http://combuymeds.sg
http://columbiainternationalmed.sg
http://coloradorecoveryguide.sg
http://carmedscripts.sg
http://collegeclubstore.sg
http://collinsamericanmeds.sg



6% - 58.20.154.162
http://objectdecimal.com/
http://propertydefinition.com/
http://madeingenuity.com/
http://reflectionsell.com/
http://welltotal.com/
http://actdefinition.com/
http://spiritualitywhere.com/
http://reflectionteach.com/
http://specialallow.com/
http://experiencerealization.com/
http://syllableharmony.com/
http://breadsave.com/
http://probablenumber.com/
http://optimismchief.com/
http://separatesolution.com/
http://doesage.com/
http://respectroot.com/

No Image Available - Site Offline

5% - 218.64.218.4
http://lewiwdenne.com
http://indatzayrce.com



1% - 74.53.96.178
http://iemoriah.com.br/rf.html



0.3% - 220.248.185.97
http://largeindependence.com/

We'll revisit the topic of pill spam in two weeks time to see if there has been any significant change in the field. It may be that the implications of the recent decision have not yet set in, or it may be some of the spammers are so bold that they just switched affiliates and kept right on spamming!

For now, I'll leave you with the even worse truth about these spammers. They have dozens or even thousands of other domains already registered and ready to send spam. Each of these IP addresses above also hosts a plethora of other domain names which are sitting in reserve for future spam purposes. Some of these may be valid domains, I am not claiming they are all pill sites, but every one that I have checked so far was hosting a pill site:

VDHost of Latvia - 78.157.143.160
=====================================
Abilitylot.com
Aboveingenuity.com
Achievementhalf.com
Advocacycan.com
Advocacyever.com
Advocacyorder.com
Advocacystead.com
Afterteam.com
Allowsong.com
Appreciationmany.com
Appreciationnow.com
Appreciationtire.com
Appreciationwing.com
Arrangepurpose.com
Aspirationprobable.com
Aspirationthough.com
Atomgenerosity.com
Atomthere.com
Ballshape.com
Beatapple.com
Bobava.com
Bookdear.com
Bottomtrain.com
Boughtsail.com
Branchlearn.com
Branchsingle.com
Carryrespect.com
Characterachievement.com
Checksister.com
Columnarrive.com
Columnyellow.com
Compassionhurry.com
Conditionoptimism.com
Conditionprepare.com
Containterm.com
Couragefinger.com
Cutreciprocity.com
Decidewisdom.com
Definitionbefore.com
Definitiongrew.com
Didresponsibility.com
Differsalt.com
Dividebell.com
Dividemain.com
Doorachievement.com
Drywrote.com
Duringseveral.com
Eachparagraph.com
Eightintuition.com
Eitherreflection.com
Elseagain.com
Especiallyknow.com
Eyecompassion.com
Eyeoriginal.com
Famousbird.com
Finalpattern.com
Firstaspiration.com
Forgivenesscount.com
Forgivenessearth.com
Forgivenessregion.com
Fourease.com
Fourstrength.com
Fractionwhich.com
Gardenstring.com
Generosityprocess.com
Gotpose.com
Grayhard.com
Grouprealization.com
Groupwild.com
Guessyour.com
Happinessmight.com
Happinessweather.com
Hardexcite.com
Harmonythere.com
Harmonythis.com
Hasusual.com
Hatwit.com
Herintuition.com
Hotintuition.com
Housecome.com
Houseprosperity.com
Housestraight.com
Independenceknew.com
Independencewhy.com
Ingenuityappear.com
Ingenuityfor.com
Instrumentrespect.com
Integritygentle.com
Intuitionthese.com
Keptlegacy.com
Legacykept.com
Legacymilk.com
Lengtharm.com
Lineprosperity.com
Lovethus.com
Machinejoin.com
Masterenough.com
Meatcount.com
Melodywisdom.com
Metalappreciation.com
Minuteachievement.com
Motivationanimal.com
Motivationexcite.com
Nextwritten.com
Noonability.com
Observeclock.com
Otherdefinition.com
Pageingenuity.com
Paintlegacy.com
Paragraphwisdom.com
Patternstrength.com
Populategroup.com
Postresponsibility.com
Poundstrength.com
Powercourage.com
Progresscompare.com
Progressspoke.com
Properoptimism.com
Purposehear.com
Purposesing.com
Quarttrust.com
Racejoin.com
Rathercow.com
Reachreflection.com
Realizationexcite.com
Reasonhappiness.com
Representdiffer.com
Resolutionmany.com
Respectbring.com
Respecttoward.com
Responsibilitymoney.com
Responsibilityride.com
Richmass.com
Ringreciprocity.com
Rubfight.com
Rubjoin.com
Rubrealization.com
Saverather.com
Seedforgiveness.com
Sendhold.com
Sendoccur.com
Settlecotton.com
Shinechord.com
Signtradition.com
Sisterhappiness.com
Speechresolution.com
Speechwisdom.com
Speedcome.com
Spellindependence.com
Straightweek.com
Strengthfig.com
Strengthmouth.com
Strengthsmell.com
Systemwant.com
Tenlegacy.com
Thoughperiod.com
Throughlength.com
Tonespirituality.com
Townarrive.com
Traditionneighbor.com
Traditionroad.com
Traditionsyllable.com
Traditionweather.com
Triangledefinition.com
Valleystead.com
Varymaterial.com
Varywrote.com
Wallchance.com
Washdefinition.com
Wherescience.com
Whitefavor.com
Witlate.com
Wouldsame.com

Hanaro Telecom in Korea on 118.216.29.89

Courageanimal.com
Determineagain.com
Gathercourage.com
Integritycar.com
Lovepharmsea.com
Loverxmelody.com
Medicalloversagree.com
Newrxroad.com
Optimismmeasure.com
Pharmnewsystem.com
Pharmsitefact.com
Pharmsplaceboy.com
Pharmvip.com
Pillslovefelt.com
Placemedicalheat.com
Placemedpopulate.com
Placepharmscolor.com
Qualitycanadiansearch.com
Qualitymedsroad.com
Qualitypillgirl.com
Responsibilitymatter.com
Toppharmacyhunt.com
Viagra-club-m1.com
Viagra-club-m2.com
Viagra-club-m3.com
Viagra-club-m4.com
Viagra-club-m5.com
Viagra-club-m6.com
Viagra-club-m7.com
Viagra-club-m8.com

Megaplan on 201.65.181.178:

365anniversary.com
Ableweight.com
Accesscanadadrugs.com
Accesscanadapharmacy.com
Accessmedicalonline.com
Accessmedicalsitex.com
Acoxgiftsworld.com
Addcustomersonline.com
Adddoconline.com
Addeasy3inch.com
Addknowmore.com
Addmedirect.com
Addmoread.com
Addmoreplaces.com
Addmoreram.com
Addsitelite.com
Addtravelsite.com
Advanceddiscountpharmacys.com
Advanceedhealth.com
Aedprescription.com
Airpotmap.com
Alcoholdrugdirect.com
Alexandermedicalbeds.com
Allaboutadd.com
Allindiabulkdrugguides.com
Allthedrugsx.com
Allyeardirect.com
Allyearetc.com
Allyearhome.com
Allyearonline.com
Allyearsite.com
Allyeartan.com
Alotonline.com
Altmedjobss.com
Amedicalschool.com
Amedonlinex.com
Americaneddrugstor.com
Americanmedicalclub.com
Americanmedicalconcept.com
Americanmedicaljob.com
Americanmedicalnet.com
Americanpharmacyjobs.com
Americanspharmacyonline.com
Americapharmacyschools.com
Angellmedicalcenter.com
Annumyear.com
Antipsychoticdrugsonline.com
Antipsychoticeddrugsonline.com
Anybodyonlies.com
Anyonebutsite.com
Apharmacysite.com
Apothecarydiscount.com
Apothecarydiscounts.com
Apothecaryguidex.com
Apothecaryprescription.com
Apothecaryschools.com
Apothecarytechnicians.com
Apothecarytechnicianx.com
Arealot.com
Arlenmeded.com
Atlanticcityreal.com
Austinpharmacyschools.com
Australianpharmacyonline.com
Australiapharmacyonline.com
Axismedicalsupply.com
Babygotheat.com
Backlotusa.com
Bankallyear.com
Bankschevorlet.com
Bargaindrugsonline.com
Bargaindrugspharmacy.com
Bargainerdrugsonline.com
Bargainpharmacydirect.com
Bargainpharmacyguide.com
Bargainprescriptiondrug.com
Baysideprop.com
Bayvoteyes.com
Bcfoc.com
Bdecontainer.com
Becamegot.com
Behealthysite.com
Bestaddware.com
Bestanticancerdrugs.com
Bestanticancereddrugs.com
Bestantiviraleddrugs.com
Bestbeachpharmacy.com
Bestbeautyhealthy.com
Bestbigfatx.com
Bestbobesponja.com
Bestbutcanada.com
Bestbutsports.com
Bestbuyondrugsx.com
Bestbuyspharmacys.com
Bestcitygov.com
Bestdepressiondrugs.com
Bestdepressiondrugsx.com
Bestdepressioneddrugs.com
Bestdietpharmacy.com
Bestdirectpharmacys.com
Bestdrugsbargain.com
Bestdrugsbiz.com
Bestdrugscard.com
Bestdrugscards.com
Bestdrugsforme.com
Bestdrugsmart.com
Bestdrugstoday.com
Bestdrugstor.com
Bestedchen.com
Besteddrugaddiction.com
Besteddruglawyer.com
Bestelectrolytedrugs.com
Bestelectrolyteeddrugs.com
Bestglobalpharmacy.com
Bestgoodink.com
Bestgotweb.com
Besthealthywealthy.com
Bestheartdrugs.com
Bestimpotencedrugs.com
Bestinexpensivepharmacys.com
Bestinfertilitydrugs.com
Bestjobspharmacys.com
Bestjobspharmacyx.com
Bestkettle.com
Bestlandvip.com
Bestlifescience.com
Bestlifesystems.com
Bestlikeborscht.com
Bestlikefree.com
Bestlocalpharmacys.com
Bestlottryx.com
Bestmedconss.com
Bestmedconxx.com
Bestmedcoxx.com
Bestmedgroups.com
Bestmedicalconsultants.com
Bestmedicaldirect.com
Bestmedicalgear.com
Bestmedicalmall.com
Bestmedicalrate.com
Bestmedicalts.com
Bestmedmarts.com
Bestmedmartx.com
Bestmedonlines.com
Bestmedonlinex.com
Bestmedpreps.com
Bestmedprepx.com
Bestmedworlds.com
Bestmedworldx.com
Bestnarcoticdrugs.com
Bestofdrug.com
Bestpastapot.com
Bestpetmedxx.com
Bestpetsdrugs.com
Bestpharmacycard.com
Bestpharmacycards.com
Bestpharmacycenters.com
Bestpharmacycenterx.com
Bestpharmacycentrals.com
Bestpharmacydiscountx.com
Bestpharmacydiscountxx.com
Bestpharmacyeuropes.com
Bestpharmacyinfo.com
Bestpharmacyla.com
Bestpharmacylink.com
Bestpharmacynewsletters.com
Bestpharmacynewsletterx.com
Bestpharmacytechnician.com
Bestpharmacywebs.com
Bestpharmacyworld.com
Bestplatinumdrugs.com
Bestpricecanadadrugs.com
Bestpricecanadadrugsx.com
Bestratemedical.com
Bestseniorpharmacy.com
Bestusadental.com
Bestusalending.com
Bestusamtg.com
Bestusarate.com
Bestvaluecanada.com
Bestvaluecanadadrugs.com
Bestvoiceusa.com
Bestwatchsurvey.com
Bestwebpharmacy.com
Bestyukon.com
Betterbuyuk.com
Bettereuro.com
Bettereye.com
Betterrocks.com
Betterset.com
Bfdpasses.com
Bigdaddyblackx.com
Bigfatgaryx.com
Bigfathuge.com
Bigfatnetx.com
Bigfatsportsxx.com
Bigfatstuffx.com
Bigfatwhatx.com
Biggiantheadbandx.com
Biggiantheads.com
Biggiantradiox.com
Bighugeshop.com
Biglotcellx.com
Bigmailonlinex.com
Bigriverlot.com
Bigwayonline.com
Bigwhiteworldx.com
Bigwigvip.com
Bigworlddvdx.com
Bigworldltd.com
Biomeded.com
Biomedgenes.com
Biomedincx.com
Bioparapharma.com
Biopropharmax.com
Bizdiscountdrugs.com
Bluemedtechx.com
Bobhopemovies.com
Bondoddlotx.com
Bonfoc.com
Bookthelot.com
Bostonmeded.com
Bowllightx.com
Bowltry.com
Brazilgovguide.com
Brazilianpharmacyonlinex.com
Brazilpharmacyonlines.com
Brazilpharmacyonlinex.com
Bunchmachine.com
Bunoh.com
Businessmeded.com
Buydrugsdirectat.com
Buyeddrugsdirectat.com
Buyeddrugsonlinehere.com
Buyhomemedical.com
Buywisedrugs.com
Cachecus.com
Californiahealh.com
Californiarealsite.com
Callthepharmacy.com
Canadachristianpharmacys.com
Canadadrugorder.com
Canadadrugsclub.com
Canadadrugsorder.com
Canadiandrugservices.com
Canadiandrugsutah.com
Canadianexpressdrug.com
Canadianfreedomdrugsx.com
Canadianpharmacygateways.com
Canadianpharmacyguidess.com
Canadianpharmacyguidex.com
Canadianpharmacyreviewx.com
Canadianpharmacyshoppers.com
Cancerpharmacyonline.com
Canjoindirect.com
Canwesue.com
Caremedicalsystems.com
Carepharmacyguide.com
Carepharmacyreliefs.com
Carlotpro.com
Carpenterspharmacydirect.com
Casinosload.com
Centerdrugsonline.com
Chaudfoc.com
Chaudrideau.com
Cheapdrugscard.com
Cheapeddrug.com
Cheapedhealth.com
Cheapedmedicinesx.com
Cheapedprescription.com
Cheapestedmedicines.com
Cheapestedmedicinesx.com
Cheapestedmeds.com
Cheapestedmedsx.com
Cheapestpharmacyguides.com
Cheapmeded.com
Cheappharmacyguides.com
Cheappharmacyschools.com
Cheaptoppharmacys.com
Checkyourpharmacy.com
Chedirecto.com
Chetierra.com
Cheyx.com
Chinacitygov.com
Chinamedicinedrug.com
Chinamedworlds.com
Chinamedworldx.com
Cholesteroldrugsonline.com
Choosegenericdrugs.com
Citiesbestgot.com
Citygovonline.com
Citymedicalworld.com
Cityrealstates.com
Clubmedbestprice.com
Clubvipcam.com
Cnfoc.com
Coastclubvip.com
Compoundingcarepharmacy.com
Containertry.com
Cookwarepotx.com
Coolmeproject.com
Cosmolotron.com
Couponslotonlinex.com
Crackfaggot.com
Crankthedrugs.com
Cutoffyourco.com
Cyberpharmacysite.com
Darksidenetwork.com
Designpromeds.com
Designpromedx.com
Determiningmedicalneeds.com
Dietdrugdamage.com
Dietdrugrecalls.com
Dietdrugsclaims.com
Dietdrugshelp.com
Dietdrugsreport.com
Diethealthynow.com
Diethealthysite.com
Dietrobust.com
Dietsdrugonline.com
Diopharma.com
Directwinbig.com
Discountdrugcity.com
Discountdrugsale.com
Discountdrugsaver.com
Discounteddrugsaver.com
Discounteddrugsdepot.com
Discounteddrugsofcanada.com
Discountededdrugsofcanada.com
Discounthivdrugs.com
Discountpharmacycenters.com
Discountpharmacydepots.com
Discountpharmacylink.com
Discountwholesaledrugs.com
Discountwholesaleeddrugs.com
Discreetdrugsonline.com
Disposablepottie.com
Doctorbedshop.com
Doctorbledsoe.com
Doctordesignedsite.com
Doctormedsupply.com
Doctorpharmacymeds.com
Doctorprescribesmeds.com
Dontlikedebt.com
Dotallyear.com
Dotgovdirectory.com
Driverseddrug.com
Drugalternativesonline.com
Drugdiscoverydirect.com
Drugeguide.com
Drugfreecelebrities.com
Drugfreecertificatess.com
Drugfreefitness.com
Druggamesonline.com
Drugpackagingonline.com
Drugsbizonline.com
Drugscriponline.com
Drugsfreeworld.com
Drugsonlineus.com
Drugspharmacybizx.com
Drugstoreschool.com
Drugstoreurope.com
Drugtestmyth.com
Dryeyesdirect.com
Dryeyesinfo.com
Dysfunctionsdrug.com
Dysfunctionsdrugs.com
Earthmedicalls.com
Easycanadaeddrugs.com
Easydiethealthy.com
Easydnssite.com
Easygiftguide.com
Easypetmedication.com
Eathealthystayfit.com
Ecstasythedrugsx.com
Edalcoholdrug.com
Edcanadadrugs.com
Edcanadadrugsx.com
Edcanadiandrug.com
Edcarprescription.com
Edcarsprescription.com
Edchenonline.com
Eddiscountdrugsx.com
Eddrugaddiction.com
Eddrugdirect.com
Eddrugguide.com
Eddrugmart.com
Eddrugsbargainx.com
Eddrugsdirectx.com
Eddrugsworld.com
Eddrugsworldx.com
Edhampills.com
Edipharma.com
Ediscountdrug.com
Edkoopworld.com
Edlawtonhealth.com
Edlonghealth.com
Edmedicinesite.com
Edmedsup.com
Edmedsupx.com
Ednethealth.com
Edonlinedrug.com
Edonlinemedicine.com
Edpillsguide.com
Edprescriptiondrugs.com
Edprescriptiondrugsx.com
Edprescriptionguide.com
Edsdrug.com
Edwarmedicine.com
Edwarmeds.com
Edwarmedsx.com
Edwarsite.com
Eightyearolds.com
Electriclothesx.com
Electriclothingx.com
Elevenyearolds.com
Emailaddchange.com
Emergencymedsite.com
Englandpharmacyonlines.com
Englandpharmacyonlinex.com
Englishdiscountpharmacy.com
Englishoutthere.com
Enormousbigx.com
Enormousgiant.com
Epharmacyprescription.com
Erdrugtest.com
Ethniclothes.com
Eubud.com
Euromedareas.com
Everythingattractive.com
Exche.com
Expresscanadianpharmacy.com
Expressdiscountpharmacy.com
Extendedhealthed.com
Externaloff.com
Eyemedicationonline.com
Ezgamex.com
Facilevoile.com
Faggotonline.com
Familymedicalusa.com
Faroutonlinex.com
Fastprescriptiondrug.com
Fdapharmacyprescriptions.com
Fedgovcenter.com
Fedgovguide.com
Feelgoodair.com
Fenme.com
Fieldmeded.com
Findgoodlife.com
Findprescriptiondrugs.com
Firefitkids.com
Firstannum.com
Firstbigagencyx.com
Firstbigmallx.com
Firstlifeonline.com
Fitandhealthylife.com
Fitlinemed.com
Fityethealthy.com
Flche.com
Floridacomreal.com
Floridarealdirect.com
Floridarealweddings.com
Flusgreat.com
Flushotonline.com
Flyclubmeds.com
Flyclubmedx.com
Flyingfaggot.com
Foced.com
Focenligne.com
Focnouveau.com
Focusalens.com
Focusamenus.com
Focusemc.com
Footcarepharmacy.com
Francediscountpharmacys.com
Freeadddirect.com
Freecomputergift.com
Freedrugspharmacy.com
Freehomelife.com
Freehotdirect.com
Freeonlinepharmacyx.com
Freetrademedical.com
Freetrialjoin.com
Freezonemedical.com
Frenchdiscountpharmacy.com
Frontierpharmacyonline.com
Frontlinepharmacy.com
Frontsideonline.com
Gamespotall.com
Gamespotcentral.com
Gamespotheaven.com
Gamespotservers.com
Gamespotshopper.com
Geekybutnice.com
Genemedicalcenter.com
Genericcarepharmacy.com
Genericdrugsflorida.com
Genericeddrugsflorida.com
Georgescheapeddrugs.com
Getbestmedical.com
Getdrugsdirect.com
Getfittechnology.com
Gethealthyabc.com
Gethealthybusiness.com
Gethealthyfitmall.com
Gethealthyhawaii.com
Gethealthynetwork.com
Gethealthyworld.com
Getmedonlinex.com
Getmedpross.com
Getmedproxx.com
Getseahealthy.com
Giftdepotshop.com
Giftsitestores.com
Giftslikehome.com
Glaucomadrugsonline.com
Gobabygift.com
Gomeded.com
Gonetopotsite.com
Goodlifegift.com
Goodnewsfood.com
Goodtimedvd.com
Goodvaluepharmacyonlines.com
Gotanonline.com
Gotaxiworld.com
Gotdomainsite.com
Gotdotgame.com
Gotenworld.com
Gotgamejob.com
Gotgamenow.com
Gotgameusa.com
Gotgasonline.com
Gotheredirect.com
Gotheretours.com
Gotinterland.com
Gotjobssite.com
Gotkeymail.com
Gotlandsguide.com
Gotmarkonline.com
Gotmoonland.com
Gotmoremail.com
Gotmusicdirect.com
Gotourdirect.com
Gotstockworld.com
Govteamsite.com
Greataddurl.com
Greatamericanpharmacy.com
Greatbeautyyes.com
Greatbigbrother.com
Greatbigmag.com
Greatbritainpharmacy.com
Greatbutthole.com
Greatcanadianpharmacy.com
Greatchinamedical.com
Greatdrugrehabx.com
Greatdrugsguide.com
Greatdysfunctionsdrug.com
Greateddrugscanada.com
Greateddrugscanadax.com
Greatfitplanet.com
Greatgiftsyes.com
Greatgoodcharlotte.com
Greatgothere.com
Greathealthyweight.com
Greatmeddirects.com
Greatmeded.com
Greatmedguides.com
Greatmedicalgroup.com
Greatmedicalschool.com
Greatmedicationpain.com
Greatnorthernpharmacy.com
Greatpharmacyonlinex.com
Greatpharmacyschool.com
Greatpharmacyschools.com
Greatpharmacyschoolx.com
Greatpharmacytech.com
Greatpotland.com
Greatwallmount.com
Greatwhiteeddrugs.com
Greenmedtechs.com
Greenmedtechx.com
Groupmachinesx.com
Groupron.com
Growingpotonline.com
Guipromeds.com
Halflifesite.com
Happyable.com
Harrypottie.com
Healcareguide.com
Healinsurancesite.com
Healmen.com
Healta.com
Healthpromeds.com
Healthpromedx.com
Healthyable.com
Healthycareworld.com
Healthychefguide.com
Healthyfitandrich.com
Healthyfitbars.com
Healthyfitbodies.com
Healthyfityoungstore.com
Healthyhomecafe.com
Healthyhomenews.com
Healthyhomestar.com
Healthyhomeway.com
Healthyhomezone.com
Healthykidshow.com
Healthykidsinc.com
Healthylifebook.com
Healthylifecorp.com
Healthyproductguide.com
Healthyproductsite.com
Healthystartsite.com
Healthystudentbody.com
Healthytandirect.com
Healthythirdworld.com
Healthywaterwell.com
Healthyworldmarket.com
Healthyworldmarketplace.com
Healthyworldmed.com
Healthyworldmedical.com
Healum.com
Heartdiseasedrugsonline.com
Heartdiseaseeddrugsonline.com
Hearthealthydoc.com
Herbalhealthydiet.com
Hitallyear.com
Homelifesite.com
Homemedicaldesign.com
Homemedicaltechnology.com
Homesyearround.com
Honeypotvideo.com
Hostrackdnsx.com
Hotcybersite.com
Hotdotworld.com
Hotlotonline.com
Hotohstore.com
Hotspotcommunity.com
Hotspotsnet.com
Hottoysite.com
Hundredsofdrugs.com
Hundredsofdrugsx.com
Hypertensiondrugsonline.com
Ibayside.com
Ihealthychoice.com
Ihealthysite.com
Ilikesite.com
Impotencesdrug.com
Impotencesdrugs.com
Impotencesdrugsx.com
Improvea.com
Improveh.com
Improveinfo.com
Improvelifestyles.com
Improvemom.com
Indiagiftsite.com
Indiamedicalcenter.com
Indianpottry.com
Ineedsomepills.com
Ineedsomepillsx.com
Inexpensiveeddrugsonline.com
Iniceprice.com
Injoinonline.com
Integradedmedicine.com
Intermednets.com
Intermednetx.com
Ipotunity.com
Irauk.com
Irelandpharmacyonlines.com
Irelandpharmacyonlinex.com
Irishdiscountpharmacy.com
Irishlocalgov.com
Ispoh.com
Israelpharmacyonlines.com
Israelpharmacyonlinex.com
Italypharmacyonlinex.com
Itsgoodsite.com
Ivche.com
Ivegotdirect.com
Ivegotheart.com
Ivegothomework.com
Iwantthebestdrugs.com
Iwantthebestdrugsx.com
Jimbobhog.com
Jobfitworld.com
Joblotworldx.com
Joinkidsclub.com
Jointhejoint.com
Joinwebguide.com
Jovoh.com
Joycekitche.com
Justaddbaby.com
Justaddlinux.com
Justaddnet.com
Justaddsales.com
Justaddwap.com
Justaddwax.com
Justgotup.com
Justlikehuman.com
Justlikemum.com
Justlikeproducts.com
Justsmeh.com
Kettlelight.com
Keyallyear.com
Kidsgotherex.com
Kitcheetc.com
Leadingmedication.com
Leadingpharmacyguide.com
Leemedtechs.com
Leemedtechx.com
Lifecarevisa.com
Liferepairguide.com
Likablenice.com
Likehomecare.com
Likenewcarsdirect.com
Likenewhomesonline.com
Likeyourselfguide.com
Lineapothecary.com
Linepharmacyguides.com
Linepharmacyguidex.com
Livemedworlds.com
Loanyesyes.com
Localdiscountpharmacy.com
Localdrugsofcanada.com
Lohproject.com
Lotapronsite.com
Lotcarx.com
Lotlizardonline.com
Lotronusax.com
Lotsixonlinex.com
Lottoriesonlinex.com
Makethenice.com
Malotgroupsells.com
Manlifeworld.com
Manmedcares.com
Marcdiscountdrugs.com
Marcdiscounteddrugs.com
Marijuanacarepharmacy.com
Masmedicinaalternativa.com
Matewg.com
Mcfoc.com
Medbestlay.com
Medbizbest.com
Medcanseeds.com
Medcarecard.com
Medcentertoped.com
Meddirectlinks.com
Meddotprox.com
Meddriversed.com
Meddysfunctions.com
Mededcar.com
Mededcast.com
Mededcore.com
Mededslide.com
Mededstat.com
Mededsupplies.com
Mededsynergy.com
Medengdirects.com
Medengdirectx.com
Medfirstcorp.com
Medfirstvalet.com
Medfirstwellness.com
Medhighested.com
Mediajobfit.com
Medicalcenterblvd.com
Medicalcityonline.com
Medicaldirectusa.com
Medicalglovesonline.com
Medicalgroupdigest.com
Medicalhealthbeauty.com
Medicalhealthconsulting.com
Medicalhealthwatch.com
Medicalknowledgesite.com
Medicalmastersite.com
Medicalmegasite.com
Medicalneedsdirect.com
Medicalneedsnetwork.com
Medicalshareonline.com
Medicalsurgicaldealers.com
Medicationside.com
Medicinadirecto.com
Medicinasitio.com
Medicinatm.com
Medicinesmedication.com
Medimpotences.com
Mediredsummaries.com
Medlabtechs.com
Medlawfirst.com
Medmedsoc.com
Medmeeds.com
Medneds.com
Medonlinetechs.com
Medpaed.com
Medpitstop.com
Medprogear.com
Medproindias.com
Medproindiax.com
Medprojob.com
Medprotopsite.com
Medredworldss.com
Medredworldxx.com
Medsitepluss.com
Medsourcedrug.com
Medsourcedrugs.com
Medsourcedrugsx.com
Medsourceprox.com
Medspatoponline.com
Medspitstop.com
Medstepguides.com
Medstepguidex.com
Medstyleonlines.com
Medstyleonlinex.com
Medtopdysfunctions.com
Medtopeddirect.com
Medtopedguide.com
Medtopedworld.com
Medtopimpotences.com
Medtradeonlines.com
Medtradeonlinex.com
Medusedsystems.com
Medwaydirect.com
Medwayradios.com
Medwayradiox.com
Medwayshops.com
Medwayshopx.com
Medwisemeds.com
Medworldindias.com
Medworldindiax.com
Medworldnets.com
Medworldnetx.com
Meend.com
Megamestore.com
Meltingcontainer.com
Meltingpotsingles.com
Merckdrugguide.com
Mexicopharmacyguide.com
Miamipharmacyschools.com
Miamipharmacystore.com
Millenniumyearsite.com
Misude.com
Mobilepharmacyschool.com
Mobilepharmacyschoolss.com
Mofoc.com
Mrfoc.com
Mshotspot.com
Musicjoinnow.com
Mypharmacydirectx.com
Mysmeh.com
Napharmax.com
Napsterlikesite.com
Nationalpharmacytech.com
Nationoh.com
Naturalhealh.com
Naturesbestpharmacy.com
Naturesdietdrug.com
Nedsmedsx.com
Needsomepills.com
Nefoc.com
Netdrugsdirect.com
Netmedicalschool.com
Newemailadd.com
Newlifegifts.com
Newmedicalonline.com
Newmedsolutionpills.com
Newmedsolutionpillsx.com
Newpharmacyschool.com
Nextbestyear.com
Nicecarsgroup.com
Nicecarssite.com
Nicechatonline.com
Nicedaygift.com
Nicedayuk.com
Nicegoodday.com
Niceguycam.com
Nicejobonline.com
Nicepricedesign.com
Nightexpose.com
Nipponprescriptiondrug.com
Northsidepharmacyonlines.com
Norwaypharmacyonline.com
Nowrealtime.com
Nymeltingpot.com
Oddlotonline.com
Ofbigbearxx.com
Ohiopharmacyschools.com
Onecarepharmacyx.com
Oneyearsite.com
Onlinebargaindrugs.com
Onlinedrugsnorth.com
Onlineherbalpharmacy.com
Onlinemedicalcenters.com
Onlinepharmacyclub.com
Onlinepharmacydot.com
Onlyvipsite.com
Onthenetdrugs.com
Opencorpusa.com
Openeddrugstor.com
Opiumthedrugsx.com
Orderingprescriptiondrug.com
Organizeyourdrugsx.com
Osteoporosisdrugsonline.com
Ourbayside.com
Ourmeded.com
Ourmedicsites.com
Outcallflorida.com
Overthenetdrugs.com
Oxnut.com
Palmgamespot.com
Parkingbunch.com
Parteffect.com
Passpotworld.com
Paylessdrugsonline.com
Pdqlothes.com
Peripherybeach.com
Peterspharmacyonline.com
Petlifeworld.com
Petmedmart.com
Petmednycs.com
Petsvipclub.com
Pharmacyaffiliatesdirect.com
Pharmacydepotonlinex.com
Pharmacydirectinc.com
Pharmacydirectsydney.com
Pharmacydrugdiscountss.com
Pharmacyguideonline.com
Pharmacyjobstoday.com
Pharmacymedicationguides.com
Pharmacynetonline.com
Pharmacy-online-39.com
Pharmacyrxdirect.com
Pharmacysavingsonline.com
Pharmacyskateboardstore.com
Pharmacytechniciantimess.com
Philippinepharmacyonline.com
Pills-and-drugs.com
Placelikeonline.com
Planetachedirecto.com
Planterroast.com
Platinumdrugonline.com
Plazadiscountpharmacys.com
Pocketpottie.com
Popularprescriptiondrug.com
Portugalpharmacyonline.com
Potalworld.com
Potandcontainer.com
Potbuyersguide.com
Potfaceworld.com
Potimportsonline.com
Potlandweed.com
Potpourmore.com
Potroasthost.com
Potroastrentals.com
Potseedsonline.com
Potshoponline.com
Pottiecam.com
Pottiepackage.com
Pottieparty.com
Pottryban.com
Pottrybar.com
Powermedtechs.com
Prednisone-medicine-group.com
Premierfoc.com
Premierpharmacyonline.com
Prescriptionanddrug.com
Prescriptiondrugagent.com
Prescriptiondrugamerica.com
Prescriptiondrugcenter.com
Prescriptiondrugchoice.com
Prescriptiondrugcom.com
Prescriptiondrugdepot.com
Prescriptiondrugfraud.com
Prescriptiondruggroups.com
Prescriptiondruglinks.com
Prescriptiondrugregister.com
Prescriptiondrugremedies.com
Prescriptiondrugreport.com
Prescriptiondrugreview.com
Prescriptiondrugtimes.com
Prescriptiondruguk.com
Prescriptiondrugus.com
Prescriptiondruguses.com
Priceyourdrugs.com
Probusmeds.com
Progamemeds.com
Progamemedx.com
Prolifecoach.com
Promedaids.com
Promedasias.com
Promedasiax.com
Promeddvds.com
Promeddvdx.com
Promeded.com
Promedicalerts.com
Promedinfo.com
Promedrecords.com
Promedrentx.com
Propharmaventures.com
Pukhome.com
Puknation.com
Pukwizard.com
Qualityprescriptiondrug.com
Quickgiftworlds.com
Razasude.com
Realcanadiandrugs.com
Realdrugstor.com
Reallylikable.com
Realmedsitexx.com
Realniceautos.com
Realnicehome.com
Realnicehouse.com
Realnicephotos.com
Realtyrealtime.com
Realworldcases.com
Realworldoffice.com
Redhotman.com
Redhotplay.com
Redhotrave.com
Redsideguide.com
Rehapromedss.com
Reliantmeded.com
Renopharmacyschool.com
Rideautory.com
Ridgetoppharmacy.com
Ringotworld.com
Robusthealthy.com
Robustwell.com
Roundtheyear.com
Royalcanadiandrug.com
Ruraltechcorp.com
Rxpharmacyguide.com
Rxpharmacyworld.com
Sameasbig.com
Sanespharma.com
Seekpotlight.com
Sellbestgifts.com
Sellsideonline.com
Shesgot.com
Shopniceguy.com
Shoppersdrugworld.com
Sidejobdirect.com
Silverslotmachine.com
Since365.com
Sirmedicalsupply.com
Sizzlingsultry.com
Skymedicenters.com
Smartdrugsofcanada.com
Smartmedicalcenter.com
Smehhome.com
Smellssameas.com
Soundcoffee.com
Southsidearts.com
Southsidehelp.com
Spainpharmacyonline.com
Spanishdiscountpharmacy.com
Sportinggooddirect.com
Sportsfaggot.com
Sportsmedresourcex.com
Sqlouterjoin.com
Stanpropharma.com
Starhomemedical.com
Starlikeonline.com
Starmedsitess.com
Starmedsitexx.com
Stategovsites.com
Stocklotcityx.com
Stocklotshop.com
Storeprescriptions.com
Storetechnician.com
Sudemodelhane.com
Sultryair.com
Superaddmore.com
Superbiomed.com
Superbutoden.com
Superchempharmacy.com
Superdrugabusex.com
Superdrugoptical.com
Superdrugrehab.com
Superdrugsonline.com
Supereddrugtreatment.com
Supergoten.com
Superhealthyhome.com
Superhotpages.com
Superlothes.com
Supermeddirects.com
Supermeded.com
Supermedguides.com
Supermedicalcenter.com
Supermedicalgroupx.com
Supermedicalkid.com
Supermedicationlist.com
Supermedicenters.com
Supermedjobs.com
Supermedsupplyxx.com
Supermedworlds.com
Supernetmeds.com
Superpharmacyjobsx.com
Superpharmacyprescription.com
Superpharmacyschool.com
Superpharmacyschoolx.com
Superpharmacytechnician.com
Superpharmacytechnicianx.com
Superpharmacyworlds.com
Superpotball.com
Superpotlotto.com
Superrealtekx.com
Superritedrugs.com
Supersavedrugs.com
Supersavingspharmacy.com
Supersmeh.com
Supersurgical.com
Surfallyear.com
Surfthedrugs.com
Talentgift.com
Tampapharmacyschools.com
Tandemmedicalsupplies.com
Techbaycorp.com
Texaspharmacyjobs.com
Texasrealsite.com
Texasrealwedding.com
Theaddbook.com
Theasiapharmacys.com
Theautumnyear.com
Thebanneryear.com
Thebargainpharmacyx.com
Thebeerflowslikewater.com
Thebestdrugssite.com
Thebestyes.com
Thebetterpharmacyx.com
Thebigalertx.com
Thebigsounds.com
Thebigspasx.com
Thebitterside.com
Thecardlot.com
Thecheapmedx.com
Thecolorbob.com
Thecommunitypharmacy.com
Thedetailspot.com
Thednsprojectx.com
Thedraftyear.com
Thedragonyear.com
Thedrugbusinesss.com
Thedrugden.com
Thedrugonline.com
Thedrugsout.com
Thedrugsoutx.com
Thedrugstop.com
Thedrugsxoutlet.com
Theeclipseside.com
Theeddrug.com
Theeddrugs.com
Theedham.com
Theedonline.com
Theexpotsite.com
Thefatside.com
Thefitdiet.com
Thefitplan.com
Thegoodbite.com
Thegoodherbs.com
Thegoodsalt.com
Thegotboy.com
Thegotdirectory.com
Thegotgroup.com
Thegotideas.com
Thegotland.com
Thegotlandgroup.com
Thegotour.com
Thegovalley.com
Thegovservices.com
Thegreekmed.com
Thegreenpot.com
Theholisticpharmacy.com
Thehotland.com
Thehotrate.com
Theinternationalpharmacys.com
Theirishpharmacy.com
Thejewishpharmacy.com
Theleadingdrug.com
Thelikewho.com
Thelothouse.com
Thelotinfox.com
Thelotkingx.com
Thelotmusicx.com
Themedicalimagex.com
Themedicalmalpractice.com
Themedicalnet.com
Themedicalreference.com
Themillennialyear.com
Themosaicpot.com
Thenicefit.com
Thenicevice.com
Theolderyear.com
Theoutdesk.com
Theoutworlds.com
Thepalmsmed.com
Thepeepot.com
Theperfectpharmacy.com
Thepharmacyclub.com
Thepharmacyjobs.com
Thepharmacykey.com
Thepharmacyline.com
Thepharmacylot.com
Thepharmacymusics.com
Thepharmacytech.com
Thepharmacyworld.com
Thepharmacyzone.com
Thepicturemedics.com
Thepotplant.com
Thepottie.com
Thepotvote.com
Therapidpharmacy.com
Therealmeds.com
Therealpatchwork.com
Therealperformance.com
Therealrally.com
Therealside.com
Therightmed.com
Theshoplot.com
Thesitepot.com
Thesmartpot.com
Thesportsmed.com
Thestonepot.com
Thesweetyear.com
Thethinkpot.com
Thetreelot.com
Thetrophyyear.com
Thevillagesdrugs.com
Thevintageyear.com
Thevipbar.com
Thevipbox.com
Thewantedadd.com
Thewashpot.com
Thewebing.com
Theweburbs.com
Thewellmeds.com
Thewellmedx.com
Thewinmeds.com
Theworldpharmacyguides.com
Theyearanniversary.com
Theyeardot.com
Theyeargroup.com
Theyearround.com
Todosmedicina.com
Topallyear.com
Topapothecary.com
Topedsite.com
Topharmacyguide.com
Toppharmacyworld.com
Toprichvip.com
Totaldrugstor.com
Totaleddrugstor.com
Trucklotonlinex.com
Tvdiscountdrugs.com
Tvlikeadsonline.com
Twinscarepharmacy.com
Twsme.com
Ukdrugsdirect.com
Uklotterry.com
Ukprescriptiondrug.com
Ulcereddrugsonline.com
Ultimatepharmacyguidex.com
Uniteddiscountpharmacy.com
Uniteddrugspharmacy.com
Unitedmedtechs.com
Urbanfaggot.com
Urgentcarepharmacy.com
Usadrugclub.com
Usdrugclub.com
Vailsportsmed.com
Verygoodbar.com
Verygoodlee.com
Veryniceart.com
Verynicebook.com
Verynicefamily.com
Verynicenet.com
Vipboxonline.com
Vipskyclub.com
Vipsupersite.com
Vipworldmarketplace.com
Vipworldnet.com
Virtualbiomeds.com
Virtualdrugsstore.com
Virtualpuk.com
Virtualsmeh.com
Vivadietdrugs.com
Voileken.com
Votrecache.com
Walgreensdrugsstore.com
Walgreenseddrugsstore.com
Walgreenspharmacyonline.com
Wantaddworld.com
Wayoutdirect.com
Webmedicalworld.com
Websfurnituremedic.com
Wecananswer.com
Wecanbank.com
Wecandwell.com
Wedealworld.com
Weersite.com
Weirdbutnice.com
Wellnessclinical.com
Wemedsmedsx.com
Wepaysite.com
Werateonline.com
Westcarepharmacy.com
Wewesite.com
Wewillrisex.com
Whitelinepharmacy.com
Whogotguide.com
Wholeyearonline.com
Wildslotmachines.com
Winbighostingx.com
Winbigredx.com
Wisegiftworld.com
Worldhotworld.com
Worldmedicalworld.com
Worldpharmacyworld.com
Worldpotguide.com
Worldpottry.com
Wwwbestpharmacy.com
Wwwdrugguide.com
Wwwhomepharmacydirects.com
Wwwlivehealthy.com
Wwwmedbeds.com
Wwwmedneeds.com
Wwwpharmacydirectx.com
Wwwpharmacyschools.com
Xmedicalpharmacyx.com
Xsuperpharmacyschool.com
Xvzzbvznhz.com
Yearbargain.com
Yearlyrics.com
Yearroundcpa.com
Yearroundfilms.com
Yearroundfootball.com
Yearroundhit.com
Yearroundhousing.com
Yearroundyards.com
Yearworld.com
Yescarparts.com
Yesworldwatch.com
Yougotsitex.com
Youraddlife.com
Youraddspace.com
Yourbetterh.com
Yourbowl.com
Yourcornerpharmacy.com
Yourdrugist.com
Yourdrugrehab.com
Yourdrugsdelivered.com
Yourdrugsrx.com
Yourdrugstor.com
Youreddrug.com
Youreddrugsdelivered.com
Youreddrugsrx.com
Youremailadd.com
Yourfaggot.com
Yourgoodintentions.com
Yourgotmail.com
Yourguidetodrugs.com
Yourguidetodrugsx.com
Yourhealthydays.com
Yourhealthyhost.com
Yourhealthyonline.com
Yourhealthytime.com
Yourhealthyvision.com
Yourimpotencesdrug.com
Yourkettle.com
Yourlikebig.com
Yourmedbookx.com
Yourmedicalbill.com
Yourmedicalprox.com
Yourmedicationpharmacy.com
Yourmedlinks.com
Yourmedlinkx.com
Yourmedtoped.com
Yourmexicanpharmacy.com
Yourmindoneddrugs.com
Yourmobilemedication.com
Yournameyear.com
Yourpcpharmacy.com
Yourpharmacycentrals.com
Yourpharmacydepot.com
Yourpharmacyschool.com
Yourpharmacytechnician.com
Yourrealtekx.com
Yourrecoveryed.com
Yoursameas.com
Yourseniorvip.com
Yourstarlife.com
Yourxbigdigx.com
Youvegotbooks.com
Youvegotdeals.com
Youvegotdna.com
Youvegotstars.com
Youvegotwork.com
Youvehas.com


CNC Group on 58.20.154.162:

Ableunit.com
Advocacymine.com
Agotradition.com
Airadvocacy.com
Angerthousand.com
Answerwild.com
Appearbegin.com
Appearprocess.com
Appearsteam.com
Appreciationanswer.com
Appreciationgrow.com
Appreciationrange.com
Batlong.com
Bedweather.com
Bellstood.com
Birdmass.com
Bodytall.com
Bothreflection.com
Branchtradition.com
Broughtfarm.com
Busyexpect.com
Buttheir.com
Catchice.com
Catchvary.com
Cellprogress.com
Centeraspiration.com
Characterfood.com
Chordstood.com
Claimcat.com
Climbsuccess.com
Comedefinition.com
Completeblack.com
Continentnumber.com
Cornerrespect.com
Costbread.com
Courageable.com
Couragesmell.com
Coursehear.com
Crossdefinition.com
Crowdkept.com
Crowdresponsibility.com
Dancefew.com
Dependcolor.com
Describecoat.com
Describeend.com
Describesong.com
Determineisland.com
Dictionaryfell.com
Differgreen.com
Dollarrealization.com
Donemorning.com
Doorusual.com
Downyet.com
Easefight.com
Eitherresponsibility.com
Entercharacter.com
Exactgot.com
Figtogether.com
Fillcompassion.com
Findcent.com
Firstnoun.com
Fiveround.com
Footmeat.com
Forgivenessform.com
Forgivenessrest.com
Forgivenesswave.com
Foundallow.com
Generalexample.com
Generalhard.com
Generosityopposite.com
Generositystream.com
Gentlegather.com
Grewat.com
Grewhuman.com
Handdefinition.com
Happinessbroad.com
Happinessduring.com
Happinesssolve.com
Harmonyespecially.com
Harmonyold.com
Hatreflection.com
Heavyright.com
Highoptimism.com
Hillcount.com
Hundredhas.com
Includedivision.com
Includeend.com
Industryvery.com
Ingenuityespecially.com
Instanttire.com
Integritydictionary.com
Integritymountain.com
Ironcourage.com
Lateedge.com
Laughwant.com
Leadnoun.com
Ledfour.com
Legduring.com
Legforgiveness.com
Lengthplease.com
Listlarge.com
Locatewhite.com
Louddiscuss.com
Loveindicate.com
Massrespect.com
Meanpiece.com
Middleprosperity.com
Mileingenuity.com
Milksymbol.com
Mostwent.com
Motionany.com
Muchcharacter.com
Muchpoem.com
Namemotivation.com
Nearcold.com
Nearforgiveness.com
Neighboragree.com
Notewash.com
Occurbottom.com
Ofbetter.com
Officeobject.com
Oldarrive.com
Overdecide.com
Ownresolution.com
Paintcall.com
Pairsure.com
Patternplural.com
Phrasetwo.com
Planhappen.com
Pleasefarm.com
Posehole.com
Positionrequire.com
Pressclock.com
Prosperitybat.com
Prosperityoffice.com
Provelegacy.com
Purposeking.com
Purposesharp.com
Quickleast.com
Railprotect.com
Realizationcover.com
Realizationshall.com
Reciprocitystep.com
Reciprocityweather.com
Replymotivation.com
Respectyear.com
Responsibilityuse.com
Rootappreciation.com
Ropecatch.com
Roundadvocacy.com
Saltcatch.com
Scaleis.com
Scorewit.com
Seathough.com
Seemanger.com
Separateand.com
Settlewould.com
Severallaugh.com
Shapelittle.com
Shapetall.com
Shapethem.com
Sheetmethod.com
Shipsurprise.com
Shorehunt.com
Sincecut.com
Smileopposite.com
Solveneighbor.com
Soonchildren.com
Soresult.com
Specialprosperity.com
Spendfrom.com
Spiritualityfather.com
Spiritualityspeak.com
Spiritualitystep.com
Spreadsuggest.com
Standchance.com
Storyhundred.com
Streamyellow.com
Strengthdictionary.com
Studyrespect.com
Sugarsail.com
Supplyhand.com
Surfacethe.com
Syllablegenerosity.com
Systemyet.com
Takeheld.com
Teachan.com
Thatcommon.com
Theircolor.com
Theirprogress.com
Thesereflection.com
Thirdearly.com
Thosebar.com
Threeoriginal.com
Thusforgiveness.com
Towardfree.com
Traditionmotion.com
Trustgrand.com
Trustmajor.com
Trustreceive.com
Underreflection.com
Userealization.com
Valueverb.com
Voiceold.com
Watchpurpose.com
Waydivide.com
Weekdistant.com
Westwrote.com
Womanabove.com
Womenweather.com
Wrongbread.com
Yardresponsibility.com
Yesbed.com
Younggone.com

ChinaNet on 218.64.218.4:

Borecometin.com
Calitureleit.com
Canadapharmstore.info
Caredilfs.com
Cigarokurok.info


The Planet on 74.53.96.178:

Agenciamb.com
Alvoradaexport.com
Bancariosrioclaro.org
Bocadamatafm.org
Comprapublica.net
Comunidaderochaeterna.com
Cursopalavraescrita.com
Extreme-rssr.com
Fabriciogoncalves.com
Jumpbrazil.com
Marcoscora.com
Radioecologia.com
Redemasterderadio.com
Zabbixbrasil.org