
TOKYO (MacHouse) – We reported more than 14 hours ago that we had found a suspicious website linked to the notorious malware site malware-scan.com (MalwareAlarm). This suspicious website is located at autopressweb.com. (See Screenshot 01.) In fact, autopressweb.com has at least two cousins: webmovies-a.com and websoft-b.com. All three spam websites try to force the visitor to download a piece of software against their will. (See Screenshots 02-03.) Moreover, the installation file used to be labeled install_player_3913056.exe; it is now labeled VideoAccessCodeInstall.exe. Renaming the file costs the operators nothing and defeats any check that relies on the file name, so don't treat the name as an identifier. This Windows-based software is likely to install malware that one cannot easily remove.
Screenshot 01 – Source: autopressweb.com
Screenshot 02 – Source: webmovies-a.com
Screenshot 03 – Source: websoft-b.com
Earlier, we wanted to find out where the website of autopressweb.com is hosted. A simple lookup on this domain with Apple's Network Utility shows that the nameservers are ns5.public-ns.com and ns6.public-ns.com. (See Screenshot 04.) But we couldn't really find out who owns these nameservers. Furthermore, a traceroute to autopressweb.com ends at the IP address 88.208.0.131. (See Screenshot 05.) Who is authorized to use this IP address, then? RIPE says the address block is assigned to Haldex, Ltd., with the country recorded as NL, the Netherlands. (See Screenshot 06.) Keep in mind that a RIPE inetnum record tells you who the address block is assigned to, not who operates the server at that address; a reseller's customer or a compromised machine can sit in a block that is registered to someone else entirely. We also used Visualware's VisualRoute to trace the route to autopressweb.com. But as you probably know, VisualRoute won't give you more information on a particular domain beyond what Network Utility can do; it too traces autopressweb.com back to Haldex, Ltd. (See Screenshot 07.)
Screenshot 04
Screenshot 05
Screenshot 06
What else can we do to find the host of autopressweb.com? In this particular case, there is a simple solution: request a directory that doesn't exist. Sometimes the resulting error page gives away the hosting provider or the control panel installed at the host. With Apache the reason is the ServerSignature setting: when it is on, the default error pages end with a footer of the form "Apache/... Server at <ServerName> Port 80", and on shared hosts the ServerName is frequently the provider's own domain rather than the customer's. It is only a hint, since the value is whatever the administrator configured. And when I accessed autopressweb.com/wp-admin/, I got an Apache error message which shows the name of a web hosting company called advancedhosters.com. (See Screenshot 08.) It's a Russian web hosting company. Likewise, the hosting company of websoft-b.com appears to be iswebsoft.com.
Screenshot 07
Screenshot 08
Screenshot 09
The website of autopressweb.com is managed by a criminal organization, so you can find many odd things about it. For example, if you hover the mouse over the title ('Internet') of the WordPress blog at autopressweb.com (as opposed to the malware page at autopressweb.com/view.html), the link target is autotakt.cz/blog/. (See Screenshot 09.) So why does the title point there? Is this content stolen from autotakt.cz/blog? First of all, no such directory currently exists at autotakt.cz. (See Screenshot 10.) Secondly, if you check the source code of autopressweb.com, there is Google ad code in it, and the client ID is pub-6201316390595694. (See Screenshot 11.) If you check the source code of autotakt.cz, the Google client ID is pub-2789566063450594. (See Screenshot 12.) So they aren't the same: if the blog was copied from autotakt.cz, the ad account was not copied with it. The ad unit on autopressweb.com renders as a large blank space in the body of the blog, which suggests that Google is not serving ads for that client ID on that domain.
Screenshot 10 – Source: autotakt.cz
Screenshot 11 – Source: autopressweb.com
Screenshot 12 – Source: autotakt.cz
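The three source-level checks used above (the ServerSignature footer on an Apache error page, the AdSense client ID in the page source, and where the blog title links) are easy to automate. The following is an added example, not code from MacHouse; the HTML fragments are constructed stand-ins for the pages, carrying only the two client IDs, the title link and the hosting name quoted in this post, and the Apache version string in the 404 page is made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for page source (not captures of the real sites). Only the
# AdSense client IDs, the title link and the hosting name come from the post above;
# everything else, including the Apache version string, is made up for the example.
AUTOPRESSWEB_HTML = """<html><head><title>Internet</title></head><body>
<h1><a href="http://autotakt.cz/blog/">Internet</a></h1>
<script type="text/javascript"><!--
google_ad_client = "pub-6201316390595694";
google_ad_width = 728;
google_ad_height = 90;
//--></script>
<p>blog body</p></body></html>"""

AUTOTAKT_HTML = """<html><head><title>autotakt</title></head><body>
<h1><a href="http://autotakt.cz/">autotakt</a></h1>
<script type="text/javascript"><!--
google_ad_client = "pub-2789566063450594";
//--></script></body></html>"""

NOT_FOUND_HTML = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /wp-admin/ was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at advancedhosters.com Port 80</address>
</body></html>"""

# AdSense client IDs are "pub-" followed by 16 digits; the old ad code assigns them
# to google_ad_client, newer code puts them in a data-ad-client attribute.
ADSENSE_RE = re.compile(
    r'(?:google_ad_client\s*=\s*|data-ad-client=)["\'](pub-\d{16})["\']')

# Footer Apache appends to its default error pages when ServerSignature is On.
SIGNATURE_RE = re.compile(
    r'<address>\s*(?P<server>.+?)\s+Server at\s+(?P<host>[^\s<]+)\s+Port\s+(?P<port>\d+)\s*</address>',
    re.I | re.S)


def adsense_ids(html):
    """Return the distinct AdSense publisher IDs found in a page's source."""
    return sorted(set(ADSENSE_RE.findall(html)))


def shares_publisher(html_a, html_b):
    """True if both pages carry at least one common AdSense publisher ID."""
    return bool(set(adsense_ids(html_a)) & set(adsense_ids(html_b)))


def apache_signature(html):
    """Parse the 'Server at <ServerName> Port <n>' footer, or None if absent.
    The value is whatever the administrator configured, so treat it as a hint."""
    m = SIGNATURE_RE.search(html)
    if not m:
        return None
    return {"server": m.group("server"), "host": m.group("host"),
            "port": int(m.group("port"))}


class _HeadingLinks(HTMLParser):
    """Collect hrefs of anchors nested inside <h1>/<h2>, where blog titles live."""

    def __init__(self):
        super().__init__()
        self._depth = 0
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("h1", "h2"):
            self._depth += 1
        elif tag == "a" and self._depth:
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag in ("h1", "h2") and self._depth:
            self._depth -= 1


def offsite_heading_links(html, own_host):
    """Heading links that point at a host other than the page's own."""
    parser = _HeadingLinks()
    parser.feed(html)
    out = []
    for href in parser.links:
        host = urlparse(href).hostname
        if host and host != own_host and not host.endswith("." + own_host):
            out.append(href)
    return out


if __name__ == "__main__":
    print(adsense_ids(AUTOPRESSWEB_HTML), adsense_ids(AUTOTAKT_HTML))
    print("same publisher:", shares_publisher(AUTOPRESSWEB_HTML, AUTOTAKT_HTML))
    print(apache_signature(NOT_FOUND_HTML))
    print(offsite_heading_links(AUTOPRESSWEB_HTML, "autopressweb.com"))
```

Run against saved copies of the two pages' source and the 404 page, the script reproduces the post's findings: different publisher IDs, a title that links off-site to autotakt.cz, and a ServerSignature naming advancedhosters.com. A matching publisher ID across two unrelated domains is the stronger signal in the other direction, since it ties both sites to one AdSense account.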
There are other odd aspects of this blog. Right below the empty ad space, there are several comments, laid out as if they were Google ads. Moreover, if you scroll down to the bottom, there are more indications that point this blog to autotakt.cz/blog/. (See Screenshot 13.) But why?
Finally, let's look up autopressweb.com's WHOIS registration. (See Screenshot 14.) The domain was registered on July 15, 2007. In fact, that's about the time when visitors started to arrive at autopressweb.com, according to Alexa's Traffic Details. (See Screenshot 16.) In contrast, the blog's posts date back to at least October 2006, months before the domain existed, so the content was either imported from elsewhere or backdated. (A domain that expired and was re-registered would also show a recent creation date, so this alone is not conclusive.) And if you look at the name of the registrant and his or her contact e-mail address, you can tell that it's a fake registration: the e-mail domain, jertoper.com, doesn't exist. (See Screenshot 15.)
Screenshot 13 – Source: autopressweb.com
Screenshot 14 – Source: whois.net
Screenshot 15 – Source: completewhois.com
In summary, there is no question that the website of autopressweb.com is managed by a criminal organization. Criminals don't have addresses, so it's no surprise that the domain registration is fake. It is also possible that the current website of autopressweb.com is the result of a compromise: cyber criminals often break into and take over legitimate websites. There are many as yet unexplained indications that this spam website is linked to autotakt.cz.

Screenshot 16 – Source: alexa.com

As of February 2008, autopressweb.com is gone. It has been replaced by autopressonline.com, and the malware redirection domains which formerly pointed to autopressweb.com now point to autopressonline.com. The content of autopressonline.com is identical to the content formerly at autopressweb.com, and the malicious software that is downloaded from autopressonline.com is likewise identical.
Autopressonline.com is hosted in the same IP block that used to host autopressweb.com:
Parsing input: http://autopressonline.com/
Host autopressonline.com (checking ip) = 88.208.0.131
whois 88.208.0.131@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '88.208.0.0 - 88.208.7.255'
inetnum: 88.208.0.0 - 88.208.7.255
netname: HALDEX-NET
descr: Haldex Ltd.
country: NL
admin-c: KA306-RIPE
tech-c: KA306-RIPE
status: ASSIGNED PA
mnt-by: HALDEX-MNT
mnt-lower: HALDEX-MNT
mnt-routes: HALDEX-MNT
source: RIPE # Filtered
person: Khonda Alexey
address: 8, Copthall, P.O. Box 2342,
address: Roseau, 00152, Commonwealth of Dominica
phone: +38 063 188 2888
nic-hdl: KA306-RIPE
mnt-by: HALDEX-MNT
source: RIPE # Filtered
The whois for autopressonline.com, however, is different.
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: AUTOPRESSONLINE.COM
Registrant:
Chistykov
Vladimir Chistykov (lortab@nm.ru)
p. Stolbovay-2, dom. 117, kv. 50
Chehov
Moskovskay obl.,142350
RU
Tel. +905.7975073
Creation Date: 14-Jul-2007
Expiration Date: 14-Jul-2008
Domain servers in listed order:
ns6.public-ns.com
ns5.public-ns.com
Thanks for the information. I don’t think we are directly responsible for the disappearance of autopressweb.com. I don’t remember if we have done anything to get rid of it. But it’s good to know that one spam domain is gone.
As for autopressonline.com, there is little we can do to get rid of it. In the meantime, those nameservers suggest that Pilosoft, Inc. (pilosoft.com) or nLayer Communications, Inc. (nlayer.com) may have some information on this spam domain. It’s possibly Pilosoft that hosts the website of autopressonline.com.
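The comment above and the earlier traceroute both land in the Haldex Ltd. inetnum, and the record itself is worth reading past the country line. Below is an added example (mine, not MacHouse's or the commenter's) that parses that RIPE record in its RPSL form and compares the three jurisdictions it implies: the country attribute (NL), the admin contact's postal address (Commonwealth of Dominica) and the contact phone number's country code (+380 is Ukraine). The record text is re-typed from the comment with the blank lines between objects restored; the two lookup tables cover only the codes needed here and are an assumption of the example, not complete ISO or ITU tables.

```python
import ipaddress
import re

# The RIPE record quoted in the comment above, re-typed as a constructed sample
# (object separators restored, server comments shortened). Not a live query.
RIPE_WHOIS = """\
% This is the RIPE Whois query server #1.
% Note: This output has been filtered.

inetnum:        88.208.0.0 - 88.208.7.255
netname:        HALDEX-NET
descr:          Haldex Ltd.
country:        NL
admin-c:        KA306-RIPE
tech-c:         KA306-RIPE
status:         ASSIGNED PA
mnt-by:         HALDEX-MNT
mnt-lower:      HALDEX-MNT
mnt-routes:     HALDEX-MNT
source:         RIPE # Filtered

person:         Khonda Alexey
address:        8, Copthall, P.O. Box 2342,
address:        Roseau, 00152, Commonwealth of Dominica
phone:          +38 063 188 2888
nic-hdl:        KA306-RIPE
mnt-by:         HALDEX-MNT
source:         RIPE # Filtered
"""

# Deliberately tiny tables covering only the jurisdictions in this record
# (an assumption of the example; a real tool would use full ISO/ITU tables).
COUNTRY_NAME_TO_ISO = {"netherlands": "NL", "the netherlands": "NL",
                       "commonwealth of dominica": "DM", "dominica": "DM"}
PHONE_PREFIX_TO_ISO = {"380": "UA", "1767": "DM", "31": "NL"}


def parse_rpsl(text):
    """Split RPSL whois output into objects: a list of {attribute: [values]}.
    Objects are separated by blank lines; '%' lines are server comments; lines
    starting with whitespace or '+' continue the previous attribute; a trailing
    ' # ...' remark such as '# Filtered' is dropped from the value."""
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key:
            current[last_key][-1] += " " + line.lstrip(" \t+")
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().split(" #", 1)[0].strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def ip_in_range(ip, inetnum):
    """True if ip lies in an inetnum range written 'lo - hi'. An en dash is
    tolerated because copy-pasted records (as on this page) often carry one."""
    lo, hi = (ipaddress.ip_address(p) for p in re.split(r"\s*[-\u2013]\s*", inetnum.strip()))
    return lo <= ipaddress.ip_address(ip) <= hi


def phone_country(phone):
    """Map an international number to an ISO code via the (partial) prefix table."""
    digits = re.sub(r"\D", "", phone)
    for prefix in sorted(PHONE_PREFIX_TO_ISO, key=len, reverse=True):
        if digits.startswith(prefix):
            return PHONE_PREFIX_TO_ISO[prefix]
    return None


def assignment_report(whois_text, ip):
    """Find the inetnum covering ip, resolve its admin contact, and compare the
    jurisdictions implied by the country attribute, the contact's last address
    line and the contact's phone number. Returns None if no inetnum covers ip."""
    objects = parse_rpsl(whois_text)
    inet = next((o for o in objects if "inetnum" in o and ip_in_range(ip, o["inetnum"][0])), None)
    if inet is None:
        return None
    handle = inet["admin-c"][0]
    contact = next(o for o in objects if o.get("nic-hdl", [None])[0] == handle)
    address_country = contact["address"][-1].split(",")[-1].strip().lower()
    report = {
        "netname": inet["netname"][0],
        "registered_country": inet["country"][0],
        "contact": contact["person"][0],
        "address_country": COUNTRY_NAME_TO_ISO.get(address_country),
        "phone_country": phone_country(contact["phone"][0]),
    }
    seen = {c for c in (report["registered_country"], report["address_country"],
                        report["phone_country"]) if c}
    report["jurisdictions_disagree"] = len(seen) > 1
    return report


if __name__ == "__main__":
    for key, value in assignment_report(RIPE_WHOIS, "88.208.0.131").items():
        print(f"{key}: {value}")
```

For this record the report comes back with NL, DM and UA side by side and the disagreement flag set. That is not proof of anything on its own, but it is exactly the kind of inconsistency that warrants a closer look at a hosting block, and it is invisible if you only read the country line.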