pidgindownload.com - spyware?
Jason Straw
jason.straw at gmail.com
Wed Jul 22 18:12:29 EDT 2009
Panama it is.
whois for the IP block containing pidgindownload.com below.
Jason
Mark Doliner wrote:
> I believe in June we requested that the ISP hosting this site turn it
> off. I believe they did so, but then the pidgindownload.com people
> moved to a different ISP (possibly one outside the US?) Maybe Kevin
> can clarify this statement?
>
> I sent them an email on July 1st and said, "We ask that you avoid
> using our trademarks in a way that looks as if pidgindownload.com is
> the official website of the Pidgin IM client." I haven't gotten any
> response.
>
> Next steps?
>
> -Mark
>
> On Wed, Jul 22, 2009 at 3:01 PM, ChO₂<chemistrydioxide at quantentunnel.de> wrote:
>> Hello everybody,
>>
>> Someone has put a web site on the internet that looks very similar to
>> pidgin.im, but is actually different. This web site offers a file for
>> download that it claims to be Pidgin 2.5.8 for Windows.
>>
>> I've downloaded Pidgin for Windows from the questionable web site and
>> from pidgin.im:
>>
>> Original file:
>> md5: e1f46848473cf69236b8a7020b7e5bd7
>> size: 14323030 bytes
>> Questionable version:
>> md5: fc87e991b2484c4eac968e17a41b0d6d
>> size: 14275882
>>
>> I already suggested that pidgindownload.com could be shipping something
>> different than Pidgin or a version of Pidgin that is infected with
>> spyware or a virus, but after googleing for the md5 hash, it seems that
>> it's just Pidgin 2.5.4 which is offered there:
>> http://www.google.de/search?q=fc87e991b2484c4eac968e17a41b0d6d&ie=UTF-8&oe=UTF-8
>>
>> However, I still think that the person who is running that site is up to
>> doing something nasty because
>> - the website is imitating pidgin.im and mirroring parts of it.
>> - pidgindownload.com is hiding its whois information which is uncommon
>> for reputable web sites when most websites in the same zone have
>> extensive whois data.
>>
>> I am afraid that many people happen to end up on that site because it is
>> the third Google result for "pidgin download":
>> http://www.google.de/search?q=pidgin+download&ie=UTF-8&oe=UTF-8
>>
>>
>> Greetings from a country that doesn't know patriotism
>> ChO2
>>
>>
>> PS: This is from #pidgin, today:
>>
>> (2009-07-22 21:35:27) thomas001: thank google for it
>> (2009-07-22 21:35:48) dan: i did google, and i actually ended up at
>> pidgindownload.com which appears to be spyware
>> (2009-07-22 21:36:26) thomas001: "pidgin windows download" gave good
>> results
>> (2009-07-22 21:37:45) dan: someone might want to take a look at the
>> pidgindownload.com site since it seems to be a near copy of the real web
>> site, but links to s 300k exe file from some ad company
>> (2009-07-22 21:39:40) thomas001: wow,this is bad
>> (2009-07-22 21:39:58) Cobalt: I got a 13.7MB exe.
>> (2009-07-22 21:41:29) thomas001:
>> http://preview.licenseacquisition.org/48/1056168924.86392/pidgin.exe
>> thie link is somewhat odd
>> (2009-07-22 21:42:20) Cobalt: That it is, also the name of the file,
>> although it appears to be the right size... But that can easily be
>> messed with.
>> (2009-07-22 21:42:48) Cobalt: Also, there's nothing there except the
>> Windows version, apparently.
>> (2009-07-22 21:44:10) Cobalt:
>> http://www.whois.net/whois/pidgindownload.com
>> (2009-07-22 21:45:13) Cobalt: Creepy?
>>
>> [...]
>>
>> (2009-07-22 22:33:45) chemistrydioxide: pidgindownlaod.com is somehow
>> mirroring part of pidgin.im
>>
>> [...]
>>
>> (2009-07-22 22:44:01) chemistrydioxide: i just downloaded pidgin 2.5.8
>> from pidgindownload.com. it's actually different from the official
>> version. it's slightly smaller
>>
>> [...]
>>
>> (2009-07-22 22:44:39) chemistrydioxide: i'm afraid that someone is
>> actually doing something nasty here
>> (2009-07-22 22:44:49) darkrain42: chemistrydioxide: ?
>> (2009-07-22 22:45:06) darkrain42: oh, sorry. saw the context. lastlog
>> was in the way.
>> (2009-07-22 22:45:10) ***darkrain42 grumbles
>> (2009-07-22 22:45:18) darkrain42: chemistrydioxide: Mention it in d at cpi,
>> please
>> (2009-07-22 22:45:23) elb: chemistrydioxide: that's not good
>> (2009-07-22 22:45:57) chemistrydioxide: darkrain42: k.
>> (2009-07-22 22:46:06) chemistrydioxide: i'll do it immediately
>>
18:11:04 jstraw at shipon:~ 2$ whois 91.184.49.215
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '91.184.48.0 - 91.184.55.191'
inetnum: 91.184.48.0 - 91.184.55.191
netname: VCN-20061001
descr: VCN Corp. / kolido.net
country: NL
admin-c: VCN-RIPE
tech-c: VCN-RIPE
status: Assigned PA
mnt-by: MNT-VCN
mnt-routes: OCOM-MNT
source: RIPE # Filtered
person: Oliver Ellermeier
remarks: +-----------------------------------------------------------
remarks: | Abuse Contact: abuse at kolido.net in case of Attacks,
|
remarks: | Illegal Activity, Violation, Scans, Spam etc.
|
remarks: | Please see VCN-RIPE for contacts in case of
|
remarks: | operational/technical issues.
|
remarks: +-----------------------------------------------------------
address: VCN Corp.
address: Ramon Arias Avenue Maheli Building
address: Office 12-E
address: Panama City
address: Republic of Panama
phone: +49 (180) 3471133111
fax-no: +49 (180) 3684399484
abuse-mailbox: abuse at kolido.net
mnt-by: MNT-VCN
nic-hdl: VCN-RIPE
source: RIPE # Filtered
% Information related to '91.184.48.0/20AS16265'
route: 91.184.48.0/20
descr: kolido
origin: AS16265
remarks: kolido
mnt-by: MNT-VCN
mnt-by: OCOM-MNT
source: RIPE # Filtered
More information about the Devel
mailing list