pidgindownload.com - spyware?

Jason Straw jason.straw at gmail.com
Wed Jul 22 18:12:29 EDT 2009


Panama it is.

whois for the IP block containing pidgindownload.com below.

Jason

Mark Doliner wrote:
> I believe in June we requested that the ISP hosting this site turn it
> off.  I believe they did so, but then the pidgindownload.com people
> moved to a different ISP (possibly one outside the US?)  Maybe Kevin
> can clarify this statement?
> 
> I sent them an email on July 1st and said, "We ask that you avoid
> using our trademarks in a way that looks as if pidgindownload.com is
> the official website of the Pidgin IM client."  I haven't gotten any
> response.
> 
> Next steps?
> 
> -Mark
> 
> On Wed, Jul 22, 2009 at 3:01 PM, ChO₂<chemistrydioxide at quantentunnel.de> wrote:
>> Hello everybody,
>>
>> Someone has put a web site on the internet that looks very similar to
>> pidgin.im, but is actually different. This web site offers a file for
>> download that it claims to be Pidgin 2.5.8 for Windows.
>>
>> I've downloaded Pidgin for Windows from the questionable web site and
>> from pidgin.im:
>>
>> Original file:
>>    md5: e1f46848473cf69236b8a7020b7e5bd7
>>    size: 14323030 bytes
>> Questionable version:
>>    md5: fc87e991b2484c4eac968e17a41b0d6d
>>    size: 14275882
>>
>> I already suggested that pidgindownload.com could be shipping something
>> different than Pidgin or a version of Pidgin that is infected with
>> spyware or a virus, but after googling for the md5 hash, it seems that
>> it's just Pidgin 2.5.4 which is offered there:
>> http://www.google.de/search?q=fc87e991b2484c4eac968e17a41b0d6d&ie=UTF-8&oe=UTF-8
>>
>> However, I still think that the person who is running that site is up to
>> doing something nasty because
>> - the website is imitating pidgin.im and mirroring parts of it.
>> - pidgindownload.com is hiding its whois information which is uncommon
>> for reputable web sites when most websites in the same zone have
>> extensive whois data.
>>
>> I am afraid that many people happen to end up on that site because it is
>> the third Google result for "pidgin download":
>> http://www.google.de/search?q=pidgin+download&ie=UTF-8&oe=UTF-8
>>
>>
>> Greetings from a country that doesn't know patriotism
>> ChO2
>>
>>
>> PS: This is from #pidgin, today:
>>
>> (2009-07-22 21:35:27) thomas001: thank google for it
>> (2009-07-22 21:35:48) dan: i did google, and i actually ended up at
>> pidgindownload.com which appears to be spyware
>> (2009-07-22 21:36:26) thomas001: "pidgin windows download" gave good
>> results
>> (2009-07-22 21:37:45) dan: someone might want to take a look at the
>> pidgindownload.com site since it seems to be a near copy of the real web
>> site, but links to a 300k exe file from some ad company
>> (2009-07-22 21:39:40) thomas001: wow,this is bad
>> (2009-07-22 21:39:58) Cobalt: I got a 13.7MB exe.
>> (2009-07-22 21:41:29) thomas001:
>> http://preview.licenseacquisition.org/48/1056168924.86392/pidgin.exe
>> this link is somewhat odd
>> (2009-07-22 21:42:20) Cobalt: That it is, also the name of the file,
>> although it appears to be the right size... But that can easily be
>> messed with.
>> (2009-07-22 21:42:48) Cobalt: Also, there's nothing there except the
>> Windows version, apparently.
>> (2009-07-22 21:44:10) Cobalt:
>> http://www.whois.net/whois/pidgindownload.com
>> (2009-07-22 21:45:13) Cobalt: Creepy?
>>
>> [...]
>>
>> (2009-07-22 22:33:45) chemistrydioxide: pidgindownload.com is somehow
>> mirroring part of pidgin.im
>>
>> [...]
>>
>> (2009-07-22 22:44:01) chemistrydioxide: i just downloaded pidgin 2.5.8
>> from pidgindownload.com. it's actually different from the official
>> version. it's slightly smaller
>>
>> [...]
>>
>> (2009-07-22 22:44:39) chemistrydioxide: i'm afraid that someone is
>> actually doing something nasty here
>> (2009-07-22 22:44:49) darkrain42: chemistrydioxide: ?
>> (2009-07-22 22:45:06) darkrain42: oh, sorry. saw the context. lastlog
>> was in the way.
>> (2009-07-22 22:45:10) ***darkrain42 grumbles
>> (2009-07-22 22:45:18) darkrain42: chemistrydioxide: Mention it in d at cpi,
>> please
>> (2009-07-22 22:45:23) elb: chemistrydioxide: that's not good
>> (2009-07-22 22:45:57) chemistrydioxide: darkrain42: k.
>> (2009-07-22 22:46:06) chemistrydioxide: i'll do it immediately
>>

18:11:04 jstraw at shipon:~ 2$ whois 91.184.49.215
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '91.184.48.0 - 91.184.55.191'

inetnum:        91.184.48.0 - 91.184.55.191
netname:        VCN-20061001
descr:          VCN Corp. / kolido.net
country:        NL
admin-c:        VCN-RIPE
tech-c:         VCN-RIPE
status:         Assigned PA
mnt-by:         MNT-VCN
mnt-routes:     OCOM-MNT
source:         RIPE # Filtered

person:         Oliver Ellermeier
remarks:        +-----------------------------------------------------------
remarks:        | Abuse Contact: abuse at kolido.net in case of Attacks,    |
remarks:        | Illegal Activity, Violation, Scans, Spam etc.             |
remarks:        | Please see VCN-RIPE for contacts in case of               |
remarks:        | operational/technical issues.                             |
remarks:        +-----------------------------------------------------------
address:        VCN Corp.
address:        Ramon Arias Avenue Maheli Building
address:        Office 12-E
address:        Panama City
address:        Republic of Panama
phone:          +49 (180) 3471133111
fax-no:         +49 (180) 3684399484
abuse-mailbox:  abuse at kolido.net
mnt-by:         MNT-VCN
nic-hdl:        VCN-RIPE
source:         RIPE # Filtered

% Information related to '91.184.48.0/20AS16265'

route:          91.184.48.0/20
descr:          kolido
origin:         AS16265
remarks:        kolido
mnt-by:         MNT-VCN
mnt-by:         OCOM-MNT
source:         RIPE # Filtered
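
Added example, not part of the original message: a small parser for RPSL whois output like the above, which pulls out the fields an abuse report needs (abuse mailbox, origin AS, and the country of the inetnum block that actually covers the IP). The function names parse_rpsl and summarize are hypothetical, and the sample input is constructed from the objects quoted above.

```python
import ipaddress
from collections import defaultdict
# Constructed sample based on the RPSL objects quoted above; the wrapped
# remarks line is kept to exercise continuation handling.
SAMPLE = """\
inetnum:        91.184.48.0 - 91.184.55.191
country:        NL

person:         Oliver Ellermeier
remarks:        | Abuse Contact: abuse at kolido.net in case of Attacks,
    |
address:        Republic of Panama
abuse-mailbox:  abuse at kolido.net

route:          91.184.48.0/20
origin:         AS16265
"""

def parse_rpsl(text):
    """Split whois output into objects: attribute name -> list of values."""
    objects, current, last = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):  # blank/comment ends object
            current = last = None
            continue
        if line[0] in " \t+" and last:                # RPSL continuation line
            current[last][-1] += " " + line[1:].strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:                                   # not an attribute line
            continue
        if current is None:
            current = defaultdict(list)
            objects.append(current)
        last = key.strip().lower()
        current[last].append(value.strip())
    return objects

def summarize(objects, ip):
    """Collect what an abuse report for `ip` needs from the parsed objects."""
    addr = ipaddress.ip_address(ip)
    out = {"abuse": [], "origin": [], "country": []}
    for obj in objects:
        out["abuse"] += obj.get("abuse-mailbox", [])
        out["origin"] += obj.get("origin", [])
        for rng in obj.get("inetnum", []):
            lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
            if lo <= addr <= hi:          # only use the block that covers ip
                out["country"] += obj.get("country", [])
    return out
```

Note that the registered country of the block (NL) and the contact's postal address (Panama) are separate attributes on separate objects, so a report should quote both rather than infer one from the other.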




