pidgindownload.com - spyware?
Mark Doliner
mark at kingant.net
Wed Jul 22 18:31:36 EDT 2009
I'd also like to point out that when you access pidgindownload.com,
some files are loaded from zangocash.com. The whois for zangocash.com
shows that it is affiliated with zango.com. And the wikipedia entry
for zango.com suggests that they have distributed software with
undesirable behavior in the past.
-Mark
On Wed, Jul 22, 2009 at 3:12 PM, Jason Straw<jason.straw at gmail.com> wrote:
> Panama it is.
>
> whois for the IP block containing pidgindownload.com below.
>
> Jason
>
> Mark Doliner wrote:
>> I believe in June we requested that the ISP hosting this site turn it
>> off. I believe they did so, but then the pidgindownload.com people
>> moved to a different ISP (possibly one outside the US?) Maybe Kevin
>> can clarify this statement?
>>
>> I sent them an email on July 1st and said, "We ask that you avoid
>> using our trademarks in a way that looks as if pidgindownload.com is
>> the official website of the Pidgin IM client." I haven't gotten any
>> response.
>>
>> Next steps?
>>
>> -Mark
>>
>> On Wed, Jul 22, 2009 at 3:01 PM, ChO₂<chemistrydioxide at quantentunnel.de> wrote:
>>> Hello everybody,
>>>
>>> Someone has put a web site on the internet that looks very similar to
>>> pidgin.im, but is actually different. This web site offers a file for
>>> download that it claims to be Pidgin 2.5.8 for Windows.
>>>
>>> I've downloaded Pidgin for Windows from the questionable web site and
>>> from pidgin.im:
>>>
>>> Original file:
>>> md5: e1f46848473cf69236b8a7020b7e5bd7
>>> size: 14323030 bytes
>>> Questionable version:
>>> md5: fc87e991b2484c4eac968e17a41b0d6d
>>> size: 14275882
>>>
>>> I already suggested that pidgindownload.com could be shipping something
>>> different than Pidgin or a version of Pidgin that is infected with
>>> spyware or a virus, but after googleing for the md5 hash, it seems that
>>> it's just Pidgin 2.5.4 which is offered there:
>>> http://www.google.de/search?q=fc87e991b2484c4eac968e17a41b0d6d&ie=UTF-8&oe=UTF-8
>>>
>>> However, I still think that the person who is running that site is up to
>>> doing something nasty because
>>> - the website is imitating pidgin.im and mirroring parts of it.
>>> - pidgindownload.com is hiding its whois information which is uncommon
>>> for reputable web sites when most websites in the same zone have
>>> extensive whois data.
>>>
>>> I am afraid that many people happen to end up on that site because it is
>>> the third Google result for "pidgin download":
>>> http://www.google.de/search?q=pidgin+download&ie=UTF-8&oe=UTF-8
>>>
>>>
>>> Greetings from a country that doesn't know patriotism
>>> ChO2
>>>
>>>
>>> PS: This is from #pidgin, today:
>>>
>>> (2009-07-22 21:35:27) thomas001: thank google for it
>>> (2009-07-22 21:35:48) dan: i did google, and i actually ended up at
>>> pidgindownload.com which appears to be spyware
>>> (2009-07-22 21:36:26) thomas001: "pidgin windows download" gave good
>>> results
>>> (2009-07-22 21:37:45) dan: someone might want to take a look at the
>>> pidgindownload.com site since it seems to be a near copy of the real web
>>> site, but links to s 300k exe file from some ad company
>>> (2009-07-22 21:39:40) thomas001: wow,this is bad
>>> (2009-07-22 21:39:58) Cobalt: I got a 13.7MB exe.
>>> (2009-07-22 21:41:29) thomas001:
>>> http://preview.licenseacquisition.org/48/1056168924.86392/pidgin.exe
>>> thie link is somewhat odd
>>> (2009-07-22 21:42:20) Cobalt: That it is, also the name of the file,
>>> although it appears to be the right size... But that can easily be
>>> messed with.
>>> (2009-07-22 21:42:48) Cobalt: Also, there's nothing there except the
>>> Windows version, apparently.
>>> (2009-07-22 21:44:10) Cobalt:
>>> http://www.whois.net/whois/pidgindownload.com
>>> (2009-07-22 21:45:13) Cobalt: Creepy?
>>>
>>> [...]
>>>
>>> (2009-07-22 22:33:45) chemistrydioxide: pidgindownlaod.com is somehow
>>> mirroring part of pidgin.im
>>>
>>> [...]
>>>
>>> (2009-07-22 22:44:01) chemistrydioxide: i just downloaded pidgin 2.5.8
>>> from pidgindownload.com. it's actually different from the official
>>> version. it's slightly smaller
>>>
>>> [...]
>>>
>>> (2009-07-22 22:44:39) chemistrydioxide: i'm afraid that someone is
>>> actually doing something nasty here
>>> (2009-07-22 22:44:49) darkrain42: chemistrydioxide: ?
>>> (2009-07-22 22:45:06) darkrain42: oh, sorry. saw the context. lastlog
>>> was in the way.
>>> (2009-07-22 22:45:10) ***darkrain42 grumbles
>>> (2009-07-22 22:45:18) darkrain42: chemistrydioxide: Mention it in d at cpi,
>>> please
>>> (2009-07-22 22:45:23) elb: chemistrydioxide: that's not good
>>> (2009-07-22 22:45:57) chemistrydioxide: darkrain42: k.
>>> (2009-07-22 22:46:06) chemistrydioxide: i'll do it immediately
>>>
>
> 18:11:04 jstraw at shipon:~ 2$ whois 91.184.49.215
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: This output has been filtered.
> % To receive output for a database update, use the "-B" flag.
>
> % Information related to '91.184.48.0 - 91.184.55.191'
>
> inetnum: 91.184.48.0 - 91.184.55.191
> netname: VCN-20061001
> descr: VCN Corp. / kolido.net
> country: NL
> admin-c: VCN-RIPE
> tech-c: VCN-RIPE
> status: Assigned PA
> mnt-by: MNT-VCN
> mnt-routes: OCOM-MNT
> source: RIPE # Filtered
>
> person: Oliver Ellermeier
> remarks: +-----------------------------------------------------------
> remarks: | Abuse Contact: abuse at kolido.net in case of Attacks,
> |
> remarks: | Illegal Activity, Violation, Scans, Spam etc.
> |
> remarks: | Please see VCN-RIPE for contacts in case of
> |
> remarks: | operational/technical issues.
> |
> remarks: +-----------------------------------------------------------
> address: VCN Corp.
> address: Ramon Arias Avenue Maheli Building
> address: Office 12-E
> address: Panama City
> address: Republic of Panama
> phone: +49 (180) 3471133111
> fax-no: +49 (180) 3684399484
> abuse-mailbox: abuse at kolido.net
> mnt-by: MNT-VCN
> nic-hdl: VCN-RIPE
> source: RIPE # Filtered
>
> % Information related to '91.184.48.0/20AS16265'
>
> route: 91.184.48.0/20
> descr: kolido
> origin: AS16265
> remarks: kolido
> mnt-by: MNT-VCN
> mnt-by: OCOM-MNT
> source: RIPE # Filtered
>
>
>
More information about the Devel
mailing list