pidgindownload.com - spyware?

Ankit Singla anksingla at gmail.com
Wed Jul 22 18:42:35 EDT 2009


On Wed, Jul 22, 2009 at 3:31 PM, Mark Doliner <mark at kingant.net> wrote:

> I'd also like to point out that when you access pidgindownload.com,
> some files are loaded from zangocash.com.  The whois for zangocash.com
> shows that it is affiliated with zango.com.  And the wikipedia entry
> for zango.com suggests that they have distributed software with
> undesirable behavior in the past.
>
> -Mark
>
> On Wed, Jul 22, 2009 at 3:12 PM, Jason Straw<jason.straw at gmail.com> wrote:
> > Panama it is.
> >
> > whois for the IP block containing pidgindownload.com below.
> >
> > Jason
> >
> > Mark Doliner wrote:
> >> I believe in June we requested that the ISP hosting this site turn it
> >> off.  I believe they did so, but then the pidgindownload.com people
> >> moved to a different ISP (possibly one outside the US?)  Maybe Kevin
> >> can clarify this statement?
> >>
> >> I sent them an email on July 1st and said, "We ask that you avoid
> >> using our trademarks in a way that looks as if pidgindownload.com is
> >> the official website of the Pidgin IM client."  I haven't gotten any
> >> response.
> >>
> >> Next steps?
> >>
> >> -Mark
> >>
> >> On Wed, Jul 22, 2009 at 3:01 PM, ChO₂<chemistrydioxide at quantentunnel.de> wrote:
> >>> Hello everybody,
> >>>
> >>> Someone has put a web site on the internet that looks very similar to
> >>> pidgin.im, but is actually different. This web site offers a file for
> >>> download that it claims to be Pidgin 2.5.8 for Windows.
> >>>
> >>> I've downloaded Pidgin for Windows from the questionable web site and
> >>> from pidgin.im:
> >>>
> >>> Original file:
> >>>    md5: e1f46848473cf69236b8a7020b7e5bd7
> >>>    size: 14323030 bytes
> >>> Questionable version:
> >>>    md5: fc87e991b2484c4eac968e17a41b0d6d
> >>>    size: 14275882
> >>>
> >>> I already suggested that pidgindownload.com could be shipping something
> >>> different than Pidgin or a version of Pidgin that is infected with
> >>> spyware or a virus, but after googling for the md5 hash, it seems that
> >>> it's just Pidgin 2.5.4 which is offered there:
> >>>
> http://www.google.de/search?q=fc87e991b2484c4eac968e17a41b0d6d&ie=UTF-8&oe=UTF-8
> >>>
> >>> However, I still think that the person who is running that site is up to
> >>> doing something nasty because
> >>> - the website is imitating pidgin.im and mirroring parts of it.
> >>> - pidgindownload.com is hiding its whois information which is uncommon
> >>> for reputable web sites when most websites in the same zone have
> >>> extensive whois data.
> >>>
> >>> I am afraid that many people happen to end up on that site because it is
> >>> the third Google result for "pidgin download":
> >>> http://www.google.de/search?q=pidgin+download&ie=UTF-8&oe=UTF-8
> >>>
> >>>
> >>> Greetings from a country that doesn't know patriotism
> >>> ChO2
> >>>
> >>>
> >>> PS: This is from #pidgin, today:
> >>>
> >>> (2009-07-22 21:35:27) thomas001: thank google for it
> >>> (2009-07-22 21:35:48) dan: i did google, and i actually ended up at
> >>> pidgindownload.com which appears to be spyware
> >>> (2009-07-22 21:36:26) thomas001: "pidgin windows download" gave good
> >>> results
> >>> (2009-07-22 21:37:45) dan: someone might want to take a look at the
> >>> pidgindownload.com site since it seems to be a near copy of the real web
> >>> site, but links to a 300k exe file from some ad company
> >>> (2009-07-22 21:39:40) thomas001: wow,this is bad
> >>> (2009-07-22 21:39:58) Cobalt: I got a 13.7MB exe.
> >>> (2009-07-22 21:41:29) thomas001:
> >>> http://preview.licenseacquisition.org/48/1056168924.86392/pidgin.exe
> >>> this link is somewhat odd
> >>> (2009-07-22 21:42:20) Cobalt: That it is, also the name of the file,
> >>> although it appears to be the right size... But that can easily be
> >>> messed with.
> >>> (2009-07-22 21:42:48) Cobalt: Also, there's nothing there except the
> >>> Windows version, apparently.
> >>> (2009-07-22 21:44:10) Cobalt:
> >>> http://www.whois.net/whois/pidgindownload.com
> >>> (2009-07-22 21:45:13) Cobalt: Creepy?
> >>>
> >>> [...]
> >>>
> >>> (2009-07-22 22:33:45) chemistrydioxide: pidgindownload.com is somehow
> >>> mirroring part of pidgin.im
> >>>
> >>> [...]
> >>>
> >>> (2009-07-22 22:44:01) chemistrydioxide: i just downloaded pidgin 2.5.8
> >>> from pidgindownload.com. it's actually different from the official
> >>> version. it's slightly smaller
> >>>
> >>> [...]
> >>>
> >>> (2009-07-22 22:44:39) chemistrydioxide: i'm afraid that someone is
> >>> actually doing something nasty here
> >>> (2009-07-22 22:44:49) darkrain42: chemistrydioxide: ?
> >>> (2009-07-22 22:45:06) darkrain42: oh, sorry. saw the context. lastlog
> >>> was in the way.
> >>> (2009-07-22 22:45:10) ***darkrain42 grumbles
> >>> (2009-07-22 22:45:18) darkrain42: chemistrydioxide: Mention it in d at cpi,
> >>> please
> >>> (2009-07-22 22:45:23) elb: chemistrydioxide: that's not good
> >>> (2009-07-22 22:45:57) chemistrydioxide: darkrain42: k.
> >>> (2009-07-22 22:46:06) chemistrydioxide: i'll do it immediately
> >>>
> >
> > 18:11:04 jstraw at shipon:~ 2$ whois 91.184.49.215
> > % This is the RIPE Database query service.
> > % The objects are in RPSL format.
> > %
> > % The RIPE Database is subject to Terms and Conditions.
> > % See http://www.ripe.net/db/support/db-terms-conditions.pdf
> >
> > % Note: This output has been filtered.
> > %       To receive output for a database update, use the "-B" flag.
> >
> > % Information related to '91.184.48.0 - 91.184.55.191'
> >
> > inetnum:        91.184.48.0 - 91.184.55.191
> > netname:        VCN-20061001
> > descr:          VCN Corp. / kolido.net
> > country:        NL
> > admin-c:        VCN-RIPE
> > tech-c:         VCN-RIPE
> > status:         Assigned PA
> > mnt-by:         MNT-VCN
> > mnt-routes:     OCOM-MNT
> > source:         RIPE # Filtered
> >
> > person:         Oliver Ellermeier
> > remarks:        +-----------------------------------------------------------
> > remarks:        | Abuse Contact: abuse at kolido.net in case of Attacks,    |
> > remarks:        | Illegal Activity, Violation, Scans, Spam etc.            |
> > remarks:        | Please see VCN-RIPE for contacts in case of              |
> > remarks:        | operational/technical issues.                            |
> > remarks:        +-----------------------------------------------------------
> > address:        VCN Corp.
> > address:        Ramon Arias Avenue Maheli Building
> > address:        Office 12-E
> > address:        Panama City
> > address:        Republic of Panama
> > phone:          +49 (180) 3471133111
> > fax-no:         +49 (180) 3684399484
> > abuse-mailbox:  abuse at kolido.net
> > mnt-by:         MNT-VCN
> > nic-hdl:        VCN-RIPE
> > source:         RIPE # Filtered
> >
> > % Information related to '91.184.48.0/20AS16265'
> >
> > route:          91.184.48.0/20
> > descr:          kolido
> > origin:         AS16265
> > remarks:        kolido
> > mnt-by:         MNT-VCN
> > mnt-by:         OCOM-MNT
> > source:         RIPE # Filtered
> >
> >
> >
>

It looks like there is also a fake site at www.downloadpidgin.com. This
one's not up to date, though. I didn't look very much into that site, but
http://whois.domaintools.com/ told me that downloadpidgin.com is from IL and
pidgindownload.com is from the Netherlands.

Ankit
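The check ChO2 did by hand above (hash the download, compare size and md5 with
the official file, then look the hash up to find out which release it really is)
can be automated against a manifest of known-good release hashes. The following
is an added example for this thread, not code from the Pidgin project or from
anyone in the discussion: the two "release" byte strings in SAMPLE_RELEASES are
constructed stand-ins, not real installer contents, and the manifest is built
from them so the script runs offline. It also records SHA-256 alongside MD5,
since a site that controls what it serves can cheaply produce an MD5 collision,
and it reports a size-only match as weak evidence rather than as a match, which
is the caveat Cobalt raises in the IRC log.

```python
import hashlib

# Constructed stand-ins for two official installer builds. They are NOT real
# Pidgin bytes; they exist only so the manifest and the checks below can run
# offline. In practice the manifest would hold the sizes and hashes published
# by the project for each release.
SAMPLE_RELEASES = {
    "2.5.4": b"pidgin-2.5.4-win32-installer" + bytes(range(256)) * 3,
    "2.5.8": b"pidgin-2.5.8-win32-installer" + bytes(range(255, -1, -1)) * 4,
}


def fingerprint(data: bytes) -> dict:
    """Size plus MD5 and SHA-256 of a file body.

    MD5 is kept because that is what the thread quotes; the actual match in
    verify_claim relies on SHA-256, since MD5 collisions are cheap for an
    attacker who controls both files.
    """
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_manifest(releases: dict) -> dict:
    """Map version -> fingerprint for every known-good release body."""
    return {version: fingerprint(body) for version, body in releases.items()}


def verify_claim(data: bytes, claimed_version: str, manifest: dict) -> dict:
    """Check a downloaded file against the manifest.

    status is one of:
      ok          - file matches the release the site claims to serve
      mislabelled - file is an official release, but a different version
                    (the 2.5.4-served-as-2.5.8 case from the thread)
      unknown     - file matches no known release: tampered, repacked, or a
                    release the manifest does not list
    A size match alone is returned under same_size_as as weak evidence only.
    """
    fp = fingerprint(data)
    for version, ref in manifest.items():
        if fp["sha256"] == ref["sha256"] and fp["size"] == ref["size"]:
            status = "ok" if version == claimed_version else "mislabelled"
            return {"status": status, "version": version, "fingerprint": fp}
    same_size = sorted(v for v, ref in manifest.items() if ref["size"] == fp["size"])
    return {"status": "unknown", "version": None,
            "same_size_as": same_size, "fingerprint": fp}


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RELEASES)
    # A mirror claims to serve 2.5.8 but actually serves the older 2.5.4 build.
    print(verify_claim(SAMPLE_RELEASES["2.5.4"], "2.5.8", manifest)["status"])
    # Same length as the real 2.5.8 build, different content: size is not proof.
    forged = b"x" * len(SAMPLE_RELEASES["2.5.8"])
    print(verify_claim(forged, "2.5.8", manifest))
```

To use this against real files, replace SAMPLE_RELEASES with the sizes and
hashes the project publishes for each release and pass the downloaded file's
bytes to verify_claim; a "mislabelled" result is exactly the situation the
thread found, and an "unknown" result is the case that warrants pulling the
binary apart before anyone runs it.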