Sponsored by..

Showing posts with label Porn. Show all posts
Showing posts with label Porn. Show all posts

Monday, 4 December 2017

Some random thoughts on Damian Green and those porn allegations

If you live in the UK then you might have noticed the somewhat bizarre furore over Damian Green MP and his alleged viewing of pornography on house his Parliament computer. Now, I don't know for certain if he did or didn't, but to put it in context his private email address also allegedly turned up in the Ashley Madison leak and on top of that there are sexual harassment allegations too. But let's stick to the porn for now.

Anybody who has been involved in forensic investigations of computers may well understand these comments:

Mr Lewis, who retired from the Metropolitan Police in 2014, said although "you can't put fingers on a keyboard", a number of factors meant that he was sure it was Mr Green, the MP for Ashford, Kent, who was accessing the pornographic material.

His analysis of the way the computer had been used left the former detective constable in "no doubt whatsoever" that it was Mr Green, who was then an opposition immigration spokesman but is now the first secretary of state.

"The computer was in Mr Green's office, on his desk, logged in, his account, his name," said Mr Lewis, who at the time was working as a computer forensics examiner for SO15, the counter-terrorism command.

"In between browsing pornography, he was sending emails from his account, his personal account, reading documents... it was ridiculous to suggest anybody else could have done it."  
To put this into context - the computer was seized in 2008 when Green was arrested over the suspected leaking of confidential material. Any investigation such as that will look at web browsing history, recently accessed or saved documents, cookies, bookmarks and stored documents and images. So, it is utterly credibly that the investigation would have found this type of activity if it had occurred.

Indeed, there seems to be no denial that this material had been accessed on the computer, but that Mr Green had not done so. But Mr Lewis's statement also says that things such as private email were accessed concurrently. If you were carrying out an investigation on behalf of a business, then this would indeed be enough to "place fingers on a keyboard".

But here is the surprise - why would this material be accessible at all? Nobody has claimed that it was not accessed, just that Mr Green himself did not access it. But any reasonably-sized business would usually have some sort of filter to stop this happening.

The House of Commons by itself employs over 2000 people. Add to that the staff of the House of Lords, the Lords themselves, MPs and other staff who are not directly employed by either House then you are looking at thousands of employees. That's quite a large organisation, and if there is no effective web filtering for any of them, then that introduces a serious security risk.

Anybody who works in IT in a relatively large organisation such as this will know that at least some of them will try to access pornography. My experience is that people who do this on their work computers are exclusively male, and there are 453 male MPs in the House of Commons. This is certainly a large enough group for some of them to be accessing porn, at least some of the time/


So we can surmise a couple of things - it certainly seems to be possible to access porn from a Parliament computer, and given the number of people working there it seems likely that somebody would try. The number of male MPs certainly seems enough for one of those to try to access porn. Given that it is likely that some of them try, there's no particular reason why it shouldn't be Damian Green. And if one MP is fired from his job because of porn, then you can bet there are other MPs who have done the same thing.

But why not implement some sort of filtering? The problem is that MPs are not employees - Parliament is the primary legislative body in the UK and it is essentially sovereign (despite there being a Queen). Imagine that you worked in an organisation where there were hundreds of C-level executives, and then try to police them from an IT point of view. MPs are probably amongst the worst users in the world to support.

As I said, most organisation of any size filter porn from corporate computers. Strategically, the main reason to do that is not to track down and fire errant employees, but to prevent embarrassment to that organisation. It's all very well to fire a low-level employee for viewing smut, but when it comes to the top of the food chain such terminations can also be damaging to the reputation of the organisation itself. If Parliament isn't filtering this sort of material then it is always likely to end up with this sort of scenario from time-to-time.

Mr Lewis's comments indicate that the material was found on the computer itself, not a proxy log or other external system. It's quite possible that whoever was accessing the material on Mr Green's computer could have saved themselves a lot of grief if they'd used private browsing (although a deep forensic investigation can often find artifacts even when this has happened).

Also, Nadine Dorries MP did state that she shared her password with staff who worked for her. This is terrible practice, and certainly in my organisation if you share your password and somebody abuses it, then you are liable for anything that they did.

Don't forget as well, the habit of porn sites infecting visitors with malware though malicious advertisements, and the habit of more "specialist" sites having been created specifically to infect visitor's computers. MPs might not think themselves to be important enough to hack, but they will have private correspondence with constituents and other parties that should remain private.. and not be leaked out.

Whatever the truth of Damian Green's surfing habits, it looks like Parliament is badly in need of proper regulation of its computer systems. But you really do have the nightmare users from hell in that job. I suspect it is going to take something more that one embarrassed MP to force a change.

Image credits:

Tuesday, 31 October 2017

Bogus porn blackmail attempt from adulthehappytimes.com

This blackmail attempt is completely bogus, sent from a server belonging to the adulthehappytimes.com domain.

From:    Hannah Taylor [bill@adulthehappytimes.com]
Reply-To:    bill@adulthehappytimes.com
To:    contact@victimdomail.tld
Date:    31 October 2017 at 15:06
Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life
Signed by:    adulthehappytimes.com

Hello.

I sincerely anticipate that I will not hurt ur feelings. Shit happens, life didn’t give me a choice. I don’t hate people with special tastes, moreover only God can judge u. So:

Firstly, I put the particular virus on a web site with porn videos (I think you understood me).

Secondly, when you tapped on a video, soft instantly started working, all cams turned on and screen started recording, then my soft collected all contacts from emails, messengers etc. Im really proud for this soft, it makes devices act as remote desktop with keylogger function, impressive. This email address Ive collected from your device, I emailed u here because I think you will 100% going to check your corporative email.

Eventually, I edited a split screen video, with your participation and porn video from your screen, its very weird. Consequently, I can share this video with all your friends, colleagues, relatives etc. I guess it’s a big problem for you.

But we can resolve this problem. 305 Usd- in my opinion, very common cost for false like this.

I accept only bitcoin, this is my wallet’s address- 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY U have 45 hours after opening my letter to make transaction. I will see when u read this letter, I adjusted special tracking pixel in it. This time is sufficiently only to complete all verifications and transaction, so you have to think rapidly. If I wont get my «wage», I will share this video with all contact Ive received from ur device.

You can complain to cops for a help, but they wont search out me for even 150 hours, Im from Japan, so think twice. If Ill receive btc- all compromising evidence will be erased forever and I will never message you again.

U can reply, but this Will not make sense, I sent you this notification using my soft for anonymous messages, I don’t check the email after using it, because I contemplate about my safety too. Have a nice day, I hope u will make a good decision for you.
If you got one of these, the first thing to realise is that it is bullshit. This particular one was sent to the contact@ address of a random domain I own. You note there are no personal details in the email, and furthermore the claim that there's a tracking pixel in the email can easily be refuted by checking the HTML of the message itself.

The "from" address in the email is bill@adulthehappytimes.com and this matches the name of the sending email server, mta11.adulthehappytimes.com on 188.225.9.190

You might notice it says mta11 - indeed adulthehappytimes.com seems to have subdomains mta.adulthehappytimes.com through mta15.adulthehappytimes.com some of which are hosted at Heroku / AWS, but the ones that aren't are on the following IPs:

5.23.49.167
5.23.49.180
92.53.124.50
176.57.214.134
176.57.214.240
176.57.217.49
176.57.217.55
176.57.217.167
176.57.217.225
188.225.9.190

188.225.9.215

All of those belong to TimeWeb in Russia. The domain itself is also hosted on 5.23.49.180 (mta1.adulthehappytimes.com) but it appears to be parked. However, however controls this domain has gone to the effort of setting up 16 different mail servers. The WHOIS details show that the domain is actually ten years old..

Domain Name: ADULTHEHAPPYTIMES.COM
Domain ID: 1041994153_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2016-09-06T01:55:42Z
Creation Date: 2007-06-21T21:10:46Z
Registrar Registration Expiration Date: 2018-06-21T21:10:46Z
Registrar: Domain.com, LLC
Registrar IANA ID: 886
Registrar Abuse Contact Email: compliance@domain-inc.net
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Netfirms
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name: Alexey Pokachalov
Registrant Organization: Alexey Pokachalov
Registrant Street: Stepana Razina 84-10
Registrant City: Togliatti
Registrant State/Province: NA
Registrant Postal Code: 445057
Registrant Country: RU
Registrant Phone: +17.9608367000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: genarur@gmail.com
Registry Admin ID: 


It's odd to see an old domain being used for spam like this, so perhaps the domain itself and the infrastructure has been hijacked. It is hard to be certain, but also you wouldn't post real contact details on the WHOIS and then solicit anonymous payments through BitCoin, so my hunch is that the domain owner doesn't even know it is happening.

I don't know if Bitcoin wallet 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY is common to all these spam emails, but at the moment nobody has sent money to that Bitcoin wallet.



Monday, 20 October 2014

beeg.com hacked (again)

Earlier this year I looked at a hack attack on popular porn site beeg.com (Alexa rank 429) which appeared to be something to do with a fake advertising agency that had bought ad space.

Well, it appear that beeg.com has been hacked again (as of yesterday) [1] [2] [3] and has been serving up an exploit kit (which appears to have been cleaned up now).

What's interesting about this attack are the domains in use, all using .CF (Central African Republic), .GA (Gabon), .ML (Mali) plus the more commonly abused .TK and .UNI.ME. The domains detected are listed at the end of this post, but they all appear to be dead now.

All the domains in question use nameservers using the domain rezupsell.com which uses an anonymous registration, but which itself uses reg3.ru nameservers which perhaps gives a clue as to the general origins of this attack.

The malicious hosts were based on the following IPs which might be worth blocking:

192.208.185.103 (Continuum Data Centers, US)
64.187.224.62 (Microglobe LLC, US)
64.251.19.156 (Infolink / Serverpronto, US)


(plain list for copy-and-pasting)
192.208.185.103
64.187.224.62
64.251.19.156

The domains that seem to be associated with this attack are as follows:
axxesopri.cf
carrillen.cf
casselful.cf
ceurstros.cf
chcontaca.cf
ciscomphy.cf
coperhemi.cf
cymersion.cf
disticsis.cf
elenecyat.cf
geommibun.cf
kofaxiors.cf
leumilyso.cf
moultrayi.cf
newspryga.cf
oruminfol.cf
oxbretrin.cf
pathotect.cf
romarflyt.cf
samarkare.cf
shtanakin.cf
spotalaba.cf
stanaderi.cf
tinginest.cf
trollethi.cf
univalone.cf
yocreitaw.cf
zinifersi.cf
librayippinedi.cf
locinagenphafe.cf
obusicaressoft.cf
pandalinexitys.cf
parsportertuel.cf
picabulsteeneo.cf
portgateaminem.cf
pucreweatiange.cf
sysoplanitolbr.cf
techrintorcell.cf
tentectrilyawp.cf
thngrxiamedier.cf
toresilvadplet.cf
axxesopri.ga
casselful.ga
ceurstros.ga
chcontaca.ga
ciscomphy.ga
coperhemi.ga
cymersion.ga
disticsis.ga
elenecyat.ga
geommibun.ga
kofaxiors.ga
leumilyso.ga
moultrayi.ga
newspryga.ga
oruminfol.ga
oxbretrin.ga
pathotect.ga
romarflyt.ga
portgateaminem.cf
shtanakin.ga
spotalaba.ga
stanaderi.ga
tinginest.ga
trollethi.ga
univalone.ga
yocreitaw.ga
zinifersi.ga
librayippinedi.ga
locinagenphafe.ga
obusicaressoft.ga
pandalinexitys.ga
parsportertuel.ga
picabulsteeneo.ga
portgateaminem.ga
pucreweatiange.ga
sysoplanitolbr.ga
techrintorcell.ga
tentectrilyawp.ga
thngrxiamedier.ga
toresilvadplet.ga
acrostorilifeg.uni.me
actuallessaric.uni.me
adianaldbalide.uni.me
adzilablenetsk.uni.me
aestatchapease.uni.me
aistedianametr.uni.me
akedianonligno.uni.me
aladdiersought.uni.me
altonemagingso.uni.me
annousynqsoftv.uni.me
armanorducketi.uni.me
articatianavia.uni.me
ascetonbringra.uni.me
asitegoldnterp.uni.me
asurcersalcode.uni.me
aumentediaside.uni.me
axiantfxtresti.uni.me
aycarpaxcellon.uni.me
backcopartveit.uni.me
barretaballtip.uni.me
bazzinguatelee.uni.me
bectechedianel.uni.me
benshnorgerven.uni.me
beyoneyentpoin.uni.me
boldowngottoni.uni.me
boxholephoniwo.uni.me
breadischarksm.uni.me
axxesopri.ml
carrillen.ml
casselful.ml
ceurstros.ml
chcontaca.ml
ciscomphy.ml
coperhemi.ml
cymersion.ml
disticsis.ml
elenecyat.ml
geommibun.ml
kofaxiors.ml
leumilyso.ml
moultrayi.ml
newspryga.ml
oxbretrin.ml
pathotect.ml
samarkare.ml
shtanakin.ml
spotalaba.ml
stanaderi.ml
tinginest.ml
trollethi.ml
univalone.ml
yocreitaw.ml
zinifersi.ml
locinagenphafe.ml
obusicaressoft.ml
pandalinexitys.ml
parsportertuel.ml
picabulsteeneo.ml
portgateaminem.ml
pucreweatiange.ml
sysoplanitolbr.ml
techrintorcell.ml
tentectrilyawp.ml
thngrxiamedier.ml
toresilvadplet.ml
axxesopri.tk
carrillen.tk
casselful.tk
ceurstros.tk
chcontaca.tk
ciscomphy.tk
coperhemi.tk
cymersion.tk
disticsis.tk
elenecyat.tk
geommibun.tk
kofaxiors.tk
leumilyso.tk
moultrayi.tk
newspryga.tk
oruminfol.tk
oxbretrin.tk
pathotect.tk
romarflyt.tk
samarkare.tk
shtanakin.tk
spotalaba.tk
stanaderi.tk
tinginest.tk
trollethi.tk
univalone.tk
yocreitaw.tk
zinifersi.tk
librayippinedi.tk
locinagenphafe.tk
obusicaressoft.tk
pandalinexitys.tk
parsportertuel.tk
picabulsteeneo.tk
portgateaminem.tk
pucreweatiange.tk
sysoplanitolbr.tk
techrintorcell.tk
tentectrilyawp.tk
thngrxiamedier.tk
toresilvadplet.tk

Friday, 21 March 2014

Porn site beeg.com hacked, aadserver.com and malware sites to block

The folks at Malwarebytes posted an exellent and interesting blog entry on the hack of porn site beeg.com. The technical analysis is spot on.. but sometimes you need actionable intelligence too.

Let's rush towards the climax of the infection chain for a moment. Malwarebytes identify a couple of malicious domains, both hosted on 92.63.109.45 (TheFirst-RU, Russia).

mdquhrp.clark4houk.eu
ipquqoh.lapierre3dudley.eu

Source: Malwarebytes blog
That IP actually contains a lot more bad domains that have all been recently registered with hidden details:

mdquhrp.clark4houk.eu
boqmkwe.lapierre3dudley.eu
wjlxuxt.artola1brodgen.eu
jqeqt.kundel2klimas.eu
ocsck.amar1krauel.eu
qeuhn.kusmider3bossert.eu
ipquqoh.lapierre3dudley.eu
mnsblx.kempffer7hazeldine.eu
alxrjqo.julian7hoscheid.eu
nnmkeseu.clark4houk.eu
jtwwnu.amar1krauel.eu
wbxrufy.hsiang4akai.eu
tanhts.contardo1jak.eu
gcumqix.hazen1ceponis.eu
lgyqyfos.kundel2klimas.eu
qymvauk.artola1brodgen.eu
rugoo.farant4diperna.eu
iyttjqaa.farant4diperna.eu
ekgdb.julian7hoscheid.eu
bteqspe.labranche9allan.eu
pwdulvt.labranche9allan.eu
noslpt.eriksson5akhavan.eu
ywata.kusmider3bossert.eu
yqovf.lamirande9buhler.eu
oidgvrz.kepekci8billoteau.eu
www.kundel2klimas.eu

But how did visitors get delivered to the payload site in the first place? The previous step in the Malwarebytes chain was a site called miofitching3.com on 217.174.108.33 (Domishko Hosting, Russia). A look at the sites recently hosted on that IP shows the following:

aadserver.com
miofetcher1.com
miofitching3.com
miofleiming1.com
miofleiming2.com
miofleiming3.com
miofleiming4.com
miofleiming5.com
miofleiming6.com

One of these things is not like the others. Yes, aadserver.com doesn't match. But the name makes it sound like an advertising network. The domain has hidden WHOIS details but was only registered on 13th February.

A look around the aadserver.com site shows something that looks slick.




It looks slick, but the spelling is terrible and some of the body text has been copied from Wikipedia.. even including a [citation needed] tag. The email contact details are all free webmail providers, and despite promoting itself as an "Australian Ad Server" it has a Russian IP address.

It's pretty obvious that aadserver.com is a fake. The Russian IP address (odd for an Australian business), recent domain registration with hidden WHOIS details, email addresses and poor spelling should have been red flags for an experience media buyer.

So how did these ads end up on beeg.com? Well, if we go back to the first step in the infection chain, we see a reference to a site staticloads.com. This has the same WHOIS details as beeg.com, so my best guess it that the owners of beeg.com were contacted by aadserver.com with a proposition to sell advertising, and a lack of expertise led to fake ads being placed on the site.

So, I mentioned actionable intelligence. Apart from making sure that you properly train media buyers in detecting fake ad agencies, I would strongly recommend applying the following blocklist to your networks to stop any more bad ads from these criminals causing a problems:

92.63.109.45
217.174.108.33
clark4houk.eu
lapierre3dudley.eu
artola1brodgen.eu
kundel2klimas.eu
amar1krauel.eu
kusmider3bossert.eu
kempffer7hazeldine.eu
julian7hoscheid.eu
hsiang4akai.eu
contardo1jak.eu
hazen1ceponis.eu
farant4diperna.eu
labranche9allan.eu
eriksson5akhavan.eu
lamirande9buhler.eu
kepekci8billoteau.eu
aadserver.com
miofetcher1.com
miofitching3.com
miofleiming1.com
miofleiming2.com
miofleiming3.com
miofleiming4.com
miofleiming5.com
miofleiming6.com

Wednesday, 19 February 2014

Somnath Bharti - porn site operator?

I seem to have written a lot about Somnath Bharti lately, and he's certainly a topic of interest in Indian politics. I'm not going to go on about his links to TopSites LLC (watch the video if you are interested), but I wanted to look at these persistent comments that Somnath Bharti was some sort of porn site operator.

If you want the really short version it's this - I've never seen any evidence that Mr Bharti has owned or operated a porn site. That's it.

But what are the links to porn, and where is there confusion?

allwebhunt.com links to porn and pro-pedophilia sites

It is beyond all reasonable doubt that allwebhunt.com is connected to Somnath Bharti. This was a directory of sites that was rapidly taken offline when the Times of India exposed the connection. Some of the more unsavoury contents of that site include a set links to pro-pedophilia sites which had been copied from the Open Directory Project (which had deleted them years ago). That's a pretty poor sense of judgement in this case, but it is really down to sloppiness rather than actual malice in my opinion.

But allwebhunt.com also linked to more regular porn sites, including the examples pictured below.

These entries appeared to be paid or sponsored ones, but the sites themselves are not Mr Bharti's and it does amuse me that some of the India news outlets criticising Mr Bharti for this do exactly the same things themselves.

Ultimately, allwebhut.com (and its predecessor topsites.us) directories are simply a catalogue of available sites, some of those links may be questionable but they do not imply ownership or mean that anything illegal is happening.

Ownership of teens-boy.net

One of the sites that Mr Bharti owned was teens-boy.net, according to historical WHOS records from 2005:

Domain:        teens-boy.net
Record Date:     2005-01-08
Registrar:     GOTNAMES.CA INC.
Server:     whois.gotnames.ca
Created:     2004-11-26
Updated:    
Expires:     2005-11-26

Domain teens-boy.net

  Date Registered: 2004-11-26
    Date Modified: 2004-11-30
      Expiry Date: 2005-11-26
             DNS1: ns1.www--search.com
             DNS2: ns2.www--search.com

  Registrant

                   My Directory LLC
                   PO Box 7334 - 101591
                   San Francisco, CA (US)
                   94120-73

  Administrative Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

  Technical Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

        Registrar: GotNames.ca
teens-boy.net had been a gay porn site until late 2004 as it appears in the Internet Archive [link is probably not safe for work]. The Internet Archive does not have any pictures on it in this case, but it is clear what the site is about by looking at the text.


It's an odd site for Mr Bharti to have in his name. But what did it actually look like after he bought it? The Internet Archive gives the answer again [this link is OK]. We can see that it just acts as a redirector to dirs.org which is yet another clone of the TopSites directory.




I guess this might have been an attempt at SEO, the domain was bought with a lot of other non-porn domains which also forwarded in this way. As far as I can tell, when the domain registration was up the domain simply expired at the end of 2005, it was re-registered by an unrelated party in 2007.

DVLPMNT MARKETING, INC and www-goto.com confusion

Webnewswire.com ran a story looking at the WHOIS details of www-goto.com, a site that had been registered to Mr Bharti in 2005:

Domain:        www-goto.com
Record Date:     2005-05-18
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:    
Expires:     2005-12-08

Registrant:
 Media  LLC
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Technical Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Record last updated 05-17-2005 03:09:40 PM
Record expires on 12-08-2005
Record created on 12-08-2004

Domain servers in listed order:
    NS1.WWW-GOTO.COM    202.14.69.2
    NS2.WWW-GOTO.COM    202.14.69.117
They then looked at the current WHOIS details which are:
Domain:        www-goto.com
Record Date:     2014-02-06
Registrar:     DNC HOLDINGS, INC.
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2013-06-12
Expires:     2014-12-08 

Domain Name: WWW-GOTO.COM
Registry Domain ID:
Registrar WHOIS Server: whois.directnic.com
Registrar URL: http://www.directnic.com
Updated Date: -001-11-30T00:00:00-06:00
Creation Date: 2004-12-08T11:03:22-06:00
Registrar Registration Expiration Date: 2014-12-08T17:03:22-06:00
Registrar: DNC Holdings, Inc.
Registrar IANA ID: 291
Registrar Abuse Contact Email: abuse@directnic.com
Registrar Abuse Contact Phone: +1.8668569598
Domain Status: ok
Registrant Name: Domain Administrator
Registrant Organization: DVLPMNT MARKETING, INC.
Registrant Street: Hunkins Plaza
Registrant City: Charlestown
Registrant State/Province: Nevis
Registrant Postal Code: NA
Registrant Country: KN
Registrant Phone: 011-869-765-4496
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dvlpmntltd@gmail.com
Admin Name: Domain Administrator
Admin Organization: DVLPMNT MARKETING, INC.
Admin Street: Hunkins Plaza
Admin City: Charlestown
Admin State/Province: Nevis
Admin Postal Code: NA
Admin Country: KN
Admin Phone: 011-869-765-4496
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: dvlpmntltd@gmail.com
Tech Name: Domain Administrator
Tech Organization: DVLPMNT MARKETING, INC.
Tech Street: Hunkins Plaza
Tech City: Charlestown
Tech State/Province: Nevis
Tech Postal Code: NA
Tech Country: KN
Tech Phone: 011-869-765-4496
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: dvlpmntltd@gmail.com
Name Server: NS1.VOODOO.COM
Name Server: NS2.VOODOO.COM
URL of the ICANN WHOIS Data Problem Reporting System
http://wdprs.internic.net
The creation date for the domain is still 2004, so the domain has never dropped and been reregistered, it has been in continual existence since that date. The rather mysterious DVLPMNT MARKETING, INC certainly does seem to be connected with porn domains, but is this company controlled by Mr Bharti? No.


A look at the historical WHOIS details again yield some clues. The domain expired in 2008 and ended up being controlled by the registrar DirectNIC..
Domain:        www-goto.com
Record Date:     2008-12-19
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2008-12-09
Expires:     2009-12-08
Previous Screenshots
2008-12-18 screenshot
Reverse Whois:

Registrant:
 directNIC.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Technical Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Record last updated 12-09-2008 06:13:27 PM
Record expires on 12-08-2008
Record created on 12-08-2004

Domain servers in listed order:
    NS0.EXPIREDDOMAINSERVICES.COM    69.46.228.236
    NS1.EXPIREDDOMAINSERVICES.COM    69.46.228.237

DirectNIC reserve the right to auction off expired domains and the next WHOIS entry sees the domain being controlled by a domain parking company. It is unlikely that Mr Bharti or any of his associates received anything for this domain, it was essentially scrapped.

Is there any other evidence linking Somnath Bharti to porn?

Over the past couple of weeks I have re-examined the TopSites LLC business plus Mr Bharti's own Madgen Solutions from my own records and other public sources. These revealed all sort of interesting facts and allegations about Mr Bharti's activities.. but absolutely nothing that suggest that he owned or operated porn sites.

Of course, perhaps there is evidence that I am not aware of, but I would be very surprised if there is.. you can always send me an email if you have anything that will prove me wrong.


Tuesday, 10 September 2013

Are top porn sites still riddled with malware?

Back in April I wrote an article about how several top porn sites were having issues with malware. An apparent infection at xvideos.com (link is a little NSFW) led to to look at the Google malware results for the past 90 data again.

I started with a list of sites in the top 1000 sites globally according to data at Alexa.com (a few have dropped out of the top 1000 since I collated the data set) and also used the Alexa data to work out the average number of daily pageviews per user. The next step was to look at Google's data on the number of infected pages and the total number of pages on the site, noting the date of last infection. From that I could work out an "infection likelihood" which is the probability of an average visitor coming into contact with malware during the period the site was infected.

What was surprising was just how clean these sites are looking (well, from a malware perspective). Last time some of the biggest sites had hundreds of pages infected, and now they appear to have virtually none. I've highlighted everything about 1% in red but note that the "riskiest" site (largeporntube.com) has been clean for a couple of months.
 
The results of my analysis are as follows:


Rank
Domain
Pageviews / User
Total pages
Infected
Date
Infection rate
Infection likelihood
38
xvideos.com
11.7
89427
0

0.00%
0.00%
51
xhamster.com
10
11356
1
2013-07-01
0.01%
0.09%
66
pornhub.com
5.6
6235
0

0.00%
0.00%
88
xnxx.com
9.5
26082
0

0.00%
0.00%
95
redtube.com
5
9189
0

0.00%
0.00%
99
youporn.com
5.6
1675
0

0.00%
0.00%
103
livejasmin.com
2.4
502
0

0.00%
0.00%
162
tube8.com
3.9
12697
0

0.00%
0.00%
169
youjizz.com
4.7
1385
0

0.00%
0.00%
227
hardsextube.com
3.3
71817
0

0.00%
0.00%
268
dmm.co.jp
9.2
1245
0

0.00%
0.00%
275
beeg.com
4.9
873
0

0.00%
0.00%
326
motherless.com
14.8
3196
4
2013-06-24
0.13%
1.84%
393
drtuber.com
2.8
1420
0

0.00%
0.00%
438
myfreecams.com
4
148
0

0.00%
0.00%
453
cam4.com
6.3
889
0

0.00%
0.00%
462
adultfriendfinder.com
7.8
241
0

0.00%
0.00%
464
bravotube.net
2.6
1098
0

0.00%
0.00%
502
ixxx.com
3.4
438
5
2013-09-05
1.14%
3.83%
528
chaturbate.com
14.7
2725
0

0.00%
0.00%
578
nuvid.com
2.8
884
0

0.00%
0.00%
588
spankwire.com
3.3
1182
0

0.00%
0.00%
591
porntube.com
2.9
734
0

0.00%
0.00%
595
pornerbros.com
1.9
946
1

0.11%
0.20%
607
largeporntube.com
3.2
5750
160
2013-07-20
2.78%
8.63%
676
yourlust.com
2.7
1224
0

0.00%
0.00%
697
4tube.com
4.3
1337
0

0.00%
0.00%
699
keezmovies.com
3
669
0

0.00%
0.00%
707
pornhublive.com
2.3
30
0

0.00%
0.00%
768
xhamstercams.com
1.8
5
0

0.00%
0.00%
780
h2porn.com
1.8
2193
1

0.05%
0.08%
800
4chan.org
26.7
218
0

0.00%
0.00%
804
video-one.com
13.7
1143
0

0.00%
0.00%
825
xtube.com
12.1
805
0

0.00%
0.00%
830
sunporno.com
2.7
360
0

0.00%
0.00%
848
porn.com
4
1281
0

0.00%
0.00%
864
perfectgirls.net
5.4
1958
5
2013-09-05
0.26%
1.37%
883
nudevista.com
8.7
2088
1
2013-08-03
0.05%
0.42%
931
redtubelive.com
2.8
33
0

0.00%
0.00%
942
alphaporno.com
1.9
10472
32
2013-07-21
0.31%
0.58%
1065
videosexarchive.com
3.8
5183
0

0.00%
0.00%
1238
hellporno.com
3
331
0

0.00%
0.00%
1382
watchmygf.com
1.3
11
0

0.00%
0.00%
1806
ah-me.com
2.7
235
0

0.00%
0.00%
  
So, what is going on? Have these sites cleaned up their act? Well, it certainly looks like there has been an improvement (despite the reported infection at xvideos.com above). 

Over 46,000 people looked at my previous blog post on the topic, and it was covered by some major news outlets [1] [2] [3] [4] [5]. Reaction was varied, and many porn site operators flatly denied the problem despite the Google statistics indicating otherwise.

So perhaps shining a light on the problem helped to clean it up. Perhaps the spike in malware was a temporary glitch. Perhaps the malware operators are better at hiding what they are doing. I suspect that it is a combination of all three.


Despite the apparent cleanup of these sites, my advice is that you still need to exercise caution. It is very important to make sure that your system is fully patched (you can use Secunia OSI to check if you have a Windows PC), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware, and of course a good and up-to-date anti-virus or security package is essential. In addition, Google's Chrome browser is pretty good at picking up malicious sites, and the most dangerous browser to use tends to be Internet Explorer. And if you have Sun's Java platform installed on your system I would strongly recommend that you remove it as that it currently the most popular way of getting your machine infected.