NoVirusThanks Company Srl malwarehash service down or compromised?

Discussion in 'other software & services' started by m00nbl00d, Mar 24, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    For those of you who may not know, NoVirusThanks Company Srl provides, among others, the service -http://www.urlvoid.com.

    Yesterday, I tried to access one other service from them -http://www.malwarehash.com

    Access to it was immediately blocked by one of my blacklists (not by domain, rather IP). I thought that it could be a false positive. So, I temporarily allowed access to it. Once more, access was blocked, but this time because a redirection happened to one other domain, which seems to be involved in not so great practices.

    I opened -http://www.urlvoid.com and verified what IPs, domains belonging to NoVirusThanks Company Srl, were resolving to.

    You may see here -http://www.urlvoid.com/scan/ipvoid.com that the domain www.ipvoid.com resolves to 94.23.23.25. You may also see that malwarehash.com also resolves to the same IP. Or, at least, is supposed to resolve to that IP. And, so it does -http://www.urlvoid.com/scan/malwarehash.com

    That's not the IP that gets blocked by my blacklist when accessing -http://www.malwarehash.com

    The IP that gets blocked, seems to be involved with the Palevo worm.

    Dissecting -http://www.malwarehash.com I get this

    Code:
    <html>
    <head>
    <title>malwarehash.com</title>
    </head>
    <frameset frameborder=0 framespacing=0 border=0 rows="100%">
    <frame name="BOTFRAME" src="http://dsnextgen.com/?o_id=143194&domainname=malwarehash.com" noresize scrolling=no>
    </frameset>
    </html>
    The domain dsnextgen.com seems to be involved in not so great practices. -http://hosts-file.net/?s=dsnextgen.com -http://www.mywot.com/en/scorecard/dsnextgen.com

    Two things need to be considered, I believe: 1) The IPs are not the same 2) Wouldn't NoVirusThanks Company Srl simply remove any references to malwarehash.com from www.urlvoid.com (bottom), if they had killed this project?

    I'll see if I can get in touch with them, but would like to hear what you have to say about it... :D

    -edit-

    I also accessed the same domain today, and the same happens, which is why I decided to find more about this issue.
     
    Last edited: Mar 24, 2011
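A check for the pattern dissected in the post above, as an added example that is not part of the original thread: it parses a fetched page and reports frames that hand the page to a host outside the expected domain. The function names and finding fields are assumptions made for this illustration; the sample HTML is the page source quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: the page source quoted in the post above.
SAMPLE_HTML = """<html><head><title>malwarehash.com</title></head>
<frameset frameborder=0 framespacing=0 border=0 rows="100%">
<frame name="BOTFRAME" src="http://dsnextgen.com/?o_id=143194&domainname=malwarehash.com" noresize scrolling=no>
</frameset></html>"""


class FrameCollector(HTMLParser):
    """Collect frame/iframe sources and note whether the page has a <body>."""
    def __init__(self):
        super().__init__()
        self.frame_srcs, self.has_frameset, self.has_body = [], False, False

    def handle_starttag(self, tag, attrs):
        if tag == "frameset":
            self.has_frameset = True
        elif tag == "body":
            self.has_body = True
        elif tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)


def same_site(host, expected):
    """True when host is the expected domain or one of its subdomains."""
    host, expected = host.lower().rstrip("."), expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def audit_page(expected_domain, html):
    """Return one finding per frame whose source is a foreign host."""
    parser = FrameCollector()
    parser.feed(html)
    findings = []
    for src in parser.frame_srcs:
        url = urlparse(src)
        if not url.hostname or same_site(url.hostname, expected_domain):
            continue  # relative or same-site frame: not a hand-off
        values = [v for vals in parse_qs(url.query).values() for v in vals]
        findings.append({
            "frame_host": url.hostname,
            "frameset_only": parser.has_frameset and not parser.has_body,
            "domain_in_query": expected_domain in values,
        })
    return findings
```

A finding with `frameset_only` and `domain_in_query` both true matches the shape of a registrar parking page: no content of its own, and the visited domain passed to a third-party host as a parameter.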
  2. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    The info for -malwarehash.com was outdated (2010-06-04), I scanned that site again: -http://www.urlvoid.com/scan/malwarehash.com also: -http://www.ipvoid.com/scan/67.228.81.180

    I use this site for resolving hostnames: -http://www.ip-adress.com/ip_tracer/malwarehash.com
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Bummer... I actually didn't pay attention to that detail. Thanks for the alert! :thumb:

    The IP doesn't figure in the Autoshun blocklist anymore, though.

    The IP 67.228.81.180 is also involved in the Palevo worm -http://amada.abuse.ch/palevotracker.php

    Tomorrow, I'll see if I'll send them an e-mail asking about this service (malwarehash) and see what they tell me. I highly doubt they're aware their service domain is being redirected to that misleading page... But, who knows...

    Sometimes I use this one -http://domaintoip.com/ip.php?domain=malwarehash.com
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @m00nbl00d

    Malwarehash.com is a domain that was bought with Name.com. A few months ago we removed the DNS records for the domain malwarehash.com because we wanted to take the service/website offline and work on a new service (commercial) that will soon be available at malwarehash.com. When a customer removes the DNS records of a domain, Name.com automatically points the domain to their sedoparking account, and unfortunately we cannot control what is on their sedoparking page. As a precaution, I have set the DNS records of malwarehash.com to 127.0.0.1 until we have finished working on the new service.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Thank you for the feedback and explanation. :thumb:
     