In another blog entry, "VMware leaks and directory transversal", I got a comment that made me do some research. I came to the conclusion that the site was a rogue/fake spyware site and shouldn't be visited.
BTW, I'm not going to link there since it seems kind of hypocritical of me. After all, I am saying not to click links in comments, so it is a good exercise to look the article up and go there yourself.
The program he mentions, spybot search and destroy (spybotSD), is a good one and has been on the scene for a long time.
However, Spybot Search and Destroy lives at spybot.com and safer-networking.org, not at the site he claims (STRIKE ONE). Also, why did he comment on a post that had nothing to do with Spybot? The post was about VMware. Even though that wasn't enough to convict Thomas, I decided to look further.
A simple Google didn't find any references to "REMOVETHISsearch-and-destroy.com". (Notice the mutilation.)
I went to samspade.org to do a whois and see who the domain was registered to. It turns out it was registered through GoDaddy, which doesn't let me look up a domain's owner on some accounts. However, he/she/it left their email in. Aha, something else to Google.
After looking around I found that there were several people named "Thomas Bind". He was either a gay porn star, an author of fake anti-spyware programs, an author of posts that praise rogue antispyware, or a combination of the above. STRIKE TWO.
When I went to that site with a simple VM I didn't see anything that bothered me, but I only took a glance. So nothing conclusive, one way or another.
When I TRACERT'd the site from the DOS command prompt I saw that something was blocking it. Something was resolving the site's name to my own computer (127.0.0.1), the way the hosts file does. So I looked at the hosts file in Windows. Lo and behold, it was listed among the entries that Spybot adds to block. STRIKE THREE, HE'S OUT!
So since spybot blocks it, I'll assume the site isn't real or it hosts malware of some kind.
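The hosts-file check above can be automated: the script below is an added example (not code from the original post) that parses hosts-file text and reports whether a name is being sent to loopback or 0.0.0.0, which is exactly what the TRACERT to 127.0.0.1 revealed. The hosts content and the domain names in it are a constructed sample; the default Windows hosts path is the standard location.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample of a Windows hosts file (placeholder names, not the
# real file from the post): the default entries plus a few Spybot-style
# immunization lines that sinkhole hostnames to the loopback address.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy (constructed)
127.0.0.1\tWWW.Rogue-Antispyware.test   # inline comment
127.0.0.1 rogue-antispyware.test  ads.rogue-antispyware.test
0.0.0.0 tracker.example.test
192.0.2.10 intranet.example.test
"""

def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to the addresses assigned to it.

    Handles full-line and inline '#' comments, tab/space separation and
    several hostnames on one line, as the Windows hosts file allows.
    """
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)        # skip malformed lines
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table

def is_sinkholed(hostname: str, text: str) -> Optional[str]:
    """Return the blocking address if hostname maps to loopback or 0.0.0.0, else None."""
    table = parse_hosts(text)
    for addr in table.get(hostname.lower().rstrip("."), []):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            return addr
    return None

def load_windows_hosts(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> str:
    """Read the live hosts file (the file may carry a BOM, hence errors='replace')."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()
```

On a real machine, call `is_sinkholed("some.host", load_windows_hosts())`; a non-None result means the hosts file, not DNS, is answering for that name.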
Another red flag, although I didn't need any more, was that search-and-destroy.com seems to be a legitimate site, and he could be hoping people would confuse the two domains.
Several years ago, there was a site whitehouse.com (not whitehouse.gov) which hoped people would type the wrong name and end up at a porn site. I read that once the site owner's kid was old enough to ask daddy what he did for a living, he sold the site to a real estate agency. But when I went there a moment ago it looked like a portal for political news. So they are back to doing dirty business.
The whois results:
Domain ID: D150367400-LROR
Domain Name: SEARCH-AND-DESTROY.ORG
Created On: 13-Dec-2007 21:04:15 UTC
Last Updated On: 09-Oct-2008 14:35:41 UTC
Expiration Date: 13-Dec-2010 21:04:15 UTC
Sponsoring Registrar: GoDaddy.com Inc. (R91-LROR)
Status: CLIENT DELETE PROHIBITED
Status: CLIENT RENEW PROHIBITED
Status: CLIENT TRANSFER PROHIBITED
Status: CLIENT UPDATE PROHIBITED
Registrant ID: GODA-041002158
Registrant Name: - -
Registrant Street1: -
Registrant Street2:
Registrant Street3:
Registrant City: -
Registrant State/Province: -
Registrant Postal Code: -
Registrant Country: CH
Registrant Phone: 41.123
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: thomasbind@gmail.com
Admin Email: thomasbind@gmail.com
Tech ID: GODA-141002158
Tech Email: thomasbind@gmail.com
The articles I found about Thomas and the site: