DC Universe Online targeted by fake Beta key scammers

DC Universe Online is an upcoming MMORPG for Playstation 3 and PC which lets you punish evildoers alongside the likes of Batman, Superman and a large collection of other DC Comics superheroes. As you might imagine, interest levels are high and this is turning into an attractive piece of bait for scammers everywhere.

I mean, one look at the fancypants cinematic trailer and you can see why people are getting excited over it:

As a result, there are numerous Youtube videos (what else!) and blogs popping up promising entry to the Beta test. Here’s just a few from the last day or so, there are many more:

[Image: scams galore]

Almost all of the videos point to the same spamblog, although we’re now seeing the contents of said blog being lifted and used by other scammers (which link to their own downloads, naturally). Here’s a screenshot of a typical video:

[Image: DC scam]

I did consider embedding one of the videos, but as most of them autoplay bad 90s techno or feature some rapper guy singing about his 40 ounce and his bling bling hubcaps I thought the screenshot was the safer option. Anyway, the main spamblog here is dcuniverseonlinebeta(dot)blogspot(dot)com which looks like this:

[Image: DC spamblog]

Due to increased promotion, the site has had 52 visits today with a total of 357 visitors since the site launched – I imagine that number will continue to rise. What they want you to do is download a “DC Universe Online Beta Registration” program, which generates a code to give access to the Beta testing.

If you want to place your bets that this is a fakeout, now is the time to do it.

Hitting the download link takes you to that favourite of scammers everywhere, the multiple survey popup:

[Image: scam popups]

Hand over your personal information to a random third party, and you’ll be able to download this executable:

[Image: it really works, honest]

Oh, the excitement. Fire it up and you’re presented with this admittedly slick looking interface:

[Image: beta generator]

Hitting “Generate Code” gives you a Beta key that is absolutely the most useless Beta key in the history of anything. All the program does is display the same short list of non-random codes over and over again, every time you fire it up. Predictably, this doesn’t help very much when trying to join the Beta.

Cue a lot of soon to be dashed hopes and signing up on the DC Universe Online website:

[Image: DC Beta signup]

“Redeem your code”. Well, if we had a code that actually worked we might get somewhere. As it is, prepare to wave goodbye to your dreams of punching Lex Luthor in the face:

[Image: Code fail]

ADVANTAGE: EVIL.

Anything that takes place after you’ve filled in the survey is just filler – the story ends once you’ve filled in a survey and the scammer has generated affiliate cash. All you’re left with is a (non-infectious) fake application, a bunch of non-working Beta keys and a grumpy Activation Code page telling you off for repeatedly entering fake codes.

You have to admire the chutzpah of one particular scammer who claims to have 10 whole sets of codes for you to download and use. Amazingly (or not) each and every one is protected by a survey.

[Image: you want how many surveys filling in?]

Gee, I wonder if those codes are fake too.

You don’t have to be Batman to work out that random promises of Beta keys involving dubious spamblogs and executables are not going to deliver. Other downloads further down the line could easily be infection files instead of fake code generators, and at the very least you’re giving undeserved cash to people who by rights should be tasting the business end of Superman’s fist.

Up, up and run away…

Christopher Boyd

Microsoft patches .lnk vulnerability

Microsoft has posted an out-of-band patch for the .lnk vulnerability (CVE-2010-2568) that was widely exploited after it was made public two weeks ago. The company announced Friday that the patch would be forthcoming, saying that the Sality malware family, and specifically Sality.AT was actively exploiting the weakness.

Microsoft Security Bulletin MS10-046 here.

“This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

“This security update is rated Critical for all supported editions of Microsoft Windows.”

Microsoft did not provide patches for Windows 2000 and Windows XP SP2, since support has ended for them.

Tom Kelchner

Faith and Redirection

This is the website for the Roman Catholic Diocese of Portland:

[Image: RCDP]

It seems they had a bit of a website break in, because up until yesterday anyone visiting the above page on their website would find something peculiar happening after five seconds of inactivity. This was in the Source Code:

[Image: Port Code]

After five seconds, the end-user would be redirected to Athiests.org:

[Image: Athiesm]

Ouch.

It seems they’ve now cleaned up the tampered page.
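A timed redirect like the one above is easy to miss by eye but simple to check for mechanically. The following Python is an added example (not from the original post, and not the diocese’s actual page source, which is shown only as an image above): it scans a saved HTML page for meta-refresh tags and setTimeout-driven location changes that point off-site, which is how a defender might audit a site after a suspected tampering. The sample HTML, the site host “www.diocese.example” and the target “attacker-site.example” are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a tampered page, modelled on the case above: an injected
# meta refresh and an injected script both send the visitor elsewhere after 5 seconds.
SAMPLE_HTML = """<html><head><title>Diocese</title>
<meta http-equiv="refresh" content="5;url=http://attacker-site.example/">
</head><body>
<p>Welcome</p>
<script>
setTimeout(function(){ window.location.href = "http://attacker-site.example/landing"; }, 5000);
</script>
<script>
// benign: same-site navigation helper, should not be flagged
function go(){ location.href = "/news/index.html"; }
</script>
</body></html>"""

# <meta http-equiv="refresh" content="<seconds>;url=<target>">
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*(\d+)\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)
# setTimeout(<callback>, <milliseconds>) -- non-greedy, so the first comma followed
# by a number and a closing paren ends the callback body (good enough for an audit pass)
SETTIMEOUT = re.compile(r'setTimeout\s*\((.*?),\s*(\d+)\s*\)', re.IGNORECASE | re.DOTALL)
# location = "...", location.href = "...", window.location = "...", etc.
LOCATION_ASSIGN = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)


def _is_external(url, site_host):
    """True if the URL has a host and it is not the site being audited."""
    host = urlparse(url).netloc.lower()
    return bool(host) and host != site_host.lower()


def find_timed_redirects(html, site_host):
    """Return (kind, delay_seconds, target_url) for each off-site timed redirect."""
    findings = []
    for m in META_REFRESH.finditer(html):
        delay, url = int(m.group(1)), m.group(2)
        if _is_external(url, site_host):
            findings.append(("meta-refresh", delay, url))
    for m in SETTIMEOUT.finditer(html):
        body, delay_ms = m.group(1), int(m.group(2))
        for loc in LOCATION_ASSIGN.finditer(body):
            if _is_external(loc.group(1), site_host):
                findings.append(("js-settimeout", delay_ms / 1000, loc.group(1)))
    return findings


if __name__ == "__main__":
    for kind, delay, target in find_timed_redirects(SAMPLE_HTML, "www.diocese.example"):
        print(f"{kind}: redirects to {target} after {delay} s")
```

Run it against the real page source with `open(path).read()` in place of the sample and the site’s own hostname as the second argument; anything it reports for a page that should never leave the site is worth a closer look.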

Christopher Boyd

Not enough Salt in your ClickPotato

Here’s a curious twist on the old “Install Zango to gain access to movies that don’t work” gag – you now install something called “ClickPotato” instead, which is operated by Pinball Corp (you can read about how Zango effectively became Pinball here). For all intents and purposes, it operates in much the same way as the old Zango installs.

1) You think you’re going to watch a new release online – in this case, Salt:

[Image: Clickpotato]

2) A gateway install prompt appears, the only difference being it says “ClickPotato” instead of “Zango”:

[Image: Clickpotato]

Note that it has ShopperReports and QuestDNS pre-ticked, and the text blurb (which I’m assuming was put there by the affiliate operating movie-watching-site(dot)com) says “You must install the movie codec to play movie”. I’m pretty sure ClickPotato isn’t a movie codec.

3) You end up with the ClickPotato program installed on your PC. The About page says this: “In exchange for access to an endless array of popular videos, ClickPotato displays occasional promotional messages based on your Web search and browsing.”

An “endless array”. We’ll come back to that, but first a question: do you think the above website is actually going to show you Salt after having installed ClickPotato?

[Image: Clickpotato]

The answer, of course, is “no”. In case you were wondering – and I know you are – all of the supposed movies on that site display a similar error.

All in all, my first exposure to ClickPotato hasn’t gone as well as it could have.

Shall we take a look at the “endless array” of movies on the ClickPotato homepage, accessible from the ClickPotato application?

[Image: Clickpotato]

There’s a list of programs from A to Z that you can watch. However, clicking into the various listings is a little surreal because almost everything I looked at was a link to material on sites such as Megavideo, Veoh and sina(dot)com(dot)cn that probably shouldn’t have been there.

For example, here’s a typical set of links from the South Park page:

[Image: Clickpotato11]

This is what you see if you click the very first link:

[Image: south park gone]

“This video has been removed due to infringement”.

Whoops.

Whenever you click on a program / movie link, they’ll present you with the following before sending you to Megavideo or wherever:

[Image: leaving]

“on a site outside of ClickPotato”.

It seems they’re distancing themselves from the many instances of pirated content hosted elsewhere yet linked to from the main site, especially as the Terms of Use state they’re not responsible for “the quality, content, nature or reliability of Sites accessible by hyperlink from this Site”.

All in all, this isn’t a hot potato. Going by past experience with websites that want to install adware in return for “free movies”, I’d advise you not to bother – you’ll either end up watching camcorder footage shot in the local theatre, a blurry mess hosted in China or a thought provoking error message that the critics are calling “The feelbad movie of the year”!

Not coming soon to a cinema near you…

Christopher Boyd

Microsoft will do out-of-band patch for .lnk vulnerability

On Monday

Microsoft has announced that it will make public an out-of-band patch to fix the high-profile .lnk file vulnerability (CVE-2010-2568).

Holly Stewart, MMPC, wrote today: “As mentioned earlier this month, the Microsoft Malware Protection Center (MMPC), along with other Microsoft Active Protection Program partners, have been keeping a close watch on the use of .LNK files exploiting this vulnerability. As with many new attack techniques, copycat attackers can act quickly to integrate new techniques. Although there have been multiple families that have picked up this vector, one in particular caught our attention this week – a family named Sality, and specifically Sality.AT.”

Technet blog piece here.

Microsoft’s July 16 advisory here.

Tom Kelchner

That fun little quiz might cost you $9.99 per month

Patrick Jordan, our researcher who seems to live in places on the Internet where NOBODY should go, has begun to notice a trend. Billing through cell phone accounts is a growing vector for social engineers.

Beware of any online contest, quiz or survey that asks for your cell phone number.

[Image: Quiz_1]

After you take the quiz, you see: “Enter your cell number to get your test results.”

[Image: Quiz_2]

You put in your cell phone number. They send you the PIN number to see your results via text message and they also enter your “Amazing Facts” subscription for $9.99 per month. The “Amazing Facts” subscription text isn’t in bold face type, which could cause a casual reader to ignore it in his or her burning haste to see the test results.

Simple? Yes. Dishonest? Well, let’s just say it is certainly aimed at those who don’t read the fine print.

In many cases, there is ample warning in the “terms of use” for what you’re signing up for. Here’s an example from the above page (emphasis ours):

“Summary terms: This is an auto renewing subscription service that will continue until canceled anytime by texting STOP to short code 70438. Available to users over 18 for $9.99 per month charged on your wireless account or deducted from your prepaid balance for 2 clues & 1 quiz per week on T-Mobile, AT&T, Sprint, Nextel, Virgin Mobile USA, U.S. Cellular, Cellular One, Cincinnati Bell, Centennial Wireless, and Unicel.”

Patrick also pointed out another ugly possibility here. Someone who knows your cell phone number could sign you up. Your recourse is to cancel the subscription once you notice it, which will be when you get your next cell phone bill, assuming you actually read your cell phone bill (you’d better start if you don’t.)

If you don’t notice it immediately, the “Amazing Facts” folks might give you some push back since they list 30 days as the limit for getting your money back:

“Call for your money back within first 30 days of service if you are not satisfied.”

So, if you start getting text messages full of “Amazing Facts” other than those that your friends send – check your cell phone bill.

Thanks Patrick

Tom Kelchner

Shield EC – a rogue security product that tries PR

Ok. Just because they put out a news release, doesn’t make them legitimate.

Our good friends over at PhishLabs drew our attention to this one: a rogue security product called Shield EC that is using mainstream public relations techniques to make themselves look legitimate.

The operators behind it apparently are setting up shop in hopes that they’ll be around for a while:

— They’re pushing the rogue to potential victims through earning4u.com (formerly IframeDollars.biz) – the notorious Russian malware-spreading affiliate network.
— They’re delivering the actual malcode through a fast-flux network (not easy to take down).
— They’ve also put up a “company” web page and published a news release (in order to fool victims into thinking they are a legitimate software company):

[Image: Shield EC NR_2]

The bogus press release, which tries to describe Shield EC as a legitimate product includes this nugget of dishonest Engrish gobbledygook:

“The major achievements of the company count a joint development with ZeuS Tracker of a unique antivirus Shield EC, targeted at fighting banking Zbot (ZeuS) trojan.” (http://www.free-press-release.com/news-new-antivirus-will-beat-zeus-1277387316.html)

[Image: Shield EC logo]

Other interesting (read suspicious) aspects of their web site (registered in Cyprus June 25):

“Company Overview

“Martindale Enterprises Limited Company…”

Hmmm. There’s no company with that name on the Web. They also claim “ShieldEC Antivirus is used by more than 400,000 users worldwide on a daily basis.”

“Our team

“Martindale Enterprises Limited employs over 50 professionals of divert (sic) experience…” (http://www.shieldec.com/team.php)

Their “divert” experience apparently doesn’t include writing standard English.

[Image: Company spokesperson Kseniya Vasilyeva]

We also tried to find some kind of public profile for “Kseniya Vasilyeva, the spokesperson for Martindale Enterprises Limited…”

People with that name that we found are:
— a Russian woman with a Facebook profile that indicates she’s interested in needle crafts and old cars.
— someone whose Linked-In profile says she’s an “LLP for HP” in Kazakhstan. “LLP” usually stands for “Limited Liability Partnership.”
— someone whose Linked-In profile says she’s an account executive at SMART Marketing Ukraine. (That kind of fits.)
— the murdered mother of a vampire who’s been undead since 1797. (Probably not her.)

Thanks Adam and the folks at PhishLabs.

Tom Kelchner

Jack TV gets jacked

Jack.tv is a cable TV network in the Philippines. It seems someone has been doing their best to change the channel:

[Image: Jack TV deface]

They haven’t tampered with the frontpage of the site – they’ve placed the above splash elsewhere, presumably to keep the hack alive for as long as possible. We’ve reported the defacement, but it is still live at time of writing. Although there doesn’t appear to be any malicious files or code anywhere, we wouldn’t advise visiting jacktv(dot)com(dot)ph until they’ve fixed the problem.

Christopher Boyd

Sunbelt Worldwide Threat Level raised to high

Sunbelt Software is raising its Worldwide Threat Level to “high” in light of unpatched vulnerabilities in three widely-used applications or systems and the Defcon and Black Hat conferences in Las Vegas this week.

[Image: Threat level]

Internet users should:
— be sure anti-virus applications are updated and functional
— avoid opening attachments in spam emails or clicking on links in spam messages.
— be cautious opening attachments or following links in email messages from friends
— be especially cautious in web browsing if they use QuickTime Player,
— be alert for updates that are expected soon to fix serious vulnerabilities in QuickTime Player, Microsoft Windows and Cisco Industrial Ethernet 3000 series routers.

Botnet exploits have been reported for a vulnerability (CVE-2010-2568) in Microsoft Windows that allows an intruder to present a victim with a specially crafted shortcut (LNK file) that could enable the execution of arbitrary code with the privileges of the user. Also, with a certain AutoRun/AutoPlay configuration, exploitation could occur without any interaction from the user. (Microsoft Security Bulletin with workaround here: http://www.microsoft.com/technet/security/advisory/2286198.mspx)

Secunia is warning of a buffer overflow vulnerability in QuickTime Player that could enable a malicious web page to execute arbitrary code. No fix is available. (Advisory SA40729: http://secunia.com/advisories/40729/)

Cisco has issued a security advisory warning of a vulnerability in hard-coded SNMP community names in its Industrial Ethernet 3000 series switches. A fix isn’t expected until August, although workarounds are available. (Cisco bulletin here: http://www.cisco.com/warp/public/707/cisco-sa-20100707-snmp.shtml).

In addition to the above high-profile vulnerabilities, the Black Hat and Defcon security conferences are going on this week in Las Vegas. Black Hat is running yesterday and today and Defcon runs Friday through Sunday. The presentations at the two are of high interest worldwide to hackers and malicious code writers. CNet News Security blog carries good daily coverage here: http://news.cnet.com/8301-1009_3-20011938-83.html

Sunbelt’s Worldwide Threat Level with a brief description of current threats is available here.

Tom Kelchner

Facebook typo squatting

“Facebooik.com” – not good

A domain registered in a tiny town in Georgia is presenting fumble-fingered Facebook fans with a few fun-filled hours of diversion:

[Image: Typosquatting page]

It’s one of those interminable contest sites we’ve all come to know and love.

[Image: RegistrationPage]

If you actually spend the 45 minutes it takes to click through this monster and sign up for everything that’s offered, your cell phone will probably be billed an amount close to the gross national product of a small third-world country.

An outfit named “Freebie Promos” owns the site and it’s been around since 2006.

[Image: Whois]

That address in Austell, Ga., on Google Maps Street View, appears to be an intersection in a VERY rural little whistle-stop community.

[Image: Austell_Georgia]

Watch your typing.

Tom Kelchner

Mariposa bot creator arrested in Slovenia

The Register is reporting that police in Slovenia have arrested a 23-year-old man, who went by the handle Iserdo, and charged him with writing and selling the code that has been used to create the Mariposa botnet.

Iserdo and two other suspects were taken into custody in Maribor, Slovenia, two weeks ago in the wake of an investigation by the FBI, Spanish Guardia Civil and Slovenian police, officials said.

The Mariposa bot crime kit, which was sold for $500-$1,300 on underground sites, was used by operators to create the botnet of 12-million computers used to steal banking credentials as well as other online crime.

The authorities have taken down Iserdo’s web site as well as the main Mariposa command-and-control servers.

Story here: “Mariposa mastermind arrested in Slovenia”

In March, the Guardia Civil in Spain arrested three people in connection with the Mariposa botnet as part of an investigation that began in 2009.

Sunbelt Blog story here: “Spain arrests three, shuts down Mariposa botnet”

Tom Kelchner