[Emerging-Sigs] blink.com

Matt Jonkman jonkman at jonkmans.com
Mon Jan 12 10:15:36 EST 2009

The sigs are written not necessarily for the exact spyware site, but for
the package. Sorry there's no reference there, many of them haven't much
when we write the sigs.

I remember this one, we've seen the same code/server communication
method used in at least 20 other spyware setups. They change the lure
from free screensavers to flash games, free mp3's, whatever. Now we're
in the days of fake search engines. The domains change of course but the
code and method of communication stays the same.

Seekeen.com is definitely bad news.

You definitely have infections.


James McQuaid wrote:
> In the past, blink.com was responsible for desktop pop up ads, and an
> Internet Explorer toolbar that delivered ads.
> James
>> From: Russell Fulton <r.fulton at auckland.ac.nz>
>> Subject: [Emerging-Sigs] ET TROJAN Blink.com related Backdoor Checkin
>> To: Emerging Threats Signatures <emerging-sigs at emergingthreats.net>
>> Message-ID: <D9FE37F4-B9AE-4E2C-A57C-E812F8B76799 at auckland.ac.nz>
>> Content-Type: text/plain; charset="us-ascii"
>> I have a few machines triggering this rule and I am trying to find out
>> just what sort of threat this is.  It would seem that Blink.com is
>> some sort of "enhanced web search" facility but I can't find anything
>> that indicates that there are any threats related to it.
>> No references in the sig either...
>> Here is what I'm seeing:
>> GET /?vn=65562&partner=seekeen&ptag=SeeFreez&cid=55788f374f1
>> 84260b143cd7cd7135f00&initial_install=1&b=Seekeen&se=1&au=1&
>> am=0&pver=1&retries=0 HTTP/1.0..User-Agent: Mozilla/4.0 (com
>> patible; MSIE 7.0; Windows NT 6.0)..Host: upgrade.seekeen.co
>> m..Pragma: no-cache....
>> Russell

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
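
The reply above notes that the domains change while the code and method of communication stay the same; a matcher can follow that by ignoring the Host header and keying on the check-in's query parameter names. This is an added example, not part of the thread and not the Emerging Threats signature: the parameter fingerprint, the 0.8 threshold, the function names and the `example.test` requests are assumptions, and the quoted capture is rejoined with its `..` taken to be CRLF.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names from the request quoted in the thread. Using this set as the
# package fingerprint is an assumption of this example, not the ET rule.
CHECKIN_PARAMS = {"vn", "partner", "ptag", "cid", "initial_install",
                  "b", "se", "au", "am", "pver", "retries"}

# Capture from the thread, line wraps removed, ".." assumed to be CRLF.
THREAD_REQUEST = (
    "GET /?vn=65562&partner=seekeen&ptag=SeeFreez"
    "&cid=55788f374f184260b143cd7cd7135f00&initial_install=1&b=Seekeen"
    "&se=1&au=1&am=0&pver=1&retries=0 HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n"
    "Host: upgrade.seekeen.com\r\nPragma: no-cache\r\n\r\n")
# Constructed: same parameter layout under a different lure and domain.
REBRANDED = (
    "GET /?vn=70001&partner=examplebrand&ptag=ExTag&cid=0000&initial_install=0"
    "&b=Example&se=1&au=1&am=0&pver=2&retries=1 HTTP/1.0\r\n"
    "Host: upgrade.example.test\r\n\r\n")
# Constructed: ordinary search request that shares one parameter name.
BENIGN = ("GET /search?q=free+screensavers&b=1 HTTP/1.1\r\n"
          "Host: www.example.test\r\n\r\n")

def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def checkin_score(raw):
    """Fraction of fingerprint parameters present; the Host is never used."""
    try:
        method, target, _headers = parse_request(raw)
    except ValueError:
        return 0.0  # malformed request line
    if method != "GET":
        return 0.0
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return len(CHECKIN_PARAMS & set(query)) / len(CHECKIN_PARAMS)

def is_checkin(raw, threshold=0.8):
    """True when most of the fingerprint is present, whatever the domain."""
    return checkin_score(raw) >= threshold
```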
