14
Nov 12

Infamous Hacker Heading Chinese Antivirus Firm?

facebooktwittergoogle_plusredditpinterestlinkedinmail

What does a young Chinese hacker do once he’s achieved legendary status for developing Microsoft Office zero-day exploits and using them to hoover up piles of sensitive data from U.S. Defense Department contractors? Would you believe: Start an antivirus firm?

That appears to be what’s happened at Anvisoft, a Chinese antivirus startup that is being somewhat cagey about its origins and leadership. I stumbled across a discussion on the informative Malwarebytes user forum, in which forum regulars were scratching their heads over whether this was a legitimate antivirus vendor. Anvisoft had already been whitelisted by several other antivirus and security products (including Comodo), but the discussion thread on Malwarebytes about who was running this company was inconclusive, prompting me to dig deeper.

I turned to Anvisoft’s own user forum, and found that I wasn’t the only one hungry for answers. This guy asked a similar question back in April 2012, and was answered by an Anvisoft staff member named “Ivy,” who said Anvisoft was “a new company with no past records, and we located in Canada.” Follow-up questions to the Anvisoft forum admins about the names of company executives produced this response, again from Ivy:

“The person who runs anvisoft company is not worth mentioning because he is unknown to you.  Yes, the company is located at Canada. 5334 Yonge Street, Suite 141, Toronto, Ontario M2N 6V1, Canada.”

A quick review of the Web site registration records for anvisoft.com indicated the company was located in Freemont, Calif. And a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu, a city in the Sichuan Province of China.

Urged on by these apparent inconsistencies, I decided to take a look back at the site’s original WHOIS records, using the historical WHOIS database maintained by domaintools.com. For many months, the domain’s registration records were hidden behind paid WHOIS record privacy protection services. But in late November 2011 — just prior to Anvisoft’s official launch — that WHOIS privacy veil was briefly lowered, revealing this record:

Registrant:
   wth rose
   Moor Building  ST Fremont. U.S.A
   Fremont, California 94538
   United States
Administrative Contact:
      rose, wth  wthrose@gmail.com
      Moor Building  ST Fremont. U.S.A
      Fremont, California 94538
      United States
      (510) 783-9288

A few days later, the “wth rose” registrant name was replaced with “Anvisoft Technology,” and the wthrose@gmail.com address usurped by “anvisoftceo@gmail.com” (emails to both addresses went unanswered). But this only made me more curious, so I had a look at the Web server where anvisoft.com is hosted.

The current Internet address of anvisoft.com is 184.173.181.194, and a reverse DNS lookup on this IP address tells me that there are at least three other domain names hosted at this address: nxee.com, oyeah.com, and coversite.com. The latter forwards to a domain parking service and its WHOIS information is shielded.

But both oyeah.com and nxee.com also were originally registered to wth rose and wthrose@gmail.com. And their WHOIS records history went back even further, revealing a more fascinating detail: Prior to being updated with Anvisoft’s corporate information, they also were registered to a user named “tandailin” in Gaoxingu, China, with the email address tandailin@163.com.

Image: iDefense

When I saw that record, I was instantly reminded of an infamous Chinese hacker who went by the name Wicked Rose (a.k.a. “Withered Rose“). In 2007, Verisign’s iDefense released a report (PDF) on Rose’s hacking exploits, which detailed his alleged role as the leader of a state-sponsored, four-man hacking team called NCPH (short for Network Crack Program Hacker).  According to iDefense, in 2006 the group was responsible for crafting a rootkit that took advantage of a zero-day vulnerability in Microsoft Word, and was used in attacks on “a large DoD entity” within the USA.

“Wicked Rose and the NCPH hacking group are implicated in multiple Office based attacks over a two year period,” the report stated.

iDefense analysts also include a section with pictures of Wicked Rose, explaining that Rose’s real name is Tan Dailin, and that he is a now-28-year-old who cut his teeth at the Sichuan University of Science and Engineering in Zigong, a city in the Sichuan Province of China.

The report said that at the time, Rose administered his hacking team’s Web site at ncph.net, and ran his own personal blog at mghacker.com. According to historic WHOIS records, the email address used to register mghacker.com was  tandailin@163.com, the same email address in the historic WHOIS records for Anvisoft’s online properties.

Some more tantalizing clues: According to iDefense, one of Dailin’s buddies in NCPH — a hacker nicknamed “Rodag” — also ran his own blog. Rodag appears to still be blogging there, so I had Google Translate show me his latest postings: Turns out, earlier this year Rodag urged readers to download and install Anvisoft Smart Defender, calling it a “security aid from abroad” that offers “superior performance” and is “very simple and beautiful.”

Until recently, another site registered to tandailin@163.com — the now-defunct ww4g.com — featured on its home page a long review of Anvisoft, explaining to readers “why you need a good antivirus.”

This may all be a strange coincidence or hoax. Anvisoft may in fact be a legitimate company, with a legitimate product; and for all I know, it is. But until it starts to answer some basic questions about who’s running the company, this firm is going to have a tough time gaining any kind of credibility or market share.

Tags: , , , , , , , , , , , , , , , , ,

71 comments

  1. Thanks for this info on Anvisoft. I saw a browser repair tool from there recommended in one of my TechRepublic e-letters. Think I’ll stay away from this.
    Thanks again for all the good info.

    • The funny part about this story is the six-degrees-of-separation aspect (or perhaps the Wheel of Life metaphor is more apt here). For instance, another guy mentioned in the iDefense report is a hacker that was related to NCPH, a hacker who used the handle “WHG,” says the rootkits that the group was responsible for writing were informed by work from Lion, another legendary Chinese hacker.

      Lion got famous in 2001 when he unleashed the Lion Worm, which infected my entire home network and ultimately was what got me interested in security. See: http://krebsonsecurity.com/about/

  2. Really enjoyed reading this piece, Brian.

    The next question that comes to my mind: is it a Trojan Horse? I wonder if any users have been profiling what it does or looking for unusual PC/network behavior with it being installed. Of course, with all the so-called APT’s going around, the trojaned software can also be more subtle: they only use it when they need to & it acts benign otherwise.

    Call me paranoid, but this was a standard part of the games hackers played when I was into all of it. Add a country known for espionage and you wouldn’t see me buying it anytime soon.

  3. I suppose it’s better than using his skills to create more mayhem. I’ve had a virus 3 times this year not happy – had to do a windows restore point etc

  4. Interesting. They are sitting on an IP owned by The Planet, of Dallas Tx.

    Here are some of the domains sitting on that IP via pDNS

    nxee.com
    http://www.nxee.com
    mail.nxee.com
    forums.nxee.com
    oyeah.com
    http://www.oyeah.com
    anvisoft.com
    http://www.anvisoft.com
    blog.anvisoft.com
    cloud.anvisoft.com
    design.anvisoft.com
    forums.anvisoft.com
    download.anvisoft.com
    facebookcovers.anvisoft.com
    http://www.coverssite.com

  5. That actually makes sense – if only we could trust them! – NOT!

  6. While you’re at it – please also look into who bought out Lavasoft last January(I believe that is when it was). “The Register” seems to feel they are pretty shady too! I’ve reluctantly had to quit recommending them to my clients.

  7. Good information. Too many people accept these AV vendors at face value. The consequences for unsuspecting people and companies who fall for this type of sham have been painful.
    Once again good reporting!

  8. “The person who runs anvisoft company is not worth mentioning because he is unknown to you. Yes, the company is located at Canada. 5334 Yonge Street, Suite 141, Toronto, Ontario M2N 6V1, Canada.” Amazing, that one comment alone is enough to trigger an investigation. Here is what Norton Safe Web has to say: http://safeweb.norton.com/report/show?url=www.anvisoft.com . Norton found two threats.

  9. For what it’s worth, that address appears to be a rented mail box located in a part of town with a large Chinese population.

    Many of them are first generation immigrants with ties back home, so it seems quite plausible that the mailbox was rented by a friend or relative of someone still living in China.

  10. Christopher Davis from thesecuredomain.org just shared the following data points, which shows a bunch of other very interesting domains that trace back to wthrose@gmail.com and tandailin@163.com

    query_string: “tandailin@163.com”,
    query_type: “email”,
    response:
    [
    {
    description: "Malware - Registering or Supporting the distro or control of malware APT or botnet code",
    type: "Description",
    email: "tandailin@163.com",
    cat: 1
    },
    {
    update_date: "10-may-2012",
    domain: "everremote.com",
    registrar: "XIAMEN ENAME NETWORK TECHNOLOGY CORPORATION LIMITED DBA ENAME CORP",
    name_servers: null,
    type: "whois",
    email: "tandailin@163.com"
    },
    {
    update_date: "10-may-2012",
    domain: "everadmin.com",
    registrar: "XIAMEN ENAME NETWORK TECHNOLOGY CORPORATION LIMITED DBA ENAME CORP",
    name_servers: null,
    type: "whois",
    email: "tandailin@163.com"
    }
    ]

    }

    query_string: “wthrose@gmail.com”,
    query_type: “email”,
    response:
    [
    {
    update_date: “21-sep-2012″,
    domain: “freenewwall.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “21-sep-2012″,
    domain: “freesoftwall.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “21-sep-2012″,
    domain: “freeioswall.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “21-sep-2012″,
    domain: “appopenwall.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “21-sep-2012″,
    domain: “iosopenwall.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “21-sep-2012″,
    domain: “softopenwall.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “16-sep-2012″,
    domain: “connectnotes.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “14-sep-2012″,
    domain: “coverssite.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “10-sep-2012″,
    domain: “anvicloud.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS21.DOMAINCONTROL.COM|NS22.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “05-jul-2012″,
    domain: “windows-update-download.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS09.DOMAINCONTROL.COM|NS10.DOMAINCONTROL.COM|”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-Mar-2012 08:04:26 UTC”,
    domain: “advancedsystemcare.org”,
    registrar: “GoDaddy.com LLC (R91-LROR)”,
    name_servers: null,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “game-booster.net”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “best-free-antivirus.net”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “adware-removal-tools.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “anti-rogue.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “advancedprogramcare.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “games-booster.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “extrasystemcare.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “how-to-speed-up-pc.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “virusremovetools.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    },
    {
    update_date: “19-mar-2012″,
    domain: “windows-optimizers.com”,
    registrar: “GODADDY.COM LLC”,
    name_servers: “NS61.DOMAINCONTROL.COM|NS62.DOMAINCONTROL.COM”,
    type: “whois”,
    email: “wthrose@gmail.com”
    }

  11. Thank you for the list, added them to my blacklist.

  12. Maybe the av software would be updated later with malware. Maybe with a dedicated update for a special customers. If they collect reports including all the local files scanned, they can siently attack a customer and catch these files. Later they remove the malware with a new special update. … and nobody knows…

  13. Reviews and awards on its page are falsely linked, and it is not Verisign signed.

    Pretty odd. I’ve ALWAYS had a bad feeling about Anvisoft. I have not recommended any products from them, partnered with them, etc.

    On their forums, they don’t seem to answer user’s requests, or have any qualified expertise. Instead, they talk around the user’s questions, by linking them to different products of theirs or just not answering the question.

    I wouldn’t be surprised if their support team was outsourced, low-ended, or non-existent.

    This seems like a wolf-in-sheep’s-clothing, or tactical, ploy by a hacker to raise more money.

    For those who’ve read Blackhat World and other blackhat SEO forums, you’d see some of these blackhat tricks to gain a ton of money at one time. They don’t always do secret operations.

    Other companies, like Fiverr (for example), allow such guerrilla marketing campaigns (I suspect secretly or they just don’t care), such as 10,000 Facebook likes, etc. for just $5. They end up making tons of “gigs” for it. They would be worth investigating as well.

    Some other antivirus companies that have been under scrutiny, like Rising Antivirus, etc. are worth further investigation as well.

  14. My first thought was — cool they can ignore many of the file format attacks that they use. But then I realized that none of the other AV vendors catch them too.. so while the company origins might be sketchy (I live in Fremont and the physical address doesn’t seem to be legit) and the product is probably backdoored or otherwise evil but is it really any different that the other garbage that is sold as protection these days?

    • Assuming that anvisoft is “backdoored or otherwise evil…” comparing it to other legitimate but poorly made AV products is like saying “Is letting criminals run through my house taking whatever they want any different than buying a crappy lock or terrible alarm system”. I’d say it is different, a lot different.

  15. One thing for sure, this is a way interesting article and discussion. Many thanks to Brian and our participants here!!!

  16. your post make me crazy!

  17. Luv your posts, there are not many folks who can dig through like you.

  18. It boils down to this: the software could be legitimate and a case of hilarious irony or — more likely — someone attempting to use unsuspecting consumers looking for a mediocre free antivirus software to backdoor them. The forum and non-existent support, as pointed out by Jay Pfoutz, certainly don’t bode well.

  19. Very good investigation Brian…….keep up the good work! The comments on this post are very helpful. My hunch is this company is hoping many unsuspecting individuals will install their program so that maybe later on they can release zero-day exploits and low and behold, the antivirus will not blacklist their creations.

  20. I don’t find Anvisoft in Microsoft’s list of AV partners, but after reading the above I’m not profoundly shocked.

  21. just as a point of interest, it’s not unheard of for malware creators to try to make a transition into anti-malware.

    in what now might be considered antiquity, stormbringer aka mike ellison hoped (in vain) that he could persuade AV vendors to give him a chance.

    then there was benny aka marek strihavka who was hired by zoner software to create zoner anti-virus.

    more recently, raid aka dustin cook started making his own free anti-malware tool called bughunter and after updating and supporting that for a few years apparently got hired by MBAM.

    • Very interesting Kurt; and very prescient!

      I seem to remember a court case where the company that makes MBAM was suing iObit for stealing their source code. I’ve never trusted iObit since the Chinese bought them out either. I’ve had too many attacks on my perimeter UTM appliance over the years; and seen too much misery from my clients in attempts(some of them successful in putting them out of business) to rob them of their IP to trust any organization that is headed by a former cracker.

      It would take many years of being a trusted solution, with critical oversight, of some kind, for such an organization to become another Symantec, Sophos, or Alwil.

      Trust is everything.

  22. Wouldn’t be the frst time a well-known hacker ahs started a business.

    Without commenting on the usefulness, quality or trustworthiness of any party or software:

    Millions of people blindly trust TrueCrypt and there is NO info to be had on its owners or developers other than a single name to whom the domain is registered, and which appears to be an administrative contact only.

    So likely there will be those who trust products from this company if they appear to work as advertised.

    • At least we can look at the TrueCrypt source code.

      • So you compiled it yourself from source code? No, you didn’t, because it’s a pain in the butt. So you trust the binary. Why? Congratulations, you’re pwned.

        • Probability disagrees. It’s easy to pretend any possible threat is being acted upon. It’s much harder to determine which risks are best to worry about and what to do with them. Although far from guaranteed, it’s quite unlikely that the TrueCrypt binaries will “pown” you. There’s too much risk for that group. They’d be better off putting in some “bug” that weakened the cryptography and looked like a design/coding error. See the Obfuscated C contest for examples of that kind of thing.

          • When I say you’re pwned, I mean the key to your TrueCrypt container file is stored twice in the header, once encrypted with the key derived from your passphrase, and once with a key hardcoded into the TrueCrypt application. No great risk to the TrueCrypt developers, as the code is well obfuscated in the binary, and the back door is used rarely and by only one intelligence agency.

            • “When I say you’re pwned, I mean the key to your TrueCrypt container file is stored twice in the header, once encrypted with the key derived from your passphrase, and once with a key hardcoded into the TrueCrypt application. No great risk to the TrueCrypt developers, as the code is well obfuscated in the binary, and the back door is used rarely and by only one intelligence agency.”

              “…once with a key hardcoded into the truecrypt application…”

              Do you have any evidence of this? The TrueCrypt documentation indicates they combine your password, a large salt, & an optional keyfile cryptographically via PBKDF2 to generate key material. The generated key material is used for header encryption/decryption. No hardcoded keys are mentioned.

              http://www.truecrypt.org/docs/?s=volume-format-specification

              So I call FUD till you present solid evidence of a subversion, such as specific part of source.

    • IsIb beat me to it. TrueCrypt’s source code is available. It also runs on platforms like Linux where people are more likely to play with the source. Experts have also reviewed TrueCrypt to varying degrees. Finally, reports of TrueCrypt doing sneaky things have yet to be on the news.

      So, I wouldn’t say people “blindly trust” TrueCrypt. Probability is on their side & playing the odds is usually a good thing.

    • Yeah – It’s kinda hard to mistrust something you can look at with your own eyes and obviously see no malicious intent. But it never hurts to do a check-sum on the download, just to make sure something “independent” didn’t come in with the package.

      • That will stop a blind subversion. However, where did you get that checksum value? A web page served outside of SSL/TLS along a route of unknown intermediaries?

        My strategy for dealing with this is to fetch such pages from several different proxies (or at least from local WiFi hotspot). I also try to keep timestamped copies of third party public keys and checksums. This helps spot both untalented subversion or subversions in the making.

        • Good reminder Nick! And I agree. I see check-sums displayed with many of the sites that have solutions for download, and you are right, they don’t use SSL. This is the reason I usually simply order the disc/USB stick for such applications/utilities as factory burned, and usually only pay a nominal sum for shipping and handling. Many especially in the FOSS community use the little money they make over head, to fund the improvements in open source, or other software.

          So I feel we both benefit a little by going this route. My problem with check-sums, is they rarely check out as safe. I’ve tried several utilities for calculation them, and I always get the same results(bad). So I haven’t used such downloads in years now.

  23. A German YouTube video based on this article:
    AV-Hersteller ein Ex-Hacker?
    http://www.youtube.com/watch?v=HOjEAIfBo9E
    Published on Nov 17, 2012 by SemperVideo
    In diesem Video nur ein Hinweis auf einen Blogeintrag von Brian Krebs.

  24. sup bk

    whrose=white hat rose :)

  25. also

    his whrose@gmail.com alternate email is

    whrose@t•••••••.••

    cannot think of domain extension that end with that.. possible .ca, .hk, .jp ?

    • As someone in China, I’d wager “.cn”

      It’s definitely not .jp, which is Japan, since most Chinese have a low opinion of or open contempt for Japanese.
      Similarly, mainlanders have a hassle accessing stuff in HK (since an HK company is just as likely as a UK one to ban a range of IP addresses from China), so I’d rule this one out as well.

  26. Man it isnt white hat rose,

    name on his Gmail reverses to

    whrose@gmail.com > Wolter Rose

  27. I just noticed that thanks bk :)

    His G-mail is tied to a 10-digit phone# ending in 00. most likely guy is in united states and/or canada.

    Password help for wThrose

    Get a verification code (via SMS) on my phone: ••• •••• ••00

  28. I would like to ask,you so slander pounds a small company, hackers can not do security, what is your purpose?

  29. Exceptional report.

    As someone who lives in China, I’m curious as to why these gov’t sanctioned hackers don’t attract more attention.
    Given the gov’t's monopoly on technology e.g. DNS hijinks and the Great Firewall, and lack of individual protections/anonymity, the Chinese gov’t could go after these hackers (it’s gone after Chinese dissidents via Yahoo, for instance).
    With luck, reports like the one above will draw shine more light on the Chinese gov’t's tacit endorsement of hacking efforts directed abroad.
    Indeed, the Chinese gov’t has given these hackers a pass (a letter of marque, if you will) to harass and steal from foreign firms and gov’ts, so these hackers are nothing more than digital privateers.

  30. Good investigating Brian.

    Quick question though: are you using domaintools.com’s paid services? I would love to look at their historical records but I can’t really afford the fees they charge. For access to all of their services via API, it’s literally $450 a month plus fees for each query, which I find absurd. A shame too, since it has tons of great information.

    • Thanks, Pyotr. Yes, I am using their paid services. Frankly, it’s one of the reasons I’m always so happy when someone makes a donation, because while the service is probably something I rely on every day, it’s close to $500 per year!

      • I recommend (as an alternative to domaintools.com) viewdns.info, which (aside from being free) has whois, reverse ip, dnssec, port scanner, traceroute, and iranian and chinese firewall testing, just to name a few. Frankly in my opinion it’s better than domaintools.