Cleanator.com has been mentioned on this blog before. It shares an IP address with the now infamous macsweeper.com (and a I note a new entry according to Robtex.com, kavianltd.net.

The advertisement and malicious redirect have been reported to the appropriate parties. Bear in mind that with only a screenshot it will take a while to identify the malicious advertisement.

I received an email tonight warning me that a Diane Samuels from forceup.com is contacting web sites wanting to place an advertising banner. I was contacted by those behind a web site with checks in place that identified the advertising banner as "a virus of some sort".

The creative's name was firstchoise_728x90.swf.

"Diane Samuels" did not respond to emails from the web site's staff once they discovered that the advertisement was bad - a failure to respond is standard operating procedure for the b*stards behind the malicious advertisements - if they get caught by one web site, they just move on to the next one.

Forceup.com is a well known name to those of us who watch and report on malicious banner advertisements - if you search this blog for that name you will find that forceup is mentioned nine times.

Just like Skyauction, Emusic and QPAD before them, Firstchoice have advised that they have nothing to do with the malicious advertisements featuring their company.

I quote the contents of an email from Firstchoice to the web site that supplied the copy of the malicious advertisement from Forceup to me for analysis:

Interesting. We see the following code (URLs deliberately broken):

Variable _level0.url = "openadstream.net/ad0.php?url=http://ad.doubleclick.net/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043"
Variable _level0.P = "iexplorer-security.org/?id=463400043"

iexplorer-security.org has hidden some information behind Privacy Protect, but we can find out some things.

First, iexplorer-security.org is hosted by Masterhost in Russia. Second, its nameservers are provided by the infamous eshosst.com (aka estdomains) - the list of malicious/fraudulent domains associated with Estdomains is staggering.

I'll need to get in touch with Doubleclick about their appearance in a variable

Oxfam does fantastic work - in fact several people received "Oxfam Unwrapped" gift cards from me for Christmas (donations on their behalf) - and it makes me FURIOUS to see Oxfam's good name taken advantage of, and a malicious advertisement featuring their name used as a conduit to fraudware.

I received a sample SWF today, an advertisement touting Oxfam - screenshots below.

An examination of the internal code reveals:

hxxp://www.errorsafe.com/pages/scanner/ ... &ax=1&ed=2, __self.str, _root.c4.color(14688422)

which redirects to:

errorsafe.com/download/2007/index.php

Y'know, I already do all I can to track down, and shut down, the bastards behind malicious banner advertisements. I promise you this, if there is one thing that the criminals can do to make me even more determined to chase them to the ends of the earth, it is to do something like impersonating Oxfam.

Well, I said I would get in touch with Doubleclick - their response was interesting - I quote:

"it's to confuse people... look you get the same results:

openadstream.net/ad0.php?url=http://www.google.com/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043

openadstream.net/ad0.php?url=http://www.microsoft.com/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043"

The original URL I provided was:

openadstream.net/ad0.php?url=http://ad.doubleclick.net/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043

Each of those URL renders the same result - a plain white white page with the text "stats=917174773"

Oh, and guess who supplies the name servers for openadstream.net - yep, you guessed it - estboxes.com aka estdomains - a domain that has already been mentioned once in my blog today.

We've been watching a new behaviour recently as revealed by some SWF featured on this blog (the Curves SWF and the My Jewelry Box SWF come to mind).

We understand more about what is going on now. The two SWF mentioned both used a domain that had not appeared on this blog before, being iexplorer-security.org.

The two malicious URL, iexplorer-security.org/?id=463400043 and iexplorer-security.org/?id=373400052, were both dormant at time of writing so I was unsure as to what was going on. But now, an active campaign has been identified and we know how things work.

Basically, a malicious iexplorer.security.org campaign will redirect to Google while it remains dormant, but once activated things get interesting.

The redirections depends on the ID [appended to the iexplorer.security.org URL]. Google gives me this:
iexplorer-security.org/?id=666660008
Which throws a 302 with a new Location:
bestsexworld.info/soft.php?aid=011801&d=1&product=XPA
Which itself again redirects via 302 to:
xpantivirus2008.com/2008/1/freescan.php?aid=77011801"

There's another common thread amongst the players in this particular story (xpantivirus2008.com, bestsexworld.info and iexplorer-security.org - all use the following name servers:

• Name Server: MANAGEDNS1.ESTBOXES.COM
• Name Server: MANAGEDNS2.ESTBOXES.COM
• Name Server: MANAGEDNS3.ESTBOXES.COM
• Name Server: MANAGEDNS4.ESTBOXES.COM

This incident was reported via a comment on my blog.

The malicious advertisement is visually identical to the myjewelrybox SWF already featured on this blog.

When I first tested this advertisement I was simply redirected to Google, but now the campaign has been activated and I ended up at xpantivirus.com.

Sites associated with ad:

• openadstream.net
• iexplorer-security.org
• bestsexworld.info
• xpantivirus.com
• 209.50.243.101 seems to belong to srv.angolotesti.it, but is *located* in the United States, specifically at ServInt Corp, 6861 Elm Street, Suite 4-E, McLean, VA 22101.

First, a malicious advertisement has been discovered at ADECN again, the URL being:

• cds.adecn.com/resource/ads/875_9159_1202999742.swf

As you will see, visually the advertisement is identical to the malicious advertisement that appeared on diepresse and washingtonpost.com

From acedn we are redirected to station-appraisals.com/crossdomain.xml, and to:

station-appraisals.com/c/index.php?id=WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm

We then hit blessedads.com/?cmpid=identifyso, and prevedmarketing.com/?tmn=mwatmp&aid=identifyso&lid=&ax=1&ed=2&mt_info=5586_5581_2358, before we finally hit:

scanner2.malware-scan.com/9_swp/?tmn=null&aid=identifyso_ma9s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5586_5581_2358:3958

Now let's have a look at another recently reported malicious SWF - the speedbit one that I reported on earlier. It has now been analysed and reveals some interesting information.

We have discovered two URLs thanks to the Speedbit SWF:

staticglobalsources.net/c/index.php?id=m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzImcG56Y252dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm and waytotheprofit.com/?cmpid=argumentor

Next, let's look at another malicious SWF - this one featuring Weightwatchers:

The above SWF, when analysed, reveals the URL adtds2.promoplexer.com/statsa.php?campaign=interveco. Promoplexer is a newer (as distinct to new) name that also bears a closer examination.

The above promoplexer URL redirects to the URL adsraise.com/mbuyers/statistics.html.

The adsraise.com domain is very interesting. It is hosted in the Ukraine, with WNET, a name that has appeared on my blog before as host of the now infamous cleanator and macsweeper - therefore, I'd be EXTREMELY suspicious of anything hosted by that network.

Oh, and we have a new name... promoplexer shares A records with maxconvert.com - a sneaky peak at that domain reveals lots of references to macsweeper - why are we not surprised?

As we know, there have also been several campaigns recently using the domain iexplorer-security.org, which is hosted by MCHOST in Russia and which has name servers supplied by estboxes.com (aka estdomains, hosted by Intercage)

I have long since recommended wholesale blocking of Intercage, Interhoster and Nevacon - obviously that advice still stands.

Well, we don't need to say much more, do we.

Have a look at what loads when we visit staticglobalsources.net - adtraff.com has appeared on this blog many times and have been accused of frauduently claiming to represent various web sites when selling advertising.

http://msmvps.com/blogs/spywaresucks/se ... =Relevance

With thanks to Kimberley who writes about the incident here:
http://www.bluetack.co.uk/forums/index. ... entry86387

Originally disclosed here:
http://forum.malekal.com/viewtopic.php?p=69911#p69911

As you will see, the malicious advertisement is being directly hosted by the victim site, the SWF URL being:
medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf

The SWF is still available for viewing, and redirecting victims.

Ok, so I've had a look at the 1-800-petmeds SWF and its the same old same old. The SWF contains reference to the malicious URL iexplorer-security.org/?id=324400102.

Some interesting information thanks to MAD.

On Mar 17 2008, we found the banner below.

medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
There are 2 other yourmusic banners on the loose which have of course the same redirects.


realmedia.pap.fr/0/VSC/yourmusic-bmgdirect-mar08-ban/yourmusic_468x60.swf
stream.expedia.fr/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
______________________________

The interesting part is the IP where all these banners are hosted.

212.113.31.48

canonical name eur56deliv.247realmedia.com.
aliases stream.expedia.fr
oas000575.247realmedia.com

canonical name eur56deliv.247realmedia.com.
aliases medias.voyages-sncf.com
oas000551.247realmedia.com

canonical name eur56deliv.247realmedia.com.
aliases realmedia.pap.fr
oas000459.247realmedia.com

Robtex information.

212.113.31.32-212.113.31.63 REALMEDIA-UK Real Media London

hostnames sharing ip with a-records.
eur56deliv.247realmedia.com
hostnames sharing ip indirectly via cnames.
ads-nc.rmuk.co.uk
ads-secure.rmuk.co.uk
medias.voyages-sncf.com
multi1.rmuk.co.uk
oas-eu.247realmedia.com
pubca.cvf.fr

The following malicious SWFs were removed from circulation approximately 7 1/2 hours ago:

medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
realmedia.pap.fr/0/VSC/yourmusic-bmgdirect-mar08-ban/yourmusic_468x60.swf
stream.expedia.fr/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf

This is excellent news. Both Expedia.fr and pap.fr have *massive* readerships. Potentially millions of people have been placed out of the reach of those behind the malvertisements, if only for a while.

Same malicious SWF:

iexplorer-security.org/?id=624400105

Same redirect, same end result...

Something occurs to me - let's look closely at the URL - it refers to "GeminiIntera"... could that be a reference to "Gemini Interactive", an online advertising agency?

I'm betting it does. Let's check out who is behind http://www.geminiinteractive.net.

Gemini Interactive's web site is hosted by...

NETDIRECT (reverse 89-149-242-64.internetserviceteam.com)



Gemini Interactive's name servers are supplied by... and this is a BIG indication of guilt:

ESTBOXES (aka Estdomains, hosted by the infamous INTERCAGE)



Gemini Interactive's mail server is hosted by CERNELNETWORK. There is some interesting information about CERNELNETWORK to be gleaned. A quick Robtex check of IP 64.28.182.147 (the IP address of the mail server used by Gemini Interactive and supplied by CERNELNETWORK) resolves to:

SMTP:220 tiger.esthost.com

The IP address in turn reveals even more names:

• 2barrels.com
• 4x4project.com
• adoptserver.info
• bestseatreserved.com
• beststuffservice.com
• civilengres.com
• freebondagecentral.com
• iwantmyseat.com
• mail.2barrels.com
• mail.4x4project.com
• mail.adoptserver.info
• mailbestseatreserved.com
• mail.beststuffservice.com
• mail.civilengres.com
• mail.freebondagecentral.com
• mail.geminiinteractive.com
• mail.iwantmyseat.com
• mail.realsearchonline.com
• mail.rupissing.com
• mail.usaticketinfo.com
• realsearchonline.com
• rupissing.com
• samoterra.com
• usaticketinfo.com

The site referrer report for this blog has revealed reports of malicious banner advertisements appearing on not only classmates.com, but also the StarTribune National News site, cincinnati.com, news.enquirer.com, NYPost and cincymoms.com (and who knows how many more).

I'm seeing a common theme in many recent outbreaks - far too often victim web sites are managing their own advertising content and, when this happens, the advertising network that the website is using is unable to shut down a malicious campaign, instead having to wait until the victim site shuts down the malvertisement at their own behest.

This is a situation that requires discussion and thought. For example, is it acceptable for an advertising network to be in a situation where their software or infrastructure is being used to distribute malvertisements, yet be unable to remove the malvertisements because they don't have primary control?

I remember back when blich.ch was hit by the skyauction malvertisement, it was nine.ch that was in the hotseat. Eventually nine.ch "firewalled" the malicious advertisement but in the interim who knows how many thousands, or tens of thousands, of people were exposed to a malvertisement which we knew was there, but were unable to immediately shut down.

cite: http://msmvps.com/blogs/spywaresucks/ar ... 50217.aspx

My personal opinion is that advertising networks must maintain the right to immediately block malicious advertising content as soon as it is reported to them, because it is of critical importance that malvertisements as shut down as soon as possible. Far too often I have seen delays of hours, days or even weeks while advertising networks try to contact website administrators, or convince recalcitrant administrators to act.

Your thoughts?

First, source reliable instructions and advice on how to get rid of xponlinescanner from any reputable anti-spyware advisory forum, and get that information out to their clients.

Second, conduct more comprehensive checks into the background and bona fides of those they accept advertising from - see these links for advice:

Avoiding the bad guys - detecting potentially malicious advertising campaigns
http://msmvps.com/blogs/spywaresucks/ar ... 65721.aspx

Winfixer hide 'n' seek: explaining why some people see the ads, and some people don't
http://msmvps.com/blogs/spywaresucks/ar ... 34527.aspx

Third, run advertisements that they receive through services such as http://www.adopstools.com to check for malicious code.

Adopstools.com provides a service called an Online Click Checker. The Online Click Checker nearly always detects malicious or suspicious code in Flash based advertisements. On those rare occasions that the Online Click Checker has failed to detect that an advertisement is malicious (which I have only seen happen a couple of times), the site's owner has been very fast to respond to my email approach by updating his scanner to catch what was previously missed.

Today we are going to take a look at social engineering and other tactics used by the fraudsters that push malicious banner advertisements. Heaven knows we have talked enough about what the malicious advertisements actually *do*; now it is time to talk about what the *fraudsters* do...

I cannot stress how important it is that we understand the social engineering tactics used by the fraudsters.

Now, the malicious advertisements that we are going to examine today feature FrontGate.

SOCIAL ENGINEERING AND FALSE INFORMATION
I think that my regular readers now understand what malvertisements are, and what they do - so, let's have a look at some "behind the scenes" activity, in the hope that all of you will learn what to watch out for, and what to check. I will quote the gentleman who sent me the advertisements - he makes some very relevant observations - with only minor editing changes made to fix typographic errors or improve clarity...

You may recall that I theorised that the URLs for the malvertizements that were displayed at classmates.com may indicate that the malvertizements were supplied by Gemini Interactive (cite: http://msmvps.com/blogs/spywaresucks/ar ... 50951.aspx) You may also recall that all of the malvertizements that I found at classmates.com featured myjewelrybox.com.

I have received, by email, a copy of an advertisement that was supplied by Gemini Interactive for display on several websites. An analysis of the advertisement that I have received indicates that it contains malware actionscript code. Also, the SWF features myjewelrybox.com (cite: http://www.adopstools.com/index.asp?pag ... lrybox.swf)

Please exercise caution when accepting advertising for your web sites. At the very least you should run each and every advertisement that you receive through the online click checker at adopstools.com and potentially save yourself a lot of grief.

This is an update to my article written on 5 March wherein I warned that Bucksbill.com overcharging for fraudware such as "MalwareAlarm and Registry Defragmentation".

It is worth pointing out that several readers have commented that they, too, have been overcharged by Bucksbill.

OK, so tell me oh gentle reader... just how many "free passes" should a website get?

123greetings.com is, once again, displaying a malicious banner advertisement. This is the third incident that I have personally experienced thanks to an advertisement accepted by those responsible for 123greetings.com, and enough is enough.

Sites involved:

• adtds2.promoplexer.com/statsa.php?campaign=123
• adsraise.com/mbuyers/statistics.html
• tds.promoplexer.com/statsg.php
• antispywaredeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=

adsraise.com and promoplexer are both hosted by WNET who also provide the name servers. WNET have been mentioned several times in this blog.

Preliminary analysis at adopstools indicates malicious content:
adopstools.com/index.asp?page=quicklink&id=z45zlyl4R7sJ5L6I
adopstools.com/index.asp?page=quicklink&id=2nk99FyQ6qot025u

Mediaman:
m1.2mdn.net/1612895/NHL_MediaMan_728x90_flash.swf

Campaign.
adtraff.com/statsa.php?u=23423424&campaign=pushmama

cyberipod:
m1.2mdn.net/1487544/160x600_Cyberipod.swf

Campaign.
workhomecenter.com/crossdomain.xml
workhomecenter.com/stats.php?campaign=5pentt00&u=1206974120161

This alert was sent to me via private email, by the same person who reported the latest malvertizement at 123greetings.com.

It should be noted that I have not personally seen the advertisement appearing on http://www.diynetwork.com.

Loading the URL also loads:
adtds2.promoplexer.com/statsa.php?campaign=708&u=1207097411103

As well as adsraise.com/mbuyers/statistics.html

adszedo.com is hosted by IWEBGROUP, and their name servers are supplied by everydns.net. Its closest name and mailserver relationship is with jamclam.us.

The Registrar for adszedo.com, promoplexer.com and adsraise.com is the infamous ESTDOMAINS, a registrar that has been associated with many domains associated with malvertizements. The domain itself was created just a short while ago, on 5 February 2008.

Malvertisement analysis:
http://www.adopstools.com/index.asp?pag ... MlT19abS2W

As we know, malvertizements have been discovered at 123greetings.com not once, not twice, but three times that I know of and, to add insult to injury, two of the malvertizements were *visually identical* to each other, making me wonder just what checks and balances are in place at 123greetings.com to protect visitors to 123greetings.com from malvertizements.

Several comments have been made to my blog about the problems revealed by recurring incidents such as 123greetings.com.

I think it is worthwhile examining some of the "behind the scenes" reality that we (those of us who fight malvertizements, the advertising networks, and the victim web sites) have to deal with day to day. Please understand that I am not making excuses; my goal is to highlight the problems that we face.

The one that I saw tonight is different from the others featured in that the malicious URL the target of the malvertizement is:

iexplorer-security.org/?id=987650069

At the moment that URL is redirecting to google.com, and will continue to do so until somebody, somewhere, accepts the malvertizement and sends it live.