Rogue Banner Ads [extrabanner.com - Sept 20]

The latest malware threats from across the security forums


TeMerc
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ

Re: Rogue Banner Ads [Cleanator On MSN Groups - Feb 17]

Post by TeMerc » Sun Feb 17, 2008 2:51 pm

Cleanator advertised on groups.msn.com
Cleanator.com has been mentioned on this blog before. It shares an IP address with the now infamous macsweeper.com (and I note a new entry according to Robtex.com, kavianltd.net).

The advertisement and malicious redirect have been reported to the appropriate parties. Bear in mind that with only a screenshot it will take a while to identify the malicious advertisement.
Source: Spyware Sucks

Re: Rogue Banner Ads [Major Players - Feb 21]

Post by TeMerc » Wed Feb 20, 2008 10:37 pm

Malicious Advertising (Malvertising) Increasing
Thursday, February 21, 2008

In the wake of the recent malvertising incidents, it's about time we get to the bottom of the campaigns, define the exact hosts and IPs participating, all of their current campaigns, and who's behind them. Who's been hit in the first place? Expedia, [...], Rhapsody, [...], all major [...]. Now let's outline the malicious parties involved. These are the currently active domains delivering malicious Flash advertisements that were, and still are, participating in the rogue ad attacks:
  • quinquecahue.com (190.15.64.190)
    quinquecahue.com/swf/gnida.swf?campaign=tautonymus
    quinquecahue.com/swf/gnida.swf?campaign=atliverish
    quinquecahue.com/statsg.php?campaign=meatrichia
    quinquecahue.com/swf/gnida.swf?campaign=atticismus
  • akamahi.net (190.15.64.185)
    akamahi.net/swf/gnida.swf?cam
    akamahi.net/swf/gnida.swf?campaign=innational
    akamahi.net/swf/gnida.swf?campaign=annalistno
    akamahi.net/statsg.php?u=1199891594&campaign=annalistno
  • thetechnorati.com (190.15.64.191)
    thetechnorati.com/swf/gnida.swf?campaign=ofcavalier
    thetechnorati.com/swf/gnida.swf?campaign=whoduniton
    thetechnorati.com/statsg.php?u=1198689218
  • vozemiliogaranon.com (190.15.64.192)
    vozemiliogaranon.com/statss.php?campaign=zoolatrymy
    vozemiliogaranon.com/swf/gnida.swf?campaign=zoolatrymy
    vozemiliogaranon.com/statss.php?campaign=revenantan
  • newbieadguide.com (190.15.64.188)
    newbieadguide.com/statsg.php?campaign=missblue
    newbieadguide.com/statsg.php?campaign=2rapid1y
    newbieadguide.com/statsg.php?campaign=missblue
    newbieadguide.com/statsg.php?campaign=germanit
    newbieadguide.com/swf/gnida.swf?campaign=ta5temix
    newbieadguide.com/swf/gnida.swf?campaign=c0pperin
    newbieadguide.com/swf/gnida.swf?campaign=remain0r
    newbieadguide.com/swf/gnida.swf?campaign=mi1eroof
    newbieadguide.com/swf/gnida.swf?campaign=m9in9re9
  • traffalo.com (84.243.252.94)
    traffalo.com/swf/gnida.swf?campaign=atekistics
    traffalo.com/swf/gnida.swf?campaign=byagnostic
    traffalo.com/statsg.php?u=1201711626
    traffalo.com/statsg.php?u=1202224809
  • burnads.com (84.243.252.85)
    burnads.com/swf/gnida.swf?campaign=1akeweak
    burnads.com/swf/gnida.swf?campaign=flatfootup
  • v0zemili0garan0n.com
    v0zemili0garan0n.com/statsg.php?u=1199391035
  • adtraff.com (84.243.252.84)
    adtraff.com/swf/gnida.swf?campaign=forcejoe
    adtraff.com/swf/gnida.swf?campaign=forcejoe
    adtraff.com/swf/gnida.swf?campaign=forcejoe
    adtraff.com/swf/gnida.swf?campaign=forcejoe
    adtraff.com/swf/gnida.swf?campaign=forcejoe
    adtraff.com/swf/gnida.swf?campaign=weightt0
  • mysurvey4u.com (194.110.67.22)
    mysurvey4u.com/swf/gnida.swf?campaign=rubberu5
    mysurvey4u.com/swf/gnida.swf?campaign=me9ntthe
  • traveltray.com (194.110.67.23)
    traveltray.com/swf/gnida.swf?campaign=pavoninean
  • tds.promoplexer.com (217.20.175.39)
    tds.promoplexer.com/statsg.php
    adtds2.promoplexer.com/in.cgi?2
Additional domains sharing IPs with some of the domains, ones that will eventually be used in upcoming campaigns:
  • aboutstat.com
  • newstat.net
  • officialstat.com
  • stathisranch.net
  • station-appraisals.net
Source: More @ DDanchev Blog

Re: Rogue Banner Ads [Major Players - Feb 21]

Post by TeMerc » Thu Feb 21, 2008 12:38 am

Scareware package planted in ITV.com ads
By John Leyden
Published Thursday 21st February 2008

Users visiting the website of UK broadcaster ITV risk exposure to a scareware package. Malware-laced banner ads that lead to download sites for the Cleanator scare package have also been served up on the Radio Times website.

Radio Times confirmed that it removed the offending ad late Wednesday morning, following initial reports of the problem on Tuesday. The cleanliness or otherwise of the ITV website is unclear at the time of writing.

Cleanator is a rogue security program that shows false warning messages and misleading scan results in a ruse designed to scare punters into purchasing a "full" version of the package. Aggressive advertising tactics - including the use of Trojan downloaders - are used to distribute the software.
Source: The Register

Re: Rogue Banner Ads [MySpace- Feb 22]

Post by TeMerc » Fri Feb 22, 2008 8:04 am

Malicious advertisement on MySpace.com
Friday, February 22, 2008 | sandi

This particular advertisement is, in fact, quite unsophisticated. If we analyse the creative we immediately detect suspicious content. For example, we see that the creative contains the following actionscript:

    System.security.allowDomain("*")

mysurvey4u.com/statsa.php?campaign=me9ntthe
mysurvey4u.com is a known "shell" web site that uses a nameserver at, you guessed it, securehost.com. Domains sharing name servers and mail servers include:
  • candid-search.com
  • loffersearch.com
  • manage-search.com
  • roller-search.com
  • rombic-search.com
  • se7ensearch.com
  • search-the-prey.com
  • searchmandrake.com
  • searchonline-ease.com
  • searchvirtuoso.com
  • simplesamplesearch.com
  • stratosearch.com
  • traveltray.com <-- mentioned on this blog before
  • treekindsearch.com
  • wontu-search.com
  • zooworld-search.com
Its Registrar is YESNIC CO LTD, yet another name that appears far too often in association with malware and fraudware sites.

Source: More @ Spyware Sucks

Re: Rogue Banner Ads ['Diane Samuels' Busted - Feb 22]

Post by TeMerc » Wed Feb 27, 2008 10:09 am

Forceup.com caught trying to sell a malicious advertisement featuring firstchoice.com
Wednesday, February 27, 2008 10:35 PM sandi
I received an email tonight warning me that a Diane Samuels from forceup.com is contacting web sites wanting to place an advertising banner. I was contacted by those behind a web site with checks in place that identified the advertising banner as "a virus of some sort".

The creative's name was firstchoise_728x90.swf.

"Diane Samuels" did not respond to emails from the web site's staff once they discovered that the advertisement was bad - a failure to respond is standard operating procedure for the b*stards behind the malicious advertisements - if they get caught by one web site, they just move on to the next one.

Forceup.com is a well known name to those of us who watch and report on malicious banner advertisements - if you search this blog for that name you will find that forceup is mentioned nine times.
Source: More @ Spyware Sucks

Re: Rogue Banner Ads [Firstchoice - Feb 28]

Post by TeMerc » Thu Feb 28, 2008 4:54 pm

Friday, February 29, 2008
Firstchoice comments on malicious banner advertisements...
Just like Skyauction, Emusic and QPAD before them, Firstchoice have advised that they have nothing to do with the malicious advertisements featuring their company.

I quote the contents of an email from Firstchoice to the web site that supplied the copy of the malicious advertisement from Forceup to me for analysis:

"1. Our site [is] firstchoice.co.uk not firstchoice.com. (Which is a chain of hairdressers in the US!)

2. More importantly, I would like her to mention that the advert had nothing to do with First Choice. We have never been in contact with Forceup, have never seen that creative, and have not done any banner advertising for a long time now. I have no idea why they chose our site, but I would suspect we are not the only ones."
Source: Spyware Sucks

Re: Rogue Banner Ads [Oxfam & Curves- Feb 29]

Post by TeMerc » Fri Feb 29, 2008 8:22 am

A closer look at the Curves SWF
Interesting. We see the following code (URLs deliberately broken):

Variable _level0.url = "openadstream.net/ad0.php?url=http://ad.doubleclick.net/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043"
Variable _level0.P = "iexplorer-security.org/?id=463400043"

iexplorer-security.org has hidden some information behind Privacy Protect, but we can find out some things.

First, iexplorer-security.org is hosted by Masterhost in Russia. Second, its nameservers are provided by the infamous eshosst.com (aka estdomains) - the list of malicious/fraudulent domains associated with Estdomains is staggering.

I'll need to get in touch with Doubleclick about their appearance in a variable.
Source: Spyware Sucks

=============================================================

Oxfam impersonated by Errorsafe pimps
Oxfam does fantastic work - in fact several people received "Oxfam Unwrapped" gift cards from me for Christmas (donations on their behalf) - and it makes me FURIOUS to see Oxfam's good name taken advantage of, and a malicious advertisement featuring their name used as a conduit to fraudware.

I received a sample SWF today, an advertisement touting Oxfam - screenshots below.

An examination of the internal code reveals:

hxxp://www.errorsafe.com/pages/scanner/ ... &ax=1&ed=2, __self.str, _root.c4.color(14688422)

which redirects to:

errorsafe.com/download/2007/index.php

Y'know, I already do all I can to track down, and shut down, the bastards behind malicious banner advertisements. I promise you this, if there is one thing that the criminals can do to make me even more determined to chase them to the ends of the earth, it is to do something like impersonating Oxfam.
Source: Spyware Sucks

=============================================================

More information about the Curves SWF
Well, I said I would get in touch with Doubleclick - their response was interesting - I quote:

"it's to confuse people... look you get the same results:

openadstream.net/ad0.php?url=http://www.google.com/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043

openadstream.net/ad0.php?url=http://www.microsoft.com/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043"

The original URL I provided was:

openadstream.net/ad0.php?url=http://ad.doubleclick.net/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043

Each of those URLs renders the same result - a plain white page with the text "stats=917174773"

Oh, and guess who supplies the name servers for openadstream.net - yep, you guessed it - estboxes.com aka estdomains - a domain that has already been mentioned once in my blog today.
Source: Spyware Sucks

Re: Rogue Banner Ads [iexplorer-security.org - Mar 7]

Post by TeMerc » Fri Mar 07, 2008 8:13 am

Interesting trickery - iexplorer-security.org
Friday, March 07, 2008 - sandi
We've been watching a new behaviour recently as revealed by some SWF featured on this blog (the Curves SWF and the My Jewelry Box SWF come to mind).

We understand more about what is going on now. The two SWF mentioned both used a domain that had not appeared on this blog before, being iexplorer-security.org.

The two malicious URLs, iexplorer-security.org/?id=463400043 and iexplorer-security.org/?id=373400052, were both dormant at time of writing so I was unsure as to what was going on. But now, an active campaign has been identified and we know how things work.

Basically, a malicious iexplorer-security.org campaign will redirect to Google while it remains dormant, but once activated things get interesting.

The redirection depends on the ID [appended to the iexplorer-security.org URL]. Google gives me this:
iexplorer-security.org/?id=666660008
Which throws a 302 with a new Location:
bestsexworld.info/soft.php?aid=011801&d=1&product=XPA
Which itself again redirects via 302 to:
xpantivirus2008.com/2008/1/freescan.php?aid=77011801

There's another common thread amongst the players in this particular story (xpantivirus2008.com, bestsexworld.info and iexplorer-security.org) - all use the following name servers:
  • Name Server: MANAGEDNS1.ESTBOXES.COM
  • Name Server: MANAGEDNS2.ESTBOXES.COM
  • Name Server: MANAGEDNS3.ESTBOXES.COM
  • Name Server: MANAGEDNS4.ESTBOXES.COM
Source: Continued Analysis @ Spyware Sucks

Re: Rogue Banner Ads [lyricsmania.com - Mar 10]

Post by TeMerc » Mon Mar 10, 2008 7:44 am

Malicious advertisement at lyricsmania.com
Monday, March 10, 2008 sandi
This incident was reported via a comment on my blog.

The malicious advertisement is visually identical to the myjewelrybox SWF already featured on this blog.

When I first tested this advertisement I was simply redirected to Google, but now the campaign has been activated and I ended up at xpantivirus.com.

Sites associated with ad:
  • openadstream.net
  • iexplorer-security.org
  • bestsexworld.info
  • xpantivirus.com
  • 209.50.243.101 seems to belong to srv.angolotesti.it, but is *located* in the United States, specifically at ServInt Corp, 6861 Elm Street, Suite 4-E, McLean, VA 22101.
Source: Continued Analysis @ Spyware Sucks, with screenshots

Re: Rogue Banner Ads [Recent Round Up - Mar 12]

Post by TeMerc » Wed Mar 12, 2008 8:13 am

Movement in the malvertisement world
Wednesday, March 12, 2008
First, a malicious advertisement has been discovered at ADECN again, the URL being:
  • cds.adecn.com/resource/ads/875_9159_1202999742.swf
As you will see, visually the advertisement is identical to the malicious advertisement that appeared on diepresse and washingtonpost.com

From adecn we are redirected to station-appraisals.com/crossdomain.xml, and to:

station-appraisals.com/c/index.php?id=WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm

We then hit blessedads.com/?cmpid=identifyso, and prevedmarketing.com/?tmn=mwatmp&aid=identifyso&lid=&ax=1&ed=2&mt_info=5586_5581_2358, before we finally hit:

scanner2.malware-scan.com/9_swp/?tmn=null&aid=identifyso_ma9s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5586_5581_2358:3958

Now let's have a look at another recently reported malicious SWF - the speedbit one that I reported on earlier. It has now been analysed and reveals some interesting information.

We have discovered two URLs thanks to the Speedbit SWF:

staticglobalsources.net/c/index.php?id=m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzImcG56Y252dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm and waytotheprofit.com/?cmpid=argumentor

Next, let's look at another malicious SWF - this one featuring Weightwatchers:

The above SWF, when analysed, reveals the URL adtds2.promoplexer.com/statsa.php?campaign=interveco. Promoplexer is a newer (as distinct from new) name that also bears a closer examination.

The above promoplexer URL redirects to the URL adsraise.com/mbuyers/statistics.html.

The adsraise.com domain is very interesting. It is hosted in the Ukraine, with WNET, a name that has appeared on my blog before as host of the now infamous cleanator and macsweeper - therefore, I'd be EXTREMELY suspicious of anything hosted by that network.

Oh, and we have a new name... promoplexer shares A records with maxconvert.com - a sneak peek at that domain reveals lots of references to macsweeper - why are we not surprised?

As we know, there have also been several campaigns recently using the domain iexplorer-security.org, which is hosted by MCHOST in Russia and which has name servers supplied by estboxes.com (aka estdomains, hosted by Intercage)

I have long since recommended wholesale blocking of Intercage, Interhoster and Nevacon - obviously that advice still stands.
Source: More @ Spyware Sucks

Re: Rogue Banner Ads [Recent Round Up - Mar 14]

Post by TeMerc » Thu Mar 13, 2008 10:58 pm

Malvertiser movement - staticglobalsources.net redirects to adtraff.com
Well, we don't need to say much more, do we.

Have a look at what loads when we visit staticglobalsources.net - adtraff.com has appeared on this blog many times and has been accused of fraudulently claiming to represent various web sites when selling advertising.

http://msmvps.com/blogs/spywaresucks/se ... =Relevance
Source: Spyware Sucks

Re: Rogue Banner Ads [French Site:voyages-sncf.com - Mar 18]

Post by TeMerc » Mon Mar 17, 2008 7:15 pm

Malicious SWF featuring YourMusic on the French language website voyages-sncf.com
Tuesday, March 18, 2008
With thanks to Kimberley who writes about the incident here:
http://www.bluetack.co.uk/forums/index. ... entry86387

Originally disclosed here:
http://forum.malekal.com/viewtopic.php?p=69911#p69911

As you will see, the malicious advertisement is being directly hosted by the victim site, the SWF URL being:
medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf

The SWF is still available for viewing, and redirecting victims.
Source: Continued Analysis @ Spyware Sucks

Re: Rogue Banner Ads [French Site:voyages-sncf.com - Mar 18]

Post by TeMerc » Wed Mar 19, 2008 10:45 am

The malicious 1-800-petmeds SWF
Ok, so I've had a look at the 1-800-petmeds SWF and it's the same old same old. The SWF contains a reference to the malicious URL iexplorer-security.org/?id=324400102.
Source: Spyware Sucks

Re: Rogue Banner Ads [French Site:yourmusic.com - Mar 21]

Post by TeMerc » Thu Mar 20, 2008 10:34 pm

Expedia France/Realmedia hosting malicious SWF featuring yourmusic.com
Some interesting information thanks to MAD.

On Mar 17 2008, we found the banner below.

medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
There are 2 other yourmusic banners on the loose which have of course the same redirects.


realmedia.pap.fr/0/VSC/yourmusic-bmgdirect-mar08-ban/yourmusic_468x60.swf
stream.expedia.fr/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
______________________________

The interesting part is the IP where all these banners are hosted.

212.113.31.48

canonical name eur56deliv.247realmedia.com.
aliases stream.expedia.fr
oas000575.247realmedia.com

canonical name eur56deliv.247realmedia.com.
aliases medias.voyages-sncf.com
oas000551.247realmedia.com

canonical name eur56deliv.247realmedia.com.
aliases realmedia.pap.fr
oas000459.247realmedia.com

Robtex information.

212.113.31.32-212.113.31.63 REALMEDIA-UK Real Media London

hostnames sharing ip with a-records.
eur56deliv.247realmedia.com
hostnames sharing ip indirectly via cnames.
ads-nc.rmuk.co.uk
ads-secure.rmuk.co.uk
medias.voyages-sncf.com
multi1.rmuk.co.uk
oas-eu.247realmedia.com
pubca.cvf.fr


As reported by the good folks @ Bluetack Internet Security Solutions

Re: Rogue Banner Ads [Malvertising Campaigns Shutdown - Mar 21]

Post by TeMerc » Fri Mar 21, 2008 6:20 pm

Success - Malicious advertising campaigns shut down...
The following malicious SWFs were removed from circulation approximately 7 1/2 hours ago:

medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
realmedia.pap.fr/0/VSC/yourmusic-bmgdirect-mar08-ban/yourmusic_468x60.swf
stream.expedia.fr/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf

This is excellent news. Both Expedia.fr and pap.fr have *massive* readerships. Potentially millions of people have been placed out of the reach of those behind the malvertisements, if only for a while.
Source: Spyware Sucks

Re: Rogue Banner Ads [Classmates Mar 23]

Post by TeMerc » Sat Mar 22, 2008 10:52 pm

Malicious advertisement detected at classmates.com
Sunday, March 23, 2008
Thanks to Susan Bradley for the heads up that there is a problem at http://www.classmates.com

An analysis of the SWF reveals a URL pointing to a known malware domain:
iexplorer-security.org/?id=624400105

The iexplorer-security.org URL is active, and redirecting victims to xponlinescanner.com as follows:

The URL iexplorer-security.org/?id=624400105 leads us to:

fastwebway.com/soft.php?aid=011807&d=1&product=XPA

The fastwebway.com URL in turn leads us to:

xponlinescanner.com/2008/1/freescan.php?aid=77011807

It should be noted that as part of the hijacking process a cookie is set that expires after just 24 hours.

Who are fastwebway.com?

The reverse IP for this domain is traffic-coverter.biz.
Its name servers and mailbox are provided by estdomains.
Its IP address is 72.232.224.154, hosted by LayeredTech (ltdomains.com)

Other sites/services hosted at 72.232.224.154 are:
  • bestsexworld.info
  • dvd-disk.net
  • mail.dvd-disk.net
  • mail.er-a.net
  • mail.pornorolikov.net
  • mail.sexroliki.com
  • pornorolikov.net
  • sexroliki.com
Source: Spyware Sucks
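The redirect chains quoted in this post and in the iexplorer-security.org post above (dormant campaigns parking on Google, active ones hopping through a traffic distribution host to the rogue scanner, with a short-lived cookie set on the way) are easiest to document by walking them one hop at a time rather than letting a client follow them. The following is an added example, not code from the blog or from any of the parties named; the offline response table is constructed from the hops the post lists, and the cookie name "aid", its value and the IE User-Agent string are assumptions.

```python
"""Walk a malvertisement redirect chain one hop at a time (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}
DECOY_HOSTS = {"google.com", "www.google.com"}  # where dormant campaigns park
ROGUE_AV_HOSTS = {"xpantivirus2008.com", "xpantivirus.com", "xponlinescanner.com"}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def walk_redirects(url: str, fetch, max_hops: int = 10) -> dict:
    """fetch(url) -> (status, [(header, value), ...]); it must never auto-follow.

    Each Location is resolved against the current URL, loops and runaway chains
    raise, and every Set-Cookie is recorded together with the hop that set it,
    because a 24-hour cookie gating the hijack is only visible that way.
    """
    hops, cookies = [url], []
    while True:
        status, headers = fetch(hops[-1])
        location = None
        for name, value in headers:
            lname = name.lower()
            if lname == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for cname, morsel in jar.items():
                    cookies.append({
                        "set_by": host_of(hops[-1]), "name": cname,
                        "max_age": int(morsel["max-age"]) if morsel["max-age"] else None,
                        "expires": morsel["expires"] or None,
                    })
            elif lname == "location":
                location = value
        if status not in REDIRECT_CODES or location is None:
            break
        nxt = urljoin(hops[-1], location)
        if nxt in hops:
            raise RuntimeError("redirect loop at %s" % nxt)
        if len(hops) >= max_hops:
            raise RuntimeError("more than %d hops" % max_hops)
        hops.append(nxt)
    final = host_of(hops[-1])
    if final in ROGUE_AV_HOSTS:
        state = "active_rogue_av"
    elif final in DECOY_HOSTS:
        state = "dormant_decoy"
    else:
        state = "unknown"
    return {"hops": hops, "final_host": final, "state": state, "cookies": cookies}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_live(url: str, user_agent: str = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"):
    """One request, no redirect following. Sandbox use only: the final hop
    serves the rogue installer. The User-Agent is an assumption; traffic
    distribution scripts routinely gate on UA and Referer."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items())


# Constructed offline stand-in for the chain the post describes. The Location
# hops and the 24-hour lifetime come from the thread; the cookie name "aid",
# its value and the 302 codes on the decoy hop are assumptions.
SAMPLE_RESPONSES = {
    "http://iexplorer-security.org/?id=624400105": (302, [
        ("Location", "http://fastwebway.com/soft.php?aid=011807&d=1&product=XPA")]),
    "http://fastwebway.com/soft.php?aid=011807&d=1&product=XPA": (302, [
        ("Set-Cookie", "aid=011807; Max-Age=86400; Path=/"),
        ("Location", "http://xponlinescanner.com/2008/1/freescan.php?aid=77011807")]),
    "http://xponlinescanner.com/2008/1/freescan.php?aid=77011807": (200, [("Content-Type", "text/html")]),
    # the same campaign host while dormant: a single hop to Google
    "http://iexplorer-security.org/?id=463400043": (302, [("Location", "http://www.google.com/")]),
    "http://www.google.com/": (200, []),
}


def fetch_sample(url: str):
    return SAMPLE_RESPONSES[url]
```

Run `walk_redirects(url, fetch_sample)` to replay the recorded chain, or pass `fetch_live` from an isolated analysis box; since the walker never follows a hop itself, the last URL it records is the page that would have been rendered, which is what you hand to the ad network when asking for the campaign to be pulled.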

Re: Rogue Banner Ads [Classmates Mar 23]

Post by TeMerc » Sun Mar 23, 2008 1:48 am

Two more bad ads @ Classmates.com
Same malicious SWF:

iexplorer-security.org/?id=624400105

Same redirect, same end result...

Something occurs to me - let's look closely at the URL - it refers to "GeminiIntera"... could that be a reference to "Gemini Interactive", an online advertising agency?

I'm betting it does. Let's check out who is behind http://www.geminiinteractive.net.

Gemini Interactive's web site is hosted by NETDIRECT (reverse 89-149-242-64.internetserviceteam.com).

Gemini Interactive's name servers are supplied by, and this is a BIG indication of guilt, ESTBOXES (aka Estdomains, hosted by the infamous INTERCAGE).
Gemini Interactive's mail server is hosted by CERNELNETWORK. There is some interesting information about CERNELNETWORK to be gleaned. A quick Robtex check of IP 64.28.182.147 (the IP address of the mail server used by Gemini Interactive and supplied by CERNELNETWORK) resolves to:

SMTP:220 tiger.esthost.com

The IP address in turn reveals even more names:
  • 2barrels.com
  • 4x4project.com
  • adoptserver.info
  • bestseatreserved.com
  • beststuffservice.com
  • civilengres.com
  • freebondagecentral.com
  • iwantmyseat.com
  • mail.2barrels.com
  • mail.4x4project.com
  • mail.adoptserver.info
  • mail.bestseatreserved.com
  • mail.beststuffservice.com
  • mail.civilengres.com
  • mail.freebondagecentral.com
  • mail.geminiinteractive.com
  • mail.iwantmyseat.com
  • mail.realsearchonline.com
  • mail.rupissing.com
  • mail.usaticketinfo.com
  • realsearchonline.com
  • rupissing.com
  • samoterra.com
  • usaticketinfo.com

Source: Spyware Sucks
And: Spyware Sucks
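The pivoting done in this post and the ones before it (estboxes name servers, a shared 72.232.224.154, the esthost mail server at 64.28.182.147) is essentially clustering domains on shared infrastructure. The following is an added example of that clustering, not code from the blog or from Bluetack; the record table is constructed from the lookups quoted in the thread, with fields the thread does not give left as None, and the bulk-provider allowlist, the alias table and the two control domains under .example are assumptions.

```python
"""Cluster domains by shared hosting, DNS and mail infrastructure (added example)."""
from collections import defaultdict

# Providers so large that sharing them links nothing (assumed allowlist).
BULK_NS_PROVIDERS = {"domaincontrol.com", "cloudflare.com", "awsdns.net"}
# The thread treats these as one operator.
NS_ALIASES = {"estdomains.com": "estboxes.com", "esthost.com": "estboxes.com"}

# Constructed from the lookups quoted in the thread; verify against live DNS
# before acting on any of it. "bad": True marks domains the thread calls malicious.
RECORDS = {
    "iexplorer-security.org": {"ns": "estboxes.com", "a": None, "mx": None, "bad": True},
    "xpantivirus2008.com":    {"ns": "estboxes.com", "a": None, "mx": None, "bad": True},
    "bestsexworld.info":      {"ns": "estboxes.com", "a": "72.232.224.154", "mx": None, "bad": True},
    "fastwebway.com":         {"ns": "estdomains.com", "a": "72.232.224.154", "mx": None, "bad": True},
    "openadstream.net":       {"ns": "estboxes.com", "a": None, "mx": None, "bad": True},
    "geminiinteractive.net":  {"ns": "estboxes.com", "a": None, "mx": "64.28.182.147", "bad": None},
    "mysurvey4u.com":         {"ns": "securehost.com", "a": "194.110.67.22", "mx": None, "bad": True},
    "traveltray.com":         {"ns": "securehost.com", "a": "194.110.67.23", "mx": None, "bad": None},
    # two unrelated controls on a bulk provider; they must not be linked to anything
    "news.example":           {"ns": "domaincontrol.com", "a": "198.51.100.10", "mx": None, "bad": None},
    "shop.example":           {"ns": "domaincontrol.com", "a": "198.51.100.11", "mx": None, "bad": None},
}


def pivots(record):
    """Attributes worth joining on: A and MX IPs always, NS only when not bulk."""
    out = []
    if record.get("a"):
        out.append(("a", record["a"]))
    if record.get("mx"):
        out.append(("mx", record["mx"]))
    ns = record.get("ns")
    if ns:
        ns = NS_ALIASES.get(ns, ns)
        if ns not in BULK_NS_PROVIDERS:
            out.append(("ns", ns))
    return out


def build_clusters(records):
    """Union-find over domains that share any pivot; returns (clusters, index)."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    index = defaultdict(list)  # (kind, value) -> domains carrying it
    for domain, rec in records.items():
        for key in pivots(rec):
            index[key].append(domain)
    for members in index.values():
        root = find(members[0])
        for other in members[1:]:
            parent[find(other)] = root
    clusters = defaultdict(set)
    for domain in records:
        clusters[find(domain)].add(domain)
    return list(clusters.values()), index


def relate(domain, records=RECORDS):
    """Explain why a domain does or does not sit with confirmed-bad ones."""
    clusters, index = build_clusters(records)
    cluster = next(c for c in clusters if domain in c)
    confirmed = sorted(d for d in cluster if d != domain and records[d].get("bad"))
    shared = sorted("%s=%s" % key for key, members in index.items()
                    if domain in members and len(members) > 1)
    return {"cluster": sorted(cluster), "confirmed_bad": confirmed,
            "shared_with_others": shared,
            "verdict": "linked_to_known_bad" if confirmed else "no_link"}
```

`relate("geminiinteractive.net")` lands it in the estboxes cluster alongside five confirmed-bad domains, which is the post's argument in data form. The bulk-provider exclusion is the caveat that matters: without it, every domain on a registrar's default name servers would be "linked" to everything else on them, so a shared NS is only evidence when the provider is small or already on a watchlist, while a shared A or MX address is always worth a look.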

Re: Rogue Banner Ads [Classmates Mar 23]

Post by TeMerc » Sun Mar 23, 2008 8:20 pm

Kimberly of Bluetack has some more information regarding the parties involved in these banner ads.

Lots of detailed analysis here in this thread

Re: Rogue Banner Ads [Round Up Of Bunch Of Ads - Mar 24]

Post by TeMerc » Mon Mar 24, 2008 5:17 pm

The bad guys have been busy... lots of malvertisement reports...
The site referrer report for this blog has revealed reports of malicious banner advertisements appearing on not only classmates.com, but also the StarTribune National News site, cincinnati.com, news.enquirer.com, NYPost and cincymoms.com (and who knows how many more).

I'm seeing a common theme in many recent outbreaks - far too often victim web sites are managing their own advertising content and, when this happens, the advertising network that the website is using is unable to shut down a malicious campaign, instead having to wait until the victim site shuts down the malvertisement at their own behest.

This is a situation that requires discussion and thought. For example, is it acceptable for an advertising network to be in a situation where their software or infrastructure is being used to distribute malvertisements, yet be unable to remove the malvertisements because they don't have primary control?

I remember back when blich.ch was hit by the skyauction malvertisement, it was nine.ch that was in the hotseat. Eventually nine.ch "firewalled" the malicious advertisement but in the interim who knows how many thousands, or tens of thousands, of people were exposed to a malvertisement which we knew was there, but were unable to immediately shut down.

cite: http://msmvps.com/blogs/spywaresucks/ar ... 50217.aspx

My personal opinion is that advertising networks must maintain the right to immediately block malicious advertising content as soon as it is reported to them, because it is of critical importance that malvertisements are shut down as soon as possible. Far too often I have seen delays of hours, days or even weeks while advertising networks try to contact website administrators, or convince recalcitrant administrators to act.

Your thoughts?
Source: Spyware Sucks

Re: Rogue Banner Ads [How Webmasters Can Avoid Them- Mar 25]

Post by TeMerc » Mon Mar 24, 2008 10:38 pm

How can web sites avoid malicious banner advertisements?
Tuesday, March 25, 2008 sandi
First, source reliable instructions and advice on how to get rid of xponlinescanner from any reputable anti-spyware advisory forum, and get that information out to their clients.

Second, conduct more comprehensive checks into the background and bona fides of those they accept advertising from - see these links for advice:

Avoiding the bad guys - detecting potentially malicious advertising campaigns
http://msmvps.com/blogs/spywaresucks/ar ... 65721.aspx

Winfixer hide 'n' seek: explaining why some people see the ads, and some people don't
http://msmvps.com/blogs/spywaresucks/ar ... 34527.aspx

Third, run advertisements that they receive through services such as http://www.adopstools.com to check for malicious code.

Adopstools.com provides a service called an Online Click Checker. The Online Click Checker nearly always detects malicious or suspicious code in Flash based advertisements. On those rare occasions that the Online Click Checker has failed to detect that an advertisement is malicious (which I have only seen happen a couple of times), the site's owner has been very fast to respond to my email approach by updating his scanner to catch what was previously missed.
Source: Spyware Sucks
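The third step above, and the MySpace post earlier in the thread (which flagged the creative on sight because it contained `System.security.allowDomain("*")` and a mysurvey4u.com stats URL), both come down to one check: open the SWF, look at the strings in its tag stream, and compare them with what an honest banner needs. The following is an added example of that first-pass triage, not adopstools' scanner and not code from the blog; it is a string scan rather than a decompiler, so it reports the `allowDomain` constant-pool entry but cannot see the `"*"` argument that is stored separately. The known-bad host list is drawn from domains named in this thread, the TLD set and the six-character string threshold are assumptions, and the sample SWF files are constructed (SWF-shaped, not playable movies).

```python
"""Static triage of a Flash (SWF) creative (added example)."""
import re
import struct
import zlib

# Hosts this thread's analysts pulled out of malicious creatives; extend as needed.
KNOWN_BAD_HOSTS = {
    "mysurvey4u.com", "traveltray.com", "iexplorer-security.org",
    "openadstream.net", "station-appraisals.com", "adtds2.promoplexer.com",
}
# ActionScript names whose presence in a banner deserves a human look:
# allowDomain opens the creative to other domains, loadMovie/getURL pull or
# launch remote content.
REVIEW_CALLS = (b"allowDomain", b"loadMovie", b"getURL")
# Limited TLD set (assumed) so file names such as gnida.swf are not taken for hosts.
HOST_RE = re.compile(
    rb"(?:https?://)?((?:[a-z0-9-]+\.)+(?:com|net|org|info|biz))(?![a-z0-9.-])", re.I)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def swf_body(data: bytes) -> bytes:
    """Return the tag stream that follows the 8-byte SWF header.

    Header: 3-byte signature, 1-byte version, 4-byte little-endian length of
    the *uncompressed* file (header included). FWS is stored plain, CWS is zlib
    compressed after the header. ZWS (LZMA) is deliberately rejected here.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, length = data[:3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("unsupported SWF signature %r" % sig)
    if len(body) + 8 != length:
        raise ValueError("header length %d does not match payload %d" % (length, len(body) + 8))
    return body


def analyse_swf(data: bytes) -> dict:
    """Extract printable runs from the tag stream and score them."""
    body = swf_body(data)
    calls, hosts, known_bad = [], set(), set()
    for run in PRINTABLE_RUN.findall(body):
        for call in REVIEW_CALLS:
            if call in run:
                calls.append(call.decode())
        for m in HOST_RE.finditer(run):
            host = m.group(1).decode().lower()
            hosts.add(host)
            if host in KNOWN_BAD_HOSTS:
                known_bad.add(host)
    if known_bad:
        verdict = "block"       # talks to a host already tied to rogue ads
    elif calls:
        verdict = "review"      # cross-domain or loader calls: decompile it
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "hosts": sorted(hosts),
            "known_bad": sorted(known_bad), "calls": sorted(set(calls))}


def build_sample_swf(strings, compressed=True) -> bytes:
    """Construct a minimal SWF-shaped file for offline testing (not a valid movie).

    The 13 zero bytes stand in for the frame RECT/rate/count that precede the
    first tag; the strings mimic a null-terminated ActionScript constant pool.
    """
    body = b"\x00" * 13 + b"".join(s + b"\x00" for s in strings)
    length = len(body) + 8
    if compressed:
        return b"CWS" + bytes([8]) + struct.pack("<I", length) + zlib.compress(body)
    return b"FWS" + bytes([8]) + struct.pack("<I", length) + body
```

A "block" verdict is enough to refuse the creative; "review" means hand the file to a decompiler (or a service such as adopstools) and read the ActionScript, since a click-through `getURL` to the advertiser is normal while `allowDomain("*")` in a banner is not. The length check in `swf_body` is there because a header that disagrees with its payload is itself a sign the file was hand-built.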

Re: Rogue Banner Ads [Forceup.com Serving Rogue Ads - Mar 26]

Post by TeMerc » Thu Mar 27, 2008 8:26 am

Forceup.com are distributing malicious advertisements .. again - an examination of the social engineering behind malvertisements
Friday, March 28, 2008 1:10 AM sandi
Today we are going to take a look at social engineering and other tactics used by the fraudsters that push malicious banner advertisements. Heaven knows we have talked enough about what the malicious advertisements actually *do*; now it is time to talk about what the *fraudsters* do...

I cannot stress how important it is that we understand the social engineering tactics used by the fraudsters.

Now, the malicious advertisements that we are going to examine today feature FrontGate.

SOCIAL ENGINEERING AND FALSE INFORMATION
I think that my regular readers now understand what malvertisements are, and what they do - so, let's have a look at some "behind the scenes" activity, in the hope that all of you will learn what to watch out for, and what to check. I will quote the gentleman who sent me the advertisements - he makes some very relevant observations - with only minor editing changes made to fix typographic errors or improve clarity...
0-= More @ Spyware Sucks

Re: Rogue Banner Ads [Forceup.com Serving Rogue Ads- Mar 26]

Postby TeMerc » Thu Mar 27, 2008 11:41 pm

Gemini Interactive caught distributing malvertizements
You may recall that I theorised that the URLs for the malvertizements that were displayed at classmates.com may indicate that the malvertizements were supplied by Gemini Interactive (cite: http://msmvps.com/blogs/spywaresucks/ar ... 50951.aspx) You may also recall that all of the malvertizements that I found at classmates.com featured myjewelrybox.com.

I have received, by email, a copy of an advertisement that was supplied by Gemini Interactive for display on several websites. An analysis of the advertisement that I have received indicates that it contains malware actionscript code. Also, the SWF features myjewelrybox.com (cite: http://www.adopstools.com/index.asp?pag ... lrybox.swf)

Please exercise caution when accepting advertising for your web sites. At the very least you should run each and every advertisement that you receive through the online click checker at adopstools.com and potentially save yourself a lot of grief.
0-= Spyware Sucks
========================================================================
Bucksbill.com overcharging victims of fraudware
This is an update to my article written on 5 March wherein I warned that Bucksbill.com was overcharging for fraudware such as "MalwareAlarm and Registry Defragmentation".

It is worth pointing out that several readers have commented that they, too, have been overcharged by Bucksbill.
0-= More @ Spyware Sucks

Re: Rogue Banner Ads [123greetings.com...AGAIN!- Mar 31]

Postby TeMerc » Mon Mar 31, 2008 9:38 am

Yet another malicious banner advertisement at 123greetings.com
OK, so tell me oh gentle reader... just how many "free passes" should a website get?

123greetings.com is, once again, displaying a malicious banner advertisement. This is the third incident that I have personally experienced thanks to an advertisement accepted by those responsible for 123greetings.com, and enough is enough.

Sites involved:
  • adtds2.promoplexer.com/statsa.php?campaign=123
  • adsraise.com/mbuyers/statistics.html
  • tds.promoplexer.com/statsg.php
  • antispywaredeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=
adsraise.com and promoplexer are both hosted by WNET who also provide the name servers. WNET have been mentioned several times in this blog.
0-= More @ Spyware Sucks

Re: Rogue Banner Ads [123greetings\cyberipod\mediaman Mar 31]

Postby TeMerc » Mon Mar 31, 2008 6:41 pm

New malvertizements - cyberipod and mediaman
Preliminary analysis at adopstools indicates malicious content:
adopstools.com/index.asp?page=quicklink&id=z45zlyl4R7sJ5L6I
adopstools.com/index.asp?page=quicklink&id=2nk99FyQ6qot025u

Mediaman:
m1.2mdn.net/1612895/NHL_MediaMan_728x90_flash.swf

Campaign:
adtraff.com/statsa.php?u=23423424&campaign=pushmama

cyberipod:
m1.2mdn.net/1487544/160x600_Cyberipod.swf

Campaign:
workhomecenter.com/crossdomain.xml
workhomecenter.com/stats.php?campaign=5pentt00&u=1206974120161
0-= Images @ Spyware Sucks

Re: Rogue Banner Ads [123greetings\cyberipod\mediaman Mar 31]

Postby TeMerc » Tue Apr 01, 2008 8:24 pm

Wednesday, April 02, 2008
Malvertisement featuring FedEx Kinko reported to be appearing on diynetwork.com
This alert was sent to me via private email, by the same person who reported the latest malvertizement at 123greetings.com.

It should be noted that I have not personally seen the advertisement appearing on http://www.diynetwork.com.

Loading the URL also loads:
adtds2.promoplexer.com/statsa.php?campaign=708&u=1207097411103

As well as adsraise.com/mbuyers/statistics.html

adszedo.com is hosted by IWEBGROUP, and their name servers are supplied by everydns.net. Its closest name and mailserver relationship is with jamclam.us.

The Registrar for adszedo.com, promoplexer.com and adsraise.com is the infamous ESTDOMAINS, a registrar that has been associated with many domains associated with malvertizements. The domain itself was created just a short while ago, on 5 February 2008.

Malvertisement analysis:
http://www.adopstools.com/index.asp?pag ... MlT19abS2W
0-= More @ Spyware Sucks

Re: Rogue Banner Ads [Who's To Blame?? - Apr 2]

Postby TeMerc » Wed Apr 02, 2008 8:18 am

Thursday, April 03, 2008
Malvertizements: web sites versus advertising networks and who we can blame....
As we know, malvertizements have been discovered at 123greetings.com not once, not twice, but three times that I know of and, to add insult to injury, two of the malvertizements were *visually identical* to each other, making me wonder just what checks and balances are in place at 123greetings.com to protect visitors to 123greetings.com from malvertizements.

Several comments have been made to my blog about the problems revealed by recurring incidents such as 123greetings.com.

I think it is worthwhile examining some of the "behind the scenes" reality that we (those of us who fight malvertizements, the advertising networks, and the victim web sites) have to deal with day to day. Please understand that I am not making excuses; my goal is to highlight the problems that we face.
0-= Detailed Analysis @ Spyware Sucks

Re: Rogue Banner Ads [Who's To Blame?\ebooks.com - Apr 2]

Postby TeMerc » Wed Apr 02, 2008 9:40 am

New malvertizement featuring ebooks.com

URLs associated with this malvertizement include:
  • stathome.net/c/index.php?id=cG9NaDRTS0xmeXF3TzNSaE8wTlNoPTEyMDY3MjExNDQmcG56Y252dGE9Y3m7NkiZ5dG5leXm7NkiZwNQYNkiDgNmYNkiDgNm
  • waytotheprofit.com/?cmpid=pilgarlic5&adid=intl
  • prevedmarketing.com/?tmn=mwatmp&aid=pilgarlic5&lid=intl&ax=1&ed=2&mt_info=5839_6881_2358
  • scanner2.malware-scan.com/5_swp/?tmn=null&aid=pilgarlic5_ma5s_mb1t&lid=intl&affid=&ax=1&ed=2&mt_info=5839_6881_2358:3958
0-=Spyware Sucks

Re: Rogue Banner Ads [3-textbookx.com, ringtones, travel 4-3]

Postby TeMerc » Wed Apr 02, 2008 8:32 pm

3 malvertizements featuring textbookx.com, free ringtones and a travel service
Thursday, April 03, 2008
0-= Screen shots @ Spyware Sucks

Re: Rogue Banner Ads [myjewelrybox.com - 4-3]

Postby TeMerc » Thu Apr 03, 2008 7:27 am

Thursday, April 03, 2008 sandi
Malicious myjewelrybox malvertizements still circulating

The one that I saw tonight is different from the others featured in that the malicious URL that is the target of the malvertizement is:

iexplorer-security.org/?id=987650069

At the moment that URL is redirecting to google.com, and will continue to do so until somebody, somewhere, accepts the malvertizement and sends it live.
0-= Spyware Sucks