Rogue Banner Ads [extrabanner.com-Sept 20]

The latest malware threats from across the security forums


TeMerc
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ

Re: Rogue Banner Ads [Recent Banner Ads -June 28]

Postby TeMerc » Sat Jun 28, 2008 1:16 pm

Report: Malvertizements that have been circulating @ XM Radio

Sandi lists domains involved with these ads:
  • aboutstat.net
  • waytotheprofit.com/?cmpid=weannalist
  • officialstat.com/c/index.php
waytotheprofit.com/?cmpid=weannalist leads us to an adverdaemon.com URL which then leads on to diskretter.com.
adverdaemon.com is hosted by PEER1, with name servers supplied by none other than securehost in the Bahamas. Lots and lots of known bad domains are sharing name servers with adverdaemon.com.

Hostnames sharing IP with A-records:
  • ad2profit.com
  • adgurman.com
  • adnetserver.com
  • adredired.com
  • astalaprofit.com
  • bizmarketads.com
  • brandmarketads.com
  • bucksbill.com
  • glorymarkets.com
  • iddqdmarketing.com
  • intervarioclick.com
  • invulnerableads.com
  • luckyadcoin.com
  • luckyadsols.com
  • mythmarketing.com
  • popadprovider.com
  • prevedmarketing.com
  • rocktheads.com
  • waytotheprofit.com
0-= Spyware Sucks
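The lists above (hosts sharing an IP with adverdaemon.com, domains sharing its name servers) are what an infrastructure pivot produces. Added example, not code from this post or from Spyware Sucks: a small Python pivot over constructed passive-DNS-style records (every name under .invalid is a placeholder) that walks out from seed domains across shared-IP and shared-NS edges up to a hop limit and records how each host was reached. The record data, the `pivot`/`report` names and the `max_fanout` cut-off are assumptions of the example.

```python
from collections import defaultdict, deque

# Constructed passive-DNS-style records (all names under .invalid are placeholders):
# host -> A record, and host -> name servers. A real pivot would pull these from a
# passive DNS or reverse-IP service such as the Robtex lookups quoted in the thread.
A_RECORDS = {
    "seed-ad.invalid":      "203.0.113.10",
    "profit-ads.invalid":   "203.0.113.10",   # shares the seed's IP and one of its NS
    "lucky-coin.invalid":   "203.0.113.10",   # shares only the seed's IP
    "brand-market.invalid": "203.0.113.11",   # own IP, but shares the seed's second NS
    "far-cousin.invalid":   "203.0.113.12",   # reachable only through brand-market's NS
    "news-site.invalid":    "198.51.100.5",   # unrelated bystander
}
NS_RECORDS = {
    "seed-ad.invalid":      ["ns1.bulk-dns.invalid", "ns2.bulk-dns.invalid"],
    "profit-ads.invalid":   ["ns1.bulk-dns.invalid"],
    "lucky-coin.invalid":   ["ns1.other-dns.invalid"],
    "brand-market.invalid": ["ns2.bulk-dns.invalid", "ns1.cousin-dns.invalid"],
    "far-cousin.invalid":   ["ns1.cousin-dns.invalid"],
    "news-site.invalid":    ["ns1.news-dns.invalid"],
}


def build_index(a_records, ns_records):
    """Invert the records: IP -> hosts using it, name server -> hosts delegated to it."""
    by_ip, by_ns = defaultdict(set), defaultdict(set)
    for host, ip in a_records.items():
        by_ip[ip].add(host)
    for host, servers in ns_records.items():
        for ns in servers:
            by_ns[ns.lower()].add(host)
    return by_ip, by_ns


def pivot(seeds, a_records, ns_records, max_hops=1, max_fanout=50):
    """Breadth-first walk from the seed hosts over shared-IP and shared-NS edges.

    Returns {host: (hops, reason)} for every host within max_hops of a seed. Any IP or
    name server used by more than max_fanout hosts is skipped: a shared-hosting address
    or a large registrar's DNS would otherwise drag in thousands of unrelated names.
    """
    by_ip, by_ns = build_index(a_records, ns_records)
    found = {seed: (0, "seed") for seed in seeds}
    queue = deque((seed, 0) for seed in seeds)
    while queue:
        host, depth = queue.popleft()
        if depth >= max_hops:
            continue
        neighbours = []
        ip = a_records.get(host)
        if ip and len(by_ip[ip]) <= max_fanout:
            neighbours += [(h, f"shares IP {ip} with {host}") for h in sorted(by_ip[ip])]
        for ns in ns_records.get(host, []):
            if len(by_ns[ns.lower()]) <= max_fanout:
                neighbours += [(h, f"shares NS {ns} with {host}") for h in sorted(by_ns[ns.lower()])]
        for neighbour, reason in neighbours:
            if neighbour not in found:
                found[neighbour] = (depth + 1, reason)
                queue.append((neighbour, depth + 1))
    return found


def report(found):
    """Render the pivot result as indented text lines, nearest hosts first."""
    lines = []
    for host, (hops, reason) in sorted(found.items(), key=lambda kv: (kv[1][0], kv[0])):
        lines.append(f"{'  ' * hops}{host}  [{hops} hop(s): {reason}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(pivot(["seed-ad.invalid"], A_RECORDS, NS_RECORDS, max_hops=2))))
```

The hop limit and the fan-out cut-off are what keep a pivot like this honest: later in this thread a single IP turns up with more than a million domains behind it, and walking across an address like that would make everything look related. Treat each hit as a lead to verify (registrant, creation date, what the host actually serves), not as a verdict.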

Re: Rogue Banner Ads [Recent Banner Ads -June 28]

Postby TeMerc » Wed Jul 02, 2008 10:37 pm

Thursday, July 03, 2008
sandi
Oh goody. Another SWF display conduit to keep an eye on :(
Adobe Reader 9 has been released, and guess what, it can display SWF and FLA files... I wonder what implication this has with regards to the security landscape surrounding malicious SWF. Are we going to have to watch out for PDFs which contain malicious SWF?

I simply do not have enough information to judge the safety implications (or otherwise) of this new Adobe Reader feature... I quote from the announcement on the Adobe reader blog:
"Adobe Reader 9 can natively display rich media content, which you'll notice immediately with Portfolios. Interested in viewing SWF and FLV files? Adobe Reader 9 is the answer."
The first thing that occurs to me is that our number one complaint about malicious SWF is that there is no way for the end user to stop the initial hijack that exposes them to malicious domains. If Adobe Reader 9 prompts for user permission before opening a web browser, then in that way Adobe Reader is a safer way to view SWF. If, on the other hand, the Reader allows an SWF to open a web browser without user interaction, then we are facing yet another conduit to danger.

0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [New Attack Vector?-July 3]

Postby TeMerc » Sun Jul 06, 2008 12:27 am

New malvertizement featuring Forex AutoPilot
Sunday, July 06, 2008
Kimberly, who is monitoring the ongoing malvertizement problems at isuisse.com, ibelgique.com and iquebec.com, has discovered a new malvertizement featuring Forex Autopilot.
"A yet unseen, new malvertizement is present on the homepage of isuisse.com, ibelgique.com & iquebec.com. The banner advertises Forex AutoPilot and the creative belongs to the new generation created with Fuse Kit 2.1.4. This is now the FOURTH malicious banner discovered since June the 12th on websites belonging to the group iEUROP. Just on a side note, the XM Radio malvertizement is also being displayed at isuisse on the portal page. This brings the count up to THREE active malvertizements being served to the visitors!!! Imagine the number of users being redirected to fake online scanners ... Enough is enough, this has to stop."


Malicious domains:
  • adoptserver.info/_statis.gif?url=[removed]
  • windowsxp-privacy.net/?id=198760063
  • xponlinescanner.com/soft.php?aid=024202&d=3&product=XPA
  • xponlinescanner9.com/2009/1/freescan.php?aid=77024202 (registered 1 July 2008)
Fraudware sites:
  • antivirus-2009.com
  • antivirus-database.com
  • antivirus2009professional.com
  • xpantivirusonline.com
  • xponlinescanner.com
  • xponlinescanner9.com
0-= Continued Analysis w/ Images @ Bluetack Internet Security Solutions

Re: Rogue Banner Ads [New Malverts-July 6]

Postby TeMerc » Tue Jul 08, 2008 6:15 pm

Wednesday, July 09, 2008
ALERT: Malvertizement featuring Skype
No company is safe from impersonation....

Campaign URLS:

waytotheprofit.com/?cmpid=contangogo
station-appraisals.com/c/index.php?id=<<removed>>

The waytotheprofit URL leads us to an adverdaemon.com URL, and from there to the fraudware site - I ended up at a German site, being sicherheitstool.com.

Robtex reports that "sicherheitstool.com is a domain controlled by two nameservers at sicherheitstool.com themselves. They are on the same IP network. Incoming mail for sicherheitstool.com is handled by one mailserver which are also at sicherheitstool.com. sicherheitstool.com has one IP record . virusvakt.com, winanonymous.com, avsystemcare.com and at least seven other hosts point to the same IP."
0-= Continued w/ Screenshots @ Spyware Sucks
=======================================================
ALERT: malvertizement featuring classmates.com
Campaign URLS (you will note that the campaign is identical to the one for the Skype malvertizement):

waytotheprofit.com/?cmpid=contangogo
station-appraisals.com/c/index.php?id=<<removed>>
0-= Spyware Sucks

Re: Rogue Banner Ads [Classmates & Skype-July 8]

Postby TeMerc » Mon Jul 14, 2008 10:50 am

Developments in the malvertizing world - a new distribution conduit involving MySpace
Tuesday, July 15, 2008
Kimberley writes about a new distribution conduit that she has found - in this example it is an old malvertizement with a currently inactive campaign.

In short, funmunch.com is offering a "MySpace Banner" for download that is, in fact, a malvertizement (an old one, but still a malvertizement).

Here's the question - why would funmunch.com make the banner available for download in the first place, presumably without being paid for it, and why would they have left it there after the inevitable complaints were received (of course, we're assuming that MySpace users actually downloaded and used the SWF file, and that victims (sorry, visitors) to the MySpace pages were savvy enough to work out how they were being hijacked).

Details @ Bluetack Forum 0-= More @ Spyware Sucks

Re: Rogue Banner Ads [Classmates & Skype-July 8]

Postby TeMerc » Mon Jul 14, 2008 10:52 am

Tuesday, July 15, 2008
Watch out for these malvertizements...
I have not seen a malvertizement featuring this site before - muchmusic.com
dreammates.com - this one dumped me at virusremover2008.com (domain created on 20 May 2008)
0-= Screen shots @ Spyware Sucks

Re: Rogue Banner Ads [New Distro Method-July 14]

Postby TeMerc » Mon Jul 14, 2008 8:20 pm

Tuesday, July 15, 2008
New malvertizement featuring Levis, myownpursuit.com (Lexus) and the re-emergence of Lady Speedstick
There have been several malvertizements in circulation, being:
unicastads.com/<removed>/728x90.swf (the original malicious ad has already been replaced with a 'clean' one)
unicastads.com/<removed>/300x250.swf (the original malicious ad has already been replaced with a 'clean' one)
trueffect-cdn.com/<removed>/300x250.swf
trueffect-cdn.com/<removed>/728x90.swf
pointroll-ads.com/<removed>/300x250.swf?
unicastads.com is registered via Estdomains, as is trueffect-cdn.com and pointroll-ads.com.

At time of writing, the Levis malvertizement is leading users to fraudware sites, including "Vista Antivirus 2008". The pointroll-ads.com SWF also leads victims to fraudware sites, including tds.internetsecuritydeluxe.com/<removed>. I fully expect these two advertisements, now they have been 'outed', to also be 'cleaned'.
0-= Screenshots @ Spyware Sucks

Re: Rogue Banner Ads [New Distro Method-July 14]

Postby TeMerc » Mon Jul 14, 2008 11:21 pm

Tuesday, July 15, 2008
A malvertizement featuring XE Radio rears its head again
Interestingly, the malvertizement features the same campaign as the MediaMan malvertizement that Kimberley found on isuisse, iquebec, ibelgique and ifrance back on 10 July.

We see various domains when hit by a malicious redirect, including:
  • stathisranch.net/crossdomain.xml
  • stathisranch.net/c/index.php?<<removed>>
  • profitabill.com/?cmpid=asbarrator (this is the same as the MediaMan malvertizement mentioned above)
  • adnetserver.com/?<<removed>>
  • adverdaemon.com/?<<removed>>
  • antispywaremaster.com/data/<<removed>>
  • sicherheitstool.com/kontroller/?<<removed>>
0-= Screenshots @ Spyware Sucks

Re: Rogue Banner Ads [New Distro Method-July 14]

Postby TeMerc » Mon Aug 04, 2008 8:43 pm

An old malvertizement touting mysurvey4you hit my inbox today.

Mike of MikeOnAds featured this malvertizement back in 2007 after it appeared on careerbuilder.com. You can see his original report here:
http://www.mikeonads.com/2007/07/04/err ... uildercom/

The advertisement sample that I received today points to exactly the same malicious campaign, being mysurvey4u.com/stats.php?campaign=qability

I am uncertain as to whether the campaign is being actively circulated. Keep an eye out for it guys 'n' gals.
0-= Spyware Sucks

Re: Rogue Banner Ads [Mysurvey4you.com-Aug 5]

Postby TeMerc » Thu Aug 07, 2008 10:55 pm

Nancy Drew - Circulating malvertisement
Today, 04:11 PM

Nancy Drew Solves Mysteries In Style ... whoops ... maybe we should say Nancy Drew Hijacks In Style instead. And this time no redirect to a fake online scanner but an executable. The pest is nifty to remove btw as it belongs to the Vundo family.

Redirect to:
82.98.235.173/ex3/i.exe

When Internet Explorer is opened, __c005C86E.dat tries to download additional stuff from nx1.todaystats.com using a special User Agent but as seen in the network capture, we get a 404 error for the time being.
0-= Continued Analysis @ Bluetack Internet Security Solutions
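Two things in this report are directly visible in a web proxy log: the fetch of an executable from a bare IP, and the follow-up request to nx1.todaystats.com with a "special User Agent" that came back 404. Added example, not code from this post or from Bluetack: a Python pass over constructed proxy log lines that flags requests whose destination is on an IOC list, requests whose User-Agent does not look like a browser, and executables pulled from IP-literal hosts. The destinations 82.98.235.173/ex3/i.exe and nx1.todaystats.com are the ones named in the post; the log layout, clients, timestamps, paths and the updater User-Agent strings are placeholders made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status> \"<user-agent>\"".
# The destinations 82.98.235.173/ex3/i.exe and nx1.todaystats.com come from the post; the
# clients, timestamps, paths, updater User-Agents and the example.* hosts are placeholders.
SAMPLE_LOG = [
    '2008-08-07T16:10:58 10.0.0.21 GET http://www.example.com/index.html 200 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '2008-08-07T16:11:02 10.0.0.21 GET http://82.98.235.173/ex3/i.exe 200 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '2008-08-07T16:11:40 10.0.0.21 GET http://nx1.todaystats.com/ 404 "updater/1.0"',
    '2008-08-07T16:12:05 10.0.0.33 GET http://update.example.net/check 200 "AcmeUpdater/2.3"',
    'garbage line that does not parse',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
IOC_DOMAINS = {"todaystats.com", "82.98.235.173"}   # from the post; extend from your own intel
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")         # crude 2008-era "looks like a browser" test


def host_in_iocs(host, iocs):
    """True when host equals an IOC or is a subdomain of one (nx1.todaystats.com -> todaystats.com)."""
    host = host.lower()
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def is_ip_literal(host):
    """True for hosts written as a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(lines, iocs=IOC_DOMAINS):
    """Run the three checks over the log lines; return one alert dict per suspicious request."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue                      # malformed lines are skipped, not fatal
        rec = match.groupdict()
        parsed = urlparse(rec["url"])
        host, path = (parsed.hostname or "").lower(), parsed.path
        reasons = []
        if host_in_iocs(host, iocs):
            reasons.append("destination in IOC list")
        if not rec["ua"].startswith(BROWSER_UA_PREFIXES):
            reasons.append(f"non-browser User-Agent: {rec['ua']!r}")
        if is_ip_literal(host) and path.lower().endswith(".exe"):
            reasons.append("executable fetched from bare-IP host")
        if reasons:
            alerts.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"],
                           "status": int(rec["status"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["url"], alert["status"], "; ".join(alert["reasons"]))
```

The User-Agent rule is deliberately loose and will also catch legitimate software updaters (the fourth sample line shows that), so in practice it needs an allow-list of known-good agents; the value of the rule is that a 404 to a flagged host from an odd agent, as in this report, still tells you a machine is infected even though the download failed.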

Re: Rogue Banner Ads [123greetings.com-Aug 8]

Postby TeMerc » Fri Aug 08, 2008 9:49 am

123greetings.com - BigHip
Aug 7, 2008 11:23 PM

A new malvertizement is being served on 123greetings.com featuring BigHip Email Marketing Solutions. Fuse Kit 2.1.4 was used for this creative.

openadstream.net/stat.gif?url=[removed]
At the time of the write-up the full redirect was inactive. Adopstools was not able to analyse the malicious banner.
0-= Bluetack Internet Security Solutions

Update: ad suspended

Re: Rogue Banner Ads [123greetings.com-Aug 8]

Postby TeMerc » Fri Aug 08, 2008 10:33 pm

Warning: forbes.com - BigHip
Today, 05:29 PM

The BigHip malvertizement discovered less than 24h ago on 123greetings.com *might* eventually be displayed at forbes.com; everything does of course depend on how long some advertisements are being actively used. The malicious banner is present on their server as seen below.

openadstream.net/stat.gif?url=[removed]
The redirect is identical to the one from 123greetings.com. At the time of the write-up the full redirect was inactive.

Flash banner properties.

Using wget, the flash file has a date stamp from July 11 2008. Until further notice I would recommend extreme caution upon visiting forbes.com
0-= Bluetack Internet Security Solutions

Re: Rogue Banner Ads [123greetings.com-Aug 8]

Postby TeMerc » Fri Aug 08, 2008 10:35 pm

Saturday, August 09, 2008 1:35 PM sandi
ALERT: malvertizements utilizing computer clipboards (copy and paste).
An interesting comment was posted to my blog today - the commentator said:

"...I had my clipboard go crazy last night, and I knew right away, because I write clipboard software (ClipMate) and so I was able to "hear" the clipboard events. This thing was posting more than once a second - overwriting the clipboard with their silly URL. I think they hope that people inadvertently paste it into blog posts, comments (like this one), e-mail, and such.

I have posted my findings here:
http://www.thornsoft.com/phpBB2/viewtopic.php?t=3567"

Another person complains of the clipboard problem - you can see the discussion here:
http://forums.devnetwork.net/viewtopic. ... 8&p=477521
0-= Spyware Sucks
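The ClipMate author's observation gives a clean detection signal: the same URL landing on the clipboard more than once a second, without the user copying anything. Added example, not code from this post, from Spyware Sucks or from ClipMate: a Python check that takes a list of timestamped clipboard writes, finds URL-like text written repeatedly inside a short window, and reports the peak write rate, plus a Windows-only poller (via the Win32 clipboard sequence number through ctypes) that feeds live events into the same check. The sample events and the rogue-ad.invalid URL are constructed; the function names and thresholds are assumptions of the example.

```python
import re
import sys
import time
from collections import defaultdict

URL_RE = re.compile(r"^(?:https?://|www\.)\S+$", re.IGNORECASE)

# Constructed clipboard events (seconds, text): one URL rewritten every 0.4 s for ~3 s,
# the way the ClipMate author described it, plus two ordinary copies by the user.
FLOOD_URL = "http://rogue-ad.invalid/?cmpid=flood"   # placeholder, not a real campaign URL
SAMPLE_EVENTS = [(i * 0.4, FLOOD_URL) for i in range(8)] + [
    (2.1, "grocery list: milk, eggs"),
    (5.0, "http://legit.invalid/page"),
]


def flag_clipboard_flood(events, window_s=1.0, min_writes=2):
    """Return {text: peak_writes_in_window} for URL-like texts written repeatedly.

    events: iterable of (seconds, text). A text is flagged when at least min_writes
    copies of it land on the clipboard within any window_s-second interval.
    """
    by_text = defaultdict(list)
    for ts, text in events:
        by_text[text.strip()].append(ts)
    flagged = {}
    for text, stamps in by_text.items():
        if not URL_RE.match(text):
            continue                                  # only URL-shaped payloads are of interest
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):                # sliding window over the timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_writes:
            flagged[text] = best
    return flagged


def _read_clipboard_text_windows():
    """Read CF_UNICODETEXT from the Windows clipboard via ctypes (Windows only)."""
    import ctypes
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.GetClipboardData.restype = ctypes.c_void_p
    kernel32.GlobalLock.restype = ctypes.c_void_p
    kernel32.GlobalLock.argtypes = [ctypes.c_void_p]
    kernel32.GlobalUnlock.argtypes = [ctypes.c_void_p]
    CF_UNICODETEXT = 13
    if not user32.OpenClipboard(None):
        return None
    try:
        handle = user32.GetClipboardData(CF_UNICODETEXT)
        if not handle:
            return None
        ptr = kernel32.GlobalLock(handle)
        try:
            return ctypes.wstring_at(ptr) if ptr else None
        finally:
            kernel32.GlobalUnlock(handle)
    finally:
        user32.CloseClipboard()


def monitor_windows_clipboard(seconds=30, poll_s=0.05, window_s=1.0, min_writes=2):
    """Poll the clipboard sequence number for a while, then run the flood check on what was seen."""
    if sys.platform != "win32":
        raise RuntimeError("live monitoring uses the Win32 clipboard API; run this on Windows")
    import ctypes
    user32 = ctypes.windll.user32
    events, last_seq = [], user32.GetClipboardSequenceNumber()
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        seq = user32.GetClipboardSequenceNumber()
        if seq != last_seq:                           # the number changes on every clipboard write
            last_seq = seq
            text = _read_clipboard_text_windows()
            if text:
                events.append((time.monotonic(), text))
        time.sleep(poll_s)
    return flag_clipboard_flood(events, window_s, min_writes)


if __name__ == "__main__":
    print(flag_clipboard_flood(SAMPLE_EVENTS))        # constructed data runs on any platform
```

Polling every 50 ms is plenty for a write rate of "more than once a second". Note what this does and does not tell you: it confirms the symptom the commentator heard, but the clipboard API does not say which process wrote, so the next step is closing browser windows one at a time (or looking at which page has a Flash ad loaded) to find the page doing it.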

Re: Rogue Banner Ads [123greetings.com-Aug 8]

Postby TeMerc » Sun Aug 17, 2008 9:49 am

ALERT: malvertizement at newsweek.com (hosted by washingtonpost.com)
Sunday, August 17, 2008 7:46 AM sandi

Once again, it is a malvertizement created using Fuse Kit. Again, there are signs that the malvertizement came from the now defunct trackstarmedia.

Kimberley has all the details at her forum. The advertisement is still live at time of writing.


It is quite obvious that the bad guys are going to take as much advantage as they can of the fact that their current malvertizements are extremely difficult to detect (malvertizements created using Fuse Kit). They are going to hit every site that they can, as often as they can, for as long as they can. It worries me that I am seeing complaints about malvertizing-like symptoms all over the net implicating not only newsweek but other big-name sites like MSNBC, Facebook, lime.com, Hotmail, MySpace and Yahoo.

I am seeing reports of the malicious redirects remaining dormant for a week before visitors to victim web sites are hijacked and redirected to fraudware sites. Web sites simply *must* increase their due diligence checks with any new advertiser. It is going to take time, and it is going to cost money, but what alternative do web sites have if they want to protect and keep their readership, and if they want to avoid the inevitable end result of malvertizing, which is that more and more visitors to their sites are going to block all advertising?

0-= Screenshots & Commentary @ Spyware Sucks

Re: Rogue Banner Ads [newsweek\washingtonpost-Aug 17]

Postby TeMerc » Thu Aug 21, 2008 10:48 pm

ALERT: please treat all content from eosads.com with extreme caution
Friday, August 22, 2008 1:39 PM sandi

IP with A-records:
    alice-cms.com
    cstur.com
    mail.alice-cms.com
    mail.cstur.com
    mail.eosads.com
    mail.freeebayguide.net
    mail.kxtrlive.com
    mail.phentermine375noprescription.com
    mail.zummedia.com
    phentermine375noprescription.com
    tatushki.info
    zummedia.com
sharing mailserver IP:
    alice-cms.com
    cstur.com
    freeebayguide.net
    phentermine375noprescription.com
    zummedia.com
greatvideo3.com - IP: 84.16.252.73
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD.
hostnames sharing IP with A-records:
    3gigabytes.com
    84-16-252-73.internetserviceteam.com
    antivirus-download3.com
    internet-defense2009.com
    mail.antispyguard-scanner.com
    mail.onlinexpsecurity.com
    myfreespace3.com
    update-direct.com
    windows-defense.com
    xp-protectsoft.com
sharing mailserver IP:
    84-16-252-73.internetserviceteam.com
    antispyguard-scanner.com
    antivirus-2009pro.com
    antivirus2009-software.com
    antivirus2009professional.com
    onlinexpsecurity.com
    xp-registration.com
0-= More @Spyware Sucks

Re: Rogue Banner Ads [eosads.com-Aug 22]

Postby TeMerc » Mon Aug 25, 2008 11:06 pm

mediamate malvertizements - several samples
Tuesday, August 26, 2008 11:19 AM sandi

I received three separate samples of a mediamate malvertizement today, all with different names.

  • First sample:
    This time it hit googiesindication.com - IP: 217.150.254.47
    Registrar: TLDS, LLC DBA SRSPLUS
    Creation date - 26 November 2007
    Registrant, administrative and billing contact: Jon Lod (mail@googiesindication.com)
  • Second sample:
    This one hits officialstat.net - IP: 92.62.100.7
    Registrar: COMMUNIGAL COMMUNICATIONS LTD
    Creation date - 1 February 2008
    Registrant, administrative, technical and billing contact: Serg Moon (moon.serg@gmail.com)
  • Third sample:
    This one hit staticglobalsources.com - IP: 92.62.100.14
    Registrar: COMMUNIGAL COMMUNICATIONS LTD
    Creation date - 1 February 2008
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [mediamate.com-Aug 26]

Postby TeMerc » Tue Aug 26, 2008 8:21 am

ALERT: please treat all content from admarketcenter.com with extreme caution
Tuesday, August 26, 2008 11:13 PM sandi
IP with A-records:
    excursionglobe.com
    mypussyworld.com
sharing mailserver IP:
    Nil
sharing name server:
    lots

Excursionglobe.com is a known bad actor.
0-= Screenshots @ Spyware Sucks

Re: Rogue Banner Ads [admarketcenter.com-Aug 26]

Postby TeMerc » Thu Aug 28, 2008 12:47 am

ALERT: Please treat content from adservdb.com with extreme caution
Thursday, August 28, 2008 3:43 PM sandi
Malicious destination URL: security-scan-pc.com

Malicious campaign URL: adservdb.com/ads/?id=d3

The id=d3 URL completes various checks (browser version mostly) and then redirects to this URL: adservdb.com/tmp01.asp

The tmp01.asp URL sets a cookie, and completes various checks (Year, Month, Date, Hours, Minutes, Milliseconds, browser version) and, if the PC passes the test, we are redirected to this URL: adservdb.com/tmp02.asp (more country and time zone checks) (there is also a tmp03.asp)

No obvious fraudware connections are found via Reverse IP, shared IP etc.

IP, NS and WHOIS history also unrevealing.

Nothing untoward is revealed by a web search (until I send this article live, that is...).

At time of writing, http://www.adservdb.com, which you would assume is the most logical "home page" for adservdb.com, contained little more than Google Analytics javascript.

This is the first time I have not been able to find definitive evidence of past bad behavior, or a connection with known bad actors, when investigating a malvertizing incident. That being said, adservdb.com is definitely the source of the malvertizement that I saw today.
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [adservdb.com-Aug 28]

Postby TeMerc » Mon Sep 01, 2008 10:56 pm

ALERT: Malvertizement featuring car.com
Tuesday, September 02, 2008 12:14 PM sandi
This one uses some pretty old protocols, but is still in circulation:
  • getfreecar.com/statsa.php?u=<<removed>>
  • getfreecar.com/statsg.php?u=<<removed>> (loads the long since discarded gnida.swf)
  • getfreecar.com/statss.php?campaign=<<removed>>
  • blessedads.com/?cmpid=<<removed>>
  • adnetserver.com/?tmn=<<removed>>
  • antispywaremaster.com/<<removed>>
0-= Screenshots @ Spyware Sucks

Re: Rogue Banner Ads [car.com-Aug 28]

Postby TeMerc » Mon Sep 08, 2008 7:32 pm

ALERT: treat any content from dentsu-inc.com with extreme caution
Reports have been received that there have been attempts to sell malvertizements, with contact being made by email, with the correspondent using the email address @dentsu-inc.com.

Dentsu is a large Japanese agency, but their real domain is @dentsu.com (no inc).
dentsu-inc.com was registered, not surprisingly, by the infamous Estdomains Inc. The domain was created on 24 June 2008.
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [dentsu-inc.com-Sept 9]

Postby TeMerc » Tue Sep 09, 2008 11:50 pm

ALERT: malvertizements featuring Travelwise are being distributed
The sample I saw hit aboutstat.com (aboutstat.com/crossdomain.xml, and aboutstat.com/c/index.php?id=<<removed>>)

Registrar: Communigal Communications Ltd
Created 1 February 2008
Updated 8 September 2008

NS: ns1.aboutstat.com; ns2.aboutstat.com

IP: 92.61.100.3 (Estonia, Starline Web Services)

Registrant: Serg Moon (moon.sergATgmail.com) <--- a well known "bad actor"

Websites in IP range 92.61.100.% <-- many "bad actors"
    1. Createyourlove.net
    2. Findyourlovesite.com
    3. Finebeautifulwomen.net
    4. Girlslovefamily.net
    5. Inspiredlove.net
    6. Kindbeautifulgirls.net
    7. Makefamily.net
    8. Tenderwoman.net
    9. Happylovewithgirls.com
    10. Romanticnightworld.com
    11. Vaskot.com
    12. Advancedprivacyguard.com
    13. Advancedprivacyguard2008.com
    14. Advancedprivacyguardpro.com
    15. Advancedprivacyguardsolution.com
    16. Advancedprivacyguardtool.com
    17. Advancedprivacysuite.com
    18. Advancedprivacysuite2008.com
    19. Advancedprivacysuite2009.com
    20. Advancedprivacysuitepro.com
    21. Antispyexpert.com
    22. Antispyexpertpro.com
    23. Antispywareexpert-scanner.com
    24. Antispywareexpert-solution.com
    25. Antispywareexpert-system.com
    26. Antispywareexpert.com
    27. Antispywareexpertpro.com
    28. Bestpcprivacycleaner.com
    29. Cyberadvancedprivacysuite.com
    30. Globaladvancedprivacyguard.com
    31. Globaladvancedprivacysuite.com
    32. Pc-cleanerpro.com
    33. Pcadvancedprivacyguard.com
    34. Pcadvancedprivacysuite.com
    35. Pcprivacycleaner.com
    36. Pcprivacycleanerpro.com
    37. Personalpccleaner.com
    38. Swiftpcprivacycleaner.com
    39. Yourpcprivacycleaner.com
0-= Spyware Sucks

Re: Rogue Banner Ads [dentsu-inc.com-Sept 9]

Postby TeMerc » Wed Sep 10, 2008 10:53 pm

ALERT: malvertizements currently in circulation
Published Thursday, September 11, 2008 12:34 PM by sandi
There are several malvertizements in circulation - some of which are "new". I have not seen malvertizements featuring Dish Network or Lumosity before today.
  • Cardstore.com - created using Fuse
  • Dish Network - created using Fuse
  • Fast free new car quotes - an older style malvertizement that was NOT created using Fuse
  • Lumosity "Reclaim Your Brain" games- created using Fuse
0-= Screenshots @ Spyware Sucks

Re: Rogue Banner Ads [New Ads-Sept 11]

Postby TeMerc » Fri Oct 10, 2008 12:56 am

New malvertizement trickery affecting surfline.com and careerbuilder.com
For a long time now, we have been focusing on SWF (Flash) based malvertizements where the SWF itself contains malicious code. Over time, our detection abilities have improved (thanks in no small part to adopstools) and it is getting harder and harder for malvertizers to get their wares on to web pages.

Then the malvertizers started misusing Fuse, and for a while their malvertizements were not being detected by adopstools. That situation was shortlived.

In recent days, I have seen signs that the malvertizers are diversifying, and using tricks other than maliciously coded SWF.
0-= Continued @ Spyware Sucks
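Sandi's point that detection has so far centred on the SWF itself carrying malicious code is a good place to show what basic SWF triage looks like. Added example, not code from this post, from Spyware Sucks or from adopstools: a Python script that reads the SWF header (FWS uncompressed, CWS zlib-compressed), inflates a compressed file, walks the tag list, names the tags that carry code (DoAction, DoInitAction, DoABC), pulls literal URLs out of them and flags ActionGetURL2, whose URL is assembled on the stack at run time and therefore never appears as a literal string. To run offline it builds its own minimal sample SWF containing one ActionGetURL record pointing at a placeholder .invalid URL; the sample builder, the ad-redirect.invalid URL and the result keys are assumptions of the example.

```python
import re
import struct
import zlib

TAG_NAMES = {0: "End", 12: "DoAction", 59: "DoInitAction", 82: "DoABC"}
CODE_TAGS = {12, 59, 82}          # tag types that can carry executable code
ACTION_GET_URL = 0x83             # AS2 ActionGetURL: URL is a literal string in the record
ACTION_GET_URL2 = 0x9A            # AS2 ActionGetURL2: URL is taken from the stack (built at run time)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def _rect(xmin, xmax, ymin, ymax, nbits=15):
    """Encode a SWF RECT: a 5-bit field width followed by four fields of that width, byte-padded."""
    bits = f"{nbits:05b}" + "".join(f"{v & ((1 << nbits) - 1):0{nbits}b}" for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _tag(code, body):
    """Encode a tag header: 10-bit code + 6-bit length; long form (0x3F + uint32) when length >= 63."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(body)) + body


def build_sample_swf(url, compressed=False):
    """Constructed sample (not a real ad): a one-frame SWF whose only code is ActionGetURL(url)."""
    payload = url.encode() + b"\x00" + b"_blank\x00"                       # URL + target, NUL-terminated
    actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(payload)) + payload + b"\x00"  # + ActionEnd
    body = (_rect(0, 6000, 0, 5000)                                          # 300x250 px stage, in twips
            + struct.pack("<H", 12 << 8)                                     # frame rate 12.0 (8.8 fixed)
            + struct.pack("<H", 1)                                           # one frame
            + _tag(12, actions) + _tag(0, b""))                              # DoAction, then End
    length = 8 + len(body)                                                   # uncompressed length incl. header
    if compressed:
        return b"CWS" + bytes([8]) + struct.pack("<I", length) + zlib.compress(body)
    return b"FWS" + bytes([8]) + struct.pack("<I", length) + body


def _action_codes(body):
    """Walk AS2 action records and return their opcodes (records >= 0x80 carry a 16-bit length)."""
    codes, pos = [], 0
    while pos < len(body):
        code = body[pos]
        pos += 1
        if code == 0:                                 # ActionEnd
            break
        codes.append(code)
        if code >= 0x80:
            pos += 2 + struct.unpack_from("<H", body, pos)[0]
    return codes


def scan_swf(data):
    """Triage an SWF: header sanity, tag list, literal URLs in code tags, run-time-built URLs."""
    sig, version = data[:3], data[3]
    declared = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled by this example")
    else:
        raise ValueError("not a SWF file")
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4               # skip RECT, frame rate and frame count
    result = {"version": version, "compressed": sig == b"CWS", "length_ok": declared == 8 + len(body),
              "tags": [], "urls": [], "dynamic_url": False}
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        code, length = header >> 6, header & 0x3F
        pos += 2
        if length == 0x3F:
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tag_body = body[pos:pos + length]
        pos += length
        result["tags"].append(TAG_NAMES.get(code, code))
        if code in CODE_TAGS:
            result["urls"] += [u.decode("ascii", "replace") for u in URL_RE.findall(tag_body)]
            if code in (12, 59) and ACTION_GET_URL2 in _action_codes(tag_body):
                result["dynamic_url"] = True          # URL built at run time: literal sweep will miss it
        if code == 0:
            break
    return result


if __name__ == "__main__":
    print(scan_swf(build_sample_swf("http://ad-redirect.invalid/?cmpid=example", compressed=True)))
```

A literal-URL sweep like this is exactly the kind of static check that an ad which assembles its destination at run time slips past, which is why the script reports the presence of ActionGetURL2 separately: an ad creative with no literal URL but a stack-built one deserves a closer look (or a run in a sandbox with network capture) before it goes on a page.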

Re: Rogue Banner Ads [careerbuilder.com-Oct 10]

Postby TeMerc » Fri Oct 10, 2008 11:07 pm

ALERT: Treat all content from the ad agency called Adshaven with extreme caution
Saturday, October 11, 2008 11:50 AM by sandi
So, who are AdShaven? Let's take a look.

According to domaintools.com, there is an adshaven.com. None of the other domains discovered are a logical fit:

The domain adshaven.com was created on 20 August 2008. Netfirms (a name that has appeared before in connection with recent malvertizement activity in recent times) is the ICANN Registrar.

Name servers and mail servers are supplied by panelboxmanager.com.

According to Robtex, panelboxmanager's upstream provider is AS32613 (aka, iWeb - yet another name that has previously appeared in association with domains that facilitate malvertizing).

IP: 72.55.186.16 - Panelbox, Quebec (shared with 391 other sites)

Previous IPs:
    38.113.185.195
    69.64.155.76
    68.178.232.99
    78.129.128.40
    82.98.86.164
    69.93.129.226
WHOIS details currently hidden behind "Domain Privacy Group".

There is a note here advising that adshaven.com had been "suspended until further notice".
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [adshaven.com-Oct 11]

Postby TeMerc » Wed Oct 15, 2008 10:41 pm

Malvertizement featuring Skype - again
Malicious URLS: s-tatetstr.com/crossdomain.xml
s-tatetstr.com/c/index.php?id=<<snipped>>

s-tatetstr.com - 92.62.100.27 - - Estonia - Starline Web Services
ICANN Registrar - TLDS, LLC DBA SRSPLUS
Created: 25 September 2008
NS: NS1.S-TATETSTR.COM
NS: NS2.S-TATETSTR.COM
Registrant:
Sagent Group (adminsagent@gmail.com) associated with about 86 other domains
Sagent Group Ltd.
Guzel street, 45
Belize City, NONE NONE
BZ
698-456-324

IP currently listed in Spamhaus:
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL66912

Sharing IP range (lots of old, familiar names here...):
    1. Statgroup.net
    2. Stathisranch.com
    3. Stathisranch.net
    4. Stathome.net
    5. Staticglobalsources.com
    6. Staticglobalsources.net
    7. Station-appraisals.com
    8. S-tatetstr.com
    9. S-tathisranch.com
    10. S-tathisranch.net
    11. Aboutstat.com
    12. S-tatgroup.net
    13. Aboutstat.net
    14. Vaskot.com
    15. Newstat.net
    16. Officialstat.com
    17. Officialstat.net
    18. Stat-diagnostic-imaging.net
Malicious URLs:
stathisranch.com/crossdomain.xml
stathisranch.com/c/index.php?<<snipped>>
0-= Spyware Sucks
=======================================================
Malvertizement featuring Suzuki...
Malicious URL:
track.megaplexer.com/statsa.php?campaign=<<snipped>>

ICANN Registrar: Estdomains, Inc
Created: 7 April 2003
NS: NS1.MEGAPLEXER.COM
NS: NS2.MEGAPLEXER.COM
Registrant:
Vasil pentykovich
(leonardo126@gmail.com - associated with 22 domains)
Ny tipa normalnij address
Shoblo
Other,20365
PR
Tel. +023.2569856
Fax. +023.5565599

Domain suspended - previous IP 64.15.157.119

64.15.157.119 - Canada Iweb Dedicated Cl
0-= Spyware Sucks
=======================================================
Malvertizement featuring americansingles.com
Malicious URL:
mystats.com/crossdomain.xml

mystats.com - IP 208.87.33.150 - Bahamas - Secure Hosting Ltd
ICANN Registrar: FABULOUS.COM PTY LTD
Created 23 July 1997
NS: NS1.HITFARM.COM
NS: NS2.HITFARM.COM
NS: NS3.HITFARM.COM

Reverse IP - reverse DNS - wc40-main.medialogik.com
1,156,828 domains hosted on the same server !!!!

208.87.33.% - 1,156,841 domains !!!

medialogik.com - 72.51.27.100 - British Columbia - Vancouver - Nameview Inc
ICANN Registrar: Nameview Inc
Created 5 August 2001
WHOIS: Hidden behind "Whois Identity Shield"

Other sites at same IP:
    1. Aditcorp.com
    2. Bulkurl.com
    3. Exileddomains.com
    4. Gdei.com
    5. Hoststart.com
    6. Medialogik.com
    7. Proto.com
    8. Verticalaxis.com
0-= Spyware Sucks

Re: Rogue Banner Ads [3X Updates-Oct 15]

Postby TeMerc » Sun Oct 19, 2008 10:56 pm

Malvertizing domains: go-scan-pro.com (and friends)...
Hit this one today:

go-scan-pro.com -78.157.143.184 -Latvia, Vdhost Ltd
ICANN Registrar: REGTIME LTD.
Created on: 7 October 2008
NS: NS1.SITELUTIONS.COM
NS: NS2.SITELUTIONS.COM
Registrant:
Petr Bernatzik
Email: feetecho--gmail.com
Organization: Bernatzik Co
Address: Dobevska 877/4
City: Praha
State: Kamyk
ZIP: 14300
Country: CZ
Phone: +420.60176712
Fax:

Shared IP:
    1. Cokiran.com
    2. Go-iascan.com
    3. Go-scan-pro.com
    4. Goscanpc.com
    5. Ia-free-scanner.com
    6. Ia-install-pro.com
    7. Ia-installs.com
    8. Ia-payment.com
    9. Ia-scan-now.com
    10. Ia-scan-pro.com
    11. Ia-scanner-pc.com
    12. Ia-scanner-pro.com
    13. Ia-scannerpro.com
    14. Ia-scanpro.com
    15. Ia-stat-ia.com
    16. Ia-stat-pro.com
    17. Internet-antivirus-2008.com
    18. Wa-payment.com
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [3X Updates-Oct 15]

Postby TeMerc » Thu Oct 30, 2008 8:30 pm

ALERT: please treat all content from metrixlab-tds.com with extreme caution
URLs used to facilitate the hijacking:

bannersrotator.com/fx22010/click.php
stl.0ups.com/stl/in.cgi?24&

Note that different SWF files are served to the potential victim, depending on the version of Flash being used...

I'll also emphasise that the malicious domain is not associated with the legitimate company Metrixlab at http://www.metrixlab.com.

AND, guess who is the ICANN Registrar.... DIRECTI.

I ask you, what possible excuse is there for accepting a WHOIS entry like the one for metrixlab-tds.com?

ad1.metrixlab-tds.com - 82.98.193.102
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sharing IP with A Record: tds1.onlineredirsystem.com
Registrant:
n/a
Josh Silver (metrixlab.uk@googlemail.com)
n/a
n/a
n/a
n/a
,000000
US
Tel. +999.999999999

bannersrotator.com - 82.98.193.165
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registrant:
N/A
Jonh Anderson (mailalexmail@gmail.com)
Mulwar str.46
New York
null,12576
US
Tel. +534.347324774

stl.0ups.com - 82.98.193.166 and 82.98.235.104
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registrant:
N/A
Jonh Anderson (mailalexmail@gmail.com)
Mulwar str.46
New York
null,12576
US
Tel. +534.347324774
0-= Bluetack Internet Security Solutions

Re: Rogue Banner Ads [metrixlab-tds.com -Oct 30]

Postby TeMerc » Mon Nov 10, 2008 7:47 am

ALERT: malvertizement featuring imin.com
The malvertizement itself scans clean at Adopstools:
http://www.adopstools.com/index.asp?pag ... gH5jyGpJ0D

The malvertizement SWF uses the _url variable to check the URL that the SWF is run from. It also checks the timezone of the displaying computer.

The SWF loads another SWF from the URL optimizedby.net/__utm.gif?utmwv=1.1&utmn=<<snipped>>.

Note that the bad guys have tried to hide the fact that a SWF is being downloaded from optimizedby.net by pretending that it is a "GIF" (optimizedby.net_utm.gif).

The SWF from optimizedby.net is detected as malicious by Adopstools:
http://www.adopstools.com/index.asp?pag ... pFem3Sax2e

So, who are optimizedby.net? You will not be surprised to read that the ICANN Registrar is ESTDOMAINS. The domain was created on 26 August 2008, so it has been around for a while, and is hosted at IP 212.95.32.166 at Berlin (Netdirekt E.k). It is registered to a Sergey Bolshakov (serg.bolshakov@mail.ru)

Name servers:
    NS1.OPTIMIZEDBY.NET (212.95.32.166 - internetserviceteam.com)
    NS2.OPTIMIZEDBY.NET (212.95.32.166 - internetserviceteam.com)

Netdirekt has been hosting several malicious domains in recent times, including:

premium-pc-scan.com, antivirus-live-scan.com, premiumlivescan.com and quick-live-scan.com. The first two were registered via REGTIME to a Vladimir Polilov; the second two were registered via ONLINENIC to a Shestakov Yuriy.
0-= Spyware Sucks
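The post above describes the hidden second-stage creative: a SWF fetched from a URL that ends in "__utm.gif" so that it looks like a tracking pixel. The following is an added example, not code from this thread or from Spyware Sucks, showing the check a defender or ad-ops reviewer can run on fetched creatives: compare what the URL extension and Content-Type claim against the file's magic bytes (SWF begins with FWS, CWS or ZWS; GIF with GIF87a or GIF89a). All hostnames (under .invalid) and payload bytes are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit
import posixpath

# Magic bytes: SWF starts with FWS (uncompressed), CWS (zlib) or ZWS (LZMA);
# GIF starts with GIF87a or GIF89a.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
GIF_MAGICS = (b"GIF87a", b"GIF89a")
SWF_CONTENT_TYPES = ("application/x-shockwave-flash", "application/vnd.adobe.flash.movie")


def sniff_type(data: bytes) -> str:
    """Classify a fetched object by its leading bytes, ignoring what the server claimed."""
    if data[:6] in GIF_MAGICS:
        return "gif"
    if data[:3] in SWF_MAGICS:
        return "swf"
    return "unknown"


def declared_type(url: str, content_type: Optional[str]) -> str:
    """What the URL's path extension and the Content-Type header claim the object is.

    The query string is dropped first, so '/__utm.gif?utmwv=1.1&utmn=...' counts as '.gif'.
    """
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    media = (content_type or "").split(";")[0].strip().lower()
    if ext == ".gif" or media == "image/gif":
        return "gif"
    if ext == ".swf" or media in SWF_CONTENT_TYPES:
        return "swf"
    return "unknown"


def check_creative(url: str, content_type: Optional[str], data: bytes) -> dict:
    """Return the claimed and actual types plus a mismatch flag for one creative."""
    claimed = declared_type(url, content_type)
    actual = sniff_type(data)
    mismatch = claimed != "unknown" and actual != "unknown" and claimed != actual
    return {"url": url, "claimed": claimed, "actual": actual, "mismatch": mismatch}


# Constructed samples (hypothetical hosts under .invalid, payload bytes made up):
# a zlib-compressed SWF served under a GIF name and Content-Type, a genuine GIF,
# and an honestly labelled SWF.
CONSTRUCTED_SAMPLES = [
    ("http://tracker.invalid/__utm.gif?utmwv=1.1&utmn=12345", "image/gif",
     b"CWS\x08" + (1234).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 16),
    ("http://cdn.invalid/banner.gif", "image/gif",
     b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16),
    ("http://cdn.invalid/banner.swf", "application/x-shockwave-flash",
     b"FWS\x06" + (300).to_bytes(4, "little") + b"\x00" * 16),
]


def flagged_urls(samples=CONSTRUCTED_SAMPLES) -> list:
    """URLs whose bytes do not match what their name or header claims."""
    return [r["url"] for r in (check_creative(*s) for s in samples) if r["mismatch"]]


if __name__ == "__main__":
    for sample in CONSTRUCTED_SAMPLES:
        print(check_creative(*sample))
```

Only the first constructed sample is flagged: it is named and served as a GIF but begins with a CWS header. A scanner that trusts the extension or the header alone, as a tracking-pixel allow-list would, never looks inside it.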

Re: Rogue Banner Ads [metrixlab-tds.com -Oct 30]

Postby TeMerc » Mon Nov 10, 2008 8:27 am

ALERT: malvertizement featuring diamondharmony.com
We saw malvertizements featuring diamondharmony.com back in June of this year.

The malvertizement code is similar to that used for the malvertizement that appeared on newsweek.com back in August of this year. This malvertizement is also created using Fuse, and references adoptserver.info.


Adoptserver.info's IP address is currently 64.28.187.77, hosted in California by Cernel. It is, apparently, registered to a Javier Vega, email softjoda@yahoo.com.

The Sponsoring Registrar is currently listed as Regtime Ltd. (R455-LRMS)

It is interesting that these changes are occurring, and that the ICANN Registrar is now listed as Regtime Ltd. Yes, the bad guys are diversifying and have learned not to "hide all their eggs in one basket" but sadly for those behind the domains that facilitate malvertizing, historical WHOIS and IP records are preserved and accessible.

We already know to keep a close eye on Regtime. That name is appearing in association with more and more malvertizing domains, for example:
    premium-pc-scan.com
    antivirus-pc-scan.com
    securityfullscan.com
    antivirus-live-scan.com
    updateyourprotection.com
    antivirus-premiumscan.com
    securitylivescan.com
    security-full-scan.com
    secured-liveupdate.com
    livepcupdate.com
    protection-update.com
    antivirus-scan-online.com
    go-scan-pro.com
    internet-antivirus-2008.com
    ia-stat-ia.com
    ia-scanner-pro.com
    ia-scanner-pro.com
    ia-scanpro.com
    ia-scannerpro.com
    online-antivirus.net
    virus-scan-online.com
    online-virus-scanning.com
    scanner-protection.com
    xpas2009.com
0-= Continued @ Spyware Sucks

Re: Rogue Banner Ads [metrixlab-tds.com -Oct 30]

Postby TeMerc » Sun Nov 16, 2008 9:38 am

ALERT: Malvertizements at foxnews.com - treat all content from adserver.adtechie.net with extreme caution
Malvertizements - lots of them - from adtechie.net. And some are being served via AdMeld.

Here's an interesting snippet for you - as we know from this article's title, malvertizements from adtechie.net via AdMeld have been spotted on Fox news (see Kimberley's report). Guess who is CEO at AdMeld - none other than somebody who is apparently an ex employee of Fox Media Interactive - a Michael Barrett - "who was most recently Executive Vice President, Chief Revenue Officer for Fox Interactive Media. Mr. Barrett has previously held senior level positions at AOL, Yahoo, Disney Online and more over his 25-year career".

adtechie.net was registered on 3 October 2008 via none other than Directi. Their IP is 212.95.37.206 (Germany, Netdirekt E.k - another name appearing more often in association with malvertizement domains).

Let's take a look at WHOIS. The declared Registrant, "SD", apparently owns 294 other domains, and apparently goes by the name of Dietmar Hebels (hebels@gmx.ch).

The IP range, 212.95.37.% is shared with some charmingly named domains such as pornosupermodels.info, buyrxgeneric.com, cheapgenericrx.com and thegenericpills.com. That alone should raise alarm bells for AdMeld.

The full list of domains:

    1. Adclickmate.net
    2. Sharemaster.ru
    3. Smoomy.com
    4. 123rt.net
    5. Emazzo.com
    6. Iiiosh.com
    7. Info9f.com
    8. Tizz3r.com
    9. Answersaboutall.com
    10. Ask-about-all.com
    11. Findhm.com
    12. Freeforcat.net
    13. Freeforcat.org
    14. Fuksu.net
    15. Hmaxsite.com
    16. Omerka.com
    17. Servala.com
    18. Vhmax.com
    19. Virtul.net
    20. Vuala.net
    21. Zipkinci.com
    22. Buyrxgeneric.com
    23. Cheapgenericrx.com
    24. Genericrxmed.com
    25. Pornosupermodels.info
    26. Thegenericpills.com
    27. Seedtillubleed.com
    28. Kuchnie.pl
    29. Meine-kueche24.at
    30. Meine-kueche24.de
    31. Adtechie.net
    32. Speakers4car.com
    33. Azartgame.in
    34. Aoaue.com
    35. Axer52.com
    36. Iiltt.net
    37. Mtptpp.com
    38. Tztxi.net
    39. Uiui77.com
    40. Mazers.net
0-= Continued @ Spyware Sucks
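The posts in this thread pivot the same way every time: take one malvertizing domain, look at what else resolves to its IP ("Shared IP", "Sharing IP with A Record") and then at the wider range ("Sharing IP range", "212.95.37.%"), and treat the neighbours as suspects. The following is an added example, not code from this thread or from Spyware Sucks, that automates that pivot over passive-DNS style (domain, A record) pairs and reports, for each domain not yet on the bad list, which known-bad domains share its exact address and which only share its /24. All domain names, addresses and the known-bad list are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records (domain, A record). Hosts are hypothetical
# .example names; addresses come from the documentation ranges 198.51.100.0/24
# and 203.0.113.0/24, so nothing here points at a real server.
CONSTRUCTED_RECORDS = [
    ("go-scan-pro.example", "198.51.100.10"),
    ("ia-scan-pro.example", "198.51.100.10"),
    ("ia-payment.example", "198.51.100.10"),
    ("newshop.example", "198.51.100.77"),
    ("innocent.example", "203.0.113.5"),
]

# Domains already confirmed as malvertizing infrastructure (constructed for this example).
KNOWN_BAD = {"go-scan-pro.example", "ia-scan-pro.example"}


def index_records(records, prefix_len=24):
    """Group domains by exact IP and by the enclosing /prefix_len network."""
    by_ip = defaultdict(set)
    by_net = defaultdict(set)
    for domain, ip in records:
        addr = ipaddress.ip_address(ip)
        by_ip[addr].add(domain)
        by_net[ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)].add(domain)
    return by_ip, by_net


def pivot(records, known_bad, prefix_len=24):
    """For every domain not yet on the bad list, report the known-bad domains that
    share its exact IP ("same_ip") and those that only share its /prefix_len
    ("same_net"). Domains with no bad neighbours at all are omitted."""
    by_ip, by_net = index_records(records, prefix_len)
    findings = {}
    for domain, ip in records:
        if domain in known_bad:
            continue
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        same_ip = (by_ip[addr] & known_bad) - {domain}
        same_net = (by_net[net] & known_bad) - same_ip - {domain}
        if same_ip or same_net:
            entry = findings.setdefault(domain, {"same_ip": set(), "same_net": set()})
            entry["same_ip"] |= same_ip
            entry["same_net"] |= same_net
    # Sorted lists make the report stable and easy to diff from one run to the next.
    return {d: {"same_ip": sorted(v["same_ip"]), "same_net": sorted(v["same_net"])}
            for d, v in findings.items()}


if __name__ == "__main__":
    for domain, neighbours in pivot(CONSTRUCTED_RECORDS, KNOWN_BAD).items():
        print(domain, neighbours)
```

An exact-IP match is the stronger signal (the "Shared IP" lists above); a /24 match on its own is only a reason to look harder, since large shared hosts such as the 208.87.33.% range mentioned earlier put a million unrelated domains in the same block.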