Full Version: Flash Mystery
B.I.S.S. Forums > Malware News , Research & Removal > Malware Playground
Kimberly

more adtds.adnewgeneration.com stuff ...


Redirect.
powertds.ws/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
internetprosecurity.com/2009/1/freescan.php?id=[*]
internetprosecurity.com - 89.149.241.106

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-09-10
Updated: 2008-10-13
Name Server: NS1.FREEFASTDNS.COM (has 37 domains)
Name Server: NS2.FREEFASTDNS.COM
Whois Server: whois.estdomains.com
IP Location - Berlin - Berlin - Netdirekt E.k

Registration Service Provided By: REGNAME.BIZ
Contact: +7.9033729049
Website: www.regname.biz

Registrant:
N/A
Annette Young-Ogata ()
475 22nd Avenue
Honolulu
Hawaii,96813
US
Tel. +808.5863124
______________________________

Redirect.
soft-traff4.com/go.php?id=[*]
scanner.rapidantivirus.com/41/?advid=[*]&ref=&p=[*]
scanner.rapidantivirus.com / rapidantivirus.com - 91.208.0.220

ICANN Registrar: INTERNET.BS CORP.
Created: 2008-09-29
Updated: 2008-09-29
Name Server: NS1.RAPIDANTIVIRUS.COM (has 1 domains)
Name Server: NS2.RAPIDANTIVIRUS.COM
Whois Server: whois.internet.bs
IP Location - Russian Federation - Still Trade Ltd
Registrar: Internet.bs Corp.

Registrant
Sawert Alliance
33 New Road, Upper Flat
not provided Belize City
Belize

Administrative Contact
Sawert Alliance
Peltonen Martti seodancer (at) gmail dot com
33 New Road, Upper Flat
not provided Belize City
Belize
Tel: +7.9602578790
Kimberly

adnewgeneration.com & powertds.ws & quicktds.name ... related


Redirects.

tdsdefence.info/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
protectyworkpc.com/2009/1/freescan.php?id=[*]

______________________________

liveprotectioncheck.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
online-private-scan.com/2009/1/freescan.php?id=[*]

______________________________

flashwebscanner.com/soft.php?[*]&d=[*]&product=XPA&refer=[*]
online-private-scan.com/2009/1/freescan.php?id=[*]


IP Details


tdsdefence.info - 89.149.202.115

Created: 2008-09-16
Updated: 2008-10-03
Name Server:NS1.FREEFASTDNS.COM
Name Server:NS2.FREEFASTDNS.COM
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Registrant Name:Ternov Vladislav
Registrant Organization:N/A
Registrant Street1:Dimievskya 20-134
Registrant Street2:
Registrant Street3:
Registrant City:Odessa
Registrant State/Province:Odessa Oblast
Registrant Postal Code:220020
Registrant Country:UA
Registrant Phone:+380.935187553
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:vladislavternov@googlemail.com
______________________________

liveprotectioncheck.com - 208.72.169.100

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-09-09
Updated: 2008-09-26
Name Server: NS1.FREEFASTDNS.COM (has 37 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - New York - New York - Mccolo Corporation
Registrant:
N/A
Anrea Pandim ()
100 North Riverside
Chicago
Illinois,60606
US
Tel. +312.5442450
______________________________

flashwebscanner.com - 216.240.134.211

ICANN Registrar: TUCOWS INC.
Created: 2008-09-05
Updated: 2008-09-05
Registrar Status: ok
Name Server: NS.123-REG.CO.UK (has 410,552 domains)
Name Server: NS2.123-REG.CO.UK
IP Location - California - Irvine - Go2online Corp
Registration Service Provider: www.123-reg.co.uk
Registrant:
Xenia Sobchak
Baterman str 13
London, SW1A 0AA
GB
______________________________

protectyworkpc.com - 89.149.202.115

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-09-10
Updated: 2008-10-08
Name Server: NS1.FREEFASTDNS.COM (has 37 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Berlin - Berlin - Netdirekt E.k
Registration Service Provided By: REGNAME.BIZ
Registrant:
N/A
Maureen Whelan ()
25 Industrial Park Road
Middletown
Connecticut,6457
US
Tel. +860.8072110
______________________________

online-private-scan.com - 208.72.169.100

ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-10-07
Updated: 2008-10-07
Name Server: SKY.EARTH.ORDERBOX-DNS.COM (has 37,572 domains)
Name Server: SKY.MARS.ORDERBOX-DNS.COM
Name Server: SKY.MERCURY.ORDERBOX-DNS.COM
Name Server: SKY.VENUS.ORDERBOX-DNS.COM
IP Location - New York - New York - Mccolo Corporation
Registration Service Provided By: NICS.NAME
Registrant: PrivacyProtect.org
Kimberly

weblevelclicks.com - safeinternettool.com - litetds.info - defendyourpc.com - forcedscan.com


More adtds.gorotation.com / adtds.adnewgeneration.com redirects and defendyourpc.com has been created TODAY.

Redirects.

litetds.info/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
defendyourpc.com/2009/1/freescan.php?id=[*]

______________________________

weblevelclicks.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
safeinternettool.com/2009/1/freescan.php?id=[*]

______________________________

adaptivetds.name/soft.php?[*]&d=[*]&product=XPA&refer=[*]
forcedscan.com/2009/1/freescan.php?id=[*]


IP Details


defendyourpc.com - 208.72.169.100

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-17
Updated: 2008-10-17 05:26:35
Name Server: NS1.FREEFASTDNS.COM (has 55 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - New York - New York - Mccolo Corporation
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:

Registrant:
Shestakov Yuriy +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
______________________________

safeinternettool.com - 89.149.241.106 & 216.240.134.208

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-14
Updated: 2008-10-14 09:03:36
Name Server: NS1.FREEFASTDNS.COM (has 55 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Berlin - Berlin - Netdirekt E.k
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910

Registrant:
Shestakov Yuriy +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
______________________________

weblevelclicks.com - 216.240.134.208

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-14
Updated: 2008-10-14 09:03:12
Name Server: NS1.FREEFASTDNS.COM (has 55 domains)
Name Server: NS2.FREEFASTDNS.COM
Whois Server: whois.onlinenic.com
IP Location - California - Irvine - Go2online Corp
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:

Registrant:
Shestakov Yuriy +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
______________________________

forcedscan.com - 64.86.17.44 & 216.240.134.211

ICANN Registrar: ONLINENIC, INC.
Created: 2008-09-26
Updated: 2008-09-26
Name Server: NS1.FREEFASTDNS.COM (has 55 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Ontario - Brampton - Velcom
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:

Registrant:
Shestakov Yuriy +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422

______________________________

litetds.info - 216.240.134.208

Created On:16-Sep-2008 10:19:58 UTC
Last Updated On:03-Oct-2008 23:26:39 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Registrant Name:Ternov Vladislav
Registrant Organization:N/A
Registrant Street1:Dimievskya 20-134
Registrant City:Odessa
Registrant State/Province:Odessa Oblast
Registrant Postal Code:220020
Registrant Country:UA
Registrant Phone:+380.935187553
Registrant Email:vladislavternov@googlemail.com
Kimberly

Adobe Flash Player 10 & the new crossdomain policy ... what a joke


As many of you may know (or not), Adobe Flash Player 10 has been released. According to the release notes, some security changes *might* impact on the recurring malformed SWF files.

References to read.
  • Security Bulletin for Flash Player and Security Advisory for Flash Professional CS3
  • Understanding the security changes in Flash Player 10
  • Policy file strictness: Phase 2
    With Phase 2 in Flash Player 10, the meta-policy default will change from "all" to "master-only." This will allow all master policy files (any policy file saved in the root of the domain with the name crossdomain.xml, such as hxxp://example.com/crossdomain.xml) to continue to function as expected. However, all other policy files defined in alternate locations will require an explicit meta-policy for them to work.

    What is impacted?
    This change can potentially affect any SWF file accessing cross-domain content. This change affects SWF files of all versions played in Flash Player 10 and later. This change affects all non-app content in Adobe AIR (however, AIR app content itself is unaffected).

    What do I need to do?
    Read the article, Policy file changes in Flash Player 9 and Flash Player 10.

    If you have not already, define a meta-policy for your domain. Even if you are only using a master policy file, it is recommended you still explicitly define a meta-policy. Meta-policies can be set in the master policy file within a site-control directive, or through headers sent by the server.

    If you depend on content from a domain outside of your control, you should contact that domain's administrator and make sure they have a meta-policy that is up to date.
______________________________

The crossdomain policy always has been a problem with malvertizements. Now did that issue change with Flash Player 10? The answer is NO. Why not? ... the answer is below.
... the meta-policy default will change from "all" to "master-only." This will allow all master policy files (any policy file saved in the root of the domain with the name crossdomain.xml, such as hxxp://example.com/crossdomain.xml) to continue to function as expected.
Sweet ain't it ... Need proof? Let's install Adobe Flash Player 10 as recommended - sigh - and simply take the Skype malvertizement hosted on weborama.fr. Might wanna uncheck the Google Toolbar Junk before installing, the darn thing comes pre-checked.
Let's load the offending malvertizement with our brand new player ...
Note the Flash version in the network capture ... x-flash-version: 10,0,12,36
Looks like the bad guys didn't wait for Adobe Flash Player 10 to put their crossdomain.xml files in the root of the domain.
A perfect Flash file is the one that is never loaded by your browser.
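To make the quoted meta-policy rules concrete, here is a small auditor for a site's own master crossdomain.xml. It is an added example, not code from this thread or from Adobe: it reads the site-control meta-policy (assuming the Flash Player 10 default of master-only when the directive is absent, as the quoted notes state), flags wildcard allow-access-from entries, secure="false" rules and wildcard header grants, and returns the findings. The three policy documents are constructed samples, and example.invalid is a placeholder host.

```python
"""Audit a master crossdomain.xml for the settings discussed in the Adobe notes above.

Added example (not the thread's or Adobe's code). Checks the site-control
meta-policy, wildcard allow-access-from rules, secure="false" and header grants.
"""
import xml.etree.ElementTree as ET

# Flash Player 10 default when no site-control directive is present (per the quoted notes).
DEFAULT_META_POLICY = "master-only"
META_POLICY_VALUES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}

# Constructed samples; example.invalid is a placeholder host, not a real site.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""

LEGACY_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all" />
  <allow-access-from domain="*.example.invalid" secure="false" />
</cross-domain-policy>"""

TIGHT_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.invalid" secure="true" />
</cross-domain-policy>"""


def audit_policy(xml_text: str) -> dict:
    """Return the effective meta-policy, the allowed domains and a list of findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is %r, not cross-domain-policy" % root.tag)

    findings = []
    site_control = root.find("site-control")
    meta = site_control.get("permitted-cross-domain-policies") if site_control is not None else None
    if meta is None:
        findings.append("no site-control meta-policy declared; the player applies its default (%s)"
                        % DEFAULT_META_POLICY)
        meta = DEFAULT_META_POLICY
    elif meta not in META_POLICY_VALUES:
        findings.append("unknown meta-policy value %r" % meta)
    elif meta == "all":
        findings.append("meta-policy 'all' honours policy files anywhere on the host, not only the master file")

    allowed = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        allowed.append(domain)
        if domain == "*":
            findings.append("allow-access-from domain='*' lets SWFs from any domain read this host's content")
        elif domain.startswith("*."):
            findings.append("allow-access-from %s covers every subdomain; confirm all of them are trusted" % domain)
        # secure defaults to true; "false" lets http-served SWFs read https content.
        if rule.get("secure", "true").lower() == "false":
            findings.append("secure='false' for %s lets http-served SWFs read https content" % domain)

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append("any domain may send any custom request header to this host")

    return {"meta_policy": meta, "allowed_domains": allowed, "findings": findings}


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("legacy", LEGACY_POLICY), ("tight", TIGHT_POLICY)):
        report = audit_policy(policy)
        print(label, report["meta_policy"], report["allowed_domains"])
        for finding in report["findings"]:
            print("  -", finding)
```

This audits a policy you control. It does not change the point made above: a domain run by the bad guys can publish whatever master policy it likes, and master-only does nothing about that.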
Kimberly

www.allmusic.com - Bio Trainer


A new malvertizement is being served on www.allmusic.com featuring Bio Trainer weight loss system.

Screenshot in situ.
Banner.
web.checkm8.com/Ads/435513/bill_300x250-border.swf
Campaign.
clickmatter.net/stat.gif?url=http://[*]
windows-scannercenter.com/?id=[*]
onlinetds.info/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
forcedscan.com/2009/1/freescan.php?id=[*]
Adopstools was NOT able to flag the malvertizement.
______________________________

We've also got a clipboard hijacker here.
I've decided to analyse the malvertizement and I can't find any references to System.setClipboard. How is this achieved then? Analysing the network capture to clickmatter.net/stat.gif reveals an interesting point, we are not loading a gif file but a Flash file - note the CWS in the header.
Further tests did confirm that clickmatter.net/stat.gif is the culprit for copying the malicious URL to the clipboard because when putting clickmatter.net in your hosts file, the clipboard remains empty and the redirect to windows-scannercenter.com doesn't even occur. On a side note, Adobe Flash Player 10 does protect against the clipboard hijacking as seen in the screenshot below. In the status bar we already see the malicious redirect happen, but our clipboard remains "clean".
In my eyes the "clipboard jacking" is a minor issue, when you paste some text into your browser, post, blog, document ... you never review what you did write? Redirects are still working, whether they lead to fake online scanners or download an executable. So what has changed ... NOTHING.
______________________________

The redirects reveal a yet unseen domain, clickmatter.net.

clickmatter.net - 216.195.59.78

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-07-11
Updated: 2008-09-22
Name Server: DNS251.3FN.NET (has 10,042 domains)
Name Server: NS2.3FN.NET
IP Location - Oregon - Portland - Aps Telecom
Registration Service Provided By: ESTDOMAINS INC
Registrant:
Domain Names copr.
Domain Names copr. ()

Tallin
Harjumaa,13514
EE
Tel. +37.26201114
______________________________

onlinetds.info - 216.240.134.211

IP Location - California - Irvine - Go2online Corp
Created On:16-Sep-2008 11:17:48 UTC
Last Updated On:03-Oct-2008 22:47:33 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Registrant Name:Ternov Vladislav
Registrant Organization:N/A
Registrant Street1:Dimievskya 20-134
Registrant City:Odessa
Registrant State/Province:Odessa Oblast
Registrant Postal Code:220020
Registrant Country:UA
Registrant Phone:+380.935187553
Kimberly

clickmatter.net/stat.gif


I know, I can't resist a challenge.
QUOTE(Kimberly @ Oct 19 2008, 08:47 PM)
I've decided to analyse the malvertizement and I can't find any references to System.setClipboard. How is this achieved then? Analysing the network capture to clickmatter.net/stat.gif reveals an interesting point, we are not loading a gif file but a Flash file - note the CWS in the header.
...
Further tests did confirm that clickmatter.net/stat.gif is the culprit for copying the malicious URL to the clipboard because when putting clickmatter.net in your hosts file, the clipboard remains empty and the redirect to windows-scannercenter.com doesn't even occur.
TIF (Temporary Internet Files)
clickmatter.net/stat.gif ... we clearly see the redirect to windows-scannercenter.com and the fact it ain't a gif file as it pretends.
In order to facilitate the analysis, let's rename stat.gif to stat.swf and we see the redirect to windows-scannercenter.com and also System.setClipboard. We saw those types of redirects in the past and sometimes they were not active and led to google.com instead of the malicious URL ... it all makes sense now, doesn't it? The bad guys can stop or change a redirect whenever they want, the malvertizement only leads to a "fake gif" file, who's gonna pay attention to that anyway? By replacing stat.gif, they can modify about anything or simply disable / enable a campaign.
Doesn't stat.gif aka stat.swf remind you of the infamous gnida.swf somehow? Well AV vendors have still WTG on this one ...
File stat_1_.gif received on 10.19.2008 23:48:13 (CET)
AhnLab-V3 2008.10.18.0 2008.10.19 -
AntiVir 7.9.0.5 2008.10.19 -
Authentium 5.1.0.4 2008.10.19 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.19 -
BitDefender 7.2 2008.10.19 -
CAT-QuickHeal 9.50 2008.10.18 -
ClamAV 0.93.1 2008.10.19 -
DrWeb 4.44.0.09170 2008.10.19 -
eSafe 7.0.17.0 2008.10.19 -
eTrust-Vet 31.6.6154 2008.10.17 -
Ewido 4.0 2008.10.19 -
F-Prot 4.4.4.56 2008.10.19 -
F-Secure 8.0.14332.0 2008.10.19 -
Fortinet 3.113.0.0 2008.10.19 -
GData 19 2008.10.19 -
Ikarus T3.1.1.44.0 2008.10.19 -
K7AntiVirus 7.10.498 2008.10.18 -
Kaspersky 7.0.0.125 2008.10.19 -
McAfee 5408 2008.10.17 -
Microsoft 1.4005 2008.10.19 -
NOD32 3536 2008.10.19 -
Norman 5.80.02 2008.10.17 -
Panda 9.0.0.4 2008.10.19 -
PCTools 4.4.2.0 2008.10.19 -
Prevx1 V2 2008.10.19 -
Rising 20.66.62.00 2008.10.19 -
SecureWeb-Gateway 6.7.6 2008.10.19 -
Sophos 4.34.0 2008.10.19 -
Sunbelt 3.1.1732.1 2008.10.18 -
Symantec 10 2008.10.19 -
TheHacker 6.3.1.0.119 2008.10.18 -
TrendMicro 8.700.0.1004 2008.10.17 -
VBA32 3.12.8.7 2008.10.19 -
ViRobot 2008.10.18.1426 2008.10.18 -
VirusBuster 4.5.11.0 2008.10.19 -

Additional information
File size: 1163 bytes
MD5...: 45d3ff141cb6c3214175598b2282dec8
SHA1..: a0a00b26308f4076053e4d2d21379db611de75ea
SHA256: 2857b5c27604c602b456a87126f8dad1dd99c704f70bf7f4884e446185240531
PEiD..: -
TrID..: File type identification
Macromedia Flash Player Compressed Movie (100.0%)

PEInfo: -
packers (Kaspersky): Swf2Swc
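The finding above (a "gif" whose header reads CWS, with the System.setClipboard call only visible once the file is treated as a SWF) can be turned into a routine check on cached ad content. The Python below is an added example, not code from this thread or from any tool named in it: it classifies a payload by its leading bytes regardless of file name or Content-Type, parses the 8-byte SWF header, inflates the zlib body of a CWS movie and reports strings worth a closer look. The sample bytes are constructed here (a real CWS header over a stand-in tag stream), not the actual stat.gif; example.invalid is a placeholder host.

```python
"""Flag content served as a GIF that is really a Flash movie, and peek inside it.

Added example, not code from the thread. The constructed sample mimics the
stat.gif observation: a CWS header, zlib body, setClipboard and a redirect URL.
"""
import struct
import zlib

SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib-compressed", b"ZWS": "lzma-compressed"}
GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Strings in a banner's ActionScript that deserve a look: clipboard writes, navigation, embedded URLs.
WATCH_STRINGS = (b"setClipboard", b"getURL", b"http://")


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes only; the name and Content-Type are not trusted."""
    if data[:3] in SWF_MAGIC:
        return "swf"
    if data[:6] in GIF_MAGIC:
        return "gif"
    return "unknown"


def swf_header(data: bytes) -> dict:
    """Parse the fixed SWF header: 3-byte signature, version byte, little-endian uncompressed length."""
    if sniff_type(data) != "swf":
        raise ValueError("not a SWF")
    return {"compression": SWF_MAGIC[data[:3]],
            "version": data[3],
            "file_length": struct.unpack("<I", data[4:8])[0]}


def swf_body(data: bytes) -> bytes:
    """Return the tag stream after the 8-byte header, inflated for CWS movies."""
    magic = data[:3]
    if magic == b"FWS":
        return data[8:]
    if magic == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("ZWS (LZMA) movies are not handled in this example")


def inspect_payload(name: str, content_type: str, data: bytes) -> dict:
    """Compare what the response claims to be with what the bytes say, and scan SWF bodies."""
    actual = sniff_type(data)
    claims_gif = name.lower().endswith(".gif") or content_type.lower() == "image/gif"
    report = {"actual": actual, "claims_gif": claims_gif,
              "masquerading": claims_gif and actual == "swf", "hits": []}
    if actual == "swf":
        report.update(swf_header(data))
        body = swf_body(data)
        report["hits"] = [s.decode() for s in WATCH_STRINGS if s in body]
    return report


def build_sample_cws() -> bytes:
    """Constructed CWS sample: a genuine header over a stand-in tag stream (not a playable movie)."""
    tag_stream = (b"\x50\x00\x0a\x00\x00\x00\x01\x00"  # stand-in for the RECT / frame rate / frame count
                  b"System\x00setClipboard\x00http://example.invalid/?id=[placeholder]\x00getURL\x00")
    # SWF version 8; file_length counts the header plus the uncompressed tag stream.
    header = b"CWS" + bytes([8]) + struct.pack("<I", 8 + len(tag_stream))
    return header + zlib.compress(tag_stream)


if __name__ == "__main__":
    print(inspect_payload("stat.gif", "image/gif", build_sample_cws()))
    print(inspect_payload("logo.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x80"))
```

Run it over the files in the Temporary Internet Files folder (or over a proxy's saved responses) and anything with masquerading set to True is a candidate for the rename-and-decompile step described above.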
Kimberly

tdspro.ws - safeinternetzone.com - watchmyclicks.com - quick-scanner.com


More adtds.gorotation.com / adtds.adnewgeneration.com redirects.

Redirects.

tdspro.ws/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
safeinternetzone.com/2009/1/freescan.php?id=[*]

______________________________

watchmyclicks.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
quick-scanner.com/2009/1/freescan.php?id=[*]


IP Details


tdspro.ws - 89.149.202.115

Registrar Name: Rustelekom
Created: 2008-09-15
Updated: 2008-09-26
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
IP Location - Berlin - Berlin - Netdirekt E.k
______________________________

safeinternetzone.com - 84.243.196.136

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-14
Updated: 2008-10-14 09:03:36
Name Server: NS1.FREEFASTDNS.COM (has 55 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Netherlands - Grafix Internet B.v
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910

Registrant:
Shestakov Yuriy +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
______________________________

watchmyclicks.com - 216.240.134.208

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-14
Updated: 2008-10-14 09:03:12
Name Server: NS1.FREEFASTDNS.COM (has 55 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - California - Irvine - Go2online Corp
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:

Registrant:
Shestakov Yuriy +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
______________________________

quick-scanner.com - 89.149.241.106

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-17
Updated: 2008-10-17
Name Server: NS1.FREEFASTDNS.COM (has 55 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Berlin - Berlin - Netdirekt E.k
Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:

Registrant:
Shestakov Yuriy +7.9218839910 alexey(at)cocainmail.com
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422
______________________________

"Shestakov Yuriy" owns about 2,931 other domains
alexey(at)cocainmail.com is associated with about 1,903 domains
Kimberly

www.billboard.com - Bio Trainer


The "Bio Trainer weight loss system" malvertizement discovered on allmusic.com yesterday is also displayed on the homepage of www.billboard.com.

Screenshot in situ.
Banner.
web.checkm8.com/Ads/435513/bill_300x250-border.swf
Campaign.
clickmatter.net/stat.gif?url=http://[*]
windows-scannercenter.com/?id=[*]
onlinetds.info/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
forcedscan.com/2009/1/freescan.php?id=[*]
Kimberly

Warning: possible malvertizement on song lyrics website.


The presence of a malicious banner is possible on a song lyrics website and the clipboard seems to be hijacked also.

URL's apparently involved:
windowsxp-privacy.net/?id=[*]
seamastersoft.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
internetquarantinesite.com/2009/1/freescan.php?id=[*]

antivirusfree-scan.com - active-scanner.com - protection-freescan.com


More adtds.gorotation.com / adtds.adnewgeneration.com redirects.

Redirects.

watchmyclicks.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
antivirusfree-scan.com/2009/1/freescan.php?id=[*]

______________________________

tdspro.ws/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
protection-freescan.com/2009/1/freescan.php?id=[*]

______________________________

protectedtds.name/soft.php?[*]&d=[*]&product=XPA&refer=[*]
protection-freescan.com/2009/1/freescan.php?id=[*]


IP Details


antivirusfree-scan.com - 89.149.241.132

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-22
Updated: 2008-10-22
Name Server: NS1.FREEFASTDNS.COM (has 86 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Berlin - Berlin - Netdirekt E.k
Registration Service Provider: Shestakov Yuriy
Registrant: Shestakov Yuriy alexeyvas@safe-mail.net +7.9218839910
Shestakov Yuriy +7.9218839910
Lenina 21 16
Mirniy,MSK,RU 102422
______________________________

active-scanner.com - 84.243.196.136

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-17
Name Server: NS1.FREEFASTDNS.COM (has 86 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Netherlands - Grafix Internet B.v
Registration Service Provider: Shestakov Yuriy
Registrant: Shestakov Yuriy
______________________________

protection-freescan.com - 89.149.241.106

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-17
Name Server: NS1.FREEFASTDNS.COM (has 86 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Berlin - Berlin - Netdirekt E.k
Registration Service Provider: Shestakov Yuriy
Registrant: Shestakov Yuriy
______________________________

internetquarantinesite.com - 64.86.17.44

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-14
Name Server: NS1.FREEFASTDNS.COM (has 86 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - Ontario - Brampton - Velcom
Registration Service Provider: Shestakov Yuriy
Registrant: Shestakov Yuriy
Kimberly

hacked .htaccess file: RW Lyall - www.rwlyall.com


Be very careful if you visit www.rwlyall.com from a search engine. The .htaccess file has been hacked and is redirecting people to a fake online scanner. If you directly paste the website into your browser, you won't be affected.
Complete redirect.
89.28.13.200/in.html?s=sb
realtimeweb1.com/soft.php?aid=[*]&d=6&product=XPA&refer=[*]
internetquarantinesite.com/2009/1/freescan.php?id=[*]
______________________________

realtimeweb1.com - 216.240.134.211

ICANN Registrar: ONLINENIC, INC.
Created: 2008-10-14
Name Server: NS1.FREEFASTDNS.COM (has 82 domains)
Name Server: NS2.FREEFASTDNS.COM
IP Location - California - Irvine - Go2online Corp
Registrant: Shestakov Yuriy
______________________________

89.28.13.200

IP Location: Moldova, Republic Of Chisinau Starnet
Resolve Host: 89-28-13-200.starnet.md

Kimberly

Photobucket ... more malvertizing problems


As said before, I'm pretty sure that at least 1 malicious banner (if not more) is circulating at Photobucket. The screen capture kinda proves it. You have a blog, want to show pictures on it and if the integrated viewer does not work, add a link to the album. But the link turns out to be malicious because the person was the victim of clipboard hijacking.
I did already explain how links are copied to the clipboard at Photobucket a while ago, that's why I'm 99,9% sure that the malvert is on Photobucket. More info about copy and clipboard hijacking can be found here and here. Unfortunately I have been unlucky in catching banner(s). The advertising crew at Photobucket is giving us a hard time because the ads are not only very geo specific, they depend also upon the fact if you are logged in or not as certain information such as gender, age & zip code is transmitted in the advertising requests if you have an account.

But today, I ran into another malware problem at Photobucket. It's a similar problem with rotating advertising and malware as seen in The "rotator.adjuggler.com" case.

The Page where it all started.
The actors ... Yahoo, Harren Media & AdJuggler advertising.

Below we see the request made by Photobucket to display an advertisement from Yahoo. The script at ad.yieldmanager feeds us with an advertisement from Harren Media and we see different references to efx.add50.com, which is none other than ... rotator.adjuggler.com
Let's follow and take a peek at efx.add50.com/servlet/ajrotator/428101/0/vh?ajecscp=1225121196641&z=ADD50&dim=300765.
We notice a link to a Flash creative (which is clean btw) followed by a huge amount of iframes. The Flash banner at scarygeek.com is the yellow "Don't click here" in the in situ capture.
From here on we will bounce to different websites, I did visit 252 links before my Internet Explorer crashed (probably due to the exploits).
During our "trip" we hit a page at 91.203.92.138. The page starts with an iframe pointing to a PDF containing shellcode, followed by the usual suspects (SnapshotViewer, SuperBuddy, createControlRange ...). The javascript has been "scrambled"; all function names, variables ... have been replaced with random stuff and are decoded via a function.
Additional reading: Rise Of The PDF Exploits

The result is below ... a popup from the PDF exploit because I don't have Acrobat Reader installed and two executables on the PC.
It seems that AdJuggler still didn't learn from their previous hiccup because we still find the same websites / clients in the network captures. Yahoo and the Harren Media network also have a part of responsibility since they keep repeating offenders in their advertising network. Concerned parties have been advised and a support ticket has been opened at AdJuggler. I strongly advise that any advertising content from Photobucket is blocked. Note that you might encounter this issue on other websites too as advertising content often isn't limited to a single website.

Virustotal


xcvb.pdf
File xcvb.pdf received on 10.27.2008 15:23:53 (CET)
AhnLab-V3 2008.10.27.3 2008.10.27 -
AntiVir 7.9.0.9 2008.10.27 -
Authentium 5.1.0.4 2008.10.27 -
Avast 4.8.1248.0 2008.10.27 -
AVG 8.0.0.161 2008.10.27 -
BitDefender 7.2 2008.10.27 Exploit.HTML.Agent.AQ
CAT-QuickHeal 9.50 2008.10.27 -
ClamAV 0.93.1 2008.10.27 -
DrWeb 4.44.0.09170 2008.10.27 -
eSafe 7.0.17.0 2008.10.26 -
eTrust-Vet 31.6.6168 2008.10.25 JS/MS05-054!exploit
Ewido 4.0 2008.10.27 -
F-Prot 4.4.4.56 2008.10.26 -
F-Secure 8.0.14332.0 2008.10.27 -
Fortinet 3.113.0.0 2008.10.27 -
GData 19 2008.10.27 -
Ikarus T3.1.1.44.0 2008.10.27 -
K7AntiVirus 7.10.509 2008.10.27 -
Kaspersky 7.0.0.125 2008.10.27 -
McAfee 5415 2008.10.25 -
Microsoft 1.4005 2008.10.27 Exploit:JS/Mult.AB
NOD32 3559 2008.10.27 -
Norman 5.80.02 2008.10.24 -
Panda 9.0.0.4 2008.10.27 -
PCTools 4.4.2.0 2008.10.27 JS.IESlice.E
Prevx1 V2 2008.10.27 -
Rising 21.01.02.00 2008.10.27 -
SecureWeb-Gateway 6.7.6 2008.10.27 -
Sophos 4.35.0 2008.10.27 Troj/PDFEx-AA
Sunbelt 3.1.1753.1 2008.10.25 -
Symantec 10 2008.10.27 Bloodhound.Exploit.196
TheHacker 6.3.1.1.131 2008.10.27 -
TrendMicro 8.700.0.1004 2008.10.27 -
VBA32 3.12.8.8 2008.10.25 -
ViRobot 2008.10.27.1438 2008.10.27 -
VirusBuster 4.5.11.0 2008.10.26 JS.IESlice.E

Additional information
File size: 3597 bytes
MD5...: eb471c4f31d2ab7b7df14514a5b288ad
SHA1..: b937894b7058416a08534aef69219e0f10f4dddd
SHA256: d1dbccfdc5f156a26f5f10743992cfe591d6d06aea5349f47d6cc7f371e9ac0e
install.exe - d3i.exe
File install.exe received on 10.27.2008 15:22:12 (CET)
AhnLab-V3 2008.10.27.3 2008.10.27 -
AntiVir 7.9.0.9 2008.10.27 BDS/UltimateDefender.ggu.1
Authentium 5.1.0.4 2008.10.27 -
Avast 4.8.1248.0 2008.10.27 Win32:Fabot
AVG 8.0.0.161 2008.10.27 Downloader.Generic7.BDTR
BitDefender 7.2 2008.10.27 Packer.Malware.Lighty.N
CAT-QuickHeal 9.50 2008.10.27 -
ClamAV 0.93.1 2008.10.27 -
DrWeb 4.44.0.09170 2008.10.27 Trojan.Packed.1205
eSafe 7.0.17.0 2008.10.26 Suspicious File
eTrust-Vet 31.6.6168 2008.10.25 Win32/Fakealert.IJ
Ewido 4.0 2008.10.27 -
F-Prot 4.4.4.56 2008.10.26 -
F-Secure 8.0.14332.0 2008.10.27 Backdoor.Win32.UltimateDefender.ggu
Fortinet 3.113.0.0 2008.10.27 W32/UltimateDefender.GGU!tr.bdr
GData 19 2008.10.27 Packer.Malware.Lighty.N
Ikarus T3.1.1.44.0 2008.10.27 VirTool.Win32.Obfuscator.DF
K7AntiVirus 7.10.509 2008.10.27 -
Kaspersky 7.0.0.125 2008.10.27 Backdoor.Win32.UltimateDefender.ggu
McAfee 5415 2008.10.25 -
Microsoft 1.4005 2008.10.27 Trojan:Win32/Wantvi.I
NOD32 3559 2008.10.27 a variant of Win32/TrojanDownloader.Fakealert.NQ
Norman 5.80.02 2008.10.24 -
Panda 9.0.0.4 2008.10.27 -
PCTools 4.4.2.0 2008.10.27 -
Prevx1 V2 2008.10.27 Cloaked Malware
Rising 21.01.02.00 2008.10.27 -
SecureWeb-Gateway 6.7.6 2008.10.27 -
Sophos 4.35.0 2008.10.27 -
Sunbelt 3.1.1753.1 2008.10.25 -
Symantec 10 2008.10.27 Trojan.Virantix.C
TheHacker 6.3.1.1.131 2008.10.27 -
TrendMicro 8.700.0.1004 2008.10.27 -
VBA32 3.12.8.8 2008.10.25 -
ViRobot 2008.10.27.1438 2008.10.27 -
VirusBuster 4.5.11.0 2008.10.26 -

Additional information
File size: 44032 bytes
MD5...: 3eb7b00e79674c440a8ce35eebb3cbc9
SHA1..: c6e4271a1bfc00a9961831c0e63d4a7b90bdbb76
SHA256: c4aefe312998d7f68b6b0469c9f1aa382b29e440d0cfd9b99def2b4b4afa7804
ThreatExpert info: http://www.threatexpert.com/report.aspx?md...a8ce35eebb3cbc9

win32.exe - ly9.exe
File win32.exe received on 10.27.2008 15:22:47 (CET)
AhnLab-V3 2008.10.27.3 2008.10.27 -
AntiVir 7.9.0.9 2008.10.27 -
Authentium 5.1.0.4 2008.10.27 W32/Malware!OC-based
Avast 4.8.1248.0 2008.10.27 -
AVG 8.0.0.161 2008.10.27 Generic11.BLHF
BitDefender 7.2 2008.10.27 -
CAT-QuickHeal 9.50 2008.10.27 -
ClamAV 0.93.1 2008.10.27 -
DrWeb 4.44.0.09170 2008.10.27 -
eSafe 7.0.17.0 2008.10.26 -
eTrust-Vet 31.6.6168 2008.10.25 -
Ewido 4.0 2008.10.27 -
F-Prot 4.4.4.56 2008.10.26 W32/Malware!OC-based
F-Secure 8.0.14332.0 2008.10.27 -
Fortinet 3.113.0.0 2008.10.27 -
GData 19 2008.10.27 -
Ikarus T3.1.1.44.0 2008.10.27 -
K7AntiVirus 7.10.509 2008.10.27 -
Kaspersky 7.0.0.125 2008.10.27 -
McAfee 5415 2008.10.25 -
Microsoft 1.4005 2008.10.27 TrojanDownloader:Win32/Tibs
NOD32 3559 2008.10.27 a variant of Win32/Kryptik.AY
Norman 5.80.02 2008.10.24 -
Panda 9.0.0.4 2008.10.27 -
PCTools 4.4.2.0 2008.10.27 -
Prevx1 V2 2008.10.27 -
Rising 21.01.02.00 2008.10.27 -
SecureWeb-Gateway 6.7.6 2008.10.27 -
Sophos 4.35.0 2008.10.27 -
Sunbelt 3.1.1753.1 2008.10.25 -
Symantec 10 2008.10.27 -
TheHacker 6.3.1.1.131 2008.10.27 -
TrendMicro 8.700.0.1004 2008.10.27 -
VBA32 3.12.8.8 2008.10.25 -
ViRobot 2008.10.27.1438 2008.10.27 -
VirusBuster 4.5.11.0 2008.10.26 -

Additional information
File size: 19456 bytes
MD5...: 450094b2395c67ccfc7a9988a9df6eb6
SHA1..: cade660ecd7554cd6cf3b165a3fe25f5bc19bee6
SHA256: 20f5d25635f0d91972a4a3d103f6793cc775e807d1bfe19c993345294ee03988
ThreatExpert info: http://www.threatexpert.com/report.aspx?md...c7a9988a9df6eb6
Kimberly

WARNING: ad1.metrixlab-tds.com


All advertising content from ad1.metrixlab-tds.com should be treated with EXTREME CAUTION.

Screenshots of the advertisements: Venus, Gillette Fusion, Boniva and Honda.
All above advertisements don't have "weird" links inside except the last Honda one. The actual links are like this now.
bannersrotator.com/fx22010/click.php
stl.0ups.com/stl/in.cgi?24&
fit.honda.com
automobiles.honda.com/2009-fit/?from=http://fit.honda.com/
stl.0ups.com has been involved in malware in the past and the report shows exactly the same advertisement. Apparently the redirects did occur on msn.com - Reference.

So why all this fuss ... well ad1.metrixlab-tds.com has a couple of less trustworthy files laying around. There is start.html for example. start.swf is loaded in the browser, next a variable called show is assigned the value of banner1.swf - which could be any of the banners above btw.
start.swf

Pretty self explanatory isn't it? Retrieve Flash version and load the corresponding Flash file.
Note that if you run Flash version 9.0.124 or 10, tunnel.swf will be loaded. That file is clean; that's not the case for the other tunnel[version number].swf files, which lead to an executable as seen below.
File analysis and IP details to follow.

Last minute link: Symantec report on bannersrotator.com - Reference.

Thx Micha for both references.
Kimberly

IP details


First of all, ad1.metrixlab-tds.com has NOTHING in common / to do with MetrixLab, we have seen this trickery before with Byron Advertising. They choose such names - or any resemblance - to mislead people and make them think they are legit companies, hence the importance to look up information about the name, the domain and IP. We have stressed that several times along these months and I'm doing it again today.

ad1.metrixlab-tds.com - 82.98.193.102

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS16.ZONEEDIT.COM
Name Server: NS8.ZONEEDIT.COM
Updated Date: 12-sep-2008
Creation Date: 12-sep-2008
Registration Service Provided By: REGISTER SERVICES
Contact: +001.8882106539

Registrant: Josh Silver (metrixlab.uk@googlemail.com)
,000000
US
Tel. +999.999999999
______________________________

tds1.onlineredirsystem.com - 82.98.193.102

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS16.ZONEEDIT.COM
Name Server: NS8.ZONEEDIT.COM
Status: clientTransferProhibited
Updated Date: 15-sep-2008
Creation Date: 15-sep-2008
Registration Service Provided By: REGISTER SERVICES
Contact: +001.8882106539

Registrant: alex (mailalexmail@gmail.com)
,000000
US
Tel. +999.999999999
______________________________

bannersrotator.com - 82.98.193.165

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS13.ZONEEDIT.COM
Name Server: NS16.ZONEEDIT.COM
Updated Date: 30-sep-2008
Creation Date: 31-jul-2008
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Registrant: Jonh Anderson (mailalexmail@gmail.com)
Mulwar str.46
New York
null,12576
US
Tel. +534.347324774

Malware Served Through Flash Exploits By MSN Norway.
tunnel28.swf - i1.exe
______________________________

stl.0ups.com - 82.98.193.166

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS.MYCYBERHOSTING.COM
Name Server: NS164.MYCYBERHOSTING.COM
Updated Date: 17-dec-2007
Creation Date: 28-jan-2007

MSN spreads Trojan horse via Flash advertisements.
Malvertising on no.msn.com.

Note: The 2 links above confirm the Flash Exploits By MSN Norway report.
______________________________

82.98.235.173

inetnum: 82.98.235.0 - 82.98.235.255
netname: CYBERTECHNOLOGY
descr: Cyber Technology BV BA/SPRL
descr: Belgium
country: NL

Nancy Drew - Circulating malvertisement.

Virustotal


start.swf
File start.swf received on 10.28.2008 22:42:01 (CET)
AhnLab-V3 2008.10.28.3 2008.10.28 -
AntiVir 7.9.0.10 2008.10.28 -
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.28 -
BitDefender 7.2 2008.10.28 -
CAT-QuickHeal 9.50 2008.10.28 -
ClamAV 0.93.1 2008.10.28 -
DrWeb 4.44.0.09170 2008.10.28 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6177 2008.10.28 -
Ewido 4.0 2008.10.28 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.28 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.28 -
Ikarus T3.1.1.44.0 2008.10.28 -
K7AntiVirus 7.10.510 2008.10.28 -
Kaspersky 7.0.0.125 2008.10.28 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.28 -
NOD32 3563 2008.10.28 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.28 -
PCTools 4.4.2.0 2008.10.28 -
Prevx1 V2 2008.10.28 -
Rising 21.01.12.00 2008.10.28 -
SecureWeb-Gateway 6.7.6 2008.10.28 -
Sophos 4.35.0 2008.10.28 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.28 -
TheHacker 6.3.1.1.132 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.28 -
VBA32 3.12.8.8 2008.10.28 -
ViRobot 2008.10.28.1441 2008.10.28 -
VirusBuster 4.5.11.0 2008.10.28 -

Additional information
File size: 1051 bytes
MD5...: b155176b48cc93f81c26e3dbe578b91e
SHA1..: 1aeac0077dd17694fd5446e478e974b0b03db11a
SHA256: 784a5e4ab6a152e0f406828d34dbc126e2efa76d4817aca794b284df0c44cfff
packers (Kaspersky): Swf2Swc
tunnel[Flash Version].swf
File tunnel47.swf received on 10.28.2008 22:42:23 (CET)
AhnLab-V3 2008.10.28.3 2008.10.28 -
AntiVir 7.9.0.10 2008.10.28 EXP/Flash.Gen
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 SWF:CVE-2007-0071
AVG 8.0.0.161 2008.10.28 -
BitDefender 7.2 2008.10.28 -
CAT-QuickHeal 9.50 2008.10.28 SWF.Exploit
ClamAV 0.93.1 2008.10.28 -
DrWeb 4.44.0.09170 2008.10.28 -
eSafe 7.0.17.0 2008.10.28 -
eTrust-Vet 31.6.6177 2008.10.28 -
Ewido 4.0 2008.10.28 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.28 -
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.28 SWF:CVE-2007-0071
Ikarus T3.1.1.44.0 2008.10.28 -
K7AntiVirus 7.10.510 2008.10.28 -
Kaspersky 7.0.0.125 2008.10.28 -
McAfee 5417 2008.10.28 -
Microsoft 1.4005 2008.10.28 Exploit:Win32/APSB08-11.gen!A
NOD32 3563 2008.10.28 -
Norman 5.80.02 2008.10.28 -
Panda 9.0.0.4 2008.10.28 -
PCTools 4.4.2.0 2008.10.28 -
Prevx1 V2 2008.10.28 -
Rising 21.01.12.00 2008.10.28 -
SecureWeb-Gateway 6.7.6 2008.10.28 Exploit.Flash.Gen
Sophos 4.35.0 2008.10.28 -
Sunbelt 3.1.1762.1 2008.10.28 -
Symantec 10 2008.10.28 Bloodhound.Exploit.193
TheHacker 6.3.1.1.132 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.28 -
VBA32 3.12.8.8 2008.10.28 -
ViRobot 2008.10.28.1441 2008.10.28 -
VirusBuster 4.5.11.0 2008.10.28 -

Additional information
File size: 1374 bytes
MD5...: dc932adde3009b84482df3495a8a8302
SHA1..: b4ca83d3db9bf55fdc7c0d27bca90743b5ce7b6d
SHA256: 8c2b6b34c59fc0ce186df8f0087fb7dcfa266bc997a93ee57bdf1402645631e4
packers (Kaspersky): Swf2Swc
i.exe
File i.exe received on 10.28.2008 17:02:30 (CET)
AhnLab-V3 2008.10.28.3 2008.10.28 -
AntiVir 7.9.0.9 2008.10.28 -
Authentium 5.1.0.4 2008.10.28 -
Avast 4.8.1248.0 2008.10.28 -
AVG 8.0.0.161 2008.10.28 Adload_r.AQ
BitDefender 7.2 2008.10.28 -
CAT-QuickHeal 9.50 2008.10.28 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.10.28 -
DrWeb 4.44.0.09170 2008.10.28 -
eSafe 7.0.17.0 2008.10.27 Suspicious File
eTrust-Vet 31.6.6177 2008.10.28 -
Ewido 4.0 2008.10.28 -
F-Prot 4.4.4.56 2008.10.28 -
F-Secure 8.0.14332.0 2008.10.28 Tibs.gen222
Fortinet 3.117.0.0 2008.10.28 -
GData 19 2008.10.28 -
Ikarus T3.1.1.44.0 2008.10.28 -
K7AntiVirus 7.10.510 2008.10.28 -
Kaspersky 7.0.0.125 2008.10.28 -
McAfee 5416 2008.10.28 -
Microsoft 1.4005 2008.10.28 Trojan:Win32/Vundo.gen!V
NOD32 3563 2008.10.28 -
Norman 5.80.02 2008.10.27 Tibs.gen222
Panda 9.0.0.4 2008.10.28 -
PCTools 4.4.2.0 2008.10.28 -
Prevx1 V2 2008.10.28 -
Rising 21.01.12.00 2008.10.28 -
SecureWeb-Gateway 6.7.6 2008.10.28 -
Sophos 4.35.0 2008.10.28 -
Sunbelt 3.1.1760.1 2008.10.27 -
Symantec 10 2008.10.28 Trojan Horse
TheHacker 6.3.1.1.132 2008.10.28 -
TrendMicro 8.700.0.1004 2008.10.28 -
VBA32 3.12.8.8 2008.10.27 -
ViRobot 2008.10.28.1441 2008.10.28 -
VirusBuster 4.5.11.0 2008.10.27 -

Additional information
File size: 35840 bytes
MD5...: 2a8d3776bed7307dcedc1757853622bb
SHA1..: c96b02698438338e7f14cbb7abce1d59c05b6614
SHA256: 4cbb9598abb48345c2eb7d31c440ee51c3f4786aa16d4e8d50fba329fe6bfc30
Practice Safe Flash!
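Added example, not from the post: a parser for the VirusTotal text reports pasted throughout this thread, returning the detection ratio, the file hashes, any CVE identifiers named in the engine results and the terms most engines agree on. SAMPLE_REPORT is a trimmed copy of the tunnel47.swf report above (same file name, size and hashes, fewer engine lines).

```python
"""Parser for VirusTotal text reports in the format pasted in this thread.

Added example, not code from the post. SAMPLE_REPORT is a trimmed copy of the
tunnel47.swf report above (same file name, size and hashes, fewer engines).
"""
import re

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

SAMPLE_REPORT = """\
File tunnel47.swf received on 10.28.2008 22:42:23 (CET)
AhnLab-V3 2008.10.28.3 2008.10.28 -
AntiVir 7.9.0.10 2008.10.28 EXP/Flash.Gen
Avast 4.8.1248.0 2008.10.28 SWF:CVE-2007-0071
CAT-QuickHeal 9.50 2008.10.28 SWF.Exploit
ClamAV 0.93.1 2008.10.28 -
GData 19 2008.10.28 SWF:CVE-2007-0071
Microsoft 1.4005 2008.10.28 Exploit:Win32/APSB08-11.gen!A
Symantec 10 2008.10.28 Bloodhound.Exploit.193
VirusBuster 4.5.11.0 2008.10.28 -

Additional information
File size: 1374 bytes
MD5...: dc932adde3009b84482df3495a8a8302
SHA1..: b4ca83d3db9bf55fdc7c0d27bca90743b5ce7b6d
SHA256: 8c2b6b34c59fc0ce186df8f0087fb7dcfa266bc997a93ee57bdf1402645631e4
"""


def parse_vt_report(text: str) -> dict:
    """Return file name, size, hashes, per-engine results and CVEs named in detections."""
    filename = None
    size = None
    hashes = {}
    engines = {}  # engine -> detection name, or None when the engine reported clean ("-")
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("File ") and " received on " in line:
            filename = line[len("File "):].split(" received on ", 1)[0]
            continue
        if line.startswith("File size:"):
            size = int(line.split(":", 1)[1].split()[0])
            continue
        hm = HASH_RE.match(line)
        if hm:
            hashes[hm.group(1)] = hm.group(2).lower()
            continue
        # Engine lines: <engine> <signature version> <yyyy.mm.dd> <result ...>
        parts = line.split(None, 3)
        if len(parts) == 4 and DATE_RE.match(parts[2]):
            engines[parts[0]] = None if parts[3] == "-" else parts[3]
    hits = {e: r for e, r in engines.items() if r}
    cves = sorted({c for r in hits.values() for c in CVE_RE.findall(r)})
    return {
        "file": filename,
        "size": size,
        "hashes": hashes,
        "engines": len(engines),
        "detections": len(hits),
        "hits": hits,
        "cves": cves,
    }


def detection_ratio(report: dict) -> str:
    return f"{report['detections']}/{report['engines']}"


def consensus_terms(report: dict, min_engines: int = 2) -> list:
    """Name tokens shared by at least min_engines detections (rough family consensus)."""
    counts = {}
    for name in report["hits"].values():
        tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", name) if len(t) > 2 and not t.isdigit()}
        for tok in tokens:
            counts[tok] = counts.get(tok, 0) + 1
    return sorted(t for t, n in counts.items() if n >= min_engines)


if __name__ == "__main__":
    rep = parse_vt_report(SAMPLE_REPORT)
    print(rep["file"], detection_ratio(rep), rep["cves"], consensus_terms(rep))
```

The consensus terms are the quickest way to read a low-ratio report like the ones above: a handful of engines agreeing on "exploit", "swf" and a CVE identifier says more than a single generic name.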
Kimberly

infoclicknow.com - premiumlivescan.com - orbitalclicks.com - scan-my-pc.com - bulkwatcher.com - antivirus-premiumscan.com ...


Redirects.

bulkwatcher.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
antivirus-premiumscan.com/2009/1/en/freescan.php?id=[*]

______________________________

infoclicknow.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
premiumlivescan.com/2009/1/en/freescan.php?id=[*]

______________________________

orbitalclicks.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
scan-my-pc.com/2009/1/freescan.php?id=[*]

______________________________

Other fake scanners.

antivirus-pcscan.com/2009/1/freescan.php?id=[*]

livesecurityinfo.com/2009/1/freescan.php?id=[*]

best-online-antivirus-scanner.info/scan.php?campaign=[*]&landid=[*]&country=[*]&bs=[*]


IP details


infoclicknow.com / bulkwatcher.com - 216.240.134.211

Registrar: ONLINENIC, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Updated Date: 22-oct-2008
Creation Date: 22-oct-2008
Registrant: Alexey Vasiliev alexvasiliev1987@gmail.com +7.3834427722
Alexey Vasiliev
Ol. Duducha 21/2 53
Moskow,NSK,RUSSIAN FEDERATION 630122
______________________________

orbitalclicks.com - 208.72.169.100

Registrar: ONLINENIC, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Updated Date: 14-oct-2008
Creation Date: 14-oct-2008
Registrant: Shestakov Yuriy alexey@cocainmail.com +7.9218839910
______________________________

antivirus-premiumscan.com - 78.159.118.217 / 89.149.253.215 / 91.203.92.47

ICANN Registrar: REGTIME LTD.
Created: 2008-10-29
Name Server: NS1.FREEFASTDNS.COM (has 89 domains)
Name Server: NS2.FREEFASTDNS.COM
Registrar: RegTime.net Limited
Registrant: Pert Goligin
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Kosmonavtov 12-54
City: Moskva
State: Moskovskaya oblast
ZIP: 113431
Country: RU
Phone: +7.4954403856
______________________________

premiumlivescan.com - 89.149.253.215 / 216.240.134.211 / 78.159.118.217

Registrar: ONLINENIC, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Creation Date: 24-oct-2008
Registrant: Shestakov Yuriy alexeyvas@safe-mail.net +7.9218839910
______________________________

scan-my-pc.com - 89.149.251.56
antivirus-pcscan.com - 89.149.227.196 / 84.243.196.136
livesecurityinfo.com - 208.72.168.185

Registrar: ONLINENIC, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Creation Date: 22-oct-2008
______________________________

best-online-antivirus-scanner.info - 67.205.75.14

Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Name Server:NS1.BEST-ONLINE-ANTIVIRUS-SCANNER.INFO
Name Server:NS2.BEST-ONLINE-ANTIVIRUS-SCANNER.INFO
Created On:14-Oct-2008 15:06:19 UTC
Last Updated On:14-Oct-2008 16:23:51 UTC
Registrant Name:Kivvi Admin
Registrant Organization:KivviSoftware
Registrant Street1:pr. Pobedi 1
Registrant City:Kiev
Registrant State/Province:kiev
Registrant Postal Code:01001
Registrant Country:UA
Registrant Phone:+380.4365213
Registrant Email:leonardo126@gmail.com
Kimberly

Photobucket - AdJuggler aka efx.add50.com / rotator.adjuggler.com


I did mention a nasty redirect involving AdJuggler aka efx.add50.com / rotator.adjuggler.com a few days back. As usual, notifications have been issued to the concerned parties. I'm very disappointed with the results; as a matter of fact I’m ****** *** by those “so called” customer warnings and the “24h delay” to remove the offending advertiser from the system. Why … Well that’s very simple to answer: I still see the damn same offending websites in the network captures ... except their redirects / iframes are just leading to a different IP – what a joke, isn’t it? In my eyes AdJuggler just worries about the $$$ and is as guilty as its dodgy customers.

I usually comment on captures ... I won't today ... I'm simply fed up with the "so called cleanup ticket support I issue when shit hits the news" - Hint ... make my day and REALLY CLEAN up the mess instead of changing domain names and issuing so called support tickets.
Bounce ... bounce and bounce ... FYI we ain't talking about Timbaland

File winktR2TymurG6oF.exe received on 11.01.2008 00:52:09 (CET)

AhnLab-V3 2008.11.1.0 2008.10.31 -
AntiVir 7.9.0.10 2008.10.31 TR/Dldr.Agent.amui
Authentium 5.1.0.4 2008.11.01 -
Avast 4.8.1248.0 2008.11.01 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.10.31 Downloader.Generic8.GK
BitDefender 7.2 2008.11.01 -
CAT-QuickHeal 9.50 2008.10.31 -
ClamAV 0.94.1 2008.10.31 -
DrWeb 4.44.0.09170 2008.11.01 -
eSafe 7.0.17.0 2008.10.30 -
eTrust-Vet 31.6.6184 2008.10.31 Win32/SillyDl.FUH
Ewido 4.0 2008.10.31 -
F-Prot 4.4.4.56 2008.10.31 -
F-Secure 8.0.14332.0 2008.10.31 Trojan-Downloader.Win32.Agent.amui
Fortinet 3.117.0.0 2008.10.31 -
GData 19 2008.11.01 Win32:Trojan-gen {Other}
Ikarus T3.1.1.44.0 2008.10.31 Trojan-Dropper.Agent
K7AntiVirus 7.10.513 2008.10.31 Trojan-Downloader.Win32.Agent.amui
Kaspersky 7.0.0.125 2008.10.31 Trojan-Downloader.Win32.Agent.amui
McAfee 5419 2008.10.31 Downloader-BKX
Microsoft 1.4005 2008.11.01 -
NOD32 3575 2008.10.31 -
Norman 5.80.02 2008.10.31 -
Panda 9.0.0.4 2008.10.31 -
PCTools 4.4.2.0 2008.10.31 -
Prevx1 V2 2008.11.01 Malicious Software
Rising 21.01.42.00 2008.10.31 -
SecureWeb-Gateway 6.7.6 2008.10.31 Trojan.Dldr.Agent.amui
Sophos 4.35.0 2008.11.01 -
Sunbelt 3.1.1767.2 2008.10.31 -
Symantec 10 2008.10.31 Downloader
TheHacker 6.3.1.1.135 2008.10.31 -
TrendMicro 8.700.0.1004 2008.10.31 TROJ_DLOADER.YE
VBA32 3.12.8.9 2008.11.01 -
ViRobot 2008.10.31.1446 2008.10.31 -
VirusBuster 4.5.11.0 2008.10.31 -

Additional information
File size: 4608 bytes
MD5...: 4ab03732d414c43b461d49c438562c46
SHA1..: 1653a71629c3b7c2863d823aa99382bd34ccbb48
SHA256: 186497296327352180106bd4616609feeda271643a915066c72bc41b6c21e314



Kimberly

stoneholl.cn - viruslivescan.com - globalskytransfer.com - securityproscan.com


Redirects.

globalskytransfer.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
securityproscan.com/2009/1/en/freescan.php?id=[*]

______________________________

Other fake scanners.

stoneholl.cn/bp/_freescan.php?id=[*]&time=[*]

viruslivescan.com/2009/100/freescan.php?id=[*]


IP details


stoneholl.cn - 66.197.152.21

Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2008-10-30 21:30
Registrant Organization: DomansReg
Registrant Name: NizovGrisha
Administrative Email: grishanizov@gmail.com
______________________________

viruslivescan.com - 78.159.118.217 / 89.149.253.215 / 91.203.92.47

Registrar: REGTIME LTD.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Creation Date: 31-oct-2008
Registrant: Vladimir Polilov
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536
______________________________

globalskytransfer.com - 208.72.169.100

Registrar: ONLINENIC, INC.
Creation Date: 22-oct-2008
Name Server: NS1.FREEFASTDNS.COM (has 89 domains)
Name Server: NS2.FREEFASTDNS.COM
Registrar: RegTime.net
Registrant:Alexey Vasiliev alexvasiliev1987@gmail.com +7.3834427722
Ol. Duducha 21/2 53
Moskow,NSK,RUSSIAN FEDERATION 630122
______________________________

securityproscan.com - 208.72.169.100

Registrar: ONLINENIC, INC.
Creation Date: 16-oct-2008
Name Server: NS1.NAMESELF.COM
Name Server: NS2.NAMESELF.COM
Registrar: REGTIME LTD.
Registrant: Tupolev Vladimir
Email: VladimirTypolev@gmail.com
Organization: Private person
Address: pr. Dneprovskij 44a, kv.12
City: Novaya Kahovka
State: Hersonskaya oblast
ZIP: 74900
Country: UA
Phone: +3.0805432540
Kimberly

Microsoft Malware Protection Center - SWF for malware deployment


Spotlight on SWF for malware deployment.
Original article.
"More and more each day I see SWF files being sent to us as a potential part of a malware deployment chain. Most of the times it is not the case, but because of these special cases where the submitter was actually right, I decided to write this entry."
I'm not happy with the statement made by Marian Radu either ... that put aside, let's have a deeper look "inside" the Flash file.

ActionScript.
"Real life" situation.

While the modus operandi used might sound scary, I’m not impressed at all by the multiple links inside the Flash content, because if pop-ups are blocked nothing will happen.
If you allow them, hell will break loose of course and you’ll be confronted with several Internet Explorer windows presenting different exploits.
Note: In-depth analysis of the different htm pages shows additional exploits.

Off Topic.

I personally kinda retain a single one; it’s rather unusual to see a vbs script in those “exploit packs".

In other words, on a fully patched system you still might end up infected if Windows Script Host is allowed.
Solution: Secure your system and disallow Windows Script Host on your computer. This can easily be achieved with xp-AntiSpy. Be aware that several local script files will not run on the computer when this option is disabled.
Note: xp-AntiSpy is a tweaking tool, please read the associated help file.

Conclusion: Regular readers of our respective blogs have been confronted with more complicated & dangerous links inside Flash content IMHO.
Kimberly

WARNING: olandon.com


Anything related to olandon.com should be handled with extreme caution for several reasons.
  1. Presence of a Nancy Drew banner under the different Flash version names such as fo115.swf · fo45.swf · fo47.swf · i115.swf · i45.swf · i47.swf. The banner is clean at the time of the write-up.


  2. Presence of small swf files containing a link hidden in the "so called image". The URL doesn't make any sense for the time being as it refers to localhost.


  3. All files are dated 27 October 2008, and that's also the date when the whois record for olandon.com was updated.


  4. olandon.com shares its nameservers with dergamend.com, which is involved in the redirect at www.rebondottignies.be.
  5. The nearby presence of 82.98.235.173, an IP found in several malicious banners featuring Nancy Drew on Aug 8 2008 & Sep 20 2008, and a couple of days ago in the tunnel[Flash Version] files on the ad1.metrixlab-tds.com server.
olandon.com - 82.98.235.52

Registrar: YESNIC CO. LTD.
Updated Date: 27-oct-2008
Creation Date: 06-nov-2007
Name Server: NS1.OLANDON.COM
Name Server: NS2.OLANDON.COM
Registrant::
Name : Denis
Email : ddenkin@gmail.com
Address : Voroshilova, 16
Zipcode : 90099
Nation : RU
Tel : 70965674701

inetnum: 82.98.235.0 - 82.98.235.255
netname: CYBERTECHNOLOGY
descr: Cyber Technology BV BA/SPRL

Today's new redirect


onlinecounter1.net/s/in.cgi?[*]
infoclicknow.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
premium-pc-scan.com/2009/1/freescan.php?id=[*]


onlinecounter1.net - 92.48.201.39

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Updated Date: 04-oct-2008
Creation Date: 02-oct-2008
Name Server: NS1.EVERYDNS.NET
Name Server: NS2.EVERYDNS.NET
Name Server: NS3.EVERYDNS.NET
Name Server: NS4.EVERYDNS.NET
Registration Service Provided By: NKVD.PRO

Registrant: Viktor K Bratikov (viktorbratikov@gmail.com)
ul.Gospitalnyj val, 5/6, 165
Moscow
Moskovskaya oblast,105094
RU
Tel. +7.9039908132
______________________________

premium-pc-scan.com - 78.159.118.217 / 89.149.253.215 / 91.203.92.47

Registrar: REGTIME LTD.
Updated Date: 31-oct-2008
Creation Date: 31-oct-2008
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Registrar: RegTime.net Limited

Registrant: Vladimir Polilov
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536

Hacked .htaccess file at Gold Coast Helicopters


If you visit Gold Coast Helicopters - goldcoasthelicopters.com - from a search engine, you are redirected to a fake online scanner.
Current Redirect.

87.248.180.90/in.html?s=ipw2
infoclicknow.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
premium-pc-scan.com/2009/1/freescan.php?id=[*]
Kimberly

WARNING: host5.porenads.net / porenads.net


Anything related to porenads.net MUST be handled with extreme caution.
Screenshot in situ.
Banner.
______________________________

Yaw, another poisoned banner ... well nope, the flash content itself is not responsible for the warning: flashwrite_1_2.js, hosted on the same server and normally used by many advertising agencies for browser & flash version detection, has been a lil’ bit tweaked by the bad guys with an iframe leading to the infamous ya-tracker.com domain.
Cool ain't it ... more details about ya-tracker exploits & files can be found here.
______________________________

For historical purposes only ... clicksor references >> especially kept for u wagdoll.

IP details


host5.porenads.net / porenads.net - 93.190.137.99

Updated Date: 14-oct-2008
Creation Date: 11-sep-2008
Name Server: NS18.ZONEEDIT.COM
Name Server: NS8.ZONEEDIT.COM
Registration Service Provided By: ESTDOMAINS INC
Registrant: Paret co.
Michael Voronin (info@wtsexp.com)
Bure Peapostkontor, pk. 12
Bure
Itä-Suomenläsni,50001
FI
Tel. +321.433125670

Kimberly

DrivenWide - www.drivenwide.com


Every forum, blog ... owner has to deal with spammers. Today I removed such a spam post. Below is a screenshot of its content and in a few moments it will become crystal clear why I decided to post about it in this particular topic.
Most of the time I do check out the links posted, and this time I did fall on an advertising agency. The www.drivenwide.com/whatwedo.html page got me thinking.
From Advertiser -> DrivenWide -> Forums, Blogs, Wiki, Classified ... hmm okay ... but this statement struck me most:
We Create The Message Content Describing Your Product And Service.

We Review Created Message Content.

We Post ad in Highly Ranked, Visited and Relevant Forum, Blog, Classified, Wiki And User polls, General comments etc.

We Post The Ad As Per The Rules Of Each Website.

Article That Is Posted Relevant To The Link To Product And Service As Specified By You.
Wait ... I didn't ask for ads on our forum. Does that mean we will have to modify the forum rules to reflect that any advertising content will be removed and the member banned? Will blog owners have to disable comments or approve them one by one?

Take a look at the Whois details and regular readers will immediately understand why I’m freaked out today. The registrar is none other than DIRECTI ... involved in many malicious redirects, hosting of fake scanners & rogue antivirus products. Malicious Flash banners, hidden iframes, hacked .htaccess files … just name it, and now this so called “New Way To Advertise”!
NO THANKS, the Internet is already looking bad enough with links to various rogue products and fake scanners plastered all over the place, without DrivenWide adding their 2 cents.
Domain Name: DRIVENWIDE.COM
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS3.OVERSEASCOUNSELLORS.COM
Name Server: NS4.OVERSEASCOUNSELLORS.COM
Updated Date: 18-oct-2008
Creation Date: 19-aug-2008
IP Address: 210.48.146.98
IP Location - Malaysia - Tm Net Sdn Bhd
Registration Service Provided By: LAKSHMI COMMUNICATIONS

Registrant:
Driven Wide
S Om Prakash (prakashinspire@yahoo.com)
383, 100 feet road,
karpagam complex bus stop tatabad
coimbatore
Tamil Nadu,641012
IN
Tel. +091.9789719697
There is a DrivenWide Ad(vertising) site - ad.drivenwide.com - also hosted on the same IP; the website is still under construction. Something to keep an eye on I guess ...
Kimberly

transferallsource.com - powerfullantivirusscan.com - quick-antivirus-scan.com - pc-antivirus-scan.com


Redirects.

transferallsource.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
powerfullantivirusscan.com/2009/1/en/freescan.php?id=[*]

______________________________

Other fake scanners.

quick-antivirus-scan.com/2009/1/freescan.php?id=[*]

pc-antivirus-scan.com/2009/1/freescan.php?id=[*]


IP details


transferallsource.com - 208.72.168.185

Creation Date: 22-oct-2008
Registrar: ONLINENIC, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Registration Service Provider: Regtime.net
Registrant: Alexey Vasiliev alexvasiliev1987@gmail.com +7.3834427722
______________________________

powerfullantivirusscan.com - 78.159.118.217 / 89.149.253.215

Updated Date: 06-nov-2008
Creation Date: 04-nov-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Registrant Contact: Fedor Ibragimov cndomainz@yahoo.com
+74956438235 fax: +74956438235
ul. Studencheskay 84-76
Moskva Moskovskay oblast 117345
ru
______________________________

quick-antivirus-scan.com 84.243.196.136 / 91.203.92.47

Creation Date: 31-oct-2008
Registrar: REGTIME LTD.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Registrar: RegTime.net Limited
Registrant: Vladimir Polilov
Email: gpdomains@yahoo.com
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536
______________________________

pc-antivirus-scan.com - 208.72.169.100

Creation Date: 31-oct-2008
Registrar: REGTIME LTD.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Registrar: RegTime.net Limited
Registrant: Vladimir Polilov
Email: gpdomains@yahoo.com
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536
Kimberly

video.swf - Adobe_flash_codec.exe or X reasons to block Flash content.


An unlimited number of "social engineering" tricks to get the victim to load a page containing an embedded malicious Flash file …
video.swf or 26 reasons to detect a file ...

File video.swf received on 11.07.2008 23:00:11 (CET)
AhnLab-V3 2008.11.7.1 2008.11.07 -
AntiVir 7.9.0.26 2008.11.07 -
Authentium 5.1.0.4 2008.11.07 -
Avast 4.8.1248.0 2008.11.07 -
AVG 8.0.0.161 2008.11.07 -
BitDefender 7.2 2008.11.07 -
CAT-QuickHeal 9.50 2008.11.07 -
ClamAV 0.94.1 2008.11.07 -
DrWeb 4.44.0.09170 2008.11.07 -
eSafe 7.0.17.0 2008.11.06 -
eTrust-Vet 31.6.6198 2008.11.07 -
Ewido 4.0 2008.11.07 -
F-Prot 4.4.4.56 2008.11.07 -
F-Secure 8.0.14332.0 2008.11.07 -
Fortinet 3.117.0.0 2008.11.07 -
GData 19 2008.11.07 -
Ikarus T3.1.1.45.0 2008.11.07 -
K7AntiVirus 7.10.519 2008.11.07 -
Kaspersky 7.0.0.125 2008.11.07 -
McAfee 5427 2008.11.07 -
Microsoft 1.4104 2008.11.07 -
NOD32 3596 2008.11.07 -
Norman 5.80.02 2008.11.07 -
Panda 9.0.0.4 2008.11.07 -
PCTools 4.4.2.0 2008.11.07 -
Prevx1 V2 2008.11.07 -
Rising 21.02.42.00 2008.11.07 -
SecureWeb-Gateway 6.7.6 2008.11.07 -
Sophos 4.35.0 2008.11.07 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.07 -
TheHacker 6.3.1.1.144 2008.11.07 -
TrendMicro 8.700.0.1004 2008.11.07 -
VBA32 3.12.8.9 2008.11.06 -
ViRobot 2008.11.7.1457 2008.11.07 -
VirusBuster 4.5.11.0 2008.11.07 -

Additional information
File size: 20067 bytes
MD5...: 6a5e3b2cec16a426806042a0417cf5b1
SHA1..: 6c84d79df719946bfeb01dec031fc5b8810c8b11
SHA256: 7870d9d4cf5a75536fa6d970e26028a01dcaa173786415df286a8915680eb740
SHA512: e40d79c595a5b29f22bbf45d8b815bf13c3f690c6690e75fae50dc6f1abe5f6d5ad255e58312c29ca5c01cc190464e845c4d6612d9b968786bb94f453aaf832a
PEiD..: -
packers (Kaspersky): Swf2Swc
Adobe_flash_codec.exe or a good reason to refrain from clicking ...
File Adobe_flash_codec.exe received on 11.07.2008 22:47:59 (CET)
AhnLab-V3 2008.11.7.1 2008.11.07 -
AntiVir 7.9.0.26 2008.11.07 -
Authentium 5.1.0.4 2008.11.07 -
Avast 4.8.1248.0 2008.11.07 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.11.07 Adload_r.DK
BitDefender 7.2 2008.11.07 -
CAT-QuickHeal 9.50 2008.11.07 -
ClamAV 0.94.1 2008.11.07 -
DrWeb 4.44.0.09170 2008.11.07 -
eSafe 7.0.17.0 2008.11.06 Suspicious File
eTrust-Vet 31.6.6198 2008.11.07 Win32/Kvol!generic
Ewido 4.0 2008.11.07 -
F-Prot 4.4.4.56 2008.11.07 -
F-Secure 8.0.14332.0 2008.11.07 -
Fortinet 3.117.0.0 2008.11.07 PossibleThreat
GData 19 2008.11.07 Win32:Trojan-gen {Other}
Ikarus T3.1.1.45.0 2008.11.07 -
K7AntiVirus 7.10.519 2008.11.07 -
Kaspersky 7.0.0.125 2008.11.07 Trojan.Win32.BHO.hfx
McAfee 5427 2008.11.07 Boaxxe.dr
Microsoft 1.4104 2008.11.07 -
NOD32 3595 2008.11.07 -
Norman 5.80.02 2008.11.07 -
Panda 9.0.0.4 2008.11.07 -
PCTools 4.4.2.0 2008.11.07 -
Prevx1 V2 2008.11.07 Worm
Rising 21.02.42.00 2008.11.07 -
SecureWeb-Gateway 6.7.6 2008.11.07 -
Sophos 4.35.0 2008.11.07 -
Sunbelt 3.1.1783.2 2008.11.05 Trojan.Win32.BHO.hfx
Symantec 10 2008.11.07 -
TheHacker 6.3.1.1.144 2008.11.07 -
TrendMicro 8.700.0.1004 2008.11.07 -
VBA32 3.12.8.9 2008.11.06 -
ViRobot 2008.11.7.1457 2008.11.07 Trojan.Win32.BHO.120832.C
VirusBuster 4.5.11.0 2008.11.07 -

Additional information
File size: 120832 bytes
MD5...: b3e5369900a6ee41dbd3cc33d51995bc
SHA1..: de63653a8f62dc2ecd7b6705c92203b7ef86f405
SHA256: e3f1a3d2a7f181f5bb5552e96b76f3d48a45b56a489636788cb04691d3c81298
PEiD..: -
tsss ...

Registry changes.
  • Adds the following Values.
    HKEY_CLASSES_ROOT\CLSID\{76B55C28-D088-42F1-B738-AC36D2A7CC22}\InprocServer32 "(Default)"
    Type: REG_SZ
    Data: C:\WINDOWS\system32\credu.dll
    HKEY_CLASSES_ROOT\CLSID\{76B55C28-D088-42F1-B738-AC36D2A7CC22}\InprocServer32 "ThreadingModel"
    Type: REG_SZ
    Data: apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings "bf"
    Type: REG_BINARY
    Data: 9D, 5D, EA, 98, 47, F9, A2, 50, 69, 54, 4A, 1C, 17, 24, 32, DA, F3, 94, 44, 53, AD, 85, C3, 3B, 8B, 69, B2, C3, 42, 97
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings "bk"
    Type: REG_BINARY
    Data: A5, 50, 80, 8D, 3B, 82, A5, 2D, 06, 2A, 52, 5F, 56, 6F, 6B, 8B, AC, E1, 47, 22, 8C, C0, 95, 67, D3, 06, 95, 9C, 18, D3, 34, BE, 69, A4, 75, 7D, BC, 4A, 66
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings "iu"
    Type: REG_DWORD
    Data: F8, 0B, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings "mu"
    Type: REG_BINARY
    Data: 7B, 14, AE, 47, E1, 7A, 84, 3F
Files added.
%System%\credu.dll
Date: 8/4/2004 1:00 PM
Size: 93,184 bytes
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Visible signs.
O2 - BHO: (no name) - {76B55C28-D088-42F1-B738-AC36D2A7CC22} - C:\WINDOWS\system32\credu.dll

Note: the CLSID 76B55C28-D088-42F1-B738-AC36D2A7CC22 is random.
credu.dll.
File credu.dll received on 11.07.2008 23:48:17 (CET)
AhnLab-V3 2008.11.7.1 2008.11.07 -
AntiVir 7.9.0.26 2008.11.07 TR/BHO.Gen
Authentium 5.1.0.4 2008.11.07 -
Avast 4.8.1248.0 2008.11.07 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.11.07 BHO.X
BitDefender 7.2 2008.11.07 -
CAT-QuickHeal 9.50 2008.11.07 Trojan.BHO.hhy
ClamAV 0.94.1 2008.11.07 -
DrWeb 4.44.0.09170 2008.11.07 -
eSafe 7.0.17.0 2008.11.06 Suspicious File
eTrust-Vet 31.6.6195 2008.11.06 Win32/Kvol!generic
Ewido 4.0 2008.11.07 -
F-Prot 4.4.4.56 2008.11.07 W32/Podnuha.A.gen!Eldorado
Fortinet 3.117.0.0 2008.11.07 W32/BHO.HFX!tr
GData 19 2008.11.07 Win32:Trojan-gen {Other}
Ikarus T3.1.1.45.0 2008.11.07 Virus.Win32.Podnuha.BJ
K7AntiVirus 7.10.519 2008.11.07 Trojan.Win32.BHO.hfx
Kaspersky 7.0.0.125 2008.11.07 Trojan.Win32.BHO.hfx
McAfee 5427 2008.11.07 Boaxxe.dll
Microsoft 1.4104 2008.11.07 Trojan:Win32/Boaxxe.B
NOD32 3596 2008.11.07 Win32/Rootkit.Podnuha
Norman 5.80.02 2008.11.07 W32/BHO.FRI
Panda 9.0.0.4 2008.11.07 Adware/WebSearch
PCTools 4.4.2.0 2008.11.07 -
Prevx1 V2 2008.11.07 -
Rising 21.02.42.00 2008.11.07 -
SecureWeb-Gateway 6.7.6 2008.11.07 Trojan.BHO.Gen
Sophos 4.35.0 2008.11.07 Troj/Boaxxe-F
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.07 Trojan Horse
TheHacker 6.3.1.1.144 2008.11.07 -
TrendMicro 8.700.0.1004 2008.11.07 TROJ_BHO.KB
VBA32 3.12.8.9 2008.11.07 Trojan.Win32.Boaxxe
ViRobot 2008.11.7.1457 2008.11.07 -
VirusBuster 4.5.11.0 2008.11.07 -

Additional information
File size: 93184 bytes
MD5...: f595eeabe80513954c4a81aa0ca0bdf6
SHA1..: 5870ccfeae5c00e2c8b4f8354780cf275389f892
SHA256: ecd1313d937d8417bf7d6638c1e9d94034988f4e4671feb19a8b280eff0af9a4
PEiD..: -
Kimberly

WARNING: ads.imgrep.net & se.muk.aklum.net


Initially this topic - started almost a year ago - was exclusively dedicated to malicious Flash banners aka “malvertizements”, as Sandi accidentally started to call them. During that lapse of time we saw some evolutions, such as being triggered into downloading a file instead of being redirected to a fake online scanner. Several new bad advertising agencies also saw the dawn, and finally this topic started to cover other aspects of malicious advertisements and / or advertising agencies, for the simple reason that all roads lead to Rome …

The bad guys adapted their methods of distribution accordingly, but the main objective & the actors remained the same over and over again. Several main advertising agencies are now taking some of the attack vectors and / or fabulous Whois information very seriously, while others still don’t seem to be concerned …

Anyways, enough blabbering and I hope you still all enjoy the reading so fasten your seatbelts for the eve and let’s take off for another ride.

Lately we came across the combo ya-tracker / Clicksor several times; today I got 2 on the same page, and the “TalkTalk” banner is rather widespread while the "VW" one was a first for me.

One step closer ...


The dreadful warning … win32upd.exe
IPB Image

ads.imgrep.net


The Banner ... VW.
IPB Image IPB Image IPB Image
The script ....
IPB Image
Again flashwrite_1_2.js - hosted at ads.imgrep.net this time - contains a malicious iframe.
IPB Image
ya-tracker.com/pdfdoc/index.php?id=[*] contains a very obfuscated javascript leading to 3 exploits:
IPB Image
  1. the usual BD96C556-65A3-11D0-983A-00C04FC29E36 aka MS06-014 triggered through a lil' redirect with session ID.

    IPB Image

    IPB Image

  2. a malicious Flash banner containing a link to the same executable.

    IPB Image

  3. a malicious Adobe Acrobat PDF linking to the same executable.

    IPB Image

se.muk.aklum.net


The Banner ... TalkTalk.
IPB Image

IPB Image

IPB Image

IPB Image

The script ....
IPB Image
In this case DocumentDotWrite.js hosted at se.muk.aklum.net contains a malicious iframe.
IPB Image
ya-tracker.com/pdfdoc/index.php?id=[*] ... same obfuscated javascript leading to the same sploits as seen above.
Note: Once hit ... as long as cookies are still present and not expired you won't be hit twice.

IP details


ads.imgrep.net - 93.190.137.99

Registrar: ESTDOMAINS, INC.
Name Server: NS18.ZONEEDIT.COM
Name Server: NS8.ZONEEDIT.COM
Updated Date: 14-oct-2008
Creation Date: 27-jul-2008
Registrant: Protect Details, Inc
Domain Manager (privatecontact@protectdetails.com)
29 Kompozitorov st.
Saint Petersburg
,194358
RU
Tel. +7.8129342271
______________________________

se.muk.aklum.net - 78.109.18.211

Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Name Server: NS0.DIRECTNIC.COM
Name Server: NS1.DIRECTNIC.COM
Updated Date: 25-sep-2008
Creation Date: 24-sep-2008
Registrant: Sijan
3211 Bretu St.
Tartu, NA 52113
EE
238 443211x33
Fax:238 443211
______________________________

Is Clicksor incompetent, blind or accomplice ...
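The post above describes an ad include (flashwrite_1_2.js / DocumentDotWrite.js) that writes a hidden iframe pointing at ya-tracker.com, which in turn serves obfuscated JavaScript using the MS06-014 CLSID. The following is an added example, not code from the thread or from any of the parties named in it, showing how a defender can inspect a fetched ad script or page fragment for exactly those two signs: document.write'd iframes to an off-site host (with the common \x3c / \u003c escaping undone first) and the CLSID quoted in the post. The hostnames in the constructed samples (ads.example.invalid, tracker.example.invalid) and the function names are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# CLSID named in the thread for the MS06-014 vector; only the value is compared.
MS06_014_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

IFRAME = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def decode_js_escapes(text):
    """Undo \\xHH and \\uHHHH escapes so '\\x3ciframe' is seen as '<iframe'."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return text


def iframe_attrs(tag_body):
    """Map attribute names to values for one <iframe ...> tag."""
    attrs = {}
    for name, dq, sq, bare in ATTR.findall(tag_body):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def is_hidden(attrs):
    """True for iframes a visitor would never see: 1x1 or styled away."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "")) <= 1 and int(attrs.get("height", "")) <= 1
    except ValueError:
        return False


def inspect_script(text, allowed_hosts):
    """Return findings for a fetched ad script or HTML fragment.

    allowed_hosts: hostnames the ad network is expected to frame; anything
    else is reported as off-site.
    """
    findings = []
    unescaped = decode_js_escapes(text)
    for match in IFRAME.finditer(unescaped):
        attrs = iframe_attrs(match.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:
            findings.append(f"iframe-offsite:{host}")
        if is_hidden(attrs):
            findings.append(f"iframe-hidden:{host or src}")
    if MS06_014_CLSID.lower() in unescaped.lower():
        findings.append("clsid:MS06-014")
    return findings


# Constructed sample of an ad include that writes a hidden, escaped iframe.
SAMPLE_SCRIPT = (
    "document.write('<div id=\"ad\"></div>');\n"
    "document.write('\\x3ciframe src=\"http://tracker.example.invalid/pdfdoc/index.php?id=1\" "
    "width=\"1\" height=\"1\" style=\"visibility:hidden\"\\x3e\\x3c/iframe\\x3e');\n"
)

# Constructed sample of a page fragment that references the MS06-014 CLSID.
SAMPLE_PAGE = (
    '<html><body><object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36">'
    "</object></body></html>"
)

if __name__ == "__main__":
    print(inspect_script(SAMPLE_SCRIPT, {"ads.example.invalid"}))
    print(inspect_script(SAMPLE_PAGE, set()))
```

The allow-list is deliberately the only piece of policy here: a third-party ad script that frames a host outside the network it belongs to is the thing worth a second look, whether or not the frame is hidden.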
Kimberly

WARNING: data2.33storage.com


Same story as above with data2.33storage.com/120eir/flashwrite_1_2.js - a malicious iframe to ya-tracker.com/pdfdoc/index.php?id=[*]
IPB Image
Unfortunately I only have the link to the flashwrite_1_2.js file and not a screenshot of the banner.

data2.33storage.com - 93.190.137.99

Updated Date: 14-oct-2008
Creation Date: 15-aug-2008
Registrar: ESTDOMAINS, INC.
Name Server: NS18.ZONEEDIT.COM
Name Server: NS8.ZONEEDIT.COM
Registration Service Provided By: ESTDOMAINS INC
Registrant:
Protect Details, Inc
Domain Manager (privatecontact@protectdetails.com)
29 Kompozitorov st.
Saint Petersburg
,194358
RU
Tel. +7.8129342271
Kimberly

antivirusonlivescan.com - totalantivirusscan.com - total-antivirus-scan.com


Fake scanners.

antivirusonlivescan.com/2009/1/freescan.php?id=[*]

totalantivirusscan.com/2009/1/freescan.php?id=[*]

total-antivirus-scan.com/2009/1/freescan.php?id=[*]


IP details


antivirusonlivescan.com - 78.159.118.217 / 89.149.253.215

Updated Date: 09-nov-2008
Creation Date: 07-nov-2008
Registrar: BIZCN.COM, INC
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
______________________________

totalantivirusscan.com - 84.243.196.136 / 91.203.92.47

Updated Date: 09-nov-2008
Creation Date: 07-nov-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM

Registrant Contact: Timur Elchin gpdomains@yahoo.com
+74958766435 fax: +74958766435
ul. Krupskoy 76-243
Moskva Moskovskay oblast 121345
ru
______________________________

total-antivirus-scan.com - 208.72.169.100

Updated Date: 09-nov-2008
Creation Date: 07-nov-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM

Registrant Contact: Timur Elchin gpdomains@yahoo.com
+74958766435 fax: +74958766435
ul. Krupskoy 76-243
Moskva Moskovskay oblast 121345
ru

Warning: malvertizement featuring imin.com


Malvertizement featuring imin.com - Courtesy of Sandi.

Banner.
IPB Image
Redirect.
optimizedby.net/__utm.gif?[*]
optimizedby.net - 212.95.32.166

Updated Date: 06-nov-2008
Creation Date: 26-aug-2008
Registrar: ESTDOMAINS, INC.
Name Server: NS1.OPTIMIZEDBY.NET
Name Server: NS2.OPTIMIZEDBY.NET

Registrant: OOO "NetOboz"
Sergey Bolshakov (serg.bolshakov@mail.ru)
Gogolya str. 49/55
Penza
Penzenskaya oblast,440052
RU
Tel. +7.8412209003
Fax. +7.8412322137
Kimberly

Photobucket.com - Appartmentguide.com


A yet unseen malvertizement featuring Appartmentguide.com is being displayed on Photobucket. (Ya really hafta love that website ...)

Unfortunately no screenshot in situ available as I did set the PC to visit a couple of URL's on its own. Time to seek the source when I discovered st-ation-appraisals.com/crossdomain.xml in the network log and a lil' bit lower our well known friend profitabill.com.

Banner.
photobkt-images.adbureau.net/photobkt/50028_apartment_guide_160x600.swf
IPB Image IPB Image IPB Image IPB Image
The banner's date / timestamp is fairly recent: Tuesday, October 28, 2008, 12:03:20 AM.
Btw, notice the spelling error in the first screenshot ... seach instead of search ...

Campaign.
st-ation-appraisals.com/crossdomain.xml
st-ation-appraisals.com/c/index.php?id=[*]
profitabill.com/?cmpid=hepeculate
webstatsmaster.com/in.cgi?[*]
windowslovingyou.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
antivirusonlivescan.com/2009/1/freescan.php?id=[*]

IP details


st-ation-appraisals.com - 79.135.187.88

Registrar: ENOM, INC.
Name Server: NS1.ST-ATION-APPRAISALS.COM
Name Server: NS2.ST-ATION-APPRAISALS.COM
Updated Date: 13-oct-2008
Creation Date: 10-oct-2008
IP Location - Turkey - Sistemnet Telekomunikasyon Ve Bilgi Tek. Tic. Ltd. Sti
Registration Service Provided By: NameCheap.com

Registrant Contact: ITmeter INC
Sergey Belonozhko
Dmitrienko 7
Odessa, State 65000
UA
______________________________

webstatsmaster.com - 74.50.114.164

Registrar: TLDS, LLC DBA SRSPLUS
Name Server: NS1.ONLINEPROMOSTATS.COM
Name Server: NS2.ONLINEPROMOSTATS.COM
Name Server: NS3.ONLINEPROMOSTATS.COM
Name Server: NS4.ONLINEPROMOSTATS.COM
Updated Date: 07-nov-2008
Creation Date: 03-jul-2008

Registrant: Robinson Deka (ma3xezpfn4x@privateregistration.srsplus.com)
Doggi
ATTN: webstatsmaster.com
c/o SRSPlus Private Registration
P.O. Box 447
Herndon, VA 20172-0447
570-708-8760
______________________________

windowslovingyou.com - 208.72.168.185

Registrar: ONLINENIC, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Updated Date: 22-oct-2008
Creation Date: 22-oct-2008
IP Location - New York - New York - Mccolo Corporation

Registrant: Alexey Vasiliev alexvasiliev1987@gmail.com +7.3834427722
Alexey Vasiliev
Ol. Duducha 21/2 53
Moskow,NSK,RUSSIAN FEDERATION 630122
______________________________

antivirusonlivescan.com - 78.159.118.217 / 89.149.253.215

Registrar: BIZCN.COM, INC
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM
Updated Date: 09-nov-2008
Creation Date: 07-nov-2008
IP Location - Germany - Netdirekt E.k

Registrant Contact: Timur Elchin gpdomains@yahoo.com
+74958766435 fax: +74958766435
ul. Krupskoy 76-243
Moskva Moskovskay oblast 121345
ru
Kimberly

onlinecounter1.net related


Redirect.
viewallclicks.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
antivirusonlivescan.com/2009/1/en/freescan.php?id=[*]
viewallclicks.com - 208.72.168.185

Updated Date: 09-nov-2008
Creation Date: 05-nov-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM

Registrant Contact: Artur Voroncov gpdomains@yahoo.com
+74952876425 fax: +74952876425
ul. Komunisticheskay 76-23
Moskva Moskovskay oblast 114345
ru

webstatsmaster.com related


www.win-security-scanner.org - 208.85.178.140

Created On:22-Oct-2008 15:32:19 UTC
Last Updated On:23-Oct-2008 11:56:50 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Registrant ID:DI_8871659
Registrant Name:Levinzon Natalija
Registrant Street1:ul. Rolana, 40, kv. 19
Registrant City:Kiev
Registrant State/Province:Kievskaja
Registrant Postal Code:03162
Registrant Country:UA
Registrant Phone:+38.0444526851
Registrant Phone Ext.:
Registrant Email:natalevinson@gmail.com
______________________________

sgscanner.com - 116.50.14.185

Updated Date: 07-nov-2008
Creation Date: 24-oct-2008
Registrar: REGTIME LTD.
Name Server: NS1.SGSCANNER.COM
Name Server: NS2.SGSCANNER.COM

Registrant: Vrenk Tihomil
Email: gray444371@gmail.com
Address: Kolodvorska 73, Sl3270 Lasko
City: Lasko
State: LaskoLasko
ZIP: Sl1355
Country: SI
Phone: +386.14588324

BIZCN.COM & REGTIME LTD ... 2 registrars appearing more and more lately when it comes to malware domains.
Kimberly

softwareclicks3.com - allprotectionscan.com


Redirect.
softwareclicks3.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
allprotectionscan.com/2009/1/en/freescan.php?id=[*]

IP details


softwareclicks3.com - 89.149.227.232

Updated Date: 09-nov-2008
Creation Date: 06-nov-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM

Registrant Contact: Vitaly Skvorcov gpdomains@yahoo.com
+74957676435 fax: +74957676435
Ul. Suhaveva 76-23
Moskva Moskovskay oblast 116345
ru
______________________________

allprotectionscan.com 89.149.241.106 / 91.203.93.68 / 89.149.227.196

Updated Date: 10-nov-2008
Creation Date: 10-nov-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM

Registrant Contact: Leontiy Kravcov cndomainz@yahoo.com
+74957539435 fax: +74957539435
pr. Mira 76-123
Moskva Moskovskay oblast 112945
ru

Photobucket - Appartmentguide.com


The Apartmentguide.com malvertizement has been pulled. I still would suggest extreme caution when visiting Photobucket as I highly suspect this was not the only malvert circulating.
Kimberly

ad1.metrixlab-tds.com bites the dust


I accidentally checked back on ad1.metrixlab-tds.com and what a lovely way to start a day ... ad1.metrixlab-tds.com did bite the dust on the 30th October 2008.
IPB Image
Btw, Norton Safe Web demonstrates one of the ways start.swf was exploited.
CODE
http://ad1.metrixlab-tds.com/go51038/start/tunnel45.swf?show=http://ad1.metrixlab-tds.com/go35012/def/300x250.swf
Kimberly

WARNING: foxnews.com - imin.com


A yet unseen malvertizement featuring imin.com is being displayed on Fox News.

Banner.
adserver.adtechie.net/adiframe|3.0|20|47983383|4|1|ADTECH;loc=700;grp=spcimin/spcimin-728x90.swf
IPB Image

IPB Image

IPB Image
On Nov 11 2008 we already discovered another malvertizement featuring imin.com.

Campaign.
optimizedby.net/__utm.gif?utmwv=1.1&utmn=[*]&utmsr=[*]&utsc=[*]&ul=[*]
windows-scannercenter.com/?id=83119387197
viewallclicks.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
pro-scan-online.com/2009/1/freescan.php?nu=[*]
pro-scan-online.com/2009/1/en/freescan.php?id=[*]

Special notes


Below we see the request made at tag.admeld.com to display an advertisement on Fox News.
IPB Image
AdMeld is a huge network with many clients; adopt.specificclick.net is one of them, and it's on their server that we first spot a reference to adserver.adtechie.net.
Below is a snippet of the script used at adserver.adtechie.net to display the malvertisement.
IPB Image
Once the malvertizement is displayed, we are of course redirected. You will notice that optimizedby.net/__utm.gif is NOT being listed as image/gif but as application/octet-stream.
IPB Image
A closer look at the network capture reveals that we are dealing with a Flash file instead.
IPB Image
As expected we discover a malicious URL inside leading to windows-scannercenter.com and the reason why our clipboard has been hijacked ... System.setClipboard.
IPB Image
IPB Image

adserver.adtechie.net


All advertising content from adserver.adtechie.net should be handled with EXTREME CAUTION as the Registrar is none other than ... DIRECTI.

Don’t be fooled either by the resemblance with adserver.adtech.net aka Adtech Solutions, they're probably counting on that. At the time of writing, Adopstools is unable to detect the malvertizement.

adserver.adtechie.net - 212.95.37.206

Updated Date: 13-oct-2008
Creation Date: 03-oct-2008
Name Server: NS1.ADTECHIE.NET
Name Server: NS2.ADTECHIE.NET
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registrant: SD
Dietmar Hebels (hebels@gmx.ch)
Mythenquai 61
Zurich
Zurich,8002
CH
Tel. +44.2015161

Status:LOCKED
Note: This Domain Name is currently Locked. In this status the domain
name cannot be transferred, hijacked, or modified. The Owner of this
domain name can easily change this status from their control panel.
This feature is provided as a security measure against fraudulent domain name hijacking.
WTF ... who would like to hijack that anyway ...

Reverse lookup leads to 212-95-37-206.internetserviceteam.com

pro-scan-online.com


pro-scan-online.com - 89.149.227.196 / 89.149.241.106

Updated Date: 09-nov-2008
Creation Date: 04-nov-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.FREEFASTDNS.COM
Name Server: NS2.FREEFASTDNS.COM

Registrant details will be filled in as the service returns a time out error for now.
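The "Special notes" section of the post above hinges on two observations from the network capture: a request for __utm.gif came back as application/octet-stream and its bytes were a Flash file, and the decoded file carried the landing URL and a System.setClipboard call. The following is an added example, not code from the thread or from any party it names, that automates both checks over captured responses: it sniffs the leading bytes against a small magic-number table, flags a declared type that disagrees with them or a SWF behind an image extension, inflates CWS (zlib-compressed) SWFs, and lists the URLs and ActionScript names of interest found inside. The sample responses, the hostnames (*.example.invalid) and the helper names are constructed for the example; the SWF blobs are only header-shaped, which is all the string scan needs.

```python
import re
import zlib

# Magic-number table; assumed sufficient for the formats discussed in the thread.
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"FWS", "application/x-shockwave-flash"),  # uncompressed SWF
    (b"CWS", "application/x-shockwave-flash"),  # zlib-compressed SWF body
    (b"ZWS", "application/x-shockwave-flash"),  # LZMA-compressed SWF body
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),
]
SWF = "application/x-shockwave-flash"
IMAGE_URL = re.compile(r"\.(gif|png|jpe?g)(\?|$)", re.IGNORECASE)
# ActionScript names and URL prefixes worth an analyst's look inside a banner.
WATCH = [b"setClipboard", b"getURL", b"navigateToURL", b"http://", b"https://"]


def sniff(body):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for prefix, mime in MAGIC:
        if body.startswith(prefix):
            return mime
    return None


def declared_type(headers):
    """Normalise a Content-Type header (lower-case keys assumed) to its bare media type."""
    value = headers.get("content-type", "")
    return value.split(";")[0].strip().lower() or None


def swf_payload(body):
    """Return the SWF bytes after the 8-byte header, inflating CWS files."""
    if body.startswith(b"CWS"):
        return zlib.decompress(body[8:])
    if body.startswith(b"ZWS"):
        return b""  # LZMA container; left for a dedicated parser
    return body[8:]


def swf_indicators(body):
    """Watch strings and plain URLs present in a SWF's (decompressed) bytes."""
    data = swf_payload(body)
    hits = [w.decode() for w in WATCH if w in data]
    urls = [u.decode() for u in re.findall(rb"https?://[\x21-\x7e]+", data)]
    return hits, urls


def classify(url, headers, body):
    """Findings for one captured response; an empty list means nothing odd."""
    findings = []
    declared = declared_type(headers)
    actual = sniff(body)
    if declared and actual and declared != actual:
        findings.append(f"type-mismatch:{declared}->{actual}")
    if actual == SWF and IMAGE_URL.search(url):
        findings.append("swf-behind-image-url")
    if actual == SWF:
        hits, urls = swf_indicators(body)
        findings.extend(f"swf-string:{h}" for h in hits)
        findings.extend(f"swf-url:{u}" for u in urls)
    return findings


def scan(responses):
    """Map each (url, headers, body) capture to its findings."""
    return {url: classify(url, headers, body) for url, headers, body in responses}


def build_swf(compressed, script):
    """Constructed SWF-shaped blob: 3-byte signature, version, length, body."""
    length = (8 + len(script)).to_bytes(4, "little")
    if compressed:
        return b"CWS\x08" + length + zlib.compress(script)
    return b"FWS\x08" + length + script


# Constructed captures: a genuine tracking pixel, a SWF served as octet-stream
# behind a __utm.gif URL, and an openly declared SWF banner.
SAMPLE_RESPONSES = [
    ("http://cdn.example.invalid/pixel.gif",
     {"content-type": "image/gif"},
     b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"),
    ("http://tracker.example.invalid/__utm.gif?utmwv=1.1",
     {"content-type": "application/octet-stream"},
     build_swf(True, b"System\x00setClipboard\x00http://scanner.example.invalid/?id=1\x00")),
    ("http://cdn.example.invalid/banner.swf",
     {"content-type": "application/x-shockwave-flash"},
     build_swf(False, b"getURL\x00http://landing.example.invalid/\x00")),
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RESPONSES).items():
        print(url, findings or "ok")
```

Sniffing by magic bytes rather than trusting the header is the whole point: a proxy or capture tool that only looks at Content-Type files the tracker response under "binary data" and never sees the Flash inside.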
Kimberly

More adserver.adtechie.net malvertizements


IPB Image


180x150.swf
Banner.
IPB Image
Redirect.
adoptserver.info/_utm.gif?click=[*]/[*].expedia.com/[*]
______________________________

babycenter_curves_728x90.swf
Banner.
IPB Image
Redirect.
adoptserver.info/_stat.gif?src=http://view.atdmt.com/DEN/iview/[*]
______________________________

biotrainer_160x600.swf
Banner.
IPB Image
Redirect.
adoptserver.info/__utm.gif?utmwv=1.1&utmn=[*]&[*]&utmsr=[*]&[unique ref]&utsc=24-bit&ul=[*]
windows-scannercenter.com/?id=73039228833

Redirects to Google right now.
______________________________

elitstrimin_728x90.swf
Banner.
IPB Image
Redirect.
optimizedby.net/__utm.gif?utmwv=1.1&utmn=[*]&[*]&utmsr=[*]&[unique ref]&utsc=24-bit&ul=[*]
______________________________

imin468.swf
Banner.
IPB Image
Redirect.
optimizedby.net/__utm.gif?utmwv=1.1&utmn=[*]&[*]&utmsr=[*]&[unique ref]&utsc=24-bit&ul=[*]
______________________________

lclshp_freeretailrewards_728x90.swf
Banner.
IPB Image

IPB Image

Touch down! :p~~

IPB Image
Redirect.
adoptserver.info/__utm.gif?ver=http://view.atdmt.com/DNR/iview/[*]
______________________________

panimin160x600.swf
Banner.
IPB Image
Redirect.
optimizedby.net/__utm.gif?utmwv=1.1&utmn=[*]&[*]&utmsr=[*]&[unique ref]&utsc=24-bit&ul=[*]
______________________________

sparkimin_728x90.swf
Banner.
IPB Image
Redirect.
optimizedby.net/__utm.gif?utmwv=1.1&utmn=[*]&[*]&utmsr=[*]&[unique ref]&utsc=24-bit&ul=[*]
______________________________

spcimin-300x250.swf
Banner.
IPB Image
Redirect.
optimizedby.net/__utm.gif?utmwv=1.1&utmn=[*]&[*]&utmsr=[*]&[unique ref]&utsc=24-bit&ul=[*]
windows-scannercenter.com/?id=43147576394
viewallclicks.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
pro-scan-online.com/2009/1/freescan.php?nu=[*]
pro-scan-online.com/2009/1/en/freescan.php?id=[*]
______________________________

spcimin_728x90.swf
Banner seen on Fox News.
IPB Image
Redirect.
optimizedby.net/__utm.gif?utmwv=1.1&utmn=[*]&utmsr=[*]&utsc=[*]&ul=[*]
windows-scannercenter.com/?id=83119387197
viewallclicks.com/soft.php?aid=[*]&d=[*]&product=XPA&refer=[*]
pro-scan-online.com/2009/1/freescan.php?nu=[*]
pro-scan-online.com/2009/1/en/freescan.php?id=[*]
______________________________

typimin728.swf
Banner.