Full Version: Flash Mystery
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
<h4>
WARNING: LetsSingIt - Swatch
</h4>
Another malvertizement featuring Swatch is being displayed at LetsSingIt. The malicious banner has been acquired by LetsSingIt and is redirecting people to total-virusprotection.com.

Screenshot in situ.
Banner.
includes.letssingit.com/ads/SWATCH300x250.swf
Campaign.
cosmotraf.net/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]
crustat.com/ts/in.cgi?[*]&se=[*]&ur=[*]&HTTP_REFERER=wel-cmpid[*]
truconv.com/?a=[*]&s=[*]
top-name.cn/in.cgi?default&a=[*]&s=[*]
total-virusprotection.com/xpprot/3/?a=[*]&s=[*]&z=[*]

Kimberly
<h4>
Warning: blogads.com - Ebay
</h4>
A new malvertizement featuring Ebay is currently being distributed via blogads.com.

Ebay 300x250
Ebay 728x90
Ebay 160x600
Campaign

All malicious banners are using the same redirects.
statcluster.com/crossdomain.xml
statcluster.com/c/index.php?id=[*]
enjoyspringtime.com/?cmpid=[*]&subaff=[*]
crustat.com/ts/in.cgi?[*]&se=[*]&ur=[*]&HTTP_REFERER=[*]
justwebsecurity.com/[*]
<h4>
IP details
</h4>
statcluster.com - 174.37.196.175

Updated Date: 16-apr-2009
Creation Date: 03-apr-2009
Registrar: YESNIC CO. LTD.
Name Server: NS1.STATCLUSTER.COM - NS2.STATCLUSTER.COM

enjoyspringtime.com - 38.99.168.101

Updated Date: 17-apr-2009
Creation Date: 20-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET

crustat.com - 94.76.213.234

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET

justwebsecurity.com - 91.212.65.55

Updated Date: 20-apr-2009
Creation Date: 20-apr-2009
Registrar: REGTIME LTD.
Name Server: NS1.JUSTWEBSECURITY.COM - NS2.JUSTWEBSECURITY.COM

Registrant:
Rene Clay
Email: RenePClay@text2re.com
Organization: Private person
Address: 1555 Lake Floyd Circle
City: Chevy Chase
State: MD
ZIP: 20815
Country: US
Phone: +1.3019415618
Kimberly
<h4>
Warning: Malvertizement ft. Toshiba
</h4>
A new malicious banner ft. Toshiba is being distributed by celebritiesfans.com

Banner
celebritiesfans.com/banner728x90.swf

Campaign
statcluster.com/c/index.php?id=[*]
enjoyspringtime.com/?cmpid=[*]
Kimberly
<h4>
HTML ActiveX Object Error
</h4>
Today I ran into a strange message box being displayed while viewing Google images ... HTML ActiveX Object Error ... don't be fooled, it's yet another trick to push a rogue antivirus program on your computer.
A quick look at the network captures reveals a 302 redirect.
But why are we getting redirected to blackporn1.com or blackpornmix.com? The answer is simple, the htaccess files on those websites have been hacked.
From blackporn1.com or blackpornmix.com we bump to tubeontvgl.com and uploadmoviez.com. Interesting point ... win-pc-defender.com, uploadmoviez.com and tubeontvgl.com share the same IP. blackpornmix.com has already been caught in htaccess hacks back in March 2009 - Ref.

Needless to say, the redirect will happen from other search engines too as seen below.
codec.exe.

Additional information
File size: 106499 bytes
MD5...: 9a6d60840a24cc36af6436622275387b
SHA1..: 2e37689944f1dc26dbf058037e855568d422e158
SHA256: e26a8b03dcf2ae9a7fe27fe936d9a8c984d4fec0ff21eefc86ddba643079d7ec
PEiD..: -

ThreatExpert info.

File codec.exe received on 04.27.2009 17:08:02 (CET)
a-squared 4.0.0.101 2009.04.27 Trojan-Downloader.Win32.FakeRean!IK
AhnLab-V3 5.0.0.2 2009.04.27 Dropper/Agent.106499
AntiVir 7.9.0.156 2009.04.27 TR/Dldr.FakeRean.8
Antiy-AVL 2.0.3.1 2009.04.27 -
Authentium 5.1.2.4 2009.04.26 -
Avast 4.8.1335.0 2009.04.26 Win32:Trojan-gen {Other}
AVG 8.5.0.287 2009.04.27 SHeur2.ACOF
BitDefender 7.2 2009.04.27 -
CAT-QuickHeal 10.00 2009.04.27 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.04.27 -
Comodo 1137 2009.04.27 -
DrWeb 4.44.0.09170 2009.04.27 -
eSafe 7.0.17.0 2009.04.27 Win32.TrojanDownload
eTrust-Vet 31.6.6478 2009.04.27 -
F-Prot 4.4.4.56 2009.04.27 -
F-Secure 8.0.14470.0 2009.04.27 Trojan-Dropper.Win32.Agent.ankj
Fortinet 3.117.0.0 2009.04.27 W32/Agent.SR!tr.dldr
GData 19 2009.04.27 Win32:Trojan-gen {Other}
Ikarus T3.1.1.49.0 2009.04.27 Trojan-Downloader.Win32.FakeRean
K7AntiVirus 7.10.717 2009.04.27 -
Kaspersky 7.0.0.125 2009.04.27 Trojan-Dropper.Win32.Agent.ankj
McAfee 5597 2009.04.26 -
McAfee+Artemis 5597 2009.04.26 Generic!Artemis
McAfee-GW-Edition 6.7.6 2009.04.27 Trojan.Dldr.FakeRean.8
Microsoft 1.4602 2009.04.27 TrojanDownloader:Win32/FakeRean
NOD32 4036 2009.04.27 Win32/Adware.WinPCDefender
Norman 6.00.06 2009.04.27 -
nProtect 2009.1.8.0 2009.04.27 -
Panda 10.0.0.14 2009.04.27 Trj/CI.A
PCTools 4.4.2.0 2009.04.27 -
Prevx1 3.0 2009.04.27 -
Rising 21.27.02.00 2009.04.27 -
Sophos 4.41.0 2009.04.27 Mal/EncPk-HH
Sunbelt 3.2.1858.2 2009.04.24 Packer.Lighty.Gen (v)
Symantec 1.4.4.12 2009.04.27 Downloader.MisleadApp
TheHacker 6.3.4.1.315 2009.04.27 -
TrendMicro 8.700.0.1004 2009.04.27 -
VBA32 3.12.10.3 2009.04.27 -
ViRobot 2009.4.27.1710 2009.04.27 -
VirusBuster 4.6.5.0 2009.04.27 Trojan.DR.Agent.JLJP
<h4>
IP details
</h4>
blackporn1.com - 195.190.13.234

Updated Date: 30-mar-2009
Creation Date: 19-sep-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.CRIMENEWS.ASIA - NS2.CRIMENEWS.ASIA
Registrant: PrivacyProtect.org

blackpornmix.com - 195.190.13.234

Updated Date: 28-feb-2009
Creation Date: 19-sep-2008
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.CRIMENEWS.ASIA - NS2.CRIMENEWS.ASIA
Registrant: PrivacyProtect.org

uploadmoviez.com - 194.165.4.77

Updated Date: 24-apr-2009
Creation Date: 24-apr-2009
Registrar: BIZCN.COM, INC.
Name Server: NS2.NAMESERVERS01.COM - NS3.NAMESERVERS01.COM

Registrant Contact: Pish Upyachka
Constantine Teplyakov constnw@gmail.com
+66 (456) 355540 fax: +66 (456) 456456
My adress str
Pattaya Chon Buri 10152
th

tubeontvgl.com - 194.165.4.77

Updated Date: 24-apr-2009
Creation Date: 24-apr-2009
Registrar: BIZCN.COM, INC.
Name Server: NS2.NAMESERVERS01.COM - NS3.NAMESERVERS01.COM

Registrant Contact: Constantine Teplyakov constnw@gmail.com
+66 (456) 355540 fax: +66 (456) 456456
My adress str
Pattaya Chon Buri 10152
th

win-pc-defender.com - 194.165.4.77

Updated Date: 06-apr-2009
Creation Date: 15-mar-2009
Registrar: BIZCN.COM, INC.
Name Server: NS2.NAMESERVERS01.COM - NS3.NAMESERVERS01.COM

Registrant Contact: Nexton Limited
Sergey Ryabov director@climbing-games.com
+79219270961 fax:
Scherbakova st., 6-38
Saint-Petersburg Saint-Petersburg 197375
ru

My adress str in the whois details ... ya gotta be joking.
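The redirect in this post only fires when the visitor arrives from a search engine, which is what a referer-conditional rule in a hacked .htaccess does. As an added example, not code from the post or from any of the sites named in it, here is a small scanner that pairs Apache mod_rewrite RewriteCond lines with the RewriteRule they govern and flags rules that test HTTP_REFERER for search-engine names and send the visitor to an external host. The sample .htaccess is constructed for the example; redirector.example and www.example.org are placeholder names.

```python
import re
from typing import Dict, List

# Constructed sample: this is NOT the .htaccess of any site in the thread,
# only the typical shape of a referer-conditional redirect planted in a
# hacked site (search-engine visitors get bounced, direct visitors do not).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
# legitimate rule: pretty URLs
RewriteRule ^video/([0-9]+)$ /watch.php?id=$1 [L]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|live|bing|ask)\\. [NC,OR]
RewriteCond %{HTTP_REFERER} search [NC]
RewriteRule .* http://redirector.example/in.cgi?7 [R=302,L]
"""

SEARCH_ENGINE_HINT = re.compile(r"google|yahoo|msn|live|bing|ask|search", re.I)
EXTERNAL_TARGET = re.compile(r"^https?://([^/\s]+)", re.I)


def parse_rewrite_blocks(text: str) -> List[Dict]:
    """Group each RewriteRule with the RewriteCond lines directly above it.

    mod_rewrite semantics: RewriteCond lines apply only to the next
    RewriteRule, so a block is 'conds collected so far + this rule'."""
    blocks, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append({"var": parts[1], "pattern": parts[2],
                          "flags": parts[3] if len(parts) > 3 else ""})
        elif directive == "rewriterule" and len(parts) >= 3:
            blocks.append({"conds": conds, "pattern": parts[1],
                           "target": parts[2],
                           "flags": parts[3] if len(parts) > 3 else ""})
            conds = []
    return blocks


def find_referer_redirects(text: str, own_hosts=()) -> List[Dict]:
    """Return blocks that (a) test HTTP_REFERER for a search engine and
    (b) send the visitor off-site to a host that is not one of our own."""
    hits = []
    for b in parse_rewrite_blocks(text):
        referer_conds = [c for c in b["conds"]
                         if "HTTP_REFERER" in c["var"].upper()
                         and SEARCH_ENGINE_HINT.search(c["pattern"])]
        m = EXTERNAL_TARGET.match(b["target"])
        if referer_conds and m and m.group(1).lower() not in own_hosts:
            hits.append({"target_host": m.group(1),
                         "referer_patterns": [c["pattern"] for c in referer_conds],
                         "flags": b["flags"]})
    return hits


if __name__ == "__main__":
    for h in find_referer_redirects(SAMPLE_HTACCESS, own_hosts={"www.example.org"}):
        print(f"referer-conditional redirect to {h['target_host']} "
              f"(referer patterns {h['referer_patterns']}, flags {h['flags']})")
```

Run it against every .htaccess under a web root (including ones in upload directories, where the attacker usually drops them); a legitimate pretty-URL rule like the first one is ignored because it has no referer condition and rewrites to a local path.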
Kimberly
<h4>
Warning: www.wwe.com - HP
</h4>
A malvertizement ft. HP is displayed at www.wwe.com, the official site of World Wrestling Entertainment. The malicious banner is identical to those discovered at guardian.co.uk and electronicsnews.com.au but located on a different server.

Screenshot in situ.
Banner.
m1.2mdn.net/989589/hp_728x90.swf
Campaigns.
ydmstats.com/c/index.php?id=[*]
measurehits.com/?cmpid=[*]&subaff=[*]
Kimberly
<h4>
Warning: www.bestvenues.com.au & www.motogp.com - HP
</h4>
A malvertizement ft. HP is being displayed at www.bestvenues.com.au by DoubleClick. It's the same malicious banner as discovered earlier at the official site of World Wrestling Entertainment www.wwe.com. The malvertizement is again located on a "different server".

Screenshot in situ.
Banner.
m1.au.2mdn.net/989589/hp_728x90.swf
______________________________

Double trouble for www.motogp.com ...
Banners.
m1.emea.2mdn.net/989589/hp_728x90.swf
m1.emea.2mdn.net/989589/hp_300x250.swf
Kimberly
<h4>
Warning: comcast.vehix.com - BestWestern
</h4>
DoubleClick busted again ... 2 malvertizements ft. BestWestern are displayed at comcast.vehix.com.

Screenshot in situ.
Banners.
m1.2mdn.net/2198329/bestwestern728x90-new.swf


m1.2mdn.net/2198329/bestwestern300x250-new.swf

Campaigns.
cosmotraf.net/c/index.php?id=[*]
pleaselinkmeto.com/?cmpid=[*]&url=bestwestern&id=[*]
cosmotraf.net - 88.198.8.15

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET

pleaselinkmeto.com - 212.117.165.128

Updated Date: 05-mar-2009
Creation Date: 05-mar-2009
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Name Server: DNS1.COMMUNIGAL.NET - DNS2.COMMUNIGAL.NET
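The whois excerpts in this thread are being used to pivot: crustat.com, enjoyspringtime.com, cosmotraf.net and pleaselinkmeto.com sit on the same COMMUNIGAL nameservers, and uploadmoviez.com, tubeontvgl.com and win-pc-defender.com share one IP. As an added example, not code from the post, here is that pivot automated: the records below are transcribed from the whois details posted in this thread (the record layout is mine), and a union-find pass merges any two domains that share an IP, a nameserver or a registrant e-mail, keeping the evidence for each cluster.

```python
from collections import defaultdict
from typing import Dict, List

# Records transcribed from the whois excerpts in this thread (IPs, registrars,
# nameservers and registrant e-mails as posted); the record layout is mine.
WHOIS: List[Dict] = [
    {"domain": "statcluster.com", "ip": "174.37.196.175",
     "registrar": "YESNIC CO. LTD.",
     "ns": ("NS1.STATCLUSTER.COM", "NS2.STATCLUSTER.COM")},
    {"domain": "enjoyspringtime.com", "ip": "38.99.168.101",
     "registrar": "COMMUNIGAL COMMUNICATIONS LTD",
     "ns": ("DNS1.COMMUNIGAL.NET", "DNS2.COMMUNIGAL.NET")},
    {"domain": "crustat.com", "ip": "94.76.213.234",
     "registrar": "COMMUNIGAL COMMUNICATIONS LTD",
     "ns": ("DNS1.COMMUNIGAL.NET", "DNS2.COMMUNIGAL.NET")},
    {"domain": "cosmotraf.net", "ip": "88.198.8.15",
     "registrar": "COMMUNIGAL COMMUNICATIONS LTD",
     "ns": ("DNS1.COMMUNIGAL.NET", "DNS2.COMMUNIGAL.NET")},
    {"domain": "pleaselinkmeto.com", "ip": "212.117.165.128",
     "registrar": "COMMUNIGAL COMMUNICATIONS LTD",
     "ns": ("DNS1.COMMUNIGAL.NET", "DNS2.COMMUNIGAL.NET")},
    {"domain": "uploadmoviez.com", "ip": "194.165.4.77",
     "registrar": "BIZCN.COM, INC.", "email": "constnw@gmail.com",
     "ns": ("NS2.NAMESERVERS01.COM", "NS3.NAMESERVERS01.COM")},
    {"domain": "tubeontvgl.com", "ip": "194.165.4.77",
     "registrar": "BIZCN.COM, INC.", "email": "constnw@gmail.com",
     "ns": ("NS2.NAMESERVERS01.COM", "NS3.NAMESERVERS01.COM")},
    {"domain": "win-pc-defender.com", "ip": "194.165.4.77",
     "registrar": "BIZCN.COM, INC.", "email": "director@climbing-games.com",
     "ns": ("NS2.NAMESERVERS01.COM", "NS3.NAMESERVERS01.COM")},
]

# Attributes strong enough to count as a link between two domains.  The
# registrar is deliberately left out: a registrar like Directi or GoDaddy
# serves millions of legitimate domains, so sharing one proves nothing.
PIVOT_KEYS = ("ip", "ns", "email")


def build_index(records):
    """Map (attribute, value) -> set of domains that share it."""
    index = defaultdict(set)
    for rec in records:
        for key in PIVOT_KEYS:
            vals = rec.get(key)
            if vals is None:
                continue
            if isinstance(vals, str):
                vals = (vals,)
            for v in vals:
                index[(key, v.lower())].add(rec["domain"])
    return index


def cluster(records):
    """Union-find over domains: any shared pivot value merges two domains
    into one cluster; each cluster keeps its evidence as (key, value, count)."""
    parent = {rec["domain"]: rec["domain"] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    index = build_index(records)
    for domains in index.values():
        first, *rest = sorted(domains)
        for d in rest:
            ra, rb = find(first), find(d)
            if ra != rb:
                parent[rb] = ra

    groups = defaultdict(lambda: {"domains": set(), "evidence": []})
    for rec in records:
        groups[find(rec["domain"])]["domains"].add(rec["domain"])
    for (key, val), domains in index.items():
        if len(domains) > 1:
            root = find(next(iter(domains)))
            groups[root]["evidence"].append((key, val, len(domains)))
    return sorted(
        ({"domains": sorted(g["domains"]), "evidence": sorted(g["evidence"])}
         for g in groups.values()),
        key=lambda g: g["domains"][0])


if __name__ == "__main__":
    for g in cluster(WHOIS):
        print(", ".join(g["domains"]))
        for key, val, n in g["evidence"]:
            print(f"   shared {key}={val} ({n} domains)")
```

statcluster.com ends up alone because its nameservers are its own and nothing else in the set shares its IP; that is the right answer for the data at hand, and a reason to keep feeding new whois records in as the thread grows rather than reading too much into one record.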
Kimberly
<h4>
Warning: www.ifood.tv - Classmates
</h4>
A malvertizement ft. Classmates is displayed at www.ifood.tv.

Screenshot in situ.
Banner.
m1.2mdn.net/2282252/classmates300x250.swf

Campaign.
hitoptimist.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]&url=[*]
crustat.com/ts/in.cgi?[*]&se=[*]&ur=[*]&HTTP_REFERER=[*]
truconv.com/?a=[*]&s=[*]
total-virusprotection.com/xpprot/2/?a=[*]&s=[*]
I have the impression that DoubleClick's vigilance is going downhill lately. This is the fourth malicious banner being discovered since April 10 2009 on highly frequented websites.
  1. April 10: Rhapsody
  2. April 28: HP
  3. May 1: BestWestern
One can easily imagine how many people got infected in the past month by rogue antivirus products such as Antivirus 360 / 2009 / 2010, TotalVirusProtection etc ... especially if they use flash files to force downloads on people's computers as seen below and because advertising companies release their attention again in the checking process of creatives.

Load.swf takes 2 parameters transmitted in the URL, t and u which represents the location of a download php script.
justwebsecurity.com/load.swf?&p=0&t=_self&u=download.php?affid=[*]

Oh .. btw, a 468x60 version of the malvertizement ft. Classmates is present on the DoubleClick servers ... it's actually listed as being the 728x90 banner size but its real size is 468x60. Surprised? I'm not ...
m1.2mdn.net/2282252/classmates728x90.swf

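The creatives in this thread are ordinary-looking .swf files that carry a redirect or a download call inside them, and the first thing to do with one is to get at its tag stream and look at the strings. As an added example, not code from the post or from DoubleClick, here is a first-pass triage script: it reads the 8-byte SWF header, inflates a CWS (zlib-compressed) file or takes an FWS file as is, checks the declared length, and pulls out URLs, rotator-looking entry points and the ActionScript names a banner needs to send the browser somewhere. The sample SWF is constructed inside the script (build_sample_swf wraps a made-up tag stream in a real header); tracker.example and cdn.example are placeholder hostnames.

```python
import re
import struct
import zlib

# Strings an ActionScript banner needs in order to send the browser somewhere;
# their presence in a plain "ad" is what you want to look at.
SUSPICIOUS_API = (b"getURL", b"navigateToURL", b"loadMovie", b"URLRequest",
                  b"ExternalInterface", b"LoadVars")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\x00\s\"'<>]*)?")
# Rotator/TDS-looking entry points, the same shape as the campaign URLs above.
ROTATOR_RE = re.compile(rb"/(?:in\.cgi|in\.php|c/index\.php)\?", re.I)


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed tag stream that follows the 8-byte SWF header.
    FWS = uncompressed, CWS = zlib (SWF 6+), ZWS = LZMA (SWF 13+, not handled)."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF; decompress with lzma first")
    raise ValueError("not a SWF signature: %r" % sig)


def triage(data: bytes) -> dict:
    body = swf_body(data)
    (declared_len,) = struct.unpack("<I", data[4:8])  # uncompressed size incl. header
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(body)})
    return {
        "compressed": data[:3] != b"FWS",
        "version": data[3],
        "length_ok": declared_len == len(body) + 8,
        "apis": [a.decode() for a in SUSPICIOUS_API if a in body],
        "urls": urls,
        "rotator_like": [u for u in urls if ROTATOR_RE.search(u.encode("latin-1"))],
    }


def build_sample_swf(payload: bytes, compressed: bool = True) -> bytes:
    """Wrap a constructed tag stream in a SWF header (for the demo only)."""
    sig = b"CWS" if compressed else b"FWS"
    body = zlib.compress(payload) if compressed else payload
    return sig + bytes([9]) + struct.pack("<I", 8 + len(payload)) + body


# Constructed stand-in for a banner's tag stream: a few filler bytes plus the
# kind of strings a redirecting creative carries.  Hostnames are placeholders.
SAMPLE_PAYLOAD = (
    b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"
    b"\x00navigateToURL\x00flash.net\x00"
    b"http://tracker.example/c/index.php?id=1234\x00_self\x00"
    b"http://cdn.example/banner_assets/logo.png\x00"
)

if __name__ == "__main__":
    report = triage(build_sample_swf(SAMPLE_PAYLOAD))
    for k, v in report.items():
        print(f"{k:13}: {v}")
```

An empty URL list is not a clean bill of health: a creative with obfuscated ActionScript (as noted later in this thread) assembles its URL at runtime, so a file that calls navigateToURL or getURL yet shows no URL string deserves a closer look, not a pass.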
Kimberly
<h4>
Warning: www.fitnessmagazine.com - Classmates
</h4>
Remember I did highlight the existence of a horizontal malicious banner hosted at DoubleClick earlier today? The malvertizement is being served at www.fitnessmagazine.com and www.ifood.tv.

www.fitnessmagazine.com.

www.ifood.tv.
Banner.
m1.2mdn.net/2282252/classmates728x90.swf
Campaign.
hitoptimist.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]&url=[*]
Kimberly
<h4>
Warning: www.bhg.com - Classmates
</h4>
The 300x250 version of the malvertizement ft. Classmates is displayed at Better Homes & Gardens - www.bhg.com.

Screenshot in situ.
Banner.
m1.2mdn.net/2282252/classmates300x250.swf
Campaign.
hitoptimist.com/c/index.php?id=[*]
welovesandi.com/?cmpid=[*]&url=[*]
Kimberly
<h4>
Warning: Gilmours Media - gilmoursmedia.com
</h4>
Gilmours Media has been caught distributing malvertizements. Full Story by Sandi.

Gilmours Media has also advertised themselves on AdRoll and this simple fact does reveal some other interesting points to meditate about.
As seen on the screenshot below, they associate themselves with BioTrainer Weight Loss System - biotrainerusa.com - and regular readers will remember that we discovered several malicious banners featuring BioTrainer in the past. References here, here and here.
Furthermore the link Public Relations/Media at the bottom of the webpage not only goes to another domain - www.biotrainer.info - but reveals some interesting "behavior" too.
Successive visits bring us a new page each time ...
Network capture shows us that we are visiting a search portal called searchportal.information.com
<h4>
IP details
</h4>
biotrainerusa.com - 68.178.206.224

Registrar: GODADDY.COM, INC.
Name Server: NS.BIOTRAINERWEB.COM - NS1.BIOTRAINERWEB.COM
Updated Date: 13-oct-2008
Creation Date: 02-dec-2004
Registrant: Domains by Proxy, Inc.
______________________________

www.biotrainer.info - 208.73.210.121

Created On:16-Jun-2005 03:40:15 UTC
Last Updated On:13-Apr-2009 22:41:47 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Name Server:NS1.DSREDIRECTION.COM - Name Server:NS2.DSREDIRECTION.COM
Registrant Organization:Deerwood Investments, LLC
Registrant Street1:7362 Remcon Circle
Registrant City:El Paso
Registrant State/Province:Texas
Registrant Postal Code:79912
Registrant Country:US
Registrant Phone:+1.3124924577
Registrant FAX Ext.:
Registrant Email:deerwooddomains@gmail.com
______________________________

searchportal.information.com - 208.73.210.121

Registrar: NAMEKING.COM, INC.
Name Server: NS1.OVERSEE.NET - NS2.OVERSEE.NET
______________________________

Note: 208.73.210.121 is associated with a ZeuS domain. See also: ntos.exe and oembios.exe
Kimberly
<h4>
Warning: internetnetworkads.com - Nokia
</h4>
Today 2 banners have been brought to my attention for suspicious behavior / whois registration. The advertisements feature Nokia and are distributed by internetnetworkads.com. Currently there is no malicious redirect but the link inside the creatives is very typical of a rotator (see below). internetnetworkads.com is registered by DIRECTI INTERNET SOLUTIONS PVT. LTD. and the creative contains obfuscated actionscript code ... 3 reasons to treat all content from internetnetworkads.com with extreme caution.

Banner.
Links.
internetnetworkads.com/url3/in.php?id=9

www.surveyclub.com/?aip=[*]&cid=[*]
Banner.
Links.
internetnetworkads.com/url3/in.php?id=9&refer=[*]=[*]=&lang=[*]=&opsys=[*]==&mac=[*]==&xD=[*] ....

internetnetworkads.com/cmp/click.php?id=9
Note: the second URLs are the click URLs.

internetnetworkads.com returns a 404 error while the cmp folder pops up a login box.
Rotator.

A rotator is a link to a "Traffic Management System" which points to different destinations when requested several times. The system remembers your IP address on the server-side for a certain time period. After that time, or when you just use another IP address, you will again see the redirections when visiting the URL. Usually the redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Rotators typically look like:
www.example.com/in.cgi?default
www.example.com/tds/in.cgi?1
www.example.com/sutra/in.cgi?6
<h4>
IP Details
</h4>
internetnetworkads.com - 94.76.213.227

Updated Date: 15-jun-2009
Creation Date: 16-apr-2009
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.REG.RU - NS2.REG.RU

Registrant:
Olivier Le Pord (shreeadarsha@gmail.com)
Unit No. 6B , 6th Floor of M-6
New Delhi
New Delhi,110001
IN
Tel. +91.2230611555
Fax. +91.2230611555

domains sharing nameservers

a-mart.ru | adao.ru | adcart.net | adman.com | afy.ru | anyavto.com | anyclassics.com | anycomedy.com | anycredits.com | anyfantastic.com | anyflirt.com | anyhorror.com | anyinform.com | anymebel.com | anymobil.com | anyoptics.com | anypersonal.com | anypolitician.com | anyseach.com | anysmi.com | baldinini.net | beautyprorus.ru | botservice.ru | coolmaskarad.com | cottage-millenium.ru | cybersquatting.ru | defense-chelny.ru | deffence.ru | dobrovoz.ru | ealbum.ru | em-service.ru | hotelhelsinki.ru | inter-line.ru | lin2world.net | loadclip.ru | mebel-ekt.ru | multimedia-catalog.ru | n-photo.ru | naraboty.com | olgafomina.ru | ooodias.ru | ostprod.ru | pomoyka.ru | reg.ru | rf-perm.ru | ribca.net | robainapalomino.com | rublewka.ru | runetovec.ru | serverx.ru | sezam-service.ru | shanson.ru | stepnpay.ru | tempru.com | tic-rus.ru | trustindesign.ru | untex-sib.ru | untouchable.name | vsecargo.ru | worldsex.ru | x4u.ru

ip numbers of nameservers

81.177.8.189 | 92.241.180.114

The email address shreeadarsha@gmail.com is also associated to ADVERTISEDCLICKS.BIZ

advertisedclicks.biz - 81.177.22.95

Domain Registration Date: Fri Feb 20 09:40:41 GMT 2009
Domain Last Updated Date: Wed Apr 22 02:49:44 GMT 2009
Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registrant Name: Shree Adarsha
Registrant Organization: N/A
Registrant Address1: Singha Durbar of.3
Registrant City: Kathmandu
Registrant State/Province: Karnali
Registrant Postal Code: 3987
Registrant Country: Nepal
Registrant Country Code: NP
Registrant Phone Number: +977.14211892
Registrant Email: shreeadarsha@gmail.com
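The rotator description above (a TDS answering with HTTP 302 Found and a new Location, remembering the visitor's IP for a while) is also why the chains in this thread have to be reconstructed from the first capture rather than by re-requesting the URLs. As an added example, not code from the post, here is a script that takes a proxy-style capture, links every 3xx response to the request that followed its Location header (resolving relative Locations), and reports each chain with its hop count, the rotator-looking URLs in it and the landing page. The capture format and the hostnames (search.example, hacked-site.example, tds-one.example, tds-two.example) are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed capture in a simple "request line / status line / headers" form,
# one block per exchange; hostnames are placeholders, not the ones in the thread.
CAPTURE = """\
GET http://search.example/images?q=wallpaper
HTTP/1.1 200 OK
Content-Type: text/html

GET http://hacked-site.example/gallery/
HTTP/1.1 302 Found
Location: http://tds-one.example/in.cgi?default

GET http://tds-one.example/in.cgi?default
HTTP/1.1 302 Found
Location: http://tds-two.example/tds/in.cgi?3

GET http://tds-two.example/tds/in.cgi?3
HTTP/1.1 302 Found
Location: /landing/?a=77&s=12

GET http://tds-two.example/landing/?a=77&s=12
HTTP/1.1 200 OK
Content-Type: text/html
"""

# The in.cgi?... / in.php?... shape from the rotator examples above.
ROTATOR_RE = re.compile(r"/in\.(?:cgi|php)\?", re.I)


def parse_capture(text):
    """One dict per exchange: request URL, response status, lower-cased headers."""
    hops = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        _method, url = lines[0].split(None, 1)
        status = int(lines[1].split()[1])
        headers = {}
        for h in lines[2:]:
            k, _, v = h.partition(":")
            headers[k.strip().lower()] = v.strip()
        hops.append({"url": url, "status": status, "headers": headers})
    return hops


def redirect_chains(hops):
    """Follow each 3xx Location to the request that was actually made for it.
    Relative Locations are resolved against the redirecting URL (RFC 3986)."""
    by_url = {h["url"]: h for h in hops}
    next_of = {}
    for h in hops:
        loc = h["headers"].get("location")
        if 300 <= h["status"] < 400 and loc:
            target = urljoin(h["url"], loc)
            if target in by_url:
                next_of[h["url"]] = target
    targets = set(next_of.values())
    chains = []
    for h in hops:
        if h["url"] in targets:
            continue                      # someone else redirected here: not a head
        chain = [h["url"]]
        while chain[-1] in next_of and next_of[chain[-1]] not in chain:
            chain.append(next_of[chain[-1]])   # the 'not in chain' test stops loops
        if len(chain) > 1:
            chains.append(chain)
    return chains


def describe(chain):
    return {
        "hops": len(chain) - 1,
        "hosts": [urlsplit(u).hostname for u in chain],
        "rotators": [u for u in chain if ROTATOR_RE.search(u)],
        "landing": chain[-1],
    }


if __name__ == "__main__":
    for chain in redirect_chains(parse_capture(CAPTURE)):
        d = describe(chain)
        print(f"{d['hops']} hops via {d['hosts']}")
        print(f"  rotators: {d['rotators']}")
        print(f"  landing : {d['landing']}")
```

The landing URL and every rotator host in the chain are what go into the blocklist and the whois pivot; the search-engine request at the top of the capture is correctly left out because nothing redirected to it and it redirected nowhere.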
Kimberly
<h4>
Warning: www.jbmadvertising.com - JBM Advertising
</h4>
JBM Advertising has been caught distributing the Nokia malvertizement we saw a couple of days ago.
When we look up the contact details in Google Maps we stumble on another advertising agency at the same address called bfw Advertising - www.gobfw.com. bfw Advertising seems to have been created in 1999. Both websites are identical and carry the same page title: South Florida Advertising Agency.
www.jbmadvertising.com - 88.214.200.145

Updated Date: 22-may-2009
Creation Date: 22-may-2009
Name Server: NS0.HQHOST.NET - NS1.HQHOST.NET
Registration Service Provided By: REGNAME.BIZ
Registrant: Mr Shigetoshi Kudoh (kudohshigetoshi@googlemail.com)
1-7-8 Higashi-Kanda
Chiyoda-ku
Tokyo,6523
JP
Tel. +812.38618231