Full Version: Malicious Advertising
Kimberly
This topic will be dedicated to other types of advertisement techniques that redirect visitors to the same fake online scanners as those seen with the malicious Flash banners.

opensubtitles.org - WinSpywareProtect


Type of advertisement.
Popup when entering the website of opensubtitles.org
Online scanner.
scan.winspywareprotectscan.com/280/509/1
Network traces.

opensubtitles.org request for popup advertisement.
CODE
<script language="javascript">
var rm_host = "http://ad.media-servers.net";
var rm_section_id = 184462;
var rm_banned_pop_types = 29;
var rm_pop_times = 1;
var rm_pop_frequency = 3600;
rmShowPop();
Let's head over to the Right Media Ad Server thus.
CODE
var pop = fStart('http://ad.media-servers.net/iframe3?[removed],,
http://www.opensubtitles.org/en','','height=800,width=800,left='+l+',top='+t+',toolbar=1,
status=1,menubar=1,resizable=1,scrollbars=1,location=0');
pop.blur();
window.focus();
From here we jump to ad.media-servers.net/iframe3?[removed], where we encounter a 302 not found and we are thus redirected to ad.yieldmanager.com/iframe3?[removed], which is btw just another alias for ad.media-servers.net because they have exactly the same IP.
CODE
GET /iframe3?[removed],,http://www.opensubtitles.org/en HTTP/1.1
Accept: */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ad.media-servers.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Mon, 14 Jul 2008 15:22:35 GMT
Server: Right Media Ad Server/405
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/iframe3?[removed],,http://www.opensubtitles.org/en
Cache-Control: no-store
Last-Modified: Mon, 14 Jul 2008 15:22:35 GMT
Pragma: no-cache
Content-Length: 0
Connection: close
Arriving on our page, we stumble on another redirect, and this time, when following "the location" of the popup advertisement, the visitor is presented with a fake online scanner.
Note: The advertisement URLs have been shortened and some lines have been wrapped for visibility reasons.

scan.winspywareprotectscan.com - winspywareprotectscan.com


Website Title: None given.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-06-18
Expires: 2009-06-18
Updated: 2008-06-18

ns1.everydns.net 208.76.56.56 ns1.tahoe.everydns.net
ns2.everydns.net 204.152.184.150 ns2.everydns.net
ns3.everydns.net 208.96.6.134 unknown.everybox.com
ns4.everydns.net 64.158.219.3 ns4.everydns.net

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: www.estdomains.com

Domain Name: WINSPYWAREPROTECTSCAN.COM

Registrant:
Rocking Stars
Georges Nichu (georges.nichu@gmail.com)
rue Arnoux, bld. 88
Paris
Other,78132
FX
Tel. +33.143359837
Fax. +33.143359837

Administrative Contact:
Rocking Stars
Georges Nichu (georges.nichu@gmail.com)
rue Arnoux, bld. 88
Paris
Other,78132
FX
Tel. +33.143359837
Fax. +33.143359837

Technical Contact:
Rocking Stars
Georges Nichu (georges.nichu@gmail.com)
rue Arnoux, bld. 88
Paris
Other,78132
FX
Tel. +33.143359837
Fax. +33.143359837

Billing Contact:
Rocking Stars
Georges Nichu (georges.nichu@gmail.com)
rue Arnoux, bld. 88
Paris
Other,78132
FX
Tel. +33.143359837
Fax. +33.143359837
Kimberly

uploadjockey.com - Antivirus 2009


Type of advertisement.
Popup when entering the website of uploadjockey
Online scanner.
virus9-webscanner.com/2009/1/freescan.php?aid=77000423
Network traces.

uploadjockey.com request for popup advertisement.
CODE
<script type='text/javascript'>
//default pop-under house ad url
clicksor_enable_pop = true; clicksor_frequencyCap = -1;
durl = 'http://uploadjockey.com/popup.php';
clicksor_layer_border_color = '';
clicksor_layer_ad_bg = ''; clicksor_layer_ad_link_color = '';
clicksor_layer_ad_text_color = ''; clicksor_text_link_bg
= '';
clicksor_text_link_color = ''; clicksor_enable_text_link = false;
</script>
Let's head over to Clicksor thus.
CODE
function clicksorpop(){if(!popedCLK)
{if(!usingXPSP2){popwinCLK=open('http://ads101.clicksor.com/serving/links.php?zone=...
CODE
GET /serving/links.php?zone=[removed]&durl=http%3A%2F%2Fuploadjockey.com%2Fpopup.php HTTP/1.1
Accept: */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ads101.clicksor.com
Connection: Keep-Alive
Cookie: TRUID=12168251938592

HTTP/1.1 200 OK
Date: Wed, 23 Jul 2008 15:01:36 GMT
Server: Apache/2.2.3 (Fedora)
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 1520
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML>
<HEAD>
<title>.</title>
</HEAD>
<body>
<img src='http://ads101.clicksor.com/serving/tracking_id.php' width='1' height='1'>
<script language="javascript">
<!--
function maximizeWindow() {
self.blur();
if (parseInt(navigator.appVersion)>3) {
  if (navigator.appName=="Netscape") {
    //if (self.screenX>0 || self.screenY>0) self.moveTo(0,0);
    if ( ''==0 && ''==0 ){// full page
      if (self.outerWidth < screen.availWidth)
        self.outerWidth=screen.availWidth;
      if (self.outerHeight < screen.availHeight)
        self.outerHeight=screen.availHeight;
    }else{
        self.outerWidth=parseInt('');
        self.outerHeight=parseInt('');
    }
  }else {
    if ( ''==0 && ''==0 ){// full page
      //self.moveTo(-4,-4);
      self.resizeTo(screen.availWidth+8,screen.availHeight+8);
    }else{ //var popunder ?>
      //self.moveTo(50,50);
      var specWidth=parseInt('');
      var specHeight=parseInt('');
      if(specWidth>screen.availWidth){ specWidth= screen.availWidth; }
      if(specHeight>screen.availHeight){ specHeight= screen.availHeight; }
      self.resizeTo(specWidth+20,specHeight+8);
      //self.resizeTo(720+20,300+8);
    }
  }
}
self.blur();
}

try{
  maximizeWindow();
  self.blur();
}catch(e){}

self.location = "http://ad.byronadvertising.eu/drive/click.php?id=438";

try{
  if (navigator.appName=="Netscape") {
    if(window.opener){
      window.opener.focus();
    }
  }
}catch(e){}
// -->
</script>
</BODY>
</HTML>
From here we jump to ad.byronadvertising.eu/drive/click.php?id=438, where we encounter an obfuscated JavaScript.
Decoded, we are redirected to ad.byronadvertising.eu/drive/scr.php? That page reveals to us the location of our fake online scanner.
CODE
GET /drive/scr.php?a=754749&lang=en-us&id=438&ref= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ad.byronadvertising.eu
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 23 Jul 2008 15:02:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Set-Cookie: par=1; expires=Wed, 23-Jul-2008 15:02:30 GMT
Content-Length: 99
Keep-Alive: timeout=5, max=499
Connection: Keep-Alive
Content-Type: text/html

<script>location.href = 'http://virus-webscanner.com/soft.php?aid=000423&d=3&product=XPA';</script>
CODE
GET /soft.php?aid=000423&d=3&product=XPA HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: virus-webscanner.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 23 Jul 2008 15:02:31 GMT
Server: Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.7a PHP/4.4.8 mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/4.4.8
Set-Cookie: soft=1; expires=Thu, 24 Jul 2008 15:02:31 GMT
Location: http://virus9-webscanner.com/2009/1/freescan.php?aid=77000423
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Note: The advertisement URLs have been shortened and some lines have been wrapped for visibility reasons.

virus-webscanner.com - 89.149.197.240


Website Title: XP antivirus protection - Official web site
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-06-19
Expires: 2009-06-19
Updated: 2008-06-19
Name Server: NS1.MYNICK.NAME (has 1,148 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

Server Type: Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.7a PHP/4.4.8 mod_perl/1.29 FrontPage/5.0.2.2510
IP Address: 89.149.197.240
IP Location - Berlin - Berlin - Netdirect

Domain Name: VIRUS-WEBSCANNER.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Websites.
  1. Securedstats.com
  2. Virus-webscanner.com
  3. Virus9-webscanner.com
  4. Windows-virus-scanner.com

ad.byronadvertising.eu - 78.159.114.116


Let's have a closer look at Byronadvertising because this is another dodgy advertising company as seen below.

ad.byronadvertising.eu - 78.159.114.116 / byronadvertising.eu - 88.214.204.40

Website Title: Media Agency London UK
Meta Description: Byron Advertising is a fully recognised media agency providing online and traditional media planning and media buying services
iFrames: 1 ( Parts of page not indexable by most search engines. )

Registry Data
Created: 2008-05-21
Whois Server: whois.eu

IP Address: 88.214.204.40
IP Location - United Kingdom - Real International Business Corp

Whois Record
Domain: byronadvertising
Status: ON HOLD (*)
Registered: Wed May 21 2008

Registrant:
Please visit www.eurid.eu for webbased whois.

Agent Technical Contacts:
Phone: +1.2013775952
Fax: +1.3202105146
Email:

Registrar:
Name: PublicDomainRegistry.com
Website: www.publicdomainregistry.com

Nameservers:
ns1.hqhost.net
ns0.hqhost.net

(*) http://www.eurid.eu/en/faq#on_hold
Why is the domain name I want on hold? What does this mean?
When a domain name has a status of on hold it means that it has been registered, but is currently unavailable to be traded or transferred, pending the outcome of legal activity. Unless you are party to the legal proceedings, EURid staff may not provide you with any more information on the domain name other than that mentioned above.
whois.eu does not allow copying records, but you can check it out here (captcha code requested).

Websites.
Kimberly

density.extra.hu - Power Antivirus 2009


Type of advertisement.
Instant redirect through advertising.
Online scanner.
scanner.power-antivirus-2009.com/?aff=1064
Network traces.

density.extra.hu request for advertisement.
CODE
GET /images/header.php HTTP/1.1
Accept: */*
Referer: http://density.extra.hu/steel-ro4f/installing-wamp.html
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: w1_densit_steel-ro4f.yourcatchy.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 02 Aug 2008 18:15:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 138
Connection: close
Content-Type: text/html; charset=UTF-8

function LoadAd()
{
  parent.location.href="http://densit_steel-ro4f.yourcatchy.com/index.html?Ref="+encodeURIComponent(ref);
}

LoadAd();
Let's head over to index.html thus.
CODE
GET /index.html?Ref= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: densit_steel-ro4f.yourcatchy.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sat, 02 Aug 2008 18:15:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: http://scanner.power-antivirus-2009.com/?aff=1064
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

scanner.power-antivirus-2009.com - 91.208.0.233


Website Title: Power Antivirus 2009
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-07-29
Expires: 2009-07-29
Updated: 2008-07-29
Registrar Status: clientTransferProhibited
Name Server: NS1.POWER-ANTIVIRUS-2009.COM (has 1 domains)
Name Server: NS2.POWER-ANTIVIRUS-2009.COM
Whois Server: whois.estdomains.com

IP Address: 91.208.0.233
IP Location - Russian Federation - Still Trade Ltd
Dedicated Hosting: power-antivirus-2009.com is hosted on a dedicated server.

Whois Record
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: www.estdomains.com

Domain Name: POWER-ANTIVIRUS-2009.COM

Registrant:
Sawert Alliance ltd.
Peltonen Martti ()
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Creation Date: 29-Jul-2008
Expiration Date: 29-Jul-2009

Domain servers in listed order:
ns2.power-antivirus-2009.com
ns1.power-antivirus-2009.com

Administrative Contact:
Sawert Alliance ltd.
Peltonen Martti ()
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Technical Contact:
Sawert Alliance ltd.
Peltonen Martti ()
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Billing Contact:
Sawert Alliance ltd.
Peltonen Martti ()
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266

Status:ACTIVE

Still Trade Ltd was seen in the Flash redirects too.

Thx Moore.
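The redirect chains traced in the two posts above (Clicksor to ad.byronadvertising.eu to virus-webscanner.com, and yourcatchy.com to power-antivirus-2009.com) mix header redirects (302 Location) with script redirects (self.location, location.href, parent.location.href), so reading the landing page off a proxy log means walking both kinds. The following is an added example, not code from the forum or from any company named here: it walks such a chain offline from captured responses; the sample responses are constructed and trimmed to what the walk needs, and the plain relative redirect standing in for the obfuscated click.php script is an assumption.

```python
# Added example, not the forum's own code: walk a captured popup-ad chain offline,
# following 302 Location headers and the JavaScript location assignments seen above.
import re
from urllib.parse import urljoin, urlsplit

# Hand-written pattern for: self.location = ".."; location.href = '..'; parent.location.href = ".."
JS_REDIRECT = re.compile(r"""(?:self|parent|window|top)?\.?\blocation(?:\.href)?\s*=\s*["']([^"']+)["']""")

OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"  # shared response preamble
SAMPLE = {  # constructed responses modelled on the uploadjockey trace, trimmed
    "http://ads101.clicksor.com/serving/links.php?zone=1":
        OK + '<script>self.location = "http://ad.byronadvertising.eu/drive/click.php?id=438";</script>',
    "http://ad.byronadvertising.eu/drive/click.php?id=438":  # plain stand-in for the obfuscated script
        OK + "<script>location.href = '/drive/scr.php?a=1&id=438';</script>",
    "http://ad.byronadvertising.eu/drive/scr.php?a=1&id=438":
        OK + "<script>location.href = 'http://virus-webscanner.com/soft.php?aid=000423&d=3&product=XPA';</script>",
    "http://virus-webscanner.com/soft.php?aid=000423&d=3&product=XPA":
        "HTTP/1.1 302 Found\r\nLocation: http://virus9-webscanner.com/2009/1/freescan.php?aid=77000423\r\n\r\n",
    "http://virus9-webscanner.com/2009/1/freescan.php?aid=77000423": OK + "<html>fake scanner</html>",
}

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    return int(status_line.split()[1]), headers, body

def next_hop(url, raw):
    """URL the browser would load next, or None when this is the landing page."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])          # header redirect
    match = JS_REDIRECT.search(body)
    return urljoin(url, match.group(1)) if match else None  # script redirect

def follow_chain(start, captured, limit=20):
    """Walk the chain through captured responses only; stop at the landing page, an uncaptured URL, a loop, or `limit` hops."""
    chain = [start]
    while len(chain) < limit and chain[-1] in captured:
        nxt = next_hop(chain[-1], captured[chain[-1]])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def hosts(chain):
    """Ordered, de-duplicated hosts crossed by the chain: the set worth logging or blocking."""
    return list(dict.fromkeys(urlsplit(u).hostname for u in chain))
```

Run against a real proxy capture, the same walk turns a pile of 302s and one-line scripts into the ordered list of ad hosts that bounced the visitor to the scanner page.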
Kimberly

Byron Advertising (byronadvertising.eu)


On 23 July 2008 Byron Advertising (byronadvertising.eu) was caught redirecting people to fake online scanners using the Clicksor advertising system. Today, they are again implicated in a fraudware / hijacking incident. You can read the full story on Sandi's Blog.