Movement in the malvertisement world
There has been a lot going on over the past few weeks, and it's time to bring everybody up to speed on recent discoveries.
First, a malicious advertisement has been discovered at ADECN again, the URL being:
cds.adecn.com/resource/ads/875_9159_1202999742.swf
As you will see, visually the advertisement is identical to the malicious advertisement that appeared on diepresse and washingtonpost.com.
From ADECN we are redirected to station-appraisals.com/crossdomain.xml, and to:
station-appraisals.com/c/index.php?id=WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm
We then hit blessedads.com/?cmpid=identifyso, and prevedmarketing.com/?tmn=mwatmp&aid=identifyso&lid=&ax=1&ed=2&mt_info=5586_5581_2358, before we finally hit:
scanner2.malware-scan.com/9_swp/?tmn=null&aid=identifyso_ma9s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5586_5581_2358:3958_0_15362
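The `id` value in the station-appraisals.com hop above is not random: it base64-decodes to a short query string whose field names and campaign label are rot13-obfuscated, and that label is the same `identifyso` that appears as `cmpid` on the next hop. The Python below is an added example, not code from the original post; it assumes an `http://` scheme (the post quotes the URLs without one) and drops the few non-text trailer bytes that follow the decoded query string.

```python
import base64
import codecs
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Two consecutive hops of the redirect chain quoted in the post. The post
# gives them without a scheme; http:// is assumed so urlsplit can parse them.
HOP_STATION = ("http://station-appraisals.com/c/index.php?id="
               "WjM0VnExOHBjeDMza0dEUDdnUGRoPTEyMDI4MjE3MjYmcG56Y252dGE9"
               "dnFyYWd2c2xmYgYNkiDgNmYNkiDgNm")
HOP_BLESSED = "http://blessedads.com/?cmpid=identifyso"


def query_param(url: str, name: str) -> str:
    """Return one query-string parameter of a URL."""
    return dict(parse_qsl(urlsplit(url).query))[name]


def decode_tracking_id(blob: str) -> dict:
    """Decode the opaque id: unpadded base64 wrapping a rot13-obfuscated
    query string, followed by a few non-text trailer bytes."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    text = ""
    for byte in raw:
        if not 0x20 <= byte < 0x7F:   # stop at the first non-printable byte
            break
        text += chr(byte)
    # rot13 leaves digits alone, so the numeric field survives unchanged.
    return {codecs.decode(k, "rot_13"): codecs.decode(v, "rot_13")
            for k, v in parse_qsl(text)}


def campaign_from_hop(url: str) -> str:
    """Campaign label hidden in the hop's id parameter."""
    return decode_tracking_id(query_param(url, "id"))["campaign"]


def issued_date_from_hop(url: str) -> str:
    """The all-digit field in the decoded id is a Unix epoch timestamp."""
    fields = decode_tracking_id(query_param(url, "id"))
    epoch = next(int(v) for v in fields.values() if v.isdigit())
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    print(decode_tracking_id(query_param(HOP_STATION, "id")))
    print("campaign matches next hop:",
          campaign_from_hop(HOP_STATION) == query_param(HOP_BLESSED, "cmpid"))
    print("encoded on:", issued_date_from_hop(HOP_STATION))
```

The decoded timestamp (12 February 2008) sits two days before the 1202999742 embedded in the SWF filename, which is the kind of cross-check that lets two hops of a chain be tied to one campaign in proxy logs.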
-----------------------------------------------------------------------------------------
Now, station-appraisals.com is a relatively new name in the malvertising world, which we will take a closer look at shortly, but first, let's have a look at another recently reported malicious SWF - the speedbit one that I reported on earlier. It has now been analysed and reveals some interesting information.
We have discovered two URLs thanks to the Speedbit SWF:
staticglobalsources.net/c/index.php?id=m7NkiZnRhRDh6RVRudHpXm7NkiZHJsm7NkiZFUwVEloPTEyMDQwNDcyMzImcG56Y252dGE9bmV0aHpyYWdim7NkiZQYNkiDgNmYNkiDgNm
and
waytotheprofit.com/?cmpid=argumentor
We'll have a closer look at those two URLs later in this article.
-----------------------------------------------------------------------------------------
Next, let's look at another malicious SWF - this one featuring Weightwatchers:
The above SWF, when analysed, reveals the URL adtds2.promoplexer.com/statsa.php?campaign=interveco. Promoplexer is a newer (as distinct from new) name that also bears a closer examination.
The above promoplexer URL redirects to the URL adsraise.com/mbuyers/statistics.html.
The adsraise.com domain is very interesting. It is hosted in the Ukraine, with WNET, a name that has appeared on my blog before as host of the now infamous cleanator and macsweeper - therefore, I'd be EXTREMELY suspicious of anything hosted by that network.
Oh, and we have a new name... promoplexer shares A records with maxconvert.com - a sneak peek at that domain reveals lots of references to macsweeper - why are we not surprised?
-----------------------------------------------------------------------------------------
As we know, there have also been several campaigns recently using the domain iexplorer-security.org, which is hosted by MCHOST in Russia and which has name servers supplied by estboxes.com (aka estdomains, hosted by Intercage).
I have long since recommended wholesale blocking of Intercage, Interhoster and Nevacon - obviously that advice still stands.
-----------------------------------------------------------------------------------------
Ok, so obviously there is movement in the malvertising world - we are seeing new domain names and we are also seeing old names that are moving on to new hosts and service providers. Therefore, I think it is also worthwhile checking out some more traditional names to see what they are up to - my regular readers will remember that many malvertising domains featured on this blog took refuge at securehost. Let's see if they are still there, and if not, where they are now.
First, let's look at akamahi.net, which is very revealing in and of itself.
Akamahi.net still has its A records with securehost, but guess who it shares name servers with:
quinquecahue.com, aboutstat.com, newstat.com, officialstat.com, stat-diagnostic-imaging.net, statthisranch.net, staticglobalsources.com, station-appraisals.com, station-appraisals.net, statnation.net, thetechnorati.com, vozmiliogaranon.com.
See the highlighted name? Not only is akamahi.net sharing name servers with many already-known bad names, it is sharing a name server with station-appraisals.com, a new name in the malvertising world.
The name servers are provided by TMIDC-MY TELEKOM MALAYSIA and Hostfresh.
-----------------------------------------------------------------------------------------
Next is newbieadguide.com which seems to be the abandoned child, and still has all of its eggs in the securehost basket.
-----------------------------------------------------------------------------------------
Next, thetechnorati.com. This one is not an orphan, because it too has name servers provided by TMIDC-MY TELEKOM MALAYSIA and Hostfresh, although its A record is still with securehost.
-----------------------------------------------------------------------------------------
On to vozemiliogaranon.com. It also has its A records with securehost but its name servers with TMIDC-MY TELEKOM MALAYSIA and Hostfresh.
-----------------------------------------------------------------------------------------
Now, let's look at the NEW player, station-appraisals.com.
First, it is currently hosted by Denit Networks - yes, that's right - the same DENIT that was host to akamahi, newbieadguide, thetechnorati and vozemiliogaranon.
And (why am I not surprised) station-appraisals.com's name servers are provided by none other than TMIDC-MY TELEKOM MALAYSIA and Hostfresh.
A connection can be drawn between station-appraisals.com and the following domains, all of which should be treated with EXTREME caution:
aboutstat.com, aboutstat.net, newstat.net, officialstat.com, officialstat.net, stat-diagnostic-imaging.net, statetstr.com, statgroup.net, stathisranch.com, stathisranch.net, stathome.net, staticglobalsources.com, staticglobalsources.net, station-appraisals.com, station-appraisals.net, statnation.net, statsite.net, statsla.net, statuas.net and statworld.net
You may recall that staticglobalsources.net is involved with the malicious speedbit advertisement that I highlighted earlier in this article. Oh, and that reminds me, we need to look at waytotheprofit.com which was also implicated in the malicious speedbit advertisement. That domain shares A records with:
ad2profit.com, adgurman.com, adredired.com, adsolutio.com, astalaprofit.com, bizmarketads.com, brandmarketads.com, iddgdmarketing.com, intervarioclick.com, invulnerableads.com, luckyadcoin.com, luckyadsols.com and mythmarketing.com
All of those domains have been associated in the past with securehost - see this URL:
http://msmvps.com/blogs/spywaresucks/archive/2007/12/08/1386804.aspx
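The pivot used from akamahi.net onward, from a known-bad domain to every other domain sharing its name servers or A records and then onward from those, can be run mechanically over a passive-DNS export. The Python below is an added example and not part of the original post: the domain names are the ones discussed above, but the name-server hostnames and addresses are constructed placeholders standing in for the TMIDC/Hostfresh, securehost and Denit infrastructure, not real lookups.

```python
from collections import defaultdict

# Constructed passive-DNS style records (domain, type, value). The domains are
# the post's; the NS hostnames and addresses are placeholders only.
RECORDS = [
    ("akamahi.net", "NS", "ns1.nameserver-placeholder.example"),
    ("akamahi.net", "A", "192.0.2.10"),               # securehost placeholder
    ("thetechnorati.com", "NS", "ns1.nameserver-placeholder.example"),
    ("thetechnorati.com", "A", "192.0.2.10"),
    ("newbieadguide.com", "A", "192.0.2.10"),
    ("newbieadguide.com", "NS", "ns1.securehost-placeholder.example"),
    ("station-appraisals.com", "NS", "ns1.nameserver-placeholder.example"),
    ("station-appraisals.com", "A", "192.0.2.20"),    # Denit placeholder
    ("staticglobalsources.com", "NS", "ns1.nameserver-placeholder.example"),
    ("staticglobalsources.com", "A", "192.0.2.40"),
    ("staticglobalsources.net", "A", "192.0.2.40"),
    ("waytotheprofit.com", "A", "192.0.2.30"),
    ("luckyadcoin.com", "A", "192.0.2.30"),
    ("unrelated-site.example", "NS", "ns1.other.example"),
]


def expand_cluster(records, seeds, max_hops=2, max_fanout=50):
    """Breadth-first pivot from known-bad seeds over shared NS and A values.
    Returns {domain: (record_key, reached_from)}; seeds map to None. Keys shared
    by more than max_fanout domains (a big registrar's name servers, a shared
    CDN address) are skipped because they say nothing about who runs a site."""
    by_value = defaultdict(set)   # ("NS"/"A", value) -> domains using it
    by_domain = defaultdict(set)  # domain -> its ("NS"/"A", value) keys
    for domain, rtype, value in records:
        by_value[(rtype, value)].add(domain)
        by_domain[domain].add((rtype, value))
    linked = {seed: None for seed in seeds}
    frontier = set(seeds)
    for _ in range(max_hops):
        next_frontier = set()
        for domain in frontier:
            for key in by_domain[domain]:
                if len(by_value[key]) > max_fanout:
                    continue
                for other in by_value[key]:
                    if other not in linked:
                        linked[other] = (key, domain)
                        next_frontier.add(other)
        frontier = next_frontier
    return linked


if __name__ == "__main__":
    for domain, via in sorted(expand_cluster(RECORDS, {"akamahi.net"}).items()):
        print(domain, "seed" if via is None else f"via {via[0]} from {via[1]}")
```

Lowering max_fanout is the knob that separates a small hoster's name servers, which are a real signal here, from infrastructure so widely shared that pivoting through it would sweep in legitimate sites.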
-----------------------------------------------------------------------------------------
Ok, that will do for now - there is a lot more to share, but *my* head is spinning - I hate to think how you may be feeling. There is a lot of work to be done in coming weeks, uncovering and exposing the latest maneuverings by the bastards behind the malvertisements.
There can be no doubt that the bad guys are on the move. The challenge is to keep the world informed about their latest pseudonyms.
More later....
Sandi
Source: http://feeds.feedburner.com/~r/SpywareSucks/~3/250121213/1540949.aspx
March 12th, 2008
