For a long time now, we have been focusing on SWF (Flash)-based malvertizements where the SWF itself contains malicious code. Over time, our detection abilities have improved (thanks in no small part to adopstools) and it is getting harder and harder for malvertizers to get their wares onto web pages.
Then the malvertizers started misusing Fuse, and for a while their malvertizements were not being detected by adopstools. That situation was short-lived.
In recent days, I have seen signs that the malvertizers are diversifying, and using tricks other than maliciously coded SWF.
**surfline.com**
When we look at the surfline.com incident, there was a particular URL loaded which contained a lot of script. This script controlled all of the advertisements on the page and included this snippet:
[image: script snippet from the ad-serving script, not reproduced here]
That adsmng.com URL (which is now dead), in turn, redirected to:
prior-network.com/_rd/go-js.asp?url=http%3A//securetds.ws/soft.php%3Faid%3DSNIPPED%26d%3D6%26product%3DXPA%26refer%3DdcSNIPPED
That prior-network.com URL, again using document.write, loaded:
securetds.ws/soft.php?aid=SNIPPED&d=6&product=XPA&refer=SNIPPED
We also see:
tdmng.com/in.cgi?<
prior-network.com/_rd/red.asp
before we end up at a trusted-scanner.com URL (now dead) or antivirus-fullscan.com.
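The chain above is worth reconstructing mechanically: the prior-network.com hop is a redirector whose `url=` parameter already carries the percent-encoded securetds.ws target, and the last hop is the fraudware landing page. The script below is an added example, not code from the original post: it walks a captured list of hops, decodes embedded redirect targets, and flags the domains the post names. The hop list is constructed from the URLs quoted above; the adsmng.com path and the tdmng.com query are not given in the post, so placeholders stand in for them.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Domains the post names as redirector or fraudware infrastructure (2008 data).
WATCHLIST = {
    "adsmng.com", "prior-network.com", "securetds.ws", "tdmng.com",
    "trusted-scanner.com", "antivirus-fullscan.com",
}

# Constructed hop list modelled on the chain quoted in the post. The adsmng.com
# path and the tdmng.com query are not given there, so placeholders are used;
# SNIPPED is the post's own redaction, not a real account id.
SAMPLE_CHAIN = [
    "http://adsmng.com/placeholder-path",
    "http://prior-network.com/_rd/go-js.asp?url=http%3A//securetds.ws/soft.php"
    "%3Faid%3DSNIPPED%26d%3D6%26product%3DXPA%26refer%3DdcSNIPPED",
    "http://securetds.ws/soft.php?aid=SNIPPED&d=6&product=XPA&refer=SNIPPED",
    "http://tdmng.com/in.cgi",
    "http://prior-network.com/_rd/red.asp",
    "http://antivirus-fullscan.com/",
]

def _with_scheme(url):
    """The post quotes URLs without a scheme; urlsplit needs one to find the host."""
    return url if "://" in url else "http://" + url

def registered_domain(url):
    """Crude registrable domain (last two labels); adequate for the .com/.ws names here."""
    host = (urlsplit(_with_scheme(url)).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def embedded_urls(url):
    """Absolute URLs carried in query parameters, e.g. go-js.asp?url=http%3A//...
    parse_qs percent-decodes once; unquote() strips a second layer if present."""
    query = parse_qs(urlsplit(_with_scheme(url)).query, keep_blank_values=True)
    return [unquote(v) for vals in query.values() for v in vals
            if unquote(v).lower().startswith(("http://", "https://"))]

def analyze_chain(urls):
    """Annotate every hop with its domain and watch-list status, and mark a hop
    as a redirector when its query string already names the next hop's domain."""
    hops = []
    for i, url in enumerate(urls):
        dom = registered_domain(url)
        nxt = registered_domain(urls[i + 1]) if i + 1 < len(urls) else None
        carried = {registered_domain(u) for u in embedded_urls(url)}
        hops.append({"domain": dom, "watchlisted": dom in WATCHLIST,
                     "redirects_to": nxt if nxt in carried else None})
    return hops
```

Fed the real hop list from a proxy log or browser capture, the `redirects_to` field singles out the open-redirector hop, which is the one worth reporting to the hosting provider and blocking at the edge.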
adsmng.com, prior-network.com, tdmng.com and securetds.ws are all domains that I do not remember seeing before.
I must admit, they are getting better at hiding.
Publicly accessible information about the domains includes:
adsmng.com (IP 38.113.169.140 - Canada, Performance Systems International Inc)
Registered: 19 August 2008
Registrar: Netfirms, Inc
WHOIS: Hidden behind "Domain Privacy Group"
Hosted on a dedicated server.
NS: Supplied by Netfirms.
prior-network.com (IP 38.113.174.69 - USA, Performance Systems International Inc)
Registered: 3 September 2008
Registrar: Netfirms, Inc
WHOIS: Hidden behind "Domain Privacy Group"
Hosted on a dedicated server.
NS: Supplied by Netfirms.
securetds.ws (IP 216.240.134.211 - California, Irvine, Go2online Corp)
Registered:
Registrar: Rustelekom
WHOIS: No useful information
NS: Supplied by freefastdns.com
tdmng.com (IP 74.208.131.124 - USA, 1&1 Internet)
Registered: 8 September 2008
Registrar: Oneandone Private Registration
WHOIS: Hidden behind Oneandone Private Registration
NS: Supplied by oneandone
domainprivacygroup.com (IP 38.113.184.26 - USA, Performance Systems International Inc)
Registered: 22 June 2006
Registrar: Netfirms, Inc
WHOIS: Domain Privacy Group Details
NS: Supplied by Netfirms
Fraudware domains:
trusted-scanner.com (IP 74.55.100.7 - theplanet.com)
Registered: 30 September 2008
Registrar: Directi Internet Solutions
WHOIS: Hidden behind privacyprotect.org
antivirus-fullscan.com (IP 64.86.17.44 - Canada, Velcom)
Registered: 7 October 2008
Registrar: Directi Internet Solutions
WHOIS: Hidden behind privacyprotect.org
NS: Supplied by freefastdns
**careerbuilder.com**
Again, when we look at the careerbuilder.com incident, there was a particular URL loaded which contained a lot of script. This script controlled all of the advertisements on the page and included this snippet:
[image: script snippet from the ad-serving script, not reproduced here]
Kimberley has already done a lot of the hard work with regard to the domains used to facilitate this hijack (being adnewgeneration.com, gorotation.com and scanner.antivirus-2009-pro.net), but I know that she will not mind that I am repeating and expanding on the information below. I will also highlight her discovery that adtds.adnewgeneration.com drops a cookie referencing the well known malware domain promoplexer.com.
WHOIS records note that promoplexer.com (Registrant: Estdomains) has allegedly been suspended - there is no A record either - a situation identical to doubleclickadvertising.com (see below).
adnewgeneration.com (IP 70.38.11.165 - California, Santa Ana, Iweb Dedicated)
Registered: 16 September 2008
Registrar: Enom, Inc
WHOIS: Ivan Durov, Kiev, UA
NS: doubleclickadvertising.com
gorotation.com (IP 67.205.93.102 - Ukraine, private customer, Iweb)
Registered: 3 October 2008
Registrar: Enom, Inc
WHOIS: Hidden behind Whoisguard
NS: gorotation.com
Shares IP with "browsersecurityalert.com"
scanner.antivirus-2009-pro.net (IP 217.20.175.44 - Ukraine, W Net Isp)
Registered: 1 October 2008
Registrar: Enom, Inc
WHOIS: Ivan Durov, Kiev, UA (again)
NS: antivirus-2009-pro.net
Note: SSL Certificate is "secure.extrabilling.com" (how ironic, when we remember how many times bucksbill has been caught charging twice as much to credit cards for fraudware as was originally authorised by the card holder).
doubleclickadvertising.com (IP - No A Record)
Registered: 29 May 2008
Registrar: Estdomains, Inc
WHOIS: Doubleclick, USA, Sacramento (there is NO WAY this is legitimate)
NS: doubleclickadvertising.com
Note: WHOIS records that the domain name is allegedly suspended.
privatedns.com (IP 209.172.41.50 - Ontario, Toronto, Groupe Iweb Technologies Inc)
Registered: 11 March 2000
Registrar: Melbourne IT
WHOIS: Private DNS
NS: your.privatedns.com
secure.extrabilling.com (IP 127.0.0.1 aka localhost)
Previous IP address: 216.195.56.148 - USA, Aps Telecom
Registered: 25 July 2008
Registrar: Yesnic Co Ltd
WHOIS: Fabien Cibik, UK
NS: extrabilling.com
Note: There are apparently 25,847 other web sites with an IP address of 127.0.0.1.
It is worth pointing out that secure.extrabilling.com (see the SSL note for scanner.antivirus-2009-pro.net) used to share A records with ultimatepayment.com, which in turn used to share an IP address with bucksbill.com. bucksbill.com, the last time I checked, no longer had an A record.
ultimatepayment.com is still around, although the domain is now "parked" and sitting at IP 216.40.33.252 - its IP address was changed on or about 3 October 2008. Its previous IP address (216.195.56.148) is/was shared with several domains, including Adult-billing.com, Billhlp.com, Billingcenteronline.com, Billinghost.net, Billingintegrator.com, Billingmill.com, Billingserviceonline.com, Billingsquad.net, billinternet.com, Billsvc.com, Customerhlp.com, Ebillingcenter.com, Fantazybill.com, Legalbillingsystems.com, Mainbillingcenter.com, Orderhlp.com, Paymentbit.com, paymentbit.net, Paymentforge.com, Safepaymentsonline.com, Softwbill.com, Spankyhosting.com, Support-wizard.com, Truebillingservices.com and Ultimatepayment.com.
All of the above domains should be treated with extreme caution.
Published Fri, Oct 10 2008 15:40 by sandi
Filed under: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits
Comments
# re: New malvertizement trickery affecting surfline.com and careerbuilder.com
Friday, October 10, 2008 6:24 AM by Rustelekom Abuse
Hello,
Domain securetds.ws has been put on hold.
Regards,
Dmitry
# re: New malvertizement trickery affecting surfline.com and careerbuilder.com
Friday, October 10, 2008 11:17 AM by Surfline
Regarding the Surfline incident - we quickly realized there was an issue with the ads being served via external tags from AdShaven ad agency (which has not returned our phone calls or email), and took action to remove and terminate the campaign.
# re: New malvertizement trickery affecting surfline.com and careerbuilder.com
Friday, October 10, 2008 4:04 PM by Joseph Cook
Amazed at your knowledge, your website, your visitors' comments, willingness to share info.
Thank you.
(a victim of securetds.ws and company)