Adobe Reader 9 has been released, and guess what, it can display SWF and FLV files... I wonder what implication this has with regards to the security landscape surrounding malicious SWF. Are we going to have to watch out for PDFs which contain malicious SWF?

I simply do not have enough information to judge the safety implications (or otherwise) of this new Adobe Reader feature... I quote from the announcement on the Adobe Reader blog:

"Adobe Reader 9 can natively display rich media content, which you'll notice immediately with Portfolios. Interested in viewing SWF and FLV files? Adobe Reader 9 is the answer."

The first thing that occurs to me is that our number one complaint about malicious SWF is that there is no way for the end user to stop the initial hijack that exposes them to malicious domains. If Adobe Reader 9 prompts for user permission before opening a web browser, then in that way Adobe Reader is a safer way to view SWF. If, on the other hand, the Reader allows an SWF to open a web browser without user interaction, then we are facing yet another conduit to danger.

Source:  http://blogs.adobe.com/adobereader/2008/06/adobe_reader_9_is_here_1.html

Oh, and while I think of it - the ActiveX changes in Internet Explorer 8 have the potential to make things safer for users when it comes to malicious SWF (and other ActiveX controls). This is because IE8 will allow the user to choose to install ActiveX for all users, or just one user on the computer, AND it will also introduce "per site" ActiveX. That is, when you are prompted to allow an ActiveX control to run, you will be able to choose to allow the control to run at that one web site, or all web sites. So, if you need Flash for one particular site, but don't want Flash to be available to other sites, then you will be able to approve Flash for just that one site - cool, yes?

I've been keeping a close eye on Australian web sites that have been affected by malicious SQL injection attacks, specifically concentrating on sites that are 'repeat offenders'.

One of the repeat offenders is walkingchallenge.gov.au. On that site I found code pointing to the domain ucomddv.com (created today, 2 July 2008), and what may be a new JS naming convention, being ngg.js.

A search for ngg.js reveals even more domains, being mainbvd.com (created today), cont67.com (created on 1 July 2008) and portwbr.com (created today).

A close look at the new domains reveals a treasure trove of relational information.

Some of the domains below that can be tied in with the newly created malicious domains have been identified in association with SQL injection incidents.  Others have been used for phishing - the bad guys certainly believe in diversity.


adupd.mobi | adwste.mobi | app52.com | appid37.com | asp23.net | asp27.com | asp63.com | asp707.com | asp72.com | aspssl63.com | bnrupdate.mobi | capitalonebank.com.pag23.com | chase.com.id746.com | chk52.com | cls37.com | coldwop.com | com.id746.com | com.pag23.com | comm62.com | cont67.com | cookie83.com | core45.com | hdadwcd.com | hyperadw.com | id294.com | id746.com | kadport.com | mode64.com | mx1.updatead.com | ns1.adupd.mobi | ns1.adwste.mobi | ns1.app52.com | ns1.appid37.com | ns1.asp23.net | ns1.asp27.com | ns1.asp63.com | ns1.asp72.com | ns1.aspssl63.com | ns1.bnrupdate.mobi | ns1.chk52.com | ns1.cls37.com | ns1.coldwop.com | ns1.comm62.com | ns1.cont67.com | ns1.cookie83.com | ns1.core45.com | ns1.hdadwcd.com | ns1.hyperadw.com | ns1.id294.com | ns1.id746.com | ns1.kadport.com | ns1.mode64.com | ns1.pag23.com | ns1.portwbr.com | ns1.sid36.com | ns1.ssl39.com | ns1.supbnr.com | ns1.ucomddv.com | ns1.update34.com | ns1.updatead.com | ns1.view62.com | ns1.www.appid37.com | ns10.www.appid37.com | ns11.www.appid37.com | ns12.www.appid37.com | ns13.www.appid37.com | ns14.www.appid37.com | ns15.www.appid37.com | ns2.adupd.mobi | ns2.adwste.mobi | ns2.app52.com | ns2.appid37.com | ns2.asp23.net | ns2.asp27.com | ns2.asp63.com | ns2.asp72.com | ns2.aspssl63.com | ns2.bnrupdate.mobi | ns2.chk52.com | ns2.cls37.com | ns2.coldwop.com | ns2.comm62.com | ns2.cont67.com | ns2.cookie83.com | ns2.core45.com | ns2.hdadwcd.com | ns2.hyperadw.com | ns2.id294.com | ns2.id746.com | ns2.kadport.com | ns2.mode64.com | ns2.pag23.com | ns2.portwbr.com | ns2.sid36.com | ns2.ssl39.com | ns2.suppadw.com | ns2.ucomddv.com | ns2.update34.com | ns2.updatead.com | ns2.view62.com | ns2.www.appid37.com | ns3.adupd.mobi | ns3.adwste.mobi | ns3.app52.com | ns3.appid37.com | ns3.asp23.net | ns3.asp27.com | ns3.asp63.com | ns3.asp72.com | ns3.aspssl63.com | ns3.bnrupdate.mobi | ns3.chk52.com | ns3.cls37.com | ns3.coldwop.com | ns3.comm62.com | ns3.cont67.com | ns3.cookie83.com | 
ns3.core45.com | ns3.hdadwcd.com | ns3.hyperadw.com | ns3.id294.com | ns3.id746.com | ns3.kadport.com | ns3.mode64.com | ns3.pag23.com | ns3.portwbr.com | ns3.sid36.com | ns3.ssl39.com | ns3.supbnr.com | ns3.suppadw.com | ns3.ucomddv.com | ns3.update34.com | ns3.updatead.com | ns3.view62.com | ns3.www.appid37.com | ns4.adupd.mobi | ns4.adwste.mobi | ns4.app52.com | ns4.appid37.com | ns4.asp23.net | ns4.asp27.com | ns4.asp63.com | ns4.asp72.com | ns4.aspssl63.com | ns4.chk52.com | ns4.cls37.com | ns4.coldwop.com | ns4.hdadwcd.com | ns4.hyperadw.com | ns4.id294.com | ns4.id746.com | ns4.kadport.com | ns4.mode64.com | ns4.pag23.com | ns4.sid36.com | ns4.ssl39.com | ns4.supbnr.com | ns4.suppadw.com | ns4.update34.com | ns4.updatead.com | ns4.www.appid37.com | ns5.www.appid37.com | ns6.www.appid37.com | ns7.www.appid37.com | ns8.www.appid37.com | ns9.www.appid37.com | pag23.com | ssl39.com | supbnr.com | suppadw.com | towernet4.capitalonebank.com.pag23.com | ucomddv.com | update34.com | view62.com | ww4.chase.com.id746.com | www .appid37.com | www .aspssl63.com
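As an added example (this is not the author's code and is not tied to any of the sites named above), here is a small scanner for the kind of injected script reference described in this post, run over constructed sample database rows. It pulls every external script host out of stored text, flags hosts outside a hypothetical allowlist, and groups the hits by script file name so that a shared naming convention such as ngg.js stands out across rows. The allowlist, row ids, host names and sample HTML are all constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Matches <script ... src=...> with double, single or no quotes, any case.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def extract_script_hosts(text):
    """Return (host, path) for every external <script src> in an HTML/text fragment.

    Relative sources such as /js/site.js have no host and are skipped: a mass
    SQL-injection payload has to point at the attacker's own domain.
    """
    found = []
    for match in SCRIPT_SRC_RE.finditer(text):
        src = next(g for g in match.groups() if g is not None).strip()
        parts = urlsplit(src)          # handles http://, https:// and //host/ forms
        if not parts.netloc:
            continue
        host = (parts.hostname or parts.netloc).lower()
        found.append((host, parts.path))
    return found


def find_injected_scripts(rows, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Scan (row_id, text) pairs, e.g. CMS or database fields dumped to text.

    Returns one finding per external script host that is not on the allowlist.
    """
    findings = []
    for row_id, text in rows:
        for host, path in extract_script_hosts(text):
            if host not in allowed_hosts:
                findings.append({
                    "row": row_id,
                    "host": host,
                    "path": path,
                    "script": path.rsplit("/", 1)[-1],
                })
    return findings


def group_by_script_name(findings):
    """Group flagged hosts by injected file name to expose a naming convention."""
    groups = {}
    for f in findings:
        groups.setdefault(f["script"], set()).add(f["host"])
    return groups


# Constructed sample rows: two clean rows, three with injected script tags.
SAMPLE_ROWS = [
    (101, '<p>Event news</p><script src="/js/site.js"></script>'),
    (102, '<h2>Walk log</h2><script src="http://cdn.example-site.test/lib.js"></script>'),
    (103, 'Text"></td><script src=http://injected-a.test/ngg.js></script>'),
    (104, "<span>x</span><SCRIPT SRC='//injected-b.test/ngg.js'></SCRIPT>"),
    (105, '<script src="http://injected-c.test/other.js"></script>'),
]

if __name__ == "__main__":
    hits = find_injected_scripts(SAMPLE_ROWS)
    for hit in hits:
        print(f"row {hit['row']}: external script {hit['host']}{hit['path']}")
    for name, hosts in sorted(group_by_script_name(hits).items()):
        print(f"{name}: {len(hosts)} host(s) -> {', '.join(sorted(hosts))}")
```

In practice the rows would come from a dump of every text column in the site's database, and any host that appears under a common script name across several rows or several sites is the one to check for a registration date of today or yesterday, as the post does for ucomddv.com. Note that the pattern also matches attribute names ending in src (such as data-src), which is acceptable for a triage pass but worth remembering when reading the output.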

Do you ever get the feeling that people are not listening?

I blogged about malicious advertisements featuring XM Radio on Sunday here:
Report- Malvertizements that have been circulating

Now Kimberley has discovered that those same XM Radio malvertizements are appearing on the ifrance.com web site - info here:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=87888&mode=threaded&show=&st=90&#entry87888

I admit to feeling a lot of frustration about ifrance.com.  As noted by Kimberley, this is the 3rd malvertizement that has been discovered on the ifrance.com website since the 12th of June.  They seem to be completely incapable of vetting advertising creatives that are being submitted to them, or acting to get rid of malvertizements that are reported to them within a reasonable period of time (if at all).

I rarely do this, but I now advise that all advertising that appears on ifrance.com should be blocked unless and until they can assure us that they have removed the malvertizements, and that they have put procedures in place to prevent the problem in future. The same goes for isuisse.com (guilty by association). Heck, let's also pay close attention to ibelgique.com, iespana.es, iitalia.com and iquebec.com, all of which are closely related to ifrance.com and isuisse.com (also subject to guilt by association).

Other incidents affecting ifrance

ifrance.com - malicious banners featuring FirstChoice and again here

ifrance.com - malicious banner featuring Curves

ifrance.com - still serving malvertizements

The Internet Explorer team have published 3 new articles about IE8 that are well worth a read.


First, the SmartScreen filter:
IE8 Security Part III- SmartScreen® Filter

The feature that I want to call out about the SmartScreen filter is the antimalware support - SmartScreen not only blocks access to known phishing and malware sites, it will block downloads from known malicious sites, meaning that victims are protected even if they don't visit a known malware site directly.  For example, if a victim is tricked into clicking on a link in an email or Instant Message window that will download malware, then as long as IE is your default browser, SmartScreen will block the download.  I can think of a whole slew of fake security software aka fraudware aka betrayware that I believe should be blocked via the SmartScreen filter.

Of course, such blocking can be overridden if need be (for example, because of false positives).  For those of you that are responsible for network management and security, you will be pleased to know that Group Policy can be used to stop users from overriding the SmartScreen Filter.

The SmartScreen user interface has also been improved.


Second, cross site scripting (XSS) vulnerabilities - XSS filtering
IE8 Security Part IV- The XSS Filter

"When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. Users are not presented with questions they are unable to answer – IE simply blocks the malicious script from executing."


Third, security improvements:
IE8 Security Part V- Comprehensive Protection

"As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don’t provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits."

Neowin says:

"Spybot - Search & Destroy detects and removes spyware, a relatively new kind of threat not yet covered by common anti-virus applications. Spyware silently tracks your surfing behavior to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. If you see new toolbars in your Internet Explorer that you haven't intentionally installed, if your browser crashes inexplicably, or if your home page has been "hijacked" (or changed without your knowledge), your computer is most probably infected with spyware. Even if you don't see the symptoms, your computer may be infected, because more and more spyware is emerging."

First up, spyware is NOT a "relatively new kind of threat" - it has been around for years.  Second, it is INCORRECT to claim that spyware is "not yet covered by common antivirus applications". 

It's well and truly time for Spybot S&D to update their advertising blurb.


XM Radio


Exposed domain: aboutstat.net


XM Radio again



Exposed domains: waytotheprofit.com/?cmpid=weannalist and officialstat.com/c/index.php, both of which are known malvertizement domains.

waytotheprofit.com/?cmpid=weannalist leads us to an adverdaemon.com URL which then leads on to diskretter.com.


adverdaemon.com is hosted by PEER1, with name servers supplied by none other than securehost in the Bahamas. Lots and lots of known bad domains are sharing name servers with adverdaemon.com.

Hostnames sharing IP with A-records:
ad2profit.com
adgurman.com
adnetserver.com
adredired.com
astalaprofit.com
bizmarketads.com
brandmarketads.com
bucksbill.com
glorymarkets.com
iddqdmarketing.com
intervarioclick.com
invulnerableads.com
luckyadcoin.com
luckyadsols.com
mythmarketing.com
popadprovider.com
prevedmarketing.com
rocktheads.com
waytotheprofit.com

perfectmatch.com


Domains exposed:

profitabill.com/?cmpid=cancrineso

stat-diagnostic-imaging.net/c/index.php


profitabill.com

Hosted by Plusserver, Germany.  Administrative contact is the infamous Serg Moon - WHOIS details are, of course, unhelpful.

Note: WHOIS notes that registration services are provided by NameCheap.com, which shares IP indirectly via cnames with davidrohlf.com, georgerohlf.com, kristinerohlf.com and therohlfs.com.

Registrar is the well known Enom, Inc - created on 25 March 2008.


Hostnames sharing IP with A-records:
manzano181.serv.lt
xen-su-01.serv.lt

Lots and lots and LOTS of bad domains sharing name servers with profitabill.com

First Choice in French (we have seen malvertizements featuring First Choice before - eg: this one in English)


This malvertizement exposes waytotheprofit.com/?cmpid=atrecreant and click.adlbrite.com to us.

adlbrite.com is hosted by nine.ch in Switzerland (yes, the same nine.ch that has hosted domains used by malvertizements in the past).

click.adlbrite.com is also sharing name servers with several well known malvertizement domains, including:

aboutstat.com
akamahi.net
entrerrenglonadura.com
newstat.net
officialstat.com
quinquecahue.com
stat-diagnostic-imaging.net
stat-diagnostic-imaging.com
stathisranch.net
station-appraisals.com
station-appraisals.net
thetechnorati.com
vozmiliogaranon.com
googiesindication.com
statestr.com
statgroup.net
staticglobalsources.com
staticglobalsources.net
statnation.net
statsla.net
statworld.net

adlbrite.com's registrar is TLDS, LLC DBA SRSPLUS.  The WHOIS is unhelpful, being:

Sara Sen  (mail@adlbrite.com)
Hight  str  45 
Baltim, NONE  8232
CL
152656555

waytotheprofit.com is just as interesting, sharing IP with A-Records and mail servers with many known malvertizement domains including:

ad2profit.com
adgurman.com
adnetserver.com
adredired.com
astalaprofit.com
bizmarketads.com
brandmarketads.com
bucksbill.com
glorymarkets.com
iddqdmarketing.com
intervarioclick.com
invulnerableads.com
luckyadcoin.com
luckyadsols.com
mythmarketing.com
popadprovider.com
prevedmarketing.com
rocktheads.com

waytotheprofit.com also shares name servers with many, many, MANY known fraudware and malvertizement domains, as well as domains associated with the sale of malvertizements.

Information courtesy of Intego, a company specializing in security products for the Mac.

Intego has released a security memo describing a trojan horse for the Mac - a poker game that, when run, harvests the username, password and IP address of the victim and transmits it to a server, as well as enabling ssh on the victim's Mac computer.  As noted by Intego, once ssh is enabled, the attacker can "attempt to take control of [the Mac], delete files, damage the operating system, or much more".

The poker game is an effective example of social engineering, and demonstrates that anybody, whether a Windows or Mac user, can be tricked into handing over their username and password. The existence of the software is worth publicizing in the hope that it will make all of us stop and think the next time we are asked to enter our admin password when installing software.

Already I am reading about comments deriding Intego's "financial incentive for discovering and reporting" on Mac specific trojan horses and whatnot.  Those making such comments are not doing anybody any favours and, to be honest, they need to get over themselves.  Yes, Intego can gain a financial benefit from such publicity - after all, they sell security software for the Mac - but reality is that the malicious software is out there, and is a good example of an effective mechanism for tricking Mac users.

Screenshot:

PokerGame

:o)

uf011623

Source: http://ars.userfriendly.org/cartoons/?id=20080623

Downloadable here:
http://www.microsoft.com/downloads/details.aspx?familyid=671355c2-4002-4671-8619-95c96c8a897f&displaylang=en&tm

Worldwide, the tool removed malware from an average of 1 out of every 123 Windows-based computers in the second half of 2007.

Summary - Australia

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 204 Windows-based computers it was executed on.

Zlob (Trojan) - 6.9%
Starware (Potentially unwanted software) - 4.4%
Hotbar (Adware) - 2.7%
WhenU (Adware) - 3.3%
Winfixer (Potentially unwanted software) - 2.7%
Agent (Trojan and trojan downloader) - 2.6%
All others - 77.7%

Summary - Canada

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 172 Windows-based computers it was executed on.

Zlob - 6.4%
Hotbar - 4.6%
Agent - 4.2%
Starware - 4.0%
ZangoSearchAssistant (Adware) - 3.1%
WhenU - 3.1%
All others - 73.6%

Summary - Germany

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 226 Windows-based computers it was executed on.

Zlob - 12.2%
WhenU - 5.9%
Hotbar - 3.9%
Renos (Trojan downloader) - 2.6%
Zango Search Assistant - 2.6%

Summary - Japan

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 685 Windows-based computers it was executed on.

CnsMin (Spyware) - 8.6%
Zlob - 4.3%
Antinny (Worm) - 3.9%
Rbot (Backdoor) - 3.4%
WhenU - 2.9%
All others - 76.9%

Summary - Netherlands

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 170 Windows-based computers it was executed on.

Zlob - 7.4%
WhenU - 4.7%
Virtumonde (Trojan and adware) - 3.3%
Hotbar - 3.1%
ConHook (Trojan) - 2.9%
All others - 78.6%

Summary - Norway

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 160 Windows-based computers it was executed on.

Zlob - 12.5%
WhenU - 4.7%
Winfixer - 3.7%
Zango Search Assistant - 3.5%
Hotbar - 3.4%
All others - 72.2%

Other important notes from the key findings summary (all countries)

  • The total amount of malware removed from computers worldwide via the Microsoft Malicious Software Removal Tool (MSRT) increased over 40% during the second half of 2007 to more than 450 million unique computers worldwide per month.
  • During the second half of 2007 there was a 300% increase in the number of trojan downloaders and droppers detected and removed.
  • The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family. Winfixer displays erroneous alerts warning of severe system threats. The program then offers to remove the erroneous detections for a fee. These warnings appear under multiple false product names in several different language versions.
  • 129.5 million pieces of potentially unwanted software were detected between July 1 and December 31 2007, resulting in 71.7 million removals. These figures represent increases of 66.7% in total detections and 55.4% in removals over the first half of 2007.
  • Adware remained the most prevalent category of potentially unwanted software in the second half of 2007.
  • The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar.


I have received a copy of a new malvertizement featuring gifttree.com.

Analysis reveals two malicious URLs, being:

waytotheprofit.com/?cmpid=itlocation
station-appraisals.com/c/index.php?

The waytotheprofit.com URL leads us to an adnetserver.com URL which in turn leads us to a German-language fraudware site, being diskretter.com (which, by the way, shares IP with A-records and mail servers with several domains including securepccleaner.com and exterminadordevirus.com).


Details here:
http://msmvps.com/blogs/bradley/archive/2008/06/16/houston-we-have-a-problem.aspx

Update: We'll be offline until as late as Friday:
http://msmvps.com/blogs/bradley/archive/2008/06/16/offline-for-a-couple-of-days.aspx


I am pleased to announce that I have joined Truste as an Online Compliance Researcher.  The Press Release is here:
http://www.truste.org/about/press_release/06_12_08.php

I am very excited about this new opportunity.  It has always been my dream to be able to focus all of my energies on studying, and tracking down the distributors of, spyware and malware and now that dream is coming true.

Wayne Small, SBS MVP, has also written an announcement about my new role. I couldn't help but smile when I read it. Mind you, I can't claim to have singlehandedly saved all those MSN Messenger users - it was Patchou of Messenger Plus! fame who first alerted me to the fact that there was a malvertizement appearing in the Windows Live Messenger advertising pane.
http://blog.sbsfaq.com/Lists/Posts/Post.aspx?ID=191


Screenshot of diamondharmony.com malvertizement


The full press release is below. The section most relevant to this blog is the new laws related to spyware. A change that I anticipate will have a great impact is that the new laws "Creates liability for web hosting services who ignore violators’ use of their products". I believe that this new law will encourage web hosting services to act quickly when malvertizement activity is reported to them. Far too often web hosting services have responded to my complaints by saying that they are not responsible for what their clients are doing, or they say that all they can do is contact their client and tell them that there has been a complaint, or they don't respond at all. Now that web hosting services can be found to be directly liable for the activities of their clients, it is going to be harder to ignore or fob off our complaints.

Here is the House Bill 2879 (the Bill related to changes to spyware laws):
http://apps.leg.wa.gov/documents/billdocs/2007-08/Pdf/Bills/House%20Passed%20Legislature/2879-S.PL.pdf

The important changes as they relate to malvertizements follow. In the bill the additions are bold and underlined and deletions are struck through; here the deleted text appears in double parentheses:

The definition of "Transmit" has been changed to ensure that if a web hosting service "knows or reasonably should have known" that the chapter is being violated, then that web hosting service is liable for violations under the chapter.

"Transmit" means to knowingly, or with conscious avoidance of knowledge, transfer, send, or make available computer software, or any component thereof, via the internet or any other medium, including local area networks of computers, other nonwire transmission, and disc or other data storage device.  "Transmit" does not include any action by a person providing:

(a) The internet connection, telephone connection, or other means of transmission capability ((such as a compact disk or digital video disk)) through which the software was made available;

(b) The storage or hosting of the software program or a web page through which the software was made available, unless the person providing the storage or hosting services knows or reasonably should know there is or will be a violation of this chapter, and participates in or ratifies the actions constituting the violation;"

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

PRESS RELEASE:

OLYMPIA – New laws requested by Attorney General Rob McKenna dealing with mortgage foreclosure schemes, identity theft, spyware and third-party marketing of cell phone numbers will go into effect on Thursday.

“These new laws address critical threats to consumers from the purveyors of modern frauds—from mortgage rescue schemes to identity theft and online spying” McKenna said. “Also beginning this week, consumers’ cell phone numbers will be protected from solicitors, since they can no longer be published without express consent. I want to thank legislators from both parties who helped pass these crucial protections.”

The following laws go into effect on Thursday, June 12:

Prohibiting third-party marketing of cell phone numbers

House Bill 2479 requires any person in the business of compiling, marketing or selling phone numbers for commercial purposes to obtain a consumer’s express opt-in consent before publishing his or her wireless phone number in a directory. A violation of the law is punishable by a fine of up to $50,000. The Attorney General may bring actions to enforce compliance and may notify first-time violators with a letter of warning.

Mortgage Foreclosure Legislation

House Bill 2791 adds protections for homeowners from losing their homes in “mortgage rescue” scams by:

  • Requiring a written contract with clearly disclosed terms be completed, signed and dated by the homeowner and the purchaser prior to the property’s transfer;
  • Providing the foreclosed homeowner the right to cancel the contract within five business days;
  • Requiring that the purchaser demonstrate that the foreclosed homeowner is able to meet the terms of the contract including making interest and lease payments and is capable of purchasing the property within the allowable period;
  • Requiring that the homeowner must receive at least 82 percent of the difference between the property’s fair market value and the underlying mortgage in the event of a sale to a third party.

A violation of the law is a per se violation of the Consumer Protection Act, making the outcome of litigation against foreclosure rescue schemes substantially certain and resulting in broad deterrence.

Identity Theft Legislation

Senate Bill 5878 creates a statutory requirement for police to take reports from victims of the identity theft.

  • Victims have the option to file a report in their local jurisdiction or with the agency where the crime occurred.
  • Allows prosecutors to bring separate charges against an accused identity thief for each use of a particular piece of someone’s personal information. This bill reverses policy set in State v. Leyda (2006), where the Washington Supreme Court held that a defendant may only be charged once for use of someone else’s information even when that information is used in multiple locations multiple times.

House Bill 2637 allows records provided by out-of-state businesses to be authenticated by affidavit, rather than in person, in criminal cases. When properly served with a request for records, the recipient must provide the records within 20 business days and verify the authenticity by providing a signed affidavit, declaration or certification. This allows for the more effective prosecution of identity thieves.

Shutting Down Spyware

House Bill 2879 remedies loopholes and weaknesses in the state’s Computer Spyware Statute by:

  • Removing onerous requirements that hinder the ability to prove cases against violators;
  • Creates liability for web hosting services who ignore violators’ use of their products;
  • Adds violations for new forms of spyware; and
  • Clarifies the standards for proof of violations and the circumstances under which actions may be brought.


First, driveway:

waytotheprofit.com/?cmpid=comedogeni&adid=intl

statgroup.net/c/index.php?id=WmhuaHhDTEFpUXm7NkiZmOVpYVnd4cGtoPTEyMDgxNjk3MDUmcG56Y252dGE9cGJ6cnFidHJhdgYNkiDgNmYNkiDgNm


Next, dreammates:

waytotheprofit.com/?cmpid=comedogeni&adid=intl

stat-diagnostic-imaging.net/c/index.php?id=eklscHhaSzFya3JIUElYNjNm7NkiZeUloPTEyMTIwNzc5MjYmcG56Y252dGE9cGJ6cnFidHJhdgYNkiDgNmYNkiDgNm



You can see that both malvertizements use the same waytotheprofit campaign URL.

I ended up at goldenantispy.com on one occasion, and antispywaremaster on another and performanceoptimizer.com on another. You will end up at different sites depending on what country you reside in.

goldenantispy and antispywaremaster try to download software to visiting computers using the infamous Microsoft Dynamic HTML Editing Control (Safe for Scripting) that has been removed from Vista.  If a computer is running Windows Vista, and is up to date with security patches, then infection is difficult if not impossible to achieve without user interaction.  Be warned, though, that I was testing with a bare metal version of Windows. There is every chance that other exploits affecting non-Microsoft products could be used at any time to attempt to infect systems.

The site also utilises archive.easydownloadsoft.com to distribute its wares, specifically:

archive.easydownloadsoft.com/goldenantispy.com/GoldenAntiSpy/install_en.cab

I'm also seeing adnetserver.com and b2adz.com, as well as prevedmarketing.com, waytotheprofit.com and statgroup.net.


There are several domains related to goldenantispy.com, including:

meinbesterschutz.com, virusvakt.com, zebraantivirus.com, pcprivacytool.com and virusstopper.com, as well as antispyarecontrol.com, antispywaresuite.com, winanonymous.com, winpcdoctor.com, winspycontrol and anchisupaisutsu.com

goldenantispy.com is registered via tucows, and has as an admin contact webstarhosting@yahoo.com.

Its mail server is mail.prevedhosting.com (regular readers of my blog will recognize that name).


antispywaremaster.com is also registered via tucows, and has an administrative contact that I recognize, being "no_name_inc@yahoo.com" aka "John Green".

antispywaremaster.com has "relationships" with diskretter.com (a name I recognize as being involved with malvertizement incidents in the past), schijfbewaker.com, toolsicuro.com, exterminadordevirus.com and securepccleaner.com.

If we dig deeper using robtex, we find relationships with antivirusmaqique.com, defensedudisque.com, erreuchasseur.com, fairukyua.com, qubbishremover.com, limpietodo.com, as well as name server relationships with advancedcleaner.com, antispywaresuite.com and avsystemcare.com as well as old classics such as drivecleaner.com, errorsafe.com, systemdoctor.com, winspycontrol.com and yourprivacyguard.com.
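The pivoting done in this post, and earlier on this page for adverdaemon.com, profitabill.com and waytotheprofit.com (domains sharing name servers, A-record IPs or mail servers with known malvertizement domains), can be reproduced over any passive-DNS or WHOIS export with a short script. The following is an added example, not the author's robtex lookups and not real resolution data: every domain, IP and name server in it is constructed. It indexes which domains use each piece of infrastructure, lists what a given domain shares with others, and groups domains into clusters. Because a name server run by a large registrar or hosting company is shared with thousands of unrelated sites (the NameCheap note above, where the pivot lands on unrelated personal domains, is exactly that effect), any item used by more than max_fanout domains in the data set is ignored as evidence.

```python
from collections import defaultdict

# Constructed sample passive-DNS / WHOIS data for the demonstration. None of these
# domains, IPs or name servers are real observations: the IPs are from documentation
# ranges and .test is reserved for examples.
RECORDS = {
    "adserver-one.test":    {"a": ["203.0.113.10"], "ns": ["ns1.bulletproof.test", "ns2.bulletproof.test"]},
    "profit-redirect.test": {"a": ["203.0.113.10"], "ns": ["ns1.bulletproof.test", "ns2.bulletproof.test"]},
    "fake-scanner.test":    {"a": ["203.0.113.44"], "ns": ["ns1.bulletproof.test", "ns2.bulletproof.test"]},
    "mail-drop.test":       {"a": ["203.0.113.44"], "ns": ["dns1.bigregistrar.test", "dns2.bigregistrar.test"]},
    "family-blog.test":     {"a": ["198.51.100.7"], "ns": ["dns1.bigregistrar.test", "dns2.bigregistrar.test"]},
    "bakery-shop.test":     {"a": ["198.51.100.8"], "ns": ["dns1.bigregistrar.test", "dns2.bigregistrar.test"]},
    "kid-club.test":        {"a": ["198.51.100.9"], "ns": ["dns1.bigregistrar.test", "dns2.bigregistrar.test"]},
}

# Constructed seed: the one domain an analyst has already confirmed as malicious.
KNOWN_BAD = {"adserver-one.test"}


def index_infrastructure(records):
    """Map each item (('a', ip) or ('ns', host)) to the set of domains that use it."""
    index = defaultdict(set)
    for domain, rec in records.items():
        for kind in ("a", "ns"):
            for item in rec.get(kind, []):
                index[(kind, item.lower())].add(domain)
    return index


def shared_infrastructure(domain, records, max_fanout=3):
    """Return {other_domain: [shared items]} for items used by at most max_fanout domains.

    Items shared by more domains than that are treated as bulk hosting or registrar
    DNS and carry no evidential weight on their own.
    """
    related = defaultdict(list)
    for item, domains in index_infrastructure(records).items():
        if domain in domains and len(domains) <= max_fanout:
            for other in domains - {domain}:
                related[other].append(item)
    return dict(related)


def clusters(records, max_fanout=3):
    """Connected components of the 'shares a rare name server or IP' graph (union-find)."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    for domains in index_infrastructure(records).values():
        if len(domains) > max_fanout:
            continue
        ordered = sorted(domains)
        for d in ordered[1:]:
            parent[find(d)] = find(ordered[0])
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def suspects_near(known_bad, records, max_fanout=3):
    """Domains not yet known bad that share rare infrastructure with a known bad one."""
    suspects = {}
    for bad in known_bad:
        for other, items in shared_infrastructure(bad, records, max_fanout).items():
            if other not in known_bad:
                suspects.setdefault(other, set()).update(items)
    return suspects


if __name__ == "__main__":
    for group in clusters(RECORDS):
        print("cluster:", ", ".join(group))
    for domain, items in sorted(suspects_near(KNOWN_BAD, RECORDS).items()):
        print(domain, "shares", ", ".join(f"{k}:{v}" for k, v in sorted(items)))
```

With the default max_fanout of 3 the registrar name servers (used by four domains in the sample) are ignored, so the three unrelated sites stay in their own singleton clusters while the four that share the small name-server pair and the two IPs form one cluster; raising max_fanout to 10 merges everything into one cluster, which is the false positive the note about NameCheap shared hosting warns about. Mail servers can be added as a third item kind with no other change.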

These criminals, whoever they are, have absolutely no shame. I thought that they were the scum of the earth when they impersonated Oxfam; now they are getting their malvertizements onto popular children's sites.

As reported by Kimberley - the malvertizements have been reported to RealMedia:

openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_SKY_CINEMA_NOW/cinemanow_120x600.swf

adoptserver.info/_stat029.gif?url=[removed]
windowsxp-privacy.net/?id=987650098
xponlinescanner.com/soft.php?aid=024217&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77024217

openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_MEGA_CINEMA_NOW/cinemanow_728x90.swf

adoptserver.info/_stat029.gif?url=[removed]
windowsxp-privacy.net/?id=987650097
xponlinescanner.com/soft.php?aid=024218&d=3&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77024218


Adopstools.com was not able to analyse the sample that I have, but there is more than one way to get things done.

The malicious SWF exposes victims to two different URLs:

impressiontracker.com/url/sc_6.php

and

yourredirect.com/soft.php?aid=000417&d=3&product=XPA

The yourredirect.com URL redirects to a fraudware site, being:

onlinescannerxp.com/2008/3/freescan.php?aid={removed}

yourredirect.com was created on 4 April 2008 and is protected by privacyprotect.org

impressiontracker.com was created on 8 April 2008, and WHOIS refers us to a "Carol Hamilton" of eosads.com.

Both impressiontracker.com and yourredirect.com use mynickname.com name servers...

eosads.com (the domain revealed by a WHOIS check of impressiontracker.com) is, in turn, registered via none other than the infamous estdomains.  The domain was created on 8 February 2007, updated on 10 March 2008 and expires on 8 February 2009.

Screenshots of the malvertizement: [images not reproduced]

The malicious SWF is hosted by content.yieldmanager.edgesuite.net.  The appropriate parties have been notified.

Regular readers may recall the new eBooks malvertizement highlighted the other day - this one:

Here's another version, slightly tweaked. You'll notice the different wording and different font:

