Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Forceup.com caught trying to sell a malicious advertisement featuring firstchoice.com

February 27th 2008 in Uncategorized

I received an email tonight warning me that a Diane Samuels from forceup.com is contacting web sites wanting to place an advertising banner.  I was contacted by those behind a web site with checks in place that identified the advertising banner as “a virus of some sort”.

The creative’s name was firstchoise_728x90.swf.

“Diane Samuels” did not respond to emails from the web site’s staff once they discovered that the advertisement was bad – a failure to respond is standard operating procedure for the b*stards behind the malicious advertisements – if they get caught by one web site, they just move on to the next one.

Forceup.com is a well known name to those of us who watch and report on malicious banner advertisements – if you search this blog for that name you will find that forceup is mentioned nine times.

First, I am *very* pleased that the intended victim site’s checks and balances alerted them to a problem, aka “a virus of some sort”.

Second, I am *very* pleased that the creative was detected as a virus.

Third, I have a copy of the actual creative, which I can analyse, report on, and provide screenshots of.

An analysis of the creative at adopstools reveals that the creative contains “a sprite/movieclip which is containing Malware actionScript code”.

Here are screenshots of the advertisement provided by forceup.com – you have been warned. 

If I receive further information I will blog again.

[Three screenshots of the forceup.com advertisement]


2 comments to “Forceup.com caught trying to sell a malicious advertisement featuring firstchoice.com”

Conrad Longmore

Ahhh… adopstools.net. Now that *is* a useful looking site. It looks a lot more useful than Trillix for this type of analysis, that’s for sure. Thanks!



James Smith

Forceup.com seems to be at it again.  Eric Gordon contracted my company to run a dating offer. 6MM impressions later…no response.


Previous Entry

Those of you with a technical mindset may find this explanation about what happened, and the timeline, informative: http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube.shtml

Some chatter at NANOG (with a few glimmers of paranoia to add spice): http://www.merit.edu/mail.archives/nanog/threads.html#06347

Next Entry

The SWF has been analysed. We find this URL in the code: quinquecahue.com/statsa.php?u=1202136191&campaign=oseximious

The allowed countries for this particular malicious campaign are ZA, US and UK.

Banned IPs:
209.160.0.0-209.160.255.255 (Hop One Internet Corporation)
196.36.0.0-196.36.255.255 (Internet Solutions (Pty) Ltd, South Africa)

Banned cities: Johannesburg, Tukwila

Kudos to Kimberley for decrypting the SWF contents.
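As an added example (not code from this blog, adopstools or the analysts credited above), here is a small Python triage script that inflates a CWS/FWS SWF creative and lists URL-like strings from the decompressed body, the kind of first pass that surfaces a beacon URL such as the quinquecahue.com address reported in the SWF analysis. The sample SWF body is constructed for the demonstration and is not the real firstchoise_728x90.swf, and the TLD list in the regex is an assumption chosen to keep triage noise down.

```python
import re
import struct
import zlib

# URL-like strings: optional scheme, dotted host ending in a common TLD, optional
# path. The TLD list is an assumption chosen to keep triage noise down.
URL_RE = re.compile(
    rb"(?:https?://)?(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz)(?:/[\x21-\x7e]*)?",
    re.IGNORECASE,
)

def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflating CWS (zlib) files."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported or non-SWF signature %r (ZWS/LZMA not handled)" % sig)

def triage_swf(data: bytes) -> dict:
    """Summarise header fields and every URL-like string in the inflated body."""
    body = swf_body(data)
    declared = struct.unpack("<I", data[4:8])[0]  # uncompressed length incl. header
    urls = []
    for m in URL_RE.finditer(body):
        s = m.group(0).decode("ascii", "replace")
        if s not in urls:
            urls.append(s)
    return {
        "signature": data[:3].decode("ascii"),
        "version": data[3],
        "length_matches": declared == len(body) + 8,  # a mismatch is itself suspicious
        "urls": urls,
    }

def build_sample_cws(body: bytes) -> bytes:
    """Wrap a body in a CWS header (constructed fixture, not a playable SWF)."""
    return b"CWS" + bytes([8]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)

# Constructed stand-in for the creative's inflated body: opaque header bytes, then
# the beacon URL and targeting strings the analysis reported (not the real file).
SAMPLE_BODY = (
    b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x18\x01\x00"
    b"\x00quinquecahue.com/statsa.php?u=1202136191&campaign=oseximious\x00"
    b"\x00ZA\x00US\x00UK\x00Johannesburg\x00Tukwila\x00"
)
SAMPLE_SWF = build_sample_cws(SAMPLE_BODY)
```

Creatives like this one often obfuscate or encrypt their strings (note the credit above for "decrypting" the SWF contents), so an empty URL list from this scan is not a clean bill of health; it is a reason to decompile the ActionScript rather than to pass the creative.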