Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Two malvertizements seen at Spaces (not skydrive) and Hotmail…

November 18th 2008 in Uncategorized

Edit: BTW, it is Spaces and Hotmail – I haven’t seen the malvert at Skydrive yet.


Kimberley saw the first one, a malvertizement featuring perfectmatch.com:


[image]


I have discovered another malvertizement featuring IMIN – we have seen this advert several times in recent days in different places:


[image]


Details of hijack:

IMIN malvertizement, undetectable using adopstools:
http://www.adopstools.com/index.asp?page=quicklink&id=j5WPzf37aZeMUVbT

Encrypted dynamic text in use.

Hash: 11c8f432a9e70c56a171ddfa9df43a3a

Refers the victim to this URL (an SWF disguised as a GIF):
optimizedby.net/__utm.gif?<<snipped>>

Scans as malicious at adopstools:
http://www.adopstools.com/index.asp?page=quicklink&id=8010nJ21nJm6q02M

Hash: d730fba801a56311f9cf73587826821a

Leads the victim to fraudware domains, including windows-scannercenter.com/?id=<<snipped>>

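The "SWF disguised as GIF" trick above is something a defender can check for mechanically: compare the format implied by a served asset's leading bytes with the extension its URL claims. This is an added example, not code from the original post; the sample bodies and the query string value are constructed placeholders.

```python
# Added example (not from the original post): sniff the real container format of
# an ad asset by its magic bytes and flag a mismatch with the extension it is
# served under, the trick used by the __utm.gif URL above (a Flash SWF served as .gif).
from urllib.parse import urlparse

# Leading byte signatures of formats an ad server would plausibly deliver.
MAGIC = {
    b"FWS": "swf",                  # uncompressed Flash
    b"CWS": "swf",                  # zlib-compressed Flash
    b"ZWS": "swf",                  # LZMA-compressed Flash
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}

def sniff_format(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for sig, fmt in MAGIC.items():
        if data.startswith(sig):
            return fmt
    return "unknown"

def claimed_format(url: str) -> str:
    """Extension the URL path claims (query string ignored), lowercased; '' if none."""
    path = urlparse(url).path
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return {"jpeg": "jpg"}.get(ext, ext)

def is_disguised(url: str, data: bytes) -> bool:
    """True when the body is a recognised format that differs from the claimed one."""
    actual = sniff_format(data)
    claimed = claimed_format(url)
    return actual != "unknown" and claimed != "" and actual != claimed

# Constructed samples: a body that really is a GIF, and a compressed SWF served as .gif.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8
FAKE_GIF = b"CWS\x0a" + b"\x00\x00\x00\x00" + b"\x78\x9c" + b"\x00" * 8

if __name__ == "__main__":
    # The id value is a placeholder; the post snips the real one.
    url = "http://optimizedby.net/__utm.gif?id=placeholder"
    print("real gif disguised?", is_disguised(url, REAL_GIF))   # False
    print("fake gif disguised?", is_disguised(url, FAKE_GIF))   # True
```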

optimizedby.net

ICANN Registrar: Regtime Ltd
Created 26 August 2008
NS1.OPTIMIZEDBY.NET (has 1 domain)
NS2.OPTIMIZEDBY.NET
Registrant: Sergey Bolshakov (serg.bolshakov@mail.ru)
IP: 212.95.32.166 – Netdirekt E.k

windows-scannercenter.com

ICANN Registrar: Directi
Created 21 September 2008
NS1.WINDOWS-SCANNERCENTER.COM (has 1 domain)
NS2.WINDOWS-SCANNERCENTER.COM
Registrant: Ali Said (kanobeliz@googlemail.com)
IP: 83.229.251.28 – Moskva – Moscow – Mchost.ru Inc

Domains sharing IP range 83.229.251.%



2 comments to “ALERT: Two malvertizements seen at Spaces (not skydrive) and Hotmail…”

Ian Oxley (UK)

Ah, now you see I have been ‘told off’ for blocking ads from g.msn and other servers, blocking ad content in Messenger too, because I am ‘messing up the business model of free services’. But if I can’t even trust content from Microsoft servers then, sorry, I’ll just go right on running the Messenger patch, using hosts entries, adblock in Firefox, tweaking IEPro, forcing IE and Messenger through the url blocker in Avast… etc! The ads can go to hell.

I understand from a Messenger Team blog that ad content in the beta of Messenger 2009 was also of concern at some point. How on Earth does this all happen?



Samuel Loirat

The first file is now catchable by the tool.

