Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

ALERT: Malvertizement featuring Crawler

April 30th 2009

Same old same old. The malvertizement hits the domains statcluster.com and enjoyspringtime.com (both domains have been mentioned on this blog several times). The Adopstools results make it obvious that there is something suspicious: http://www.adopstools.net/index.asp?section=quicklink&id=R59g0m36S016WwBW

From statcluster.com and enjoyspringtime.com we end up at crustat.com, then on to either free-webscaners.com, truconv.com or olinredr2.com. From olinredr2.com […]


A frightening tale of computer infection and its consequences

April 29th 2009

“It all started when I wanted to get more performance out of my video card. I downloaded the latest drivers and included this virus.” Yep, that one simple act turned into an infection nightmare lasting three weeks. I’m hoping Micky will work out exactly where he got the drivers from, and let us know (as […]


More information about the malvertizements that appeared on guardian.co.uk and electronicsnews.com.au

April 27th 2009

There are two malvertizements that I highlighted, being:

m1.au.2mdn.net/1949664/hp_300x250.swf
m1.emea.2mdn.net/989589/hp_728x90.swf

The 300×250 malvert touches hit-detect.com and measurehits.com. The 728×90 malvert touches ydmstats.com and measurehits.com.

Redirects: we go from measurehits.com to crustat.com. From there we go to one of several different domains:

olinredr2.com/<<redacted>>
truconv.com/<<redacted>>
free-webscaners.com/<<redacted>> <— fraudware domain

If a victim is redirected to […]


Further information regarding the malvertizements touting ebay discovered at perezhilton.com

April 27th 2009

The malvertizement redirects victims to various fraudware/scareware products via several redirects (some of the URLs change at random – victims don’t hit all of the domains listed below). These are the URLs that are hit by the malvertizement – we have seen all of them before:

statcluster.com/crossdomain.xml
statcluster.com/c/index.php?id<<redacted>>
crustat.com/ts/in.cgi?<<redacted>>
olinredr2.com/?accs=<<redacted>>
pyani.com/in.cgi?<<redacted>>
offer-provider.com/<<redacted>>
truconv.com/<<redacted>>
justwebsecurity.com/<<redacted>>

[…]


ALERT: Malvertizing at perezhilton.com

April 27th 2009

perezhilton.com is an extremely popular site, and the potential audience for the malvertizers is *huge*. Kimberley and I make a great team. I knew that there was a malvertizement being displayed on perezhilton.com, but I hadn’t been able to get definitive proof – Kimberley got it. Check out the screenshot below – note that the […]


ALERT: Malvertizing at electronicsnews.com.au

April 27th 2009

Edited to fix subject line.

It is a malvertizement featuring HP (visually identical to the HP malvertizement described in my earlier article): http://msmvps.com/blogs/spywaresucks/archive/2009/02/28/1674634.aspx

The malvertizement itself is at this URL: m1.au.2mdn.net/1949664/hp_300x250.swf

Adopstools test results here: http://www.adopstools.com/index.asp?section=quicklink&id=ZdWLlE0YcK7rkK5C

Yes, it is the same advert that we found on guardian.co.uk: http://msmvps.com/blogs/spywaresucks/archive/2009/04/27/1691363.aspx

The malvertizement has been reported to the […]


ALERT: Malvertizing at guardian.co.uk

April 26th 2009

There are two of them, both featuring HP (the ads have been documented on this blog in the past). Both advertisements are being served via 2mdn.net and have been reported to the appropriate parties.

m1.emea.2mdn.net/989589/hp_728x90.swf
m1.au.2mdn.net/1949664/hp_300x250.swf


ALERT: blogads.com is serving malvertizements

April 26th 2009

The malvertizements have been reported to blogads.com.

z.blogads.com/www/delivery/afr.php?n+a91736e9&zoneid=86&cb=INSERT_RANDOM_NUMBER_HERE
z.blogads.com/www/delivery/afr.php?n+aa00ce7a&zoneid=87&cb=INSERT_RANDOM_NUMBER_HERE

The adverts hit statcluster.com, enjoyspringtime.com and crustat.com (all known bad domains).


Another fake Phoenix University malvertizement

April 24th 2009

This one is using the same domains as the previous version (although it should be noted that, although visually identical, this one had a different hash to the one I looked at yesterday). Victims end up at one of two fraudware sites, scanspywareonline.com or justwebsecurity.com. I have written about justwebsecurity.com already, so let’s take […]


ALERT: Malvertizement featuring Phoenix University

April 23rd 2009

PLEASE TREAT ALL CONTENT FROM PERFECT-BANNER.COM WITH EXTREME CAUTION

Adopstools scan results: http://www.adopstools.net/index.asp?section=quicklink&id=36xxrvvFRC85pkp7

Malvertizement host: perfect-banner.com

Hits the domains statcluster.com and enjoyspringtime.com. From there to crustat.com, pnfzetnax.net (or justwebsecurity.com), then to 78.47.132.220.

—–

perfectbanner.com
ICANN Registrar: ENOM, INC.
Created 10 March 2009
NS1.PERFECT-BANNER.COM
NS2.PERFECT-BANNER.COM
NS3.PERFECT-BANNER.COM
NS4.PERFECT-BANNER.COM
IP: 89.149.244.137 – Hessen, Frankfurt Am Main, Netdirekt […]
