Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Malvertizing at boingboing.net

January 13th 2010 in Uncategorized

image

Original source: Dynamoo
http://www.dynamoo.com/blog/2010/01/boingboingnet-bootcampmediacom-ad-leads.html

We have seen problems at bootcampmedia for a LONG time (at least a year) – Jamie Dalgetty needs to start cleaning up bootcampmedia.

Historical evidence:
http://www.google.com/cse?cx=007665253733268001951:qtjb7x6vodw&ie=UTF-8&q=bootcampmedia&sa=Search&siteurl=www.google.com/cse/home%3Fcx%3D007665253733268001951:qtjb7x6vodw

Now, I’ve been able to reproduce Dynamoo’s findings, but I saw a different advertisement (I’m sure I’ve seen that fake craigslist advert before), and different domains.

I bounced from bootcampmedia.com to firedogred.com to deliver.azrielwhereincozen.com (which hosted the advert itself) to content.bookletjigsawsenam.com (which redirected us to bonnapet.com).  bonnapet.com is the domain that was used to attempt to download malicious content to my test machine (an attempt that was easily thwarted, thanks to IE8’s infobar).

Domain details are below the screenshot.

The malicious behaviour has been reported to Right Media (Yieldmanager) with supporting evidence.

image

bootcampmedia.com
ICANN Registrar: GODADDY
Created: 11 December 2007

IP: 69.163.209.214 – New Dream Network LLC

Shares IP with 26 other sites.

Registrant hidden by domainsbyproxy.com

*****

firedogred.com
ICANN Registrar: GODADDY
Created: 15 September 2009

IP: 68.178.232.100 – Godaddy.com, inc.

Registrant – anonymised…
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
USA

Aren’t 555 phone numbers always fake? 800 555 1212

*****

azrielwhereincozen.com
ICANN Registrar: GODADDY
Created: 7 January 2010

IP: 74.207.232.202 – New Jersey – Absecon, Linode

Registrant hidden behind domainsbyproxy.com

*****

bookletjigsawsenam.com
ICANN Registrar: GODADDY
Created: 7 January 2010

IP: 69.164.196.55 – New Jersey – Absecon, Linode

Registrant hidden behind domainsbyproxy.com

*****

bonnapet.com
ICANN Registrar: ENOM, INC
Created: 11 January 2010

IP: 217.2.114.40 – Berlin – Netdirekt E.K.

Registrant:
Wade Cook (wade.cooke@yahoo.com)
12 Hull Street
Boston MA 02113
US

3 comments to “Malvertizing at boingboing.net”
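The domain details above carry the tell-tale signature of a malvertising chain: the hops closest to the payload were registered days before the campaign ran, and most registrants hide behind a proxy. The following script is an added example (it is not code from this post or from Dynamoo) that walks a redirect chain hop by hop and scores each hop on domain age and registrant privacy. The redirect table and WHOIS dictionary are constructed from the details given above; live HTTP and live WHOIS are replaced by lookup tables so it runs offline. The two-label "registrable domain" heuristic and the 14-day "young domain" threshold are assumptions of the example.

```python
"""Triage a redirect chain by domain age and registrant privacy.

Added example, not code from the Spyware Sucks post or Dynamoo. The
redirect table and WHOIS data below are constructed from the domain
details reported in the post; a real tool would fetch both live.
"""
from datetime import date
from typing import Callable, Dict, List, Optional

# Constructed from the post: the host each hop handed the browser on to.
# None marks the end of the chain (bonnapet.com served the payload).
OBSERVED_REDIRECTS: Dict[str, Optional[str]] = {
    "bootcampmedia.com": "firedogred.com",
    "firedogred.com": "deliver.azrielwhereincozen.com",
    "deliver.azrielwhereincozen.com": "content.bookletjigsawsenam.com",
    "content.bookletjigsawsenam.com": "bonnapet.com",
    "bonnapet.com": None,
}

# Constructed from the WHOIS details in the post (registrable domain -> data).
# "privacy" is True where the registrant was hidden or anonymised.
WHOIS: Dict[str, dict] = {
    "bootcampmedia.com": {"created": date(2007, 12, 11), "privacy": True},
    "firedogred.com": {"created": date(2009, 9, 15), "privacy": True},
    "azrielwhereincozen.com": {"created": date(2010, 1, 7), "privacy": True},
    "bookletjigsawsenam.com": {"created": date(2010, 1, 7), "privacy": True},
    "bonnapet.com": {"created": date(2010, 1, 11), "privacy": False},
}

OBSERVED_ON = date(2010, 1, 13)  # date the chain was reproduced (post date)


def registrable_domain(host: str) -> str:
    """Strip subdomains (deliver., content.) so the WHOIS lookup hits the
    registered name. Two-label heuristic (assumption of this example); a
    production tool would consult the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])


def follow_chain(start: str,
                 next_hop: Callable[[str], Optional[str]],
                 max_hops: int = 10) -> List[str]:
    """Walk hop -> hop until the chain ends. The seen-set and hop cap stop a
    redirect loop from hanging the analyst's tooling."""
    chain = [start]
    seen = {start}
    while len(chain) < max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def score_hop(host: str, whois: Dict[str, dict], observed_on: date,
              young_days: int = 14) -> dict:
    """Score one hop: domain age in days, whether it is younger than
    young_days (assumed threshold), and whether the registrant is hidden."""
    domain = registrable_domain(host)
    record = whois.get(domain)
    result = {"host": host, "domain": domain, "age_days": None,
              "young": False, "privacy": False, "no_whois": record is None}
    if record is not None:
        age = (observed_on - record["created"]).days
        result["age_days"] = age
        result["young"] = age <= young_days
        result["privacy"] = bool(record.get("privacy"))
    # Simple additive risk count; weights are a matter of local policy.
    result["risk"] = sum(result[k] for k in ("young", "privacy", "no_whois"))
    return result


def triage_chain(start: str, next_hop: Callable[[str], Optional[str]],
                 whois: Dict[str, dict], observed_on: date,
                 young_days: int = 14) -> List[dict]:
    """Follow the chain from start and score every hop in order."""
    return [score_hop(h, whois, observed_on, young_days)
            for h in follow_chain(start, next_hop)]


def young_domains(report: List[dict]) -> List[str]:
    """Registrable domains in the report that were registered recently."""
    return [r["domain"] for r in report if r["young"]]


if __name__ == "__main__":
    report = triage_chain("bootcampmedia.com", OBSERVED_REDIRECTS.get,
                          WHOIS, OBSERVED_ON)
    print(f"{'hop':34} {'age':>5} young privacy risk")
    for r in report:
        age = "?" if r["age_days"] is None else r["age_days"]
        print(f"{r['host']:34} {age:>5} {str(r['young']):5} "
              f"{str(r['privacy']):7} {r['risk']}")
    print("Recently registered:", ", ".join(young_domains(report)))
```

Run against the constructed data, the three hops nearest the payload (azrielwhereincozen.com, bookletjigsawsenam.com, bonnapet.com) come out as six, six and two days old, which is exactly the signal an ad-network abuse desk can act on: an advertiser whose delivery and landing domains were registered this week deserves manual review before the creative goes live.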

Steven

The /mirror/ directory on bonnapet.com seems to have been removed (404’s for me), but there’s exploit code still present on the bonnapet.com homepage, which when decoded, shows someone isn’t a fan of AVG;

hosts-file.net/…/imgbonnapet_com_-_source.gif

hosts-file.net/…/imgbonnapet_com_-_source2.gif

Decoding the code shows the payload comes from the following, which surprisingly, also 404’s for me atm;

bonnapet.com/friends/umgo.php



sandi

Nah, I suspect that the mirror directory is not gone; it is simply hiding. I was seeing the same error immediately after seeing the original hijack when I tried to load the URL directly. I suspect something like an HTACCESS manipulation where the contents of the directory only load under precise conditions.



Steven

You read my mind ;o)