Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

MalwareAlarm again.. this time it’s www.ok-magazine.com

November 14th 2007 in Uncategorized

This afternoon, let’s have a look at the hijack that is affecting www.ok-magazine.com, right on the front page.

The dangerous SWF is hosted by r2d2advertising:

r2d2adverising.com/edges/fast_get.php?bs=763392451522918384433822949288977796434723741732

From there we’re dragged through to newbieadguide.com:

newbieadguide.com/statsa.php?campaign=2fact0ry&u=1194994157514

We then bound over to blessedads:

blessedads.com/?cmpid=2fact0ry&adid=gsd2

And prevedmarketing.com:

prevedmarketing.com/?tmn=mwatmp&aid=2fact0ry&lid=gsd2&ex=1&ed=2

And end at, you guessed it, scanner2.malware-scan.com:

scanner2.malware-scan.com/4_swp/?tmn=mwatmp&aid=2fact0ry&lid=gsd2_ao_3958_0_10228_ao_&ex=1&ed=2&tmn=null&mt_info=3958_0_10228

I am sure, gentle reader, that you will recognise blessedads and prevedmarketing from the incident that hit whitepages.com.au over the past 24 hours or so.
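As an added illustration that is not part of the original post: a short Python script that reconstructs a redirect chain like the one above from per-request records (constructed here from the post's URLs, with Referer links assumed) and flags any chain that lands on scanner2.malware-scan.com, pulling out the campaign tag the hops share.

```python
from urllib.parse import urlsplit, parse_qs

# Landing host the post identifies as the rogue "scanner" destination.
ROGUE_AV_HOSTS = {"scanner2.malware-scan.com"}
# Query keys carrying the campaign tag in the post's URLs (assumption drawn from the URLs alone).
CAMPAIGN_KEYS = ("campaign", "cmpid", "aid")

# Constructed request records modelled on the post's chain: (request URL, Referer header or "").
P = "http://www.ok-magazine.com/"
R = "http://r2d2adverising.com/edges/fast_get.php?bs=763392451522918384433822949288977796434723741732"
N = "http://newbieadguide.com/statsa.php?campaign=2fact0ry&u=1194994157514"
B = "http://blessedads.com/?cmpid=2fact0ry&adid=gsd2"
V = "http://prevedmarketing.com/?tmn=mwatmp&aid=2fact0ry&lid=gsd2&ex=1&ed=2"
S = "http://scanner2.malware-scan.com/4_swp/?tmn=mwatmp&aid=2fact0ry&lid=gsd2_ao_3958_0_10228_ao_&ex=1&ed=2&tmn=null&mt_info=3958_0_10228"
REQUESTS = [(P, ""), (R, P), (N, R), (B, N), (V, B), (S, V),
            (P + "images/logo.gif", P)]  # ordinary same-site request, to show it stays out of the chain

def host(url):
    return urlsplit(url).hostname or ""

def build_chains(records):
    """Follow Referer links from every root request and return each maximal chain of URLs."""
    children, urls = {}, {u for u, _ in records}
    for url, ref in records:
        children.setdefault(ref, []).append(url)
    chains = []
    def walk(path):
        nxt = children.get(path[-1], [])
        if not nxt:
            chains.append(path)
        for u in nxt:
            walk(path + [u])
    for url, ref in records:
        if ref not in urls:  # root: its Referer is not a request we saw
            walk([url])
    return chains

def campaign_ids(chain):
    """Campaign tags seen along the chain; a shared tag ties the hops to one campaign."""
    ids = set()
    for url in chain:
        for key in CAMPAIGN_KEYS:
            ids.update(parse_qs(urlsplit(url).query).get(key, []))
    return ids

def rogue_chains(records):
    """Chains that end on a known rogue-AV host, with the publisher, hop hosts and campaign tags."""
    return [{"publisher": host(c[0]), "hops": [host(u) for u in c],
             "campaign_ids": sorted(campaign_ids(c))}
            for c in build_chains(records) if host(c[-1]) in ROGUE_AV_HOSTS]
```

On a real capture, the same walk over Referer (or 302 Location) links is what ties a rogue landing page back to the publisher and ad network that served it.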

Screenshots follow of the malicious advertisement itself, a shot of the advertisement in-situ at www.ok-magazine.com and a screenshot of an irrefutable packet capture. Of course, the appropriate authorities are welcome to a copy of the data.

The advertisement

[screenshots: malware_2, malware_4, malware_3]

The advertisement in-situ at www.ok-magazine.com

[screenshot: malware_5]

The proof that the advertisement is malicious…

[screenshot: malware_1]


2 comments to...
“MalwareAlarm again.. this time it’s www.ok-magazine.com”

Mark

DNS Redirector (see http://www.dnsredirector.com) has all these domains in their advertisement block list; if you’re using it, you’ll never be bothered by this nonsense again. While I’m running it on a server, providing filtered DNS service to all the PCs running on the network, you can also accomplish this simple protection for free – by adding the domains to your Windows HOSTS file or by using DNS Redirector Personal Edition …which is new, and I haven’t tried yet, but I suspect this is just as much of an administrative nightmare as individual hosts files on each PC.



Jonathan

I really appreciate the work you have been doing. I just ran into scanner2.malware-scan.com on a commercial, but I am not sure from where it jumped up at me. Once I limit it down (this is twice it has happened) I may send you an email to see if you can bring attention to it. I have not your skills to do so, but reading this blog has put my mind at ease about what was going on. You are doing great work.

Jonathan

