Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Allmusic responds…

November 21st 2007 in Uncategorized

Yep, they know what’s going on…

image

And, I’ve received an email response (via my blog’s Contact Me link, not in response to the email that I sent).

In all fairness, I’ll show you the response that they sent – it’s only fair that they get the right of reply.  Please forgive the blocking out of some sensitive information – Steve’s name remains because it’s on Wikipedia anyway.

image

Sadly, my test system was hijacked again after I read the email from allmusic.com and after they had added the notification to their web site – the advertisement still had not been pulled.  Mind you, that was quite a few hours ago; I have some test systems running as I type to see if the advertisement is still there (this is where Fiddler, and an application that forces a web page to reload every X seconds or minutes comes into its own – set and forget at its best).

(Edit: I’ve just been hit by another redirect many hours later – the problem is still there) – my test system is bouncing between two URLs and going no further, which is interesting.  The URLs are as follows, including the amazingly immature l33t speak aka “c10t4ing” – do they *really* think that’s impressive or clever?

adtraff.com/statsg.php?u=23423424&campaign=c1ot4ing 
adtraff.com/swf/gnida.swf?campaign=c1ot4ing&u=23423424

Check this out – to be honest it is very antisocial for the victim – I have *two* systems trapped in the same loop – talk about jumping out of the frying pan into the fire!!  I don’t think I like the way that (presumably) adtraff is dealing with this problem – the victim’s web browser is stuck on a blank white page, in an infinite loop.

Don’t be fooled by this small screen shot – my other system is sitting at 2,762 lines of capture, with the count increasing by 2 lines every few seconds.  It’s nuts!

image

What URL caused the above havoc?  Well, here is the referrer – I’m sure you’ll find it familiar….

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickT

Anyway, this afternoon’s hijack led me to MalwareAlarm, not Deuce Cleaner, so let’s have a look at this afternoon’s incident – did I find a 2nd infective advertisement or was it the same one? And, why did I end up at a different site?

My original report indicated that this URL was dangerous:

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTAG=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clicktag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTAG2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS&clicktag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS

This afternoon it was this – same SWF but I ended up at a different site.

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickTAG=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clicktag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickTag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage&clickTAG2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage&clicktag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage

and again tonight – the same advertisement, but this time I was stuck in a loop at adtraff.

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickTAG=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clicktag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickTag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage&clickTAG2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage&clicktag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage

So, what does this tell us?  It tells us that the same SWF is being used to redirect users to different sites.
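
The same comparison can be scripted when working through a proxy capture. This is an added example, not part of the original post: it pulls the creative and the placement (the cat= value inside each clickTag) out of every captured referrer and reports creatives that were seen with more than one outcome. The function names are hypothetical, the referrers are rebuilt from the repeating pattern of the URLs quoted above, and the outcome labels are taken from this post's account.

```python
import re
from collections import defaultdict

CREATIVE = "ny.checkm8.com/Ads/336249/728x90_emusic.swf"
PARAMS = [("clickTag", "click"), ("clickTAG", "click"), ("clicktag", "click"),
          ("clickTag2", "other2"), ("clickTAG2", "other2"), ("clicktag2", "other2")]

def build(slot):
    """Rebuild a referrer quoted in the post from its repeating pattern."""
    base = "http://web.checkm8.com/adam/em/%s/342369/cat=vnu_AMG_allmusic.%s"
    return CREATIVE + "?" + "&".join(f"{n}={base % (k, slot)}" for n, k in PARAMS)

# (referrer, where the browser ended up), as described in the post.
SIGHTINGS = [
    (build("ROS.ROS"), "Deuce Cleaner"),
    (build("Homepage"), "MalwareAlarm"),
    (build("Homepage"), "adtraff loop"),
]
# The referrer that the post quotes cut off mid-parameter.
TRUNCATED = build("Homepage").split("&clickTAG=")[0] + "&clickT"

def parse_ad_request(url):
    """Return (creative, placements, truncated_params) for a captured request."""
    creative, _, query = url.partition("?")
    placements, truncated = set(), []
    for pair in filter(None, query.split("&")):
        name, sep, value = pair.partition("=")   # values hold unencoded URLs
        if not sep:                              # capture ended mid-parameter
            truncated.append(name)
        elif re.fullmatch(r"clicktag\d*", name, re.IGNORECASE):
            m = re.search(r"/cat=([^/&]+)$", value)
            if m:
                placements.add(m.group(1))
    return creative, placements, truncated

def rotating_creatives(sightings):
    """Creatives seen with more than one outcome: {creative: sorted outcomes}."""
    outcomes = defaultdict(set)
    for url, outcome in sightings:
        outcomes[parse_ad_request(url)[0]].add(outcome)
    return {c: sorted(o) for c, o in outcomes.items() if len(o) > 1}

if __name__ == "__main__":
    for url, outcome in SIGHTINGS:
        creative, placements, _ = parse_ad_request(url)
        print(creative, sorted(placements), "->", outcome)
    print("rotating:", rotating_creatives(SIGHTINGS))
    print("truncated capture:", parse_ad_request(TRUNCATED))
```

Grouping on the creative rather than on the full referrer is what makes the pattern visible: the placement changes between ROS.ROS and Homepage, but the SWF is the same in every sighting.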

I have to ask though… what the heck is so hard about simply pulling the advertisement or, even better, deleting the aberrant affiliate’s account entirely?  It is *not* an acceptable solution to allow victims to be hijacked by a constantly looping adtraff setup.

