Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Malicious SWF advert captured on NationalGeographic.com

November 25th 2007 in Uncategorized

I only have time to post screenshots at the moment – the malicious advertisement can be seen at:
66.179.234.173/images/1847_560766_7006263_90_728.html


A Google search reveals that the IP address 66.179.234.173 has a history of involvement with malicious banner advertisements:
http://www.google.com/search?q=66.179.234.173&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1


The SWF itself is being pulled from:
rmedia.adonnetwork.com/images/560766_90_728_200711011430_tubesnow_728x90.swf


With JavaScript being pulled from:
rmedia.adonnetwork.com/adon_flash_v2.js
 




I’ll post more specific details in roughly 9 hours’ time… I won’t have time before then to go through the Wireshark capture evidencing the redirect.


 


3 comments to...
“Malicious SWF advert captured on NationalGeographic.com”

Torq Cisek

I came across this post in the effort to research both Adon and this banner that a company Proximogroup wants to run on our channels (Vlaze.com). Do you have any additional information on this and can you tell me what this banner was attempting to do? Thanks



sandi

The banner attempts to hijack visitors to a web site that displays the advertisement, and redirects them to a fraudware site – fake registry cleaners and what not – scary pop-up boxes appear warning of various problems, and the site uses various trickery to get the fraudware on the system. A scan takes place, the fraudware finds non-existent infections, and then offers to clean the non-existent infections for between $20 and $70 USD.

Be very grateful that you did not buy this banner. You would have lost visitors, you would have received a stack of complaints, and your site’s reputation would have taken a hammering.

If you want to provide me with further information about Proximogroup, I’ll see what I can do about stopping the continuing sale of this banner advertisement.



Reggie Mullen

Are you kidding me? I came across this post searching “Vlaze” and “spyware” because this site (vlaze.com) has somehow taken over my computer. Endless pop-ups, over and over again, refreshing over and over again. I have to unplug my computer (literally) to get it to stop.

And here I find a post by someone FROM vlaze.com saying that they are worried about another company doing the same thing they are guilty of.

Something is very fishy here.

