Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

rhapsody.com hit by malicious banner advertisement

January 28th 2008 in Uncategorized

rhapsody.com has been hit by a malicious banner advertisement – rhapsody.com is owned by RealNetworks.

Victim site: rhapsody.com (207.188.21.32)
SWF host: RealOne / Doubleclick
SWF Source:
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs: 207.188.0.0-207.188.255.255 (note this IP range captures rhapsody.com); newjersey, newyork, california, washington, virginia; paris, aarhus, velizycedex, jarrestr, amsterdam, rotterdam, zaanstad, koogaandezaan, seattle
Permitted cities, countries and IPs: US, NL, FR, SE, DK, NO, UA
SWF URL: i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231
Special notes: Incident reported to Doubleclick, rhapsody.com
Resolution:

As always, let’s work backwards from the final target site. 

URL / Referrer chain (final target first, working back to the page that served the ad):

scanner2.malware-scan.com/9_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=mi1eroof_ma9_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_13496

prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358

blessedads.com/?cmpid=mi1eroof&adid=728

newbieadguide.com/statss.php?campaign=mi1eroof&u=23423424

newbieadguide.com/swf/gnida.swf?campaign=mi1eroof&u=23423424

newbieadguide.com/swf/gnida.swf?campaign=mi1eroof&u=23423424

newbieadguide.com/statsg.php?u=23423424&campaign=mi1eroof

newbieadguide.com/statsa.php?u=23423424&campaign=mi1eroof

i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231

i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231

rhapsody.com/-search?query=U2&searchtype=RhapArtist
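Two things in the post are worth having in code when you investigate an incident like this: the ad's own gating (the banned IP range in the summary table contains rhapsody.com's address, which is why the publisher never sees the redirect itself) and the habit of walking Referer headers backwards from the fraudware landing page to the site that served the banner. The example below is added here and is not code from the blog or from any of the parties involved; the IP range, cities and country codes are copied from the table above, while the url-to-referrer pairs are constructed to follow the chain listed above (the exact pairing of the original two-column table is not recoverable).

```python
import ipaddress

# Values copied from the post's summary table for rhapsody.com.
VICTIM_IP = "207.188.21.32"
BANNED_IP_RANGES = ["207.188.0.0-207.188.255.255"]
BANNED_CITIES = {"newjersey", "newyork", "california", "washington", "virginia",
                 "paris", "aarhus", "velizycedex", "jarrestr", "amsterdam",
                 "rotterdam", "zaanstad", "koogaandezaan", "seattle"}
PERMITTED_COUNTRIES = {"US", "NL", "FR", "SE", "DK", "NO", "UA"}


def parse_range(text):
    """Turn 'a.b.c.d-e.f.g.h' into (first, last) IPv4Address objects."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    return first, last


def would_be_served(ip, country, city):
    """Mirror the ad's gating: the redirect is served only when the visitor's
    IP is outside every banned range, the country code is on the permitted
    list and the city (lower-cased, spaces stripped) is not banned."""
    addr = ipaddress.IPv4Address(ip)
    for rng in BANNED_IP_RANGES:
        first, last = parse_range(rng)
        if first <= addr <= last:
            return False          # the publisher's own network is excluded
    if country not in PERMITTED_COUNTRIES:
        return False
    return city.replace(" ", "").lower() not in BANNED_CITIES


# Constructed url -> referrer pairs that follow the chain in the post (illustrative).
REFERRERS = {
    "scanner2.malware-scan.com/9_swp/": "prevedmarketing.com/",
    "prevedmarketing.com/": "blessedads.com/",
    "blessedads.com/": "newbieadguide.com/statss.php",
    "newbieadguide.com/statss.php": "newbieadguide.com/swf/gnida.swf",
    "newbieadguide.com/swf/gnida.swf": "i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf",
    "i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf": "rhapsody.com/-search",
}


def walk_back(final_url, referrers):
    """Follow Referer headers from the landing page back to the publisher,
    stopping when no referrer is recorded or when a loop is detected."""
    chain, seen = [final_url], {final_url}
    while chain[-1] in referrers and referrers[chain[-1]] not in seen:
        chain.append(referrers[chain[-1]])
        seen.add(chain[-1])
    return chain
```

Running `would_be_served(VICTIM_IP, "US", "Seattle")` returns False, which is the point the table makes: a tester sitting on rhapsody.com's own network is never shown the malicious redirect, so the check has to be repeated from an address and location the ad does not exclude.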

Screenshot of malicious SWF – yep, it’s the infamous Skyauction advertisement – again


8 comments to “rhapsody.com hit by malicious banner advertisement”

Samuel Loirat

Hi,

Here is my website, which contains a tool called “click checker”; this tool can also find security holes and malware presence in SWF files. Here is the URL: http://www.adopstools.net.
Some ad networks are using it a lot and have already avoided running malware ads thanks to this tool.

Enjoy.



MysteryFCM

@Samuel

Strange … your post just looks like a spam op to me.

I also tried to scan the skyauction.com and i.realone.com URLs using your site and it told me it wasn’t a valid SWF file?



Samuel Loirat

@MysteryFCM.

I was able to check the file remotely; I guess you haven’t entered the correct URL for it. Also, when you want to scan a remote file you need to select “remote file” first, then you can enter the URL. And this is definitely not spam: the tool was made public only 3 months ago and has received some very good feedback.



sandi

Samuel,

The gnida.SWF that is involved in a redirect affecting expedia.com is not scanning properly – there is a code error.

The URL is:
quinquecahue.com/swf/gnida.swf?

Also, a SWF that is known to be redirecting visitors to the gnida.swf above is scanning clean.

The URL is media.expedia.com/ads/FXSound/728×90.swf.

Can you investigate?

Sandi &c.



Samuel Loirat

@Sandi,

I checked the 728×90.swf file, and it seems that the degree of encoding has reached another level. I can see a URL from quinquecahue.com ( http://quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni ) but I can’t see the necessary ActionScript to allow its call: System.security.allowDomain("*");

Sam



Me

@Sam: They change the obfuscation tools from time to time. Back in December 2007 all URLs were visible, just prefixed with many whitespaces.



Rusty

I found this thread via Google as I was researching a Virus alert. While visiting MAYOCLINIC.COM looking up info on a knee condition, my system stopped and alerted to a trojan (thanks go to McAfee). The URL had changed to quinquecahue.com/statsg.php?u=1200910285&campaign=fabulistor. I wasn’t aware MAYO had banners, and I didn’t purposefully click on one as I absolutely never do.

If I follow this correctly (and you folks are more up on this stuff than I am), it looks like you can add mayoclinic.com to the other sites this problem is affecting (so far I’ve seen rhapsody.com and expedia.com).

I’m curious if this info helps or, for that matter, I am correct in my assessment.



Samuel Loirat

@Sandi,

Thanks for all the files you provide on your blog; I was able to update my tool ;o). So if you want to, test it as much as you can. If you find that a file went through the net, just drop me a message from the contact form under the “About” section; I will be very grateful, as it lets me keep the tool updated to the latest possible threat.

Thanks
Sam

