Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

A couple more malicious banner advertisements…

January 29th 2008 in Uncategorized

The bad guys are certainly expanding their stable of advertisements.


Both lead victims to malicious quinquecahue.com URLs. More later…

One comment to...
“A couple more malicious banner advertisements…”

m

There appears to be a new URL under quinquecahue.com/statsg.php

You then get redirected to scanner2.malware-scan.com

The payload is Trojan.win32 agent (variant of)


Expedia.com has been infiltrated by a malicious banner advertisement – a new one that I have not seen before.

Victim site
Expedia.com (216.251.114.10)

SWF host
media.expedia.com

SWF Source
 

Target fraudware domain
scanner2.malware-scan.com

Banned cities, countries and IPs
199.3.0.0-199.3.255.255
216.251.0.0-216.251.255.255
172.30.0.0-172.30.25.255 (note: expedia.com’s IP is banned)
IN, IL, UK, AU, FR, IT, CN, JP, DE, ES, MX, AE
colorado, washington, california, massachusetts, ontario, texas, hawaii, missouri, illinois

Permitted cities, countries […]

Previous Entry

This incident was reported via a comment on this blog. 
We have not found the malicious advertisement yet, but we can tell you that victims who are caught by the hijack when visiting mayoclinic.com end up being redirected to: quinquecahue.com/swf/gnida.swf?campaign=fabulistor&u=1200910285
We can also tell you that this particular campaign (fabulistor) is coded to NOT trigger when the victim’s computer falls within the following […]

Next Entry
