Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Yet another malicious banner advertisement at www.123greetings.com

March 31st 2008 in Uncategorized

OK, so tell me oh gentle reader… just how many “free passes” should a website get?

123greetings.com is, once again, displaying a malicious banner advertisement.  This is the third incident that I have personally experienced thanks to an advertisement accepted by those responsible for 123greetings.com, and enough is enough.


The URL of the malicious advertisement is:

As you can see, the campaign is new to this blog:



When we analyse the SWF we find this URL:


Yes, Promoplexer.com are known bad guys.  We also hit adsraise.com/mbuyers/statistics.html

adsraise.com and promoplexer are both hosted by WNET, who also provide the name servers.  WNET have been mentioned several times in this blog.

The advertisement dumped me at tds.promoplexer.com/statsg.php

That URL led me to the now infamous gnida.swf (tds.promoplexer.com/swf/gnida.swf)

And from there to adtds2.promoplexer.com/in.cgi?12

before I finally ended up at antispywaredeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=
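
A defender reviewing proxy logs can reconstruct a chain like the one above by following Referer values back from the final landing page to the site that carried the advertisement. The following is an added example, not from the original post: the log lines are constructed, `ad-server.example` and `news.example` are placeholders, and it assumes every hop was logged with its Referer.

```python
from urllib.parse import urlsplit

# Domains named in the post; a real deployment would load a maintained blocklist.
BAD_DOMAINS = {"promoplexer.com", "adsraise.com", "antispywaredeluxe.com"}

# Constructed proxy log as (requested URL, Referer) pairs. The banner URL is a placeholder.
SAMPLE_LOG = [
    ("http://www.123greetings.com/", ""),
    ("http://ad-server.example/banner.swf", "http://www.123greetings.com/"),
    ("http://tds.promoplexer.com/statsg.php", "http://ad-server.example/banner.swf"),
    ("http://tds.promoplexer.com/swf/gnida.swf", "http://tds.promoplexer.com/statsg.php"),
    ("http://adtds2.promoplexer.com/in.cgi?12", "http://tds.promoplexer.com/swf/gnida.swf"),
    ("http://antispywaredeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=",
     "http://adtds2.promoplexer.com/in.cgi?12"),
    ("http://news.example/story.html", "http://www.123greetings.com/"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_bad(url):
    """True if the URL's host is a blocklisted domain or one of its subdomains."""
    h = host(url)
    return any(h == d or h.endswith("." + d) for d in BAD_DOMAINS)

def chain_to(url, referer_of):
    """Walk Referer links backwards from url to the page that started the chain."""
    chain, seen = [url], {url}
    while referer_of.get(chain[-1]) and referer_of[chain[-1]] not in seen:
        chain.append(referer_of[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]  # origin first, landing page last

def suspicious_chains(log):
    """Return each complete chain that passes through a blocklisted domain."""
    referer_of = {url: ref for url, ref in log}
    referers = {ref for _, ref in log}
    findings = []
    for url, _ in log:
        if url in referers:  # something was loaded from here, so it is not a chain end
            continue
        chain = chain_to(url, referer_of)
        if any(is_bad(hop) for hop in chain):
            findings.append(chain)
    return findings

if __name__ == "__main__":
    for chain in suspicious_chains(SAMPLE_LOG):
        print("origin site:", host(chain[0]))
        print("  " + "\n  -> ".join(chain))
```

The first element of each reported chain is the publisher page, which is the detail needed when reporting the advertisement to the site or its ad network.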

5 comments to...
“Yet another malicious banner advertisement at www.123greetings.com”


It seems to me that if anyone’s getting free passes, it’s not the web site on which you see the advert, but the advertising agency which approves the campaigns hosted on that site.
For various reasons – bandwidth, control, experience, etc – the web sites themselves generally “lease out” space to advertisers. Every day/week/month, the web site owners receive a list of links to media, and a count of how many times those media can be displayed. The web sites randomly attach an appropriate link’s media to a page sent to the user’s web browser, and the user’s web browser displays the content.
Now, the web site could preview the media before sending it to the user – but there’s that ‘experience’ thing again – the web site software doesn’t know what to look for; there’s that ‘bandwidth’ thing again – the web site can’t afford the bandwidth to host the media, it sure can’t afford the bandwidth to scan the media every time; and the web site can’t simply scan on first display, or the malware would simply have to wait until it hits the tenth display to enable itself.
Also, as you’ve noted yourself, it’s clear that the malware authors are careful to prevent the web site owners from seeing the malicious effects of the advert.
I think that the group that should be scanning the adverts, as they are originally uploaded, and at regular intervals, is the media hoster – in this case, that would appear to be 247realmedia.com – “24/7 Real Media”.
Why are they still accepting and hosting these malicious adverts?

Conrad Longmore

Perhaps time for Google to give 123greetings.com a “This site may harm your computer” tag?

Actually, it’s already red flagged at SiteAdvisor – http://www.siteadvisor.com/sites/123greetings.com



That could possibly be arranged, but I think that the Google warning is more for compromised web sites than malicious banner advertisements.

It would be Haute Secure that blocks sites based on the appearance of malicious advertisements.



Google will flag sites for the ads contained therein. Report it!

Part of the responsibility should rest with the site itself, and that may result in using different advertising agencies. It seems like companies should take steps to avoid distributing malware to their users.


Thanx You.. Perfect Docs
