Circulating malvertizements: driveway and dreammates
First, driveway:
waytotheprofit.com/?cmpid=comedogeni&adid=intl
statgroup.net/c/index.php?id=WmhuaHhDTEFpUXm7NkiZmOVpYVnd4cGtoPTEyMDgxNjk3MDUmcG56Y252dGE9cGJ6cnFidHJhdgYNkiDgNmYNkiDgNm
Next, dreammates:
waytotheprofit.com/?cmpid=comedogeni&adid=intl
stat-diagnostic-imaging.net/c/index.php?id=eklscHhaSzFya3JIUElYNjNm7NkiZeUloPTEyMTIwNzc5MjYmcG56Y252dGE9cGJ6cnFidHJhdgYNkiDgNmYNkiDgNm
You can see that both malvertizements use the same waytotheprofit campaign URL.
I ended up at goldenantispy.com on one occasion, at antispywaremaster.com on another, and at performanceoptimizer.com on a third. You will end up at different sites depending on the country you reside in.
goldenantispy.com and antispywaremaster.com try to download software to visiting computers using the infamous Microsoft Dynamic HTML Editing Control (marked Safe for Scripting), which has been removed from Vista. If a computer is running Windows Vista and is up to date with security patches, infection is difficult, if not impossible, to achieve without user interaction. Be warned, though, that I was testing with a bare-metal version of Windows. There is every chance that other exploits affecting non-Microsoft products could be used at any time to attempt to infect systems.
The site also utilises archive.easydownloadsoft.com to distribute its wares, specifically:
archive.easydownloadsoft.com/goldenantispy.com/GoldenAntiSpy/install_en.cab
I’m also seeing adnetserver.com and b2adz.com, as well as prevedmarketing.com, waytotheprofit.com and statgroup.net.
There are several domains related to goldenantispy.com, including:
meinbesterschutz.com, virusvakt.com, zebraantivirus.com, pcprivacytool.com and virusstopper.com, as well as antispyarecontrol.com, antispywaresuite.com, winanonymous.com, winpcdoctor.com, winspycontrol.com and anchisupaisutsu.com.
goldenantispy.com is registered via Tucows, with webstarhosting@yahoo.com as its admin contact.
Its mail server is mail.prevedhosting.com (regular readers of my blog will recognize that name).
antispywaremaster.com is also registered via Tucows, and has an administrative contact that I recognize: “no_name_inc@yahoo.com”, aka “John Green”.
antispywaremaster.com has “relationships” with diskretter.com (a name I recognize as being involved with malvertizement incidents in the past), schijfbewaker.com, toolsicuro.com, exterminadordevirus.com and securepccleaner.com.
If we dig deeper using robtex, we find relationships with antivirusmaqique.com, defensedudisque.com, erreuchasseur.com, fairukyua.com, qubbishremover.com and limpietodo.com, name server relationships with advancedcleaner.com, antispywaresuite.com and avsystemcare.com, and old classics such as drivecleaner.com, errorsafe.com, systemdoctor.com, winspycontrol.com and yourprivacyguard.com.