Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Malvertizement at allmusic.com and billboard.com

October 20th 2008 in Uncategorized


Note: the incident has been reported to a contact at allmusic.

Originally discovered by Kimberley.

Malicious SWF: web.checkm8.com/Ads/435513/bill_300x250-border.swf

Encrypted dynamic text within the malvertisement (screenshots):

[two screenshots of the encrypted dynamic text, not reproduced here]

From web.checkm8.com the ad chain hits clickmatter.net, which loads a file named “static.gif” that is actually an SWF (the image extension is a disguise). From there I was bounced to windows-scannercenter.com, then to onlinetds.info and finally forcedscan.com.
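The “static.gif that is really an SWF” trick above is worth catching automatically: a proxy or ad-review tool that trusts the extension misses it, one that looks at the magic bytes does not. The Python below is an added example, not code from the original post. It sniffs the leading bytes of an ad asset to tell GIF from SWF (all three SWF signatures), reports the SWF header fields, and decompresses a CWS body so its strings can be inspected. The sample files are constructed inside the block; nothing is fetched from any of the domains named on this page.

```python
"""Sniff the real type of an ad asset instead of trusting its file name.

Added example, not code from the original post. The sample files below are
constructed here, not captured from the malvertising chain.
"""
import struct
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib body (SWF 6+), ZWS = LZMA body (SWF 13+).
SWF_MAGICS = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def sniff(data: bytes) -> dict:
    """Classify by leading bytes only; the file name is never consulted."""
    if data[:6] in GIF_MAGICS:
        return {"type": "gif"}
    if len(data) >= 8 and data[:3] in SWF_MAGICS:
        # SWF header: signature (3) | version (1) | uncompressed file length (4, little-endian)
        version = data[3]
        declared_len = struct.unpack("<I", data[4:8])[0]
        return {"type": "swf", "compression": SWF_MAGICS[data[:3]],
                "version": version, "declared_length": declared_len}
    return {"type": "unknown"}


def is_disguised_swf(filename: str, data: bytes) -> bool:
    """True when the bytes are Flash but the name claims something else."""
    return sniff(data)["type"] == "swf" and not filename.lower().endswith(".swf")


def swf_body(data: bytes) -> bytes:
    """Return the SWF with its body decompressed so tags and strings can be inspected.

    FWS and CWS are handled; ZWS uses an LZMA layout with an SWF-specific header
    and is reported rather than decoded here.
    """
    info = sniff(data)
    if info["type"] != "swf":
        raise ValueError("not an SWF")
    if info["compression"] == "zlib":
        return data[:8] + zlib.decompress(data[8:])
    if info["compression"] == "lzma":
        raise NotImplementedError("ZWS (LZMA) body not handled in this example")
    return data


def make_cws(payload: bytes, version: int = 9) -> bytes:
    """Wrap an arbitrary body in a minimal CWS header (test fixture, not a playable movie)."""
    # The declared length is the *uncompressed* size including the 8-byte header.
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(payload)) + zlib.compress(payload)


# Constructed samples: a genuine GIF89a header and a Flash file served under a .gif name.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
PAYLOAD = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x00\x0c\x01\x00"  # constructed SWF-like bytes
FAKE_GIF = make_cws(PAYLOAD)

if __name__ == "__main__":
    for name, blob in (("real.gif", REAL_GIF), ("static.gif", FAKE_GIF)):
        verdict = "DISGUISED SWF" if is_disguised_swf(name, blob) else "ok"
        print(name, sniff(blob), verdict)
```

Run it on a downloaded ad asset by reading the file into `data` and calling `is_disguised_swf(name, data)`; a hit on a `.gif`, `.jpg` or `.png` name is the same signal the post found by hand.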

web.checkm8.com has been involved in other malvertizement outbreaks affecting allmusic; see the earlier posts at:
http://msmvps.com/blogs/spywaresucks/search.aspx?q=checkm8&o=Relevance


checkm8.com – 65.216.116.106 – Massachusetts – Woburn – Mirror Image Internet
ICANN Registrar: Network Solutions Inc
Created: 3 July 1999
NS: DNS01.CHECKM8.COM
NS: DNS02.CHECKM8.COM

clickmatter.net – 216.195.59.78 – Oregon – Portland – Aps Telecom
ICANN Registrar: Estdomains Inc
Created: 11 July 2008
NS: DNS251.3FN.NET
NS: NS2.3FN.NET

Other domains sharing clickmatter.net's IP (216.195.59.78), from a reverse-IP lookup:
1.  6incest.com
2.  Cash-traffic.com
3.  Clickmatter.net
4.  Comix6.com
5.  Delmy.com
6.  Dragondusk.net
7.  Fakerape.net
8.  Free-sex-webcams.net
9.  Freeringtonesplace.com
10. Full3gp.com
11. Happy-pearls.com
12. Hexinfo.com
13. Incest-team.com
14. Krasavcy.com
15. Listsitepro.com
16. Lyjine.com
17. Masculinaes.com
18. Mondakalendaro.org
19. Mylovegirls.com
20. Pariclub.com
21. Rusexvideo.org
22. Signweeklyhoroscopes.com
23. Sildenafilcitrato.info
24. Sis69.com
25. Sochiss.com
26. Unclezaebiz.com
27. Us-secured.com
28. Violence-action.com
29. Weatherstantion.com
30. Yadirect.com
31. Yourrealsex.com
32. Zadnic.net

windows-scannercenter.com – 83.229.251.28 – Moskva – Moscow – Mchost.ru Inc
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created: 21 Sept 2008
NS: NS1.WINDOWS-SCANNERCENTER.COM
NS: NS2.WINDOWS-SCANNERCENTER.COM

onlinetds.info – 216.240.134.211 – California – Irvine – Go2online Corp
ICANN Registrar: Estdomains Inc
Created: 16 Sept 2008
NS: NS1.FREEFASTDNS.COM
NS: NS2.FREEFASTDNS.COM

forcedscan.com – 64.86.17.44 – Ontario – Brampton – Velcom
ICANN Registrar: Onlinenic, Inc
Created: 26 Sept 2008
NS: NS1.FREEFASTDNS.COM
NS: NS2.FREEFASTDNS.COM

3FN.NET – 64.124.84.145 – California – San Jose – Aps Communication
ICANN Registrar: Intercosmos Media Group, Inc D/B/A directnic.com
Created: 2 Sept 2002
NS: NS5.3FN.NET
NS: NS8.3FN.NET

FREEFASTDNS.COM
ICANN Registrar: Onlinenic, Inc
Registrant, “Igor Goroshko”, Moscow, RU
Created 17 Sept 2008
NS: NS1.FREEFASTDNS.COM (91.203.92.47)
NS: NS2.FREEFASTDNS.COM (77.244.220.138)

NS1.FREEFASTDNS.COM (91.203.92.47) – United Kingdom Isp Uatelecom
Reverse IP: protectiononlineinfo.com

protectiononlineinfo.com – 91.203.92.47 – United Kingdom – Isp Uatelecom
ICANN Registrar: Wild West Domains Inc
Created: 8 Sept 2008
NS: NS51.DOMAINCONTROL.COM
NS: NS52.DOMAINCONTROL.COM

NS2.FREEFASTDNS.COM (77.244.220.138) – Russian Federation St. Petersburg Allocation For Our Customer Primenet

Other domains hosted on 77.244.220.x (reverse-IP lookup across the /24 that holds NS2.FREEFASTDNS.COM):
1.  A-vxp2008.com
2.  Anti-virus-xp.com
3.  Anti-virusxp2008.net
4.  Antivir08.com
5.  Antivirxp.net
6.  Av-xp08.net
7.  Av-xp2008.net
8.  Avx08.net
9.  Eantivirus-payment.com
10.  Xp-protector.com
11.  Xpprotector.com
12.  Youpornzztube.com
13.  Counterlog.net
14.  Dumps4your.biz
15.  Optdns.org
16.  Google-analyzing.com
17.  Besenok.net
18.  Gibrportable.net
19.  Chronotimex.com
20.  Flagclubx.com
21.  Umanoid.org
22.  X0x0l.com
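The records above are the raw material for an infrastructure pivot: the post links onlinetds.info and forcedscan.com through their shared FREEFASTDNS.COM nameservers, and FREEFASTDNS.COM to protectiononlineinfo.com because NS1.FREEFASTDNS.COM resolves to that site's IP. The Python below is an added example, not part of the original post, that performs the same pivoting in code over the whois/DNS records transcribed from this page. It links domains by shared hosting IP, by shared nameserver zone, by a nameserver resolving to another listed domain's IP and, as an explicitly weak link, by same registrar within a 30-day window; the 30-day window and the clustering are my choices, not the post's, and the registrar names are shortened from the whois output above.

```python
"""Cluster the domains in this write-up by shared infrastructure.

Added example, not from the original post. RECORDS and NS_IPS are transcribed
from the whois/DNS notes on the page; nothing is looked up live.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

RECORDS = {
    "checkm8.com": {"ip": "65.216.116.106", "registrar": "Network Solutions",
                    "created": date(1999, 7, 3), "ns": ["dns01.checkm8.com", "dns02.checkm8.com"]},
    "clickmatter.net": {"ip": "216.195.59.78", "registrar": "Estdomains",
                        "created": date(2008, 7, 11), "ns": ["dns251.3fn.net", "ns2.3fn.net"]},
    "windows-scannercenter.com": {"ip": "83.229.251.28", "registrar": "Directi",
                                  "created": date(2008, 9, 21),
                                  "ns": ["ns1.windows-scannercenter.com", "ns2.windows-scannercenter.com"]},
    "onlinetds.info": {"ip": "216.240.134.211", "registrar": "Estdomains",
                       "created": date(2008, 9, 16), "ns": ["ns1.freefastdns.com", "ns2.freefastdns.com"]},
    "forcedscan.com": {"ip": "64.86.17.44", "registrar": "Onlinenic",
                       "created": date(2008, 9, 26), "ns": ["ns1.freefastdns.com", "ns2.freefastdns.com"]},
    "3fn.net": {"ip": "64.124.84.145", "registrar": "directnic",
                "created": date(2002, 9, 2), "ns": ["ns5.3fn.net", "ns8.3fn.net"]},
    "freefastdns.com": {"ip": None, "registrar": "Onlinenic",  # page gives no A record for it
                        "created": date(2008, 9, 17), "ns": ["ns1.freefastdns.com", "ns2.freefastdns.com"]},
    "protectiononlineinfo.com": {"ip": "91.203.92.47", "registrar": "Wild West Domains",
                                 "created": date(2008, 9, 8),
                                 "ns": ["ns51.domaincontrol.com", "ns52.domaincontrol.com"]},
}
# Nameserver glue from the page.
NS_IPS = {"ns1.freefastdns.com": "91.203.92.47", "ns2.freefastdns.com": "77.244.220.138"}


def zone_of(host: str) -> str:
    """ns1.freefastdns.com -> freefastdns.com (good enough for the TLDs on this page)."""
    return ".".join(host.lower().split(".")[-2:])


def pivot_edges(records, ns_ips, max_days=30):
    """Return (domain_a, domain_b, reason) for every shared-infrastructure link."""
    edges = []
    by_ip, by_ns_zone = defaultdict(set), defaultdict(set)
    for dom, rec in records.items():
        if rec["ip"]:
            by_ip[rec["ip"]].add(dom)
        for ns in rec["ns"]:
            by_ns_zone[zone_of(ns)].add(dom)
    # 1. Same hosting IP.
    for ip, doms in by_ip.items():
        for a, b in combinations(sorted(doms), 2):
            edges.append((a, b, f"same hosting IP {ip}"))
    # 2. Nameservers under the same zone (includes the zone's own domain if it is a record).
    for zone, doms in by_ns_zone.items():
        for a, b in combinations(sorted(doms), 2):
            edges.append((a, b, f"nameservers under {zone}"))
    # 3. A nameserver's IP is the hosting IP of another listed domain.
    for ns, ip in ns_ips.items():
        for host in by_ip.get(ip, ()):
            for dom, rec in records.items():
                if ns in rec["ns"] and dom != host:
                    edges.append((dom, host, f"{ns} resolves to {host}'s IP {ip}"))
    # 4. Weak: same registrar, registered within max_days of each other (heuristic, my choice).
    for a, b in combinations(sorted(records), 2):
        ra, rb = records[a], records[b]
        if ra["registrar"] == rb["registrar"] and abs((ra["created"] - rb["created"]).days) <= max_days:
            edges.append((a, b, f"weak: same registrar ({ra['registrar']}) within {max_days} days"))
    return edges


def clusters(records, edges):
    """Union-find over the edges; returns frozensets, largest first."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _ in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: (-len(g), min(g)))


if __name__ == "__main__":
    edges = pivot_edges(RECORDS, NS_IPS)
    for a, b, why in edges:
        print(f"{a} <-> {b}: {why}")
    for group in clusters(RECORDS, edges):
        print(sorted(group))
```

On this page's data the code reproduces the post's conclusion: onlinetds.info, forcedscan.com, freefastdns.com and protectiononlineinfo.com fall into one cluster, clickmatter.net clusters with its 3FN.NET nameserver operator, and checkm8.com (the ad server) and windows-scannercenter.com stay unlinked because nothing in the transcribed records ties them to the others.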


2 comments on “ALERT: Malvertizement at allmusic.com and billboard.com”

david gunnells

Saw the same thing this morning, except it was a user who visited classmates.com. 🙁



DJ Allyn

Okay, I have a WP blog with Viper’s Video Quicktags plugin and if I activate it and use the Flash Video (flv) it will start trying to reach http://onlinetds.info if I am trying to display any flash video from within my domain.

If I try to access an FLV file outside of my domain, it works fine.

Now today, it changed to start seeking a different domain: realtimeweb1.com. But the IP address is still the same:

87.248.180.90

This is becoming very irritating for me. I have identical installations on the same server under different domains and it isn’t acting this way. ONLY under this particular domain.

I have even gone as far as to create a new installation under a sub of this particular domain and it STILL seems to want to seek out this IP address. I am using fresh installations and fresh software.

What is causing this?
