Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Spot the similarities

November 28th 2008 in Uncategorized

What I am trying to do is show my readers not only where malvertizements are coming from and what they look like, what they do and how they work, but also reveal the ties that bind between the various domains associated with the facilitation of malvertizing.  You would be surprised how often the same names, the same Registrars, the same IP addresses (or IP range) are used, and even how often the same words are repeated on web pages at different web sites.  The bad guys have always been, to put it bluntly, lazy … and they were lazy because we let them get away with it.

Below is an example of duplicate content on just two web sites for domains that have been associated with facilitating the distribution of malware via malvertizement.  Don’t get me wrong – the people behind sites such as this one are not quite as lazy as they used to be, and their grasp of the English language is certainly improved…

 

image image
image 

Note: “Sunwell Corporation” appears elsewhere on the site, quoted as a “client” of Zappinads.  Perhaps coincidentally, there is a Sunwell Corporation website at sunwellcorp.com that was registered via Yesnic (just like Zappinads).

image
image image

 

zappinads.com

ICANN Registrar: YESNIC CO. LTD
Created: 29 March 2007
NS1.ZAPPINADS.COM (has 1 domains)
NS2.ZAPPINADS.COM
NS3.ZAPPINADS.COM
NS4.ZAPPINADS.COM
IP: 67.205.103.146 – Canada – Iweb Dedicated Cl
Registrant details: Zappinads Inc (zappinads@yahoo.com)

Reverse IP:

bestadmedia.com, elanads.com, favouriteshop.com, infyte.com, keywordcpv.com, zappinads.com

—–

adtraff.com

ICANN Registrar: TUCOWS INC
Created: 13 April 2007
NS1.ADTRAFF.COM (has 1 domains)
NS2.ADTRAFF.COM
NS3.ADTRAFF.COM
NS4.ADTRAFF.COM
IP: 84.243.252.84 – Netherlands – Gfx-cust-worldstream
Registrant details: Adtraff Inc, moon.serg@gmail.com

—–

Note: A check of the IP range reveals Onlinepromostats.com at IP 84.243.252.86 – that domain was implicated in a malvertizement at photobucket.com

Cite:  malvertizing at photobucket.


Comments are closed.

Those of us who are regular readers of my blog will know that newstat.net has been associated with malvertizing in the past.  Its WHOIS details have recently been changed. Old details: SergMoonmoon.serg@gmail.comKrokus str.AmsterdamNL31 334558757 New details: John Brisbone  (larsonown@gmail.com)Active Solutions8255 S Michigan Ave  Chicago, IL  60608US5676876812 John Brisbone is associated with 3 […]

Previous Entry

<sigh> This is what happens when the code used by a web site to detect (and adapt to) different browser versions is not properly written.  According to Facebook I am running IE6 – I’m not, I’m running IE8 Beta 2 (as you can see from the screenshot). If I view the Facebook site […]

Next Entry

Archives