ALERT: malicious content (including malware via security exploit) seen via MySpace chat
Kimberley reports on the incident.
Userplane is a wholly owned subsidiary of AOL (yes, I have written to my contacts there), and Kimberley is getting in touch with the appropriate people at MySpace to try and get this shut down ASAP.
Some important notes for the curious.
The advertisement itself is a simple JPEG.
You will not see the malicious script at the prolinar.com URL unless an appropriate referrer is detected (screenshots at the end of the report).
This means that if somebody sells you advertising and says, for example, “here’s the URL – prolinar.com/?id=200811191551179”, you had better make darned sure that you don’t just type the address into your web browser’s address bar and hit enter to view it: with no referrer you will be served the innocent image and nothing else. You need a referrer. AND, even worse, sometimes the referrer needs to contain specific content before the malicious script is served.
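The practical check for a referrer-gated ad is to fetch the same URL several times, with no Referer header and with a few candidate Referer values, and compare what comes back. The script below is an added example for this report, not code from the original post or from any of the parties named in it. The ad server is simulated locally (fake_cloaking_server, which serves script only when the Referer contains "myspace.com") so the example runs offline; the candidate referrers and the gating rule are assumptions for the demo, not facts about the real prolinar.com server. fetch_with_referer does the same probe over the network and must only be run from an isolated analysis host.

```python
"""Probe an ad URL with several Referer values and compare the responses.

Added example for this report, not code from the original post. The
referrer-gated server is simulated (fake_cloaking_server) so it runs offline.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

Fetcher = Callable[[str, Optional[str]], bytes]

# Referer values to try. The server decides which one is "right", so try none,
# the publisher, the chat host and an unrelated site. The hostnames are
# assumptions about where the ad was displayed, not facts from the report.
DEFAULT_REFERRERS: List[Optional[str]] = [
    None,
    "http://www.myspace.com/",
    "http://chat.userplane.com/",
    "http://www.example.com/",
]


def fetch_with_referer(url: str, referer: Optional[str], timeout: float = 10.0) -> bytes:
    """Live fetch with urllib; sends a Referer header only when one is given.
    Run this from an isolated analysis host, never from a production browser."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer is not None:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def probe(url: str, referrers: Iterable[Optional[str]] = DEFAULT_REFERRERS,
          fetch: Fetcher = fetch_with_referer) -> Dict[Optional[str], str]:
    """Fetch `url` once per referer and return {referer: sha256(body)}."""
    return {ref: hashlib.sha256(fetch(url, ref)).hexdigest() for ref in referrers}


def is_cloaked(results: Dict[Optional[str], str]) -> bool:
    """True when at least two referers produced different bodies."""
    return len(set(results.values())) > 1


def referrers_by_content(results: Dict[Optional[str], str]) -> Dict[str, List[Optional[str]]]:
    """Group referers by the body hash they produced, so the analyst can see
    which Referer values unlock the alternate content."""
    groups: Dict[str, List[Optional[str]]] = {}
    for ref, digest in results.items():
        groups.setdefault(digest, []).append(ref)
    return groups


# Constructed stand-in for the ad server described in the report: a plain JPEG
# unless the Referer contains the publisher's hostname, in which case script is
# served. The gating rule is an assumption for the demo, not the real logic.
JPEG_AD = b"\xff\xd8\xff\xe0" + b"constructed jpeg payload"
SCRIPT_AD = b"<html><body><script>/* constructed malicious script */</script></body></html>"


def fake_cloaking_server(url: str, referer: Optional[str]) -> bytes:
    if referer is not None and "myspace.com" in referer:
        return SCRIPT_AD
    return JPEG_AD


if __name__ == "__main__":
    results = probe("http://prolinar.com/?id=200811191551179", fetch=fake_cloaking_server)
    print("cloaked:", is_cloaked(results))
    for digest, refs in referrers_by_content(results).items():
        print(digest[:12], refs)
```

A hash comparison flags any difference, so an ad server that rotates creatives or embeds a timestamp will also look cloaked; repeat one referer twice first to establish whether the baseline is stable. Servers that gate on User-Agent, client IP or cookies need the same treatment with those headers varied.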
The bad domains discovered in relation to this incident are newlyclickssystem.cn, virusandspywarescan.com, securedliveclicks.com, advanced-antivirus-scanner.com, test.3tmp3.com and media-drive.com. Let’s see what we can discover about them. I ask you this: why do they feel confident enough to re-use the same email addresses, the same registrar, the same name servers and the same IP address? That would be because there are no useful checks and balances when domains are registered and sent live. The bad guys can pretty much do whatever the heck they want, whenever they want, and it is you, gentle reader, who pays the price.
newlyclickssystem.cn
Registrar: 广东时代互联科技有限公司 (which translates to "Guangdong Time Interconnection Science and Technology Limited Company" according to Babel Fish)
Registered: 25 December 2008
IP: 88.198.0.143 – Berlin – Hetzner-rz-nbg-net
Administrative email: promasteryouth@gmail.com
NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM
promasteryouth@gmail.com aka "Andrey V Vernikov" (secured-live-scan.com and securedliveclicks.com and antivirusdefencescanner.com and securedprotectedclicks.com and liveantiviruspccheck.com and advancedantivirusscan.com and securedonlinewebspace.com)
promasteryouth@gmail.com aka "Nikolai V Chernikov" (antivirus-pc-full-scan.com)
*****
virusandspywarescan.com
Registrar: TODAYNIC.COM
Registered: 25 December 2008
IP: 88.198.0.143 – Berlin – Hetzner-rz-nbg-net
Registrant: Valensia M Dobbson (valensiam@yahoo.com) – owns about 34 other domains including antivirussuperscan.com
NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM
*****
securedliveclicks.com
Registrar: TODAYNIC.COM
Registered: 22 December 2008
IP: 88.198.0.143 – Berlin – Hetzner-rz-nbg-net
Registrant: Andrey Vernikov (promasteryouth@gmail.com) – owns about 28 other domains
NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM
*****
advanced-antivirus-scanner.com
Registrar: TODAYNIC.COM
Registered: 25 December 2008
IP: 88.198.0.143 – Berlin – Hetzner-rz-nbg-net
Registrant: Valensia M Dobbson (valensiam@yahoo.com) – owns about 34 other domains including antivirussuperscan.com
NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM
*****
3tmp3.com
Registrar: Directi Internet Solutions (why am I not surprised?)
Registered: 17 February 2008 !!!!
IP: 74.54.203.66 – Texas – Dallas – Theplanet.com Internet Services
Registrant: Konstantin Fetisov (akafitis@gmail.com) – owns about 165 other domains
Shares IP with brandapothecary.com, brandmedication.com, brandpharmacy.net, brandpharmacyworld.com, deepmp3.com, labelpharmacy.com, mp3mutant.cm, mp3rob.com, mp3tem.com
NS1.MUSICXHOST.COM
NS2.MUSICXHOST.COM
*****
media-drive.com
Registrar: Directi Internet Solutions (again)
Registered: 13 October 2008!
IP: 94.76.208.14 – United Kingdom – Poundhost
Registrant: Thomas Schultz (ts8317@googlemail.com) – owns about 40 other domains
Shares IP with 7realmedia.com, media-drive.com, neon-global.com, tyrol-direct.com, unilux-direct.com, westylex.com, prolinar.com
*****
musicxhost.com
Registrar: Directi Internet Solutions (again)
Registered: 17 February 2008 !!!
IP: No web site
Registrant: Konstantin Fetisov (akafitis@gmail.com) – owns about 165 other domains
NS1.MUSICXHOST.COM (74.54.203.92 – Theplanet.com)
NS2.MUSICXHOST.COM (74.54.203.93 – Theplanet.com)
*****
freehostns.com
Registrar: TODAYNIC.COM
Registered: 22 December 2008
IP: No web site
Registrant: Azer O Bestavros (azerbestavros@googlemail.com)
NS1.FREEHOSTNS.COM (91.211.64.47 – UralComp)
NS2.FREEHOSTNS.COM (78.46.205.70 – Berlin – Hetzner-rz-nbg-net)
NS3.FREEHOSTNS.COM (64.86.17.44 – Velcom)
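The records above link up through three attributes: registrant email, hosting IP and nameserver set. The script below is an added example for this report, not code from the original post; it transcribes the WHOIS notes above into RECORDS (prolinar.com appears only as a domain sharing media-drive.com’s IP, so it carries no other fields) and clusters the domains with a union-find over shared attributes, so a chain such as newlyclickssystem.cn → freehostns.com (same nameservers) is found even though the two have different registrants.

```python
"""Cluster the domains above by shared registration and hosting attributes.

Added example for this report, not code from the original post. RECORDS is
transcribed from the WHOIS notes above; prolinar.com has only the IP it
shares with media-drive.com.
"""
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (attribute, value), e.g. ("ip", "88.198.0.143")

FREEHOST_NS = ["ns1.freehostns.com", "ns2.freehostns.com", "ns3.freehostns.com"]
MUSICX_NS = ["ns1.musicxhost.com", "ns2.musicxhost.com"]


def rec(domain: str, email: Optional[str] = None, ip: Optional[str] = None,
        ns: Iterable[str] = ()) -> Dict[str, Any]:
    return {"domain": domain, "email": email, "ip": ip, "ns": list(ns)}


RECORDS: List[Dict[str, Any]] = [
    rec("newlyclickssystem.cn", "promasteryouth@gmail.com", "88.198.0.143", FREEHOST_NS),
    rec("virusandspywarescan.com", "valensiam@yahoo.com", "88.198.0.143", FREEHOST_NS),
    rec("securedliveclicks.com", "promasteryouth@gmail.com", "88.198.0.143", FREEHOST_NS),
    rec("advanced-antivirus-scanner.com", "valensiam@yahoo.com", "88.198.0.143", FREEHOST_NS),
    rec("3tmp3.com", "akafitis@gmail.com", "74.54.203.66", MUSICX_NS),
    rec("media-drive.com", "ts8317@googlemail.com", "94.76.208.14"),
    rec("musicxhost.com", "akafitis@gmail.com", None, MUSICX_NS),
    rec("freehostns.com", "azerbestavros@googlemail.com", None, FREEHOST_NS),
    rec("prolinar.com", None, "94.76.208.14"),
]

ALL_PIVOTS = frozenset({"email", "ip", "ns"})


def pivot_keys(r: Dict[str, Any], pivots: Iterable[str] = ALL_PIVOTS) -> Set[Key]:
    """Attributes of one record worth pivoting on, normalised to lower case."""
    keys: Set[Key] = set()
    if "email" in pivots and r["email"]:
        keys.add(("email", r["email"].lower()))
    if "ip" in pivots and r["ip"]:
        keys.add(("ip", r["ip"]))
    if "ns" in pivots:
        for ns in r["ns"]:
            keys.add(("ns", ns.lower()))
    return keys


def shared_keys(a: Dict[str, Any], b: Dict[str, Any],
                pivots: Iterable[str] = ALL_PIVOTS) -> Set[Key]:
    """The attributes two records have in common: the reason they are linked."""
    return pivot_keys(a, pivots) & pivot_keys(b, pivots)


def cluster(records: List[Dict[str, Any]],
            pivots: Iterable[str] = ALL_PIVOTS) -> List[List[str]]:
    """Union-find: two domains land in the same cluster when they share any
    pivot key, directly or through a chain of other domains."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d: str) -> str:
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    first_seen: Dict[Key, str] = {}
    for r in records:
        for k in pivot_keys(r, pivots):
            if k in first_seen:
                union(first_seen[k], r["domain"])
            else:
                first_seen[k] = r["domain"]

    groups: Dict[str, List[str]] = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(group)
    # Dropping the nameserver pivot shows which links rest on freehostns.com alone.
    for group in cluster(RECORDS, pivots={"email", "ip"}):
        print(group)
```

The registrar is deliberately not a pivot: a popular registrar links far too many unrelated domains, and the same goes for a shared-hosting IP or a hosting company’s default nameservers. The nameserver pivot is convincing here only because freehostns.com and musicxhost.com are private nameserver domains registered on the same days as the sites that use them (22 December 2008 and 17 February 2008 respectively, per the records above); re-run the clustering with pivots={"email", "ip"} to see which links depend on that judgement.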
[Screenshot: the prolinar.com URL requested with no referrer]
[Screenshot: the same URL requested with a referrer]