Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

ALERT: Please treat all content from topstarmedia.net and osmedlin.com with extreme caution – do we find DIRECTI? Yes we do!

January 16th 2009 in Uncategorized

I received an email alert today reporting that topstarmedia.net is supplying JavaScript code for advertising campaigns as follows:

osmedlin.com/?id=<<removed>>

To quote my correspondent, topstarmedia’s approach had "[a]ll the hallmarks - 5-figure budget, launch on a Friday, immediately, etc."

topstarmedia.net
Registrar: Oneandone
Created: 31 August 2008
Nameservers: ns2.3fn.net (216.195.48.10), dns346.3fn.net (216.195.56.230)
IP: 216.195.57.52 – Oregon – Portland – Aps Telecom
WHOIS hidden behind "Private Registration"

According to Google Maps, topstarmedia.net shares its stated address (518 W 6th St, Los Angeles, CA 90014 United States) with a pizza shop and locksmith 🙂


osmedlin.com is especially interesting. At the time of writing it is hosted at IP 94.76.208.14, an IP with a problematic history:

osmedlin.com
Registrar: Directi Internet Solutions (Are we surprised? No, we are not)
Created: 2 January 2009
NS1.OSMEDLIN.COM
NS2.OSMEDLIN.COM
IP: 94.76.208.14 – United Kingdom – "Canonical Range For 27w"

Shares IP with 7realmedia.com, neon-global.com, tyrol-direct.com, unilux-direct.com, westylex.com

WHOIS:
Registrant Tim Robertson (jlmrtdgf@gmail.com)
81 Hayden Street, Toronto, Ontario

Note that the listed phone number for osmedlin.com, +001.4163657775, apparently belongs to Keys Plus, 100 King W, Toronto:
http://www.yellowpages.ca/bus/Ontario/Toronto/Awards-Engraving-At-Keys-Plus/3084017.html?adid=14457680aa&what=Trophies-Retail&where=Toronto+ON


Here is where it gets even more interesting … there used to be two other domains at IP 94.76.208.14, being media-drive.com and the infamous prolinar.com.
Cite: http://msmvps.com/blogs/spywaresucks/archive/2008/12/31/1658179.aspx

Both domains are no longer at that IP address.


media-drive.com – now "on hold" (suspended domain) according to WHOIS

prolinar.com – no longer has a web site but is still listed as ACTIVE according to WHOIS. You may recall that Kimberley and I have been questioning why prolinar.com has not been suspended when its stablemate has been – both have the same Registrant details (see end of article for WHOIS screenshots). I’m sure that I read somewhere that Directi had promised to investigate *all* domains associated with a rogue Registrant back when it was getting all the negative press about Atrivo/Intercage.

Dig prolinar.com@ns2.prolinar.com (94.76.192.188) …
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
  prolinar.com NS (Nameserver) ns1.prolinar.com
  prolinar.com NS (Nameserver) ns2.prolinar.com
  prolinar.com NS (Nameserver) ns2.prolinar.com
  prolinar.com NS (Nameserver) ns1.prolinar.com
  ns1.prolinar.com A (Address) 94.76.208.14
  ns2.prolinar.com A (Address) 94.76.192.188

Dig prolinar.com@ns1.prolinar.com (94.76.208.14) …
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
  prolinar.com NS (Nameserver) ns1.prolinar.com
  prolinar.com NS (Nameserver) ns2.prolinar.com
  prolinar.com NS (Nameserver) ns2.prolinar.com
  prolinar.com NS (Nameserver) ns1.prolinar.com
  ns1.prolinar.com A (Address) 94.76.208.14
  ns2.prolinar.com A (Address) 94.76.192.188

Could it be that osmedlin.com is a replacement/stablemate for prolinar?  If so, it is very revealing that the bad guys still feel confident enough to continue to use Directi, and even use the same IP address.
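The pivot being drawn here (same hosting IP, same nameserver box, same registrant details, same registrar) is a graph problem, and it is worth making it mechanical so that the next domain to appear on 94.76.208.14 is caught the same way. The script below is an added example, not code from the original post. RECORDS is constructed from the details listed on this page; the "registrant:prolinar-media-drive" label is a stand-in for the shared registrant details in the WHOIS screenshots, and nothing is queried live.

```python
"""Cluster the domains named on this page by shared infrastructure.

Added example, not code from the original post. RECORDS is constructed from
the details the post lists (hosting IPs, nameserver IPs, registrar, registrant
overlap); nothing is queried live. Hosting and nameserver IPs are both filed
as "ip:" so that a domain whose nameserver sits on a box also links to the
domains whose web site sits on that box."""
from collections import defaultdict
from datetime import date

RECORDS = {
    # topstarmedia.net: Oneandone registrar, 3fn.net nameservers, Portland IP
    "topstarmedia.net": {"registrar:Oneandone", "ns:ns2.3fn.net",
                         "ns:dns346.3fn.net", "ip:216.195.57.52",
                         "ip:216.195.48.10", "ip:216.195.56.230"},
    # osmedlin.com: Directi registrar, its own nameservers, UK IP
    "osmedlin.com": {"registrar:Directi", "ns:ns1.osmedlin.com",
                     "ns:ns2.osmedlin.com", "ip:94.76.208.14"},
    # prolinar.com: formerly hosted on 94.76.208.14, and ns1 still resolves
    # there (dig output above); shares registrant details with media-drive.com
    "prolinar.com": {"ns:ns1.prolinar.com", "ns:ns2.prolinar.com",
                     "ip:94.76.208.14", "ip:94.76.192.188",
                     "registrant:prolinar-media-drive"},
    "media-drive.com": {"ip:94.76.208.14", "registrant:prolinar-media-drive"},
    # other sites the post lists as co-hosted on 94.76.208.14
    "7realmedia.com": {"ip:94.76.208.14"},
    "neon-global.com": {"ip:94.76.208.14"},
    "tyrol-direct.com": {"ip:94.76.208.14"},
    "unilux-direct.com": {"ip:94.76.208.14"},
    "westylex.com": {"ip:94.76.208.14"},
}

# Creation dates from the WHOIS summaries above
CREATED = {"topstarmedia.net": date(2008, 8, 31),
           "osmedlin.com": date(2009, 1, 2)}


def shared_indicators(records):
    """Map each indicator seen on two or more domains to those domains."""
    seen = defaultdict(set)
    for domain, indicators in records.items():
        for ind in indicators:
            seen[ind].add(domain)
    return {ind: sorted(ds) for ind, ds in seen.items() if len(ds) > 1}


def clusters(records):
    """Connected components of the graph whose edges are shared indicators
    (union-find). Returns a sorted list of sorted domain lists."""
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    for domains in shared_indicators(records).values():
        root = find(domains[0])
        for other in domains[1:]:
            parent[find(other)] = root
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


def why_linked(records, a, b):
    """Indicators the two domains share directly (empty = no direct link)."""
    return sorted(records[a] & records[b])


def age_days(domain, as_of):
    """Domain age on a given date; campaigns like this one tend to run on
    domains registered days or weeks earlier."""
    return (as_of - CREATED[domain]).days


if __name__ == "__main__":
    alert_day = date(2009, 1, 16)  # date of this post
    for group in clusters(RECORDS):
        print(group)
    print("osmedlin <-> prolinar:", why_linked(RECORDS, "osmedlin.com", "prolinar.com"))
    print("osmedlin.com age at alert:", age_days("osmedlin.com", alert_day), "days")
```

Two things fall out of running it. osmedlin.com lands in the same cluster as prolinar.com, media-drive.com and the five other co-hosted sites purely on the IP; topstarmedia.net shares no indicator with any of them and sits alone, so its link to osmedlin.com is behavioural (it is the one serving osmedlin’s script to ad networks), not hosting. And osmedlin.com was a fortnight old when the alert arrived, which is a signal in itself.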


The identical IP address is not the only similarity.

See this screenshot of the prolinar JavaScript used as part of the MySpace chat malicious redirect? I used it for my article about the MySpace Chat incident.

Let’s compare it to an osmedlin.com JavaScript. Please forgive my need to obscure identifying code on this occasion, but I’m sure that you can still see lots of similarities – everything from the format of the URL, to the software running on the server, to the folder path for the adverts, to the script itself. Note that there is no referrer in the screenshot; if we assume behaviour identical to the prolinar.com incidents, no malicious code is to be expected in this experiment precisely because there is no referrer. But what would happen if the correct referrer was present?

[Screenshots referenced above: the prolinar.com and osmedlin.com JavaScript, identifying code obscured (not reproduced)]

[Screenshots referenced above: WHOIS records for prolinar.com and media-drive.com (not reproduced)]

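That question is exactly what a referrer-cloaking probe answers: fetch the same script URL with no Referer, with an unrelated one, and with the one the campaign is expecting, then compare the bodies. The script below is an added example, not the post’s code and not anything taken from the sites discussed. The ad server it talks to is a constructed stand-in (the URL, the myspace.com trigger and the extra payload are assumptions for illustration); http_fetch is the only part that touches the network and is not used by the demo.

```python
"""Probe a script URL for referrer-conditional (cloaked) content.

Added example, not code from the original post. A host behaving as the post
describes returns harmless JavaScript when fetched with no Referer and
something else when the expected referrer is present. The probe fetches the
same URL once per candidate referrer and groups referrers by the body they
received. The server below is a constructed stand-in, not a real host."""
import hashlib
import urllib.request


def http_fetch(url, referrer=None, timeout=10):
    """Live fetcher: one GET with an optional Referer header. Pass this as
    `fetch` to probe a real host (not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referrer:
        req.add_header("Referer", referrer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def probe_referrer_cloaking(fetch, url, referrers):
    """Fetch `url` once per referrer (None = no Referer header) and group the
    referrers by a digest of the body they got back.

    Returns (cloaked, variants): cloaked is True when more than one distinct
    body came back; variants maps body digest -> list of referrers."""
    variants = {}
    for ref in referrers:
        body = fetch(url, ref)
        digest = hashlib.sha256(body).hexdigest()[:16]
        variants.setdefault(digest, []).append(ref)
    return len(variants) > 1, variants


# --- constructed stand-in for a cloaking ad server (hypothetical) ---------
BENIGN_JS = b"document.write('<img src=\"/ads/banner.gif\">');"
EXTRA_JS = BENIGN_JS + b"\n/* additional script returned only to the expected referrer */"
TARGET_SITE = "myspace.com"  # assumption: the site the campaign targets


def fake_ad_server(url, referrer):
    """Hypothetical server: the same benign banner for everyone, plus an extra
    script only when the Referer names the targeted site."""
    if referrer and TARGET_SITE in referrer:
        return EXTRA_JS
    return BENIGN_JS


def demo():
    """Run the probe against the stand-in with three referrers."""
    referrers = [None, "http://www.example.com/", "http://www.myspace.com/"]
    return probe_referrer_cloaking(
        fake_ad_server, "http://ad-host.example/?id=x", referrers)  # hypothetical URL


if __name__ == "__main__":
    cloaked, variants = demo()
    print("cloaked:", cloaked)
    for digest, refs in variants.items():
        print(digest, "<-", refs)
```

Against a live host, pass http_fetch as the fetcher and include the referrer the campaign actually targets; a change in body digest between referrers is the cloaking signal. Repeat the no-referrer fetch a couple of times first, because a server that also rotates content by IP or time would otherwise look cloaked for the wrong reason.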