Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

ALERT: malvertizement on display at jeuxvideo.com

February 17th 2009 in Uncategorized

Hat tip to Malekal

Deja vu – guess what domains are involved in the jeuxvideo.com incident – adclickmate.net and smartadserver.net.

IMPORTANT NOTE: PLEASE DO NOT CONFUSE THE MALICIOUS DOMAIN SMARTADSERVER.NET WITH THE LEGITIMATE SMARTADSERVER.COM.


Adopstools results – positive:
http://www.adopstools.com/index.asp?page=quicklink&id=GOS8G5jCpshG1DtK

 

Malicious code is hidden within the SWF creative as dynamic text.

We saw an incident involving adclickmate.net back in January, described here. Kimberley also posted a warning about smartadserver.net on 30 January.  How unsurprising it is to see that Directi has done nothing to shut down adclickmate.  The WHOIS and IP information for adclickmate.net remain unchanged (except for the fact that the IP address 212.95.37.133 is now listed as Turkey, Netdirect-lnwservers).

adclickmate.net

Registrar: DIRECTI (yet again)
Created 24 March 2008
NS1.ADCLICKMATE.NET
NS2.ADCLICKMATE.NET

IP: 212.95.37.133 – Turkey, Netdirekt
WHOIS hidden behind privacy protect (note the nonsense

Domain originally registered via ESTDOMAINS – WHOIS protection temporarily removed around late August 2008, which revealed:

Domain Corp.
Jacob Tua (jackyouthere@gmail.com)
Maltiskam 12-67
Belgrade
Belgrade, 11008
RS
Tel: +381.113114094

Later changing to:

Domain Names copr.
markhaagland@gmail.com
Tallin
Harjumaa, 13514
EE
Tel. +37.26201114

WHOIS was again hidden behind PrivacyProtect on or about 9 January 2009.

 

smartadserver.net

Registrar: INTERNET/BS CORP
Created 18 November 2008
NS1.SMARTADSERVER.NET
NS2.SMARTADSERVER.NET

IP: 85.17.177.176 – Netherlands, Blue-ace-inc

WHOIS hidden behind the privacy protection service "privatewhois.net".  Note the nonsense telephone number +1.23456789

It is interesting to note that the web page at smartadserver.net used to display the text “adserver.adtechie.net” (adtechie.net is a DIRECTI registered domain, now suspended).  That text has since been changed to “smartadserver.net”.

 


The domain adtechie.net is interesting in and of itself; it was involved in the malvertizing incident that hit Fox News back in November 2008.  You can see my report here.  Its IP address has changed from “212.95.37.206” to “212.95.37.133” and it now shares an IP address with the domain mojocounter.biz.

mojocounter.biz

Registrar: DIRECTI
Created 16 January 2009
NS1.MOJOCOUNTER.BIZ
NS2.MOJOCOUNTER.BIZ

IP: 212.95.37.133 – Turkey, Netdirect-lnwservers

Registrant:
Andelka Kucinic (andelkakucinic@rocketmail.com)
Gosposka ulica 101
Nova Gorica
Pomurska
S15000
Slovenia
+386.031939326
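
The warning above about confusing smartadserver.net with the legitimate smartadserver.com matters when the domains in this post are turned into proxy or ad-tag filters. The following is an added example, not part of the original post: it matches hostnames on label boundaries so that a naive substring rule does not flag the legitimate .com. The sample URLs are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Domains this post ties to malvertising incidents.
FLAGGED = {"adclickmate.net", "smartadserver.net", "adtechie.net"}
# Legitimate domain the post says must not be confused with the .net one.
LEGITIMATE = {"smartadserver.com"}

# Constructed sample request URLs (not taken from the incident itself).
SAMPLE_REQUESTS = [
    "http://www.smartadserver.com/call/example",   # legitimate ad server
    "http://ads.smartadserver.net/banner.swf",     # subdomain of flagged domain
    "http://ADCLICKMATE.NET:80/track?id=1",        # upper case, explicit port
    "http://adserver.adtechie.net./x.js",          # trailing-dot FQDN
    "http://smartadserver.net.example.org/",       # flagged name used as a prefix
    "http://notadclickmate.net/",                  # shares a suffix, other domain
]

def host_of(url):
    """Lower-cased hostname of a URL or bare host, without port or trailing dot."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def in_domain(host, domain):
    """True only for the domain itself or a subdomain, on a label boundary."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return (verdict, matched_domain) for one request URL."""
    host = host_of(url)
    for domain in FLAGGED:
        if in_domain(host, domain):
            return "flagged", domain
    for domain in LEGITIMATE:
        if in_domain(host, domain):
            return "legitimate", domain
    return "unknown", None

def naive_substring_hit(url):
    """The over-broad rule to avoid: it also hits smartadserver.com."""
    return "smartadserver" in url.lower()

def scan(urls):
    """Return (url, matched_domain) for every flagged request."""
    return [(u, d) for u in urls for verdict, d in [classify(u)] if verdict == "flagged"]

if __name__ == "__main__":
    for url, domain in scan(SAMPLE_REQUESTS):
        print(f"FLAGGED {domain:20} {url}")
```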

