Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Interesting comment – Best Western malvertizing

February 26th 2009 in Uncategorized

The comment was posted here.  I quote:

My company was approached by a client claiming to represent Best Western with a lower tech version of this.  We were given a static JPG, third one from the top, and instructions to paste some odd-looking Javascript with the image.

I ran the code in AdOps tools and it did nothing.  Getting suspicious, I checked the src URL for the Javascript, which was "http:// st-aticglobalsources.com", and found a lot of trouble associated with it.

We refused to run the ad with the code. Client claimed ignorance, saying the code came from their client and that they would provide new tags.  New tags arrived, similar to the first but sourcing the J-script from "http:// st-ation-appraisals.net" this time.  Running this code through AdOps tools at least generates a Best Western banner, but I ran the URL through search engines, found it associated with ITmeter INC, and did not run the ad.

As my regular readers will know, both of the URLs are well known to those of us who study malvertizing.  I hope that the commentator will tell us the name and email addresses used by the person who tried to sell them the malicious advertisement.

st-aticglobalsources.com (79.135.187.86 – Istanbul – Istanbul – Serv2u.com International Backbone Tr)

Registrant Contact:
   ITmeter INC
   Sergey Belonozhko (sergbelo@gmail.com)
   Fax: 
   Dmitrienko 7
   Odessa, State 65000
   UA

st-ation-appraisals.net (79.135.187.89 – Istanbul – Istanbul – Serv2u.com International Backbone Tr)

Registrant Contact:
   ITmeter INC
   Sergey Belonozhko (sergbelo@gmail.com)
   Fax: 
   Dmitrienko 7
   Odessa, State 65000
   UA

It is important to note that although both bad domains have “dedicated hosting” and unique IP addresses, they are both hosted by the same company, and are within the same IP range.  A check of the entire IP range, 79.135.187.% reveals 266 domains, all of which should be treated with extreme caution.
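The commenter's check (look at where a tag sources its JavaScript) combined with the shared-range observation above, as an added example that is not code from the original post or the commenter. The two st-* hosts and their IPs are the ones listed in the post; the sample tag, its paths, the `.example` hosts and 192.0.2.10 are constructed, and a fixed lookup table stands in for DNS so the check runs offline.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The range named in the post (79.135.187.%), written as a CIDR block.
WATCHED_NET = ipaddress.ip_network("79.135.187.0/24")

# Host-to-IP table: first two pairs are from the post, the third is constructed.
# A live check would resolve DNS here instead.
SAMPLE_LOOKUP = {
    "st-aticglobalsources.com": "79.135.187.86",
    "st-ation-appraisals.net": "79.135.187.89",
    "cdn.adserver.example": "192.0.2.10",
}

# Constructed ad tag: a static image plus script includes.
SAMPLE_TAG = """
<a href="http://advertiser.example/offer"><img src="banner.jpg"></a>
<script type="text/javascript" src="http://ST-ation-appraisals.net/tag.js"></script>
<script src="//cdn.adserver.example/render.js"></script>
<script src="http://static.publisher.example/lib.js"></script>
"""

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def script_hosts(tag_html):
    """Distinct hosts the tag loads scripts from, in order of appearance."""
    collector = ScriptSrcCollector()
    collector.feed(tag_html)
    collector.close()
    hosts = []
    for src in collector.sources:
        host = urlsplit("".join(src.split())).hostname  # drop stray whitespace
        if host and host not in hosts:  # a relative src has no host
            hosts.append(host)
    return hosts

def review_ad_tag(tag_html, lookup):
    """Map each script host to 'hold', 'no match' or 'unresolved'."""
    verdicts = {}
    for host in script_hosts(tag_html):
        ip = lookup.get(host)
        in_range = ip is not None and ipaddress.ip_address(ip) in WATCHED_NET
        verdicts[host] = "unresolved" if ip is None else ("hold" if in_range else "no match")
    return verdicts
```

A "hold" verdict means the creative goes to manual review before trafficking; "unresolved" hosts need a lookup before any decision.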


