Same old same old. The malvertizement hits the domains statcluster.com and enjoyspringtime.com (both domains have been mentioned on this blog several times). The Adopstools results make it obvious that there is something suspicious: http://www.adopstools.net/index.asp?section=quicklink&id=R59g0m36S016WwBW From statcluster.com and enjoyspringtime.com we end up at crustat.com, then on to either free-webscaners.com, truconv.com or olinredr2.com. From olinredr2.com […]
“It all started when I wanted to get more performance out of my video card. I download the latest drivers and included this virus.” Yep, that one simple act turned into an infection nightmare lasting three weeks. I’m hoping Micky will work out exactly where he got the drivers from, and let us know (as […]
There are two malvertizements that I highlighted, being m1.au.2mdn.net/1949664/hp_300x250.swf and m1.emea.2mdn.net/989589/hp_728x90.swf. The 300×250 malvert touches hit-detect.com and measurehits.com. The 728×90 malvert touches ydmstats.com and measurehits.com. Redirects: We go from measurehits.com to crustat.com. From there we go to one of several different domains: olinredr2.com/<<redacted>>, truconv.com/<<redacted>>, free-webscaners.com/<<redacted>> <— fraudware domain. If a victim is redirected to […]
The malvertizement redirects victims to various fraudware/scareware products via several redirects (some of the URLs change at random – victims don’t hit all of the domains listed below). These are the URLs that are hit by the malvertizement – we have seen all of them before: statcluster.com/crossdomain.xml, statcluster.com/c/index.php?id<<redacted>>, crustat.com/ts/in.cgi?<<redacted>>, olinredr2.com/?accs=<<redacted>>, pyani.com/in.cgi?<<redacted>>, offer-provider.com/<<redacted>>, truconv.com/<<redacted>>, justwebsecurity.com/<<redacted>> […]
perezhilton.com is an extremely popular site, and the potential audience for the malvertizers is *huge*. Kimberley and I make a great team. I knew that there was a malvertizement being displayed on perezhilton.com, but I hadn’t been able to get definitive proof – Kimberley got it. Check out the screenshot below – note that the […]
Edited to fix subject line. It is a malvertizement featuring HP (visually identical to the HP malvertizement described in my earlier article): http://msmvps.com/blogs/spywaresucks/archive/2009/02/28/1674634.aspx The malvertizement itself is at this URL: m1.au.2mdn.net/1949664/hp_300x250.swf Adopstools test results here: http://www.adopstools.com/index.asp?section=quicklink&id=ZdWLlE0YcK7rkK5C Yes, it is the same advert that we found on guardian.co.uk: http://msmvps.com/blogs/spywaresucks/archive/2009/04/27/1691363.aspx The malvertizement has been reported to the […]
There are two of them, both featuring HP (the ads have been documented on this blog in the past). Both advertisements are being served via 2mdn.net and have been reported to the appropriate parties. m1.emea.2mdn.net/989589/hp_728x90.swf m1.au.2mdn.net/1949664/hp_300x250.swf
The malvertizements have been reported to blogads.com. z.blogads.com/www/delivery/afr.php?n+a91736e9&zoneid=86&cb=INSERT_RANDOM_NUMBER_HERE z.blogads.com/www/delivery/afr.php?n+aa00ce7a&zoneid=87&cb=INSERT_RANDOM_NUMBER_HERE The adverts hit statcluster.com, enjoyspringtime.com and crustat.com (all known bad domains).
This one is using the same domains as the previous version (it should be noted that, although visually identical, this one had a different hash to the one I looked at yesterday). Victims end up at one of two fraudware sites, scanspywareonline.com or justwebsecurity.com. I have written about justwebsecurity.com already, so let’s take […]
PLEASE TREAT ALL CONTENT FROM PERFECT-BANNER.COM WITH EXTREME CAUTION. Adopstools scan results: http://www.adopstools.net/index.asp?section=quicklink&id=36xxrvvFRC85pkp7 Malvertizement host: perfect-banner.com. Hits the domains statcluster.com and enjoyspringtime.com. From there to crustat.com, pnfzetnax.net (or justwebsecurity.com), then to 78.47.132.220. perfectbanner.com: ICANN Registrar: ENOM, INC.; Created 10 March 2009; NS1.PERFECT-BANNER.COM, NS2.PERFECT-BANNER.COM, NS3.PERFECT-BANNER.COM, NS4.PERFECT-BANNER.COM; IP: 89.149.244.137 – Hessen, Frankfurt Am Main, Netdirekt […]