Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Please treat advertising content from checkm8.com with extreme caution

April 14th 2009 in Uncategorized

Reported to checkm8.com over 9 hours ago.

Checkm8.com is serving several malicious advertisements that hijack web site visitors and redirect them to various fraudware web sites as follows.

logiagroup.checkm8.com/data/478089/HP_728x90.swf
logiagroup.checkm8.com/data/478091/HP_468x60.swf
logiagroup.checkm8.com/data/479231/HP_300x250.swf
logiagroup.checkm8.com/data/479237/HP_728x90.swf

SWF analysis via Adopstools:

adopstools.com/index.asp?section=quicklink&id=950rk4Ik9bh3WaWF
adopstools.com/index.asp?section=quicklink&id=I7c2TVDD2X6zf9I7
adopstools.com/index.asp?section=quicklink&id=1bB5k3GOLOvb5iSN
adopstools.com/index.asp?section=quicklink&id=aD6g49HnzyF8anGV

Further information:

logiagroup.checkm8.com/data/478089/HP_728x90.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/478091/HP_468x60.swf touches the following URLs:

hit-detect.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/479231/HP_300x250.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

logiagroup.checkm8.com/data/479237/HP_728x90.swf touches the following URLs:

hitoptimist.com/c/index.php?id=<<redacted>>
measurehits.com/?cmpid=<<redacted>>

Domain details:

hitoptimist.com:
ICANN Registrar – COMMUNIGAL COMMUNICATIONS LTD
Created 10 March 2009
DNS1.COMMUNIGAL.NET
DNS2.COMMUNIGAL.NET

IP: 88.198.8.15 – Bayern – Gunzenhausen – Hetzner-rz-nbg-net

Sharing IP address with cosmotraf.net, hit-detect.com, statisticsishere.com and ydmstats.com (all domains should be treated with extreme caution)

Registrant details hidden behind WHOIS privacy service

hit-detect.com:
ICANN REGISTRAR – YESNIC CO. LTD
Created 10 March 2009
NS1.HIT-DETECT.COM (116.50.15.1 – previously HostFresh AS23898, now AS10026 – ANC Asia Netcom Corporation)
NS2.HIT-DETECT.COM (116.50.15.1 – previously HostFresh AS23898, now AS10026 – ANC Asia Netcom Corporation)
NS3.HIT-DETECT.COM (89.149.226.121 – Netdirekt)
NS4.HIT-DETECT.COM (212.117.162.90 – AS root eSolutions)

IP: 88.198.8.15 – Bayern – Gunzenhausen – Hetzner-rz-nbg-net (see above)
Previously at 195.62.37.14 – Sardegna – Olbia – Geonic.net Ltd

Registrant: Gabriel Jenks (gabrielcjenks17@mail.com) – email address associated with 3 other domains.
3515 Cooks Mine Road, NM 88101
1-505-763-5453

IMPORTANT: Let’s not forget that the postcode (88101) and phone number (505-763-5453) map to Clovis, New Mexico.  I cannot find a "Cooks Mine Road" in Clovis.  Not only that, the phone number listed in the WHOIS is apparently owned by a Brian A Jones and Delinda K Jones, not a Gabriel Jenks.

Historical information re hit-detect.com:
http://msmvps.com/blogs/spywaresucks/archive/2009/03/13/1677837.aspx

measurehits.com:

Already mentioned on this blog here:
http://msmvps.com/blogs/spywaresucks/archive/2009/03/09/1676761.aspx

Now sharing IP with the following domains:

enterprisestat.net, givemystats.com, pleaselinkmeto.com, statsnclick.com, waytotheprofit.com, welovesandi.com
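As an added example (not part of the original post, and not the blog author's own tooling), the script below turns the infrastructure data above into something a defender can act on: it clusters the named domains by the hosting IP the post reports, builds a blocklist from those domains plus the ad-serving host, and matches constructed proxy log lines against it, catching subdomains of a listed domain as well. The post does not state the IP address shared by the measurehits.com group, so that cluster is keyed with an obvious placeholder; the log lines and their query values are constructed samples, not captured traffic.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains named in the post, keyed by the hosting IP the post reports for them.
# The post lists measurehits.com and the domains it shares an IP with but does
# not give that address, so those entries carry a labelled placeholder key.
REPORTED_HOSTING = {
    "hitoptimist.com": "88.198.8.15",
    "hit-detect.com": "88.198.8.15",
    "cosmotraf.net": "88.198.8.15",
    "statisticsishere.com": "88.198.8.15",
    "ydmstats.com": "88.198.8.15",
    "measurehits.com": "IP-NOT-STATED-IN-POST",
    "enterprisestat.net": "IP-NOT-STATED-IN-POST",
    "givemystats.com": "IP-NOT-STATED-IN-POST",
    "pleaselinkmeto.com": "IP-NOT-STATED-IN-POST",
    "statsnclick.com": "IP-NOT-STATED-IN-POST",
    "waytotheprofit.com": "IP-NOT-STATED-IN-POST",
    "welovesandi.com": "IP-NOT-STATED-IN-POST",
}

# Host that served the malicious SWF files according to the post.
AD_HOSTS = {"logiagroup.checkm8.com"}


def cluster_by_ip(hosting):
    """Group domains by shared hosting IP (the pivot the post uses by hand)."""
    clusters = defaultdict(set)
    for domain, ip in hosting.items():
        clusters[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in clusters.items()}


def build_blocklist(hosting, extra_hosts):
    """Blocklist = every domain in a reported cluster plus the ad-serving hosts."""
    return frozenset(hosting) | frozenset(extra_hosts)


def host_of(url):
    """Extract a normalised hostname from a URL (scheme-less URLs accepted)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    return host.lower().rstrip(".") if host else ""


def matches_blocklist(host, blocklist):
    """Return the blocklist entry matching host or one of its parent domains.

    Never tests the bare TLD, so 'www.example.com' only checks
    'www.example.com' and 'example.com'.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_proxy_log(lines, blocklist):
    """Yield (timestamp, client, host, matched_entry) for each blocklisted request.

    Expected line layout (constructed for this example): timestamp client method url status.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the scan
        timestamp, client, _method, url = parts[:4]
        host = host_of(url)
        entry = matches_blocklist(host, blocklist)
        if entry:
            hits.append((timestamp, client, host, entry))
    return hits


# Constructed sample proxy log (not real traffic); query values are placeholders.
SAMPLE_LOG = [
    "2009-04-14T10:01:02Z 10.0.0.5 GET http://logiagroup.checkm8.com/data/478089/HP_728x90.swf 200",
    "2009-04-14T10:01:03Z 10.0.0.5 GET http://hitoptimist.com/c/index.php?id=PLACEHOLDER 302",
    "2009-04-14T10:01:03Z 10.0.0.5 GET http://measurehits.com/?cmpid=PLACEHOLDER 200",
    "2009-04-14T10:01:04Z 10.0.0.7 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    blocklist = build_blocklist(REPORTED_HOSTING, AD_HOSTS)
    for ip, domains in cluster_by_ip(REPORTED_HOSTING).items():
        print(ip, "->", ", ".join(domains))
    for hit in scan_proxy_log(SAMPLE_LOG, blocklist):
        print("BLOCKLISTED", *hit)
```

The IP clustering is the same pivot the post performs manually (one registrant infrastructure, many throwaway domains); keying the blocklist on the whole cluster rather than only the domains seen in a given SWF means a redirect to a sibling domain such as cosmotraf.net is still flagged even though none of the four banners touched it.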


One comment to...
“ALERT: Please treat advertising content from checkm8.com with extreme caution”

Rhett

Please add reviews to their SiteAdvisor page at:
http://www.siteadvisor.com/sites/checkm8.com

