Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

More information about the malvertizements that appeared on guardian.co.uk and electronicsnews.com.au

April 27th 2009 in Uncategorized

The two malvertizements I highlighted are:

m1.au.2mdn.net/1949664/hp_300x250.swf
m1.emea.2mdn.net/989589/hp_728x90.swf

The 300×250 malvert touches hit-detect.com and measurehits.com.
The 728×90 malvert touches ydmstats.com and measurehits.com.


Redirects:

We go from measurehits.com to crustat.com.

From there we go to one of several different domains:

olinredr2.com/<<redacted>>
truconv.com/<<redacted>>
free-webscaners.com/<<redacted>> <— fraudware domain


If a victim is redirected to olinredr2.com then they end up at pyani.com, then offer-provider.com. offer-provider.com is a fraudware domain touting fake security software under various names such as "SpywareRemover", "VirusRemover2009" and "AntiSpywareSolution 2009".

If a victim is redirected to truconv.com then they end up at total-virusprotection.com, another fraudware domain.
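The chain above is several hops deep and branches at crustat.com, so a blocklist that only carries the final fraudware hosts misses the shared upstream hop. The following script is an added example, not code from the original post: it models the hops described above as a directed graph (constructed from the post's own hostnames), enumerates every redirect chain from each ad, flags the chains that terminate at one of the fraudware domains named on the page, and reports how many hops away each landing page is so a defender can pick the earliest hop worth blocking. Function names are my own, and the graph goes slightly beyond the text by also handling a redirect loop, which the post does not mention.

```python
"""Trace multi-hop malvertisement redirect chains and flag the ones that
terminate at a known fraudware domain.

Added example (not from the original post). The redirect graph is
constructed from the hops described in the post; the flagged-domain set
is likewise taken from the post. Function names are my own."""
from collections import deque

# Constructed from the post: each key redirects to (or "touches") the listed hosts.
REDIRECTS = {
    "hp_300x250.swf": ["hit-detect.com", "measurehits.com"],
    "hp_728x90.swf": ["ydmstats.com", "measurehits.com"],
    "measurehits.com": ["crustat.com"],
    "crustat.com": ["olinredr2.com", "truconv.com", "free-webscaners.com"],
    "olinredr2.com": ["pyani.com"],
    "pyani.com": ["offer-provider.com"],
    "truconv.com": ["total-virusprotection.com"],
}

# Domains the post identifies as fraudware landing pages.
FRAUDWARE = {"free-webscaners.com", "offer-provider.com", "total-virusprotection.com"}


def enumerate_chains(graph, start, max_hops=10):
    """Return every redirect chain from `start` to a terminal host (one with
    no further redirects) as a list of hostnames. A host that reappears in
    its own chain is treated as a loop and the chain is closed there;
    `max_hops` bounds the walk as a second safeguard."""
    chains = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        nxt = graph.get(path[-1], [])
        if not nxt or len(path) > max_hops:
            chains.append(path)
            continue
        for host in nxt:
            if host in path:          # redirect loop: record it and stop extending
                chains.append(path + [host])
            else:
                queue.append(path + [host])
    return chains


def fraudware_chains(graph, start, blocklist):
    """Return only the chains whose terminal host is on `blocklist`."""
    return [c for c in enumerate_chains(graph, start) if c[-1] in blocklist]


def hops_before_landing(graph, start, blocklist):
    """Map each blocklisted landing host to the fewest redirect hops from
    `start`, which shows how far upstream a block would have to sit."""
    best = {}
    for chain in fraudware_chains(graph, start, blocklist):
        hops = len(chain) - 1
        best[chain[-1]] = min(best.get(chain[-1], hops), hops)
    return best


def shared_upstream_hosts(graph, start, blocklist):
    """Hosts that appear in every fraudware chain from `start` (other than the
    start and landing hosts): blocking any one of them cuts all the chains."""
    chains = fraudware_chains(graph, start, blocklist)
    if not chains:
        return set()
    common = set(chains[0][1:-1])
    for chain in chains[1:]:
        common &= set(chain[1:-1])
    return common


if __name__ == "__main__":
    for ad in ("hp_300x250.swf", "hp_728x90.swf"):
        for chain in fraudware_chains(REDIRECTS, ad, FRAUDWARE):
            print(" -> ".join(chain))
        print(ad, "shared upstream hops:", sorted(shared_upstream_hosts(REDIRECTS, ad, FRAUDWARE)))
```

Run as-is it prints the three fraudware chains behind each ad and shows that measurehits.com and crustat.com sit on every one of them, which is the practical point: a block at either of those hosts stops all three landing pages at once, whereas blocking only the landing domains leaves the ad free to rotate in a new one.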

