Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: malvertizement featuring “Blue Nile”

July 13th 2009 in Uncategorized

[image: the “Blue Nile” SWF advertisement]


The SWF advertisement pictured above retrieves content from the domain adburau.net. That content is yet another SWF. At the time of writing, the SWF downloaded from adburau.net was a single-frame SWF containing no images, shapes, fonts, text, sounds, videos, buttons, sprites, or scripts.

The “Blue Nile” SWF contains the easily recognizable encrypted dynamic text:

[image: encrypted dynamic text inside the “Blue Nile” SWF]
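Checking what a downloaded SWF actually contains (frame count, and whether it defines any images, shapes, fonts, text, sounds, video, buttons, sprites or scripts) can be automated. The parser below is an added example written for this post, not a tool from the original article; it reads the SWF header and walks the tag list, handling both FWS and zlib-compressed CWS files, and builds two constructed sample files so that it runs offline: one that looks like the empty single-frame SWF described above, and one carrying a DefineEditText field and a DoAction script. The RECT bytes, tag payloads and dimensions in the samples are made up for the demonstration.

```python
import struct
import zlib

# Tag codes from the SWF file format specification (subset relevant here).
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 2: "DefineShape", 6: "DefineBits", 7: "DefineButton",
    9: "SetBackgroundColor", 10: "DefineFont", 11: "DefineText", 12: "DoAction",
    14: "DefineSound", 20: "DefineBitsLossless", 21: "DefineBitsJPEG2",
    22: "DefineShape2", 26: "PlaceObject2", 32: "DefineShape3", 34: "DefineButton2",
    35: "DefineBitsJPEG3", 37: "DefineEditText", 39: "DefineSprite", 48: "DefineFont2",
    59: "DoInitAction", 60: "DefineVideoStream", 61: "VideoFrame", 69: "FileAttributes",
    75: "DefineFont3", 82: "DoABC", 83: "DefineShape4", 87: "DefineBinaryData",
}

# The content categories the post checks for, mapped to the tags that define them.
CATEGORIES = {
    "images": {6, 20, 21, 35}, "shapes": {2, 22, 32, 83}, "fonts": {10, 48, 75},
    "text": {11, 37}, "sounds": {14}, "video": {60, 61}, "buttons": {7, 34},
    "sprites": {39}, "scripts": {12, 59, 82},
}


class BitReader:
    """Reads SWF bit fields, which are packed MSB-first within each byte."""

    def __init__(self, data, pos=0):
        self.data, self.pos, self.bit = data, pos, 0

    def read_ub(self, n):
        value = 0
        for _ in range(n):
            value = (value << 1) | ((self.data[self.pos] >> (7 - self.bit)) & 1)
            self.bit += 1
            if self.bit == 8:
                self.bit, self.pos = 0, self.pos + 1
        return value

    def read_sb(self, n):
        value = self.read_ub(n)
        return value - (1 << n) if n and value >> (n - 1) else value

    def aligned_pos(self):
        """Byte offset just past the last (partially) consumed byte."""
        return self.pos + (1 if self.bit else 0)


def parse_swf(data):
    """Parse header and tag list of an uncompressed (FWS) or zlib-compressed (CWS) SWF."""
    sig = bytes(data[:3])
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF: bad signature")
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    if len(body) + 8 != declared_len:  # FileLength is the uncompressed size for CWS too
        raise ValueError("FileLength does not match body size")
    br = BitReader(body)
    nbits = br.read_ub(5)
    xmin, xmax, ymin, ymax = [br.read_sb(nbits) for _ in range(4)]
    pos = br.aligned_pos()
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0  # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:  # long-form tag header carries a 32-bit length
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag %d runs past end of file" % code)
        tags.append((code, TAG_NAMES.get(code, "Unknown"), length))
        pos += length
        if code == 0:
            break
    return {
        "compressed": sig == b"CWS", "version": version,
        "width_px": (xmax - xmin) / 20.0, "height_px": (ymax - ymin) / 20.0,  # twips -> px
        "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags,
    }


def summarize(data):
    """The 'what is in it' view from the post: content categories plus an emptiness flag."""
    info = parse_swf(data)
    codes = {code for code, _, _ in info["tags"]}
    info["content"] = sorted(cat for cat, members in CATEGORIES.items() if codes & members)
    info["looks_empty"] = info["frame_count"] == 1 and not info["content"]
    return info


def build_swf(tags, compress=False, version=8):
    """Construct a minimal SWF for testing (sample data, not the malvertisement itself)."""
    # Hand-packed RECT: Nbits=11, Xmin=0, Xmax=1000, Ymin=0, Ymax=500 twips (50x25 px).
    rect = bytes.fromhex("58007d0000fa00")
    body = rect + struct.pack("<HH", 24 << 8, 1)  # 24 fps, 1 frame
    for code, payload in tags:  # short tag headers only (payloads under 63 bytes)
        body += struct.pack("<H", (code << 6) | len(payload)) + payload
    header = (b"CWS" if compress else b"FWS") + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Constructed samples: one matching the post's description of the adburau.net SWF
# (one frame, nothing defined), one carrying an edit-text field and a script (dummy payloads).
EMPTY_SWF = build_swf([(1, b""), (0, b"")])
TEXT_SWF = build_swf([(37, b"\x01\x00" + b"\x00" * 8), (12, b"\x00"), (1, b""), (0, b"")])

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_SWF), ("text", TEXT_SWF)):
        s = summarize(blob)
        print(name, s["frame_count"], "frame(s),", s["content"] or "no content",
              "- looks empty" if s["looks_empty"] else "")
```

Run against a file fetched for analysis, `summarize(open(path, "rb").read())` gives the tag names present and whether the file is an empty placeholder of the kind described above; a placeholder that is later swapped for a SWF with DoAction or DefineEditText tags is exactly the change worth re-checking for.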


Let’s take a close look at adburau.net – we dig up some interesting information.

adburau.net
ICANN Registrar: DIRECTI
Created: 21 September 2008
NS1.ADBURAU.NET
NS2.ADBURAU.NET

IP: 212.95.37.133 – Netdirekt, E.k

Registrant:
Al Jabber
Said Fahtihma (saidfahtih@gmail.com)
A. Kodiri, 65
Tashkent
Kishlak, 100060
UZ
Tel: 998.348.754.198


Hostnames sharing this IP (A records):

212-95-37-133.internetserviceteam.com
adclickmate.net
ns1.adclickmate.net
ns2.adclickmate.net


Historical information about adclickmate.net

A known "bad actor" reported on here:

http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/01/15/1661878.aspx
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=180

adclickmate.net is currently "suspended" by Directi.  The Registrant is noted as:

Mark Haagland (markhaagland@gmail.com)
Harjumaa str. 546-5
Tallin
Harjumaa,13514
EE
Tel: 37.262.01114


Previous Registrant details – adclickmate.net:

Hidden by privacyprotect for a while, but before that was registered to:

Jacob Tua (jackyouthere@gmail.com) (a well known malvertizing associated name/email address)
Maltiskam 12-67
Belgrade
Belgrade,11008
RS
Tel: 381.113114094


I find it concerning that DIRECTI allowed a “bad actor” domain (adburau.net) to replace one that they had suspended (adclickmate.net).  I also find it concerning that adburau.net replaced adclickmate.net so rapidly. See screenshots below.  According to domaintools.com, adclickmate.net was suspended from IP address 212.95.37.133 on or about 19 February 2008.  adburau.net appeared at the same IP address on or about 23 February 2009.
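The pivots used above (domains sharing an IP, a domain that is its own NS1/NS2 on that same IP, and a suspended domain being replaced at the same address within days) can be checked mechanically once the observations are in a structured form. The script below is an added example for this post, not a tool from the original article; it runs over constructed records (the domain names, .example TLD, RFC 5737 addresses, registrar labels and dates are all made up, and the four-day gap is chosen to mirror the pattern described, not taken from domaintools.com) and returns each finding from a named function so it can be dropped into a larger workflow.

```python
from datetime import date

# Constructed observations (not real passive-DNS or WHOIS data); domains use the
# reserved .example TLD and RFC 5737 documentation addresses.
OBSERVATIONS = [
    {"domain": "oldclick.example", "ip": "192.0.2.10", "registrar": "RegistrarA",
     "first_seen": date(2009, 1, 5), "last_seen": date(2009, 2, 19), "status": "suspended",
     "nameservers": ["ns1.oldclick.example", "ns2.oldclick.example"]},
    {"domain": "newburau.example", "ip": "192.0.2.10", "registrar": "RegistrarA",
     "first_seen": date(2009, 2, 23), "last_seen": date(2009, 7, 13), "status": "active",
     "nameservers": ["ns1.newburau.example", "ns2.newburau.example"]},
    {"domain": "shop.example", "ip": "192.0.2.10", "registrar": "RegistrarB",
     "first_seen": date(2008, 6, 1), "last_seen": date(2009, 7, 13), "status": "active",
     "nameservers": ["ns1.hostingco.example", "ns2.hostingco.example"]},
    {"domain": "unrelated.example", "ip": "198.51.100.7", "registrar": "RegistrarB",
     "first_seen": date(2007, 3, 9), "last_seen": date(2009, 7, 13), "status": "active",
     "nameservers": ["ns1.hostingco.example", "ns2.hostingco.example"]},
]

# Constructed A records for the nameserver hostnames above.
NS_A_RECORDS = {
    "ns1.oldclick.example": "192.0.2.10", "ns2.oldclick.example": "192.0.2.10",
    "ns1.newburau.example": "192.0.2.10", "ns2.newburau.example": "192.0.2.10",
    "ns1.hostingco.example": "203.0.113.5", "ns2.hostingco.example": "203.0.113.6",
}


def cohosted(observations, ip):
    """Domains observed at the given IP (the 'hostnames sharing IP' pivot)."""
    return sorted(o["domain"] for o in observations if o["ip"] == ip)


def rapid_replacements(observations, window_days=14):
    """Suspended domains followed at the same IP by a newcomer within window_days.

    Returns (suspended_domain, replacement_domain, gap_in_days) tuples."""
    hits = []
    for old in observations:
        if old["status"] != "suspended":
            continue
        for new in observations:
            if new is old or new["ip"] != old["ip"]:
                continue
            gap = (new["first_seen"] - old["last_seen"]).days
            if 0 <= gap <= window_days:
                hits.append((old["domain"], new["domain"], gap))
    return sorted(hits)


def self_hosted_nameservers(observations, ns_a_records):
    """Domains whose own NS1/NS2 hostnames resolve to the same IP as the domain itself,
    the single-box pattern the WHOIS and A-record data above shows."""
    flagged = []
    for o in observations:
        own_ns = [ns for ns in o["nameservers"] if ns.endswith("." + o["domain"])]
        if own_ns and all(ns_a_records.get(ns) == o["ip"] for ns in own_ns):
            flagged.append(o["domain"])
    return sorted(flagged)


def registrar_reuse(observations):
    """Registrars holding both a suspended domain and its rapid replacement."""
    by_domain = {o["domain"]: o for o in observations}
    return sorted({by_domain[old]["registrar"]
                   for old, new, _ in rapid_replacements(observations)
                   if by_domain[old]["registrar"] == by_domain[new]["registrar"]})


if __name__ == "__main__":
    print("co-hosted on 192.0.2.10:", cohosted(OBSERVATIONS, "192.0.2.10"))
    print("rapid replacements:", rapid_replacements(OBSERVATIONS))
    print("self-hosted NS:", self_hosted_nameservers(OBSERVATIONS, NS_A_RECORDS))
    print("registrars reused:", registrar_reuse(OBSERVATIONS))
```

The replacement check is deliberately one-directional (the newcomer's first sighting must fall after the suspended domain's last sighting), so a long-standing unrelated site on the same shared host, like the shop domain in the sample, is not flagged.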

Call me a cynic, but it seems that the bad guys are finding it too easy to use/abuse Directi.


[image: domaintools.com screenshot]


[image: domaintools.com screenshot]
