Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Update re digitalspy.co.uk

July 21st 2009 in Uncategorized

My apologies for the delay. For what it's worth, I received an email within 3 hours of my report to the ad network in question, advising me that the malicious creatives had been identified and deactivated.

So, now to the details.  Technically, the incident was very similar to that which I wrote about here, but there were some new domains involved, all of which should be treated with extreme caution.

content.bannersulike.com
r.banner0709.com (Response = 302 Found, moved to "masters-woodworks.com" and "worwink.com")
masters-woodworks.com
worwink.com
xn-18ba.example.com (example.com is a domain reserved for use in documentation and not available for registration (RFC 2606, Section 3))
viorfjoj-1.com

There are screenshots of the advertisements displaying during a hijack, and other events, at the end of this article.
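As an added example (not code from the original post), the following Python check walks captured HTTP sessions of the kind Fiddler displays, follows 302 Location hops, and flags any redirect chain that touches the domains listed above. The session records, URL paths and query strings are constructed for illustration.

```python
from urllib.parse import urlparse

# Domains named in this post; subdomains (e.g. r.banner0709.com) match too.
WATCHLIST = {
    "bannersulike.com", "banner0709.com", "masters-woodworks.com",
    "worwink.com", "viorfjoj-1.com",
}

# Constructed Fiddler-style capture: (request URL, raw response headers).
# Paths and query strings are assumed, not taken from the real incident.
SESSIONS = [
    ("http://www.digitalspy.co.uk/", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("http://content.bannersulike.com/ad.js", "HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n"),
    ("http://r.banner0709.com/click?id=1", "HTTP/1.1 302 Found\r\nLocation: http://masters-woodworks.com/in.php\r\n"),
    ("http://r.banner0709.com/click?id=2", "HTTP/1.1 302 Found\r\nLocation: http://worwink.com/x/\r\n"),
    ("http://masters-woodworks.com/in.php", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("http://worwink.com/x/", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
]

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def on_watchlist(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def parse_headers(raw):
    """Return (status code, {lower-cased header: value}) from a raw response head."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_chains(sessions):
    """Follow 3xx Location hops through the capture; one chain of hosts per entry point."""
    by_url = {url: parse_headers(raw) for url, raw in sessions}
    targets = {hdrs.get("location") for _, hdrs in by_url.values()}
    chains = []
    for url, (status, headers) in by_url.items():
        if url in targets or not (300 <= status < 400 and "location" in headers):
            continue  # not a redirect, or already part of another chain
        chain, nxt, seen = [host_of(url)], headers["location"], {url}
        while nxt and nxt not in seen:  # 'seen' stops redirect loops
            seen.add(nxt)
            chain.append(host_of(nxt))
            st, hd = by_url.get(nxt, (0, {}))
            nxt = hd.get("location") if 300 <= st < 400 else None
        chains.append(chain)
    return chains

def flag_sessions(sessions):
    """Return (chain, hosts on the watchlist) for every chain that touches a listed domain."""
    return [(c, [h for h in c if on_watchlist(h)])
            for c in redirect_chains(sessions) if any(on_watchlist(h) for h in c)]
```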

masters-woodworks.com
ICANN Registrar: DIRECTI
Created 8 June 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 – Namibia – Grinvich3 – Vladimir Gubarenko

Shares IP with awiron-work.com, freshy-girls.com, masterwood-works.net, sleazy-dreams.net

Registrant:
Dmitry Ostupin (conroetxwelc@gmail.com)
ul. Malaya Semenovskaya, d.5, kv. 28
g. Moskva, 107023
RU
Tel: +7 495 224 0537

*****

viorfjoj-1.com
ICANN Registrar: DIRECTI
Created: 8 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 221.5.74.34 – Guangdong, Guangzhou, China Unicom Guangdong Province Network

Shares IP with 24-stunden-voegeln.com, Leevitra-viaagra.com, Original-vjiagra.com, Originalpillen.com, P0tenz-pillen.com, P0tenzpillen-bestellung.com, P0tenzpillen.com, Pillensh0p.com, Potent-hart-guenstig.com, Potenz-pillen-dienst.com, Potenzpillen-24.com, Potenzpillen-einkaufen.com, Potenzpillen-service.com, Potenzpusher-bestellen.com, Sichere-viagra-bestellung.com, Viaagra-bestellung.com, Viaagra-kaufen.com, Viagra-ohne-zoll.com, Viorfjoj-1.com, Viorfjoj-2.com, Viorfjoj-3.com, Vjiagra-einkaufen.com, Vjiagra-ohne-zoll.com, Vsalso-dkgj1.com, Vsalso-dkgj2.com, Vsalso-dkgj3.com

Registrant:
Dmitry Ostupin (conroetxwelc@gmail.com)
ul. Malaya Semenovskaya, d.5, kv. 28
g. Moskva, 107023
RU
Tel: +7 495 224 0537

*****

worwink.com
ICANN Registrar: KEY-SYSTEMS GMBH
Created: 15 July 2009
NS1.WORWINK.COM
NS2.WORWINK.COM

IP: 212.95.37.186 – Netdirekt E.k

Registrant:
Mark Vinson (mvinson98@count.com)
8 Panorama Cir
Kunkletown PA US
Phone: 6106817173

*****

r.banner0709.com
ICANN Registrar: GODADDY.COM, INC
Created: 29 June 2009
NS37.DOMAINCONTROL.COM
NS38.DOMAINCONTROL.COM

IP: 68.178.232.100 – Arizona, Scottsdale, Godaddy.com Inc

Registrant:
Bryan Hunter (bryan@modenainc.com)
921 SW Washington Street
Suite 228
Portland, Oregon, 97205

*****

content.bannersulike.com
ICANN Registrar: GODADDY.COM, INC
Created: 13 July 2009
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

IP: 68.178.232.100 – Arizona, Scottsdale – Godaddy.com Inc

Registrant:
Modena Inc
921 SW Washington St
Suite 228
Portland, Oregon 97205

*****

modenainc.com (because of its association with bannersulike.com and banner0709.com)
ICANN Registrar: GODADDY.COM, INC.
Created: 21 February 2001
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

IP: 38.100.208.45 – Oregon, Portland, Psinet Inc

Shares IP with 117 other sites

Registrant:
Incorporated, Modena (domains@modenainc.com)
921 SW Washington St
Suite 228
Portland, Oregon, 97205
Tel: 5032411091

[Screenshots of the advertisements displaying during the hijack, and of the captured requests and responses]

Malware downloaded – analysis results:
http://www.virustotal.com/analisis/3c9b52614c508cd168c3bd1d96dff6b3a6374a63d2334c754a31463bad791a5a-1248226154 

Another incident…

[Screenshots of the second incident]


2 comments to...
“Update re digitalspy.co.uk”

Mark

What tool are you using above to display the headers and data?

Thanks,
mkealiher@gmail.com



sandi

@Mark,

Fiddler. There is an advert for the free application to the left of the screen.

