Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Confirmed – the FarmTown application on Facebook is displaying malicious advertising

April 12th 2010 in Uncategorized


IMPORTANT NOTE: THE APPLICATION AFFECTED IS FARM TOWN, NOT FARMVILLE.  THE ORIGINAL ARTICLE HAD ‘FARMVILLE’ IN THE TITLE – THAT WAS QUICKLY AMENDED BUT SOME RSS FEEDS MAY HAVE PICKED UP THE ORIGINAL TITLE.

Google Chrome's protections stopped the bad advert from working by rejecting the content served from justimpression.com – Internet Explorer's various protections did NOT. Are you listening, Microsoft?


Here is the advertisement in question:

[screenshots of the advertisement]


So, we bounce from social.bidsystem.com to icons.cubics.com and ads.cubics.com.

From there we get to justimpression.com, then to the bare IP 64.120.176.42 (the same host justimpression.com resolves to, see below).

We also hit avatar-secrets.com, and finally we land on 2web-antivirus.com, which is your run-of-the-mill fake antivirus software.

Having put together the data below, I have to ask why registrars don't cross-check the registration data coming in. In this case "Roy S Robert", "Megan M Jasey", "Paul J Raul" and "Lloyd G William" all use the same email address (test@now.net.cn) AND the same registrar (TODAYNIC.COM), and five of their six domains were created on the same day (30 March 2010). It simply isn't good enough.

justimpression.com
ICANN Registrar: DIRECTI
Created 17 December 2009

IP: 64.120.176.42 – Pennsylvania – Scranton – Network Operations Center Inc, Burstnet Technologies Inc (64-120-176-42.hostnoc.net)

Shares IP with impressionclub.com

Registrant: Armand Gregori (armandgregory3@gmail.com)

*****

impressionclub.com
ICANN Registrar: DIRECTI
Created 4 January 2010

Registrant hidden behind PrivacyProtect.org

*****

64.120.176.42 – see above

*****

avatar-secrets.com
ICANN Registrar: TODAYNIC.COM, INC
Created 30 March 2010

IP: 193.105.134.113 – Sweden – Christian Maurice Sebastiaan Hein

Shares IP with cnn-videos1.com, facebookamazing.com, googl-videos.com, yahoo-videos1.com

Registrant:
Roy S Robert (test@now.net.cn)

*****

2web-antivirus.com
ICANN Registrar: TODAYNIC.COM
Created 10 April 2010

IP: 93.174.95.154 – Noord-holland – Hoofddorp – Co-location Customers Pa Block Ienetworks

Shares IP with lots of fake antivirus URLs, including:

100-your-scanner.com, 11-best-scanner.com, 110-your-scanner.com, 111-your-scanner.com, 211-your-scanner.com, 22-best-scanner.com, 221-your-scanner.com, 222-your-scanner.com, 2try-best-scanner.com, 3try-best-scanner.com, 44-best-scanner.com, 50virus-scanner.com, 55-best-scanner.com, 5try-best-scanner.com, 700virus-scanner.com, 7try-best-scanner.com, 9try-best-scanner.com, antivirus-test66.com, antivirus200scanner.com, antivirus600scanner.com, antivirus800scanner.com, antivirus900scanner.com, av-scanner200.com, av-scanner300.com, av-scanner400.com, av-scanner500.com, defend-computer82.com, novirus-scan00.com, stop-all-virus1.com, stop-all-virus3.com, stopvirus-scan11.com, stopvirus-scan13.com, stopvirus-scan16.com, try2-your-scanner.com, try4-your-scanner.com, try6-your-scanner.com, try8-your-scanner.com, virus77scanner.com

Registrant: Megan M Jasey (test@now.net.cn)

*****

cnn-videos1.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)

*****


facebookamazing.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Lloyd G William (test@now.net.cn)

*****

googl-videos.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)

*****

yahoo-videos1.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)
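The WHOIS notes above are exactly the kind of data an investigator pivots on: a shared registrant e-mail, a shared hosting IP or a shared registrar links domains that otherwise look unrelated. The script below is an added example, not code from this post: it parses the notes in the post's own layout (a domain line, "ICANN Registrar:", "IP:", "Registrant:" and "*****" separators), clusters the domains on each field, and flags the inconsistency raised above, one e-mail address registered under several different names. The input is transcribed from the lookups above; the IPs for the four domains that "share IP with" avatar-secrets.com are filled in from that note, and creation dates and the "Shares IP with" lines are left out.

```python
import re
from collections import defaultdict

# Constructed input (added example, not the post's own code): the post's WHOIS
# notes in their own layout. IPs for the domains that "share IP with"
# avatar-secrets.com are filled in from that note; creation dates are dropped.
WHOIS_TEXT = """
justimpression.com
ICANN Registrar: DIRECTI
IP: 64.120.176.42
Registrant: Armand Gregori (armandgregory3@gmail.com)
*****
impressionclub.com
ICANN REGISTRAR: DIRECTI
IP: 64.120.176.42
Registrant hidden behind PrivacyProtect.org
*****
avatar-secrets.com
ICANN Registrar: TODAYNIC.COM, INC
IP: 193.105.134.113
Registrant: Roy S Robert (test@now.net.cn)
*****
2web-antivirus.com
ICANN Registrar: TODAYNIC.COM
IP: 93.174.95.154
Registrant: Megan M Jasey (test@now.net.cn)
*****
cnn-videos1.com
ICANN Registrar: TODAYNIC.COM
IP: 193.105.134.113
Registrant: Paul J Raul (test@now.net.cn)
*****
facebookamazing.com
ICANN Registrar: TODAYNIC.COM
IP: 193.105.134.113
Registrant: Lloyd G William (test@now.net.cn)
*****
googl-videos.com
ICANN Registrar: TODAYNIC.COM
IP: 193.105.134.113
Registrant: Paul J Raul (test@now.net.cn)
*****
yahoo-videos1.com
ICANN Registrar: TODAYNIC.COM
IP: 193.105.134.113
Registrant: Paul J Raul (test@now.net.cn)
"""

REGISTRANT_RE = re.compile(r"^Registrant:\s*(?P<name>.+?)\s*\((?P<email>[^)]+)\)$")

def normalise_registrar(raw):
    # "TODAYNIC.COM, INC" and "TODAYNIC.COM" are one registrar: keep the first token.
    return raw.strip().split(",")[0].split()[0].lower()

def parse_whois(text):
    """Turn the ***** separated blocks into dicts; unrecognised lines are ignored."""
    records = []
    for block in text.split("*****"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = dict(domain=lines[0].lower(), registrar=None, ip=None,
                   name=None, email=None, privacy=False)
        for line in lines[1:]:
            low = line.lower()
            if low.startswith("icann registrar:"):
                rec["registrar"] = normalise_registrar(line.split(":", 1)[1])
            elif low.startswith("ip:"):
                rec["ip"] = line.split(":", 1)[1].strip()
            elif low.startswith("registrant hidden"):
                rec["privacy"] = True  # no registrant to pivot on; IP and registrar still link it
            else:
                m = REGISTRANT_RE.match(line)
                if m:
                    rec["name"], rec["email"] = m["name"], m["email"].lower()
        records.append(rec)
    return records

def pivot(records, key):
    """Group domains sharing one field value; a singleton is not a link, so drop it."""
    groups = defaultdict(list)
    for rec in records:
        if rec[key]:
            groups[rec[key]].append(rec["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def registrant_name_mismatches(records):
    """E-mail addresses registered under several different names: the inconsistency
    the post says a registrar could have cross-checked at registration time."""
    names = defaultdict(set)
    for rec in records:
        if rec["email"]:
            names[rec["email"]].add(rec["name"])
    return {e: sorted(n) for e, n in names.items() if len(n) > 1}

RECORDS = parse_whois(WHOIS_TEXT)

if __name__ == "__main__":
    for key in ("email", "ip", "registrar"):
        for value, domains in pivot(RECORDS, key).items():
            print(f"{key}={value}: {', '.join(domains)}")
    for email, names in registrant_name_mismatches(RECORDS).items():
        print(f"{email} registered under {len(names)} names: {', '.join(names)}")
```

Run on the transcribed notes, the e-mail pivot ties the five TODAYNIC.COM lookalike domains and the fake antivirus domain together, the IP pivot ties justimpression.com to impressionclub.com (even though the latter's registrant is hidden) and the four video/Facebook lookalikes to avatar-secrets.com, and the mismatch check reports test@now.net.cn under four different registrant names. Registrar name strings are normalised before clustering because WHOIS output spells the same registrar inconsistently; hidden registrants contribute nothing to the e-mail pivot, which is why the IP and registrar pivots are worth running alongside it.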


2 comments to...
“Confirmed – the FarmTown application on Facebook is displaying malicious advertising”

steve

Cool, good job writing this up.

How did you get the list of URLs, from browser history, or do you have Wireshark or something that monitors TCP/IP connections?



sandi

Fiddler – you can see a link to the application to the left of the screen.


Seen when a computer was used to access the FarmTown game on Facebook.
