Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Malvertizing activity

December 6th 2011 in Uncategorized

There has been a lot going on in the malvertizing world lately, with a spike in the number of reports of malvertizing incidents that are occurring because the ad server in question is running an old, exploitable version of OpenX – people, we need to be running version 2.8.8.

The bad guys have been able to insert malicious iframes alongside legitimate advertising, sometimes together with obfuscated JavaScript that triggers requests to domain names within the *.dyndns.org namespace.

A couple of domains implicated in malvertizing incidents are reonmedia.com and malidie.com.

reonmedia.com (registered 19 June 2011 – reonmedia.com cookie spotted in a conversation about an infected computer here)
IP address at time of writing 176.65.162.61 – Zexotek It-services, Gmbh
Registrar: DIRECTI
Registrant: LEGAZ Inc, Anthony White (anthonywhite@gmail.com)
Sharing IP with adtiara.net

adtiara.net (registered 15 July 2011)
Registrar: DIRECTI
Registrant hidden by privacyprotect.org

malidie.com (registered 21 July 2011)
IP address at time of writing 188.72.204.48 – Hessen, Frankfurt, Netdirect
Registrar: BIZCN.COM, INC
Registrant hidden behind privacy-protect.cn
Sharing IP with inviasat.ru and gennetron.com

gennetron.com (registered 21 July 2011)
Registrar: DIRECTI
Registrant hidden behind privacy-protect.cn

inviasat.ru (registered 1 June 2011)
Registrar: REGRU-REG-RIPN
Registrant: “Private Person”


Also mentioned in recent times – trekmedia.net – including here:
http://stopmalvertising.com/tag/trekmedia.net.html

trekmedia.net (registered 14 February 2011)
IP address at time of writing 173.236.89.200
Registrar: ENOM, INC
Registrant hidden behind WhoisGuard

Also adveritising.com (note the extra letter i)

adveritising.com (registered 17 July 2011)
IP address at time of writing 50.17.195.149
Registrar: DYNADOT, LLC
Registrant hidden behind Dynadot Privacy
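The injection pattern described above (an extra iframe or script slipped in next to a legitimate creative, calling out to a *.dyndns.org host) is something an ad-ops or security team can check for before a creative goes live. The following is an added example, not code from this post: a small Python scanner that walks ad markup, extracts the source host of every iframe, script, img, embed and object element, and flags anything that matches the domains listed in this post, anything under the dyndns.org namespace, or an iframe that is hidden or sized down to a pixel (the hidden-iframe heuristic is an addition beyond what the post states, included because it is the usual shape of an injected frame). The sample creative and the blocklist membership are constructed for the example; the domain names in the blocklist are the ones named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the post above, used here as a blocklist (constructed for this example).
BLOCKLIST = {
    "reonmedia.com", "adtiara.net", "malidie.com", "gennetron.com",
    "inviasat.ru", "trekmedia.net", "adveritising.com",
}
# Namespace the post says the injected scripts call out to.
SUSPECT_SUFFIXES = (".dyndns.org",)

# Constructed sample creative: a normal banner plus two injected elements.
SAMPLE_CREATIVE = """
<div class="ad">
  <a href="http://ads.example-network.com/click?id=42">
    <img src="http://cdn.example-network.com/banner.jpg" width="300" height="250">
  </a>
  <iframe src="http://x7k.dyndns.org/in.php" width="1" height="1" style="display:none"></iframe>
  <script src="http://reonmedia.com/r.js"></script>
</div>
"""


def host_of(url):
    """Return the lowercase hostname of an absolute or protocol-relative URL, else None."""
    if not url:
        return None
    return urlparse(url.strip()).hostname


def is_suspect(host):
    """True if the host is a blocklisted domain (or a subdomain of one) or sits under a suspect suffix."""
    if not host:
        return False
    if host in BLOCKLIST or any(host.endswith("." + d) for d in BLOCKLIST):
        return True
    return any(host.endswith(s) for s in SUSPECT_SUFFIXES)


def is_hidden(attrs):
    """Heuristic: display:none / visibility:hidden, or a 0x0 / 1x1 frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = all((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    return "display:none" in style or "visibility:hidden" in style or tiny


class AdScanner(HTMLParser):
    """Collects one finding per element that loads a remote resource from a suspect host."""

    WATCHED = ("iframe", "script", "img", "embed", "object")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.WATCHED:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data")  # <object> uses data=, the rest use src=
        host = host_of(src)
        reasons = []
        if host and (host in BLOCKLIST or any(host.endswith("." + d) for d in BLOCKLIST)):
            reasons.append("blocklisted domain")
        elif host and any(host.endswith(s) for s in SUSPECT_SUFFIXES):
            reasons.append("dyndns.org namespace")
        if tag == "iframe" and is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "host": host, "src": src, "reasons": reasons})


def scan(markup):
    """Parse ad markup and return the list of findings (empty list means nothing matched)."""
    scanner = AdScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CREATIVE):
        print(f"{f['tag']:<7} {f['host']:<28} {', '.join(f['reasons'])}")
```

Run against the sample creative, the banner image from cdn.example-network.com passes, the 1x1 hidden iframe to x7k.dyndns.org is flagged twice over (namespace and hiding), and the script from reonmedia.com is flagged by the blocklist. Relative URLs yield no host and are skipped, so the scanner only catches third-party loads; swap BLOCKLIST for whatever feed your ad platform maintains.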


One comment on “Malvertizing activity”

Conrad Longmore

188.72.204.48 is suballocated to a Serbian host called inferno.name; it’s all black hat as far as I can see, but spread over lots of different IP blocks.

I did a write-up a few months ago – http://blog.dynamoo.com/2011/08/something-evil-on-95168177144.html – it’s all worth blocking IMO.
