I was prompted to install the latest update to Sun Java a short while ago, and the installer still sucks.

  1. The installer still triggers a UAC prompt.
  2. The installer still does NOT remove old versions of Java - old versions that take 136 megabytes per version.
  3. The option to install OpenOffice is still enabled by default, and the English language skills of whoever it was that coded the text on the installer screen need attention.

     I swear, if I see a press release trumpeting an increase in "users" of OpenOffice...
  4. There is still no cancel button, and the openoffice.org graphic sucks ... look how pixelated the text and graphics are.

As always, Kimberley's report makes for fascinating reading:

http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=88026

What is especially interesting is that the advertisement in question that started the whole thing was NOT a SWF - it was a GIF - hosted by 247mediadirect.com.  The end target, a malicious SWF, is hosted at the same IP.

247mediadirect.com is hosted (again) in Malaysia, and a Robtex search reveals many connections between it and known malvertizement domains: a long list of hostnames sharing its IP, and the same domains using its nameservers.


WHOIS:

Registrant: Media Hosting Ltd. 32 Jacka Blvd St Kilda VIC, Melbourne 3182 AU +61-03-9534-52830

Domain Name: 247MEDIADIRECT.COM

Administrative Contact: Pearson, Ross rpearson79@yahoo.com 32 Jacka Blvd St Kilda VIC, Melbourne 3182 AU +61-03-9534-52830

Technical Contact: Pearson, Ross rpearson79@yahoo.com 32 Jacka Blvd St Kilda VIC, Melbourne 3182 AU +61-03-9534-52830

247mediadirect.com was created on 18 May 2008.

The WHOIS information looks legitimate, BUT, the phone number has one too many digits for Melbourne (or the whole of Australia for that matter), and as far as I can tell there is no such company as Media Hosting Ltd - and the address is a parking area close to the ocean.


The building that you see in the picture is "Donovans", a restaurant:

image

BTW, we have seen 247mediadirect.com before (back in January):
http://www.bluetack.co.uk/forums/lofiversion/index.php/t18306.html

Campaign URLs (you will note that the campaign is identical to the one used for the Skype malvertizement):

waytotheprofit.com/?cmpid=contangogo
station-appraisals.com/c/index.php?id=<<removed>>


No company is safe from impersonation...

Campaign URLs:

waytotheprofit.com/?cmpid=contangogo
station-appraisals.com/c/index.php?id=<<removed>>


The waytotheprofit URL leads us to an adverdaemon.com URL, and from there to the fraudware site - I ended up at a German site, being sicherheitstool.com.

Robtex reports that "sicherheitstool.com is a domain controlled by two nameservers at sicherheitstool.com themselves. They are on the same IP network. Incoming mail for sicherheitstool.com is handled by one mailserver which are also at sicherheitstool.com. sicherheitstool.com has one IP record . virusvakt.com, winanonymous.com, avsystemcare.com and at least seven other hosts point to the same IP."

sicherheitstool.com is hosted by Webair Internet Development Inc (http://www.webair.com/).  Feel free to complain to them ;o)
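The Robtex pivot this post leans on (domains sharing nameservers, an IP, or a mailserver with a seed) as an added example, not code from the post or from Robtex. The records are constructed: the domain names are the ones mentioned above, but the IP addresses, the `.example` hosts and the specific links between them are assumptions made for the example, and the cap on widely shared infrastructure is there so a bulk host does not drag in every unrelated tenant.

```python
from collections import deque

# Constructed records in the shape of the Robtex relationships quoted above:
# domain -> {nameservers, IPs, mailservers}. Domain names come from the post;
# the 192.0.2.x / 198.51.100.x addresses, the .example hosts and the links are
# made up for this example.
RECORDS = {
    "sicherheitstool.com": {"ns": {"ns1.sicherheitstool.com", "ns2.sicherheitstool.com"},
                            "ip": {"192.0.2.10"}, "mx": {"mail.sicherheitstool.com"}},
    "virusvakt.com":       {"ns": {"ns1.sicherheitstool.com"}, "ip": {"192.0.2.10"}, "mx": set()},
    "winanonymous.com":    {"ns": {"ns1.sicherheitstool.com"}, "ip": {"192.0.2.10"}, "mx": set()},
    "avsystemcare.com":    {"ns": {"ns1.sicherheitstool.com"}, "ip": {"192.0.2.10"},
                            "mx": {"mail.sicherheitstool.com"}},
    # shares only a mailserver with the seed, and sits on a big shared nameserver
    "trustedprotection.com": {"ns": {"ns1.bighoster.example"}, "ip": {"192.0.2.77"},
                              "mx": {"mail.sicherheitstool.com"}},
    # an unrelated domain plus 59 more tenants of that same bulk nameserver
    "innocent.example":    {"ns": {"ns1.bighoster.example"}, "ip": {"198.51.100.5"}, "mx": set()},
    **{f"tenant{i}.example": {"ns": {"ns1.bighoster.example"},
                              "ip": {f"198.51.100.{i}"}, "mx": set()}
       for i in range(1, 60)},
}


def build_index(records):
    """Invert domain -> attributes into (kind, value) -> set of domains."""
    index = {}
    for domain, attrs in records.items():
        for kind, values in attrs.items():
            for v in values:
                index.setdefault((kind, v), set()).add(domain)
    return index


def pivot(seed, records, max_shared=20, max_depth=3):
    """Breadth-first walk from seed across shared nameservers, IPs and
    mailservers. Returns {domain: (depth, via)} for every domain reached.
    An attribute shared by more than max_shared domains is treated as bulk
    hosting and skipped: it connects everyone to everyone and would turn the
    pivot into a list of every customer of that host."""
    index = build_index(records)
    seen = {seed: (0, None)}
    queue = deque([(seed, 0)])
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for kind, values in records.get(domain, {}).items():
            for v in values:
                neighbours = index[(kind, v)]
                if len(neighbours) > max_shared:
                    continue  # too widely shared to mean anything
                for other in neighbours:
                    if other not in seen:
                        seen[other] = (depth + 1, f"{kind}:{v}")
                        queue.append((other, depth + 1))
    return seen


def related(seed, records, **kw):
    """Sorted domains tied to seed through shared infrastructure."""
    return sorted(d for d in pivot(seed, records, **kw) if d != seed)


if __name__ == "__main__":
    for domain, (depth, via) in sorted(pivot("sicherheitstool.com", RECORDS).items()):
        print(f"{domain:24} depth={depth} via={via}")
```

With the default cap the walk stops at the bulk nameserver; raising `max_shared` shows how quickly the pivot fills with unrelated tenants.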


Edit: the Geobytes flag has been removed from the blog being discussed below - YAY!!!

I was pinged by another MVP tonight, who was very concerned because he had visited a blog on msmvps.com, only to have his web browser immediately hijacked - redirected away from the blog he wanted to read to ozdirect.com.au.  So, I went to take a look.

I, also, was immediately redirected away from the blog to ozdirect.com.au.

Thankfully I had made sure that Fiddler was running in the background, just in case, because the hijack occurred only once; with that capture I can confirm that the free Geobytes Geoflag on the blog is what is hijacking visitors to the blog in question.

This is what happens.

When the blog loads, I see the following request and response:

image

Note the window.open and the reference to ozdirect.com.au.

Now, look what happens if I refresh the blog:

Request and response:

image

No more window.open or ozdirect.com.au.
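One way to pull the first-load-versus-refresh difference out of two captured responses, as an added example rather than code from the post or from Geobytes. The two HTML bodies are constructed stand-ins for the Fiddler captures; only the hosts (msmvps.com, ozdirect.com.au, geobytes.com) come from the post, while the script URLs, the query string and the `_top` window target are assumptions (the target matches the observed behaviour of the whole page being replaced rather than a pop-up appearing).

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the two captures described above: the first load of
# the blog and the refresh. The script contents are made up; '_top' is an
# assumption consistent with the page being replaced, not a pop-up opening.
FIRST_LOAD = """
<html><head><title>Some blog on msmvps.com</title></head><body>
<script src="http://gd.geobytes.com/gd?after=-1"></script>
<script type="text/javascript">
  window.open('http://ozdirect.com.au/?ref=geoflag', '_top');
  document.getElementById('flag').src = 'http://www.geobytes.com/flags/AU.gif';
</script>
</body></html>
"""

REFRESH = """
<html><head><title>Some blog on msmvps.com</title></head><body>
<script src="http://gd.geobytes.com/gd?after=-1"></script>
<script type="text/javascript">
  document.getElementById('flag').src = 'http://www.geobytes.com/flags/AU.gif';
</script>
</body></html>
"""

# Navigation sinks that can move the visitor away from the page: window.open
# with an optional target, and assignments to location / location.href.
_OPEN_RE = re.compile(
    r"""window\.open\(\s*['"](?P<url>[^'"]+)['"]\s*(?:,\s*['"](?P<target>[^'"]*)['"])?""")
_LOCATION_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"](?P<url>[^'"]+)['"]""")


def _offsite(url, page_host):
    """True when url points at a host outside the site the visitor intended."""
    host = (urlsplit(url).hostname or "").lower()
    return bool(host) and host != page_host and not host.endswith("." + page_host)


def find_navigations(body, page_host):
    """(sink, url, target) for every navigation sink aimed off-site."""
    hits = []
    for m in _OPEN_RE.finditer(body):
        url, target = m.group("url"), m.group("target") or "_blank"
        if _offsite(url, page_host):
            hits.append(("window.open", url, target))
    for m in _LOCATION_RE.finditer(body):
        url = m.group("url")
        if _offsite(url, page_host):
            hits.append(("location", url, "_self"))
    return hits


def hijack_hosts(body, page_host):
    """Hosts the visitor would be dragged to. A window.open into _top/_self/
    _parent or any location assignment replaces the page; a _blank target only
    spawns a pop-up, which a blocker may stop, so it is not counted here."""
    return sorted({(urlsplit(u).hostname or "").lower()
                   for sink, u, target in find_navigations(body, page_host)
                   if sink == "location" or target in ("_top", "_self", "_parent")})


def compare_loads(first, second, page_host):
    """Navigation sinks present in the first response but gone from the second:
    the 'first visit only' behaviour seen between the load and the refresh."""
    return sorted(set(find_navigations(first, page_host))
                  - set(find_navigations(second, page_host)))


if __name__ == "__main__":
    print("first load:", hijack_hosts(FIRST_LOAD, "msmvps.com"))
    print("refresh:   ", hijack_hosts(REFRESH, "msmvps.com"))
    for sink, url, target in compare_loads(FIRST_LOAD, REFRESH, "msmvps.com"):
        print(f"first load only: {sink} -> {url} (target {target})")
```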


Now, it just so happens that Geobytes states on their web page that, if you add the free Geoflag to your site, the following will occur:

image
Source: http://www.geobytes.com/GeoPhrase.htm

The site then goes on to say:

image

The problem is, the "new window [with] the original intended content" did not open - not for me, and not for my MVP correspondent.

I mean, seriously, what website owner in his or her right mind would agree to allowing his or her visitors to be hijacked - dragged away from their site and dumped somewhere else under such circumstances - in a world where pop-up blockers are the rule, rather than the exception?  Oh, and by the way, I have long since disabled the pop-up blocker in IE8 on my system - I need to see pop-ups as part of my role as an Online Compliance Researcher, so we can't even blame a pop-up blocker for Geobytes' failure to open the promised new window on this system.

We will report the problem to the blog's owner, so hopefully the nasty little flag will be gone soon...  What nasty flag?  This nasty flag - the Australian flag that you can see in the screenshot below:


Kimberley, who is monitoring the ongoing malvertizement problems at isuisse.com, ibelgique.com and iquebec.com, has discovered a new malvertizement featuring Forex Autopilot.

"A yet unseen, new malvertizement is present on the homepage of isuisse.com, ibelgique.com & iquebec.com. The banner advertises Forex AutoPilot and the creative belongs to the new generation created with Fuse Kit 2.1.4. This is now the FOURTH malicious banner discovered since June the 12th on websites belonging to the group iEUROP. Just on a side note, the XM Radio malvertizement is also being displayed at isuisse on the portal page. This brings the count up to THREE active malvertizements being served to the visitors!!! Imagine the number of users being redirected to fake online scanners ... Enough is enough, this has to stop."

Malicious domains:

adoptserver.info/_statis.gif?url=[removed]
windowsxp-privacy.net/?id=198760063
xponlinescanner.com/soft.php?aid=024202&d=3&product=XPA
xponlinescanner9.com/2009/1/freescan.php?aid=77024202 (registered 1 July 2008)

Fraudware sites:

antivirus-2009.com
antivirus-database.com
antivirus2009professional.com
xpantivirusonline.com
xponlinescanner.com
xponlinescanner9.com


Images courtesy of Kimberley

Source: http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=87978&mode=threaded&show=&st=90&#entry87978

Adobe Reader 9 has been released, and guess what, it can display SWF and FLV files... I wonder what implications this has for the security landscape surrounding malicious SWF.   Are we going to have to watch out for PDFs which contain malicious SWF?

I simply do not have enough information to judge the safety implications (or otherwise) of this new Adobe Reader feature...  I quote from the announcement on the Adobe reader blog:

"Adobe Reader 9 can natively display rich media content, which you'll notice immediately with Portfolios. Interested in viewing SWF and FLV files? Adobe Reader 9 is the answer."

The first thing that occurs to me is that our number one complaint about malicious SWF is that there is no way for the end user to stop the initial hijack that exposes them to malicious domains.  If Adobe Reader 9 prompts for user permission before opening a web browser, then in that way Adobe Reader is a safer way to view SWF.  If, on the other hand, the Reader allows an SWF to open a web browser without user interaction, then we are facing yet another conduit to danger.

Source:  http://blogs.adobe.com/adobereader/2008/06/adobe_reader_9_is_here_1.html

Oh, and while I think of it - the ActiveX changes in Internet Explorer 8 have the potential to make things safer for users when it comes to malicious SWF (and other ActiveX controls).  This is because IE8 will allow the user to choose to install ActiveX for all users, or just one user on the computer, AND it will also introduce "per site" ActiveX.  That is, when you are prompted to allow an ActiveX control to run, you will be able to choose to allow the control to run at that one web site, or at all web sites.  So, if you need Flash for one particular site, but don't want Flash to be available to other sites, then you will be able to approve Flash for just that one site - cool, yes?

I've been keeping a close eye on Australian web sites that have been affected by malicious SQL injection attacks, specifically concentrating on sites that are 'repeat offenders'.

One of the repeat offenders is walkingchallenge.gov.au.  On that site I found code pointing to the domain ucomddv.com (created today, 2 July 2008), and what may be a new JS naming convention, being ngg.js.

A search for ngg.js reveals even more domains, being mainbvd.com (created today), cont67.com (created on 1 July 2008) and portwbr.com (created today).

A close look at the new domains reveals a treasure trove of relational information.

Some of the domains below that can be tied in with the newly created malicious domains have been identified in association with SQL injection incidents.  Others have been used for phishing - the bad guys certainly believe in diversity.
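A monitor for exactly this "repeat offender" situation, as an added example (not code from the post): compare a known-good snapshot of a page with a fresh fetch, report any off-site script include that was not there before, and group the hits by file name, which is the ngg.js pivot used above. The HTML snapshots are constructed; the site (walkingchallenge.gov.au) and the injected hosts and file name (ucomddv.com, mainbvd.com, ngg.js) are the ones the post names, but the exact page URL, paths and markup are assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed snapshots of a monitored page: a known-good baseline and a later
# fetch after injected content has added off-site script includes. The host
# and file names are the ones reported above; the surrounding HTML is made up.
PAGE_URL = "http://www.walkingchallenge.gov.au/"   # assumed page location
SITE_HOST = "walkingchallenge.gov.au"

BASELINE = """
<html><head><title>Walking challenge</title>
<script src="/js/site.js"></script>
<script src="http://www.walkingchallenge.gov.au/js/menu.js"></script>
</head><body><p>Welcome</p></body></html>
"""

INJECTED = """
<html><head><title>Walking challenge</title>
<script src="/js/site.js"></script>
<script src="http://www.walkingchallenge.gov.au/js/menu.js"></script>
</head><body><p>Welcome</p>
<script src=http://ucomddv.com/ngg.js></script>
<p>Latest news</p><script src="http://mainbvd.com/ngg.js"></script></body></html>
"""

# A script tag's src, whether double-quoted, single-quoted or (as injected
# payloads frequently are) bare.
_SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def script_urls(html, page_url):
    """Absolute URLs of every external script the page loads, in document order."""
    urls = []
    for m in _SCRIPT_SRC_RE.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        urls.append(urljoin(page_url, src))
    return urls


def _same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def offsite_scripts(html, page_url, site_host):
    """Scripts pulled from a host outside the site's own domain."""
    return [u for u in script_urls(html, page_url)
            if not _same_site((urlsplit(u).hostname or "").lower(), site_host)]


def newly_injected(baseline_html, current_html, page_url, site_host):
    """Off-site scripts present now but absent from the baseline: the set a
    monitor watching a repeat-offender site would alert on."""
    known = set(offsite_scripts(baseline_html, page_url, site_host))
    return [u for u in offsite_scripts(current_html, page_url, site_host)
            if u not in known]


def group_by_filename(urls):
    """Cluster injected URLs by JS file name (e.g. ngg.js): one naming
    convention shared across freshly registered domains is the thread the
    post pulls on to find sibling domains."""
    groups = {}
    for u in urls:
        parts = urlsplit(u)
        name = parts.path.rsplit("/", 1)[-1]
        groups.setdefault(name, []).append((parts.hostname or "").lower())
    return groups


if __name__ == "__main__":
    new = newly_injected(BASELINE, INJECTED, PAGE_URL, SITE_HOST)
    for url in new:
        print("newly injected:", url)
    for name, hosts in group_by_filename(new).items():
        print(f"{name}: {', '.join(hosts)}")
```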


Do you ever get the feeling that people are not listening?

I blogged about malicious advertisements featuring XM Radio on Sunday here:
Report- Malvertizements that have been circulating

Now Kimberley has discovered that those same XM Radio malvertizements are appearing on the ifrance.com web site - info here:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=87888&mode=threaded&show=&st=90&#entry87888

I admit to feeling a lot of frustration about ifrance.com.  As noted by Kimberley, this is the 3rd malvertizement that has been discovered on the ifrance.com website since the 12th of June.  They seem to be completely incapable of vetting advertising creatives that are being submitted to them, or acting to get rid of malvertizements that are reported to them within a reasonable period of time (if at all).

I rarely do this, but I now advise that all advertising that appears on ifrance.com should be blocked unless and until they can assure us that they have removed the malvertizements, and that they have put procedures in place to prevent the problem in future.  The same goes for isuisse.com (guilty by association).  Heck, let's also pay close attention to ibelgique.com, iespana.es, iitalia.com and iquebec.com, all of which are closely related to ifrance.com and isuisse.com (also subject to guilt by association).

Other incidents affecting ifrance

ifrance.com - malicious banners featuring FirstChoice and again here

ifrance.com - malicious banner featuring Curves

ifrance.com - still serving malvertizements

The Internet Explorer team have published 3 new articles about IE8 that are well worth a read.


First, the SmartScreen filter:
IE8 Security Part III- SmartScreen® Filter

The feature that I want to call out about the SmartScreen filter is the antimalware support - SmartScreen not only blocks access to known phishing and malware sites, it will block downloads from known malicious sites, meaning that victims are protected even if they don't visit a known malware site directly.  For example, if a victim is tricked into clicking on a link in an email or Instant Message window that will download malware, then as long as IE is your default browser, SmartScreen will block the download.  I can think of a whole slew of fake security software aka fraudware aka betrayware that I believe should be blocked via the SmartScreen filter.

Of course, such blocking can be overridden if need be (for example, because of false positives).  For those of you that are responsible for network management and security, you will be pleased to know that Group Policy can be used to stop users from overriding the SmartScreen Filter.

The SmartScreen user interface has also been improved.


Second, cross site scripting (XSS) vulnerabilities - XSS filtering
IE8 Security Part IV- The XSS Filter

"When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. Users are not presented with questions they are unable to answer – IE simply blocks the malicious script from executing."


Third, security improvements:
IE8 Security Part V- Comprehensive Protection

"As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don’t provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits."

Neowin says:

"Spybot - Search & Destroy detects and removes spyware, a relatively new kind of threat not yet covered by common anti-virus applications. Spyware silently tracks your surfing behavior to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. If you see new toolbars in your Internet Explorer that you haven't intentionally installed, if your browser crashes inexplicably, or if your home page has been "hijacked" (or changed without your knowledge), your computer is most probably infected with spyware. Even if you don't see the symptoms, your computer may be infected, because more and more spyware is emerging."

First up, spyware is NOT a "relatively new kind of threat" - it has been around for years.  Second, it is INCORRECT to claim that spyware is "not yet covered by common antivirus applications". 

It's well and truly time for Spybot S&D to update their advertising blurb.


XM Radio

image

image

image

Exposed domain: aboutstat.net


XM Radio again

image

image

image


Exposed domains: waytotheprofit.com/?cmpid=weannalist and officialstat.com/c/index.php, both of which are known malvertizement domains.

waytotheprofit.com/?cmpid=weannalist leads us to an adverdaemon.com URL which then leads on to diskretter.com.


adverdaemon.com is hosted by PEER1, with name servers supplied by none other than securehost in the Bahamas.  Lots and lots of known bad domains are sharing name servers with adverdaemon.com.

Hostnames sharing IP with A-Records
ad2profit.com
adgurman.com
adnetserver.com
adredired.com
astalaprofit.com
bizmarketads.com
brandmarketads.com
bucksbill.com
glorymarkets.com
iddqdmarketing.com
intervarioclick.com
invulnerableads.com
luckyadcoin.com
luckyadsols.com
mythmarketing.com
popadprovider.com
prevedmarketing.com
rocktheads.com
waytotheprofit.com

perfectmatch.com

image

image

Domains exposed:

profitabill.com/?cmpid=cancrineso

stat-diagnostic-imaging.net/c/index.php


profitabill.com

Hosted by Plusserver, Germany.  Administrative contact is the infamous Serg Moon - WHOIS details are, of course, unhelpful.

Note: WHOIS notes that registration services are provided by NameCheap.com, which shares IP indirectly via cnames with davidrohlf.com, georgerohlf.com, kristinerohlf.com and therohlfs.com.

Registrar is the well known Enom, Inc - the domain was created on 25 March 2008.


Hostnames sharing IP with A-Records
manzano181.serv.lt
xen-su-01.serv.lt

Lots and lots and LOTS of bad domains share name servers with profitabill.com.

First Choice in French (we have seen malvertizements featuring First Choice before - eg: this one in English)

image

image

image

This malvertizement exposes two domains to us: waytotheprofit.com/?cmpid=atrecreant and click.adlbrite.com.

adlbrite.com is hosted by nine.ch in Switzerland (yes, the same nine.ch that has hosted domains used by malvertizements in the past).

click.adlbrite.com is also sharing name servers with several well known malvertizement domains, including:

aboutstat.com
akamahi.net
entrerrenglonadura.com
newstat.net
officialstat.com
quinquecahue.com
stat-diagnostic-imaging.net
stat-diagnostic-imaging.com
stathisranch.net
station-appraisals.com
station-appraisals.net
thetechnorati.com
vozemiliogaranon.com
googiesindication.com
statestr.com
statgroup.net
staticglobalsources.com
staticglobalsources.net
statnation.net
statsla.net
statworld.net

adlbrite.com's registrar is TLDS, LLC DBA SRSPLUS.  The WHOIS is unhelpful, being:

Sara Sen  (mail@adlbrite.com)
Hight  str  45 
Baltim, NONE  8232
CL
152656555

waytotheprofit.com is just as interesting, sharing IP with A-Records and mail servers with many known malvertizement domains including:

ad2profit.com
adgurman.com
adnetserver.com
adredired.com
astalaprofit.com
bizmarketads.com
brandmarketads.com
bucksbill.com
glorymarkets.com
iddqdmarketing.com
intervarioclick.com
invulnerableads.com
luckyadcoin.com
luckyadsols.com
mythmarketing.com
popadprovider.com
prevedmarketing.com
rocktheads.com

waytotheprofit.com also shares name server with many, many, MANY known fraudware and malvertizement domains, as well as domains associated with the sale of malvertizements.
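The pivoting done by hand above (adverdaemon.com, click.adlbrite.com and waytotheprofit.com, each expanded into the domains sharing its A records, mail servers or name servers) is mechanical once the DNS data is in a table. The following is an added example written for this page, not a tool the author used: it takes passive-DNS style records and computes, for a seed domain, which other domains share each value, and the full cluster reachable through shared infrastructure. The record set is constructed for the example; the domain names are the ones discussed here, but the IP addresses (RFC 5737 test ranges), name servers and mail servers are placeholders, not the real 2008 values.

```python
from collections import defaultdict, deque

# Constructed passive-DNS style records: domain -> A / NS / MX values.
# Placeholder infrastructure; only the domain names come from this page.
HOSTER_NS = ["ns1.hoster-b.example", "ns2.hoster-b.example"]
RECORDS = {
    "waytotheprofit.com": {"a": ["192.0.2.10"],    "ns": HOSTER_NS, "mx": ["mx.192-0-2-10.example"]},
    "adverdaemon.com":    {"a": ["192.0.2.10"],    "ns": HOSTER_NS, "mx": ["mx.192-0-2-10.example"]},
    "ad2profit.com":      {"a": ["192.0.2.10"],    "ns": HOSTER_NS, "mx": ["mx.192-0-2-10.example"]},
    "diskretter.com":     {"a": ["203.0.113.20"],  "ns": HOSTER_NS, "mx": []},
    "officialstat.com":   {"a": ["198.51.100.5"],  "ns": ["ns1.officialstat.com"], "mx": []},
    "adlbrite.com":       {"a": ["198.51.100.7"],  "ns": ["ns1.officialstat.com"], "mx": []},
    "unrelated.example":  {"a": ["203.0.113.99"],  "ns": ["ns1.bigregistrar.example"], "mx": []},
}
RTYPES = ("a", "ns", "mx")


def invert(records, rtype):
    """value -> set of domains carrying that value for the record type."""
    index = defaultdict(set)
    for domain, rrs in records.items():
        for value in rrs.get(rtype, []):
            index[value].add(domain)
    return index


def pivot(records, seed):
    """For each value the seed resolves to, the OTHER domains sharing it
    (the 'hostnames sharing IP with A-records' style view)."""
    out = {}
    for rt in RTYPES:
        index = invert(records, rt)
        shared = {v: sorted(index[v] - {seed}) for v in records[seed].get(rt, [])}
        out[rt] = {v: d for v, d in shared.items() if d}
    return out


def cluster(records, seed, rtypes=RTYPES):
    """Transitive closure: every domain reachable from the seed by walking
    shared values of the chosen record types (breadth-first)."""
    indexes = {rt: invert(records, rt) for rt in rtypes}
    seen, queue = {seed}, deque([seed])
    while queue:
        d = queue.popleft()
        for rt in rtypes:
            for value in records[d].get(rt, []):
                for other in indexes[rt][value]:
                    if other not in seen:
                        seen.add(other)
                        queue.append(other)
    return seen


def evidence(records, x, y):
    """Which record values two domains actually have in common."""
    out = {}
    for rt in RTYPES:
        common = set(records[x].get(rt, [])) & set(records[y].get(rt, []))
        if common:
            out[rt] = common
    return out


def dedupe(domains):
    """Drop repeated entries while keeping order (the lists above repeat popadprovider.com)."""
    seen, out = set(), []
    for d in domains:
        if d not in seen:
            seen.add(d)
            out.append(d)
    return out


if __name__ == "__main__":
    seed = "waytotheprofit.com"
    print(pivot(RECORDS, seed))
    print(sorted(cluster(RECORDS, seed)))
    print(evidence(RECORDS, seed, "diskretter.com"))
```

One caveat when reading such clusters: a shared A record or a shared custom name server is strong evidence of common control, whereas sharing the default name servers of a large hoster (PEER1, Plusserver, nine.ch) links the domain to thousands of innocent customers as well. Restricting `cluster()` to `rtypes=("a",)`, or weighting name servers by how many domains use them, keeps the closure from swallowing a whole hosting company.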

Information courtesy of Intego, a company specializing in security products for the Mac.

Intego has released a security memo describing a trojan horse for the Mac - a poker game that, when run, harvests the username, password and IP address of the victim and transmits it to a server, as well as enabling ssh on the victim's Mac computer.  As noted by Intego, once ssh is enabled, the attacker can "attempt to take control of [the Mac], delete files, damage the operating system, or much more".

The poker game is an effective example of social engineering, and demonstrates that anybody, whether a Windows or Mac user, can be tricked into handing over their username and password.  The existence of the software is worth publicizing in the hope that it will make all of us stop and think the next time we are asked to enter our admin password when installing software.

Already I am reading comments deriding Intego's "financial incentive for discovering and reporting" on Mac specific trojan horses and whatnot.  Those making such comments are not doing anybody any favours and, to be honest, they need to get over themselves.  Yes, Intego can gain a financial benefit from such publicity - after all, they sell security software for the Mac - but the reality is that the malicious software is out there, and it is a good example of an effective mechanism for tricking Mac users.

Screenshot:

PokerGame

:o)

uf011623

Source: http://ars.userfriendly.org/cartoons/?id=20080623

Downloadable here:
http://www.microsoft.com/downloads/details.aspx?familyid=671355c2-4002-4671-8619-95c96c8a897f&displaylang=en&tm

Worldwide, the tool removed malware from 1 out of every 123 Windows-based computers it was executed on in the second half of 2007.

Summary - Australia

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 204 Windows-based computers it was executed on.

Zlob (Trojan) - 6.9%
Starware (Potentially unwanted software) - 4.4%
Hotbar (Adware) - 2.7%
WhenU (Adware) - 3.3%
Winfixer (Potentially unwanted software) - 2.7%
Agent (Trojan and trojan downloader) - 2.6%
All others - 77.7%

Summary - Canada

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 172 Windows-based computers it was executed on.

Zlob - 6.4%
Hotbar - 4.6%
Agent - 4.2%
Starware - 4.0%
ZangoSearchAssistant (Adware) - 3.1%
WhenU - 3.1%
All others - 73.6%

Summary - Germany

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 226 Windows-based computers it was executed on.

Zlob - 12.2%
WhenU - 5.9%
Hotbar - 3.9%
Renos (Trojan downloader) - 2.6%
Zango Search Assistant - 2.6%

Summary - Japan

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 685 Windows-based computers it was executed on.

CnsMin (Spyware) - 8.6%
Zlob - 4.3%
Antinny (Worm) - 3.9%
Rbot (Backdoor) - 3.4%
WhenU - 2.9%
All others - 76.9%

Summary - Netherlands

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 170 Windows-based computers it was executed on.

Zlob - 7.4%
WhenU - 4.7%
Virtumonde (Trojan and adware) - 3.3%
Hotbar - 3.1%
ConHook (Trojan) - 2.9%
All others - 78.6%

Summary - Norway

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 160 Windows based computers it was executed on.

Zlob - 12.5%
WhenU - 4.7%
Winfixer - 3.7%
Zango Search Assistant - 3.5%
Hotbar - 3.4%
All others - 72.2%

Other important notes from the key findings summary (all countries)

  • The total amount of malware removed from computers worldwide via the Microsoft Malicious Software Removal Tool (MSRT) increased over 40% during the second half of 2007; the tool was executed on more than 450 million unique computers worldwide per month.
  • During the second half of 2007 there was a 300% increase in the number of trojan downloaders and droppers detected and removed.
  • The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family. Winfixer displays erroneous alerts warning of severe system threats. The program then offers to remove the erroneous detections for a fee. These warnings appear under multiple false product names in several different language versions.
  • 129.5 million pieces of potentially unwanted software were detected between July 1 and December 31 2007, resulting in 71.7 million removals. These figures represent increases of 66.7% in total detections and 55.4% in removals over the first half of 2007.
  • Adware remained the most prevalent category of potentially unwanted software in the second half of 2007.
  • The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar.


I have received a copy of a new malvertizement featuring gifttree.com.

Analysis reveals two malicious URLs, being:

waytotheprofit.com/?cmpid=itlocation
station-appraisals.com/c/index.php?

The waytotheprofit.com URL leads us to an adnetserver.com URL which in turn leads us to a German-language fraudware site, diskretter.com (which, by the way, shares IP with A-records and mail servers with several domains including securepccleaner.com and exterminadordevirus.com).
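The chains traced on this page (waytotheprofit.com to adverdaemon.com to diskretter.com in the XM Radio post, and waytotheprofit.com to adnetserver.com to diskretter.com here) are the usual mix of HTTP 3xx, meta refresh and JavaScript hops. The following is an added example written for this page, not the author's tooling: it walks such a chain, records which mechanism produced each hop, and pulls out the cmpid campaign identifier. Because it must run offline, the "web" is a constructed table of responses; the entry URL and the hosts follow the chain described above, but the paths, parameters and page bodies are illustrative assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit, parse_qs

# Constructed stand-in for the live sites (no network access).  Hosts mirror
# the chain described above; paths, parameters and bodies are made up.
FAKE_WEB = {
    "http://waytotheprofit.com/?cmpid=itlocation":
        (302, {"Location": "http://adnetserver.com/go?c=itlocation"}, ""),
    "http://adnetserver.com/go?c=itlocation":
        (200, {}, '<html><head><meta http-equiv="refresh" '
                  'content="0;url=http://diskretter.com/landing.php"></head></html>'),
    "http://diskretter.com/landing.php":
        (200, {}, '<html><body><script>window.location="/scan/";</script></body></html>'),
    "http://diskretter.com/scan/":
        (200, {}, "<html><body>Achtung! Ihr Computer ist infiziert!</body></html>"),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)


def next_hop(url, status, headers, body):
    """Where this response sends the browser next, and by which mechanism."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"]), "http-3xx"
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1)), "meta-refresh"
    m = JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1) or m.group(2)), "javascript"
    return None, None


def follow(start, fetch, max_hops=10):
    """Walk a redirect chain; returns [(url, mechanism that led here), ...].
    Stops on a terminal page, an unknown URL, a loop, or after max_hops."""
    chain, seen, url = [(start, "start")], {start}, start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt, how = next_hop(url, status, headers, body)
        if nxt is None:
            break
        if nxt in seen:
            chain.append((nxt, "loop"))
            break
        seen.add(nxt)
        chain.append((nxt, how))
        url = nxt
    return chain


def fake_fetch(url):
    """Offline fetcher over the constructed table; unknown URLs are a 404."""
    return FAKE_WEB.get(url, (404, {}, ""))


def hosts(chain):
    return [urlsplit(u).hostname for u, _ in chain]


def campaign_id(url):
    """The cmpid= value that tags each campaign (weannalist, atrecreant, itlocation above)."""
    return parse_qs(urlsplit(url).query).get("cmpid", [None])[0]


if __name__ == "__main__":
    for url, how in follow("http://waytotheprofit.com/?cmpid=itlocation", fake_fetch):
        print(f"{how:12} {url}")
```

Against live sites the fetcher would be a real HTTP client, and the result often depends on the Referer, User-Agent, Accept-Language and source IP that are sent: a German-language landing page like the one above is typically only served to visitors the redirector believes are in the right country, so a chain traced from a lab box can legitimately end somewhere else. Recording the mechanism per hop also matters for evidence, since a 3xx is logged server-side by the redirector while a JavaScript hop is not.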


image   image   image

Details here:
http://msmvps.com/blogs/bradley/archive/2008/06/16/houston-we-have-a-problem.aspx

Update: We'll be offline until as late as Friday:
http://msmvps.com/blogs/bradley/archive/2008/06/16/offline-for-a-couple-of-days.aspx


I am pleased to announce that I have joined Truste as an Online Compliance Researcher.  The Press Release is here:
http://www.truste.org/about/press_release/06_12_08.php

I am very excited about this new opportunity.  It has always been my dream to be able to focus all of my energies on studying, and tracking down the distributors of, spyware and malware and now that dream is coming true.

Wayne Small, SBS MVP, has also written an announcement about my new role.  I couldn't help but smile when I read it.  Mind you, I can't claim to have singlehandedly saved all those MSN Messenger users - it was Patchou of Messenger Plus! fame who first alerted me to the fact that there was a malvertizement appearing in the Windows Live Messenger advertising pane.
http://blog.sbsfaq.com/Lists/Posts/Post.aspx?ID=191

