More on the hijacking Flash banner ads....

Y'all may remember that in this article I mentioned my concern that, because we had found an advertisement that hijacked users and sent them to a MalwareAlarm site (scanner.malware-scan.com), the original complaint, about redirects to Performance Optimizer sites, might still be outstanding; in short, that there might be more than one SWF out there, or that the one SWF was redirecting users to different sites depending on circumstance.

Well, it turns out that the latter was correct. The SWF that was redirecting some victims to scanner.malware-scan.com was redirecting other victims to performanceoptimizer.com (via blessedads).

I had the opportunity today to analyse a 9 megabyte txt file, a Fiddler capture of a Performance Optimizer redirect at the same site that was hit by the MalwareAlarm redirect ... and let me tell you, a 9 megabyte TXT file can have a seriously detrimental effect on PC performance; even my ACER Ferrari 5000 struggled under the load.

Anyway, the URL for the SWF that redirected users to a Performance Optimizer site, which was identical to the one proven to force users to scanner.malware-scan.com, is now dead. Yay us!!

Comments

# re: More on the hijacking Flash banner ads....

Thursday, November 08, 2007 11:27 AM by Doug Woodall

I'm curious if this type of exploit will increase with the coming holiday buying season.

Great job checking this out. It's appreciated.

# re: More on the hijacking Flash banner ads....

Saturday, November 10, 2007 11:37 PM by Tim S.

I was just redirected to malware-scan.com from a page on tvguide.com, but it happened so fast that I had no idea what triggered it.

# re: More on the hijacking Flash banner ads....

Sunday, November 11, 2007 2:10 AM by sandi

Hi Tim,

We're having a look-see, but so far haven't been able to reproduce the redirect.

Assuming that tvguide.com was the *only* site that you had open, can you remember what area of the site you were looking at?

Sandi

# re: More on the hijacking Flash banner ads....

Sunday, November 11, 2007 2:27 PM by bif

www.economist.com [the website for The Economist magazine] gives the same problem, but only the first time that you visit it from a computer.  Use another computer, even on the same router & firewall, and it shows up again.  You can clean out all of your history but it won't reappear.

bif

# re: More on the hijacking Flash banner ads....

Sunday, November 11, 2007 3:19 PM by sandi

Hi Bif,

What you describe is to be expected.  If you clean out your IE cache, cookies and the Flash cache, then generally you can trigger the redirect as often as you wish.

Sandi

# re: More on the hijacking Flash banner ads....

Sunday, November 11, 2007 8:08 PM by Bob

Hi, I just visited Economist.com and boom - redirect to malware-scan.com via: htt*://scanner2.malware-scan.com/5_swp/?tmn=mwatmp&aid=ang1eann&lid=728_ao_3958_0_10229_ao_&ed=2&ex=1&tmn=null&mt_info=3958_0_10229

Not sure what it does but I killed it double quick - just in case!

-Bob

# re: More on the hijacking Flash banner ads....

Sunday, November 11, 2007 8:46 PM by sandi

Bob, what country are you located in, and can you please download Fiddlercap as per my advice in the News pane of this blog, install it, and follow the instructions to try and capture the redirect at www.economist.com.

You will need to delete your Flash cache, cookies and normal cache before going back to www.economist.com.  You can clear the Flash cache here:

www.macromedia.com/.../settings_manager02.html

# re: More on the hijacking Flash banner ads....

Tuesday, November 13, 2007 12:02 AM by Luc dTM

Hi,

I just stumbled onto this site after getting a redirect to scanner2.malware-scan.com from www.allmusic.com/.../amg.dll (Irony being that I was currently running Ubuntu)

After seeing that you were looking for logs, I took a look at fiddlercap but it apparently is only used for Windows.  However, I managed to recreate the redirect while running wireshark and thus have a wireshark / tcpdump log that you may be interested in.  If so send me an email to my gmail account, username is 3maisons.

Luc

# re: More on the hijacking Flash banner ads....

Tuesday, November 13, 2007 12:10 AM by Dave

I have now seen this twice in the past day. Did not understand it until reading your write-up -- thank you. Both times I was redirected to malware-scan.com from allmusic.com.

# re: More on the hijacking Flash banner ads....

Tuesday, November 13, 2007 4:52 PM by Frontrow

Any info on how to get rid of this?

# re: More on the hijacking Flash banner ads....

Wednesday, November 14, 2007 3:19 PM by stewart

Another data point for you: I get this redirect once a day on mlb.com.  From the front page, following any one of the story links on the panel on the right hand side.  I'm in the UK.

My temporary solution is to block access to the IP address range that contains those servers (I went for their ISP's entire block: 77.91.224.0/21)

# re: More on the hijacking Flash banner ads....

Wednesday, November 14, 2007 5:19 PM by sandi

Hi Stewart,

You are a perfect candidate to use Fiddler or Fiddlercap to capture the redirect when it hits your system.

You'll see instructions in my News pane to the left of the screen.  Save the Fiddler data as a SAZ file (a special type of zip archive) - accept the option to save *all* sessions.

Note that you'll need to click in the Fiddler window to highlight a line of information before you can save the capture.

If you get that SAZ to me, we can publicize what's going on.
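The capture analysis described in the post and the SAZ files requested in the comments come down to the same task: find the session in a Fiddler capture that lands on the rogue scanner and walk back through the 3xx hops and Referer headers to the banner SWF that fired it. The following Python is an added example, not code from this blog or from Fiddler. It assumes Fiddler's SAZ layout (a zip archive holding raw/NN_c.txt for each request and raw/NN_s.txt for the matching response); the capture it runs on is constructed inside the block, the ad-server host in it is made up, and its Referer values are an assumption about what the browser reports after a Flash-initiated navigation.

```python
# Added example: trace a rogue-scanner redirect in a Fiddler SAZ back to the SWF.
import io
import re
import zipfile
from urllib.parse import urlparse

# Landing domains named in the thread; blessedads is only an intermediate hop.
LANDING_DOMAINS = ("malware-scan.com", "performanceoptimizer.com")


def _parse_head(raw):
    """Split an HTTP message head into (start-line words, lower-cased headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0].split(" "), headers


def load_saz(data):
    """Return one dict per session: url, host, status, location, referer, ctype."""
    sessions = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        ids = sorted(n[4:-6] for n in names if re.fullmatch(r"raw/\d+_c\.txt", n))
        for sid in ids:
            (_, target, *_), req = _parse_head(zf.read(f"raw/{sid}_c.txt"))
            # Proxied requests carry an absolute URL; fall back to Host + path.
            url = target if "://" in target else f"http://{req.get('host', '')}{target}"
            status, resp = 0, {}
            if f"raw/{sid}_s.txt" in names:
                (_, code, *_), resp = _parse_head(zf.read(f"raw/{sid}_s.txt"))
                status = int(code)
            sessions.append({
                "url": url, "host": urlparse(url).hostname or "", "status": status,
                "location": resp.get("location", ""),
                "referer": req.get("referer", ""),
                "ctype": resp.get("content-type", ""),
            })
    return sessions


def _on_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_swf(s):
    return (urlparse(s["url"]).path.lower().endswith(".swf")
            or s["ctype"].lower().startswith("application/x-shockwave-flash"))


def trace_redirects(sessions, landing_domains=LANDING_DOMAINS):
    """For each hit on a landing domain, rebuild the hop chain that led there.
    A predecessor is a 3xx whose Location is the current URL, else the Referer."""
    by_url = {s["url"]: s for s in sessions}
    findings = []
    for landing in sessions:
        if not _on_domain(landing["host"], landing_domains):
            continue
        chain, seen, cur = [landing], {landing["url"]}, landing
        while True:
            prev = next((c for c in sessions
                         if c["location"] == cur["url"] and c["url"] not in seen), None)
            if prev is None and cur["referer"] in by_url and cur["referer"] not in seen:
                prev = by_url[cur["referer"]]
            if prev is None:
                break
            chain.insert(0, prev)
            seen.add(prev["url"])
            cur = prev
        findings.append({
            "landing": landing["url"],
            "chain": [c["url"] for c in chain],
            # The first SWF in the chain is the banner to report to the publisher.
            "swf": next((c["url"] for c in chain if _is_swf(c)), None),
        })
    return findings


def build_sample_saz():
    """Constructed capture, not real data: page -> banner.swf -> tracking hop ->
    rogue scanner.  Referer values are an assumption, see the lead-in."""
    hops = [
        ("http://www.economist.com/", "", 200, {"Content-Type": "text/html"}),
        ("http://ads.adnetwork.example/banner.swf", "http://www.economist.com/",
         200, {"Content-Type": "application/x-shockwave-flash"}),
        ("http://tracking.blessedads.com/click?id=1",
         "http://ads.adnetwork.example/banner.swf",
         302, {"Location": "http://scanner2.malware-scan.com/5_swp/"}),
        ("http://scanner2.malware-scan.com/5_swp/",
         "http://ads.adnetwork.example/banner.swf", 200, {"Content-Type": "text/html"}),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, (url, referer, status, hdrs) in enumerate(hops, 1):
            req = f"GET {url} HTTP/1.1\r\nHost: {urlparse(url).netloc}\r\n"
            req += f"Referer: {referer}\r\n" if referer else ""
            resp = f"HTTP/1.1 {status} {'Found' if status == 302 else 'OK'}\r\n"
            resp += "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
            zf.writestr(f"raw/{i:02d}_c.txt", req + "\r\n")
            zf.writestr(f"raw/{i:02d}_s.txt", resp + "\r\n<html></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for f in trace_redirects(load_saz(build_sample_saz())):
        print("landing:", f["landing"])
        print("chain:  ", " -> ".join(f["chain"]))
        print("swf:    ", f["swf"])
```

To run it against a real capture, pass the SAZ file's bytes to load_saz() in place of build_sample_saz(). A chain that reaches a landing domain but contains no SWF may mean the banner was served from the Flash cache and never re-fetched, which is why the capture instructions above insist on clearing the Flash cache, cookies and the normal cache first.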

# re: More on the hijacking Flash banner ads....

Sunday, November 18, 2007 8:05 AM by Bluheart

There is now a new URL for that one.

scanner2.malware-scan.com/.../scan.php

It's back in action.

# re: More on the hijacking Flash banner ads....

Sunday, November 18, 2007 7:17 PM by KC Bell

I've been running into this flash phenomenon repeatedly at AllMusic site. I use only Firefox, which blocks any cookies, but seems unable to stop the hijacking. Offered the option to cancel or continue, cancel just starts the process anyway! In all cases, I hit stop and close my browser to stop it. I've also contacted AllMusic, which responded with some irrelevant bromide thanking me for commenting on their advertising.

# re: More on the hijacking Flash banner ads....

Monday, November 19, 2007 5:42 AM by sandi

KC,

Download Fiddler, get a capture of the redirect and then get in touch with me.  I'll get AllMusic to listen... ;o)

# re: More on the hijacking Flash banner ads....

Monday, November 19, 2007 7:44 AM by sandi

BTW, I've been able to capture a redirect affecting www.allmusic.com - I've blogged and sent the information to the site in question.

Do they dare give me the brushoff? Time will tell....

Sandi

# re: More on the hijacking Flash banner ads....

Thursday, November 29, 2007 3:46 PM by Tetranitrocubane

I wasn't able to capture it, unfortunately, but I received the same redirect from hotmail (which I guess is windows livemail now... www.hotmail.com is how I still get there.) after I had logged in. I hope it was via their banner ads, and can't think of any other way it might've happened.

# re: More on the hijacking Flash banner ads....

Friday, November 30, 2007 1:35 PM by Jay

Hello, I operate a fairly large site (see link in name) and have been getting a ton of complaints from users regarding the redirects; the only problem is that I can't replicate the problem for the life of me. I've installed Fiddler, cleared all cache/temp files and nothing. If anyone can be of any help please let me know.

Regards,

# re: More on the hijacking Flash banner ads....

Friday, November 30, 2007 5:04 PM by sandi

Hi Jay,

I'm not surprised that you can't see the problem; web site owners rarely can.

I'll see what I can do about capturing proof for you.

Sandi

# re: More on the hijacking Flash banner ads....

Sunday, December 02, 2007 1:22 PM by Tony Berdahl

Received the redirect from this page

msn.foxsports.com/.../gameTrax

# re: More on the hijacking Flash banner ads....

Sunday, December 02, 2007 8:17 PM by Zeb

Sandi

I have noticed this for about six weeks now - I can't believe that the sites concerned (Major League Baseball, the NHL, the Economist are the ones I've encountered) haven't done anything about it. I've got a fiddler capture from mlb, but it probably won't be much use since that seems to be the one that is affected the most and there must, therefore, be tons of captures out there.

It seems to affect about one in five of my visits to mlb.com, less than one in twenty to nhl.com and I've only seen it about four times in a month on the Economist site. On another forum, I've found posts that suggest that the ads are being served up by DoubleClick's DART programme - which allows publishers to manage their ads. What the ****bags behind malware-scan/blessedads/preved et al. are apparently doing is registering a load of sites, contacting publishers and paying for ads with stolen credit cards, then injecting their compromised Flash files into the ad.

These people truly are the scum of the Earth - when you think about the potential money to be made from ransomware injected onto sites that non-technical people visit regularly, it's frightening.

# re: More on the hijacking Flash banner ads....

Sunday, December 02, 2007 8:39 PM by sandi

Hi Zeb

Please send the capture to me.  We really do need any and all that we can get our hands on.  My email address is in my most recent blog post.

I do not, as yet, have a copy of a capture affecting MLB, so please send it to me.

Best wishes,

Sandi