Malicious SWF advert captured on NationalGeographic.com

I only have time to post screenshots at the moment - the malicious advertisement can be seen at:
66.179.234.173/images/1847_560766_7006263_90_728.html

A Google search reveals that the IP address 66.179.234.173 has a history of involvement with malicious banner advertisements:
http://www.google.com/search?q=66.179.234.173&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1

The SWF itself is being pulled from:
rmedia.adonnetwork.com/images/560766_90_728_200711011430_tubesnow_728x90.swf

With JavaScript being pulled from:
rmedia.adonnetwork.com/adon_flash_v2.js
and

I'll post more specific details in roughly 9 hours' time; I won't have time before then to go through the Wireshark capture evidencing the redirect.
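The indicators listed above (the serving IP, the ad-network host and the three files that make up the creative) are the kind of thing a site operator would want to sweep their proxy logs for. The script below is an added example, not code from the post: it parses a few constructed proxy log lines (the layout "epoch client method url status type" is an assumption, not a real capture), flags any request to the listed host or IP, or for any of the listed paths, and reports which internal clients fetched them.

```python
import re
from urllib.parse import urlsplit

# Indicators as listed in the post above: the serving IP, the ad-network
# host and the three files (HTML wrapper, JavaScript loader, SWF).
IOC_HOSTS = {"66.179.234.173", "rmedia.adonnetwork.com"}
IOC_PATHS = {
    "/images/1847_560766_7006263_90_728.html",
    "/adon_flash_v2.js",
    "/images/560766_90_728_200711011430_tubesnow_728x90.swf",
}

# Constructed sample lines (assumed layout: epoch client method url status type);
# they are not a real capture from the post.
SAMPLE_LOG = """\
1196064000.123 10.0.0.12 GET http://www.nationalgeographic.com/ 200 text/html
1196064001.456 10.0.0.12 GET http://66.179.234.173/images/1847_560766_7006263_90_728.html 200 text/html
1196064001.789 10.0.0.12 GET http://rmedia.adonnetwork.com/adon_flash_v2.js 200 application/x-javascript
1196064002.001 10.0.0.12 GET http://rmedia.adonnetwork.com/images/560766_90_728_200711011430_tubesnow_728x90.swf 200 application/x-shockwave-flash
1196064003.500 10.0.0.33 GET http://example.com/news/index.html 200 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Split one proxy log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["url"])
    entry["host"] = (parts.hostname or "").lower()
    entry["path"] = parts.path or "/"
    return entry


def classify(entry):
    """Return the reasons an entry matches the indicators (empty list means clean)."""
    reasons = []
    if entry["host"] in IOC_HOSTS:
        reasons.append("known-bad host")
    if entry["path"] in IOC_PATHS:
        reasons.append("known-bad path")
    # Only call out Flash objects when they come from an already-flagged source,
    # so ordinary .swf traffic does not drown the report.
    if entry["path"].lower().endswith(".swf") and reasons:
        reasons.append("flash object from flagged host")
    return reasons


def scan(text):
    """Scan a block of log text and return the matching entries with their reasons."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"client": entry["client"], "url": entry["url"], "reasons": reasons})
    return hits


def clients_seen(hits):
    """Sorted list of internal clients that fetched any flagged resource."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["client"], h["url"], "; ".join(h["reasons"]))
    print("clients to follow up:", clients_seen(scan(SAMPLE_LOG)))
```

Matching on the host and path separately matters here: the same creative can be rotated under a new file name, and the same file can be served from a new IP, so a hit on either is worth a look even when the other half has changed.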

Published Mon, Nov 26 2007 7:37 by sandi

Comments

# re: Malicious SWF advert captured on NationalGeographic.com

Wednesday, December 19, 2007 9:41 AM by Torq Cisek

I came across this post in the effort to research both Adon and this banner that a company Proximogroup wants to run on our channels (Vlaze.com). Do you have any additional information on this and can you tell me what this banner was attempting to do? Thanks

# re: Malicious SWF advert captured on NationalGeographic.com

Wednesday, December 19, 2007 2:31 PM by sandi

The banner attempts to hijack visitors to a web site that displays the advertisement, and redirects them to a fraudware site - fake registry cleaners and whatnot - scary pop-up boxes appear warning of various problems, and the site uses various trickery to get the fraudware on the system. A scan takes place, the fraudware finds non-existent infections, and then offers to clean the non-existent infections for between $20 and $70 USD.

Be very grateful that you did not buy this banner. You would have lost visitors, you would have received a stack of complaints, and your site's reputation would have taken a hammering.

If you want to provide me with further information about Proximogroup, I'll see what I can do about stopping the continuing sale of this banner advertisement.

# re: Malicious SWF advert captured on NationalGeographic.com

Thursday, January 17, 2008 1:52 AM by Reggie Mullen

Are you kidding me? I came across this post searching "Vlaze" and "spyware" because this site (vlaze.com) has somehow taken over my computer. Endless pop-ups, over and over again, refreshing over and over again. I have to unplug my computer (literally) to get it to stop.

And here I find a post by someone FROM vlaze.com saying that they are worried about another company doing the same thing they are guilty of.

Something is very fishy here.