December 2007 - Posts

Malicious advertisements and advertising fraud. What do we know?

Credit to Suzy of Spywarewarrior, who grabbed the data pertaining to 190.15.73.254.

Ok, this is NOT going to be light reading - it's heavy going - but for those of you interested in seeing behind the smoke and mirrors that is internet advertising and web hosting, especially as it pertains to malicious banner advertising and scareware/fraudware software, it's worth wading through. 

My regular readers know that skyauction.com allege that netmediagroup.net used a fake "letter of mandate" to fool web sites into allowing unauthorised, maliciously coded advertisements to be displayed on their web sites.

We also know that emusic.com allege that uniqueads.com, adtraff.com and forceup.com have been fraudulently purchasing advertising on eMusic's behalf.

We also know that the same names seem to appear over and over and over again when we investigate malicious banner advertisements. For example:

  1. soccernet - burnads.com, adtech.de, blessedads.com, performanceoptimizer.com
  2. allmusic - checkm8.com, newbieadguide.com, blessedads.com, prevedmarketing.com, malware-scan.com
  3. defsounds - r2d2adverising, newbieadguide.com, blessedads.com, prevedmarketing.com, malware-scan.com
  4. allmusic again - checkm8.com, adtraff.com, blessedads.com, prevedmarketing.com, shivanetworking.com, deuscleaneronline.com
  5. ok-magazine - r2d2adverising, newbieadguide.com, blessedads.com, prevedmarketing.com, malware-scan.com
  6. sensis - mysurvey4u, blessedads, prevedmarketing, malware-scan.com
  7. Large website - prevedmarketing, malware-scan.com

Are we seeing a pattern here?  Of course we are - the same names kept popping up over and over during the recent outbreak of malicious banner advertisements.  But things get even more interesting if we dig a little deeper.  Let's concentrate on just one IP address that keeps appearing:

 

adtraff.com - 190.15.73.254

forceup.com - 190.15.73.254

burnads.com - 190.15.73.254

blessedads.com - 190.15.73.254

prevedmarketing.com - 190.15.73.254

r2d2adverising.com - 190.15.73.254

shivanetworking.com - 190.15.73.254

 

Who else is associated with the IP 190.15.73.254? 

Search Results for 190.15.73.254 [reverse DNS - 190-15-73-254.securehost.com]

Ad2cash.net Ad2profit.com Adcomatoz.com Adgurman.com Adhokuspokus.com Adnetserver.com Adredired.com Adsolutio.com Adtraff.com Adverdaemon.com Adverlounge.com Adzyclon.com Antivirussecuritypro.com Astalaprofit.com B2adz.com Bestadmedia.com Bestpharmacydeals.com Bestsearchnet.com Bestshopz.com Bestwnvmovies.com Bizadverts.com Bizmarketads.com Blessedads.com Brandmarketads.com Bucksinsoft.com Burnads.com Cancerno.com Cashloanprofit.com Casinoaceking.com Casinodealsgalore.com Cheap-auto-deals.com Co-search.com Cryptdrive.com Deuscleanerpay.com Easybestdeals.com Eroticabsolute.com Fantazybill.com Favouriteshop.com Fileprotector.com Forceup.com Freepcsecure.com Freetvnow.net Friedads.com Getfreecar.com Glorymarkets.com Great4mac.com Greyhathosting.com Hebooks-service.com Iddqdmarketing.com Infyte.com Installprovider.com Internetadaultfriend.com Internetanonymizer.com Intervarioclick.com Invulnerableads.com Keywordcpv.com Libresystm.com Luckyadcoin.com Luckyadsols.com Magicsearcher.com Manage-search.com Marketingdungeon.com Mediatornado.com Megashopcity.com Mightyfaq.com Misc-search.com Mobilesoftmarketing.com Moneycometrue.com Moneypalacecash.com Myfavouritesearch.com Myhealth-life.org Myonlinefinance.com Mysurvey4u.com Mythmarketing.com Mytravelgeek.com Netmediagroup.net Netturbopro.com Onestopshopz.com Opensols.com Pcsoftw.com Pcsupercharger.com Popadprovider.com Popsmedia.com Popupnukerpro.com Prenetsearch.com Prevedmarketing.com Prizesforyou.com R2d2adverising.com Rocktheads.com Roller-search.com Rombic-search.com Searchcolours.com Sellmoresoft.com Selvascreensaver.com Sharpadverts.com Shivanetworking.com Shopshot.com Softwcs.com Stratosearch.com Swiftcleaner.com Tallgrass-seach.com Traffalo.com Traveltray.com Uniqads.com Vitecmedia.com Waytotheprofit.com Windefender.com Wontu-search.com Workhomecenter.com Yourseeker.com Yourshopz.com Yourteacheronline.com Zappinads.com Zooworld-search.com

Look at who appears in the reverse IP search of 190.15.73.254 - none other than netmediagroup.net

Yep, securehost.com hosts adtraff.com, forceup.com, netmediagroup.net and uniqueads, all of which are accused of fraudulently claiming to represent reputable web sites, and of distributing malicious banner advertisements.

Look who else is there - mysurvey4you.com, traveltray, getfreecar, prevedmarketing, B2adz.com, blessedads, burnads, R2d2adverising.com, Shivanetworking.com - all of which have been associated, in one way or the other, with malicious banner advertisements.
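The pivot used above - resolving a set of suspect advertising domains and then looking at what else sits on the same IP - can be scripted. The following is an added example (my own code, not from the original post) that takes a constructed table of domain-to-IP resolutions, built from the names and addresses quoted on this page plus one unrelated control entry, indexes it by IP, and reports the IPs shared by two or more already-suspect domains together with the other domains co-hosted there. The function names and the sample table are assumptions for the sake of the example; in practice the table would come from your own DNS logs or a passive-DNS source.

```python
from collections import defaultdict

# Constructed sample of (domain, ip) resolutions using names and addresses quoted on
# this page, plus one control entry in the 203.0.113.0/24 documentation range.
RESOLUTIONS = [
    ("adtraff.com", "190.15.73.254"),
    ("forceup.com", "190.15.73.254"),
    ("burnads.com", "190.15.73.254"),
    ("blessedads.com", "190.15.73.254"),
    ("prevedmarketing.com", "190.15.73.254"),
    ("r2d2adverising.com", "190.15.73.254"),
    ("shivanetworking.com", "190.15.73.254"),
    ("netmediagroup.net", "190.15.73.254"),
    ("b2adz.com", "190.15.73.254"),
    ("securityonpage.com", "208.96.58.52"),
    ("protectroom.com", "208.96.58.52"),
    ("storageprotector.com", "87.117.252.11"),
    ("example.org", "203.0.113.10"),   # unrelated control entry (constructed)
]

# Domains already seen serving malicious banners in the incidents listed above.
SEEDS = {"burnads.com", "adtraff.com", "blessedads.com", "prevedmarketing.com"}


def index_by_ip(resolutions):
    """Build ip -> {domains} (a reverse-IP view) and domain -> {ips}."""
    by_ip = defaultdict(set)
    by_domain = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain.lower())
        by_domain[domain.lower()].add(ip)
    return by_ip, by_domain


def pivot_on_shared_ips(resolutions, seeds, min_seeds=2):
    """Return {ip: {"seeds": [...], "cohosted": [...]}} for every IP that at least
    `min_seeds` seed domains resolve to; "cohosted" lists the other domains on that IP,
    which are candidates for closer review (not automatically guilty)."""
    by_ip, _ = index_by_ip(resolutions)
    seeds = {s.lower() for s in seeds}
    findings = {}
    for ip, domains in by_ip.items():
        hits = domains & seeds
        if len(hits) >= min_seeds:
            findings[ip] = {"seeds": sorted(hits), "cohosted": sorted(domains - seeds)}
    return findings


if __name__ == "__main__":
    for ip, info in pivot_on_shared_ips(RESOLUTIONS, SEEDS).items():
        print(f"{ip}: seeds {info['seeds']}")
        print(f"    co-hosted: {info['cohosted']}")
```

Co-location is a lead, not proof: a shared-hosting box can carry hundreds of unrelated sites, which is exactly the stooge-or-collaborator question raised below about securehost.com and 87.117.252.11, so treat the co-hosted list as a review queue rather than a block list.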

Let's look at Mike On Ads' blog entry about ErrorSafe (aka Winfixer).  He refers to mysurvey4you, traveltray.com and getfreecar.com.  BTW, cannis.org (mentioned on Mike's blog) shares an IP address with none other than systemdoctor.com, yet another winfixer type site.

In short, securehost is a problem.  But so is Limelight Networks, and Innovative Marketing.  Let's go a little further afield, and check out Mike Burgess's blog. Mike, by the way, is the MVP behind the MVP Hosts File.

First, let's look at "Limenetworks serving up malware".  In this article Mike shows how Limelight Networks are hosting sundry malware downloads.  b2adz (190.15.73.254) pops up in relation to two scareware/fraudware sites, namely securityonpage.com and storageprotector.com.  A reverse IP check reveals that protectroom.com, savetheinformation.com, wayforprotection.com and ieerror404.com are all at the same IP as securityonpage.com (208.96.58.52). 

336 domains resolve to the same IP as storageprotector.com (87.117.252.11), many of which seem to be antivirus, antispyware, privacy protection sites and the like.  I'll leave it to you to decide how many of those 336 domains are legitimate and how many are fraudware/scareware (see the end of this blog for a list of domains that resolve to 87.117.252.11 as at time of writing).

Next, take a look at "LimeLight Networks and connecting the dots", which builds an association between LimeLight Networks and Innovative Marketing Group (aka Winfixer).

Finally, let's look at "More on Innovative Marketing", which briefly points out the hosting services that are affiliated with Innovative Marketing Group.

I know, there is a lot of data here, a lot of names and IP addresses, but it serves to give you a glimpse into how close the ties can be between the various names associated with scareware, fraudware, malicious banner advertisements and fraudulent activity such as that reported by skyauction.com and emusic.  The information shows us that malicious activities and incidents which seem scattered, and too prevalent and widespread to be easily shut down, can sometimes be treated as a "job lot": a lot of difference could be made to the safety of internet users as a whole if only we could get the primary sources/hosts to cooperate and shut things down.

Now, the question is - is securehost.com simply a stooge?  An unwitting host and victim?  Or a collaborator?

What about whoever is behind 87.117.252.11 - stooge and victim, or collaborator?

Over the next day or so we will take a look at how the advertising networks that we know have been infiltrated are responding to the risks - we'll focus just on the advertisements that have been discussed on this site and take a look to see if the malicious SWF files are still around, or if they have been deleted or moved.

Addendum: Sites that resolve to 87.117.252.11

Acchiappavirus.com Adiosvirus.com Ahorrememoria.com Altalimpeza.com Anonimutente.com Antiamenazas.com Antiespiamaestro.com Antievidence.com Antispionimaestro.com Antispywareconductor.com Antispywarecontrol.com Antispywaremaster.com Antispywaremeister.com Antivirusfiable.com Antivirusforall.com Antivirusforalla.com Antivirusforalle.com Antivirusfueralle.com Antivirusgenial.com Antivirusmagique.com Antivirusparatodos.com Anzentsuru.com Apagahistorico.com Apolloantivirus.com Archivosenestado.com Atemaiserro.com Atrapavirus.com Aucunchoixpourvirus.com Aucunefaute.com Aucuninfection.com Aucunmenace.com Aucunserreurs.com Avcompleto.com Avsecurityplus.com Avseguro.com Bandoaivirus.com Bandoalleinfezioni.com Barreraintegral.com Bastioneantivirus.com Beskyttelseonline.com Beskyttendevaerktoj.com Bestsellerantivirus.com Blanchdisc.com Borresuspasos.com Bossedeserreurs.com Brossedesfautes.com Bugseraser.com Caiforavirus.com Ceroamenazas.com Cerovirus.com Chasseurdeserreures.com Cleanerpotente.com Cleanpctool.com Cleanuptool.com Confidentsurf.com Confidentuser.com Contenidoseguros.com Contenteraser.com Controledemenaces.com Controlloreprivacy.com Curerrores.com Dataconfidentiality.com Defensaantivirus.com Defensecelebre.com Defensededriver.com Defensedinformation.com Defensedudisque.com Defensenetsurfage.com Defensivesystem.com Dejitarufukugen.com Dejitarukyoikira.com Dejitaruwakuchin.com Detapurotekuta.com Detaripea.com Detectaerrores.com Discoseguro.com Diskassistent.com Diskretter.com Disksaeuberung.com Disksizesaver.com Disksparare.com Disukushuri.com Doubledefender.com Driversecurise.com Einwandfreierpc.com Eliminadordeamenazas.com Elmejorantivirus.com Emperahogo.com Enmiendaerrores.com Equipoantiespia.com Eracheisa.com Erasutoppu.com Erreurchasseur.com Errorfighter.com Essentialeraser.com Expertdantispyware.com Exterminadordevirus.com Extremuclean.com Fairukyua.com Feilvakt.com Fejlfripc.com Fejlreparering.com Felfixare.com Ferramentadesolucao.com Ferramentasegura.com 
Festplattencleaner.com Festplattentool.com Fiksdinpc.com Filtredetraces.com Filtrototal.com Fixthemnow.com Fjernervirus.com Foutenwacht.com Geheugenredder.com Guardiandelaprivacidad.com Guardianodelpc.com Gubbishremover.com Hackerstaisaku.com Hadodoraibugado.com Harddriveguard.com Herramientasegura.com Historialout.com Hotbevakning.com Ingavirus.com Ingenmulighetforvirus.com Inhaltsaeuberung.com Inhaltspeicher.com Inmunepc.com Kakujitsutsuru.com Keinespurenlassen.com Keineviren.com Knowhowprotection.com Konsekiauto.com Kontentsufiruta.com Kurinkonseki.com Kyoiireza.com Kyoikanshi.com Kyoryokucleaner.com Largavidapc.com Laufwerkcleaner.com Limpiapc.com Limpietodo.com Lomejorenantivirus.com Longlifepc.com Lungavitapc.com Maechtigerreiniger.com Malwareschutz.com Manutencaopc.com Memorisebu.com Menacecontrole.com Menacefighter.com Menacemonitor.com Menacescrubber.com Menacesprotection.com Miavcompleto.com Mightycleaner.com Minnesparere.com Monitordeamenazas.com Moteurpcpro.com Mycontentassistant.com Netsurfageassure.com Nettoyeurdepc.com Nettoyeurdeserreures.com Nettoyeurdevirus.com Nettoyeurpuissant.com Neuerantivirus.com Neuerschild.com Nientetracce.com Nouvelantivirus.com Nurdeinpc.com Ohnespurensurfen.com Omelhorantivirus.com Onlinehelpmate.com Onlineverktyg.com Onrainpurotekuta.com Ordureffaceur.com Oruripea.com Pasderreurs.com Pasdesfautes.com Pasdesmenaces.com Pasendommagement.com Pasplusdespertes.com Pasplusdevirus.com Pcantiviruspro.com Pcassertor.com Pcbewaker.com Pcboosterpro.com Pcbunan.com Pceternel.com Pcforfender.com Pchealthkeeper.com Pchjaelper.com Pcinforedder.com Pclibredevirus.com Pcohnespuren.com Pcredskab.com Pcsansbug.com Pcsecuresystem.com Pcsecurise.com Pcsentineru.com Pcsiemprenueva.com Pctoolpro.com Pcultralimpia.com Pcveiligheidstool.com Pcvirussweeper.com Perfektantivirus.com Personalityprotector.com Poseidonantivirus.com Poupememoria.com Preservingtool.com Privacidadconductor.com Privacidadgarantizada.com Privacidadyseguridad.com 
Privacyredder.com Privacywaker.com Privacywarrior.com Privatsicherer.com Protecaoconfiavel.com Proteccionasegurada.com Proteccioncompleta.com Proteccionimperial.com Protecteurdinfo.com Protectionassuree.com Protectionconue.com Protectiondedriver.com Protectiondenetsurfage.com Proteggidati.com Protezioneesperta.com Protezionefidata.com Pulituraestrema.com Puraibashihosho.com Puraibashimaneja.com Puraibashitoshinrai.com Rendimientototal.com Rensanu.com Reparaerrores.com Reparateurdesysteme.com Repareja.com Reparemenaces.com Repareya.com Rimuoviciarpame.com Riparaminacce.com Riparasubito.com Riservatezzanet.com Safeharddrive.com Safepctool.com Safudaijoubu.com Salvaspaziosudisco.com Sansendommagement.com Sansinfections.com Sayonarabaggu.com Schijfbewaker.com Schijfcontroleur.com Schijfredder.com Schijfruimteredder.com Schutzderdaten.com Schutzfuerpc.com Secretissimosoft.com Secretopertutti.com Secretosasalvo.com Secretoseguro.com Securepccleaner.com Sefunahimitsu.com Sekretessforsvarare.com Senzadoppioni.com Shingaidome.com Shinraihogo.com Shinraipafomansu.com Shisutemudifensu.com Sichererantivirus.com Sichererschutz.com Sicherheitstool.com Sikkerbrukere.com Sikkerpcredskap.com Sikkersystem.com Sinataques.com Sinrrastros.com Sinsenales.com Sistemaprotegido.com Sistemupyua.com Sisutemuantei.com Sisutemuorugurin.com Skyddsprogram.com Smittfri.com Solelunaantivirus.com Speichertool.com Spyguardpro.com Spywaretaisakumaster.com Stopbedreiging.com Stopminacce.com Storageprotector.com Succesantivirus.com Superanonimo.com Surfforsure.com Surfremover.com Sutoppuwirusu.com Syssauvegarde.com Systemerrorfixer.com Systemesansfaute.com Systemesansvirus.com Systemhoover.com Systemschild.com Tackanejvirus.com Tilforlatelig.com Toolsicuro.com Topsalgantivirus.com Trasheraser.com Trusselovervagning.com Trustedantivirus.com Trustedprotection.com Tryggpcverktyg.com Trygpcbruger.com Turnkeyantivirus.com Unidadessanas.com Usuarioprotegido.com Utiledereparation.com Utilisateursur.com 
Vaktmotvirus.com Veiligheidsagent.com Virenvernichter.com Virusbekaemper.com Viruskrakker.com Virussperr.com Virusurimuva.com Virusvanger.com Virusvijand.com Volumformatredskap.com Wirusufinisshu.com Wirusuk.com Wirusukyua.com Wirusumuryokuka.com Wirusushattodaun.com Wirusushuryo.com Yourprivacyguard.com Yuzasefu.com Zentaiwakuchin.com

HOTFIX: After you use the Internet Explorer Customization Wizard to remove the default elements of some features in Internet Explorer 7, these elements still exist in Internet Explorer 7

On a computer that has Windows Internet Explorer 7 installed, you run the Internet Explorer Customization Wizard. You use this wizard to create an Internet Explorer 7 customized package. In the wizard, you remove the default elements of the following features:

• Favorites
• Feeds
• Links

Note: The Internet Explorer Customization Wizard is a component of the Internet Explorer Administration Kit (IEAK). 

You build the customized package, and you install the package on a destination computer. However, the default elements of the features that you removed still exist.

Source: http://support.microsoft.com/default.aspx/kb/941938

I know of some people who are going to be real pleased about this - they found it very irritating that they could not remove default MS resource links and RSS feeds without jumping through all sorts of hoops...

Posted by sandi with no comments

Breaking news: skyauction.com, unauthorised malicious advertisements, a fake letter of mandate.. oh my...

My regular readers may recall my recent article about emusic's claim that various advertising networks (uniqueads.com, adtraff.com and forceup.com) were fraudulently claiming to represent emusic.  Said advertising networks were apparently selling unauthorised, malicious advertisements touting emusic.com; advertisements that hijacked users in an attempt to spread malware.

Well, I have received an email from the Chief Technology Officer at skyauction.com and he has quite a story to tell.  Here is a quote from his email - information shared with permission:

"We were contacted by another company today that were duped into hosting one of the fraudulent ads for a couple of days (which have since been taken down). It seems that the source of the ads is a company called NetMediaGroup (http://www.netmediagroup.net). They are claiming to represent us and even provided a fake letter of mandate (which I can email you) to one of their targets saying that they represent us. As with our logo, they were pretty sloppy creating this fake "mandate" because there are some obvious errors. In this case, someone with the pseudonym (one can only guess) of "Jim Burch" (jim@netmediagroup.net) contacted the site claiming to represent us and asking to put up ads on the contact's site. Then the ads go up and deliver the fake malicious Skyauction ads until someone complains and they are finally taken down. NetMediaGroup appears at first glance to be a real company, but they are probably a completely fraudulent one. The domain name is registered to some organization in Germany, but the contact us phone number seems to be in the Netherlands. All of the names on the web site are just generic (i.e. they don't give full names)."

Here is a picture of the fake letter of mandate as sent to me by skyauction.com - click on the graphic to view a full size copy:

Ok, so who are netmediagroup.net?  Let's do a Whois search (copied below) - hmm, note the email address burnads_c@yahoo.com.  Yep, that rings a bell - thinking back to the fake skyauction.com advertisement that hit soccernet.com, I remember that the name burnads appeared.  The referrer for performanceoptimizer was: burnads.com/swf/gnida.swf?campaign=flatfootup&u=23423424. That URL, when I just loaded it on my system, redirected me immediately to a fraudware site.

I think it is time to get in touch with the CTO of emusic and find out what *his* story is.  The CTO of skyauction and I both believe that the best way to fight the fraudsters is to expose their activities.

Domain Name : netmediagroup.net

::Registrant::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18,  Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Administrative Contact::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18,  Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Technical Contact::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18,  Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Name Servers::
ns1.netmediagroup.net
ns2.netmediagroup.net

::Dates & Status::
Created Date   2006-06-29 05:38:33 EDT
Updated Date   2007-06-27 17:59:00 EDT
Valid Date     2008-06-29 05:38:33 EDT
Status         ACTIVE

Is this the beginning of the end for malicious SWF files?

Oh, I hope so.  Mind you, it's going to take me quite a while to get my head around this 7 page document, and all of the extra pages referred to ... anybody want to give me a crash course, or explain to my readers what sort of difference this will make in the fight against malicious banner advertisements? ;o)

Source: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

"In 2003, Flash Player 7 software introduced a channel of client-server communication that was new to the web: direct cross-domain data loading, authorized by policy files. Before policy files, web content could only perform two-way communication with its own server, such as runtime configuration or transactions without page reloads. Policy files allowed servers to open up their data selectively to client content from other domains, or generally to content from anywhere. Since the introduction of policy files, domain boundaries have been less of a barrier for authors of rich Internet applications.

Like most new technologies, policy files weren't perfect when they were first introduced. After four years, the Internet security community has found two undesirable situations (described later in this article) that can arise from the existence of policy files. The basic premise of policy files remains valid, and Flash developers can continue to rely on policy files just as they have since Flash 6. To address the new concerns, however, Adobe is specifying some stricter rules for the use of policy files. Additionally, there are a number of improvements that make policy files more useful and usable. We will try to explain the reasons for our changes clearly and simply."
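For readers who have not seen a policy file, here is an added example (my own, not from the original post or from Adobe) showing the two extremes the quoted passage describes: a crossdomain.xml that opens a server's data to Flash content from anywhere, beside one that restricts access to named domains, plus a small Python audit function that flags the permissive settings. The element and attribute names (cross-domain-policy, allow-access-from, site-control, permitted-cross-domain-policies, secure) are the real Flash Player policy-file vocabulary; the two sample files, the example.com hostnames and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a policy file that opens the server's data to Flash content
# from any site, including content loaded over plain HTTP when this file is served
# over HTTPS, and that lets any file on the host act as a policy file.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: the same server opened only to its own hosts, with policy
# files restricted to this master file at /crossdomain.xml.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings describing permissive settings in a crossdomain.xml.
    An empty list means none of the checked settings were found."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>: not a valid policy file"]
    findings = []
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": any file on the host '
                        'may act as a policy file, not just the master crossdomain.xml')
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": data is readable by Flash content '
                            'from any site')
        # secure defaults to true; "false" matters only when the file is served over HTTPS
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": if this file is '
                            'served over HTTPS, content loaded over plain HTTP may read the data too')
    return findings


def allowed_domains(xml_text):
    """List the domain patterns a policy file grants access to."""
    root = ET.fromstring(xml_text)
    return [rule.get("domain", "") for rule in root.findall("allow-access-from")]


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: allows {allowed_domains(policy)}")
        for finding in audit_policy(policy):
            print("   -", finding)
```

The point of the second file is the one the Adobe text makes: a policy file does not have to open the server to everyone, and the stricter rules being introduced are about stopping stray files elsewhere on a host from being treated as policy files.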

 

Scott Adams doesn't like blogging much anymore....

He said on November 26:

"Readership of The Dilbert Blog is growing rapidly, but at about the same rate people figure out how to use RSS feeds to get the content without the ads. So there’s no longer a correlation between how hard I work and the ad income I earn. It topped out at “trivial,” even while the audience grew to substantial."

I sympathise with Scott with regards to his concerns about earning an income - after all, every tradesman is entitled to a fair wage, and heaven knows I've had my own issues in recent times with regards to financial support for the online work that I do.  But, to be honest, I have to say that people moving to RSS to read content can only be a good thing, especially in the current threat environment of malicious advertisements and web site hackings.  With RSS, we don't have to worry as much about such dangers.

Why do I say "as much"? Because I'm not 100% certain of the potential threat environment of RSS - it is something worth taking a closer look at.

Unfortunately, advertisements are slowly appearing in RSS feeds, but as far as I know they don't bring with them the risks associated with more traditional advertising.

So here's a question for those of you who use RSS - do you use it for convenience's sake? How much of your preference for RSS comes from the fact that you can avoid so much advertising content?  There are no pop-ups, few banner ads, and we don't need to worry about being hit by an iframe hack or (I think) malicious banner advertisements.  Note that I am uncertain about the potential risk posed by advertisements in RSS feeds.

 

Posted by sandi with 7 comment(s)

A blank Web page is displayed when you start Internet Explorer 7

When you start Windows Internet Explorer 7, your home page does not open. Instead, a blank Web page is displayed.

Additionally, you may receive an error message that resembles the following:

Line 56
Char:2
Error: Element not found
Code: 0
URL:http://runonce.msn.com/runonce2aspx

This problem typically occurs after you install Internet Explorer 7, after you install Windows, or after you reset Internet Explorer settings. This problem may occur only for certain users.

Note from Sandi - the blank page will most likely be blue in colour.

This problem occurs if the Customize Your Settings Web page in Internet Explorer 7 is not loaded correctly or if the Customize Your Settings Web page opens with restricted security settings.

Resolution:

"RunOnceHasShown" - set dword to 00000001

"RunOnceComplete" - set dword to 00000001

(Note: Yes, this information is already on www.ie-vista.com - that being said, it is nice to have an official KB available.)

http://support.microsoft.com/default.aspx/kb/945385

Posted by sandi with 1 comment(s)

Press Release by eMusic

Wow, check out what Mike Burgess (the MVP behind the ever-popular MVP Hosts file) alerted me to this morning...

"NOTE: It has come to our attention that Uniqads.com, Adtraff.com and Forceup.com have been fraudulently purchasing advertising on eMusic's behalf. These companies are not authorized to act on eMusic's behalf and are distributing malware."

Them's fighting words.  eMusic are justifiably upset about the unauthorised advertisements touting their web site, which are maliciously coded to redirect viewers to various Winfixer-type web sites.  But eMusic are certainly not the only victims of such behaviour.  Skyauction.com is one web site that immediately comes to mind: unauthorised advertisements touting that site were what caused the redirects that hit Sensis and soccernet.com, and Skyauction has also been quoted as being justifiably upset at the negative impact the unauthorised advertisements have on their site's reputation.  I've also seen unauthorised advertisements touting British Airways, getsafeonline.org and many other big names (Mike of mikeonads.com has collected quite a few screenshots of such advertisements).

You know, there is a big difference between an advertising network unwittingly hosting a malicious banner advertisement, or being fooled into accepting unauthorised, maliciously coded advertisements, and an advertising network being an active, willing participant in such activities.  Is eMusic alleging that Uniqads.com, Adtraff.com and Forceup.com are active participants as distinct from unwitting stooges?  Have eMusic been in touch with the companies and warned them that they are hosting unauthorised advertisements touting the eMusic web site?  If so, what was their response?  I think it behooves eMusic, if they are going to allege "fraudulent purchasing" via such a public statement, to outline their approaches to the advertising companies, and the companies' responses.

As far as I know, it is not standard industry practice for an advertising network to contact the business or web site that is the subject of an advertisement to ensure that the advertisement they plan to host is authorised and legitimate.  Perhaps this is something that advertising networks need to start doing but, realistically, it may be a difficult question to answer.  I don't profess to be anywhere near an expert in how the online advertising world works, but the impression that I get is that there are so many brokers out there, so much onselling and other carry-on that it may not be a simple matter to pick up the phone, call a company and say "is this advertisement authorised"?

 

Posted by sandi with no comments

It's a quiet night tonight...

I don't know whether to be grateful, or bored.  My cell phone hasn't been bouncing around on my desk tonight (I use silent on vibrate when working).  Email is fairly quiet insofar as there are no glaring, the-world-is-going-to-end-if-you-don't-respond-to-my-email-right-now, emergencies that need my attention.  I have a few bits and pieces to deal with from a couple of advertising networks and whatnot, but all in all, things are quite peaceful.  Here's hoping it is not the calm before the storm.

There have been some very interesting conversations going on, in the background, regarding the malicious banner advertisements that have been the focus of attention on this blog in recent times.

For example, as far as I am concerned, it is a *glaring* deficiency on the part of Macromedia/Adobe that there is no way for the end user to stop a malicious Flash advertisement from hijacking them.  Unlike Web browsers, which have various security "zones" and other menu options where you can turn off active content, Flash does not provide that ability. 

Realistically, what can the end user do to avoid malicious banner advertisements?  Uninstall Flash?  Yeah, but that kills everything Flash related.  Block all advertisements using a HOSTS file or similar?  This is not fool-proof (yes, that's right, the HOSTS file is sometimes ignored, as I have learned from a fascinating discussion on a private security-based mailing list), and then there is the ethical dilemma of web sites losing income from banner advertisements - you see, every tradesman is entitled to his wage, even if his "trade" is writing content for whatever web site, but that wage should not be earned in such a way that places a client (even a freeware client who doesn't actually pay anything) at risk.  Remember, there is no such thing as a free lunch, and, in the end, the web sites that are hit by the malicious banner advertisements are as much of a victim as we are. 

Do we set IE's security settings for the Internet Zone so high that it "breaks the web"?  The end result of *that* protocol is that your users, if they can, will add all of the sites that they know and love to IE's Trusted Sites Zone, and you and I know what will happen if a web site in the Trusted Sites Zone is hit by a malicious banner advertisement.  If the user is running the Trusted Sites Zone in its default settings, then the PC will be 0wned.

Some people are saying that the current outbreak of malicious banner advertisements will kill online advertising - and they may be right at least insofar as Flash based advertisements are concerned, if we can't get this under control.

I honestly believe that avoiding all advertising is the wrong way to go.  Some say that if something is free then it not only has no monetary value, it has no other value.  But, for those of you that think that, did you read Vlad's blog post about the issue of free content? It puts across, quite succinctly, why we need to provide some sort of financial support to those who provide free support and content.   I ask you, do you want my blog to remain as it is, or do you want it to end up like this one, teetering under the weight of crappy advertising?   Please, let me never get to the stage where I am willing to host advertisements that say "Do not click here unless you are 18".

 You see, I flat out refuse to ask for monetary support from the Web sites or companies that I help.  I don't care if they are AOL, or MSN, or Yahoo, or Google, or Sensis, or ESPN, or Akamai.  All I care about is protecting users who view their advertisements, and getting the malicious advertisements out of circulation.

BTW, you may have seen Wayne's post about me ... guess how much was donated to my Paypal account after that missive was published... nothing, nada ... a big, fat, zero.  Wayne's verbatim response, when I told him about the zero donations, was "Yup - I figured - sorry that your efforts amount to nothing.  I can understand if you want to give up - I would too."

"your efforts amount to nothing" .. they are harsh words.  But I won't give up.  Maybe "they" are right.  Maybe I am a fool to keep doing this, for free, getting up at 4.00am, going to bed at midnight or later, and not charging a cent for my efforts.  I look at my credit card debt and get so tired - but then I take a phone call from an advertising network, or from a computer naivette asking for help, and I just keep going - sometimes they are old and naive - sometimes they are young and naive - but I just can't leave them to cope as best they can.  Even when the big advertising networks phone.. I don't see the megarich conglomerate... I see the naive Mom and Dad and all I want to do is protect them.

So, I am going to go to bed and get my 4 hours of sleep.  I am going to shove my credit card debt in a conveniently deep desk drawer, and if the phone rings tomorrow because somebody wants help with a high traffic web site that has been hit by malicious advertisements, then I will find the bad guys and I will get them shut down.  And when the bad adverts are shut down I will smile, shoo my visitor out of my home, or my web site, and go on to the next task.

Let the you-are-not-worthy-to-be-an-MVP-or-even-breathe-on-the-ground-on-which-I-tread flames commence....

 

Posted by sandi with 5 comment(s)

Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure

Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as “contoso.co.us”, or for whom the following mitigating factors do not apply, are at risk from this vulnerability.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors:

  • Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
  • Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.
  • Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
  • Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)
  • Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
  • Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.

Source: http://www.microsoft.com/technet/security/advisory/945713.mspx
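To make the mitigating factors above concrete, here is an added example of my own (it is not from the advisory or from Microsoft). Given a client's primary DNS suffix it lists the WPAD names a devolving lookup would try, flags the ones that fall outside the domain the organisation actually registered, and then applies the advisory's mitigating factors in order. Two things are assumptions of the example rather than facts from the page: devolution is modelled as dropping leading labels until two remain, and the public suffix table is a tiny hand-written stand-in for the real list. ClientConfig and its field names are the example's own.

```python
from dataclasses import dataclass

# Hand-written stand-in for the public suffix list (assumption: the real list is far longer);
# it covers the suffixes the advisory uses as examples plus a few common ones.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "us", "co.us", "uk", "co.uk", "au", "com.au"}


def registrable_domain(suffix):
    """The part of a DNS suffix the organisation itself registered: one label under a public suffix."""
    labels = suffix.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # no known public suffix: treat the whole suffix as owned


def wpad_candidates(primary_suffix):
    """Names a devolving WPAD lookup tries for a primary DNS suffix: wpad.<suffix>, then each parent.

    Assumption: devolution drops leading labels until two remain, so the bare TLD is never queried.
    """
    labels = primary_suffix.lower().strip(".").split(".")
    names = []
    for i in range(len(labels)):
        tail = labels[i:]
        if i > 0 and len(tail) < 2:
            break
        names.append("wpad." + ".".join(tail))
    return names


def exposed_candidates(primary_suffix):
    """Candidates outside the registrable domain, i.e. names the organisation does not control."""
    owned = registrable_domain(primary_suffix)
    return [n for n in wpad_candidates(primary_suffix)
            if n != "wpad." + owned and not n.endswith("." + owned)]


@dataclass
class ClientConfig:
    """The settings the advisory's mitigating factors depend on (field names are this example's own)."""
    primary_dns_suffix: str = ""          # empty on most home machines that are not domain members
    proxy_via_dhcp_or_dns: bool = False   # proxy handed out by DHCP or a DNS record you control
    trusted_wpad_server: bool = False     # the organisation serves its own WPAD.DAT
    ie_manual_proxy: bool = False         # proxy typed into Internet Explorer's connection settings
    ie_auto_detect: bool = True           # 'Automatically Detect Settings' ticked in Internet Explorer


def assess(cfg):
    """Walk the advisory's mitigating factors in order; returns (at_risk, reason, exposed_names)."""
    if not cfg.primary_dns_suffix:
        return False, "no primary DNS suffix configured", []
    exposed = exposed_candidates(cfg.primary_dns_suffix)
    if not exposed:
        return False, "suffix is a registered second-level domain; devolution stays inside it", []
    if cfg.proxy_via_dhcp_or_dns or cfg.trusted_wpad_server:
        return False, "proxy already supplied by DHCP/DNS or a trusted WPAD server", exposed
    if cfg.ie_manual_proxy or not cfg.ie_auto_detect:
        return False, "Internet Explorer is not auto-detecting a proxy", exposed
    return True, "a devolved WPAD lookup can reach a name outside the organisation", exposed


if __name__ == "__main__":
    for suffix in ("contoso.co.us", "contoso.com", "fabrikam.gov", ""):
        at_risk, reason, exposed = assess(ClientConfig(primary_dns_suffix=suffix))
        print(f"{suffix or '(none)':16} at risk={at_risk!s:5} {reason}; exposed={exposed}")
```

For contoso.co.us the exposed name is wpad.co.us, which is exactly the third-level-domain case the advisory calls out; for contoso.com and fabrikam.gov nothing is exposed, and a machine with no primary suffix is ruled out before any lookup is considered. The remaining checks mirror the DHCP/DNS, trusted WPAD server and Internet Explorer settings in the list above.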

Soccernet.com

  1. As far as I know, no response has been received from ESPN

  2. I have contacted Akamai via email, warning them of the malicious SWF and asking that they remove it from circulation immediately.  If anybody in the USA would like to contact Akamai via their emergency contact number as listed on their web site, please do so and leave a comment to let us know this has happened.  Hopefully Akamai will respond quickly.

We're still searching for proof of the alleged redirect hitting msn.foxsports, Hotmail and Neopets.

soccernet.com hit by malware

My cell phone rang a few minutes ago to warn me that soccernet.com has been hit by malware - again, it is a Skyauction.com advertisement (similar to the one that hit Sensis not that long ago) that is the malicious party.

Let's have a look at what happens this time - as always the network capture is available for review by the appropriate authorities.  Screenshots of the malicious advertisement are at the end of this article.

We start here:
soccernet.espn.go.com/?cc=3436

The above page has an advertisement in the top right hand corner. That advertisement is:

a1767.g.akamai.net/v/1767/18689/7d/img-dc2.adtech.de/apps/162/Ad1600674St3Sz225Sq1148279V0Id1/468x60.swf

That SWF hijacks visitors to soccernet.com, and forces them to performanceoptimizer.com.  As always, the performanceoptimizer site throws up fake alerts etc etc etc.

This time there is no sign of prevedmarketing.  Instead, we see burnads and adtech.de, specifically:

burnads.com/swf/gnida.swf?campaign=flatfootup&u=23423424

ad.dc2.adtech.de/addyn%7C3.0%7C605%7C1181102%7C0%7C225%7CADTECH;loc=100;target=_blank;key=soccernet+index+AUS;kvsection=soccernet;kvpagetype=index;kvcc=AUS;grp=6644402;misc=1196658487765

We also see:

blessedads.com/?cmpid=flatfootup&adid=468

Before we finally end up at:

performanceoptimizer.com/.landing/index.php?cmp=tmsmsposl&poa=flatfootup&pol=468&apo=1&epo=1&edpo=2&mt_info=5010_3112_2759

The referrer for performanceoptimizer is: burnads.com/swf/gnida.swf?campaign=flatfootup&u=23423424

allmusic.com hit by another malicious banner advertisement

Note: allmusic.com approached me for assistance in tracking down a malicious banner advertisement that was redirecting visitors away from allmusic.com to a malware-scan website.  allmusic.com already have the results of the investigation, which have been passed on to the advertising network in question.

Screenshots of the malicious advertisement, allegedly for something called "MyWord Coach" are at the end of this article.

Ok, so let's follow the bouncing ball, once again.  As always, there are some familiar names to be seen.

We start here:
wm06.allmusic.com/


That page displays the following malicious advertisement:
ny.checkm8.com/Ads/345051/mwc_300x250.swf?


The ny.checkm8.com advertisement hijacks the visitor to allmusic.com and starts down the path to scanner2.malware-alarm.com.  From the ny.checkm8.com advertisement we hit the following:

newbieadguide.com/statsa.php?u=23423424&campaign=5ett4er5

newbieadguide.com/swf/gnida.swf?campaign=5ett4er5&u=23423424


Which bounces us to:

blessedads.com/?cmpid=5ett4er5

prevedmarketing.com/?tmn=mwatmp&aid=5ett4er5&lid=&ax=1&ed=2&mt_info=4685_2800_2358


And finally we end up here:

scanner2.malware-scan.com/3_swp/?tmn=null&aid=5ett4er5_ma3&lid=&affid=&ax=1&ed=2&mt_info=3958_0_10991


scanner2.malware-scan.com throws up the standard scary error messages and tries to download a MalwareAlarm activex control. Yay them.


Yes, ny.checkm8.com, newbieadguide, blessedads and prevedmarketing have made appearances in the past in association with malicious banner advertisements.


Screenshots: (images not reproduced)

Please... if you hit a malicious redirect - get us proof using Fiddler or FiddlerCap

I am currently investigating reports that the following sites have been hit by malicious banner advertisements:

msn.foxsports.com
neopets.com
hotmail.com

All are high traffic sites and it is essential that we track down, and shut down, whatever is causing the redirects as soon as possible.

This is what we need from you if you have been hit by a malicious redirect.

  1. Download and install Fiddler or FiddlerCap (FiddlerCap is recommended for the inexperienced).

  2. Delete all cookies and temporary internet files (including offline content).

  3. Go to the Flash Player Settings Manager web page and delete *all* cached web site content.  The Settings Manager that you will see on the page is not an image; it is the actual Settings Manager.  Click on the Delete All Sites button then click on the Confirm button.

  4. Close all other Internet Explorer tabs so that you have only one Web page open, then start Fiddler - you should see a Fiddler button on Internet Explorer's Command Bar.  Click on that and allow Fiddler to finish loading before proceeding. The Fiddler window will appear; minimise that to keep the programme running.

  5. Once Fiddler is running go to the site affected by the malicious banner advertisement, and browse the site until you are redirected.

  6. Save the proof of redirect as a SAZ file, and then send it to me at columnfeedback@mvps.org.

Performanceoptimizer malware hits www.defsounds.com

Yep, we've got another one.   First, thank you to the owner of defsounds.com for asking for help.

Second, thank you to Susan (you know who you are) for capturing the redirect.

Third, thank you to Camtasia for their SnagIt software, which makes it extremely easy to catch malware screenshots on the fly.

Also - I have a special warning for the bad guys - you can hide from some of us, but you can't hide from all of us, and you most certainly cannot hide from your victims.

Ok, so let's have a look at the redirect that has hit defsounds.com.  You will find screenshots of the malicious advertisement at the end of this article. 

In short, we start at defsounds.com and end up at a fake security website, as you can see from the following:

GET /3_swp/?tmn=null&aid=c1imbart_ma3&lid=&affid=&ax=1&ed=2&mt_info=3958_0_10991 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Referer: newbieadguide.com/swf/gnida.swf?campaign=c1imbart&u=23423424
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: scanner2.malware-scan.com

HTTP/1.1 200 OK
Server: nginx/0.5.31
Date: Sat, 01 Dec 2007 08:56:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.3
Content-Encoding: gzip

So, how do we get from defsounds to malware-scan.com?  Once again, some very familiar names are involved.

First we are hijacked by this advertisement:

r2d2adverising.com/edges/fast_get.php?bs=883102651722718984233422549688677996734923441432&aid=keyin&lid=keyin&affid=

r2d2adverising.com is the referrer for:

newbieadguide.com/statsa.php?u=23423424&campaign=c1imbart

We also see:

blessedads.com/?cmpid=c1imbart

and:

prevedmarketing.com/?tmn=mwatmp&aid=c1imbart&lid=&ax=1&ed=2&mt_info=4964_3080_2358

We end up at:
scanner2.malware-scan.com/3_swp/?tmn=null&aid=c1imbart_ma3&lid=&affid=&ax=1&ed=2&mt_info=3958_0_10991

(blessedads, prevedmarketing and scanner2.malware-scan.com all share the same referrer, being newbieadguide)

As always, a network trace is available for review by the appropriate authorities.
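Once a reader sends in a SAZ file as asked in the Fiddler post above, the job is exactly what this post does by hand: follow the Referer headers backwards from the fake scanner page to the site the visitor actually opened, and notice the one campaign id that rides along on every hop. The following is an added example of my own, not code from this blog or from Fiddler. It assumes a SAZ is a zip archive holding one raw/NN_c.txt file per client request (Fiddler's layout as far as I know it); the requests inside are constructed to mirror the defsounds trace above, using this post's own hosts and query strings, and the campaign parameter names (campaign, cmpid, aid, poa) are the ones visible in the URLs on this page.

```python
import io
import re
import zipfile
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

def request_text(path, host, referer=None):
    """Render one raw client request the way it sits in a SAZ raw/NN_c.txt file (assumed layout)."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}",
             "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"]
    if referer:
        lines.append(f"Referer: {referer}")
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample archive: hosts and query strings copied from the defsounds trace in the post.
SAMPLE_REQUESTS = {
    "raw/01_c.txt": request_text("/", "www.defsounds.com"),
    "raw/02_c.txt": request_text("/edges/fast_get.php?aid=keyin&lid=keyin&affid=",
                                 "r2d2adverising.com", "http://www.defsounds.com/"),
    "raw/03_c.txt": request_text("/statsa.php?u=23423424&campaign=c1imbart", "newbieadguide.com",
                                 "http://r2d2adverising.com/edges/fast_get.php?aid=keyin"),
    "raw/04_c.txt": request_text("/swf/gnida.swf?campaign=c1imbart&u=23423424", "newbieadguide.com",
                                 "http://r2d2adverising.com/edges/fast_get.php?aid=keyin"),
    # The post's own capture shows the Referer without a scheme; keep one such line to cover that case.
    "raw/05_c.txt": request_text("/?cmpid=c1imbart", "blessedads.com",
                                 "newbieadguide.com/swf/gnida.swf?campaign=c1imbart&u=23423424"),
    "raw/06_c.txt": request_text("/?tmn=mwatmp&aid=c1imbart&lid=&ax=1&ed=2", "prevedmarketing.com",
                                 "http://newbieadguide.com/swf/gnida.swf?campaign=c1imbart&u=23423424"),
    "raw/07_c.txt": request_text("/3_swp/?tmn=null&aid=c1imbart_ma3&lid=&affid=&ax=1&ed=2",
                                 "scanner2.malware-scan.com",
                                 "http://newbieadguide.com/swf/gnida.swf?campaign=c1imbart&u=23423424"),
}

# Query parameters that carry the campaign id in the traces on this page.
CAMPAIGN_KEYS = ("campaign", "cmpid", "aid", "poa")

def build_saz(files):
    """Pack {name: text} into an in-memory zip laid out like a SAZ archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

def host_of(url):
    """Hostname of a URL, tolerating a missing scheme (as in the post's Referer lines)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def parse_request(raw):
    """Split a raw HTTP request into (path, headers) with lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    first, *header_lines = head.split("\r\n")
    parts = first.split(" ")
    path = parts[1] if len(parts) > 1 else "/"
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return path, headers

def referrer_edges(saz_bytes):
    """One record per client request: requested host, path, parsed query and referring host."""
    edges = []
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as zf:
        names = [n for n in zf.namelist() if re.fullmatch(r"raw/\d+_c\.txt", n)]
        for name in sorted(names, key=lambda n: int(re.search(r"\d+", n).group())):
            path, headers = parse_request(zf.read(name).decode("utf-8", "replace"))
            referer = headers.get("referer")
            edges.append({"host": headers.get("host", "").lower(), "path": path,
                          "query": parse_qs(urlsplit(path).query),
                          "ref_host": host_of(referer) if referer else None})
    return edges

def redirect_chain(edges, landing_host):
    """Walk Referer links backwards from the landing page to the site the visitor opened."""
    parent = {}
    for e in edges:
        if e["ref_host"] and e["ref_host"] != e["host"]:
            parent.setdefault(e["host"], e["ref_host"])  # first referrer seen for a host wins
    chain = [landing_host]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]

def campaign_tokens(edges):
    """Map each campaign id to the hosts it was passed to; one id threading the chain is the tell."""
    hosts_by_token = defaultdict(set)
    for e in edges:
        for key in CAMPAIGN_KEYS:
            for value in e["query"].get(key, []):
                hosts_by_token[value.split("_")[0]].add(e["host"])  # aid=c1imbart_ma3 -> c1imbart
    return dict(hosts_by_token)

if __name__ == "__main__":
    edges = referrer_edges(build_saz(SAMPLE_REQUESTS))
    print(" -> ".join(redirect_chain(edges, "scanner2.malware-scan.com")))
    for token, hosts in campaign_tokens(edges).items():
        print(f"{token}: {sorted(hosts)}")
```

Run as is, the chain comes out as www.defsounds.com -> r2d2adverising.com -> newbieadguide.com -> scanner2.malware-scan.com, and the c1imbart token is attached to every hop after the first ad request, which is what lets a landing page be tied back to the advertisement that delivered it. The same code applies unchanged to the soccernet and allmusic traces earlier on this page, where the token is flatfootup and 5ett4er5 respectively.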

 

Screenshot of malware advertisement in situ: (image not reproduced)

Who are r2d2adverising?

Whois info for r2d2adverising.com:
Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE
Domain name: R2D2ADVERISING.COM
Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Technical Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Registrar of Record: TUCOWS, INC.
Record last updated on 10-Jul-2007. Record expires on 02-Jul-2008. Record created on 02-Jul-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order: NS1.R2D2ADVERISING.COM 190.15.73.251 NS2.R2D2ADVERISING.COM 190.15.73.252

190.15.73.252:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

Who are newbieadguide.com?

Registrant: Newbieadguide Inc. 2024 Silverlake Rd. NW Saint Paul, MN 55112 US
Domain name: NEWBIEADGUIDE.COM
Administrative Contact: Hostmaster, Newbieadguide Inc. newbieadguide@yahoo.com 2024 Silverlake Rd. NW Saint Paul, MN 55112 US (651) 222-9375
Technical Contact: Hostmaster, Newbieadguide Inc. newbieadguide@yahoo.com 2024 Silverlake Rd. NW Saint Paul, MN 55112 US (651) 222-9375
Registrar of Record: TUCOWS, INC.
Record last updated on 24-Apr-2007. Record expires on 20-Apr-2008. Record created on 20-Apr-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order: NS2.NEWBIEADGUIDE.COM 190.15.73.252 NS1.NEWBIEADGUIDE.COM 190.15.73.251

190.15.73.251:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

Who are blessedads.com?

Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE
Domain name: BLESSEDADS.COM
Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Technical Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Registrar of Record: TUCOWS, INC.
Record last updated on 10-Jul-2007. Record expires on 02-Jul-2008. Record created on 02-Jul-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order: NS1.BLESSEDADS.COM 190.15.73.251 NS2.BLESSEDADS.COM 190.15.73.252

190.15.73.252:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

Who are prevedmarketing.com?

Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE
Domain name: PREVEDMARKETING.COM
Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Technical Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Registrar of Record: TUCOWS, INC.
Record last updated on 08-Nov-2007. Record expires on 02-Jul-2008. Record created on 02-Jul-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order: NS2.PREVEDMARKETING.COM 190.15.73.252 NS1.PREVEDMARKETING.COM 190.15.73.251

190.15.73.251:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

Who are scanner2.malware-scan.com?

Whois info for malware-scan.com:
Domain Name: MALWARE-SCAN.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.MALWARE-SCAN.COM
Name Server: NS2.MALWARE-SCAN.COM
Status: ok
Updated Date: 16-oct-2007
Creation Date: 27-sep-2007
Expiration Date: 27-sep-2008

Domain Name: MALWARE-SCAN.COM
Registrant: PAYTECH INC PAYTECH INC (admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670
Creation Date: 27-Sep-2007
Expiration Date: 27-Sep-2008
Domain servers in listed order: ns2.malware-scan.com ns1.malware-scan.com
Administrative Contact: PAYTECH INC PAYTECH INC (admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670
Technical Contact: PAYTECH INC PAYTECH INC (admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670
Billing Contact: PAYTECH INC PAYTECH INC (admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670
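What the whois records above show, read side by side, is that four of the five domains sit on the same pair of name servers at 190.15.73.251 and 190.15.73.252, and three of them share a contact address and phone number, while malware-scan.com is registered separately. Here is an added example of my own (not code from this blog) that extracts those pivots from flattened whois text mechanically and groups domains that share them. The records in it are trimmed copies of the ones quoted in this post; the field names in the parsed output are the example's own.

```python
import re
from collections import defaultdict

# Whois output as quoted in the post, trimmed to the fields used here. The Tucows records and
# the EstDomains record share no common layout, which is why the parser is regex based.
WHOIS_RECORDS = [
    "Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE Domain name: R2D2ADVERISING.COM "
    "Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE "
    "1-555-555-1234 Registrar of Record: TUCOWS, INC. Domain servers in listed order: "
    "NS1.R2D2ADVERISING.COM 190.15.73.251 NS2.R2D2ADVERISING.COM 190.15.73.252",
    "Registrant: Newbieadguide Inc. 2024 Silverlake Rd. NW Saint Paul, MN 55112 US Domain name: NEWBIEADGUIDE.COM "
    "Administrative Contact: Hostmaster, Newbieadguide Inc. newbieadguide@yahoo.com (651) 222-9375 "
    "Registrar of Record: TUCOWS, INC. Domain servers in listed order: "
    "NS2.NEWBIEADGUIDE.COM 190.15.73.252 NS1.NEWBIEADGUIDE.COM 190.15.73.251",
    "Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE Domain name: BLESSEDADS.COM "
    "Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com 1-555-555-1234 "
    "Registrar of Record: TUCOWS, INC. Domain servers in listed order: "
    "NS1.BLESSEDADS.COM 190.15.73.251 NS2.BLESSEDADS.COM 190.15.73.252",
    "Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE Domain name: PREVEDMARKETING.COM "
    "Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com 1-555-555-1234 "
    "Registrar of Record: TUCOWS, INC. Domain servers in listed order: "
    "NS2.PREVEDMARKETING.COM 190.15.73.252 NS1.PREVEDMARKETING.COM 190.15.73.251",
    "Domain Name: MALWARE-SCAN.COM Registrar: ESTDOMAINS, INC. Registrant: PAYTECH INC PAYTECH INC "
    "(admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670 "
    "Domain servers in listed order: ns2.malware-scan.com ns1.malware-scan.com",
]

DOMAIN_RE = re.compile(r"Domain [Nn]ame:\s*([A-Za-z0-9.-]+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d.]{6,}|\b\d-\d{3}-\d{3}-\d{4}\b|\(\d{3}\) \d{3}-\d{4}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NS_RE = re.compile(r"\bns\d+\.[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

def parse_whois(text):
    """Pull the pivot-worthy fields out of one flattened whois record."""
    m = DOMAIN_RE.search(text)
    return {
        "domain": m.group(1).lower() if m else None,
        "emails": {e.lower() for e in EMAIL_RE.findall(text)},
        "phones": set(PHONE_RE.findall(text)),
        "ns_ips": set(IPV4_RE.findall(text)),  # glue addresses listed after the name servers
        "nameservers": {n.lower() for n in NS_RE.findall(text)},
    }

def shared_indicators(records, fields=("emails", "phones", "ns_ips")):
    """Indicator -> set of domains it appears under, keeping only indicators seen on two or more domains."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            for value in rec[field]:
                index[(field, value)].add(rec["domain"])
    return {key: domains for key, domains in index.items() if len(domains) >= 2}

def infrastructure_clusters(records, fields=("emails", "phones", "ns_ips")):
    """Group domains linked, directly or transitively, by any shared indicator."""
    neighbours = defaultdict(set)
    for domains in shared_indicators(records, fields).values():
        for d in domains:
            neighbours[d] |= domains - {d}
    clusters, seen = [], set()
    for rec in records:
        if rec["domain"] in seen:
            continue
        group, stack = set(), [rec["domain"]]
        while stack:
            d = stack.pop()
            if d not in group:
                group.add(d)
                stack.extend(neighbours[d] - group)
        seen |= group
        clusters.append(sorted(group))
    return clusters

if __name__ == "__main__":
    records = [parse_whois(text) for text in WHOIS_RECORDS]
    for (field, value), domains in sorted(shared_indicators(records).items()):
        print(f"{field:7} {value:24} {sorted(domains)}")
    for group in infrastructure_clusters(records):
        print("cluster:", group)
```

The name-server addresses are the strongest link here: newbieadguide.com has a different registrant and phone number from the other three Tucows domains, yet it lands in the same cluster because its NS1/NS2 glue records point at the same two addresses. malware-scan.com shares none of the indicators and stays on its own, which matches the separate EstDomains registration above.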



A failure of education - a user switches to Linux because he is "click happy" and "gullible"

I found this blog via Digg today, and I am shaking my head in despair.  It is a classic example of a failure on the part of a technician to *EDUCATE* his client about the dangers of the internet instead of taking the easy way out via a wipe and reload, and a classic example of why depending on software for protection, without education, will always fail.

He says "With that said the big question, “How can I keep this from happening.” I didn’t have a real good answer for him. I’ve tried different virus scanners, firewalls, spyware programs and the like. He is too gullible when it comes to the internet. Then it struck me, he only surfs the web, email, newsgroups and downloading pictures from his digital camera. I had a solution all along."

I ask you this - why the hell did this supposed computer savvy friend simply depend on 'virus scanners, firewalls, spyware programs and the like'?  Any real security professional knows that safe-hex is just as important, if not more so, than whatever feel-good layer of security software is installed.  All is fallible.

And why the hell is the user still "gullible" despite an admitted monthly wipe and reload of his OS by his Linux-loving "friend" over who knows how long a period of time?  What does his Linux using friend do while reimaging the computer?  Does his Linux friend explain how the victim is getting infected and why?  Does he teach him safe-hex?  As for the friend's question "how can I keep this from happening", some honest talk about what the guy is doing wrong and how he is being infected would likely have gone a long way towards resolving the situation.  But sadly, in my experience, when asked such a question Linux fans, Firefox fans, Opera fans, Mac fans etc etc will generally brush off the question with "oh, well, Windows/IE is really insecure, swap to <<software X>> and you'll be SAFE" without bothering to take things further and teach about safe-hex.

The Mac world is starting to feel the heat of malicious web content such as fake codecs.  Do you really think that a "gullible" Mac user will hesitate to enter an admin password and install a fake codec so that he can view his video of choice when he has been told, and believes, that he is "safe"?  Do you really believe that a "gullible" Linux user will hesitate to take the steps necessary to install a malicious codec so that he can view the video of his choice, especially a Linux user who is "an avid porn surfer"?

A safety system that is built on "oh, but nobody is targeting it" or "there are no viruses for <<whatever>>" is no protection at all in the end.

In case you hadn't realised, yes I am angry.  I get angry when *any* software or operating system is held up as some sort of miraculous "If he gets a virus now, I will be REALLY SURPRISED" panacea, because I *know* that sooner or later that software or OS will be targeted, and if people are being herded to whatever alternative without being taught how to be safe then, in the end, they are in just as much danger as before they switched.  You see, all it takes is *ONE* exploit for whatever they are now using, and they're screwed.

Internet Explorer versus Firefox

Source: Jeff Jones Security Blog

"For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating the security experience of users as the browser interprets Web content and programs delivered from around the world.

Over the past few years, there has been much discussion of the need for improvements in browser security, but few hard data studies performed to support assertions concerning the security of available browsers.

This report documents the results of my analysis of Internet Explorer and Firefox vulnerabilities over the past few years since Internet Explorer 6 on Windows XP SP2 became available and Mozilla launched Firefox.

The report in detail examines vulnerabilities over the past 3 years, breaks them down by severity, looks at version-over-version trends for each browser and finally examines how each browser is doing in terms of unfixed vulnerabilities."

The report is available for download at Jeff's blog, and makes for interesting reading.
