Performanceoptimizer malware hits www.defsounds.com

Yep, we've got another one. First, thank you to the owner of defsounds.com for asking for help.

Second, thank you to Susan (you know who you are) for capturing the redirect.

Third, thank you to Camtasia for their SnagIt software, which makes it extremely easy to catch malware screenshots on the fly.

Also - I have a special warning for the bad guys - you can hide from some of us, but you can't hide from all of us, and you most certainly cannot hide from your victims.

OK, so let's have a look at the redirect that has hit defsounds.com. You will find screenshots of the malicious advertisement at the end of this article.

In short, we start at defsounds.com and end up at a fake security website, as you can see from the following:

GET /3_swp/?tmn=null&aid=c1imbart_ma3&lid=&affid=&ax=1&ed=2&mt_info=3958_0_10991 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Referer: newbieadguide.com/swf/gnida.swf?campaign=c1imbart&u=23423424
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: scanner2.malware-scan.com

HTTP/1.1 200 OK
Server: nginx/0.5.31
Date: Sat, 01 Dec 2007 08:56:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.3
Content-Encoding: gzip

So, how do we get from defsounds to malware-scan.com?  Once again, some very familiar names are involved.

First we are hijacked by this advertisement:

r2d2adverising.com/edges/fast_get.php?bs=883102651722718984233422549688677996734923441432&aid=keyin&lid=keyin&affid=

r2d2adverising.com is the referrer for:

newbieadguide.com/statsa.php?u=23423424&campaign=c1imbart

We also see:

blessedads.com/?cmpid=c1imbart

and:

prevedmarketing.com/?tmn=mwatmp&aid=c1imbart&lid=&ax=1&ed=2&mt_info=4964_3080_2358

We end up at:

scanner2.malware-scan.com/3_swp/?tmn=null&aid=c1imbart_ma3&lid=&affid=&ax=1&ed=2&mt_info=3958_0_10991

(blessedads, prevedmarketing and scanner2.malware-scan.com all share the same referrer: newbieadguide)

As always, a network trace is available for review by the appropriate authorities.
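To see how the hops above hang together, here is an added example (not from the post) that rebuilds the referrer chain from a capture written in the same scheme-less form as the requests quoted above, and groups the hosts by the campaign identifier they carry. The capture text is constructed from those requests; defsounds.com as the Referer of the first ad request is an assumption, since the post does not quote that header.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed from the requests quoted above, in the scheme-less form the
# capture was posted in; defsounds.com as Referer of the first hop is assumed.
CAPTURE = """\
GET r2d2adverising.com/edges/fast_get.php?bs=883102651722718984233422549688677996734923441432&aid=keyin&lid=keyin&affid=
Referer: www.defsounds.com/
GET newbieadguide.com/statsa.php?u=23423424&campaign=c1imbart
Referer: r2d2adverising.com/edges/fast_get.php?bs=883102651722718984233422549688677996734923441432&aid=keyin&lid=keyin&affid=
GET blessedads.com/?cmpid=c1imbart
Referer: newbieadguide.com/swf/gnida.swf?campaign=c1imbart&u=23423424
GET prevedmarketing.com/?tmn=mwatmp&aid=c1imbart&lid=&ax=1&ed=2&mt_info=4964_3080_2358
Referer: newbieadguide.com/swf/gnida.swf?campaign=c1imbart&u=23423424
GET scanner2.malware-scan.com/3_swp/?tmn=null&aid=c1imbart_ma3&lid=&affid=&ax=1&ed=2&mt_info=3958_0_10991
Referer: newbieadguide.com/swf/gnida.swf?campaign=c1imbart&u=23423424
"""

def parse_capture(text):
    """Pair each GET line with the Referer line that follows it."""
    pairs, url = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("GET "):
            url = line.split(None, 1)[1]
        elif line.startswith("Referer:") and url:
            pairs.append((url, line.split(":", 1)[1].strip()))
            url = None
    return [("http://" + u, "http://" + r) for u, r in pairs]  # re-add the scheme the post dropped

def referer_graph(pairs):  # referring host -> hosts the browser was sent on to
    graph = defaultdict(set)
    for url, ref in pairs:
        graph[urlsplit(ref).hostname].add(urlsplit(url).hostname)
    return graph

def chains_from(graph, start, path=()):
    """Every hop-by-hop chain from `start` to a terminal host (cycle-safe DFS)."""
    path = path + (start,)
    nxt = graph.get(start, set()) - set(path)
    return [list(path)] if not nxt else [c for h in sorted(nxt) for c in chains_from(graph, h, path)]

def hosts_by_tag(pairs, keys=("campaign", "aid", "cmpid")):
    """Group hosts by the affiliate/campaign identifier their URLs carry."""
    by_tag = defaultdict(set)
    for url, _ in pairs:
        parts = urlsplit(url)
        for k in keys:
            for v in parse_qs(parts.query).get(k, []):
                by_tag[v].add(parts.hostname)
    return {tag: sorted(hosts) for tag, hosts in by_tag.items()}
```

Run against a real proxy log, the same chain walk shows which publisher page first handed the browser to the ad network, which is the hop a site owner can actually act on.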

Screenshot of malware advertisement in situ: [image not reproduced]

Who are r2d2adverising?

Whois info for r2d2adverising.com:
Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE
Domain name: R2D2ADVERISING.COM
Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Technical Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Registrar of Record: TUCOWS, INC.
Record last updated on 10-Jul-2007.
Record expires on 02-Jul-2008.
Record created on 02-Jul-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order:
NS1.R2D2ADVERISING.COM 190.15.73.251
NS2.R2D2ADVERISING.COM 190.15.73.252

190.15.73.252:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

Who are newbieadguide.com?

Registrant: Newbieadguide Inc. 2024 Silverlake Rd. NW Saint Paul, MN 55112 US
Domain name: NEWBIEADGUIDE.COM
Administrative Contact: Hostmaster, Newbieadguide Inc. newbieadguide@yahoo.com 2024 Silverlake Rd. NW Saint Paul, MN 55112 US (651) 222-9375
Technical Contact: Hostmaster, Newbieadguide Inc. newbieadguide@yahoo.com 2024 Silverlake Rd. NW Saint Paul, MN 55112 US (651) 222-9375
Registrar of Record: TUCOWS, INC.
Record last updated on 24-Apr-2007.
Record expires on 20-Apr-2008.
Record created on 20-Apr-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order:
NS2.NEWBIEADGUIDE.COM 190.15.73.252
NS1.NEWBIEADGUIDE.COM 190.15.73.251

190.15.73.251:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

Who are blessedads.com?

Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE
Domain name: BLESSEDADS.COM
Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Technical Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Registrar of Record: TUCOWS, INC.
Record last updated on 10-Jul-2007.
Record expires on 02-Jul-2008.
Record created on 02-Jul-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order:
NS1.BLESSEDADS.COM 190.15.73.251
NS2.BLESSEDADS.COM 190.15.73.252

190.15.73.252:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

Who are prevedmarketing.com?

Registrant: Hostmaster Inc. Schoolstraat 214 Wambeek, Wambeek 1741 BE
Domain name: PREVEDMARKETING.COM
Administrative Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Technical Contact: Donna V. Reed, Donna no_name_inc@yahoo.com Schoolstraat 214 Wambeek, Wambeek 1741 BE 1-555-555-1234
Registrar of Record: TUCOWS, INC.
Record last updated on 08-Nov-2007.
Record expires on 02-Jul-2008.
Record created on 02-Jul-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order:
NS2.PREVEDMARKETING.COM 190.15.73.252
NS1.PREVEDMARKETING.COM 190.15.73.251

190.15.73.251:
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

Who are scanner2.malware-scan.com?

Whois info for malware-scan.com:
Domain Name: MALWARE-SCAN.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.MALWARE-SCAN.COM
Name Server: NS2.MALWARE-SCAN.COM
Status: ok
Updated Date: 16-oct-2007
Creation Date: 27-sep-2007
Expiration Date: 27-sep-2008

Domain Name: MALWARE-SCAN.COM
Registrant: PAYTECH INC PAYTECH INC (admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670
Creation Date: 27-Sep-2007
Expiration Date: 27-Sep-2008
Domain servers in listed order:
ns2.malware-scan.com
ns1.malware-scan.com
Administrative Contact: PAYTECH INC PAYTECH INC (admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670
Technical Contact: PAYTECH INC PAYTECH INC (admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670
Billing Contact: PAYTECH INC PAYTECH INC (admin@malware-scan.com) - Pierrefonds QC,H9H1Y9 CA Tel. +800.7289670
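The registration records above keep pointing at the same contact and the same pair of name-server addresses. The added example below (not from the post) pulls the contact e-mails and name-server IPs out of records in that same flattened form and groups together the domains that share any of them, which is the pivot an analyst would use to tie the ad domains to one operator. The records are abridged from the ones quoted above.

```python
import re
from collections import defaultdict

# Abridged from the whois records quoted above (same flattened one-line form
# the page shows); only the fields useful for pivoting are kept.
WHOIS = {
    "r2d2adverising.com": "Administrative Contact: Donna V. Reed no_name_inc@yahoo.com "
        "Record created on 02-Jul-2007. Domain servers in listed order: NS1.R2D2ADVERISING.COM 190.15.73.251 NS2.R2D2ADVERISING.COM 190.15.73.252",
    "blessedads.com": "Administrative Contact: Donna V. Reed no_name_inc@yahoo.com "
        "Record created on 02-Jul-2007. Domain servers in listed order: NS1.BLESSEDADS.COM 190.15.73.251 NS2.BLESSEDADS.COM 190.15.73.252",
    "prevedmarketing.com": "Administrative Contact: Donna V. Reed no_name_inc@yahoo.com "
        "Record created on 02-Jul-2007. Domain servers in listed order: NS2.PREVEDMARKETING.COM 190.15.73.252 NS1.PREVEDMARKETING.COM 190.15.73.251",
    "newbieadguide.com": "Administrative Contact: Hostmaster newbieadguide@yahoo.com "
        "Record created on 20-Apr-2007. Domain servers in listed order: NS2.NEWBIEADGUIDE.COM 190.15.73.252 NS1.NEWBIEADGUIDE.COM 190.15.73.251",
    "malware-scan.com": "Registrant: PAYTECH INC (admin@malware-scan.com) Pierrefonds QC CA "
        "Creation Date: 27-Sep-2007 Domain servers in listed order: ns2.malware-scan.com ns1.malware-scan.com",
}

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def pivots(record):
    """Pivot keys found in one record: contact e-mails and name-server IPs."""
    return set(EMAIL.findall(record)) | set(IPV4.findall(record))

def shared(records, a, b):
    """Pivot keys two domains have in common (why an analyst would link them)."""
    return pivots(records[a]) & pivots(records[b])

def cluster(records):
    """Group domains into connected components over shared pivot keys."""
    keys = {d: pivots(r) for d, r in records.items()}
    by_key = defaultdict(set)
    for d, ks in keys.items():
        for k in ks:
            by_key[k].add(d)
    seen, clusters = set(), []
    for d in sorted(keys):
        if d in seen:
            continue
        comp, todo = set(), [d]
        while todo:  # breadth-first walk over domains reachable via any shared key
            cur = todo.pop()
            if cur in comp:
                continue
            comp.add(cur)
            for k in keys[cur]:
                todo.extend(by_key[k] - comp)
        seen |= comp
        clusters.append(sorted(comp))
    return clusters
```

On the page's records this yields two clusters: the four ad domains (three by contact e-mail and name-server IPs, newbieadguide by name-server IPs only) and malware-scan.com on its own, whose record names no shared contact or address.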


[Screenshots of the malicious advertisement: four images, not reproduced]

Published Sat, Dec 1 2007 22:09 by sandi

Comments

# re: Performanceoptimizer malware hits www.defsounds.com

Saturday, December 01, 2007 11:26 AM by Cassy

If I, by mistake, downloaded it, how can I get rid of it?

# re: Performanceoptimizer malware hits www.defsounds.com

Sunday, December 02, 2007 3:59 AM by Steve

Hi Sandi. Would this sort of exploit be blocked by AdBlockPlus in Firefox?

Regards

# re: Performanceoptimizer malware hits www.defsounds.com

Wednesday, December 05, 2007 7:29 AM by Victor

I am getting this pesky stuff while trying to get more information about my shares, not even clicking on any adverts. Quite sad when a site like yahoo allows this to happen.

# re: Performanceoptimizer malware hits www.defsounds.com

Wednesday, December 05, 2007 4:34 PM by sandi

@Victor

I do not have a Fiddler capture evidencing a problem at Yahoo.  If you, or anybody else, can get one for me, I'll be happy to do what I can to get the advertisements shut down.

# re: Performanceoptimizer malware hits www.defsounds.com

Friday, December 07, 2007 9:24 PM by john prochaska

games.oxygen.com/.../runadvergame.aspx

Oxygen.com contains a variety of computer games. In most cases now, the first time I sign on to a game called eggz, the game is stopped and an advertisement for malware pops up.

# re: Performanceoptimizer malware hits www.defsounds.com

Monday, February 11, 2008 2:01 PM by DDYurble Neo

I found this stupid host (host - neopets-web-8.west.mtvi.com) in my page source code. The first few times I could get rid of it by just disconnecting internet connections and/or logging out and then getting back on. Then later I had to shut down the whole system to get rid of it, now it comes up as soon as I log into firefox! I can't get it off! What info do you need from me to get what it is you need to find out who is doing this? When you find out, will stopping them fix everything? Or do I need to clean my system? Whoever it is installed a friggin camera on my computer, called a PC CAMERA!