Monday, December 03, 2007 2:25 PM
sandi
soccernet.com hit by malware
My cell phone rang a few minutes ago to warn me that soccernet.com has been hit by malware - again, it is a Skyauction.com advertisement (similar to the one that hit Sensis not that long ago) that is the malicious party.
Let's have a look at what happens this time - as always the network capture is available for review by the appropriate authorities. Screenshots of the malicious advertisement are at the end of this article.
We start here:
soccernet.espn.go.com/?cc=3436
The above page has an advertisement in the top right hand corner. That advertisement is:
a1767.g.akamai.net/v/1767/18689/7d/img-dc2.adtech.de/apps/162/Ad1600674St3Sz225Sq1148279V0Id1/468x60.swf
That SWF hijacks visitors to soccernet.com, and forces them to performanceoptimizer.com. As always, the performanceoptimizer site throws up fake alerts etc etc etc.
This time there is no sign of prevedmarketing. Instead, we see burnads and adtech.de, specifically:
burnads.com/swf/gnida.swf?campaign=flatfootup&u=23423424
ad.dc2.adtech.de/addyn%7C3.0%7C605%7C1181102%7C0%7C225%7CADTECH;loc=100;target=_blank;key=soccernet+index+AUS;kvsection=soccernet;kvpagetype=index;kvcc=AUS;grp=6644402;misc=1196658487765
We also see:
blessedads.com/?cmpid=flatfootup&adid=468
Before we finally end up at:
performanceoptimizer.com/.landing/index.php?cmp=tmsmsposl&poa=flatfootup&pol=468&apo=1&epo=1&edpo=2&mt_info=5010_3112_2759
The referrer for performanceoptimizer is: burnads.com/swf/gnida.swf?campaign=flatfootup&u=23423424
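To show how a chain like the one above can be reconstructed from a proxy log or capture, here is an added example (not code from the original post). It walks the Referer headers backwards from the performanceoptimizer landing page to the publisher, and separately lists which hops served Flash files. The log records are constructed from the URLs in this post; the post only states the last referrer, so the intermediate referrers are assumptions.

```python
from urllib.parse import urlsplit

# URLs taken from the post above.
PUB = "http://soccernet.espn.go.com/?cc=3436"
AD_SWF = ("http://a1767.g.akamai.net/v/1767/18689/7d/img-dc2.adtech.de/apps/162/"
          "Ad1600674St3Sz225Sq1148279V0Id1/468x60.swf")
ADTECH = "http://ad.dc2.adtech.de/addyn%7C3.0%7C605%7C1181102%7C0%7C225%7CADTECH;loc=100"
GNIDA = "http://burnads.com/swf/gnida.swf?campaign=flatfootup&u=23423424"
BLESSED = "http://blessedads.com/?cmpid=flatfootup&adid=468"
LANDING = ("http://performanceoptimizer.com/.landing/index.php?cmp=tmsmsposl"
           "&poa=flatfootup&pol=468&apo=1&epo=1&edpo=2&mt_info=5010_3112_2759")

# Constructed sample log: (request_url, referrer). Only the LANDING referrer is
# stated in the post; the other referrers are assumed for illustration.
SAMPLE_LOG = [
    (PUB, None),
    (AD_SWF, PUB),
    (ADTECH, AD_SWF),
    (GNIDA, AD_SWF),
    (BLESSED, GNIDA),
    (LANDING, GNIDA),
]

def host(url):
    return urlsplit(url).hostname or ""

def trace_chain(log, landing_host):
    """Follow referrers backwards from the first request to landing_host and
    return the hosts in page order (publisher first, landing last)."""
    by_url = {url: ref for url, ref in log}
    current = next((u for u in by_url if host(u) == landing_host), None)
    chain, seen = [], set()
    while current is not None and current not in seen:  # guard against loops
        seen.add(current)
        chain.append(host(current))
        current = by_url.get(current)
    chain.reverse()
    return chain

def flash_hops(log):
    """Hosts that served a .swf; in this incident the ad creative itself
    performs the redirect, so these are the hops to review first."""
    return [host(u) for u, _ in log if urlsplit(u).path.lower().endswith(".swf")]

def first_third_party_hop(chain, publisher_suffix):
    """Index of the first host in the chain outside the publisher's domain."""
    return next((i for i, h in enumerate(chain) if not h.endswith(publisher_suffix)), None)
```

Hops such as blessedads.com and adtech.de appear in the log but not in the referrer chain, which is why the capture, not only the final referrer, is needed to see the full set of parties involved.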
Filed under: Vulnerabilities, Security, safety and privacy on the Internet, viruses and exploits