January 2008 - Posts

This incident was reported via a comment on this blog. 

We have not found the malicious advertisement yet, but we can tell you that victims who are caught by the hijack when visiting mayoclinic.com end up being redirected to:
quinquecahue.com/swf/gnida.swf?campaign=fabulistor&u=1200910285

We can also tell you that this particular campaign (fabulistor) is coded to NOT trigger when the victim's computer falls within the following IP address ranges or is located in the following US States:

129.176.0.0-129.176.255.255
172.21.0.0-172.21.255.255
Minnesota, California, New York, New Jersey, Arizona, Florida

Note that mayoclinic.com's IP address is 129.176.217.6, which falls inside the first of the banned ranges above.
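The check behind that note, as an added example (this is not code from the blog): it parses the "start-end" ranges quoted above with Python's standard ipaddress module and reports whether a victim site's own address lands inside its campaign's exclusion list. The ranges and addresses are the ones quoted in this post and in the Expedia and rhapsody posts further down the page; the region matching (lower-cased names) and the "silent if either the IP or the region is listed" rule are my reading of the post's description.

```python
"""Check whether a campaign's exclusion list would hide it from a given visitor.

Added example, not from the original post. The ranges and addresses below are
the ones quoted on this page; the decision logic follows the post's description
(no trigger when the visitor's IP is in a listed range or their region is listed).
"""
import ipaddress

# Exclusion lists as quoted in the posts, in the "start-end" form the SWFs carry.
FABULISTOR_RANGES = ["129.176.0.0-129.176.255.255", "172.21.0.0-172.21.255.255"]
FABULISTOR_REGIONS = frozenset(
    {"minnesota", "california", "new york", "new jersey", "arizona", "florida"})
PYGMALIONI_RANGES = ["199.3.0.0-199.3.255.255", "216.251.0.0-216.251.255.255",
                     "172.30.0.0-172.30.25.255"]
MI1EROOF_RANGES = ["207.188.0.0-207.188.255.255"]

# Victim-site addresses quoted in the posts.
VICTIMS = {"mayoclinic.com": "129.176.217.6",
           "expedia.com": "216.251.114.10",
           "rhapsody.com": "207.188.21.32"}


def parse_range(text):
    """Turn 'a.b.c.d-e.f.g.h' into the list of CIDR networks covering it."""
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    if end < start:
        raise ValueError(f"range end precedes start: {text}")
    return list(ipaddress.summarize_address_range(start, end))


def in_ranges(ip, ranges):
    """True if ip lies inside any of the 'start-end' ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for r in ranges for net in parse_range(r))


def suppressed(ip, region, ranges, regions=frozenset()):
    """True when the campaign would stay silent for this visitor (assumed rule)."""
    return in_ranges(ip, ranges) or region.strip().lower() in regions


def excluded_victims(victims, ranges):
    """Map each victim site to whether its own address is in the exclusion ranges."""
    return {site: in_ranges(ip, ranges) for site, ip in victims.items()}


if __name__ == "__main__":
    for name, ranges in (("fabulistor", FABULISTOR_RANGES),
                         ("pygmalioni", PYGMALIONI_RANGES),
                         ("mi1eroof", MI1EROOF_RANGES)):
        print(name, excluded_victims(VICTIMS, ranges))
```

Run as a script it prints, for each campaign, which of the three victim sites would never see the advertisement fire from their own address range, which is why a site operator checking their own pages sees nothing wrong.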


Spyware Sucks is accepting donations, with thanks.


The bad guys are certainly expanding their stable of advertisements.

Both lead victims to malicious quinquecahue.com URLs.  More later... 



Expedia.com has been infiltrated by a malicious banner advertisement - a new one that I have not seen before.

Victim site: Expedia.com (216.251.114.10)
SWF host: media.expedia.com
SWF Source: 
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs:
  199.3.0.0-199.3.255.255
  216.251.0.0-216.251.255.255
  172.30.0.0-172.30.25.255
  (note: expedia.com's IP is banned)
  IN, IL, UK, AU, FR, IT, CN, JP, DE, ES, MX, AE
  colorado, washington, california, massachusetts, ontario, texas, hawaii, missouri, illinois
Permitted cities, countries and IPs: 
SWF URL: media.expedia.com/ads/FXSound/728x90.swf
Special notes: Incident reported to expedia.com
Resolution: 

Let's have a look at the danger path:

URL / Referrer (working backwards from the fraudware page to the publisher page)
scanner2.malware-scan.com/18_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=pygmalioni_ma18_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_1349
prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358
prevedmarketing.com//?tmn=mwatmp&aid=pygmalioni&lid=728&ax=1&ed=2&mt_info=5337_4168_2358
blessedads.com/?cmpid=pygmalioni&adid=728
quinquecahue.com/statss.php?campaign=pygmalioni&u=1200655836
quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836
quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836
quinquecahue.com/statsg.php?u=1200655836&campaign=pygmalioni
quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni
media.expedia.com/ads/FXSound/728x90.swf

So, let's take a look at this new name, quinquecahue.com.

Not surprisingly, the malicious domain is hosted by, you guessed it, securehost.com (190.15.64.190):
http://www.robtex.com/dns/quinquecahue.com.html

Who else might we find in that IP range...
http://www.robtex.com/cnet/190.15.64.html

Again, no surprise, we see akamahi.net, newbieadguide.com, vozemiliogaranon.com and a name I have not seen before, familyislands.com.

Check out the domains sharing nameservers with quinquecahue.com - I *know* you're going to recognise many names....

domains sharing nameservers
advancedcleaner.com
akamahi.net
antispywaresuite.com
antiviruspcsuite.com
antiworm2008.com
avsystemcare.com
bestsellerantivirus.com
diskretter.com
elmejorantivirus.com
erreurchasseur.com
exterminadordevirus.com
moncontenuassistant.com
schijfbewaker.com
securepccleaner.com
spyguardpro.com
storageprotector.com
systemdoctor.com
thetechnorati.com
toolsicuro.com
vozemiliogaranon.com
winspycontrol.com
yourprivacyguard.com

subdomains
*.quinquecahue.com
ns1.quinquecahue.com
ns2.quinquecahue.com
ns3.quinquecahue.com
ns4.quinquecahue.com

rhapsody.com has been hit by a malicious banner advertisement - rhapsody.com is owned by RealNetworks.


Victim site: rhapsody.com (207.188.21.32)
SWF host: RealOne / Doubleclick
SWF Source: 
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs:
  207.188.0.0-207.188.255.255 (note: this IP range captures rhapsody.com)
  newjersey, newyork, california, washington, virginia
  paris, aarhus, velizycedex, jarrestr, amsterdam, rotterdam, zaanstad, koogaandezaan, seattle
Permitted cities, countries and IPs: US, NL, FR, SE, DK, NO, UA
SWF URL: i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231
Special notes: Incident reported to Doubleclick and rhapsody.com
Resolution: 


As always, let's work backwards from the final target site. 

URL / Referrer (working backwards from the fraudware page to the publisher page)
scanner2.malware-scan.com/9_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=mi1eroof_ma9_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_13496
prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358
blessedads.com/?cmpid=mi1eroof&adid=728
newbieadguide.com/statss.php?campaign=mi1eroof&u=23423424
newbieadguide.com/swf/gnida.swf?campaign=mi1eroof&u=23423424
newbieadguide.com/swf/gnida.swf?campaign=mi1eroof&u=23423424
newbieadguide.com/statsg.php?u=23423424&campaign=mi1eroof
newbieadguide.com/statsa.php?u=23423424&campaign=mi1eroof
i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231
i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231
rhapsody.com/-search?query=U2&searchtype=RhapArtist

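Walking a chain like this one (or the Expedia one above) by hand is tedious, so here is an added example, not code from the blog, that turns each hop into a host, campaign tag, per-victim id and clickTag destination using only the standard library. The sample chain is the rhapsody.com one from this post, entered one URL per entry with the fraudware page first and the publisher page last (that ordering, and the set of query keys that carry the campaign name, are my reading of the table, not something the post states); the clickTag value is kept defanged with "http: //" exactly as the post shows it.

```python
"""Parse a malvertising referrer chain into per-hop host / campaign / id rows.

Added example, not code from the blog. SAMPLE_CHAIN is the rhapsody.com chain
from this post, one URL per entry, fraudware page first and publisher page last
(an assumption read off the table).
"""
from urllib.parse import urlsplit, parse_qs

SAMPLE_CHAIN = [
    "scanner2.malware-scan.com/9_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=mi1eroof_ma9_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_13496",
    "prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358",
    "blessedads.com/?cmpid=mi1eroof&adid=728",
    "newbieadguide.com/statss.php?campaign=mi1eroof&u=23423424",
    "newbieadguide.com/swf/gnida.swf?campaign=mi1eroof&u=23423424",
    "newbieadguide.com/statsg.php?u=23423424&campaign=mi1eroof",
    "newbieadguide.com/statsa.php?u=23423424&campaign=mi1eroof",
    # clickTag value defanged with "http: //" exactly as the post shows it.
    "i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231",
    "rhapsody.com/-search?query=U2&searchtype=RhapArtist",
]

# Query keys that carried the campaign name at the various hops on this page
# (assumed from the chains shown; checked in this order).
CAMPAIGN_KEYS = ("campaign", "cmpid", "aid")


def _last_nonempty(values):
    """scanner2 repeats aid= with an empty first value; keep the last real one."""
    values = [v for v in values if v]
    return values[-1] if values else None


def parse_hop(url):
    """Return host, path, campaign tag, per-victim id and clickTag host for one hop."""
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    campaign = None
    for key in CAMPAIGN_KEYS:
        campaign = _last_nonempty(qs.get(key, []))
        if campaign:
            break
    click = _last_nonempty(qs.get("clickTag", []))
    # Re-join the defanged "http: //" before pulling the click-through host.
    click_host = urlsplit(click.replace(" ", "")).hostname if click else None
    return {"host": parts.hostname, "path": parts.path, "campaign": campaign,
            "u": _last_nonempty(qs.get("u", [])), "click_target": click_host}


def parse_chain(urls):
    return [parse_hop(u) for u in urls]


def hosts(hops):
    return [h["host"] for h in hops]


def campaign_tags(hops):
    """Distinct campaign values in order of first appearance."""
    seen = []
    for h in hops:
        if h["campaign"] and h["campaign"] not in seen:
            seen.append(h["campaign"])
    return seen


def tracking_hops(hops):
    """Paths of the statss/statsg/statsa beacons that bracket the SWF load."""
    return [h["path"] for h in hops if h["path"].startswith("/stats")]


if __name__ == "__main__":
    for hop in parse_chain(SAMPLE_CHAIN):
        print(hop)
```

The campaign tag is what lets you tie the rhapsody.com chain (mi1eroof) to the Expedia chain (pygmalioni) and the mayoclinic.com one (fabulistor) even though the serving domain changes from newbieadguide.com to quinquecahue.com; the three stats beacons with the same u= value are the per-victim bookkeeping around the gnida.swf load.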

Screenshot of malicious SWF - yep, it's the infamous Skyauction advertisement - again.

The malware domains we have been featuring have moved on again - they are no longer hosted by Denit Internet Services, Amsterdam.

But it looks, this time, like the bad guys need a break from moving from host to host to host.

akamahi.net (190.15.64.185) (securehost.com)
newbieadguide.com (190.15.64.188) (securehost.com)
thetechnorati.com (190.15.64.191) (securehost.com)
vozemiliogaranon.com (190.15.64.192) (securehost.com)

Now remember, there is a slew of malicious domains hosted within the IP range 190.15.73 (also securehost.com), so we are not at all surprised that the bad guys have come to rest there.

To recap, first the domains were hosted by nine.ch but were dumped after the malicious advertisement that appeared on blick.ch, then they were briefly hosted by netrouting.eu, followed by FastServers, then by Denit Internet Services.

I think the next thing that we need to consider, bearing in mind the deep involvement of securehost.com in facilitating the distribution of fraudware, is to include SecureHost's upstream provider in any complaints about the hosted domains. 

Securehost may ignore complaints from the world at large, but if *their* bandwidth provider threatens to pull the pin, well that can be much harder to ignore...

Is it any surprise somebody has gotten grumpy and has been subscribing one of my public email addresses to a slew of mailing lists?  Oh well, if they want to devote valuable time to such games, then they're welcome to waste it - it will take me only a few seconds to set up some appropriate mail rules to automatically delete the results of such shenanigans once I decide that the game is boring - there are plenty of common, yet unique, characteristics in "welcome to; you have joined; you have subscribed" email messages that make filtering too easy.


IP 83.149.75.50 detected as subscribing one of my email addresses to a mailing list without permission.

Reduce it down to 83.149.75... do a Google search.. and what do we find?   Connections with malware.... "malwarewipe.com"????

http://board.protecus.de/t25767.htm

"http://malwarewipe.com/images/blue-gray-stripe.gif - deleted
http://83.149.75.51/count/l.php?pl=Win32&ce=true&id=rrd - deleted
http://www.surveyswages.com/img/laptop9.gif - deleted

http://dl.web-nexus.net/exclurls.php

"83.149.75." is a blocked IP.

Coincidence? 

What's cool is that I have only scratched the surface so far..... I have a mild interest in what's going on ... along the lines of "let's check this out just in case there's something newsworthy" but let's be honest... who gives two hoots about being subscribed to mailing lists... so many people have tried the "let's subscribe somebody we don't like to lots and lots of mailing lists" trick that it's a boring topic.

Let's see what happens over the next few days. Who knows, *they* may do something else mildly interesting, or something really dumb that we can giggle at, otherwise, I won't bore you with the details.


Keep 'em coming friend.  *Everything* is traceable eventually.


83.149.75.50 = LeaseWeb AS Amsterdam, Netherlands.... why am I not surprised?  The Netherlands has popped up several times in my recent articles about malware domains....


I admit, when I saw the following emails come in I assumed it was the typical "infected computer spewing out emails using me as a reply-to" that we are all used to, and delete as a matter of course, until I saw the one from rollins.edu. That seems to be the result of an online form which requires actual input.

I confess to being disappointed... I expect my combatants to show, at the very least, a tiny glimmer of originality.

Oh well, you know what they say - small things amuse small minds.


That's right - this wasn't me:

[screenshot]

Nor this one...

[screenshot]

Nor this one....

[screenshot]



To uninstall Internet Explorer 7 from a Windows Server 2003 system with Service Pack 2 installed, follow the steps below:

1. Uninstall Service Pack 2 for Windows Server 2003 and restart the computer.

2. Uninstall Internet Explorer 7.0 and restart the computer.

3. Reinstall Service Pack 2 for Windows Server 2003.

http://support.microsoft.com/default.aspx/kb/948093


Spyware Sucks was linked to by MCPM (Microsoft Certified Professional Magazine) and the "Redmond Security Watch" email newsletter:

http://mcpmag.com/columns/columnist.asp?columnistsid=16

"ESPN Sports Bad Code
ESPN's Soccernet site
hosted a malicious advertisement that, ultimately, led to PerformanceOptimizer.com, which in turn displayed numerous popups alleging problems with the victim's system and offering a solution.

Yep -- ad networks strike again! It simply amazes me how willing sites are to allow someone else to decide what its customers are going to see when they come to a site. That's precisely what you’re doing if you subscribe to an ad network. Revenue is a necessary component to any successful Web site, but there needs to be some additional steps taken to ensure your customers' experiences on your own site are good ones."

Cool!


Source: 
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058638&source=rss_news50

Check out what Insignia had to say in their alert:
http://www.insignia-products.com/news.aspx?showarticle=13

"It recently came to our attention that a limited number of Insignia 10.4” digital picture frames (model number NS-DPF-10A) were contaminated with a computer virus during the manufacturing process. Once informed, we immediately pulled all units of this product from stores and retail web sites as a precautionary measure to protect our customers. This product has been discontinued, and no additional inventory will be sold. Please note that no other Insignia digital picture frame products are affected by this issue.

However, some affected units were purchased at a Best Buy store or from www.bestbuy.com before the issue was detected. While this is an older virus which is easily identified and removed by current anti-virus software, we are taking this situation seriously. We apologize for the inconvenience that has been caused as a result of this incident."

I always ignore niceties such as "a limited number" - the fact that it occurred in the first place is bad enough; please don't try to make things sound better by saying "oh, but it was only a limited number".

The most glaring question I have is, if the "computer virus" is "an older virus which is easily identified and removed by current anti-virus software", then how the heck did the infection get past their own antivirus protection and quality assurance, or is it that they don't have any?

Insignia have not shared information about exactly what infected the frames, and I haven't been able to find any further information.

Source: http://blog.washingtonpost.com/securityfix/2008/01/massive_java_update_includes_s.html

I think it's worthwhile discussing a point that was raised in a comment made about the above article - specifically the comment made by the charmingly named "BelchSpeak", wherein he said:

"As a reminder, new versions of Java do not uninstall old ones automatically. This preserves some backwards compatibility issues with the software and older java applications that were version specific.

However, malware can make calls to older versions that still reside on your system, and many trojans are spread this way. Unless you know that you need an older version, you should uninstall all older versions from the system."

I am not certain that the above comment about malware being able to make calls to older versions is still correct.  I know that in the past it was an issue, but I am sure that this problem was resolved around 1.5.06 or something like that.

Ah, here we go:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1

"Prior to 5.0 Update 6, an applet could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed on the Windows platform, all applets are executed with the latest version of the JRE."

But, the advice comes with a disclaimer.  Java WebStart behaves differently.

"Prior to 5.0 Update 6, an application could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed, unsigned Java Web Start applications that specify a version other than the latest installed will trigger a warning, requiring explicit user permission before the application will run. Signed Java Web Start applications are not affected."

We should also examine this documentation:
http://java.sun.com/javase/6/webnotes/family-clsid.html

"As of JRE 5.0 Update 6, you can no longer specify the exact JRE release due to the potential misuse of static versioning. Instead, all Java applets are run using the latest version of the JRE software that is installed on the system. Note that this new behavior will not change if, after installing JRE 5.0 Update 6 or a later release, you then install an earlier JRE release. For details of the related Sun Alert, see http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1.

Because you can only use the latest version of the JRE software that is installed on the system to run Java applets, you must migrate your software to the latest JRE version as soon as possible.

This change might break existing Java applets that cannot be immediately migrated to the latest JRE version. For this reason, the JRE 5.0 Update 7 release introduces an interim solution that enables these Java applets to run with a specific JRE family version. As such, you can keep your existing deployment working while migrating your Java applets to the latest JRE version."

If I'm reading the document correctly, it is possible to work around the security introduced with 1.5.06 and specify a JRE "family" (e.g. 1.4.2, JRE 5.0 or JRE 6), but not a specific version within that family.  In addition, there are "security baselines" in force, which consist of the version number of the latest release for each JRE family that is available when the latest JRE family is built.  If the latest release for the JRE family in question is installed, then that is what is used. If it is not installed, the user sees a warning and must specifically approve the applet to run, but more importantly the user is also given the opportunity to install the latest release.

So, is BelchSpeak's advice correct?  When I first read the comment, and responded, on Brian's page, my thinking was that advice is incorrect.  Now, I see that it is correct, but only with the proviso that the user must specifically approve the applet to run and ignore the prompt to update.  The most problematic versions of Java in each family are certainly below the security baseline, so there are layers of protection there.

That being said, each build of Java takes up over 100 megabytes of space on a hard drive and I generally remove old builds for just that reason.
