Thursday, January 03, 2008 8:37 PM
sandi
Excite.com still compromised by malicious banner advertisement
I thought for a little while that the malicious advertisement was gone but, no, I get home and check out the site using a different ISP and IP address and whammo, I'm immediately redirected, but to a performanceoptimizer URL, not malwarealarm.
This time we see, stepping backwards from the fraudware site to excite.com:
performanceoptimizer.com/.landing/index.php?cmp=tmsmsposl&poa=1akeweak&pol=728&apo=1&epo=1&edpo=2&mt_info=5000_3105_2759
Referrer:
burnads.com/swf/gnida.swf?campaign=1akeweak&u=23423424

blessedads.com/?cmpid=1akeweak&adid=728
Referrer:
burnads.com/swf/gnida.swf?campaign=1akeweak&u=23423424

burnads.com/swf/gnida.swf?campaign=1akeweak&u=23423424
Referrer:
burnads.com/statsg.php?u=23423424&campaign=1akeweak

burnads.com/statsg.php?u=23423424&campaign=1akeweak
Referrer:
ak.imgfarm.com/images/ads/ProximoGroup/skyauction_728x90.swf?clickTag=http://c4.excite.com/adclick/CID=00018f6b4ec51d4300000000/AREA=MYEXCITE_NEW/SITE=excite/AAMSZ=468x60/CM=35935/CR=21093/AD=1253/CC=102251/ACB_RANDOM=9491758473?

ak.imgfarm.com/images/ads/ProximoGroup/skyauction_728x90.swf?clickTag=http://c4.excite.com/adclick/CID=00018f6b4ec51d4300000000/AREA=MYEXCITE_NEW/SITE=excite/AAMSZ=468x60/CM=35935/CR=21093/AD=1253/CC=102251/ACB_RANDOM=9491758473?
Referrer:
excite.com/
As always, I have a network capture (and the gnida and skyauction SWF files themselves).
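The request/referrer listing above can be walked mechanically. The following Python code is an added example, not part of the original post: it takes the pairs exactly as listed, follows the Referer values back from the landing page to excite.com, and reports query-string values that recur across different hosts. The function names and the six-character minimum are assumptions of the example.

```python
from urllib.parse import urlsplit, parse_qsl

# (request, referrer) pairs copied from the post's listing, newest hop first.
# Function names and the 6-character cutoff are assumptions of this example.
SKY = ("ak.imgfarm.com/images/ads/ProximoGroup/skyauction_728x90.swf?clickTag="
       "http://c4.excite.com/adclick/CID=00018f6b4ec51d4300000000/AREA=MYEXCITE_NEW"
       "/SITE=excite/AAMSZ=468x60/CM=35935/CR=21093/AD=1253/CC=102251"
       "/ACB_RANDOM=9491758473?")
GNIDA = "burnads.com/swf/gnida.swf?campaign=1akeweak&u=23423424"
STATS = "burnads.com/statsg.php?u=23423424&campaign=1akeweak"
PAIRS = [
    ("performanceoptimizer.com/.landing/index.php?cmp=tmsmsposl&poa=1akeweak"
     "&pol=728&apo=1&epo=1&edpo=2&mt_info=5000_3105_2759", GNIDA),
    ("blessedads.com/?cmpid=1akeweak&adid=728", GNIDA),
    (GNIDA, STATS),
    (STATS, SKY),
    (SKY, "excite.com/"),
]

def host(url):
    """Host part of a scheme-less URL as written in the listing."""
    return urlsplit("//" + url).hostname

def walk_back(pairs, start):
    """Follow Referer values from `start` to the page with no recorded referrer."""
    ref_of = dict(pairs)
    chain, seen = [start], {start}
    while chain[-1] in ref_of:
        nxt = ref_of[chain[-1]]
        if nxt in seen:          # guard against a referrer loop in the capture
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def shared_tokens(urls, min_hosts=2):
    """Query values (len >= 6) that recur on at least `min_hosts` distinct hosts."""
    hosts_by_value = {}
    for u in urls:
        for _, v in parse_qsl(urlsplit("//" + u).query):
            if len(v) >= 6:
                hosts_by_value.setdefault(v, set()).add(host(u))
    return {v: sorted(h) for v, h in hosts_by_value.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    chain = walk_back(PAIRS, PAIRS[0][0])
    print(" <- ".join(host(u) for u in chain))
    print(shared_tokens([u for p in PAIRS for u in p]))
```

On this listing the only value shared across hosts is the campaign identifier, which ties the burnads, blessedads and performanceoptimizer requests to the same ad campaign.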
Filed under: Vulnerabilities, Security, safety and privacy on the Internet, viruses and exploits