Malicious advertisement at diepresse.com
Yet another non-English language web site has been targeted by a malicious advertising campaign. I'm beginning to wonder if it is simply becoming too hard for the fraudsters to sell their wares to English language web sites because of the persistent attention we have been focusing on this problem, and the publicity that has resulted, and that they are therefore shifting their attention to European countries in the hope that victims there have not seen the publicity that has been so prevalent in English speaking countries.
I'm going to expand on the new table format for this blog entry, in the hope that it will make the information easier to read and understand (and take up less space). I'll be interested to hear if you like the idea of placing all of the information in tables, and if you like the idea of a summary at the beginning of each report.
| Field | Detail |
|---|---|
| Victim site | diepresse.com (194.232.116.3, 194.232.116.7) |
| SWF host | diepresse.com (using RealMedia software) |
| SWF Source | |
| Target fraudware domain | performanceoptimizer.com |
| Banned cities, countries and IPs | 193.16.0.0-193.16.255.255, 194.232.0.0-194.232.255.255 (note: the banned range includes the IPs for diepresse.com); wien, vienna (note: diepresse.com is in Austria) |
| SWF URL | werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf |
| Special notes | The malicious advertisement looks identical to the one that infiltrated washingtonpost.com. In this case the web site owner is directly hosting the malicious SWF, so it is up to the site owner to pull the advertisement. |
| Incident reported to | diepresse.com; RealMedia |
| Resolution | Campaign suspended |
As always, let's work backwards from the final target site.
| URL | Referrer |
|---|---|
| performanceoptimizer.com/.landing/index.php?cmp=tmsmsposl&poa=usundulate&pol=intl&apo=1&epo=1&edpo=2&mt_info=5312_4080_2759 | traveltray.com/swf/gnida.swf?campaign=usundulate&u=1200497755 |
| traveltray.com/?cmpid=usundulate&adid=intl | traveltray.com/swf/gnida.swf?campaign=usundulate&u=1200497755 |
| traveltray.com/statss.php?campaign=usundulate&u=1200497755 | traveltray.com/swf/gnida.swf?campaign=usundulate&u=1200497755 |
| traveltray.com/statsg.php?u=1200497755&campaign=usundulate | traveltray.com/swf/gnida.swf?campaign=usundulate&u=1200497755 |
| traveltray.com/statsg.php?u=1200497755&campaign=usundulate | werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf?clicktag=http://werbung.diepresse |
| traveltray.com/statsa.php?u=1200497755&campaign=usundulate | werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf?clicktag=http://werbung.diepresse |
| werbung.diepresse.com/RealMedia/ads/Creatives/diepresse/dp1509_frontgate_fb_050208/diepr468x60.swf?clicktag=http://werbung.diepresse.com/RealMedia/ads/click_lx.ads/diepresse.com/home/2103686827/Top/diepresse/dp1509_frontgate_fb_050208/dp1509_frontgate_fb_050208.html/33616131643462393437393133663530? | diepresse.com/ |
Malicious behaviour
The diepresse.com page begins to load. If the malicious advertisement is displayed, and the computer displaying the advertisement is not captured by the banned cities and IP list mentioned above, the web browser is redirected to the malicious domain.
Here is the malicious advertisement in situ:
First the victim will see this:
as well as this small window which will be in the corner of the monitor screen - yes, this is the actual size of the window as it appears:
As always, do not click on the OK or Cancel button. As always, click on the close (X) button. When we do that, we see the following - yes, that's right, the Performance Optimizer web site opens regardless of which option is selected. Note that the info bar has appeared in IE7 warning that the site has tried to install an ActiveX control - older web browsers, or web browsers with lowered security settings, may automatically install the fraudware at this time.
Ok, so the next thing we try to do is close the Web page using the red close (X) button. When we do that, we see the following. Note that the OK button has focus.
Again, we ignore the OK and Cancel buttons and use the red close (X) button. We then see the following. Note that there is no Cancel button this time - the site's owners are trying to trick visitors into thinking that they have no choice but to select OK.
Again, do not click on the OK button, instead click on the red close (X) button. Once we do that, we see the following (persistent bastards, aren't they). Note the info bar warning that the Web site in question has tried to download files to the target computer. Simply click on the red close (X) button. Once you do that, you have finally escaped from the tentacles thrown out by the PerformanceOptimizer site.
