rhapsody.com hit by malicious banner advertisement

rhapsody.com has been hit by a malicious banner advertisement. rhapsody.com is owned by RealNetworks.


Victim site: rhapsody.com (207.188.21.32)
SWF host: RealOne / Doubleclick
SWF Source: 
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs: 207.188.0.0-207.188.255.255 (note this IP range captures rhapsody.com itself, so visitors coming from the victim's own address space are not redirected and the site's own staff would not see the problem); newjersey, newyork, california, washington, virginia; paris, aarhus, velizycedex, jarrestr, amsterdam, rotterdam, zaanstad, koogaandezaan, seattle
Permitted cities, countries and IPs: US, NL, FR, SE, DK, NO, UA
SWF URL: i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231
Special notes: Incident reported to Doubleclick, rhapsody.com
Resolution: 


As always, let's work backwards from the final target site. 

URL / Referrer

scanner2.malware-scan.com/9_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=mi1eroof_ma9_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_13496

prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358

blessedads.com/?cmpid=mi1eroof&adid=728

newbieadguide.com/statss.php?campaign=mi1eroof&u=23423424


newbieadguide.com/swf/gnida.swf?campaign=mi1eroof&u=23423424

newbieadguide.com/swf/gnida.swf?campaign=mi1eroof&u=23423424

newbieadguide.com/statsg.php?u=23423424&campaign=mi1eroof
newbieadguide.com/statsa.php?u=23423424&campaign=mi1eroof
    referrer: i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231

i.realone.com/ads/Rollingstone/1_skyauction_728x90.swf?clickTag=http: // ad.doubleclick.net/click%3Bh=v8/3652/3/0/%2a/x%3B177176445%3B0-0%3B0%3B12874614%3B3454-728/90%3B24358245/24376098/1%3B%3B%7Eaopt%3D2/1/ff/0%3B%7Esscs%3D%3fhttp: // www.skyauction.com/?id=384231
    referrer: rhapsody.com/-search?query=U2&searchtype=RhapArtist


Screenshot of malicious SWF - yep, it's the infamous Skyauction advertisement - again


Comments

# re: rhapsody.com hit by malicious banner advertisement

Monday, January 28, 2008 6:10 AM by Samuel Loirat

Hi,

Here is my website, which contains a tool called "click checker". This tool can also find security holes and malware presence in SWF files. Here is the URL: http://www.adopstools.net.

Some ad networks are using it a lot and have already avoided running malware ads thanks to this tool.

Enjoy.

# re: rhapsody.com hit by malicious banner advertisement

Monday, January 28, 2008 11:28 AM by MysteryFCM

@Samuel

Strange... your post just looks like a spam op to me.

I also tried to scan the skyauction.com and i.realone.com URLs using your site and it told me it wasn't a valid SWF file?

# re: rhapsody.com hit by malicious banner advertisement

Monday, January 28, 2008 5:26 PM by Samuel Loirat

@MysteryFCM.

I was able to check the file remotely; I guess you haven't entered the correct URL for it. Also, when you want to scan a remote file you need to select "remote file" first, then you can enter the URL. And this is definitely not spam; the tool was made public only 3 months ago and has received some very good feedback.

# re: rhapsody.com hit by malicious banner advertisement

Monday, January 28, 2008 5:48 PM by sandi

Samuel,

The gnida.swf that is involved in a redirect affecting expedia.com is not scanning properly - there is a code error.

The URL is:

quinquecahue.com/swf/gnida.swf?

Also, a SWF that is known to be redirecting visitors to the gnida.swf above is scanning clean.

The URL is media.expedia.com/ads/FXSound/728x90.swf.

Can you investigate?

Sandi &c.

# re: rhapsody.com hit by malicious banner advertisement

Tuesday, January 29, 2008 4:40 AM by Samuel Loirat

@Sandi,

I checked the 728x90.swf file, and it seems that the degree of encoding has reached another level. I can see a URL from quinquecahue.com (quinquecahue.com/statsa.php) but I can't see the necessary ActionScript to allow its call: System.security.allowDomain("*");

Sam

# re: rhapsody.com hit by malicious banner advertisement

Tuesday, January 29, 2008 7:03 AM by Me

@Sam: They change the obfuscation tools from time to time. Back in December 2007 all URLs were visible, just prefixed with many whitespace characters.
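The two comments above describe the obstacles a SWF checker runs into: URL strings hidden behind whitespace padding, and an allowDomain call that a scanner may or may not be able to see. The following is an added example (not the adopstools checker, and not the blog author's code) of a string-level scanner that handles the zlib-compressed CWS container, strips the padding, and flags allowDomain on string presence alone; it does not decode ActionScript bytecode. The SWF blob it scans is constructed in the script and is not one of the files named in this thread; the list of "expected" ad-network hosts is likewise an assumption made here.

```python
"""String-level scanner for SWF banner files.

Added example for this thread; not the commenters' tool. The fixture
below is constructed and is not one of the files discussed above.
"""
import re
import struct
import zlib
from urllib.parse import urlsplit

# Host(/path) with optional scheme; the whole stripped string must match.
URL_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?].*)?$", re.I)


def build_fake_swf(strings, compress=True):
    """Constructed fixture: an SWF-shaped blob whose body is a run of
    NUL-terminated strings, like a DoAction constant pool. Not a playable
    movie; just enough to exercise swf_body() and scan_swf()."""
    body = b"".join(s + b"\x00" for s in strings)
    signature = b"CWS" if compress else b"FWS"
    # Header: signature, version byte, uncompressed total length (LE uint32).
    header = signature + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


def swf_body(blob):
    """Return the uncompressed tag data. With a CWS signature everything
    after the 8-byte header is a zlib stream; FWS is stored as-is."""
    signature = blob[:3]
    declared = struct.unpack("<I", blob[4:8])[0]
    if signature == b"FWS":
        body = blob[8:]
    elif signature == b"CWS":
        body = zlib.decompress(blob[8:])
    else:
        raise ValueError("not an SWF: signature %r" % signature)
    if 8 + len(body) != declared:
        raise ValueError("header length %d does not match body" % declared)
    return body


def extract_strings(body, min_len=4):
    """NUL-separated runs of printable ASCII. Surrounding whitespace is kept
    so callers can tell padded entries from clean ones."""
    out = []
    for run in body.split(b"\x00"):
        if len(run.strip()) >= min_len and all(32 <= b < 127 for b in run):
            out.append(run.decode("ascii"))
    return out


def scan_swf(blob, expected_hosts):
    """Classify every URL-looking string: padded or not, and whether its host
    is one the ad network expects. allowDomain is a string heuristic only."""
    body = swf_body(blob)
    findings = {"urls": [], "padded": [], "unexpected_hosts": set(),
                "allow_domain": b"allowDomain" in body}
    for raw in extract_strings(body):
        text = raw.strip()
        if not URL_RE.match(text):
            continue
        findings["urls"].append(text)
        if text != raw:
            findings["padded"].append(text)
        host = (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()
        if host not in expected_hosts:
            findings["unexpected_hosts"].add(host)
    return findings


# Constructed sample: the legitimate click-through host plus a whitespace-
# padded tracker URL and the pieces of a System.security.allowDomain call.
SAMPLE_STRINGS = [
    b"clickTag",
    b"http://ad.doubleclick.net/click",
    b"            http://newbieadguide.com/statsa.php?u=23423424&campaign=mi1eroof",
    b"System", b"security", b"allowDomain", b"*", b"_root",
]
# Assumed allowlist for this creative; a real one comes from the ad network.
EXPECTED_HOSTS = {"i.realone.com", "ad.doubleclick.net", "www.skyauction.com"}

if __name__ == "__main__":
    for compress in (True, False):
        print(scan_swf(build_fake_swf(SAMPLE_STRINGS, compress), EXPECTED_HOSTS))
```

Two details matter in practice: a checker that rejects a file as "not a valid SWF" may simply be failing on the CWS container, so decompress before scanning; and compare stripped strings against the allowlist, since a padded URL is still a URL to the player.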

# re: rhapsody.com hit by malicious banner advertisement

Wednesday, January 30, 2008 9:39 AM by Rusty

I found this thread via Google as I was researching a virus alert. While visiting MAYOCLINIC.COM looking up info on a knee condition, my system stopped and alerted to a trojan (thanks go to McAfee). The URL had changed to quinquecahue.com/statsg.php?u=1200910285&campaign=fabulistor. I wasn't aware MAYO had banners, and I didn't purposefully click on one as I absolutely never do.

If I follow this correctly (and you folks are more up on this stuff than I am), it looks like you can add mayoclinic.com to the other sites this problem is affecting (so far I've seen rhapsody.com and expedia.com).

I'm curious if this info helps or, for that matter, I am correct in my assessment.

# re: rhapsody.com hit by malicious banner advertisement

Thursday, January 31, 2008 9:09 AM by Samuel Loirat

@Sandi,

Thanks for all the files you provide on your blog, I was able to update my tool ;o). So if you want, you can test it as much as you can. If you find that a file went through the net, just drop me a message via the contact form under the "About" section; I would be very grateful, as it lets me keep the tool updated to the latest possible threat.

Thanks

Sam