Malicious advertisement on MySpace.com
Sadly, the criminals behind the malicious Flash banner advertisements have been using "How2Vacation" creatives for a long time - in fact, How2Vacation was listed way back on May 2007 by MikeOnAds as a known malicious advertisement.
The challenge that the advertising industry faces is how to share information more effectively. It is frustrating to see incidents such as that which hit MySpace - frustrating because those of us who have been monitoring malicious advertisements recognize potential danger in a heartbeat.
This particular advertisement is, in fact, quite unsophisticated. If we analyse the creative we immediately detect suspicious content. For example, we see that the creative contains the following actionscript:
Also, we see this:
mysurvey4u.com is a known "shell" web site that uses a nameserver at, you guessed it, securehost.com. Domains sharing name servers and mail servers include:
traveltray.com <-- mentioned on this blog before
Its Registrar is YESNIC CO LTD, yet another name that appears far too often in association with malware and fraudware sites.
Ok, so now we know that malicious advertisements featuring "how2vacation" have been around for a while now, and that mysurvey4u.com is highly suspicious, that it has a very bad reputation, and that it is sharing a bed with some bad names. Let's look at what the advertisement actually does.
The URL of the malicious SWF is cache.opt.fimserve.com/contents/61/27/27061/CR_(SeptthroughDec)How2vacation_120x600_V2.swf.
fimserve.com is MySpace (ns1.myspace.com and ns2myspace.com, fimserv.myspace.com)
In the case of this particular campaign, it is coded so that the redirect will *not* trigger under the following conditions:
- If the computer is in the following countries - IN, IL, AU, NZ
- If the computer is in the following IP ranges - 184.108.40.206-220.127.116.11; 18.104.22.168-22.214.171.124; 126.96.36.199-188.8.131.52
As a point of interest, MySpace uses the following IP addresses - you will note that they fall within the IP ranges listed above:
184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
What is the significance of the script system.security.allowdomain("*")
I shall quote Adobe:
"If two SWF files are served from the same domain -- for example, http://mysite.com/movieA.swf and http://mysite.com/movieB.swf -- then movieA.swf can examine and modify variables, objects, properties, methods, and so on in movieB.swf, and movieB.swf can do the same for movieA.swf. This is called cross-movie scripting or simply cross-scripting.
If two SWF files are served from different domains -- for example, http://mysite.com/movieA.swf and http://othersite.com/movieB.swf -- then, by default, Flash Player does not allow movieA.swf to script movieB.swf, nor movieB.swf to script movieA.swf. A SWF file gives SWF files from other domains permission to script it by calling System.security.allowDomain(). This is called cross-domain scripting. By calling System.security.allowDomain("mysite.com"), movieB.swf gives movieA.swf permission to script movieB.swf."
Cross domain scripting can be a "bad thing". Advertising networks should consider very carefully whether they are willing to allow such content into their networks, especially content that uses a wildcard when calling system.security.allowdomain.
The above call, system.security.allowdomain("*"), means that the SWF at CR_(SeptthroughDec)How2vacation_120x600_V2.swf is allowing ANY SWF on ANY DOMAIN to script it.
First of all, MySpace should have been aware that there was a risk involved in hosting this SWF because it features how2vacation.com. Second, even a cursory examination using a service such as adopstools reveals the dangerous script, and the mysurvey4you.com URL. In short, this advertisement should never have made it through security checks.