Yet another malicious banner advertisement at www.123greetings.com

OK, so tell me oh gentle reader... just how many "free passes" should a website get?

123greetings.com is, once again, displaying a malicious banner advertisement.  This is the third incident that I have personally experienced thanks to an advertisement accepted by those responsible for 123greetings.com, and enough is enough.

 

The URL of the malicious advertisement is:
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/ReachWe_LB_10981A/123_728x90.swf

As you can see, the campaign is new to this blog:

image 

image


When we analyse the SWF we find this URL:

adtds2.promoplexer.com/statsa.php?campaign=123

Yes, Promoplexer.com are known bad guys.  We also hit adsraise.com/mbuyers/statistics.html

adsraise.com and promoplexer.com are both hosted by WNET, who also provide the name servers.  WNET have been mentioned several times in this blog.

The advertisement dumped me at tds.promoplexer.com/statsg.php

That URL led me to the now infamous gnida.swf (tds.promoplexer.com/swf/gnida.swf)

And from there to adtds2.promoplexer.com/in.cgi?12

before I finally ended up at antispywaredeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=

Published Tue, Apr 1 2008 0:51 by sandi
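One way to spot a redirect chain like the one traced above in proxy logs, as an added example that is not part of the original post: it rebuilds each chain from Referer values and reports the chains that end on a host named in the post. The log format, the client addresses and the Referer linkage are constructed assumptions.

```python
from urllib.parse import urlsplit

WATCHLIST = ("promoplexer.com", "adsraise.com", "antispywaredeluxe.com")  # hosts named in the post
SWF = ("http://imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/"
       "ReachWe_LB_10981A/123_728x90.swf")
# Constructed proxy log (client, URL, Referer); URLs from the post, the rest assumed.
SAMPLE_LOG = f"""\
10.0.0.5 http://www.123greetings.com/ -
10.0.0.5 {SWF} http://www.123greetings.com/
10.0.0.5 http://adtds2.promoplexer.com/statsa.php?campaign=123 {SWF}
10.0.0.5 http://adsraise.com/mbuyers/statistics.html {SWF}
10.0.0.5 http://tds.promoplexer.com/statsg.php http://adtds2.promoplexer.com/statsa.php?campaign=123
10.0.0.5 http://tds.promoplexer.com/swf/gnida.swf http://tds.promoplexer.com/statsg.php
10.0.0.5 http://adtds2.promoplexer.com/in.cgi?12 http://tds.promoplexer.com/swf/gnida.swf
10.0.0.5 http://antispywaredeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid= http://adtds2.promoplexer.com/in.cgi?12
10.0.0.9 http://www.example.org/ -
"""

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def on_watchlist(url):
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def chain_to(url, parent):
    """Follow Referer links back from url to the page that started the chain."""
    chain = [url]
    while parent.get(url) and parent[url] not in chain:  # stop at root or loop
        url = parent[url]
        chain.append(url)
    return chain[::-1]

def find_ad_chains(log):
    """Return {client: [chain, ...]}, one chain per final request (a URL that
    is nobody's Referer) landing on a watchlisted host."""
    parents = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:  # skip malformed lines
            client, url, ref = parts
            parents.setdefault(client, {}).setdefault(url, None if ref == "-" else ref)
    hits = {}
    for client, parent in parents.items():
        referers = set(parent.values())
        for url in parent:
            if url not in referers and on_watchlist(url):
                hits.setdefault(client, []).append(chain_to(url, parent))
    return hits
```

The first two hops of each returned chain identify the publisher page and the ad-server creative, which is what a report to the site or the ad network needs.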

Comments

# re: Yet another malicious banner advertisement at www.123greetings.com

Monday, March 31, 2008 10:30 AM by Alun Jones

It seems to me that if anyone's getting free passes, it's not the web site on which you see the advert, but the advertising agency which approves the campaigns hosted on that site.

For various reasons - bandwidth, control, experience, etc - the web sites themselves generally "lease out" space to advertisers. Every day/week/month, the web site owners receive a list of links to media, and a count of how many times those media can be displayed. The web sites randomly attach an appropriate link's media to a page sent to the user's web browser, and the user's web browser displays the content.

Now, the web site could preview the media before sending it to the user - but there's that 'experience' thing again - the web site software doesn't know what to look for; there's that 'bandwidth' thing again - the web site can't afford the bandwidth to host the media, it sure can't afford the bandwidth to scan the media every time; and the web site can't simply scan on first display, or the malware would simply have to wait until it hits the tenth display to enable itself.

Also, as you've noted yourself, it's clear that the malware authors are careful to prevent the web site owners from seeing the malicious effects of the advert.

I think that the group that should be scanning the adverts, as they are originally uploaded, and at regular intervals, is the media hoster - in this case, that would appear to be 247realmedia.com - "24/7 Real Media".

Why are they still accepting and hosting these malicious adverts?

# re: Yet another malicious banner advertisement at www.123greetings.com

Tuesday, April 01, 2008 4:13 AM by Conrad Longmore

Perhaps time for Google to give 123greetings.com a "This site may harm your computer" tag?

Actually, it's already red flagged at SiteAdvisor - www.siteadvisor.com/.../123greetings.com

# re: Yet another malicious banner advertisement at www.123greetings.com

Tuesday, April 01, 2008 7:20 AM by sandi

@Conrad,

That could possibly be arranged, but I think that the Google warning is more for compromised web sites than malicious banner advertisements.

It would be Haute Secure that blocks sites based on the appearance of malicious advertisements.

Sandi

# re: Yet another malicious banner advertisement at www.123greetings.com

Tuesday, April 01, 2008 2:45 PM by laureli

Google will flag sites for the ads contained therein.  Report it!

Part of the responsibility should rest with the site itself, and that may result in using different advertising agencies.  It seems like companies should take steps to avoid distributing malware to their users.

# re: Yet another malicious banner advertisement at www.123greetings.com

Thursday, July 31, 2008 1:53 AM by turkey

Thanx You.. Perfect Docs