New malvertizements detected - this time at deseretnews.com and sltrib.com

I received the following email the other day:

"I am quite certain that both DeseretNews.com and Sltrib.com, which are pretty likely to be running the same advertising platform software (due to their shared advertising company, NAC), are serving up bad advertisements. I don't know if you can detect it, but I've contacted their web departments and had no response. I wish they would make something happen so users don't suffer. I am not a security expert but the behavior on the website made me concerned and curious. They are the primary websites in Utah, and I believe their user traffic, though not gigantic like a Yahoo!, is pretty decent."

A lot of the discoveries reported on this blog are a team effort - we hear about a problem, we share the intelligence, and we get to work tracking down the bad guys.


This time, I am pleased to report that it was Kimberley who found the advertisement, featuring Traveltray :o)


You'll find Kimberley's report here:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=86832&mode=threaded&show=&st=30&#entry86832

I find it amazing that Forceup is still able to successfully sell malvertizements.  A simple web search for the word "Forceup" throws up enough red flags to concern anybody.  The malvertizement fails an adopstools test:
http://www.adopstools.com/index.asp?page=quicklink&id=0KT22GXn5404G8Ac

Assuming you are not redirected, if you click on the malvertizement you end up here:
http://www.traveltray.com/?aid=ad72890

BUT, if your web browser is hijacked, you end up here:
stat-diagnostic-imaging.net/c/index.php?id=Nnm7NkiZlYXFkT0V2SnQ0dGVGenVCeUxoPTEyMDY0NDYwMDImcG56Y252dGE9YmFyYWd2m7NkiZXJ5bAYNkiDgNmYNkiDgNm

And here:
waytotheprofit.com/?cmpid=onentirely&adid=intl

The second URL redirects, for me, to:
harddriveguard.com/?tmn=es5&eai=onentirely&eli=intl&3&mt_info=5773_0_4217

You will note that Kimberley, on the other hand, was redirected to:
antispywaremaster.com/data/?440e535753&gai=onentirely&gli=intl&3&mt_info=5773_6484_18136
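Notice what the two final landing pages have in common with the hop before them: the campaign identifiers onentirely and intl are carried from waytotheprofit.com into both harddriveguard.com and antispywaremaster.com (under different parameter names), and the two mt_info values share the 5773 prefix. That is how you tell that Kimberley and I hit the same affiliate campaign even though we landed on different rogue products. The snippet below is an added example, not code from the original post: it parses the three URLs quoted above (copied by hand, nothing is fetched) and reports every token that appears on more than one host. The threshold and the underscore tokenising of mt_info are my choices, not something the redirect chain documents.

```python
"""Correlate the hops of a malvertising redirect chain by shared query tokens.

Added example, not part of the original post. CHAIN holds the URLs quoted in
the post, typed in by hand; the code fetches nothing, so it runs offline.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# The redirect hops from the post (schemes omitted, exactly as they were quoted).
CHAIN = [
    "waytotheprofit.com/?cmpid=onentirely&adid=intl",
    "harddriveguard.com/?tmn=es5&eai=onentirely&eli=intl&3&mt_info=5773_0_4217",
    "antispywaremaster.com/data/?440e535753&gai=onentirely&gli=intl&3&mt_info=5773_6484_18136",
]


def parse_hop(url):
    """Return (host, {param: value}) for a URL that may have no scheme.

    Bare query members such as '&3&' or '440e535753' are kept as keys with an
    empty value so that nothing in the query string is silently dropped.
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to see the host
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return parts.hostname, params


def _tokens(value):
    """Whole value plus its underscore-separated pieces, e.g. mt_info=5773_0_4217
    yields {'5773_0_4217', '5773', '0', '4217'} so a shared prefix still shows."""
    pieces = {value}
    if "_" in value:
        pieces.update(value.split("_"))
    return {p for p in pieces if p}


def shared_tokens(chain, min_hosts=2):
    """Map each query value to the sorted hosts whose URL carries it.

    Only values seen on at least min_hosts distinct hosts are returned. The
    parameter *names* differ per hop (cmpid / eai / gai), so correlation is
    done on the values, which is where the affiliate campaign ID actually lives.
    """
    seen = defaultdict(set)
    for url in chain:
        host, params = parse_hop(url)
        for value in params.values():
            for token in _tokens(value):
                seen[token].add(host)
    return {tok: sorted(hosts) for tok, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for token, hosts in sorted(shared_tokens(CHAIN).items()):
        print(f"{token:12s} -> {', '.join(hosts)}")
```

Run it and the output lists onentirely and intl against all three hosts and 5773 against the two rogue-AV landers; es5 and the per-visit mt_info suffixes drop out because they appear once. Feed it a longer chain captured with browser developer tools and the same function tells you which hops belong to one campaign and which are unrelated trackers.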


Let's look at the various malicious URLs:


stat-diagnostic-imaging.net

Hosted by DENIT (a name we have seen before on this blog)

NS supplied by TMIDC AP Hosting Services (MYLOCA), Data Services Division, Telekom Malaysia (another name we have seen before) and by HOSTFRESH / myrdns.com (also a name we have seen before)

Have a look at this URL to see all the familiar names sharing name servers with stat-diagnostic-imaging:
http://www.robtex.com/dns/stat-diagnostic-imaging.net.html


waytotheprofit.com

Hosted by PEER1 Network Inc.  NS supplied by same.

Lots of familiar names sharing the A-record IP, and sharing name servers:
http://www.robtex.com/dns/waytotheprofit.com.html


harddriveguard.com

Hosted by REASONNET, NS and MX by RAPIDSWITCH

More untrustworthy names sharing the A-record IP, mail servers and name servers:
http://www.robtex.com/dns/harddriveguard.com.html


antispywaremaster.com

Hosted by RAPIDSWITCH with NS and MX also by RAPIDSWITCH

More untrustworthy names sharing the A-record IP, mail servers and name servers:
http://www.robtex.com/dns/antispywaremaster.com.html