New "surveys" malvertizement

Adopstools.com was not able to analyse the sample that I have, but there is more than one way to get things done.

The malicious SWF exposes victims to two different URLs:

impressiontracker.com/url/sc_6.php

and

yourredirect.com/soft.php?aid=000417&d=3&product=XPA

The yourredirect.com URL redirects to a fraudware site:

onlinescannerxp.com/2008/3/freescan.php?aid={removed}
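To check whether any of your own users were walked through this chain, the sketch below hunts for it in web proxy logs. It is an added example, not part of the original post; the log format (`timestamp client-ip url`), the sample timestamps and client addresses, and the 30-second window are assumptions, while the hosts and paths are the ones listed above.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Hosts named in the post, mapped to their role in the chain.
STAGES = {
    "impressiontracker.com": "tracker",
    "yourredirect.com": "redirector",
    "onlinescannerxp.com": "fraudware",
}

# Constructed sample log (assumed format: ISO timestamp, client IP, URL).
SAMPLE_LOG = [
    "2008-06-07T09:58:01 10.0.0.5 http://impressiontracker.com/url/sc_6.php",
    "2008-06-07T09:58:02 10.0.0.5 http://yourredirect.com/soft.php?aid=000417&d=3&product=XPA",
    "2008-06-07T09:58:03 10.0.0.5 http://onlinescannerxp.com/2008/3/freescan.php?aid={removed}",
    "2008-06-07T10:02:10 10.0.0.9 http://impressiontracker.com/url/sc_6.php",
    "2008-06-07T10:02:11 10.0.0.7 http://example.org/index.html",
]

def stage_of(host):
    """Return the chain stage for a host or any of its subdomains, else None."""
    host = host.lower().rstrip(".")
    for domain, stage in STAGES.items():
        if host == domain or host.endswith("." + domain):
            return stage
    return None

def find_exposures(lines, window=timedelta(seconds=30)):
    """Group chain hits per client; flag redirector -> fraudware within `window`."""
    clients = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = parts
        u = urlsplit(url if "://" in url else "http://" + url)
        stage = stage_of(u.hostname or "")
        if stage is None:
            continue
        rec = clients.setdefault(client, {"stages": [], "aid": None, "redirected": False})
        when = datetime.fromisoformat(ts)
        if stage == "redirector":  # keep the affiliate id for correlation
            rec["aid"] = parse_qs(u.query).get("aid", [None])[0]
        if stage == "fraudware":  # only counts if a redirector hit came just before
            rec["redirected"] |= any(s == "redirector" and timedelta(0) <= when - t <= window
                                     for s, t in rec["stages"])
        rec["stages"].append((stage, when))
    return clients
```

Clients with `redirected` set reached the fraudware page through the redirector; clients with only a `tracker` hit loaded the SWF but were not observed being redirected.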

yourredirect.com was created on 4 April 2008 and is protected by privacyprotect.org.

impressiontracker.com was created on 8 April 2008, and WHOIS refers us to a "Carol Hamilton" of eosads.com.

Both impressiontracker.com and yourredirect.com use mynickname.com name servers...

eosads.com (the domain revealed by a WHOIS check of impressiontracker.com) is, in turn, registered via none other than the infamous estdomains.  The domain was created on 8 February 2007, updated on 10 March 2008 and expires on 8 February 2009.

Screenshots of the malvertizement: [four images]

The malicious SWF is hosted by content.yieldmanager.edgesuite.net.  The appropriate parties have been notified.

Published Sunday, June 08, 2008 12:21 AM by sandi

Comments

# re: New "surveys" malvertizement

thanks for redirecting me to this page!! it's already a favorite!

Saturday, June 07, 2008 10:05 AM by nathalie
