ALERT: malvertizement featuring imin.com
The malvertizement itself scans clean at Adopstools.
The malvertizement SWF uses the _url variable to check the URL that the SWF is run from. It also checks the timezone of the displaying computer.
The SWF loads another SWF from the URL optimizedby.net/__utm.gif?utmwv=1.1&utmn=<<snipped>>.
Note that the bad guys have tried to hide the fact that a SWF is being downloaded from optimizedby.net by pretending that it is a "GIF" (optimizedby.net_utm.gif).
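A check for the disguise described above, as an added example that is not part of the original post: it flags HTTP responses whose URL carries an image extension while the body starts with an SWF signature (FWS, CWS or ZWS), and verifies the declared length of the SWF. The URLs and response bodies are constructed sample data, and the function names are hypothetical.

```python
import posixpath
import struct
import zlib
from urllib.parse import urlsplit

SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}

def parse_swf_header(body):
    """Return (compression, version, declared_length), or None if not SWF."""
    if len(body) < 8 or body[:3] not in SWF_MAGIC:
        return None
    # Byte 3 is the SWF version; bytes 4-7 are the uncompressed file length.
    return SWF_MAGIC[body[:3]], body[3], struct.unpack("<I", body[4:8])[0]

def length_consistent(body):
    """True/False for FWS and CWS bodies; None when the length is not checked."""
    hdr = parse_swf_header(body)
    if hdr is None:
        return False
    compression, _, declared_len = hdr
    if compression == "uncompressed":
        return len(body) == declared_len
    if compression == "zlib":
        try:
            return 8 + len(zlib.decompress(body[8:])) == declared_len
        except zlib.error:
            return False
    return None  # ZWS (LZMA) bodies are not verified in this example

def find_disguised_swf(responses):
    """Report responses whose URL names an image but whose body is an SWF."""
    findings = []
    for url, body in responses:
        ext = posixpath.splitext(urlsplit(url).path)[1].lower()
        hdr = parse_swf_header(body)
        if ext in IMAGE_EXTS and hdr is not None:
            findings.append({"url": url, "claimed": ext, "compression": hdr[0],
                             "version": hdr[1], "length_ok": length_consistent(body)})
    return findings

# Constructed sample data: a zlib-compressed SWF body and a minimal GIF header.
PAYLOAD = b"\x00" * 32
SAMPLE_SWF = b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(PAYLOAD)) + zlib.compress(PAYLOAD)
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"
SAMPLE_RESPONSES = [("http://ads.example/__utm.gif?utmwv=1.1", SAMPLE_SWF),
                    ("http://ads.example/pixel.gif", SAMPLE_GIF),
                    ("http://ads.example/banner.swf", SAMPLE_SWF)]
```

Run over proxy or crawler captures, `find_disguised_swf` reports only the first sample: the genuine GIF and the honestly named SWF are not flagged.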
The SWF from optimizedby.net is detected as malicious by Adopstools.
So, who are optimizedby.net? You will not be surprised to read that the ICANN Registrar is ESTDOMAINS. The domain was created on 26 August 2008, so it has been around for a while, and is hosted at IP 22.214.171.124 in Berlin (Netdirekt E.k). It is registered to a Sergey Bolshakov (firstname.lastname@example.org).
NS1.OPTIMIZEDBY.NET (126.96.36.199 - internetserviceteam.com)
NS2.OPTIMIZEDBY.NET (188.8.131.52 - internetserviceteam.com)
Netdirekt has been hosting several malicious domains in recent times, including premium-pc-scan.com, antivirus-live-scan.com, premiumlivescan.com and quick-live-scan.com. The first two were registered via REGTIME to a Vladimir Polilov; the last two were registered via ONLINENIC to a Shestakov Yuriy.