ALERT: malvertizement featuring imin.com

The malvertizement itself scans clean at Adopstools:
http://www.adopstools.com/index.asp?page=quicklink&id=AOPtiPgH5jyGpJ0D

The malvertizement SWF uses the _url variable to check the URL that the SWF is being run from. It also checks the timezone of the computer displaying it.

The SWF loads another SWF from the URL optimizedby.net/__utm.gif?utmwv=1.1&utmn=<<snipped>>.

Note that the bad guys have tried to hide the fact that a SWF is being downloaded from optimizedby.net by pretending that it is a "GIF" (optimizedby.net/__utm.gif).
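As an added detection example (not code from this post), the following Python check flags an ad resource whose URL claims to be an image while the bytes it delivers are a Flash SWF, which is exactly the __utm.gif disguise described above. The sample response bodies and the example.invalid URL are constructed for the example.

```python
"""Detect an ad resource served under an image name that is really a SWF.

Added example for this post, not the author's code. Sample bodies are
constructed inline, so this runs offline."""
import struct
from urllib.parse import urlparse

# SWF magic bytes: FWS (uncompressed), CWS (zlib), ZWS (LZMA, later players)
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}
IMAGE_EXTENSIONS = {".gif", ".png", ".jpg", ".jpeg"}


def sniff(body: bytes) -> str:
    """Classify a payload by its leading bytes, ignoring the URL entirely."""
    if body[:3] in SWF_SIGNATURES and len(body) >= 8:
        return "swf"
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def swf_header(body: bytes) -> dict:
    """Parse the 8-byte SWF header: signature, player version, declared length."""
    version = body[3]
    length = struct.unpack("<I", body[4:8])[0]
    return {"signature": body[:3].decode(), "version": version, "length": length}


def check_ad_resource(url: str, body: bytes) -> dict:
    """Compare what the URL claims (extension) with what the bytes really are."""
    path = urlparse(url).path.lower()          # query string is not part of the name
    ext = path[path.rfind("."):] if "." in path else ""
    actual = sniff(body)
    # An "image" URL delivering a SWF is the disguise this post describes.
    result = {"url": url, "claimed": ext, "actual": actual,
              "suspicious": ext in IMAGE_EXTENSIONS and actual == "swf"}
    if actual == "swf":
        result["swf"] = swf_header(body)
    return result


# Constructed samples: a genuine GIF header, and a minimal uncompressed SWF
# header fetched under the disguised path from the post (query snipped).
GIF_BODY = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 10
SWF_BODY = b"FWS" + bytes([8]) + struct.pack("<I", 200) + b"\x00" * 192
DISGUISED_URL = "http://optimizedby.net/__utm.gif?utmwv=1.1&utmn=SNIPPED"

if __name__ == "__main__":
    print(check_ad_resource(DISGUISED_URL, SWF_BODY))
    print(check_ad_resource("http://example.invalid/pixel.gif", GIF_BODY))
```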

The SWF from optimizedby.net is detected as malicious by Adopstools:
http://www.adopstools.com/index.asp?page=quicklink&id=vKrEjupFem3Sax2e

So, who are optimizedby.net? You will not be surprised to read that the ICANN Registrar is ESTDOMAINS. The domain was created on 26 August 2008, so it has been around for a while, and is hosted at IP 212.95.32.166 in Berlin (Netdirekt E.k). It is registered to a Sergey Bolshakov (serg.bolshakov@mail.ru).

Name servers:

NS1.OPTIMIZEDBY.NET (212.95.32.166 - internetserviceteam.com)
NS2.OPTIMIZEDBY.NET (212.95.32.166 - internetserviceteam.com)

Netdirekt has been hosting several malicious domains in recent times, including:

premium-pc-scan.com, antivirus-live-scan.com, premiumlivescan.com and quick-live-scan.com. The first two were registered via REGTIME to a Vladimir Polilov; the latter two were registered via ONLINENIC to a Shestakov Yuriy.

Comments

# re: ALERT: malvertizement featuring imin.com

Sunday, November 16, 2008 8:13 PM by Larry Seltzer

The AdopsTools link says that "The file has a sprite/movieclip which is containing Malware actionScript code."

Can you elaborate some on what this means? Does it just redirect or does it exploit a Flash vulnerability?

# re: ALERT: malvertizement featuring imin.com

Tuesday, November 18, 2008 9:38 PM by sandi

Thanks for commenting on my blog.

Basically, the redirect that is occurring without user interaction is not being achieved via a Flash vulnerability.  It is a "feature" of Flash, a feature that the end user has no way to stop or otherwise control.

Unlike clipboard hijacking, which Adobe saw fit to fix by adding a permissions dialogue box:

(www.adobe.com/.../fplayer10_security_changes_02.html),

Adobe have done nothing about the redirect problem.

I had a discussion with an Adobe employee a while ago here about the problem:

(weblogs.macromedia.com/.../banner_redirect.html).

His attitude was, and continues to be, that blame lies elsewhere - a theme that continues here:

(weblogs.macromedia.com/.../on_clickjacking.html)

and here:

(blogs.adobe.com/.../clickjacking_reporters.html).