ALERT: Two malvertizements seen at Spaces (not skydrive) and Hotmail...

Edit: BTW, it is Spaces and Hotmail - I haven't seen the malvert at Skydrive yet.

Kimberley saw the first one, a malvertizement featuring perfectmatch.com:

[image: screenshot of the perfectmatch.com malvertisement]

I have discovered another malvertizement featuring IMIN - we have seen this advert several times in recent days in different places:

[image: screenshot of the IMIN malvertisement]

Details of hijack:

IMIN malvertizement not detected by adopstools
http://www.adopstools.com/index.asp?page=quicklink&id=j5WPzf37aZeMUVbT

Encrypted dynamic text in use

Hash: 11c8f432a9e70c56a171ddfa9df43a3a

Refers victims to this URL (an SWF disguised as a GIF):
optimizedby.net/__utm.gif?<<snipped>>

Scans malicious at adopstools
http://www.adopstools.com/index.asp?page=quicklink&id=8010nJ21nJm6q02M

Hash: d730fba801a56311f9cf73587826821a

Leads victims to fraudware domains, including windows-scannercenter.com/?id=<<snipped>>
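The second-stage file above is fetched as `__utm.gif` (a name that blends in with the Google Analytics tracking pixel) but is really Flash content. A proxy or ad-scanning filter can catch that mismatch by comparing the file's magic bytes with the type the URL claims. The following is an added example written for this post, not code from the post or from adopstools; the function names, the sample byte strings and the `id=PLACEHOLDER` query value are all constructed here.

```python
from urllib.parse import urlsplit
import posixpath

# Standard magic-byte signatures for the formats involved (well-known values,
# not taken from the post).
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"FWS": "swf",                   # uncompressed Flash
    b"CWS": "swf",                   # zlib-compressed Flash
    b"ZWS": "swf",                   # LZMA-compressed Flash
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

IMAGE_TYPES = {"gif", "png", "jpeg"}


def sniff_type(data: bytes) -> str:
    """Return the real format of a response body from its leading bytes."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_type(url: str) -> str:
    """Return the format the URL's path extension claims (query string ignored)."""
    path = urlsplit(url).path
    ext = posixpath.splitext(path)[1].lower().lstrip(".")
    return {"jpg": "jpeg"}.get(ext, ext) or "unknown"


def is_disguised_swf(url: str, data: bytes) -> bool:
    """True when the URL claims an image extension but the bytes are Flash."""
    return sniff_type(data) == "swf" and claimed_type(url) in IMAGE_TYPES


# Constructed samples (not the real files described in the post).
DISGUISED = b"CWS\x08" + b"\x00" * 12    # compressed-Flash header
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00"

if __name__ == "__main__":
    url = "http://optimizedby.net/__utm.gif?id=PLACEHOLDER"  # query value is a placeholder
    print(is_disguised_swf(url, DISGUISED))  # True
    print(is_disguised_swf(url, REAL_GIF))   # False
```

The check deliberately ignores the `Content-Type` header, since the serving host controls that as well; only the bytes themselves are trustworthy.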

optimizedby.net

ICANN Registrar: Regtime Ltd
Created 26 August 2008
NS1.OPTIMIZEDBY.NET (has 1 domain)
NS2.OPTIMIZEDBY.NET
Registrant: Sergey Bolshakov (serg.bolshakov@mail.ru)
IP: 212.95.32.166 - Netdirekt E.k

windows-scannercenter.com

ICANN Registrar: Directi
Created 21 September 2008
NS1.WINDOWS-SCANNERCENTER.COM (has 1 domain)
NS2.WINDOWS-SCANNERCENTER.COM
Registrant: Ali Said (kanobeliz@googlemail.com)
IP: 83.229.251.28 - Moskva - Moscow - Mchost.ru Inc

Domains sharing the IP range 83.229.251.%:

Tarapiska.ru |  Mymyt.ru |  Sexytales.ru |  Building-msk.ru |  Mjsk.ru  |  Ndcompany.ru |  Euro44.ru |  Romeld.biz |  Allkarnaval.ru |  Keramzit-moscow.ru |  Print-sign.biz |  Promo-extra.ru |  Rukoyatki.ru |  Vein-lux.com |  3anpetob.net |  Belwap.info |  Bigtraf.net |  Erokat.org |  Maxclicks.net |  Mtraf.net |  Oksex.ru |  Onsexi.info |  Smartam.net |  Xwen.biz |  Zgruz.ru |  Bluray-disk.ru |  Justkino.ru |  Majorno.ru |  Justkino.com |  Justkino.net |  Bangkok-lux.com |  Mashulya.ru |  Xlxlxlxl.ru |  Rostr-promo.ru |  Super-prorab.ru |  Allstroiki.ru |  Build-all.biz |  Domturciya.com |  Doska-ok.com |  Krezz.ru |  Vip-stroi.com |  Popbank.ru |  Advertise-your.name |  Internet-project.info |  Legko.org |  Ofigennoe.info |  Ohuennoe.info |  Senpa.ru |  Slonotop.com |  F-i-l-e-s.biz |  Morekalendarey.ru |  Morepaketov.ru |  Morepolygraphy.ru |  Moreupakovki.ru |  Microdelo.ru |  Lovra.ru |  Cat-in.ru |  Cathelp.ru |  Catmania.ru |  Catngo.ru |  Catomic.ru |  Grigoriev.su |  U-fm.ru |  Udvarta.com |  Udvarta.ru |  Acnenet.ru |  Medaest.ru |  Windows-scannercenter.com |  Windowsxp-privacy.net |  Bynker.net |  Mirki.ru |  Otravi.ru |  Walom.ru |  Wara.ru |  Wara.us |  Seomasteroff.net |  Incestru.com |  048-design.ru |  Mykostroma.ru |  Runlive.org |  Allnewsline.ru |  Fene4ek.net |  Lfsisrael.com |  Sperli.net |  Dirmovie.com |  Dirsound.ru |  Hdkino.tv |  Moldavan.net |  7ven.su |  Iog.su |  Cwazo.net |  Xlaguna.ru |  Nafani.net |  Xlivetv.ru |  Maximfans.ru |  Rapside.ru |  Mediaportal.ru  |  Loveinlife.ru |  Truefashion.ru |  6s9.ru |  Lux-turkey.com |  Paris-lux.net
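The indicators above (two fraud domains, the redirector, and the shared /24) are the kind of thing that goes straight into a hosts file or proxy blocklist. As an added example that is not part of the post, the block below turns them into a matcher and runs it over a few constructed proxy-log lines; the log format, the function names and the sample client addresses are all assumptions made here, while the domains and the 83.229.251.0/24 range (the post's `83.229.251.%`) come from the post.

```python
import ipaddress
import re

# Indicators taken from the post.
BLOCKED_DOMAINS = {
    "optimizedby.net",
    "windows-scannercenter.com",
    "windowsxp-privacy.net",
}
BLOCKED_NET = ipaddress.ip_network("83.229.251.0/24")  # the post's 83.229.251.% range


def host_matches(host: str) -> bool:
    """Exact or subdomain match, so www.windows-scannercenter.com is caught too."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_matches(ip: str) -> bool:
    """True when the destination address falls inside the shared hosting range."""
    try:
        return ipaddress.ip_address(ip) in BLOCKED_NET
    except ValueError:
        return False


def hosts_entries() -> list:
    """Lines suitable for a hosts file, sinkholing each domain to 0.0.0.0."""
    return ["0.0.0.0 " + d for d in sorted(BLOCKED_DOMAINS)]


# Hypothetical proxy-log format: client host dest_ip path
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<path>\S+)$")


def flag_lines(lines):
    """Return (host, ip, reasons) for each log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if host_matches(m["host"]):
            reasons.append("host")
        if ip_matches(m["ip"]):
            reasons.append("ip-range")
        if reasons:
            hits.append((m["host"], m["ip"], reasons))
    return hits


# Constructed sample log (clients and the last two destinations are made up;
# 192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "10.0.0.5 optimizedby.net 212.95.32.166 /__utm.gif",
    "10.0.0.5 www.windows-scannercenter.com 83.229.251.28 /",
    "10.0.0.7 unknown.example 83.229.251.200 /promo",
    "10.0.0.9 www.example.org 192.0.2.10 /",
]

if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print(hit)
```

Matching on the whole /24 is intentionally broad: the post's list shows the range is shared hosting with many unrelated sites, so an IP-range hit is a lead to investigate rather than proof on its own, whereas a domain hit is a block.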

Published Wed, Nov 19 2008 7:10 by sandi

Comments

# re: ALERT: Two malvertizements seen at Skydrive and Hotmail...

Thursday, November 20, 2008 4:02 AM by Ian Oxley (UK)

Ah, now you see I have been 'told off' for blocking ads from g.msn and other servers, blocking ad content in Messenger too, because I am 'messing up the business model of free services'. But if I can't even trust content from Microsoft servers then, sorry, I'll just go right on running the Messenger patch, using hosts entries, adblock in Firefox, tweaking IEPro, forcing IE and Messenger through the url blocker in Avast... etc! The ads can go to hell.

I understand from a Messenger Team blog that ad content in the beta of Messenger 2009 was also of concern at some point. How on Earth does this all happen?

# re: ALERT: Two malvertizements seen at Spaces (not skydrive) and Hotmail...

Wednesday, December 03, 2008 6:19 AM by Samuel Loirat

The first file is now catchable by the tool.