ALERT: new malvertizement featuring "Sell Your Home"
Detectable by Adopstools:
You may note that the URL seems to be downloading a "GIF". It is not. It is downloading a "SWF" (using the same trickery that has been seen with _utm.gif which also proved to be a SWF).
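The mismatch described above, a URL ending in ".gif" whose body is really a SWF, can be confirmed from the first bytes of the response rather than from the file name. The sketch below is an added example, not code from this post or from Adopstools; the host name, the function names and the sample bytes are constructed for illustration, and only the `_stat.gif` file name comes from the page.

```python
import posixpath
import struct
import zlib
from urllib.parse import urlparse

GIF_MAGIC = (b"GIF87a", b"GIF89a")
SWF_MAGIC = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
SAMPLE_URL = "http://ads.example.test/_stat.gif"  # constructed host, page's file name


def sniff(body: bytes) -> str:
    """Classify a response body by its leading magic bytes, ignoring the URL."""
    if body[:6] in GIF_MAGIC:
        return "gif"
    if len(body) >= 8 and body[:3] in SWF_MAGIC:
        return "swf"
    return "unknown"


def swf_header(body: bytes) -> dict:
    """Parse the fixed 8-byte SWF header and sanity-check the declared length."""
    sig, version, declared = struct.unpack("<3sBI", body[:8])
    info = {"compression": SWF_MAGIC[sig], "version": version, "declared": declared}
    if sig == b"FWS":
        info["length_ok"] = len(body) == declared
    elif sig == b"CWS":
        # Declared length = 8 header bytes + size of the inflated remainder.
        try:
            info["length_ok"] = len(zlib.decompress(body[8:])) + 8 == declared
        except zlib.error:
            info["length_ok"] = False
    return info


def check_response(url: str, body: bytes) -> dict:
    """Compare the extension the URL claims with what the bytes actually are."""
    claimed = posixpath.splitext(urlparse(url).path)[1].lstrip(".").lower()
    actual = sniff(body)
    result = {"claimed": claimed, "actual": actual,
              "mismatch": claimed == "gif" and actual != "gif"}
    if actual == "swf":
        result["swf"] = swf_header(body)
    return result


def make_sample_swf() -> bytes:
    """Constructed test input: a CWS header over 32 zero bytes, not a real ad."""
    payload = b"\x00" * 32
    return b"CWS" + struct.pack("<BI", 9, len(payload) + 8) + zlib.compress(payload)
```

Calling `check_response(SAMPLE_URL, make_sample_swf())` reports a claimed type of `gif`, an actual type of `swf` and `mismatch` set to true, which is the condition worth alerting on for ad creatives.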
_stat.gif (which is a SWF) is detectable via adopstools:
So, who are 2layerads.net? Well, for starters they have been implicated in malvertizement incidents in the past - see the adtechie report here:
There is one thing I will draw to everybody's attention. Back when we were reporting on adtechie and its activities, 2layerads.net had an open WHOIS and was hosted by Cernel at 22.214.171.124:
2layerads.net as at 15 November 2008 - 126.96.36.199
Updated Date: 11-nov-2008
Creation Date: 24-mar-2008
Registrar: ESTDOMAINS, INC.
Name Server: NS.2LAYERADS.NET
Name Server: NS2.2LAYERADS.NET
Mikhail Seminin (firstname.lastname@example.org)
Meza prospekts 1/4
Estdomains, as my readers know, lost its ICANN registration and its domains have been passed to Directi at Estdomains' request. Well, a quick check of 2layerads.net reveals that the WHOIS is now hidden behind Directi's Privacy Protection Service:
So, let's have a look at 2layerads.net's IP range, being 64.28.187.%. We see a familiar name, adoptserver.info, at IP 188.8.131.52, which has been associated with malvertizement distribution in the past: