ALERT: malvertizement featuring Best Western

image

Detectable by adopstools:
http://www.adopstools.net/index.asp?page=quicklink&id=OTfPElP8UO2czuD9

The malvertizement hits the following domains:

profitabill.com
ab-outstat.net

I also see hits on:

onlinestatsmanager.com
protected-web-space.com
scan.freeantispyware-scanner.com
system-scanner.org


profitabill.com -----
ICANN Registrar: ENOM, Inc
Created 25 March 2008
NS1,2,3,4.PROFITABILL.COM
IP: 213.189.9.228 - Noord-Holland, Amsterdam, Trancepitt Services
Registrant: "noo", Serg Moon, moon.serg@gmail.com (associated with 104 domains)
-----

ab-outstat.net -----
ICANN Registrar: ENOM, Inc
Created 10 October 2008
NS1,2.AB-OUTSTAT.NET
IP: 79.135.187.70 - Turkey, Sistemnet
Registrant: ITmeter Inc, Sergey Belonozhko, sergbelo@gmail.com (associated with 40 domains)

Shares IP range with many domains associated with the facilitation of malvertizing and fraudware.
-----

onlinestatsmanager.com -----
ICANN Registrar: ENOM, Inc
Created 3 July 2008
NS1,2,3,4.ONLINEPROMOSTATS.COM
IP: 76.74.249.9 - Virgin Islands, Soft-sol.inc
Registrant: Generic namecheap.com details - historical WHOIS hidden behind privacy service.
-----

protected-web-space.com -----
ICANN Registrar: BIZCN.COM
Created 3 December 2008
NS1,2,3.FREEYOURDNS.COM
IP: 69.10.44.198 - United Kingdom - Innovative Solutions
Registrant: Vladimir Nevskiy (onicdomains@yahoo.com)
-----

scan.freeantispyware-scanner.com -----
ICANN Registrar: REGTIME LTD
Created 1 December 2008
NS1,2.NAMESELF.COM (195.161.133.218 & 204 - RTComm, Russia)
IP: 78.26.179.233 - Ukraine, Renome-Service
Registrant: Jamil Mcfatridge, jamil.mcfatridge@gmail.com (owns 4 domains)
-----

system-scanner.org -----
ICANN Registrar: BIZCN.COM
Created 20 November 2008
NS1,2.SPY-PROTECTOR.NET
IP: 115.126.5.92 - Bangladesh Telegraph and Telephone Board
Registrant: Oleg Bajenov, oleg.bajenov@gmail.com
-----
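A defender's use for the domain list and the IP addresses in the WHOIS notes above is to sweep proxy logs for contacts with any of them. The following is an added example, not part of the original alert: the indicator domains and IPs are copied from this page, while the Squid-style access log lines are constructed for illustration. The hostname check walks the label hierarchy rather than doing a plain suffix match, so a subdomain such as a hypothetical cdn.profitabill.com is flagged but an unrelated name like notprofitabill.com is not.

```python
"""Sweep proxy access logs for the indicator domains and IPs from the alert.

Added example; the indicator values come from the alert above, the log
lines below are constructed and do not represent real traffic.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicator domains listed in the alert.
INDICATOR_DOMAINS = {
    "profitabill.com",
    "ab-outstat.net",
    "onlinestatsmanager.com",
    "protected-web-space.com",
    "scan.freeantispyware-scanner.com",
    "system-scanner.org",
}

# Hosting IPs from the WHOIS notes in the alert.
INDICATOR_IPS = {
    "213.189.9.228",
    "79.135.187.70",
    "76.74.249.9",
    "69.10.44.198",
    "78.26.179.233",
    "115.126.5.92",
}


def matching_indicator(host: str) -> Optional[str]:
    """Return the indicator domain that `host` equals or is a subdomain of.

    Label-wise matching: "cdn.profitabill.com" is checked as
    "cdn.profitabill.com", then "profitabill.com", then "com".
    A naive endswith() would wrongly flag "notprofitabill.com".
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INDICATOR_DOMAINS:
            return candidate
    return None


# Squid native access.log layout (timestamp, elapsed, client, code/status,
# bytes, method, URL, user, hierarchy/peer, content-type).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)

# Constructed sample log; client and peer addresses are documentation ranges
# except where an indicator IP is deliberately used.
SAMPLE_LOG = """\
1235600000.123    120 10.0.0.15 TCP_MISS/200 5120 GET http://ads.example.com/banner.jpg - DIRECT/198.51.100.7 image/jpeg
1235600001.456     80 10.0.0.15 TCP_MISS/302 412 GET http://ab-outstat.net/go.php?id=77 - DIRECT/79.135.187.70 text/html
1235600002.789     95 10.0.0.22 TCP_MISS/200 8901 GET http://scan.freeantispyware-scanner.com/index.php - DIRECT/78.26.179.233 text/html
1235600003.012     60 10.0.0.22 TCP_MISS/200 3300 GET http://cdn.profitabill.com/x.js - DIRECT/213.189.9.228 application/x-javascript
1235600004.345     70 10.0.0.31 TCP_MISS/200 2200 GET http://notprofitabill.com/ - DIRECT/203.0.113.9 text/html
"""


def scan_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per log line whose host or peer IP is an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        host = urlsplit(m["url"]).hostname or ""
        domain_hit = matching_indicator(host)
        ip_hit = m["peer"] if m["peer"] in INDICATOR_IPS else None
        if domain_hit or ip_hit:
            hits.append({
                "client": m["client"],
                "host": host,
                "domain": domain_hit,
                "ip": ip_hit,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} "
              f"(domain={hit['domain']}, ip={hit['ip']})")
```

Run against a real access.log by replacing `SAMPLE_LOG` with the file contents; the parser assumes Squid's native log format, so adjust `LOG_RE` for other proxies. Matching on the peer IP as well as the hostname catches requests where the ad tag reaches the same hosting by a different or newly registered name.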

Comments

# re: ALERT: malvertizement featuring Best Western

Wednesday, February 25, 2009 3:31 PM by Munhan

My company was approached by a client claiming to represent Best Western with a lower tech version of this.  We were given a static JPG, third one from the top, and instructions to paste some odd-looking JavaScript with the image.  

I ran the code in AdOps tools and it did nothing.  Getting suspicious, I checked the src URL for the JavaScript, which was "http:// st-aticglobalsources.com", and found a lot of trouble associated with it.  

We refused to run the ad with the code. Client claimed ignorance, saying the code came from their client and they would provide new tags.  New tags arrived, similar to the first but sourcing the J-script from "http:/ /st-ation-appraisals.net" this time.  Running this code through AdOps tools at least generates a Best Western banner, but I ran the URL through search engines, found it associated with ITmeter INC, and did not run the ad.

# re: ALERT: malvertizement featuring Best Western

Thursday, February 26, 2009 9:30 AM by sandi

Hello Munhan,

I am glad that you did not run the ad.  st-aticglobalsources.com and st-ation-appraisals.net are both bad domains, as you discovered.

I would be interested to know what name and domain the client was using.  Are you able to provide this information?

# re: ALERT: malvertizement featuring Best Western

Monday, March 02, 2009 7:39 PM by Munhan

Sandi-

Sorry, I don't feel like I should.  I'm not certain my company wants to be talking about this.  I can say the WHOIS on the "agency" actually doesn't show any links that I can see (though I'm not a network person) to the previous family of malware distribution.

I just wanted to get out the info that the "Serge Moon et cie" operation is showing some adaptability.  Malware detectable by testing tools?  Go simple with a JPG and a tag you will urgently demand the publisher to run.  Publisher asks why the tag does nothing?  Rig the tag to do something.

# re: ALERT: malvertizement featuring Best Western

Monday, March 02, 2009 7:44 PM by Munhan

Never mind, the cat is out of the bag.  Yourdirectmedia.com