ALERT: malvertizement featuring “Blue Nile”
The SWF advertisement pictured above retrieves content from the domain adburau.net. That content is yet another SWF. At the time of writing, the SWF downloaded from adburau.net was a single-frame SWF containing no images, shapes, fonts, text, sounds, videos, buttons, sprites, or scripts.
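As an added illustration (not code from the original post), the following Python script performs the kind of tag inventory behind the description above: it parses the SWF header and tag list, counts tags by content category, and flags a single-frame file with nothing in it, which is what a bare placeholder payload looks like next to a loader that carries scripts or dynamic text. Both sample SWFs are constructed inline with dummy payloads; nothing here is the actual adburau.net content.

```python
"""SWF tag inventory (added example; sample files are constructed, not real ads)."""
import struct
import zlib

# Tag codes from the SWF file format specification, grouped by the
# content categories named in the post.
CATEGORIES = {
    "images": {6, 20, 21, 35, 36},   # DefineBits, DefineBitsLossless*, DefineBitsJPEG*
    "shapes": {2, 22, 32, 83},       # DefineShape .. DefineShape4
    "fonts": {10, 48, 75},           # DefineFont, DefineFont2, DefineFont3
    "text": {11, 33, 37},            # DefineText, DefineText2, DefineEditText (dynamic text)
    "sounds": {14},                  # DefineSound
    "videos": {60},                  # DefineVideoStream
    "buttons": {7, 34},              # DefineButton, DefineButton2
    "sprites": {39},                 # DefineSprite
    "scripts": {12, 59, 82},         # DoAction, DoInitAction, DoABC
}
TAG_END, TAG_SHOW_FRAME = 0, 1


def _read_rect(body):
    """Decode the header RECT: 5-bit Nbits, then four Nbits-wide twip values."""
    nbits = body[0] >> 3
    nbytes = (5 + 4 * nbits + 7) // 8
    bits = "".join(format(b, "08b") for b in body[:nbytes])
    vals = [int(bits[5 + i * nbits:5 + (i + 1) * nbits], 2) if nbits else 0
            for i in range(4)]
    return vals, nbytes


def parse_swf(data):
    """Return header fields plus the list of (tag_code, payload) pairs."""
    sig = data[:3]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])  # body is zlib-compressed, header stays clear
    else:
        raise ValueError("unsupported SWF signature %r" % sig)
    declared_len = struct.unpack_from("<I", data, 4)[0]
    (xmin, xmax, ymin, ymax), pos = _read_rect(body)
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        head = struct.unpack_from("<H", body, pos)[0]
        code, length = head >> 6, head & 0x3F
        pos += 2
        if length == 0x3F:  # long tag header carries a uint32 length
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return {
        "version": data[3],
        "length_ok": declared_len == 8 + len(body),
        "size_px": ((xmax - xmin) / 20.0, (ymax - ymin) / 20.0),
        "frame_rate": frame_rate,
        "frame_count": frame_count,
        "tags": tags,
    }


def summarize(data):
    """Count content tags per category and flag an empty single-frame placeholder."""
    info = parse_swf(data)
    codes = [code for code, _ in info["tags"]]
    content = {name: sum(1 for c in codes if c in members)
               for name, members in CATEGORIES.items()}
    info["show_frames"] = codes.count(TAG_SHOW_FRAME)
    info["content"] = content
    info["placeholder"] = info["show_frames"] <= 1 and not any(content.values())
    return info


# --- constructed sample files (dummy payloads, no real ad content) ----------

def _encode_rect(xmin, xmax, ymin, ymax, nbits=15):
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits)
                                          for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _encode_tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_swf(tags, compress=False):
    """Assemble a minimal SWF (550x400 px, 24 fps, one frame) from tag tuples."""
    body = _encode_rect(0, 11000, 0, 8000) + struct.pack("<HH", 24 << 8, 1)
    body += b"".join(_encode_tag(c, p) for c, p in tags)
    header = (b"CWS" if compress else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Shaped like the payload the post describes: one frame with nothing in it.
EMPTY_SWF = build_swf([(69, b"\x00" * 4), (9, b"\xff\xff\xff"),
                       (TAG_SHOW_FRAME, b""), (TAG_END, b"")])
# A loader-like SWF with a dynamic text field and an ActionScript block.
LOADER_SWF = build_swf([(37, b"\x01\x00" + b"\x00" * 40), (12, b"\x96\x02\x00\x00\x00"),
                        (TAG_SHOW_FRAME, b""), (TAG_END, b"")])

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_SWF), ("loader", LOADER_SWF)):
        s = summarize(blob)
        print(name, s["size_px"], "frames=%d" % s["show_frames"], s["content"],
              "placeholder=%s" % s["placeholder"])
```

The inventory deliberately ignores tag payloads: for triage it is enough to know which tag types are present, and a placeholder that later swaps to a real payload will show up as a change in this summary without needing to decode ActionScript.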
The “Blue Nile” SWF contains the easily recognizable encrypted dynamic text:
Let’s take a close look at adburau.net; it turns up some interesting information.
adburau.net
ICANN Registrar: DIRECTI
Created: 21 September 2008
NS1.ADBURAU.NET
NS2.ADBURAU.NET
IP: 212.95.37.133 - Netdirekt, E.k
Registrant:
Al Jabber
Said Fahtihma (saidfahtih@gmail.com)
A. Kodiri, 65
Tashkent
Kishlak, 100060
UZ
Tel: 998.348.754.198
Hostnames whose A records share this IP:
212-95-37-133.internetserviceteam.com
adclickmate.net
ns1.adclickmate.net
ns2.adclickmate.net
Historical information about adclickmate.net
A known "bad actor" reported on here:
http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/01/15/1661878.aspx
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=180
adclickmate.net is currently "suspended" by Directi. The Registrant is noted as:
Mark Haagland (markhaagland@gmail.com)
Harjumaa str. 546-5
Tallin
Harjumaa,13514
EE
Tel: 37.262.01114
Previous Registrant details – adclickmate.net:
Hidden by privacyprotect for a while, but before that it was registered to:
Jacob Tua (jackyouthere@gmail.com) (a name/email address well known for its association with malvertizing)
Maltiskam 12-67
Belgrade
Belgrade,11008
RS
Tel: 381.113114094
I find it concerning that DIRECTI allowed a “bad actor” domain (adburau.net) to replace one that they had suspended (adclickmate.net). I also find it concerning that adburau.net replaced adclickmate.net so rapidly. See screenshots below. According to domaintools.com, adclickmate.net was suspended from IP address 212.95.37.133 on or about 19 February 2008. adburau.net appeared at the same IP address on or about 23 February 2009.
Call me a cynic, but it seems that the bad guys are finding it too easy to use/abuse Directi.
