Update re digitalspy.co.uk

My apologies for the delay. For what it's worth, I received an email within 3 hours of my report to the ad network in question, advising me that the malicious creatives had been identified and deactivated.

So, now to the details. Technically, the incident was very similar to the one I wrote about here, but there were some new domains involved, all of which should be treated with extreme caution.

content.bannersulike.com
r.banner0709.com (Response = 302 Found, moved to "masters-woodworks.com" and "worwink.com")
masters-woodworks.com
worwink.com
xn-18ba.example.com (example.com is a domain reserved for use in documentation and not available for registration (RFC 2606, Section 3))
viorfjoj-1.com
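The hijack hinges on the 302 hop listed above: the creative served from r.banner0709.com redirects the browser onward to masters-woodworks.com or worwink.com, and a client that auto-follows redirects hides the intermediate host you need in order to tie the hijack back to a specific ad-network creative. The following is an added example, not code from the original post: it follows Location hops by hand, stops on loops and hop limits, and flags any hop whose host (or parent domain) is on the watch list built from the domains above. The HTTP responses are constructed inline so it runs offline; only the r.banner0709.com to masters-woodworks.com hop comes from the post, and the request paths and the final 200 are assumptions.

```python
"""Trace an ad creative's redirect chain and flag hops into a watch list.

Added example, not code from the original post. The watch list is the set of
hosts the post names; the HTTP exchange is a constructed table (no network)
modelled on the 302 the post reports from r.banner0709.com.
"""
from urllib.parse import urljoin, urlsplit

# Hosts the post says should be treated with extreme caution.
WATCH_LIST = {
    "content.bannersulike.com",
    "r.banner0709.com",
    "masters-woodworks.com",
    "worwink.com",
    "viorfjoj-1.com",
}

# Constructed responses standing in for a live fetch: url -> (status, headers).
# Only the r.banner0709.com -> masters-woodworks.com hop is from the post; the
# paths, the final 200 and the self-redirecting /loop URL are assumptions.
SAMPLE_RESPONSES = {
    "http://r.banner0709.com/in.cgi?3": (302, {"Location": "http://masters-woodworks.com/"}),
    "http://masters-woodworks.com/": (200, {"Content-Type": "text/html"}),
    "http://r.banner0709.com/loop": (302, {"Location": "/loop"}),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def sample_fetch(url):
    """Return (status, headers) for a URL from the constructed table."""
    if url not in SAMPLE_RESPONSES:
        raise LookupError(f"no constructed response for {url}")
    return SAMPLE_RESPONSES[url]


def host_matches(host, watch_list):
    """True if host, or any parent domain of it, is in watch_list.

    cdn.worwink.com matches worwink.com; the bare TLD is never checked.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in watch_list for i in range(len(labels) - 1))


def trace_redirects(url, fetch, max_hops=10):
    """Follow 3xx Location hops manually and return every URL visited.

    fetch(url) must return (status_code, headers_dict). Following by hand keeps
    each intermediate host visible and never executes the fetched content.
    Raises RuntimeError on a redirect loop or when max_hops is exceeded.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops + 1):
        status, headers = fetch(chain[-1])
        location = headers.get("Location")
        if status not in REDIRECT_STATUSES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
        seen.add(nxt)
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects: " + " -> ".join(chain))


def flag_chain(chain, watch_list=WATCH_LIST):
    """Return, in order, the hosts in the chain that hit the watch list."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    return [h for h in hosts if host_matches(h, watch_list)]


if __name__ == "__main__":
    chain = trace_redirects("http://r.banner0709.com/in.cgi?3", sample_fetch)
    print(" -> ".join(chain))
    print("watch-list hits:", flag_chain(chain))
```

To run it against live traffic, replace sample_fetch with a function that issues a single request with redirects disabled (for example urllib with a handler that does not follow 3xx) and returns the status and headers; keep the manual following so every hop, not just the final landing page, ends up in the report you send to the ad network.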

There are screenshots of the advertisements displaying during a hijack, and other events, at the end of this article.

masters-woodworks.com
ICANN Registrar: DIRECTI
Created 8 June 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 - Namibia - Grinvich3 - Vladimir Gubarenko

Shares IP with awiron-work.com, freshy-girls.com, masterwood-works.net, sleazy-dreams.net

Registrant:
Dmitry Ostupin (conroetxwelc@gmail.com)
ul. Malaya Semenovskaya, d.5, kv. 28
g. Moskva, 107023
RU
Tel: +7 495 224 0537

*****

viorfjoj-1.com
ICANN Registrar: DIRECTI
Created: 8 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 221.5.74.34 - Guangdong, Guangzhou, China Unicom Guangdong Province Network

Shares IP with 24-stunden-voegeln.com, leevitra-viaagra.com, original-vjiagra.com, originalpillen.com, p0tenz-pillen.com, p0tenzpillen-bestellung.com, p0tenzpillen.com, pillensh0p.com, potent-hart-guenstig.com, potenz-pillen-dienst.com, potenzpillen-24.com, potenzpillen-einkaufen.com, potenzpillen-service.com, potenzpusher-bestellen.com, sichere-viagra-bestellung.com, viaagra-bestellung.com, viaagra-kaufen.com, viagra-ohne-zoll.com, viorfjoj-1.com, viorfjoj-2.com, viorfjoj-3.com, vjiagra-einkaufen.com, vjiagra-ohne-zoll.com, vsalso-dkgj1.com, vsalso-dkgj2.com, vsalso-dkgj3.com

Registrant:
Dmitry Ostupin (conroetxwelc@gmail.com)
ul. Malaya Semenovskaya, d.5, kv. 28
g. Moskva, 107023
RU
Tel: +7 495 224 0537

*****

worwink.com
ICANN Registrar: KEY-SYSTEMS GMBH
Created: 15 July 2009
NS1.WORWINK.COM
NS2.WORWINK.COM

IP: 212.95.37.186 - Netdirekt E.k

Registrant:
Mark Vinson (mvinson98@count.com)
8 Panorama Cir
Kunkletown PA US
Phone: 6106817173

*****

r.banner0709.com
ICANN Registrar: GODADDY.COM, INC
Created: 29 June 2009
NS37.DOMAINCONTROL.COM
NS38.DOMAINCONTROL.COM

IP: 68.178.232.100 - Arizona, Scottsdale, Godaddy.com Inc

Registrant:
Bryan Hunter (bryan@modenainc.com)
921 SW Washington Street
Suite 228
Portland, Oregon, 97205

*****

content.bannersulike.com
ICANN Registrar: GODADDY.COM, INC
Created: 13 July 2009
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

IP: 68.178.232.100 - Arizona, Scottsdale - Godaddy.com Inc

Registrant:
Modena Inc
921 SW Washington St
Suite 228
Portland, Oregon 97205

*****

modenainc.com (because of its association with bannersulike.com and banner0709.com)
ICANN Registrar: GODADDY.COM, INC.
Created: 21 February 2001
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

IP: 38.100.208.45 - Oregon, Portland, Psinet Inc

Shares IP with 117 other sites

Registrant:
Incorporated, Modena (domains@modenainc.com)
921 SW Washington St
Suite 228
Portland, Oregon, 97205
Tel: 5032411091

[Screenshots: the advertisements displaying during the hijack, and the captured HTTP headers and data]

Malware downloaded – analysis results:
http://www.virustotal.com/analisis/3c9b52614c508cd168c3bd1d96dff6b3a6374a63d2334c754a31463bad791a5a-1248226154

 

Another incident…

[Screenshots of the second incident]

Published Wed, Jul 22 2009 12:52 by sandi

Comments

# re: Update re digitalspy.co.uk

Thursday, July 23, 2009 10:25 AM by Mark

What tool are you using above to display the headers and data?

Thanks,

mkealiher@gmail.com

# re: Update re digitalspy.co.uk

Monday, August 03, 2009 8:48 AM by sandi

@Mark,

Fiddler. There is an advert for the free application to the left of the screen.