ALERT: Please treat the domains gogomediacenter.com, sys17media.com and praharesorts.cn with extreme caution

Skechers malvertizement

It is very interesting to watch the modus operandi that the bad guys are using change.

This malvertizement was NOT seen on a web page; rather it was being displayed by an advertising supported freeware application.

The trouble starts when an ad.yieldmanager.com GET retrieves content, in an iframe, from the domain "gogomediacenter.com". The content served up by gogomediacenter.com is an innocent "skechers" JPG (which is the advertisement itself), but it also serves up a little something extra...

[image: source of the content served by gogomediacenter.com, with two areas of encoded code highlighted by arrows]

Note the two areas of code highlighted by the arrows. I find it interesting that the miscreants are going to the trouble of using some (basic) encoding.


If we decode the script at the end, we get this:

[image: the script at the end, after the first round of decoding]

Again, there is a little bit of (basic) encoding to get rid of, which leaves us with this:

[image: the script after the second round of decoding]

Another interesting thing to note about this particular incident is that the malicious code only seems to appear once per IP address. If I nuke the sandbox I am using, the redirect does not recur, but if I change my IP address, then I can reproduce the redirect as often as I wish.
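As an added example (not code from the original post), the Python below flags proxy log entries for the domains named in this post and keys on the ad.yieldmanager.com referrer chain described above; the four-field log format and every log line are constructed for illustration. Because the payload is only served once per IP address, the first ad-referred fetch per client is recorded separately, since a later re-fetch from the same address cannot be expected to reproduce it.

```python
import re
from collections import defaultdict

# Domains this post flags, and the ad network the iframe GET came through.
FLAGGED_DOMAINS = {
    "gogomediacenter.com", "sys17media.com", "praharesorts.cn",
    "bestmediamind.com", "pro-drugstore.com", "yakaboopromo.com",
    "doubleclick-ssl.com", "verilline.com",
}
AD_NETWORK = "ad.yieldmanager.com"

# Constructed sample proxy log: "client_ip host path referrer" ("-" = none).
# These lines and paths are made up for the example; they are not captures.
SAMPLE_LOG = """\
10.0.0.5 ad.yieldmanager.com /imp?Z=300x250 -
10.0.0.5 gogomediacenter.com /skechers/index.html http://ad.yieldmanager.com/imp?Z=300x250
10.0.0.5 gogomediacenter.com /skechers.jpg http://gogomediacenter.com/skechers/index.html
10.0.0.5 sys17media.com /next.html http://gogomediacenter.com/skechers/index.html
10.0.0.5 gogomediacenter.com /skechers/index.html http://ad.yieldmanager.com/imp?Z=300x250
10.0.0.9 example.com /news -
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one constructed log line into its four fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, host, path, referrer = m.groups()
    return {"client": client, "host": host.lower(), "path": path, "referrer": referrer}


def referrer_host(ref):
    """Host part of a referrer URL, lower-cased; empty string when absent."""
    m = re.match(r"^https?://([^/]+)", ref)
    return m.group(1).lower() if m else ""


def find_malvertising(log_text):
    """Return (hits, first_ad_referred): every fetch of a flagged domain as
    (client, host, path, via_ad_network), plus the first ad-network-referred
    flagged fetch per client, which is the request most likely to have
    carried the once-per-IP payload."""
    hits, first = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["host"] not in FLAGGED_DOMAINS:
            continue
        via_ad = referrer_host(rec["referrer"]) == AD_NETWORK
        hits.append((rec["client"], rec["host"], rec["path"], via_ad))
        if via_ad:
            first.setdefault(rec["client"], (rec["host"], rec["path"]))
    return hits, first
```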


OK, so let's take a look at these new domains, gogomediacenter.com, sys17media.com and praharesorts.cn. I think we can say that Root Esolutions, Luxembourg is turning into a bit of a cesspool, and yes, it is the same IP range as the domains revealed in my earlier blog post :(


gogomediacenter.com
ICANN Registrar: BIZCN.COM, INC
Created 26 August 2008

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Shares IP with the domains bestmediamind.com, pro-drugstore.com and yakaboopromo.com (all domains should be treated with extreme caution).

Registrant:
Mediaswan
Frank Roberts (frank@mailqueen.com)
2128054649 fax: 2128054649
2130 Small Street
New York, NY 10007


sys17media.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Shares IP with the domains doubleclick-ssl.com and verilline.com (both domains should be treated with extreme caution).

Registrant:
DNS Admin (d71245@registar.com)
580-433-9026 fax: 580-433-9026
2654 Cody Ridge Rd
Clinton OK 73601


praharesorts.cn
ICANN Registrar (Chinese)
Created 28 August 2009

IP: 83.133.126.155 - Lncde-greatnet-newmedia, Germany

Administrative email: webmaster@seniorstuds.com.ar (no such domain)


bestmediamind.com
ICANN Registrar: BIZCN.COM, INC
Created 26 June 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registrant:
Bob Robertson (bobrobertsonscmpbst@gmail.com)
6172679396
159 Newbury Street
Boston, MA 02116


yakaboopromo.com
ICANN Registrar: BIZCN.COM, INC
Created 26 June 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registrant:
John Robertson (johnrobertsoncmpbst@gmail.com)
6172679396
159 Newbury Street
Boston MA 02116


pro-drugstore.com
ICANN Registrar: ENOM, INC
Created 29 January 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registration service contact director@climbing-games.com (regular readers of this blog will recognise that email address)

Registrant:
Jack Hum (no email)
208 W. 1st St. CA 90012
Los Angeles 90012
Tel: +1 2338824832


doubleclick-ssl.com
ICANN Registrar: BIZCN.COM, INC
Created 20 August 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Registrant:
doubleclick-ssl.com
Carolyn Hooley (carolyn@doubleclick-ssl.com)
845-223-3913 fax: 845-223-3913
4619 Camdem Place
Lagrangeville NY 12540


verilline.com
ICANN Registrar: BIZCN.COM, INC
Created 29 July 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Registrant:
Lithpro Co
Linda Thompson (info@lithpro.com)
3037989467 fax: 3037989467
2600 W 104th Ave
Boston CO 80234

Published Fri, Sep 4 2009 18:15 by sandi