ALERT: Please treat content from trendbanner.com with extreme caution
It has been implicated in the facilitation of malvertising that attempts to infect computers via a PDF exploit
The way it works is as follows:
ad.trendbanner.com uses document.write to load JavaScript from banner.pushbanner769.info
banner.pushbanner769.info displays an advertisement, but also loads content from t.banner08092.com.
t.banner08092.com simply redirects to blackwater-cuprumworks.net
blackwater-cuprumworks.net includes a JavaScript file (valla.js) which loads content from bintus-bahi.cn in a 0x0 iframe
bintus-bahi.cn uses CVE-2009-0927 (stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object) to infect vulnerable computers, and also downloads other malware.
The SWF (oneComesEthics.swf) is suspected to be malicious.
Virustotal analysis of some content received via bintus-bahi.cn:
http://www.virustotal.com/analisis/fbf39bcd9dea6e1233895e391c2d4bab22096cf7b76b8a6b760203f3d0efa76d-1252662476
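The chain above has three tells that can be checked offline on fetched content: a script tag injected through document.write (often split as '<scr'+'ipt' to dodge simple string matching), an iframe that is 0x0 or hidden by CSS, and a Collab.getIcon call inside the PDF that the final host serves. The following Python triage script, added here as an example and not part of the original alert or any of the sites named in it, checks for all three. The page bodies and the .test hostnames are constructed for the demo and are not the domains in the chain; the iframe check also flags 1x1 frames, a slight generalization of the 0x0 case described above.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample pages for the demo (invented .test hostnames;
# nothing here was captured from the sites named in the alert).
AD_TAG_HTML = r"""<html><body>
<script>document.write('<scr'+'ipt src="http://banner.pushbanner-sample.test/show.js"></scr'+'ipt>');</script>
<img src="http://cdn.legit-sample.test/banner.gif">
</body></html>"""

LANDING_HTML = r"""<html><body>
<script src="valla.js"></script>
<iframe src="http://loader.bintus-sample.test/in.php" width=0 height=0 frameborder=0></iframe>
<iframe src="http://partner.legit-sample.test/ad.html" width="300" height="250"></iframe>
<iframe src='http://tracker.hidden-sample.test/p' style="display:none"></iframe>
</body></html>"""

_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")              # 'ab'+'cd' -> abcd
_DOCWRITE = re.compile(r"document\.write(?:ln)?\s*\(\s*(.*?)\)\s*;?", re.S)
_SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.I)
_IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
_GETICON = re.compile(rb"Collab\s*\.\s*getIcon\s*\(", re.I)
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def _host(url):
    return urlparse(url).hostname or url


def _attrs(tag_body):
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in _ATTR.finditer(tag_body)}


def _dimension(value):
    """'0', '0px', '300' -> int; anything else (e.g. '100%') -> None."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def document_write_script_hosts(html):
    """Hosts of <script src> tags written into the page via document.write().
    The argument is de-concatenated first so '<scr'+'ipt' cannot hide the tag.
    Heuristic: handles plain string arguments, not nested calls like unescape()."""
    hosts = []
    for m in _DOCWRITE.finditer(html):
        payload = _CONCAT.sub("", m.group(1))
        hosts.extend(_host(src) for src in _SCRIPT_SRC.findall(payload))
    return hosts


def hidden_iframe_hosts(html, max_px=1):
    """Hosts of iframes the user cannot see: width and height both <= max_px
    (0x0 in the chain above; 1x1 is a common variant), or display:none /
    visibility:hidden in the inline style."""
    hosts = []
    for m in _IFRAME.finditer(html):
        a = _attrs(m.group(1))
        w, h = _dimension(a.get("width", "")), _dimension(a.get("height", ""))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= max_px and h <= max_px
        css_hidden = "display:none" in style or "visibility:hidden" in style
        if (tiny or css_hidden) and "src" in a:
            hosts.append(_host(a["src"]))
    return hosts


def pdf_collab_geticon_hits(data):
    """Count Collab.getIcon( call sites in a PDF, looking inside FlateDecode
    streams as well, since exploit PDFs usually compress their JavaScript."""
    hits = len(_GETICON.findall(data))
    for m in _STREAM.finditer(data):
        try:
            decoded = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed (or uses a different filter)
        hits += len(_GETICON.findall(decoded))
    return hits


def constructed_pdf(js):
    """Minimal PDF-like bytes with the given JavaScript in a FlateDecode stream.
    Constructed for the demo only; it carries no exploit payload."""
    body = zlib.compress(js.encode())
    header = b"%PDF-1.4\n1 0 obj << /S /JavaScript /JS 2 0 R >> endobj\n"
    obj = (b"2 0 obj << /Length " + str(len(body)).encode()
           + b" /Filter /FlateDecode >>\nstream\n")
    return header + obj + body + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    print("document.write script hosts:", document_write_script_hosts(AD_TAG_HTML))
    print("hidden iframe hosts:        ", hidden_iframe_hosts(LANDING_HTML))
    sample = constructed_pdf("var s = 'x'; Collab.getIcon(s);")
    print("Collab.getIcon hits in PDF: ", pdf_collab_geticon_hits(sample))
```

Run it against the HTML and PDF you captured from a proxy log rather than by browsing the hosts; any hit in the PDF check is worth a closer look, but a miss is not a clean bill of health, since the call can also be assembled at run time from string fragments, which this pattern match will not see.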
Domain information
ad.trendbanner.com
ICANN REGISTRAR: GODADDY.COM, INC
Created 30 July 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM
IP: 161.58.56.25 and 207.57.97.233
Shares IP with doityourselfbuilder.com and banner.islandbanner.com
Registrant:
Modena Inc (domains@modenainc.com) (associated with 102 domains)
921 SW Washington ST
Suite 228
Portland, Oregon 97205
United States
Modena Inc has a dubious history, with complaints going back to 2005 about "spyware infested filesharing programs", site scraping and 302 domain poisoning:
http://www.freedomcrowsnest.org/forum/viewtopic.php?t=1416
http://forum.abestweb.com/showthread.php?p=456066&mode=threaded#post456066
Modena Inc domains were also part of the malvertising incident that hit digitalspy.co.uk:
http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx
There is also a dishonorable mention at bluetack.co.uk (**10** different security exploits were used in that incident) - the domains used were banners.exitexchange.com and count.exit1208.com:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=210&p=90509&
It is interesting that ashoping.com was part of the incident recorded at bluetack.co.uk. The registrant, helen.nikolson@gmail.com, has been seen myriad times, in association with traffichunters.net (which we can tie to Innovative Marketing in the Ukraine):
http://msmvps.com/blogs/spywaresucks/archive/2009/03/27/1682054.aspx
*****
doityourselfbuilder.com
ICANN Registrar: MELBOURNE IT, LTD D/B/A INTERNET NAMES WORLDWIDE
Created 10 June 2006
NS1.SECURE.NET
NS2.SECURE.NET
Registrant:
Music Unlimited Inc
PO Box 1200
Jacksonville 97530
Admin Name:
David Sprunger (pptorders@playpianotoday.com)
*****
banner.islandbanner.com
ICANN Registrar: GODADDY.COM, INC
Created 24 July 2009
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM
IP: 68.178.232.100 (shares IP with 11,039,738 other sites)
Registrant:
Modena Inc (domains@modenainc.com) (associated with 102 domains)
921 SW Washington Street
Suite 228
Portland, Oregon 97205
*****
pushbanner769.info
ICANN Registrar: GODADDY.COM, INC
Created 7 August 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM
IP: 68.178.232.100 (shares IP with 11,039,738 other sites)
Registrant:
Domain Owner (trafficbuyer@gmail.com)
15156 SW 5th
Scottsdale
Arizona 85260
Tel: +1 8005551212
*****
blackwater-cuprumworks.net
ICANN Registrar: DIRECTI
Created 7 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
IP: 213.155.2.112 - Namibia, Grinvich3, Vladimir Gubarenko
Shares IP with the domains aw-work.net, awirons-work.com, sexamateur-hartcore.com and sleazy-dreamers.net
Registrant:
Eduard Skobelev (eddiscobbi3@gmail.com)
ul. Starinskaya, d.1, kv. 92
g. Moskva
g. Moskva, 107009
RU
Tel: +7 4952243948
*****
masterwood-works.com
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created 19 February 1999
NS.WVT.NET
NS2.WVT.NET
IP: 65.36.167.73 - Delaware, Newark, Hostmysite
Shares IP with 395 other sites
Registrant:
Master Wood-Works
4526 Olentangy River Road
Delaware, OH 43015
US
Admin:
Steve Krengel (hostmaster@wvt.net)
*****
bintus-bahi.cn
ICANN Registrar: Chinese
Created 15 August 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 61.235.117.72 - Guangdong, Shenzhen, China Railcom Guangdong Shenzhen Subbranch
Registrant:
Cehhost, inc (owns about 84 other domains)
Lucas Steven (steven_lucas_2000@yahoo.com)
