Malvertizing at boingboing.net


Original source: Dynamoo
http://www.dynamoo.com/blog/2010/01/boingboingnet-bootcampmediacom-ad-leads.html

We have seen problems at bootcampmedia for a LONG time (at least a year) – Jamie Dalgetty needs to start cleaning up bootcampmedia.

Historical evidence:
http://www.google.com/cse?cx=007665253733268001951:qtjb7x6vodw&ie=UTF-8&q=bootcampmedia&sa=Search&siteurl=www.google.com/cse/home%3Fcx%3D007665253733268001951:qtjb7x6vodw


Now, I’ve been able to reproduce Dynamoo’s findings, but I saw a different advertisement (I’m sure I’ve seen that fake craigslist advert before), and different domains.

I bounced from bootcampmedia.com to firedogred.com to deliver.azrielwhereincozen.com (which hosted the advert itself) to content.bookletjigsawsenam.com (which redirected me to bonnapet.com). bonnapet.com is the domain that was used to attempt to download malicious content to my test machine (an attempt that was easily thwarted, thanks to IE8’s infobar).

Domain details are below the screenshot.

The malicious behaviour has been reported to Right Media (Yieldmanager) with supporting evidence.

[screenshot]

bootcampmedia.com
ICANN Registrar: GODADDY
Created: 11 December 2007

IP: 69.163.209.214 - New Dream Network LLC

Shares IP with 26 other sites.

Registrant hidden by domainsbyproxy.com

*****

firedogred.com
ICANN Registrar: GODADDY
Created: 15 September 2009

IP: 68.178.232.100 - GoDaddy.com, Inc.

Registrant - anonymised...
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
USA

Aren't 555 phone numbers always fake? 800 555 1212

*****

azrielwhereincozen.com
ICANN Registrar: GODADDY
Created: 7 January 2010

IP: 74.207.232.202 - New Jersey - Absecon, Linode

Registrant hidden behind domainsbyproxy.com

*****

bookletjigsawsenam.com
ICANN Registrar: GODADDY
Created: 7 January 2010

IP: 69.164.196.55 - New Jersey - Absecon, Linode

Registrant hidden behind domainsbyproxy.com

*****

bonnapet.com
ICANN Registrar: ENOM, INC
Created: 11 January 2010

IP: 217.2.114.40 - Berlin - Netdirekt E.K.

Registrant:
Wade Cook (wade.cooke@yahoo.com)
12 Hull Street
Boston MA 02113
US

Published Wed, Jan 13 2010 16:12 by sandi

Comments

# re: Malvertizing at boingboing.net

Wednesday, January 13, 2010 8:37 AM by Steven

The /mirror/ directory on bonnapet.com seems to have been removed (404s for me), but there's exploit code still present on the bonnapet.com homepage, which, when decoded, shows someone isn't a fan of AVG:

hosts-file.net/.../imgbonnapet_com_-_source.gif

hosts-file.net/.../imgbonnapet_com_-_source2.gif

Decoding the code shows the payload comes from the following, which, surprisingly, also 404s for me atm:

bonnapet.com/friends/umgo.php

# re: Malvertizing at boingboing.net

Wednesday, January 13, 2010 9:04 AM by sandi

Nah, I suspect that the mirror directory is not gone; it is simply hiding. I was seeing the same error immediately after seeing the original hijack when I tried to load the URL directly. I suspect something like an .htaccess manipulation where the contents of the directory only load under precise conditions.

# re: Malvertizing at boingboing.net

Thursday, January 14, 2010 10:08 AM by Steven

You read my mind ;o)