April 2010 - Posts

Not again – this time it is the “Family Link” application on Facebook

[screenshot]

[screenshot]

Visually the advert is identical to the one that was hijacking Facebook visitors using Farm Town, and again the malvert is hitting justimpression.com.  This time, though, the campaign does not seem to be targeting Australians.

[screenshot]

[screenshot]

If we look at the SWF itself we see:

[screenshot]

Posted by sandi with 1 comment(s)

Sometimes it isn’t malvertizing….

I’m still keeping an eye on the Farm Town forums, now that they’ve caught my eye because of the malvertizing incident and the amazing 30+ page complaint thread on their forums (all of the old posts were deleted from that thread on or close to the 20th of April, btw).

Anyway, the complaint seen in the screenshot below is one of the few posts that remain in the thread, and I’ve been watching to see what sort of advice is proffered. 

[screenshot]

One thing immediately jumps out at you and makes you suspect that the problem is *NOT* a bad advertisement, but rather a virus alert triggered by content from the Farm Town application itself:

The alert was triggered by “poppy[1].swf”.

 

The Farm Town application uses a “poppy.swf” as well as myriad other SWFs to display various farm assets:

[screenshot]

Ok, so what about “bloodhound.exploit.52” – what is that?
http://www.symantec.com/security_response/writeup.jsp?docid=2005-111115-4810-99
http://www.adobe.com/devnet/security/security_zone/mpsb05-07.html

“Bloodhound.Exploit.52 is a heuristic detection for the Flash Player 7 Improper Memory Access Vulnerability.

An attacker who exploits this vulnerability could perform a denial-of-service, or potentially execute arbitrary code with the privileges of the logged-on user. The exploit is triggered by viewing a specially crafted Macromedia Flash file. This is usually hosted on a web page.”

 

In short, assuming the server at cdn.slashkey.com has not been hacked, and assuming that the file “poppy.swf” that is being served by cdn.slashkey.com has not been replaced with a fake one that tries to take advantage of the Flash vulnerability, then I think we can safely assume that the virus alert was a false positive.  Certainly, the fact that the SWF detected is named “poppy[1].swf” makes it extremely unlikely that the alert was being triggered by any advertisement that was being displayed (the fact that there is a [1] appended to the name of the SWF simply means that there was already a SWF named poppy.swf on the computer in question, so the new copy was downloaded and saved but renamed).

 

Anyway, SillySandy hasn’t logged in at the Farm Town forums since she posted her last message so I think we can assume that she has abandoned the topic.  And it is probably not worth posting to the thread in question to submit my theory on the incident because my last few posts to that thread were moderated, and were not allowed to go live AND my forum account was locked down so much I couldn’t even edit my own profile details, or view anybody else’s public profile.  Not only that, a couple of posts by other people were deleted before a moderator went ahead and got rid of the whole lot (as evidenced by the “Reply to Thread” emails that I received that quoted messages that were no longer there by the time I went to review the thread).  I haven’t received any correspondence to tell me why my posts were not allowed to go live, or to tell me that my profile had been locked down, or why, or if/when the moderation would be lifted.  All in all, the place is a little too revisionist for my tastes. 

The only public response to SillySandy has been:

[screenshot]

Further info from SillySandy:

[screenshot]

[screenshot]

More trouble at cubics.com

Again, a Facebook application is affected, but this time it is users in the United States (and perhaps elsewhere) who are being targeted.  The App owner, cubics.com and Facebook have all been notified of the incident and given the necessary evidence.

The advertisement displayed when I test the social.bidsystem.com URL changes all the time.  That being said, one thing that caught my eye further down the network capture was this URL:

206.217.206.138/id/468/makari/

That URL displays this advert:

[screenshot]

Yes, we have seen a “Makari” malvert before – in association with the malvertizement incident that hit eventful.com:
http://msmvps.com/blogs/spywaresucks/archive/2010/04/02/1762772.aspx

 

If the App user is redirected by a malvertizement he or she is exposed to fake security software (in the tests I have seen, the application is the oft-seen “Security Tool”).

[screenshot]  [screenshot]

[screenshot]

One thing that worries me about this incident is that the first bad domain to appear in the network capture, mojoadserver.net, has been known to have been bad since at least mid March (I have written about the domain twice).

The other domains/IP addresses used to facilitate the hijack are 206.217.204.166, 13-ads.net and 91.213.157.32.

All domains listed below should be treated with extreme caution:

mojoadserver.net
ICANN Registrar: ENOM, INC
Created 10 March 2010

IP 64.27.21.25 - Los Angeles, Calpop.com Inc (previously 206.217.200.84 - Chicago, Illinois, Hosting Services Inc)

Registrant: Stiven Mon (stive@catedral.es)

*****

206.217.204.166 (ns149.midphase.com)
United States Providence Hosting Services Inc

*****

13-ads.net
ICANN Registrar: ENOM, INC
Created 10 March 2010

IP: 74.27.26.78 - Los Angeles, Calpop.com Inc

Shares IP with 10-ads.net, ad-land.eu, ad-trader.eu, ads-display.net, air-ads.eu, click-bank.net, click-es.net, click-gb.net, click-network.eu, click-network.net, ed-ady.net, eu-traffic.com, fast-adv.eu, multi-click.net, sociallive.eu

Registrant: Stiven Mon (stive@catedral.es)

*****

91.213.157.32
Trinidad and Tobago Pe Sattelecom
AS13618 - CARONET - ASN Carolina Internet, Ukraine

[screenshot]

[screenshot]    [screenshot]

Posted by sandi with 3 comment(s)

One last post on the Farm Town malvertizement incident

I posted this to Farm Town here:

[screenshot]

This response was posted, just 14 minutes later – note that my post was edited not once (by “candlelight”), but twice – once to disable the links (which I don’t have a problem with) and then again over 12 hours later (by “Heddryin”?) to remove the links completely.

[screenshot]

Then I posted this to let Farm Town users know that the problem was likely gone – I had not been contacted by email by a Forum Moderator, or the Developers.  That being said, the advertising network *did* respond to my alert – again the links were removed completely – my bad, I admit, it's force of habit and I need to establish my bona fides with people reading my posts.

[screenshot]

Then “Molly Mew” posted this, an hour and 21 minutes later, after the bad advert had been disabled.

[screenshot]

So, I posted this – by this stage the thread was at least 30 pages long, having been started on the 9th of April, the advert had been disabled, and I still had not heard from the Developers, or a Forum Moderator, by email to get a copy of the information that I had for them, or to ask how I had done it – and that is a big point for me – after all, we had a complaint thread that is days old, and 30 pages long.  I appear, say I have the info needed to shut down the advert, ask them to get in touch (while alerting the ad network at the same time) and the bad advert, which people had been complaining about for days, is shut down within hours – wouldn’t YOU want to know how the heck I did it so that you could learn, and do the same thing?

No editing this time, no links removed.

[screenshot]

Then I see this response, posted within minutes – ok, that stung.  When have I ever asked for money from anybody to help them get rid of malvertizing or train their staff?  That would be NEVER!

[screenshot]

and then this:

[screenshot]

So, I tried to post a response to “Tony D” to reassure him that there was no sales pitch, and that I do not and never have charged for such assistance, but I saw the following.  What the? I did not have such a block against my posts earlier.  I don’t even have permission to view my own private messages at the moment :(

I can only hope it is some sort of automatic switch that has been flipped.

[screenshot]

I have since tried three times to post to that thread, and none of the posts have appeared.  I did not save my response to “Tony D”, having been surprised by the unexpected moderator approval requirement, but I did save two further attempts.  I don’t know if a moderator will eventually approve them, but I’ll put them here just in case – forum moderators/helpers need to realise that the information that they are asking for is of LIMITED use when trying to track down a bad advertisement – the most effective information is information about the bad advert itself, not where it takes the victim.

Yesterday’s attempt:

[screenshot]

And tonight’s attempt:

[screenshot]

As at time of writing, my posts have not been approved, and I have not received an email from the Forum Moderators, or the Developers.

Posted by sandi with 2 comment(s)

Update on Farm Town

I received an email from adknowledge.com 50 minutes ago to advise that they have identified and taken down the malicious advertisement.

There is, of course, much that needs to be addressed. 

  • How did the advert get in in the first place?
  • If Farm Town were approached and accepted the advert, who gave it to them?
  • What training do Farm Town staff need to help them avoid future incidents, because if they accepted a bad ad, they are now known as an “easy touch” and they WILL be approached again by the same bad guys, using new pseudonyms.  The Farm Town staff MUST be trained in how to identify potential bad actors to minimize any chance of being fooled again.

Posted by sandi with 6 comment(s)

Conrad digs deeper

Oh boy… Conrad took a look at the traffic hitting justimpression.com

http://blog.dynamoo.com/2010/04/farmtown-impressionclubcom-and.html

 

One thing I will point out is that those stats are for people visiting justimpression.com who are based in the United States.  It seems that the Farm Town malvertizement on Facebook is geotargeted and hitting UK and Australian players.

Alexa reports that 69% of site traffic to justimpression.com is from the USA, with "Other" countries allowing for 31.4%.  The number of potential victims being exposed to malware via justimpression.com is staggering.

[screenshot]

Posted by sandi with no comments

More on the Malvertizing problem

Graham Cluley writes:
http://www.sophos.com/blogs/gc/g/2010/04/12/farm-town-virus-warning-malvertising-work/

 

And there is a *big* thread on the Farm Town forums:
http://slashkey.com/forum/showthread.php?s=0ac5ce13b15397a9577dee639cf9e205&t=204626

 

I’m going to join that forum and post to that thread.

 

And here’s a screenshot of the malvertisement in situ:

[screenshot]

Posted by sandi with no comments

Confirmed – the FarmTown application on Facebook is displaying malicious advertising

[screenshot]

IMPORTANT NOTE: THE APPLICATION AFFECTED IS FARM TOWN, NOT FARMVILLE.  THE ORIGINAL ARTICLE HAD ‘FARMVILLE’ IN THE TITLE – THAT WAS QUICKLY AMENDED BUT SOME RSS FEEDS MAY HAVE PICKED UP THE ORIGINAL TITLE.

Google Chrome’s protections stopped the bad advert from working by rejecting the content from justimpression.com – Internet Explorer’s various protections did NOT.  Are you listening Microsoft?

 

Here is the advertisement in question:

[screenshot]

[screenshot]

So, we bounce from social.bidsystem.com to icons.cubics.com and ads.cubics.com.

From there we get to justimpression.com, then 64.120.176.42.

We also hit avatar-secrets.com and finally we make it to 2web-antivirus.com, which is your run-of-the-mill fake antivirus software.
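The hop list above can be recovered mechanically from the Referer headers in a capture. As an added example (not code from this post), the script below walks a constructed proxy log, in which the hosts follow the chain described here but the timestamps, paths and log format are placeholders, backwards from the fake-AV landing page to the page that loaded the advert, and names the first hop that is already on a block list; that hop, not the landing page, is the one worth reporting.

```python
from urllib.parse import urlsplit

# Constructed capture, one request per line: "<time> <url> <referer or ->".
# The hosts follow the chain described in this post; the paths and times
# are placeholders, not values taken from the real capture.
CAPTURE = """\
10:00:01 http://apps.facebook.com/farmtown/ -
10:00:02 http://social.bidsystem.com/ad http://apps.facebook.com/farmtown/
10:00:02 http://icons.cubics.com/icon http://social.bidsystem.com/ad
10:00:03 http://ads.cubics.com/serve http://social.bidsystem.com/ad
10:00:03 http://justimpression.com/go http://ads.cubics.com/serve
10:00:04 http://64.120.176.42/r http://justimpression.com/go
10:00:05 http://avatar-secrets.com/ http://64.120.176.42/r
10:00:06 http://2web-antivirus.com/scan http://avatar-secrets.com/
"""

# Hosts this post identifies as part of the hijack.
KNOWN_BAD = {"justimpression.com", "64.120.176.42",
             "avatar-secrets.com", "2web-antivirus.com"}


def parse_capture(text):
    """Return (url, referer) pairs in request order; '-' means no Referer."""
    pairs = []
    for line in text.splitlines():
        _, url, ref = line.split()
        pairs.append((url, None if ref == "-" else ref))
    return pairs


def referer_chain(pairs, landing_host):
    """Walk Referer headers backwards from the first request to landing_host
    and return the hosts in load order. Requests loaded alongside the chain
    that led nowhere (icons.cubics.com here) drop out automatically."""
    first_ref = {}
    for url, ref in pairs:
        first_ref.setdefault(url, ref)      # keep the earliest referer seen
    start = next((u for u, _ in pairs
                  if urlsplit(u).hostname == landing_host), None)
    if start is None:
        return []
    chain, url = [start], start
    while first_ref.get(url) and first_ref[url] not in chain:  # loop guard
        url = first_ref[url]
        chain.append(url)
    return [urlsplit(u).hostname for u in reversed(chain)]


def entry_point(chain, known_bad):
    """First hop on the chain that is already known bad: the hop to report
    to the ad network, because everything after it is just the payload."""
    return next((h for h in chain if h in known_bad), None)


if __name__ == "__main__":
    hosts = referer_chain(parse_capture(CAPTURE), "2web-antivirus.com")
    print(" -> ".join(hosts))
    print("entry point:", entry_point(hosts, KNOWN_BAD))
```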

I have to ask, after putting together the data below, why Registrars don't cross check data that is coming in?  In this case we have "Roy S Robert", "Megan M Jasey", "Paul J Raul" and "Lloyd G William" all using the same email address (test@now.net.cn) AND the same Registrar (TODAYNIC.COM).  It simply isn't good enough.

justimpression.com
ICANN Registrar: DIRECTI
Created 17 December 2009

IP: 64.120.176.42 - Pennsylvania - Scranton - Network Operations Center Inc, Burstnet Technologies Inc (64-120-176-42.hostnoc.net)

Shares IP with impressionclub.com

Registrant: Armand Gregori (armandgregory3@gmail.com)

*****

impressionclub.com
ICANN REGISTRAR: DIRECTI
Created 4 January 2010

Registrant hidden behind PrivacyProtect.org

*****

64.120.176.42 - see above

*****

avatar-secrets.com
ICANN Registrar: TODAYNIC.COM, INC
Created 30 March 2010

IP: 193.105.134.113 - Sweden - Christian Maurice Sebastiaan Hein

Shares IP with cnn-videos1.com, facebookamazing.com, googl-videos.com, yahoo-videos1.com

Registrant:
Roy S Robert (test@now.net.cn)

*****

2web-antivirus.com
ICANN Registrar: TODAYNIC.COM
Created 10 April 2010

IP: 93.174.95.154 - Noord-holland - Hoofddorp - Co-location Customers Pa Block Ienetworks

Shares IP with lots of fake antivirus URLs, including:

100-your-scanner.com, 11-best-scanner.com, 110-your-scanner.com, 111-your-scanner.com, 211-your-scanner.com, 22-best-scanner.com, 221-your-scanner.com, 222-your-scanner.com, 2try-best-scanner.com, 3try-best-scanner.com, 44-best-scanner.com, 50virus-scanner.com, 55-best-scanner.com, 5try-best-scanner.com, 700virus-scanner.com, 7try-best-scanner.com, 9try-best-scanner.com, antivirus-test66.com, antivirus200scanner.com, antivirus600scanner.com, antivirus800scanner.com, antivirus900scanner.com, av-scanner200.com, av-scanner300.com, av-scanner400.com, av-scanner500.com, defend-computer82.com, novirus-scan00.com, stop-all-virus1.com, stop-all-virus3.com, stopvirus-scan11.com, stopvirus-scan13.com, stopvirus-scan16.com, try2-your-scanner.com, try4-your-scanner.com, try6-your-scanner.com, try8-your-scanner.com, virus77scanner.com

Registrant: Megan M Jasey (test@now.net.cn)

*****

cnn-videos1.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)

*****

facebookamazing.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Lloyd G William (test@now.net.cn)

*****

googl-videos.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)

*****

yahoo-videos1.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)
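The registrant and hosting overlaps listed above are exactly the pivots an analyst uses to cluster infrastructure. As an added example (not code from this post), the script below clusters the domains above on shared registrant e-mail and shared IP; the records are transcribed from the WHOIS details in this post, and registrants hidden behind a privacy service are deliberately never used as a link, since a privacy proxy is shared by countless unrelated domains.

```python
from collections import defaultdict

# Constructed sample transcribed from the WHOIS details in this post:
# (domain, registrant e-mail, hosting IP). A registrant hidden behind a
# privacy service is recorded as "PRIVACY".
RECORDS = [
    ("justimpression.com", "armandgregory3@gmail.com", "64.120.176.42"),
    ("impressionclub.com", "PRIVACY", "64.120.176.42"),
    ("avatar-secrets.com", "test@now.net.cn", "193.105.134.113"),
    ("2web-antivirus.com", "test@now.net.cn", "93.174.95.154"),
    ("cnn-videos1.com", "test@now.net.cn", "193.105.134.113"),
    ("facebookamazing.com", "test@now.net.cn", "193.105.134.113"),
    ("googl-videos.com", "test@now.net.cn", "193.105.134.113"),
    ("yahoo-videos1.com", "test@now.net.cn", "193.105.134.113"),
]


def pivot_keys(email, ip):
    """Attributes worth pivoting on. A privacy-proxy 'registrant' is shared
    by thousands of unrelated domains, so it is deliberately not a key."""
    keys = []
    if email and email.upper() != "PRIVACY":
        keys.append(("email", email.lower()))
    if ip:
        keys.append(("ip", ip))
    return keys


def cluster_domains(records):
    """Union-find over domains: two domains join one cluster when they share
    any pivot key. Returns (clusters, links); links records, per domain, the
    keys that tied it to another domain, so every merge can be explained."""
    parent = {domain: domain for domain, _, _ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    seen = {}                 # pivot key -> first domain that carried it
    links = defaultdict(set)
    for domain, email, ip in records:
        for key in pivot_keys(email, ip):
            if key in seen:
                parent[find(domain)] = find(seen[key])
                links[domain].add(key)
                links[seen[key]].add(key)
            else:
                seen[key] = domain
    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted(groups.values(), key=lambda g: min(g)), dict(links)


if __name__ == "__main__":
    clusters, links = cluster_domains(RECORDS)
    for group in clusters:
        print(sorted(group))
        for domain in sorted(group):
            print("   ", domain, sorted(links.get(domain, ())))
```

Shared hosting can over-link unrelated domains on the IP pivot, so treat an IP-only merge as a lead to verify rather than proof, as the post does with ad-speed.com versus adspeed.com.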

Posted by sandi with 2 comment(s)

Uh oh… dangerous stuff on Facebook?

Seen when a computer was used to access the FarmTown game on Facebook.

[screenshot]

[screenshot]

New fraudware

[screenshot]

“Copyright violation: copyright content detected
Windows has detected that you are using content that was downloaded in violation of the copyright of its respective owners. Please read the following bulletin and try solving the problem in one of the recommended ways.
What has happened?
During the system scan Antipiracy foundation scanner has detected copyright issues. Please take a look at the list and choose an action: pass the case to a court or settle it in pre-tril order by paying a fine.”

 

Nice, yes?  I received a copy of the alert from an associate who wanted to know if I’d seen it before.

Of course, you get the chance to pay $400 or so to make it all go away (and hand over your name, address and full credit card details):

[screenshot]
Screenshot credit: http://torrentfreak.com/malware-extort-cash-from-bittorrent-users-100411/

 

Don’t want to pay the $399.85 and prefer to go to Court? Then you see this:

[screenshot]
Screenshot credit: http://torrentfreak.com/malware-extort-cash-from-bittorrent-users-100411/

 

So, who are ICCP Foundation? Well, they claim to be “a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally”, but who are they *really*?

icpp-online.com
ICANN Registrar: ENOM, INC
Created: 24 February 2010

IP: 193.33.114.77 - Karnten - Klagenfurt - Anexia Internetdienstleistungs Gmbh

Shares IP with green-stat.com and media-magnats.com

Registrant:
Overns Ltd
Shoen Overns (ovenersbox@yahoo.com)

ovenersbox@yahoo.com - associated with use of the Liberty Exploit Kit:
http://www.malwaredomainlist.com/mdl.php?search=ovenersbox@yahoo.com&colsearch=All&quantity=50

 

*****

green-stat.com
ICANN Registrar: BIZCN.COM
Created: 27 January 2010

Registrant:
ChanSu (tahli@yahoo.com)

*****

media-magnats.com
ICANN Registrar: BIZCN.COM
Created 27 January 2010

Registrant:
ChanSu (tahli@yahoo.com)

tahli@yahoo.com is associated with some pretty bad stuff:
http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html

Various trojans and exploits:
http://www.malwaredomainlist.com/mdl.php?search=tahli@yahoo.com&colsearch=All&quantity=50

Posted by sandi with no comments

Alert: malvertizing at eventful.com

[screenshot]

eventful.com have been hit by a malvertizing incident involving mojoadserver.net.  All domains marked in BOLD should be treated with extreme caution.

I did not see a redirect during my tests, but I did see content from t.locpub.com that led to mojoadserver.net and from there to 206.217.206.140 and live-rail.net.  The mere existence of content from mojoadserver.net is sufficient to indicate that there is a problem.

The victim was redirected to a web site touting fake antivirus software hosted on IP 91.213.157.22.  I can’t find anything specific for you at that IP, but there is other bad stuff in the same IP range:

http://www.malwaredomainlist.com/mdl.php?search=91.213.157&colsearch=All&quantity=50

Note the URL refers to finderhun.org

finderhun.org
ICANN Registrar: BIZCN.COM
Created 27 March 2010

IP: 91.213.157.72 - Pe Sattelecom, Trinidad and Tobago

Registrant: John Aprill (johnaprill@xhotmail.net)

The payment screen for the fake AV was hosted at 213.229.83.83.

The domain invoicecosby.com is apparently hosted at that IP address.  Another bad site is in the same IP range - onlinewebsupport.net - known as a support site for Rogue AV.

*****

invoicecosby.com
ICANN Registrar: DIRECTI
Created 10 November 2009

IP: 213.229.83.83 - Blueconnex Networks

Registrant hidden behind privacy protection service

*****

onlinewebsupport.net
ICANN Registrar: REGTIME LTD
Created 23 July 2009

IP: 213.229.83.196 - Blueconnex Networks

Registrant: Michael Hall (michael.l.hall@pookmail.com)

http://www.malwaredomainlist.com/mdl.php?search=onlinewebsupport.ne&colsearch=All&quantity=50

*****

onlinewebsupport.net leads us to mail.supportwebcenter.com and ns2.supportwebcenter.com.

 

supportwebcenter.com
ICANN Registrar: REGTIME LTD
Created 28 July 2009

IP: 213.229.83.196 - Blueconnex Networks

Registrant: Jack Bailey (jack.s.bailey@mailinator.com)

Bad stuff implicating supportwebcenter.com:
http://forum.sysinternals.com/topic22007.html

*****

t.locpub.com
ICANN Registrar: GODADDY.COM
Created 15 September 2008 <— a longstanding registration – likely a victim, not a ‘bad guy’.

IP: 216.109.84.209 - Savvis, USA

Registrant hidden behind privacy protection service.

*****

mojoadserver.net (again!)
ICANN Registrar: ENOM, INC
Created 10 March 2010

IP: 206.217.200.84 - shares IP with apt-adserver.net and yourvisitor.net

Registrant: Stiven Mon (stive@catedral.es)

*****

live-rail.net
ICANN Registrar: EVOPLUS LTD
Created 15 March 2010

IP: 206.217.200.85 - shares IP with hit-d1.net

Registrant hidden behind privacy protection service

*****

apt-adserver.net
ICANN Registrar: ENOM, INC
Created 10 March 2010

Registrant: Stiven Mon (stive@catedral.es)

*****

yourvisitor.net
ICANN Registrar: EVOPLUS LTD
Created 18 March 2010

Registrant hidden behind privacy protection service

*****

hit-d1.net
ICANN Registrar: ENOM, INC
Created 18 March 2010

Registrant: Ralph Greene (ralph@ad-speed.com)

*****

ad-speed.com - comes up as "deleted and available again".  Please be aware that there is also a domain adspeed.com that has been around since 2003 and seems to be legitimate - don't get the two confused.

 

[screenshot]

[screenshot]

[screenshot]

[screenshot]

Posted by sandi with no comments