Malvertizing activity

There has been a lot going on in the malvertizing world lately, with a spike in the number of reports of malvertizing incidents that occur because the ad server in question is running an old, exploitable version of OpenX – people, we need to be running version 2.8.8.

The bad guys have been able to insert malicious iframe scripts in tandem with legitimate advertising, and sometimes obfuscated JavaScript that causes various requests to domain names within the *.dyndns.org namespace.

A couple of domains implicated in malvertizing incidents are reonmedia.com and malidie.com.

reonmedia.com (registered 19 June 2011 – reonmedia.com cookie spotted in a conversation about an infected computer here)
IP address at time of writing 176.65.162.61 – Zexotek It-services, Gmbh
Registrar: DIRECTI
Registrant: LEGAZ Inc, Anthony White (anthonywhite@gmail.com)
Sharing IP with adtiara.net

adtiara.net (registered 15 July 2011)
Registrar: DIRECTI
Registrant hidden by privacyprotect.org

malidie.com (registered 21 July 2011)
IP address at time of writing 188.72.204.48 – Hessen, Frankfurt, Netdirect
Registrar: BIZCN.COM, INC
Registrant hidden behind privacy-protect.cn
Sharing IP with inviasat.ru and gennetron.com

gennetron.com (registered 21 July 2011)
Registrar: DIRECTI
Registrant hidden behind privacy-protect.cn

inviasat.ru (registered 1 June 2011)
Registrar: REGRU-REG-RIPN
Registrant: “Private Person”


Also mentioned in recent times – trekmedia.net – including here:
http://stopmalvertising.com/tag/trekmedia.net.html

trekmedia.net (registered 14 February 2011)
IP address at time of writing 173.236.89.200
Registrar: ENOM, INC
Registrant hidden behind WhoisGuard

Also adveritising.com (note the extra letter i)

adveritising.com (registered 17 July 2011)
IP address at time of writing 50.17.195.149
Registrar: DYNADOT, LLC
Registrant hidden behind Dynadot Privacy
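As an added example (not code from the original post), here is a small scanner a site operator could run over ad markup served from their own ad server to catch the pattern described above: iframes or scripts whose source host is one of the domains or IPs listed in this post, or anything under the *.dyndns.org namespace. The domains and IPs are the ones named above; the sample HTML at the bottom is constructed for illustration and the hostnames in it are made up.

```python
"""Flag ad-tag markup that references the domains listed in this post.

Added example, not from the original post: extracts the src of <iframe>
and <script> tags from a snippet of ad HTML and reports any host that is a
listed malvertising domain, a listed IP, or anything under dyndns.org.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains and IPs named in the post (as of December 2011).
LISTED_DOMAINS = {
    "reonmedia.com", "adtiara.net", "malidie.com", "gennetron.com",
    "inviasat.ru", "trekmedia.net", "adveritising.com",
}
LISTED_IPS = {"176.65.162.61", "188.72.204.48", "173.236.89.200", "50.17.195.149"}
# Dynamic-DNS namespace the obfuscated JavaScript was observed calling out to.
WATCHED_SUFFIXES = ("dyndns.org",)


class SrcCollector(HTMLParser):
    """Collect (tag, src) pairs for iframe and script elements."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def host_of(src):
    """Return the lowercase hostname of a URL; protocol-relative URLs count too."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlparse(src).hostname or "").lower()


def is_suspicious(host):
    """True if host is a listed IP, a listed domain or a subdomain of one,
    or sits under a watched suffix such as dyndns.org."""
    if host in LISTED_IPS:
        return True
    for d in LISTED_DOMAINS | set(WATCHED_SUFFIXES):
        if host == d or host.endswith("." + d):
            return True
    return False


def scan_ad_markup(html):
    """Return [(tag, host, src)] for every iframe/script whose host is suspicious."""
    parser = SrcCollector()
    parser.feed(html)
    hits = []
    for tag, src in parser.sources:
        host = host_of(src)
        if host and is_suspicious(host):
            hits.append((tag, host, src))
    return hits


# Constructed sample: one ordinary tag, one listed domain, one dyndns.org host.
SAMPLE_AD = """
<div class="ad">
  <script src="http://ads.example.net/serve.js"></script>
  <iframe src="http://cdn.reonmedia.com/show.php?id=7" width="1" height="1"></iframe>
  <script src="//update.someuser.dyndns.org/x.js"></script>
</div>
"""

if __name__ == "__main__":
    for tag, host, src in scan_ad_markup(SAMPLE_AD):
        print(f"{tag:<7} {host:<32} {src}")
```

Run as-is it reports the reonmedia.com iframe and the dyndns.org script and ignores the ordinary ad tag. To use it on live data, feed it the HTML your ad server actually emits (for example the output of each banner zone) and add any further domains from the comments or other write-ups to `LISTED_DOMAINS`.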

Published Tue, Dec 6 2011 18:05 by sandi

Comments

# re: Malvertizing activity

Thursday, December 08, 2011 3:52 AM by Conrad Longmore

188.72.204.48 is suballocated to a Serbian host called inferno.name; it's all black hat as far as I can see, but spread over lots of different IP blocks.

I did a write-up a few months ago - blog.dynamoo.com/.../something-evil-on-95168177144.html - it's all worth blocking IMO.