http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/safety+and+privacy+on+the+Internet/default.aspxTags: Vulnerabilities, viruses and exploits, safety and privacy on the InternetenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/spywaresucks/archive/2008/12/10/1656334.aspxWed, 10 Dec 2008 00:34:58 GMTd67277c4-116b-43f1-b688-e9ef184ea916:1656334sandi0http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=1656334http://msmvps.com/blogs/spywaresucks/archive/2008/12/10/1656334.aspx#comments<p>Cite: <a title="http://www.google.com/support/forum/p/Webmasters/thread?tid=612707351ed6b298&amp;hl=en" target="_blank" href="http://www.google.com/support/forum/p/Webmasters/thread?tid=612707351ed6b298&amp;hl=en">http://www.google.com/support/forum/p/Webmasters/thread?tid=612707351ed6b298&amp;hl=en</a></p> <p>I disagree with the theory being espoused by some in that thread (that the site is hacked and/or htaccess has been manipulated).&nbsp; This is because:</p> <ol> <li>the thread author is complaining that the redirects are occurring as he browses the site</li> <li>it is not affecting anybody else who has posted to the thread</li></ol> <p>Such symptoms lead me to believe that there is malvertizing being displayed somewhere on the site - I agree with jwp_var.&nbsp; It is interesting that the behavior only seems to affect Firefox...</p> <p>The complained of URL, proweb-info.com/soft.php?aid=075676&amp;d=1&amp;product=XPA&amp;refer=dc77b3921 is definitely bad, leading the victim to the fraudware site advancedproscan.com. <div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=1656334" width="1" height="1">Vulnerabilities, viruses and exploitssafety and privacy on the Internethttp://msmvps.com/blogs/spywaresucks/archive/2008/12/10/1656329.aspxTue, 09 Dec 2008 23:16:09 GMTd67277c4-116b-43f1-b688-e9ef184ea916:1656329sandi1http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=1656329http://msmvps.com/blogs/spywaresucks/archive/2008/12/10/1656329.aspx#comments<p>Olympic Media has been caught distributing malvertizing ... again (<a target="_blank" href="http://www.bluetack.co.uk/forums/index.php?showtopic=18064&amp;st=180#">thanks to Kimberley for the heads up</a>).</p> <p>Why do I say again? <a target="_blank" href="http://msmvps.com/blogs/spywaresucks/archive/2008/08/07/1643854.aspx#1649660">Because a usatoday representative posted to my blog back in September claiming that Olympic Media had sold them a malvertizement</a>.</p> <p>Anyway, back to present day.&nbsp; This time Olympic Media are distributing a cyberipod malvert. </p> <p>Adopstools results - you will see that it is not even one of the newer style, difficult to detect adverts:<br /><a title="http://www.adopstools.com/index.asp?page=quicklink&amp;id=o0CVw0KNmEe0g8sv" target="_blank" href="http://www.adopstools.com/index.asp?page=quicklink&amp;id=o0CVw0KNmEe0g8sv">http://www.adopstools.com/index.asp?page=quicklink&amp;id=o0CVw0KNmEe0g8sv</a></p> <p>When the advert is run, it reaches out to two domains - freegreenstats.com and statisticsmanager.com.</p> <p>statisticsmanager.com drops a cookie for adnetserver.com before leading us to onlinestatsmanager.com.&nbsp; From there we end up at online-info-clicks.com, is which the first URL that exposes the victim to fraudware.&nbsp; online-info-clicks.com redirects the victim to anti-virus-live-scan.com.</p> <p>The advert also uses _url within its code (which means it can change its behavior depending on where it is run from), and runs timezone checks (again, as a way to control the advert&#39;s behavior).</p> <p>So, what does the various domains tell us?&nbsp; Kimberley has done already done the hard work so I shall refer you to her <a target="_blank" href="http://www.bluetack.co.uk/forums/index.php?showtopic=18064&amp;st=180#">report</a>.&nbsp; You&#39;ll note that she draws a connection between Olympic Media and a known bad actor, Atlantmedia.</p> <p>Also, you&#39;ll see that another malvert was discovered on MSN (<a target="_blank" href="http://www.bluetack.co.uk/forums/index.php?showtopic=18064&amp;st=180#">this time the Encarta site</a>).&nbsp; Thankfully, that advert has been pulled from circulation.</p> <p>BTW, note the spelling mistakes on the Olympic Media home page... &quot;dvertising&quot; instead of &quot;advertising&quot; appears twice.</p> <p>&nbsp;</p> <p><img style="border-right-width:0px;margin:0px 25px 25px 0px;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" border="0" alt="image" align="left" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/spywaresucks.ALERTtreatallconte.netwithextremecaution_5F00_A485/image_5F00_8c20f741_2D00_5e2a_2D00_49b3_2D00_8295_2D00_b40187527857.png" width="170" height="640" /><img style="border-right-width:0px;margin:0px 25px 25px 0px;border-top-width:0px;border-bottom-width:0px;border-left-width:0px;" border="0" alt="image" align="left" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/spywaresucks.ALERTtreatallconte.netwithextremecaution_5F00_A485/image_5F00_8ea89409_2D00_5a41_2D00_4e2a_2D00_8ebc_2D00_9f620408025b.png" width="679" height="536" /></p><div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=1656329" width="1" height="1">Vulnerabilities, viruses and exploitssafety and privacy on the Internet