
Friday, 5 February 2010

More fake ad networks

The German news site Handelsblatt was recently the victim of a malvertising campaign:

02.02.2010 Handelsblatt: malware on website

Update: Infection banners confirmed!

The S-CERT was able to reproduce the infection in its test laboratory on the IHT website. Infection occurs through an advertising banner from "Doubleclick.net", which in turn includes advertisements from the domain "muentely.com" in the Handelsblatt page. The latter site is obviously manipulated and contains malicious JavaScript code.

Further investigations in the S-CERT laboratory have confirmed that, among other things, a PDF vulnerability is used to spread the malware. The studies also show that, as an alternative to this vulnerability, attempts are made to exploit further gaps with appropriate attack code in order to install malware onto vulnerable PCs.

According to the investigations of the S-CERT, the malware with which accessing PCs eventually become infected is so-called scareware: users are informed by the insertion of appropriate dialogues that their PC is extensively infected with malware. To remove this malware, appropriate protective software is available for purchase. To give emphasis to the malware message, the scareware ensures that it is started over any new applications on infected PCs. Relevant reports from users may also indicate an infection.
The malware campaign was running via Doubleclick and Nuggad.net, redirecting through a series of domains that look like ad agencies but are not, before ending up at a server in Panama.

The fake ad agencies are in the 213.163.75.x range, all recently registered through BIZCN.COM in China, a fairly well-known black hat registrar.
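The chain described above (legitimate ad network, then one or more fake agency domains, then the final server) can be surfaced from proxy logs by following referers per client and flagging any hop that lands in the 213.163.75.0/24 range or on one of the domains named in this post. The following Python is an added example, not code from the original post: the log format, the sample lines and the "landing.invalid" host are constructed, and the domain set is just two entries from the post.

```python
from urllib.parse import urlparse
import ipaddress
from collections import defaultdict

FAKE_AD_NET = ipaddress.ip_network("213.163.75.0/24")   # range named in the post
FAKE_AD_DOMAINS = {"muentely.com", "quintat.com"}        # two of the domains from the post

# Constructed sample proxy log (not real traffic): time client dst_ip host referer
SAMPLE_LOG = """\
10:01:02 10.0.0.5 203.0.113.10 ad.doubleclick.net -
10:01:03 10.0.0.5 213.163.75.20 muentely.com http://ad.doubleclick.net/adj/handelsblatt
10:01:04 10.0.0.5 213.163.75.21 quintat.com http://muentely.com/show.js
10:01:05 10.0.0.5 198.51.100.7 landing.invalid http://quintat.com/r
10:02:00 10.0.0.7 93.184.216.34 example.com -
"""

def parse_line(line):
    """Split one log line into a record; '-' means no referer was sent."""
    ts, client, dst, host, ref = line.split()
    return {"ts": ts, "client": client, "dst": ipaddress.ip_address(dst),
            "host": host, "ref_host": urlparse(ref).hostname if ref != "-" else None}

def is_fake_ad_hop(rec):
    """A hop is suspicious if it resolves into the fake-agency range or hits a named domain."""
    return rec["dst"] in FAKE_AD_NET or rec["host"] in FAKE_AD_DOMAINS

def build_chains(records):
    """Link consecutive requests whose referer host is the previous request's host."""
    chains = []
    for rec in records:
        if chains and rec["ref_host"] == chains[-1][-1]["host"]:
            chains[-1].append(rec)
        else:
            chains.append([rec])
    return chains

def flag_malvertising(log_text):
    """Return {client: [[host, host, ...], ...]} for chains containing a suspicious hop."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        by_client[rec["client"]].append(rec)
    flagged = {}
    for client, recs in by_client.items():
        hits = [[r["host"] for r in chain] for chain in build_chains(recs)
                if any(is_fake_ad_hop(r) for r in chain)]
        if hits:
            flagged[client] = hits
    return flagged

if __name__ == "__main__":
    for client, chains in flag_malvertising(SAMPLE_LOG).items():
        for chain in chains:
            print(client, " -> ".join(chain))
```

The output shows the full path from the legitimate ad call to the final landing host, which is what you need to decide whether the publisher, the ad network or an intermediate agency domain should be blocked.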

Note that while the domains appear to be fake, the registration data may include the details of innocent third parties, so I have not published it here. I would recommend avoiding doing business with them unless you can absolutely verify their credentials.
