Sponsored by..

Showing posts with label Bogus Ads. Show all posts
Showing posts with label Bogus Ads. Show all posts

Wednesday 20 January 2010

AdSlash.com is a bogus ad network

We've seen a number of ads being punted through AdSlash.com to legitimate ad networks, but it appears that these are leading to a PDF Exploit (don't visit these sites, obviously!).

For example:
fwlink.nx7.zedo.com.adslash.com/?alx=a27131939386&td=qcbp71pz=42834&sz=728x90&_zm=359161&st=n1n4&id=131939386&zcw=gh17chl277&xryr=3913771&mp=1460h1
fwlink.nx7.zedo.com.adslash.com/stats_js_e.php?id=131939386
fwlink.nx7.zedo.com.adslash.com/bdb/Health/banner_728.gif
fridayalways.com/kven/index.php
fridayalways.com/kven/js/common.js
fridayalways.com/kven/pdfadmnplay.php
fridayalways.com/kven/files/backoutblack.pdf

or

fwlink.nx7.zedo.com.adslash.com/?alx=a27131959519&td=qcbp71pz=42834&sz=120x600&_zm=359161&st=n1n4&id=131959519&zcw=gh17chl277&xryr=3913771&mp=1460h1
uparms.com/uparmglde/index.php
uparms.com/uparmglde/js/zingvaz.js
uparms.com/uparmglde/sexxhsdtk.php
which then loads a PDF exploit

or

fwlink.nx7.zedo.com.adslash.com/?alx=a27131958218&td=qcbp71pz=42834&sz=300x250&_zm=359161&st=n1n4&id=131958218&zcw=gh17chl277&xryr=3913771&mp=1460h1
setsup.com/setglde/index.php
setsup.com/setglde/js/common.js
setsup.com/setglde/ffcollab.php
setsup.com/setglde/files/slob.pdf

Despite the use of "zedo.com" in the subdomain, there is no evidence that these are being syndicated through Zedo.

Let's look at the WHOIS entry for AdSlash.com first:

Domain name: adslash.com

Registrant Contact:
PublishingAlert
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Administrative Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Technical Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Billing Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

DNS:
ns1.everydns.net
ns2.everydns.net

Created: 2010-01-04
Expires: 2011-01-04

The address looks kind of legitimate, but there's no Duck Creek Road in Oakland and the phone number is most likely Los Altos, not Oakland. Also the fact that it has been registered just days ago is a clue.. and it turns out that the registrar is BIZCN.COM of China which is an odd choice for a California company.. in other words, the domain registration details are fake.

AdSlash.com is hosted on 217.23.7.6 which is reportedly a Worldstream Data Center in Faro, Portugal. There's a cluster of servers with fake registration details which are probably related:

217.23.7.6
Adslash.com
Dc2way.com
Ispmns.com
Rtcohost.com
Vpsroll.com

217.23.7.7
Net-wisp.com
Realhgost.com
Slhoste.com

217.23.7.8
Inhostin.com
Nx7tech.com
Vpbyte.com

217.23.7.9
Eywtech.com
Qhostin.com
Sslcode.com

Blocking the entire 217.23.7.x range will probably do no harm at all, it is full of typosquatting domains and other crap.

The PDF exploit itself is hosted in Russia on 213.108.56.18 at Infoteh Ltd (UNNET-LINER), there are a bunch of domains serving these exploits up:
  • alwaysinwork.com
  • fridayalways.com
  • runsup.com
  • uparms.com
  • upmostly.com
WHOIS details show the infamous moldavimo@safe-mail.net email address.

Registrant:
Name: dannis
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610

Administrative Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
Phone: +7.9957737737
Fax: +7.9957737737
Email: moldavimo@safe-mail.net

Technical Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
The whole UNNET-LINER netblock of 213.108.56.0 - 213.108.63.255 looks fairly sordid, blocking access to it will probably do no harm.

As a side note, AdSlash.com did used to be owned by a hosting company called RackSlash, but it expired and was re-registered.

If you are accepting new ad banners - always remember to look closely at WHOIS details and other credentials to ensure that you are dealing with who you think you are.

Monday 18 January 2010

Is trafficbuyer@gmail.com Bryan Hunter of Modena, Inc?

We have seen quite a lot of the domain registrant trafficbuyer@gmail.com lately [1] [2] [3] and it would be fair to say that this email address has been connected with malware domains for a few months [4] [5].

Domains operated by trafficbuyer@gmail.com appear to be part of the routing mechanism to bad sites, but there's no indication of who the email address actually belongs to. Is it an ad network, or is it the bad guys themselves.. and if it's an ad network, why are they hiding their name?

This post at Spyware Sucks gave a clue. There are several domains which are interesting because they have changed hands during their lifetime from a firm called Modena Inc (modenainc.com) owned by one Bryan Hunter of Oregon and are now in the hands of "trafficbuyer".

In July 2009, these domains were registered to:


Manager, Domain domains@modenainc.com
Modena Inc.
921 SW Washington ST
Suite 228
Portland, Oregon 97205
United States
(503) 241-1091 Fax --
By September 2009 they had all changed to:

Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --
So, who are Modena Inc of Oregon? According to the State of Oregon, the two key people here are Bryan Hunter and Andrew Vilcauskas, although Mr Hunter's name is most often associated with Modena, Inc. The official status for Modena, Inc shows "Administrative Dissolution" which means that the state dissolved the company for non-filing of paperwork.. this seems to be a common issue. If we look at businesses related to Bryan Hunter then we see:

Big Truck Autobody (dissolved, failed to renew in 2004)
CreditYes, Inc (administrative dissolution in 2008, though still trading at CreditYes.com)
Diminished Value, Inc (filings overdue as of November 2009, trading at DiminishedValue.com)
ExitExchange Corporation (still active, although check the rating at WOT for ExitExchange.com or simple Google it)
Modena Homes, Inc (administrative dissolution in 2008)
Modena, Inc (administrative dissolution in 2009)
Modena, Inc (older incorporation, administrative dissolution in 2004)
Pro Web Design LLC (administrative dissolution in 2004)
Wind Song Creek Estates LLC (administrative dissolution in 2009)

Now, given the WHOIS history of these domains we would suggest that either Bryan Hunter is trafficbuyer@gmail.com or he sold the domains on to this person. If they are the same person, then perhaps he would like to review his business relationships and clean them up...

Wednesday 13 January 2010

More on malvertisements running through Bootcampmedia.com

Sandi at Spyware Sucks has a closer look at the malvertisements running through Bootcampmedia.com and comes up with some more details, following up from this post yesterday.

In this case the endpoint of the infection has switched to bonnapet.com hosted on 217.20.114.40 which is hosted by netdirekt e.K. / internetserviceteam.com, hardly surprising as they are one of the more common havens for crimeware. The internetserviceteam.com name appears to be a sub-brand used for black hat hosting .. perhaps it is time for a visit from the Bundespolizei?

Tuesday 12 January 2010

BoingBoing.net / Bootcampmedia.com ad leads to malware


A malicious ad running on BoingBoing.net is delivering visitors to a PDF exploit.

Given the complicated state of advertising arbitrage, it is unlikely that BoingBoing.net have much control over it. The ad appears to be loading in from ad.yieldmanager.com (which is Yahoo!) and/or ad.z5x.net (DSNR Media Group) both of which are hosted on the same multihomed IP addresses.

The ad itself (pictured) appears to be some sort of get-rich-quick scheme or other.

This ad then directs through ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 to traffic.firedogred.com/content?campaign=1219131&sz=2 (this combination of bootcampmedia.com and firedogred.com has been noted before)

The ad then hops to deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 then content.baalcootymalachi.com/track/3388182/S_SE?[snip] loading an image from img.amerchibchapowered.com along the way.

Finally, the visitor is directed to chohivyb.info/cgi-bin/aer/[snip] which contains an exploit detected as Troj/PDFJs-GI by Sophos.

"Boot Camp Media" is run by a guy called Jamie Dalgetty of Guelph, Ontario in Canada. It's unlikely that he's a bad guy, more likely that his ad network is being exploited by a malcious third party.

traffic.firedogred.com is rather more interesting, multihomed on 69.164.215.204, 69.164.215.205, 69.164.215.207, 69.164.215.208 and 69.164.215.210 at Linode, New Jersey. The domain firedogred.com is slightly interesting:

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)

Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM
trafficbuyer@gmail.com has been used for these malicious domains for some months and is well known.

deliver.amerchibchapowered.com is also multihomed at Linode on 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203, 74.207.232.205, 74.207.232.206, 74.207.232.248 and 74.207.232.249. The domain was registered on 7th January 2010 and is hidden by DomainsByProxy.

content.baalcootymalachi.com is hosted on 69.164.196.55 at Linode again, again registered on 7th January via DomainsByProxy.

img.amerchibchapowered.com is hosted on a large number of servers at 174.143.243.90, 174.143.243.162, 174.143.243.220, 174.143.245.236, 98.129.236.154, 98.129.236.239, 98.129.236.254, 98.129.237.14, 98.129.238.99, 98.129.238.101, 98.129.238.102, 98.129.238.103, 98.129.238.105, 98.129.238.106, 98.129.238.112, 174.143.241.174, 174.143.242.58, 174.143.242.109 - these are all hosted at Slicehost.com which is a customer of Rackspace.

Finally, chohivyb.info is hosted on 216.150.79.74 which is some outfit called ezzi.net of New York owned by another outfit called AccessIT. No prizes for guessing that chohivyb.info has been registered only very recently with anonymous details.

216.150.79.74 is a well-known malware server, and that hosts the following domains which you can assume are malicious:

  • Ablxsr.info
  • Ajgdrt.info
  • Alevfq.info
  • Alfwqr.info
  • Alrpsl.info
  • Ameronada.info
  • Bnzbfz.info
  • Bodxmt.info
  • Bplimo.info
  • Briliantio.info
  • Bvqlag.info
  • Bzjsqk.info
  • Ccwarj.info
  • Cityopicos.info
  • Clthth.info
  • Ctksji.info
  • Dasyxe.info
  • Dbivoh.info
  • Dgltup.info
  • Dpuefh.info
  • Dtjblp.info
  • Enhmqq.info
  • Enqpqk.info
  • Euespj.info
  • Exmxfd.info
  • Fblooe.info
  • Fdwghs.info
  • Fopqde.info
  • Fprvsu.info
  • Frgbat.info
  • Fymjjz.info
  • Gelvmf.info
  • Gnautw.info
  • Gnysgg.info
  • Gredotcom.info
  • Grupodanot.info
  • Grxqog.info
  • Gukuny.info
  • Gyckjq.info
  • Hagijd.info
  • Haqdsc.info
  • Hgtbng.info
  • Hjdnps.info
  • Hyiyyi.info
  • Iakecg.info
  • Iaoaxz.info
  • Iewwpn.info
  • Ijaflj.info
  • Iohbvo.info
  • Jhrubd.info
  • Jokirator.info
  • Kbwstb.info
  • Kibfsz.info
  • Klamniton.info
  • Ktebkx.info
  • Kxlglw.info
  • Leeloe.info
  • Lgcezx.info
  • Lkraat.info
  • Lktcaj.info
  • Llchqs.info
  • Lnmrjz.info
  • Lokitoreni.info
  • Lqhczk.info
  • Lywavy.info
  • Lyzocu.info
  • Mallstern.info
  • Manaratora.info
  • Megafrontan.info
  • Mesxql.info
  • Mngmjc.info
  • Monsatrik.info
  • Montrealt.info
  • Mruvienno.info
  • Mrvsnq.info
  • Nalszu.info
  • Ncnzfh.info
  • Neiaea.info
  • Nigrandara.info
  • Njcmug.info
  • Npmkrr.info
  • Ntaxkj.info
  • Obzdkn.info
  • Ocftfa.info
  • Optugj.info
  • Otfcco.info
  • Owpwhi.info
  • Pbrugb.info
  • Plxxii.info
  • Pncgfd.info
  • Ppusmb.info
  • Prbakn.info
  • Qdinql.info
  • Qgxelo.info
  • Qqtwft.info
  • Realuqitor.info
  • Refrentora.info
  • Retuvarot.info
  • Rfouce.info
  • Rljysj.info
  • Rocqdn.info
  • Roeaaj.info
  • Semqef.info
  • Snosrz.info
  • Spgsgh.info
  • Stqvqw.info
  • Swrapz.info
  • Tcoqgo.info
  • Tehfnn.info
  • Top-lister1.info
  • Transforltd.info
  • Tsfxzg.info
  • Tyenxv.info
  • Ugrdzf.info
  • Uliganoinc.info
  • Urupnk.info
  • Utpxno.info
  • Uyguau.info
  • Vbqfdm.info
  • Veqibp.info
  • Vkfaao.info
  • Vwwtlp.info
  • Wddifv.info
  • Wdhcvv.info
  • Wdokxd.info
  • Wevoratora.info
  • Wtstds.info
  • Wvkjxx.info
  • Wvlsam.info
  • Xbhmws.info
  • Xbxynl.info
  • Xcisup.info
  • Xxiyrv.info
  • Ybeaxd.info
  • Yfntrg.info
  • Yqjxkj.info
  • Ywbxen.info
  • Zdkaki.info
  • Zhwtqz.info
  • Zlpbha.info
  • Znkwjc.info
  • Zqpwco.info
Unlocker.org.uk is located on the same server, but it doesn't seem to fit in with the malware delivery and perhaps it is best to assume that it is a coincidence.

Obviously block or null-route these destinations as you feel fit, and do not purchase any ads from firedogred.com!

Added: You probably want to block these too..

216.150.79.76
  • Cacorq.info
  • Clxhbz.info
  • Dgrxqh.info
  • Diwiowano.info
  • Dmdurz.info
  • Funkol.info
  • Geetol.info
  • Gitoer.info
  • Gondiroda.info
  • Gutrandin.info
  • Hizfek.info
  • Hopore.info
  • Ivgzda.info
  • Jopqae.info
  • Kolpao.info
  • Nadotraza.info
  • Niraynome.info
  • Ofahitino.info
  • Oirjsa.info
  • Ornotivec.info
  • Pirtaf.info
  • Popsto.info
  • Rellok.info
  • Ruhcsy.info
  • Sacmtf.info
  • Sdoras.info
  • Tapiroten.info
  • Tiizwb.info
  • Traxemere.info
  • Ulmqmq.info
  • Vivibt.info
  • Xsxydj.info
  • Yuncdjbiw.info
  • Yyoqny.info

216.150.79.77
  • Bnodas.info
  • Brasilianstoree.info
  • Byzypub.info
  • Depahugu.info
  • Gionasodor.info
  • Giratunes.info
  • Gyreal.info
  • Hlopki.info
  • Huerin.info
  • Igerinsar.info
  • Jcafuzixa.info
  • Joketarona.info
  • Koevoru.info
  • L-iza.info
  • Laryju.info
  • Manocoraz.info
  • Nbuuf.info
  • Npefu.info
  • Nvihobepo.info
  • Pe-aqemop.info
  • Pyneh.info
  • Retiof.info
  • Rzajexu.info
  • Tolkienad.info
  • Tymane.info
  • Typolazu.info
  • Vfoxoe.info
  • Wanitale.info
  • Yawibyve.info
  • Ydiuvy.info
  • Zoimie.info

Thursday 19 November 2009

Warning: Affilnet.net

Just as a follow-up to the warmfuzzylove.com scam, the same server (98.126.22.178) now hosts Affilnet.net which may be trying to pass itself off as Affili.net which is a legitimate marketing agency, although at the moment the site appear to be blank.

The domain was previously registered to Warner Brothers (of all people!) but was reregistered to an anonymous registrant on 13th November.

Given that the pattern of registration and server being used are consistent with an existing scam, then any approach from Affilnet.net should be regarded as being suspicious unless proven otherwise.