Sponsored by..

Tuesday 15 September 2009

Rogue ads on answers.com: dotastoc.com

I'm still trying to track this one down, but somewhere on answers.com is a rogue ad that does through several hops to reach a fake anti-virus application. Don't visit any of the following sites unless you know what you are doing!
  1. dotastoc.com/442417.js?sid=bWtuamJoX2NvZmZlZS1jODMuZG90YXN0b2MuY29t [, Germany - Netdirekt E.k]
  2. mknjbhyju.exxl.pl/coffee-c83/xalei.html [, Ohio - XLHost.com Inc]
  3. mknjbh_coffee-c83.dotastoc.com/index.html ?Ref=http%3A%2F%2Fwww.google.co.uk %2Fsearch%3Fhl%3Den%26q%3D[redacted]%26btnG%3DSearch%26meta%3D
  4. myth-busters.cn/go.php?id=2009-01&key=cd19f5036&p=1 [, Netherlands - Ecatel]
  5. 09computerquickscan.com [multihomed at,,,,, Germany Hetzner Online AG]
Step 3 requires a referer string to work, depending on the string you may get redirected, for example to usdisturbed.cn/?pid=229&sid=4b5855 [, Belize "Financial Company Titan Ltd"] then fast-virus-scan4.com [, Costa Rica Centerinfocom Ltd or again]

Lots of suspect IP addresses there, is the first step and also hosts these following domains that also look suspect:

  • Anidmenonpderche.com
  • Dotastoc.com
  • Ewyuewssf.com
  • Fishbiss.com
  • Iggiksc.com
  • Lur2cont.com
  • Niuk.ru
  • Pornokogu.com
  • Uewiosdasda.com
fast-virus-scan4.com is also being used in some .htaccess attacks, where the hacked site only redirects to the fake virus scanner if accessed through Google or some other search engine, not if it is visited directly.

Update: answers.com appear to have tracked down and removed the ad, although some other sites have been hit by a very similar attack.

No comments: