Wednesday 13 January 2010

More on malvertisements running through Bootcampmedia.com

Sandi at Spyware Sucks has a closer look at the malvertisements running through Bootcampmedia.com and comes up with some more details, following up from this post yesterday.

In this case the endpoint of the infection has switched to bonnapet.com on 217.20.114.40, which is hosted by netdirekt e.K. / internetserviceteam.com. That is hardly surprising, as they are one of the more common havens for crimeware. The internetserviceteam.com name appears to be a sub-brand used for black hat hosting .. perhaps it is time for a visit from the Bundespolizei?

1 comment:

MysteryFCM said...

The /mirror/ directory on bonnapet.com seems to have been removed (404's for me), but there's exploit code still present on the bonnapet.com homepage, which when decoded, shows someone isn't a fan of AVG;

http://hosts-file.net/misc/imgbonnapet_com_-_source.gif
http://hosts-file.net/misc/imgbonnapet_com_-_source2.gif

Decoding the code shows the payload comes from the following, which surprisingly, also 404's for me atm;

bonnapet.com/friends/umgo.php

/attempt #2 to post as my connection is apparently unstable atm