Thursday, February 21, 2008

Malicious Advertising (Malvertising) Increasing

In the wake of the recent malvertising incidents, it's about time we get to the bottom of the campaigns, define the exact hosts and IPs participating, all of their current campaigns, and who's behind them. Who's been hit at the first place? Expedia, Excite, Rhapsody, MySpace, all major web properties. Now let's outline the malicious parties involved. These are the currently active domains delivering malicious flash advertisements that were, and still participate in the rogue ads attacks :

01. (

02. (

03. (

04. (

05. (

06. (

07. (


09. (

10. (

11. (

12. (

Additional domains sharing IPs with some of the domains, ones that will eventually used in upcoming campaigns :

Contact details of the fake new media advertising agencies :

- Traffalo - "A Leader in Online Behavioral Marketing"
Phone: +46-40-627-1655
Fax: +46-8-501-09210

- MyServey4u - "Relax At Home ... And Get Paid For Your Opinion!"

- AdTraff - "Leader enterprise in Online Marketing"

Phone number: +49-511-26-098-2104
Fax: +353-1-633-51-70

Detection rate :

gnida.swf : Result: 21/32 (65.63%)
Trojan-Downloader.SWF.Gida.a; Troj/Gida-A
File size: 3186 bytes
MD5: 015ebcd3ad6fef1cb1b763ccdd63de0c
SHA1: 5150568667809b1443b5187ce922b490fe884349
packers: Swf2Swc

The bottom line - who's behind it? Now that pretty much all the domains involved are known, as well as the structure of the campaign itself, it's interesting to discuss where are all the advertisements pointing to. Can you name a three letter acronym for a cybercrime powerhouse? Yep, RBN's historical customers' base, still using RBN's infrastructure and services. Here's further analysis of this particular case as well - Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation, Germany, as well as a tool specifically written to detect and prevent such types of malvertising practices.