Thursday, February 21, 2008

Malicious Advertising (Malvertising) Increasing

In the wake of the recent malvertising incidents, it's about time we get to the bottom of the campaigns, define the exact hosts and IPs participating, all of their current campaigns, and who's behind them. Who's been hit in the first place? Expedia, Excite, Rhapsody, MySpace, all major web properties. Now let's outline the malicious parties involved. These are the currently active domains delivering malicious Flash advertisements that participated, and still participate, in the rogue ad attacks:
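A detection pass over the URL shapes this post documents (the gnida.swf loader and the statsg.php / statss.php stats beacons tagged with a campaign parameter), as an added example that is not part of the original post: the log format, hostnames and addresses are constructed, and the /24 grouping at the end reproduces the post's pivot of linking domains through shared address blocks.

```python
import re
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log (hypothetical format: time client_ip dest_ip url); hosts
# and addresses are made up, the URL shapes follow the post's gnida.swf kit.
PROXY_LOG = """\
2008-02-20T10:01:12 10.0.0.5 198.51.100.190 http://ads-one.example/swf/gnida.swf?campaign=tautonymus
2008-02-20T10:01:13 10.0.0.5 198.51.100.190 http://ads-one.example/statsg.php?u=1199891594&campaign=tautonymus
2008-02-20T10:02:40 10.0.0.9 198.51.100.185 http://ads-two.example/swf/gnida.swf?campaign=innational
2008-02-20T10:02:41 10.0.0.9 198.51.100.185 http://ads-two.example/statsg.php?u=1198689218
2008-02-20T10:03:02 10.0.0.9 203.0.113.94 http://ads-three.example/statss.php?campaign=zoolatrymy
2008-02-20T10:04:15 10.0.0.7 192.0.2.10 http://cdn.example/swf/banner.swf?id=42
2008-02-20T10:05:00 10.0.0.7 192.0.2.11 http://www.example/statsg.php?page=home
"""

AD_LOADER = re.compile(r"/swf/gnida\.swf$")      # the malicious SWF itself
STATS_BEACON = re.compile(r"/stats[gs]\.php$")   # statsg.php / statss.php callbacks

def classify(url):
    """Return (kind, campaign) for a rogue-ad URL, or None for anything else."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    campaign = qs.get("campaign", [None])[0]
    if AD_LOADER.search(parts.path) and campaign:
        return "loader", campaign
    # Beacons carry campaign= and/or the u= timestamp seen in the post's URLs.
    if STATS_BEACON.search(parts.path) and (campaign or "u" in qs):
        return "beacon", campaign
    return None

def scan_log(text):
    """Return hits as (client, host, dest_ip, kind, campaign) from the log text."""
    hits = []
    for line in text.splitlines():
        _ts, client, dest_ip, url = line.split()
        verdict = classify(url)
        if verdict:
            hits.append((client, urlsplit(url).hostname, dest_ip, *verdict))
    return hits

def cluster_by_net(hits, prefix=24):
    """Group flagged hosts by /prefix, the shared-address-block pivot the post uses."""
    nets = defaultdict(set)
    for _client, host, dest_ip, _kind, _campaign in hits:
        net = ipaddress.ip_network(f"{dest_ip}/{prefix}", strict=False)
        nets[str(net)].add(host)
    return dict(nets)
```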

Additional domains sharing IPs with some of the domains listed, ones that will eventually be used in upcoming campaigns:

aboutstat.com
newstat.net
officialstat.com
stathisranch.net
station-appraisals.net

Contact details of the fake new media advertising agencies:

- Traffalo - "A Leader in Online Behavioral Marketing"
Phone: +46-40-627-1655
Fax: +46-8-501-09210

- MySurvey4u - "Relax At Home ... And Get Paid For Your Opinion!"
mysurvey4u.com

- AdTraff - "Leader enterprise in Online Marketing"
Phone number: +49-511-26-098-2104
Fax: +353-1-633-51-70

Detection rate:

gnida.swf: Result: 21/32 (65.63%)
Trojan-Downloader.SWF.Gida.a; Troj/Gida-A
File size: 3186 bytes
MD5: 015ebcd3ad6fef1cb1b763ccdd63de0c
SHA1: 5150568667809b1443b5187ce922b490fe884349
Packers: Swf2Swc

The bottom line - who's behind it? Now that pretty much all the domains involved are known, as well as the structure of the campaign itself, it's interesting to discuss where all the advertisements point to. Can you name a three letter acronym for a cybercrime powerhouse? Yep, RBN's historical customer base, still using RBN's infrastructure and services. Further analysis of this particular case is available in Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation, Germany, along with a tool specifically written to detect and prevent this type of malvertising practice.