Banner ads from major sites
Hi folks,
OK, we all know that malicious banner ads are not new, but this case is more interesting than most because they are currently turning up fairly regularly on both mlb.com and nhl.com.
These are really hard to track down, because they don't fire every time you visit a site: it took us hours to get our first capture. It was both interesting and instructive, though, that when _we_ got a capture, one of our researchers on the other side of the world got one at about the same minute. It was a different fake scanner, and a different path through the ad network, but the style was strikingly similar and the timing almost identical. We don't believe in coincidences.
Here's the chain for mlb.com ...
mlb.mlb.com/index.jsp calls to ad.doubleclick.net
ad.doubleclick.net calls to newbieadguide.com
newbieadguide.com calls to fixthemnow.com - this is the host that actually serves the malicious code
fixthemnow.com calls to bsa.safetydownload.com
and here's the chain from nhl.com ...
www.nhl.com calls to m1.2mdn.net
m1.2mdn.net with a parameter of ad.doubleclick.net calls to adtraff.com
adtraff.com calls to blessedads.com
adtraff.com also calls to prevedmarketing.com (which resolves to the same IP address as blessedads.com)
one of those two answers with a 302 (temporary redirect) to scanner2.malware-scan.com, which serves the fake scan.
Full URLs are available to appropriate interested parties.
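Reconstructing a chain like the two above by hand from a proxy log or a HAR export is tedious, because the Referer header names the embedding page rather than the script that issued the request. The following is an added example, not code from the original post: it builds host-level hop chains from request records as a capture tool such as a browser's network panel reports them (an "initiator" URL per request plus the Location of any 3xx response), and groups hosts by resolved IP so that a shared server such as blessedads.com/prevedmarketing.com stands out. The records, paths, query strings and IP addresses below are constructed from the hop names in the post; the actual URLs are not on the page, and which of the two hosts issued the 302 is assumed here (prevedmarketing.com) purely for illustration.

```python
"""Rebuild malvertising hop chains from browser request records.

Added example: the records are constructed from the hop names in the post.
Paths, query strings and the 203.0.113.0/24 (RFC 5737 test-net) address
are placeholders, not captured data.
"""
from collections import defaultdict
from urllib.parse import urlparse


def req(url, initiator=None, status=200, location=None, ip=None):
    """One request as a network-panel or HAR export would describe it."""
    return {"url": url, "initiator": initiator, "status": status,
            "location": location, "ip": ip}


# Constructed records for the mlb.com chain described in the post.
MLB_RECORDS = [
    req("http://mlb.mlb.com/index.jsp"),
    req("http://ad.doubleclick.net/adj/placeholder",
        initiator="http://mlb.mlb.com/index.jsp"),
    req("http://newbieadguide.com/placeholder.js",
        initiator="http://ad.doubleclick.net/adj/placeholder"),
    req("http://fixthemnow.com/placeholder.js",
        initiator="http://newbieadguide.com/placeholder.js"),
    req("http://bsa.safetydownload.com/placeholder",
        initiator="http://fixthemnow.com/placeholder.js"),
]

# Constructed records for the nhl.com chain. Which host sends the 302 is
# an assumption; the post only says it was one of the two.
NHL_RECORDS = [
    req("http://www.nhl.com/"),
    req("http://m1.2mdn.net/placeholder?src=ad.doubleclick.net",
        initiator="http://www.nhl.com/"),
    req("http://adtraff.com/placeholder",
        initiator="http://m1.2mdn.net/placeholder?src=ad.doubleclick.net"),
    req("http://blessedads.com/placeholder",
        initiator="http://adtraff.com/placeholder", ip="203.0.113.10"),
    req("http://prevedmarketing.com/placeholder",
        initiator="http://adtraff.com/placeholder", status=302,
        location="http://scanner2.malware-scan.com/placeholder",
        ip="203.0.113.10"),
    # The browser following the 302: no script initiator of its own.
    req("http://scanner2.malware-scan.com/placeholder"),
]


def host_of(url):
    """Hostname of a URL, or None when the URL is missing."""
    return urlparse(url).hostname if url else None


def build_edges(records):
    """Map each host to the set of hosts it hands the browser on to.

    An edge is recorded when code served from one host requests a resource
    from another (the capture tool's initiator), and when a 3xx response
    redirects the browser to another host via Location.
    """
    edges = defaultdict(set)
    for rec in records:
        src, dst = host_of(rec["initiator"]), host_of(rec["url"])
        if src and dst and src != dst:
            edges[src].add(dst)
        if 300 <= rec["status"] < 400 and rec["location"]:
            target = host_of(rec["location"])
            if target and target != dst:
                edges[dst].add(target)
    return edges


def hop_chains(records, start_host):
    """Every host-level path from start_host to a host that hands the
    browser nowhere else, i.e. the landing page (here the fake scanner)."""
    edges = build_edges(records)
    chains = []

    def walk(host, path):
        nxt = edges.get(host, set()) - set(path)  # do not loop forever
        if not nxt:
            chains.append(path)
            return
        for nxt_host in sorted(nxt):
            walk(nxt_host, path + [nxt_host])

    walk(start_host, [start_host])
    return sorted(chains)


def hosts_by_ip(records):
    """Group hosts by the address they resolved to; two ad hosts on one
    address is the kind of link the post spotted by hand."""
    groups = defaultdict(set)
    for rec in records:
        if rec["ip"]:
            groups[rec["ip"]].add(host_of(rec["url"]))
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


if __name__ == "__main__":
    for chain in hop_chains(MLB_RECORDS, "mlb.mlb.com"):
        print(" -> ".join(chain))
    for chain in hop_chains(NHL_RECORDS, "www.nhl.com"):
        print(" -> ".join(chain))
    print(hosts_by_ip(NHL_RECORDS))
```

With real captures the records come from the tool, and the value of the approach is that an intermittent ad rotation only has to be caught once: every hop between the publisher page and the landing host is then in the graph, and any path ending at a host the publisher never contracted with is the one to hand to the ad network.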
Here's a video for anyone who'd like to watch it in action...
Cheers
Roger
10 Comments:
This has been happening for a while, I first saw it about three weeks ago. Couldn't quite figure out where the banners were coming from though, but it is definitely the same AdTraff.com outfit.
The bottom line is that if you're running rich media ads (e.g. Flash or Javascript) then you have to keep a very close eye on what you are publishing.
Please inform me why anyone would do an online scan like this.
What makes this different from the late 90's scans which appeared to work the same way ?
Conrad wrote:
>you have to keep a very close eye on what you are publishing.
Yes. I agree, but to be fair to the folks accepting advertising revenue, the Bad Guys make it hard to tell they're Bad Guys.
Roger
Axel wrote:
>Please inform me why anyone would do an online scan like this.
Well, the Bad Guys do it without asking. It happens automatically.
Don't forget though... it's not really a scan... they're just _pretending_ to scan you to scare you into installing their warez.
Roger
Susan asked:
>What makes this different from the late 90's scans which appeared to work the same way ?
Well, for one thing, these work on fully-patched Vista with IE7, fully-patched Firefox, and Mac OS X. How's that for a difference?
The real point is that they're not really running a scan at all ... they're just pretending to... it's called social engineering, and they're trying to convince you to install their warez.
Roger
I thought all the Bad Guys wore black hats so that you could tell they were Bad Guys? ;)
You're right about patching - this wasn't using an exploit at all, and if you had Flash then it would work. Heck, it even told me that my Linux-based Nokia Internet Tablet had Windows malware on it, which was a surprise!
Hi Roger
Thanks for the heads up. Could you point me to any resources that address why the bad guys do what they do? You mentioned there's money in it - but I'm curious where it comes from. I understand the kick of hackers doing something to play with the vulnerabilities of systems, or to show off to one another, etc etc. It escapes me how they expect to make money doing it however (other than potentially by getting credit card numbers or something off a compromised system).
To anyone wondering about how/why we have viruses, spam, exploits etc it is all due to organized crime and the mafia. The problem got worse when the virus writers and the people peddling spam got together and shared their tools. There will be more of this in the next few years. This is proof that a "Zero Day Attack" can be orchestrated against a system that is fully patched.
You can't tell from publisher's or viewer's standpoint who embeds the redirection code in the Flash ad. That's because many ads are actively traded at AdECN by 3 dozen members. It's like tracking the original source of the HIV infected person, I suppose.