Banner ads from major sites
OK, we all know that infective banner ads are not new, but this is more interesting than most because they're currently fairly common from both mlb.com and nhl.com.
These are really hard to track down, because they don't happen every time you visit a site... it took us hours to get our first capture... but it was both interesting and instructive that when _we_ got a capture, one of our researchers on the other side of the world got one at about the same minute. Now, it was a different fake scanner, and a different path through the ad network, but it was a startlingly similar style and almost the same time. We don't believe in coincidences.
Here's the chain for mlb.com ...
mlb.mlb.com/index.jsp calls to ad.doubleclick.net
ad.doubleclick.net calls to newbieadguide.com
newbieadguide.com calls to fixthemnow.com - this is where the code comes from
fixthemnow.com calls to bsa.safetydownload.com
And here's the chain from nhl.com ...
www.nhl.com calls to m1.2mdn.net
m1.2mdn.net with a parameter of ad.doubleclick.net calls to adtraff.com
adtraff.com calls to blessedads.com
adtraff.com also calls to prevedmarketing.com (which is the same IP as blessedads.com)
One of those two does a 302 (temporary redirect) to scanner2.malware-scan.com, which does the fake scan.
Full URLs are available to appropriate interested parties.
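An added example, not part of the original post: one way a defender could rebuild a chain like the nhl.com one from web-proxy records by following Referer and 302 Location links back from the fake-scanner host. The log records are constructed, every path is a placeholder, and the record layout and function names (`build_parents`, `chain_to`) are assumptions; it also assumes the browser keeps the original Referer across a 302.

```python
from urllib.parse import urljoin, urlsplit

# Constructed proxy-log records, NOT real captures:
# (requested URL, Referer, HTTP status, Location header).
# Hostnames follow the nhl.com chain above; every path is a placeholder.
SCAN = "http://scanner2.malware-scan.com/placeholder"
SAMPLE_LOG = [
    ("http://www.nhl.com/", "", 200, ""),
    ("http://www.nhl.com/style.css", "http://www.nhl.com/", 200, ""),
    ("http://m1.2mdn.net/placeholder", "http://www.nhl.com/", 200, ""),
    ("http://adtraff.com/placeholder", "http://m1.2mdn.net/placeholder", 200, ""),
    ("http://blessedads.com/placeholder", "http://adtraff.com/placeholder", 302, SCAN),
    # Assumption: after a 302 the browser keeps the Referer of the redirected request.
    (SCAN, "http://adtraff.com/placeholder", 200, ""),
]

def host(url):
    return urlsplit(url).hostname or ""

def build_parents(records, use_redirects=True):
    """Map each URL to the URL that caused it to be requested."""
    parent = {}
    for url, referer, _status, _location in records:
        if referer:
            parent.setdefault(url, referer)
    if use_redirects:
        for url, _referer, status, location in records:
            if 300 <= status < 400 and location:
                # A redirect is a stronger link than Referer; Location may be relative.
                parent[urljoin(url, location)] = url
    return parent

def chain_to(records, final_host, use_redirects=True):
    """Return the host chain from the first page down to final_host."""
    parent = build_parents(records, use_redirects)
    url = next((u for u, *_ in records if host(u) == final_host), None)
    chain, seen = [], set()
    while url and url not in seen:  # 'seen' guards against referer loops
        seen.add(url)
        if not chain or chain[-1] != host(url):
            chain.append(host(url))
        url = parent.get(url)
    return chain[::-1]

if __name__ == "__main__":
    print(" -> ".join(chain_to(SAMPLE_LOG, "scanner2.malware-scan.com")))
    print(" -> ".join(chain_to(SAMPLE_LOG, "scanner2.malware-scan.com", False)))
```

With Referer links alone the redirecting host drops out of the chain, which is why the Location header has to be logged and followed as well.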
Here's a vid for anyone who'd like to watch it in action...