April 2008 - Posts

Carbon Grove - Carbon Reduction Reminder Service

Internet Explorer has partnered with a carbon reduction reminder service to help increase awareness around one of Earth's most precious resources. Browse three endangered forests and plant your own virtual tree while learning how to become a better steward of the environment.

I've completed the questionnaire, and have added the tree to my web site and blog as a Webslice.

Each week, Carbon Grove will send you an email to remind you of your carbon-reducing commitments. Each email will have a link you can click on to keep your virtual tree growing. As your tree grows it will provide shelter to animals native to your chosen forest (my tree is already sheltering a butterfly after just one growth spurt).

If you ignore the email and do not click on the link, the emails will stop.

Notes: The Carbon Grove website requires Silverlight and IE7 or IE8.

Posted by sandi with 1 comment(s)

New malvertizement - americansingles.com

Here it is:
image

The malvertizement, if triggered, redirects victims to the URL windowsxp-privacy.net/?id=987650085.  That URL, if a malicious redirect is not triggered, simply dumps the victim at Google.

windowsxp-privacy.net is hosted in Russia, with mail services supplied by estboxes (Intercage) and is registered via Estdomains.

 

Slow malvertizement clean-up... how frustrating.

The malvertizements discovered on Yahoo are STILL there...

image

Moli.com is still displaying malvertizements as well

image

Alert: malvertizements at moli.com

Kimberley found these ones - full information here:
http://www.bluetack.co.uk/forums/index.php?s=ae5aae56f29889c26c465d6f3aa4e9c1&showtopic=18064&st=30&p=87072&#entry87072

atlas-ads.com is registered using the infamous Estdomains, and if you try to visit the domain you are automatically redirected to the Microsoft-owned atlassolutions.com - but don't be fooled - atlas-ads.com has nothing to do with Microsoft.

The appropriate parties have been notified.

Malvert 1 - featuring Neopets: atlas-ads.com/23486/728x90.swf

Malvert 2 - again featuring Neopets: atlas-ads.com/23486/300x250.swf

p-mediaonline.com - exercise caution if dealing with them....

Earlier I posted an alert that ReachWe (reachwe.com) has been caught distributing malvertizements.

Kimberley has written about another advertising service that shares an IP address with reachwe.com - P-mediaonline.com - discussed here:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=87048&mode=threaded&show=&st=30&#entry87048

reachwe.com and p-mediaonline.com have the same Flash navigation on the opening pages.

P-mediaonline.com was created on 4 April 2008; reachwe.com was created on 6 December 2007.

And, to add to the "yuck" factor, Kimberley uncovers another domain that uses the same contact email address in its WHOIS details as ReachWe - the domain has the charming name of ***-juice.net and yes, it too has a sample of the SWF used by reachwe.com and P-mediaonline.com, albeit with a lot of placeholder text, at ***-juice.net/base.swf:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=87056&mode=threaded&show=&st=30&#entry87056

reachwe.com's "Administrative Contact": Martin, Sten smith.realty@yahoo.com
***-juice.net uses: Rudenkov, Pavel smith.realty@yahoo.com

 

Screenshots of ***-juice.net/base.swf - note the details in the Contact Us pane and the URL in the address bar:

image

image

image

Yahoo aren't listening...

Edit: the malvertizements have been removed from circulation.

And still the problems continue....

I wonder how many hits Yahoo gets per day, and how many people are being exposed to fraudware, while these advertisements are allowed to remain online...

image

image

image

Be very cautious if accepting advertising from ReachWe LLC

Cite this discussion:
http://www.geekvillage.com/forums/showthread.php?p=178973

There are three complaints about malicious advertisements being supplied by ReachWe in that discussion.

You'll note that somebody who claims to be from Yahoo posted a comment to that discussion on 16 April claiming to have been supplied malvertizements by ReachWe.  Yet here we are, seeing malvertizements on Yahoo sites even now.  It seems to me that Yahoo needs to tighten up their processes and procedures - and soon.

Thanks to Kimberley of http://www.bluetack.co.uk/forums/index.php?showforum=239 for the heads up about the thread.  Kimberley will be posting more information about ReachWe soon...

 

Yet another malvertizement at Yahoo Mail...

Edit: the malvertizement has been removed from circulation.

And another one - the URL for this one is:

eur.a1.yimg.com/java.europe.yimg.com/eu/any/yahoonew300x250.swf

Even if you don't get redirected, the malvertizement still lets the bad guys know that it is on display by sending info to adtds2.promoplexer.com/statsa.php?campaign=yahoo and adsraise.com/mbuyers/statistics.html

Yahoo is one of the few companies where I *don't* have a high level contact  :o(

image

Malvertizement problems continue at Yahoo

Edit: the malvertizement has been removed from circulation.

Here it is at Yahoo Mail:
image

Warning: malvertizement at Yahoo Groups!

Edit: the malvertizement has been removed from circulation.

Here it is, in situ - it is familiar, yes?

 image

 

This is the URL of the malvertizement:
eur.a1.yimg.com/java.europe.yahoo.com/eu/any/yahoonew728x90.swf

The malicious SWF leads us to:
adtds2.promoplexer.com/statsa.php?campaign=yahoo

And:
track.trackads.net/statsa.php?campaign=yahoo

 

Any other site that uses Yahoo advertising (Yahoo Mail, or eBay for example) could potentially expose visitors to the malvertizement and fraudware sites.

Old malvertizement featuring getsafeonline

I was intrigued to see this malvertizement pop up on my radar - Mike of mikeonads.com first wrote about this advert back in early 2007.  Perhaps the bad guys think we have short memories Wink

The URLs (thanks Kimberley) used by the malvertizement are:

burnads.com/crossdomain.xml  (this page was apparently last modified in November 2007)
burnads.com/stats.php?campaign=heldthin

Screenshots:

 

New malvertizement featuring Nielsen/NetRatings

Yet another big name is being impersonated via a malvertizement.

The Nielsen malvertizement reveals a new malicious domain, xp-vista-update.net, hosted in Russia with name servers provided by the infamous estboxes.

The domain was created on 25 March 2008.

The malicious URL is xp-vista-update.net/?id=244400121 (currently redirecting to Google).

Here are screenshots of the malvertizements:

 image

   image

   image

Update re malvertizement at livejournal.com

I have been advised that the malvertizement has been removed from circulation.

 

Malvertizement appearing on livejournal.com

This incident has been reported to livejournal, Atlas Solutions (aka adbureau.net) aquantive and Microsoft.

 

Here is a screenshot of the malvertizement:

image

The malvertizement is being displayed at community.livejournal.com.  (Screenshot at end of article)  Heck, the darn thing is popping up on every livejournal page that has an advert - don't they have *anything* else to display???

The malicious SWF is

http://sixapart-images.adbureau.net/sixapart/041808_728x90_765.swf

adbureau.net is associated with aquantive.com, who are in turn owned by... Microsoft.

The SWF dumps us at a MalwareAlarm site via the following route.  The SWF redirects victims to this URL:

profitabill.com/?cmpid=andirector&adid=x  (domain registered by Serg Moon)

When we hit that URL, we are redirected to prevedmarketing.com, which sets a cookie that lasts barely a day.

From there we hit scanner2.malware-scan.com.

statsgod.com also makes an appearance, which sets another shortlived cookie, as does bucksbill.com.

We also hit the following URL (URL incomplete for security reasons)

statgroup.net/c/index.php?

The coders of the SWF are lazy; if you click on it, nothing happens - because the click target is _blank.

And the SWF exposes us to another domain, being:

statgroup.net/crossdomain.xml (registered by Serg Moon)
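The route described above (SWF to profitabill.com, on to prevedmarketing.com with its short-lived cookie, then scanner2.malware-scan.com) is the kind of chain an analyst reconstructs from a capture rather than by visiting the sites. The following script is an added example, not code from the original post: it walks a recorded redirect chain offline, lists every host touched, flags cookies that expire within a couple of days, and stops on loops or over-long chains. The hostnames come from the post; the status codes, the query string after the first hop and the cookie name and lifetime are assumptions made for the fixture.

```python
"""Walk a recorded redirect chain offline and note every host and cookie."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Constructed fixture modelled on the chain in the post. Hostnames are the
# ones named there; status codes, the second hop's query string and the
# cookie ("pm", Max-Age one day) are assumptions, not captured values.
CAPTURED = {
    "http://profitabill.com/?cmpid=andirector&adid=x": Response(
        302, {"Location": "http://prevedmarketing.com/?aid=andirector"}),
    "http://prevedmarketing.com/?aid=andirector": Response(
        302, {"Location": "http://scanner2.malware-scan.com/",
              "Set-Cookie": "pm=1; Max-Age=86400; Path=/"}),
    "http://scanner2.malware-scan.com/": Response(200, {}),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def cookie_lifetime_seconds(set_cookie):
    """Return the Max-Age of a Set-Cookie header, or None if it has none."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    for morsel in jar.values():
        if morsel["max-age"]:
            return int(morsel["max-age"])
    return None


def walk_chain(start, responses, max_hops=10, short_lived=2 * 86400):
    """Follow Location headers from `start` through the recorded responses.

    Returns the ordered hosts seen, a host -> seconds map of short-lived
    cookies, and a verdict: 'done', 'loop', 'too_long' or 'missing'
    (the chain left the capture).
    """
    hosts, short_cookies, seen = [], {}, set()
    url, verdict = start, "done"
    for _ in range(max_hops + 1):
        if url in seen:           # same URL twice: a redirect loop
            verdict = "loop"
            break
        seen.add(url)
        resp = responses.get(url)
        if resp is None:          # chain continues beyond what was captured
            verdict = "missing"
            break
        host = urlsplit(url).hostname
        hosts.append(host)
        set_cookie = resp.headers.get("Set-Cookie")
        if set_cookie:
            life = cookie_lifetime_seconds(set_cookie)
            if life is not None and life <= short_lived:
                short_cookies[host] = life
        if resp.status in REDIRECT_CODES and "Location" in resp.headers:
            url = urljoin(url, resp.headers["Location"])  # handles relative Location
            continue
        break                     # final, non-redirecting response
    else:
        verdict = "too_long"      # exhausted max_hops without a final response
    return {"hosts": hosts, "short_cookies": short_cookies, "verdict": verdict}


if __name__ == "__main__":
    print(walk_chain("http://profitabill.com/?cmpid=andirector&adid=x", CAPTURED))
```

Feeding it a real capture means filling `responses` from a proxy or browser HAR export; the walker itself never makes a network request, which is the point when the endpoints are fraudware sites.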

I conducted a search for domains registered by Serg Moon back in March - back then, he had 20 unique domains, being the following - you will note that profitabill is not listed:

aboutstat.com
aboutstat.net
newstat.net
officialstat.com
officialstat.net
stat-diagnostic-imaging.net
statetstr.com
statgroup.net
stathisranch.com
stathisranch.net
stathome.net
staticglobalsources.com
staticglobalsources.net
station-appraisals.com
station-appraisals.net
statnation.net
statsite.net
statsla.net
statuas.net
statworld.net

profitabill was created on 25 March 2008 - my search was ordered on 10 March - enough said there.
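Both the ReachWe section (two domains sharing the contact address smith.realty@yahoo.com) and the Serg Moon list above rely on the same technique: pivoting WHOIS records on a shared registrant field, then checking registration dates against the date of the last sweep. The script below is an added example, not part of the original post. The registrant names, the shared e-mail address and the creation dates of reachwe.com and profitabill.com are taken from the posts; every other date and the e-mail used for the Serg Moon domains are placeholders, not WHOIS data.

```python
"""Pivot WHOIS records on shared registrant details and spot new registrations."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant: str
    email: str
    created: date


# Constructed sample. Values marked "per post" are as stated in the posts
# above; everything marked "assumed" is a placeholder for the example.
SAMPLE_RECORDS = [
    WhoisRecord("reachwe.com", "Martin, Sten", "smith.realty@yahoo.com",
                date(2007, 12, 6)),                       # per post
    WhoisRecord("***-juice.net", "Rudenkov, Pavel", "smith.realty@yahoo.com",
                date(2008, 1, 15)),                       # contact per post, date assumed
    WhoisRecord("statgroup.net", "Serg Moon", "moon-contact@example.invalid",
                date(2007, 11, 2)),                       # registrant per post, rest assumed
    WhoisRecord("stathome.net", "Serg Moon", "moon-contact@example.invalid",
                date(2007, 12, 14)),                      # registrant per post, rest assumed
    WhoisRecord("profitabill.com", "Serg Moon", "moon-contact@example.invalid",
                date(2008, 3, 25)),                       # registrant and date per post
    WhoisRecord("example.com", "Example Registrant", "hostmaster@example.com",
                date(2008, 2, 1)),                        # unrelated control entry, assumed
]


def pivot(records, field_name):
    """Group domains by a WHOIS field; only groups with two or more domains
    are returned, since a value seen once gives nothing to pivot on."""
    groups = defaultdict(list)
    for record in records:
        groups[getattr(record, field_name)].append(record.domain)
    return {key: sorted(domains) for key, domains in groups.items()
            if len(domains) > 1}


def registered_after(records, registrant, cutoff):
    """Domains held by `registrant` created after `cutoff` - the ones an
    earlier sweep ordered on `cutoff` could not have listed."""
    return sorted(record.domain for record in records
                  if record.registrant == registrant and record.created > cutoff)


if __name__ == "__main__":
    print(pivot(SAMPLE_RECORDS, "email"))
    print(pivot(SAMPLE_RECORDS, "registrant"))
    print(registered_after(SAMPLE_RECORDS, "Serg Moon", date(2008, 3, 10)))
```

The same two functions work on any field you choose to add to the record (name servers, registrar, abuse contact), which is how the shared-name-server list further down would be produced from bulk WHOIS and DNS data.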

At time of writing, profitabill.com was at IP 80.86.94.191.  Other hostnames whose A records point at that IP are:

manzano181.serv.lt, xen-su-01.serv.lt

Domains sharing name servers are far more interesting - I'm sure you will recognize many infamous names:

advancedcleaner.com
alltiettantivirus.com
antispywaresuite.com
antivirusaskeladd.com
antiviruspcpakke.com
antiviruspcsuite.com
antiviruspertutti.com
antiworm2008.com
avsystemcare.com
bedreigingsmonitoor.com
beschermingstool.com
besutohogo.com
bugdokter.com
bugsdestroyer.com
diannaoqingjieji.com
discerrorfree.com
discosemerros.com
discosenzaerrori.com
discosinerrores.com
diskfejlfri.com
diskrensare.com
diskretter.com
doraibuhogo.com
drivecleaner.com
drivedefender.com
driveproteccion.com
einaprivadesapc.com
elmejorantivirus.com
erreurchasseur.com
errorfri.com
errorout.com
errorsafe.com
errorskydd.com
errorsoshi.com
exterminadordevirus.com
fiksdinpc.com
konsekieraser.com
libresystem.com
maximumantivirus.com
minnesparere.com
mistikotitatuipologisti.com
moncontenuassistant.com
munazifalhasob.com
nocompromaat.com
norwayvirus.com
oczyszczaczkomputerza.com
pc-prot.com
pcbeskyttelse.com
pcrengoringsmaskine.com
pcsegura.com
pcsikker.com
pcsikkerhed.com
pcsod.com
pcvirusless.com
pembersihkomputer.com
plattefehlerfrei.com
pp-total.com
privacidadeprotegida.com
privacyprotector.com
puliturasystem.com
regrensere.com
rejishufuku.com
reparateurdesysteme.com
sanitardiska.com
schijfbewaker.com
securepccleaner.com
senzaerrori.com
sichererantivirus.com
sistemaimune.com
solutionreg.com
spyguardpro.com
storageprotector.com
supashuri.com
suspenzorpc.com
sysdepannage.com
syskontroller.com
systemdoctor.com
systemordnare.com
toolsicuro.com
tryggdator.com
turvapc.com
vacinatotal.com
virenfrierpc.com
virusdeteccion.com
virusforsvar.com
virusfrittsystem.com
virusvanguard.com
winantispyware.com
winsecureav.com
winspycontrol.com
yourprivacyguard.com

image

Apple, pardon the pun, changes its (i)tune and rejigs the Apple Software Updater....

Remember how I got so grumpy with Apple back in March, when they were pushing out Safari to Windows users as an "update"?

I was far from the only person criticizing Apple for their behaviour, and it seems Apple have listened and changed the way their Updater works.

As reported by eWeek Security Watch:
http://securitywatch.eweek.com/apple/after_criticism_apple_software_updater_gets_ui_makeover_1.html

 

Posted by sandi with 1 comment(s)

New malvertizement featuring WeightWatchers

Here's a screenshot - the SWF leads you to adtds2.promoplexer.com/statsa.php?campaign=bebo

 

Another malvertizement featuring yourmusic.com

Here's a screenshot - nothing new here...

image

image

 

 

Malicious SWF URL:

adroll.com/u/ads/POOPATPCXNFSNB35TZLVYO/FKM7SN4NXNAJLH75HOCZYB.swf
 

Campaign.

(Edited to correct host details)

page2.googiesindication.com/crossdomain.xml

Note: page2.googiesindication.com is hosted by the infamous Securehost.  Nine Internet Solutions, the same provider implicated in the Blick.ch outbreak, hosts googiesindication.com [without the page2 subdomain].  The domain was created on 26 November 2007.

page2.googiesindication.com/c/index.php?id=eWtkekFoRmpzSFQwMWVySTVRSUNoPTEyMDQwMzE5MjMmcG56Y252dGE9Ymm7NkiZmcmFncmFwcgYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=ossentence

prevedmarketing.com/?tmn=mwatmpsmcmp&aid=ossentence&lid=&ax=1&ed=2&mt_info=5640_5846_16615

scanner2.malware-scan.com/14_swp/?tmn=null&aid=ossentence_ma14s_mb1sct&lid=&affid=&ax=1&ed=2&mt_info=5640_5846_16615:5745_0_16604

statsgod.com/a/?lang=en&aid=ossentence_ma14s_mb1sct&lid=keyin&affid=keyin&prod_id=655&ref=

bucksbill.com/.stats/refil.php?p=14&aid=ossentence_ma14s_mb1sct&lid=keyin&affid=keyin

 

Source of information - thanks Kimberley:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=86914&mode=threaded&show=&st=30&#entry86914

Another malvertizement at radiofrance.fr

Here is a screenshot of another malvertizement featuring Lady Speedstick "in situ".  The URL for the malvertizement is:
media.ftv-publicite.fr/0/OasDefault/2008_1349_I_1_4__Mega-RF-RG//france_728x90_LADY.swf

As before, the malvertizement sends data to the criminals, even if you are not redirected to a fraudware site.  In this case, the URL in use is:
adtds2.promoplexer.com/statsa.php?campaign=france&u=

 

Malvertizement at radiofrance.fr

A French version of the Lady Speedstick malvertizement is being displayed on Radio France's web site.  Here is a screenshot:

image image

 

This is the URL of the malvertizement:

media.ftv-publicite.fr/0/OasDefault/2008_1349_I_1_3__Pave-RF-RG//france_300x250_LADY.swf

 

The malvertizement sends data to the criminals, EVEN IF YOU ARE NOT REDIRECTED, specifically to these URLs:

adsraise.com/mbuyers/statistics.html
adtds2.promoplexer.com/statsa.php?campaign=france&u=
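The point made repeatedly in these posts is that the SWFs phone home even when no redirect fires, so the beacon requests (statsa.php?campaign=..., stats.php?campaign=..., the adsraise.com statistics page) are the reliable indicator of exposure in proxy logs. The following script is an added example, not code from the original post: it runs the beacon hosts and paths named across the Yahoo, getsafeonline and Radio France posts over a few constructed log lines, reports which clients were exposed and to which campaign, and applies one heuristic (a stats script taking a campaign parameter on an unlisted host) for beacons not yet on the list. The log format and all client addresses and timestamps are constructed for the example.

```python
"""Flag malvertizement beacon requests in proxy logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the posts above: host and path of the statistics
# beacons the malicious SWFs call whether or not the victim is redirected.
BEACON_INDICATORS = {
    ("adtds2.promoplexer.com", "/statsa.php"),
    ("track.trackads.net", "/statsa.php"),
    ("burnads.com", "/stats.php"),
    ("adsraise.com", "/mbuyers/statistics.html"),
}

# Heuristic for hosts not yet listed: every PHP beacon in the posts is a
# stats script called with a campaign parameter.
STATS_SCRIPT = re.compile(r"/stats[a-z]?\.php$")

# Constructed log lines in a simplified "timestamp client method url" format;
# the SWF and beacon URLs are those named in the posts, the rest is made up.
SAMPLE_LOG = """\
2008-04-20T10:01:02Z 10.0.0.5 GET http://eur.a1.yimg.com/java.europe.yahoo.com/eu/any/yahoonew728x90.swf
2008-04-20T10:01:03Z 10.0.0.5 GET http://adtds2.promoplexer.com/statsa.php?campaign=yahoo
2008-04-20T10:01:03Z 10.0.0.5 GET http://track.trackads.net/statsa.php?campaign=yahoo
2008-04-20T10:05:44Z 10.0.0.9 GET http://www.google.com/search?q=carbon+grove
2008-04-20T10:07:10Z 10.0.0.7 GET http://burnads.com/stats.php?campaign=heldthin
2008-04-20T10:09:30Z 10.0.0.7 GET http://adsraise.com/mbuyers/statistics.html
2008-04-20T10:11:00Z 10.0.0.8 GET http://ads.example.net/statsb.php?campaign=test
"""


def classify(url):
    """Return (verdict, campaign) for one URL; verdict is 'known_beacon',
    'suspect_beacon' or None."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path
    campaign = parse_qs(parts.query).get("campaign", [None])[0]
    if (host, path) in BEACON_INDICATORS:
        return "known_beacon", campaign
    if campaign and STATS_SCRIPT.search(path):
        return "suspect_beacon", campaign
    return None, campaign


def scan_log(text):
    """Return one alert dict per beacon request found in the log text."""
    alerts = []
    for line in text.splitlines():
        try:
            timestamp, client, _method, url = line.split(maxsplit=3)
        except ValueError:        # malformed or truncated line: skip it
            continue
        verdict, campaign = classify(url)
        if verdict:
            alerts.append({"time": timestamp, "client": client,
                           "host": urlsplit(url).hostname,
                           "verdict": verdict, "campaign": campaign})
    return alerts


def exposed_clients(alerts):
    """Clients that reached at least one beacon, i.e. had the SWF rendered."""
    return sorted({alert["client"] for alert in alerts})


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("exposed:", exposed_clients(scan_log(SAMPLE_LOG)))
```

A beacon hit tells you the advert rendered on that client, not that the fraudware site was reached; correlating the client's next requests against the redirect domains in the earlier posts (prevedmarketing.com, malware-scan.com and so on) is the follow-up step.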
