<![CDATA[[SecurityRatty] tag: traffalo]]> http://securityratty.com/tag/traffalo Wed, 20 Feb 2008 19:33:33 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Malicious Advertising (Malvertising) Increasing]]> http://securityratty.com/article/37f3f9caf6504e11892262d9abcaab70 http://securityratty.com/article/37f3f9caf6504e11892262d9abcaab70 In the wake of the recent malvertising incidents, it's about time we get to the bottom of the campaigns, define the exact hosts and IPs participating, all of their current campaigns, and who's behind them. Who's been hit at the first place? Expedia, Excite, Rhapsody, MySpace, all major web properties. Now let's outline the malicious parties involved. These are the currently active domains delivering malicious flash advertisements that were, and still participate in the rogue ads attacks :
01. quinquecahue.com (190.15.64.190)
quinquecahue.com/swf/gnida.swf?campaign=tautonymus
quinquecahue.com/swf/gnida.swf?campaign=atliverish
quinquecahue.com/statsg.php?campaign=meatrichia
quinquecahue.com/swf/gnida.swf?campaign=atticismus

02. akamahi.net (190.15.64.185)
akamahi.net/swf/gnida.swf?cam
akamahi.net/swf/gnida.swf?campaign=innational
akamahi.net/swf/gnida.swf?campaign=annalistno
akamahi.net/statsg.php?u=1199891594&campaign=annalistno

03. thetechnorati.com (190.15.64.191)
thetechnorati.com/swf/gnida.swf?campaign=ofcavalier
thetechnorati.com/swf/gnida.swf?campaign=whoduniton
thetechnorati.com/statsg.php?u=1198689218

04. vozemiliogaranon.com (190.15.64.192)
vozemiliogaranon.com/statss.php?campaign=zoolatrymy
vozemiliogaranon.com/swf/gnida.swf?campaign=zoolatrymy
vozemiliogaranon.com/statss.php?campaign=revenantan

05. newbieadguide.com (190.15.64.188)
newbieadguide.com/statsg.php?campaign=missblue
newbieadguide.com/statsg.php?campaign=2rapid1y
newbieadguide.com/statsg.php?campaign=missblue
newbieadguide.com/statsg.php?campaign=germanit
newbieadguide.com/swf/gnida.swf?campaign=ta5temix
newbieadguide.com/swf/gnida.swf?campaign=c0pperin
newbieadguide.com/swf/gnida.swf?campaign=remain0r
newbieadguide.com/swf/gnida.swf?campaign=mi1eroof
newbieadguide.com/swf/gnida.swf?campaign=m9in9re9

06. traffalo.com (84.243.252.94)
traffalo.com/swf/gnida.swf?campaign=atekistics
traffalo.com/swf/gnida.swf?campaign=byagnostic
traffalo.com/statsg.php?u=1201711626
traffalo.com/statsg.php?u=1202224809

07. burnads.com (84.243.252.85)
burnads.com/swf/gnida.swf?campaign=1akeweak
burnads.com/swf/gnida.swf?campaign=flatfootup

08. v0zemili0garan0n.com
v0zemili0garan0n.com/statsg.php?u=1199391035

09. adtraff.com (84.243.252.84)
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=forcejoe
adtraff.com/swf/gnida.swf?campaign=weightt0

10. mysurvey4u.com (194.110.67.22)
mysurvey4u.com/swf/gnida.swf?campaign=rubberu5
mysurvey4u.com/swf/gnida.swf?campaign=me9ntthe

11. traveltray.com (194.110.67.23)
traveltray.com/swf/gnida.swf?campaign=pavoninean

12. tds.promoplexer.com (217.20.175.39)
tds.promoplexer.com/statsg.php
adtds2.promoplexer.com/in.cgi?2

Additional domains sharing IPs with some of the domains, ones that will eventually used in upcoming campaigns :

aboutstat.com
newstat.net
officialstat.com
stathisranch.net
station-appraisals.net

Contact details of the fake new media advertising agencies :

- Traffalo - "A Leader in Online Behavioral Marketing"
Phone: +46-40-627-1655
Fax: +46-8-501-09210

- MyServey4u - "Relax At Home ... And Get Paid For Your Opinion!"
mysurvey4u.com

- AdTraff - "Leader enterprise in Online Marketing"

Phone number: +49-511-26-098-2104
Fax: +353-1-633-51-70

Detection rate :

gnida.swf : Result: 21/32 (65.63%)
Trojan-Downloader.SWF.Gida.a; Troj/Gida-A
File size: 3186 bytes
MD5: 015ebcd3ad6fef1cb1b763ccdd63de0c
SHA1: 5150568667809b1443b5187ce922b490fe884349
packers: Swf2Swc

The bottom line - who's behind it? Now that pretty much all the domains involved are known, as well as the structure of the campaign itself, it's interesting to discuss where are all the advertisements pointing to. Can you name a three letter acronym for a cybercrime powerhouse? Yep, RBN's historical customers' base, still using RBN's infrastructure and services. Here's further analysis of this particular case as well - Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation, Germany, as well as a tool specifically written to detect and prevent such types of malvertising practices.

]]> Wed, 20 Feb 2008 19:33:33 +0000 swf comswfgnida php newbieadguide comstatsg adtraff active domains domains traffalo Malicious Advertising (Malvertising) Increasing