Saturday, March 22, 2008

More Malvertising on Myspace

Yet again, another example of malvertising on Myspace. Does this ad look familiar?



The VML ActiveX Control is loading from the IP address highlighted in red.

The WHOIS for the IP points to Russia. Thanks to Fergie for pointing out the error in my initial research.



This IP address has been connected to other malware issues in the past.

I didn't dig too much into this malware ad, since I wasn't in a secure VM.

Malvertising is a very serious issue and it will only get worse before it gets better.

2 comments:

  1. If you would have used a WHOIS client that did recursive referrals, you would have seen that this block of IP addresses is actually located in Russia [see below].

    It is a well-known fact that Russian/Ukrainian criminals are behind most of these malicious ad efforts.

    Also, the rDNS entry for [80.93.48.74] is 80.93.48.74.colo.piter.peterhost.ru.

    AS | IP | AS Name
    35295 | 80.93.48.74 | PETERHOST-PITER PeterHost.Ru Hosting Provider at SPb


    Results:
    % This is the RIPE Whois query server #3.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Note: This output has been filtered.
    % To receive output for a database update, use the "-B" flag.

    % Information related to '80.93.48.0 - 80.93.48.255'

    inetnum: 80.93.48.0 - 80.93.48.255
    netname: PETERHOST-PITER
    descr: PeterHost.Ru Hosting Provider
    country: RU
    org: ORG-CL37-RIPE
    admin-c: PHST-RIPE
    tech-c: PHST-RIPE
    status: ASSIGNED PA
    mnt-by: PETERHOST-MNT
    mnt-domains: PETERHOST-MNT
    source: RIPE # Filtered

    organisation: ORG-CL37-RIPE
    org-name: Concorde Ltd.
    org-type: LIR
    address: PeterHost.Ru
    Alexander Chernov
    Prof. Popova str. 37 B
    197376 Saint-Petersburg
    RUSSIAN FEDERATION
    phone: +78123477743
    fax-no: +78123341222
    admin-c: GBDJ-RIPE
    mnt-ref: PETERHOST-MNT
    mnt-ref: RIPE-NCC-HM-MNT
    mnt-by: RIPE-NCC-HM-MNT
    source: RIPE # Filtered

    role: PeterHost.Ru NOC
    address: Professora Popova street, 37B
    address: 199178, St-Petersburg, Russia
    phone: +7 812 3477743
    org: ORG-CL37-RIPE
    admin-c: DAK1-RIPE
    tech-c: GBDJ-RIPE
    tech-c: ALIN-RIPE
    nic-hdl: PHST-RIPE
    abuse-mailbox: abuse@peterhost.ru
    mnt-by: PETERHOST-MNT
    source: RIPE # Filtered

    % Information related to '80.93.48.0/21AS35295'

    route: 80.93.48.0/21
    descr: PeterHost.Ru St.Petersburg
    origin: AS35295
    mnt-by: PETERHOST-MNT
    source: RIPE # Filtered

    - ferg

  2. Thanks Fergie. I ran thru the checks fast, so it isn't shocking that I missed something.

    The fact is that the malware is being served thru no action of the user and without going to some "unsafe" page. This is st8r Myspace.

    Unsafe in the general public sense. =)
