[nsp-sec] ATTN Akamai - malware on adbureau.net (AUSCERT#200904d8e)
Matthew McGlashan
matthew at auscert.org.au
Thu Apr 16 22:12:02 EDT 2009
G'day all and Akamai,
A major AU newspaper (and related sites) had one of its banner ad companies
compromised and as such were vicariously serving malware. The ad company
originally was serving malware via:
http://ffxd-images.adbureau.net/ffxd/imagemaps/images/DirectAd_Solutions/140409_spabirthday_728x90.swf
> host ffxd-images.adbureau.net
ffxd-images.adbureau.net is an alias for images.adbureau.net.edgesuite.net.
images.adbureau.net.edgesuite.net is an alias for a900.g.akamai.net.
FYI the rest of the story shows this did lead to (but now seems dead):
http://securedonlinecomputerscan.com/download/Install_2002-8.exe
the flash file does:
http://wepawet.iseclab.org/view.php?hash=c6bd946a56534f9065d223f4860e978d&type=swf
and this next flash then does:
http://wepawet.iseclab.org/view.php?hash=9d9caf071b76b0a96f837508b1a88f89&type=swf
and then:
http://updatewindowssecurity.com/?id=35124556600
Binaries start here and:
http://destroyvirusnow.com/index.php?affid=08023
http://destroyvirusnow.com/download.php\?affid=08023
http://destroyvirusnow.com//install/installpv.exe
And you get the idea.
Other domains used were:
securedonlinecomputerscan.com
antispywarepcscanner.com
totalpcdefender.com
Anyway - the start point for all this was/is ffxd-images.adbureau.net so if
that can be cleaned that would be great.
Thanks for your time,
-- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au