[nsp-sec] ATTN Akamai - malware on adbureau.net (AUSCERT#200904d8e)
Patrick W. Gilmore
patrick at akamai.com
Fri Apr 17 12:24:58 EDT 2009
On Apr 16, 2009, at 10:12 PM, Matthew McGlashan wrote:
> G'day all and Akamai,
>
> A major AU newspaper (and related sites) had one of its banner ad companies
> compromised and as such were vicariously serving malware. The ad company
> originally was serving malware via:
ACK.
--
TTFN,
patrick
> http://ffxd-images.adbureau.net/ffxd/imagemaps/images/DirectAd_Solutions/140409_spabirthday_728x90.swf
>
>> host ffxd-images.adbureau.net
> ffxd-images.adbureau.net is an alias for
> images.adbureau.net.edgesuite.net.
> images.adbureau.net.edgesuite.net is an alias for a900.g.akamai.net.
>
> FYI the rest of the story shows this did lead to (but now seems dead):
>
> http://securedonlinecomputerscan.com/download/Install_2002-8.exe
>
> the flash file does:
>
>
> http://wepawet.iseclab.org/view.php?hash=c6bd946a56534f9065d223f4860e978d&type=swf
>
> and this next flash then does:
>
>
> http://wepawet.iseclab.org/view.php?hash=9d9caf071b76b0a96f837508b1a88f89&type=swf
>
> and then:
>
> http://updatewindowssecurity.com/?id=35124556600
>
> Binaries start here and:
>
> http://destroyvirusnow.com/index.php?affid=08023
> http://destroyvirusnow.com/download.php\?affid=08023
> http://destroyvirusnow.com//install/installpv.exe
>
> And you get the idea.
>
> Other domains used were:
>
> securedonlinecomputerscan.com
> antispywarepcscanner.com
> totalpcdefender.com
>
> Anyway - the start point for all this was/is ffxd-images.adbureau.net so if
> that can be cleaned that would be great.
>
> Thanks for your time,
>
> -- Matthew McGlashan --
> Coordination Centre Team Leader | Hotline: +61 7 3365 4417
> Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
> (AusCERT) | Fax: +61 7 3365 7031
> The University of Queensland | WWW: www.auscert.org.au
> Qld 4072 Australia | Email: auscert at auscert.org.au
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________