Folks, I think we have a problem, right here in Internet City. Ok, that’s a bad play on words from the Music Man song. But I am VERY SERIOUS. Or, as the saying goes, I’m as serious as a heart attack!
I’m greatly disturbed by something that’s happening repeatedly and with great regularity!
Every morning I go to a website, tarot.com, to read my horoscope and other tidbits of information. My housemate visits there too on weekend mornings.
First, let me preface this by saying that over the past several months, tarot.com has added a slew of Google ads (adsense) and other ad delivery services to their site. Their site content is free so I do understand the need to generate income, believe me I do!
The reason I’m telling you this is because there seems to be a direct correlation between the amount of ad content and the quickly spreading malware that we are seeing recently.
Just now, as I’m writing this, I received a call from another person that told me the same thing happened to him on Yahoo Mail. I immediately went to Yahoo and received the exact same pop-up message again! This botnet thing - whatever it is - is disabling the Antivirus programs too!
Last weekend, while at tarot.com my housemate received the dreaded Antivirus 2009 pop-up message while visiting their site. Of course, he knows how to exit that without becoming infected with the Trojan, and I alerted their support immediately. They said they would investigate. To date, I have not received that particular message and I’ve heard nothing further from the folks at Tarot.com.
This morning, I’m visiting there and I get my Trend RUBotted pop-up stating that a bot was found.
So, I immediately close my browser and start the scans. Here’s the interesting part, every scan came up negative.
And even my RUBotted log doesn’t acknowledge a threat! WHAT????
I even went so far as to scan with Trend’s online Housecall! And no threats found. WTF?
Now, I shut down - totally shut down because something is deeply wrong here.
I boot to the following problem with TrendMicro Internet Security Pro:
My Trend is disabled and I cannot restart it.
Now I run Spybot Search and Destroy. I only find a few measly cookies in Firefox and a bad saved bookmark that I didn’t know was dangerous!
Now I’m perplexed! What in the heck is going on????
Now, I run a Wireshark packet capture and I go back to Yahoo Mail to see if I can duplicate the bot message. And sure enough! There it is again!
But this time, I have an IP address!
150.70.89.33
Whois says this:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
So now I go to the Whois for APNIC (http://wq.apnic.net/apnic-bin/whois.pl) and find this on the IP:
inetnum: 150.26.0.0 - 150.100.255.255
netname: JAPAN150
country: JP
descr: Japan Network Information Center
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
notify: hostmaster@nic.ad.jp
mnt-by: MAINT-JPNIC
changed: hm-changed@apnic.net 20070824
source: APNIC
role: Japan Network Information Center
address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address: Chiyoda-ku, Tokyo 101-0047, Japan
country: JP
phone: +81-3-5297-2311
fax-no: +81-3-5297-2312
e-mail: hostmaster@nic.ad.jp
admin-c: JI13-AP
tech-c: JE53-AP
nic-hdl: JNIC1-AP
mnt-by: MAINT-JPNIC
changed: hm-changed@apnic.net 20041222
changed: hm-changed@apnic.net 20050324
changed: ip-apnic@nic.ad.jp 20051027
source: APNIC
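The Whois record above is the kind of thing that is worth parsing rather than eyeballing, because the only question it can actually answer is whether the captured address falls inside the registered range, and how big that range is. The following is an added example, not code from the original post: it parses the APNIC `inetnum` object quoted above (embedded here as constructed sample text, trimmed to the first object) into key/value lists, and checks the captured IP against the range. The function names (`parse_whois`, `ip_in_record`, `record_size`) are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the APNIC inetnum object quoted in the post, first object only.
APNIC_RECORD = """\
inetnum: 150.26.0.0 - 150.100.255.255
netname: JAPAN150
country: JP
descr: Japan Network Information Center
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
notify: hostmaster@nic.ad.jp
mnt-by: MAINT-JPNIC
changed: hm-changed@apnic.net 20070824
source: APNIC
"""


def parse_whois(text):
    """Parse 'key: value' lines into a dict of lists.

    Keys such as 'changed' and 'address' repeat in RIR output, so every
    key maps to a list of values in the order they appeared.
    """
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and server comments (APNIC prefixes them with '%').
        if not line or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def inetnum_bounds(record):
    """Return (first, last) addresses of the record's 'inetnum' range."""
    lo, _, hi = record["inetnum"][0].partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def ip_in_record(ip, record):
    """True if the address lies inside the record's inetnum range."""
    lo, hi = inetnum_bounds(record)
    return lo <= ipaddress.ip_address(ip) <= hi


def record_size(record):
    """Number of addresses the allocation covers."""
    lo, hi = inetnum_bounds(record)
    return int(hi) - int(lo) + 1


if __name__ == "__main__":
    rec = parse_whois(APNIC_RECORD)
    print(rec["netname"][0], "covers", record_size(rec), "addresses")
    print("150.70.89.33 in range:", ip_in_record("150.70.89.33", rec))
```

The range here spans 75 full /16 blocks (about 4.9 million addresses), and its `descr`/`status` fields say it is a registry-level allocation to JPNIC, so this record identifies only the registry that delegated the address, not the organisation running the host. The next step for an investigator is a more specific lookup at the delegated registry (JPNIC) for the narrower assignment containing the captured address.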
Surprise, surprise! Japan is at it again!
So, now I’m peeved to say the least. Bastages!
I grabbed the Yahoo mail page source code and the Tarot.com source code. There has to be something duplicated between these two pages that are displaying the same ad code that is allowing this to get in. What is it?
Looking at both pages, I found the advertising code: Tarot.com is using DoubleClick (ad.doubleclick.com), while Yahoo is using ad.yieldmanager.com, which, after some research, I tracked down to Right Media.
The tarot.com ad code:
The Yahoo Mail page ad code:
I typed in yieldmanager.com, since ad.yieldmanager.com is a subdomain of yieldmanager.com, and I received this result:
So, I went to the Right Media site and it turns out yieldmanager is a Yahoo company! Imagine that?
So, here’s what I did. I blocked ad.yieldmanager.com in my Firefox cookies and I blocked ad.doubleclick.net.
You can also do the same in IE if you are using that. If you need directions on how to do this, contact me.
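The comparison of the two saved page sources, and the blocking that follows from it, can be done mechanically. The example below is added here and is not code from the original post: it pulls the hostnames of every script, iframe, image or embed that a page loads from another site, intersects the sets for two pages, flags the hosts that match a blocklist, and emits hosts-file lines that sink those names. The two page sources and the blocklist are constructed stand-ins built from the ad hosts named in the post (plus a Google AdSense host), not the real Yahoo Mail or tarot.com markup. One point the example makes by design: blocking a domain's cookies, as done above in Firefox, stops it from tracking you but still lets its script load and run; a hosts-file or DNS block keeps the script from loading at all, which is what you want when the ad slot itself is the delivery channel.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages: stand-ins for the two saved page sources.
TAROT_PAGE = """
<html><body>
<script src="http://ad.doubleclick.net/adj/tarot/horoscope;sz=728x90"></script>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<img src="/images/logo.png">
</body></html>
"""

YAHOO_PAGE = """
<html><body>
<script src="http://ad.yieldmanager.com/st?ad_type=iframe;ad_size=300x250"></script>
<script src="/js/mail.js"></script>
</body></html>
"""

# Constructed blocklist: the two ad-serving hosts named in the post.
AD_HOSTS = {"ad.doubleclick.net", "ad.yieldmanager.com"}


class ThirdPartyHosts(HTMLParser):
    """Collect the hostnames of every script/iframe/img/embed/object
    whose src (or data) is an absolute URL, i.e. served by another site."""

    TAGS = {"script", "iframe", "img", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        for name, value in attrs:
            if name in ("src", "data") and value:
                host = urlparse(value).hostname
                if host:  # relative URLs have no host: first-party content
                    self.hosts.add(host.lower())


def third_party_hosts(html):
    """Set of external hostnames the page loads active or embedded content from."""
    parser = ThirdPartyHosts()
    parser.feed(html)
    return parser.hosts


def shared_hosts(*pages):
    """External hosts that appear on every one of the given pages."""
    return set.intersection(*(third_party_hosts(p) for p in pages))


def flagged_hosts(html, blocklist=AD_HOSTS):
    """External hosts on the page that match the blocklist (subdomains included)."""
    return {
        h for h in third_party_hosts(html)
        if any(h == b or h.endswith("." + b) for b in blocklist)
    }


def hosts_file_lines(hosts):
    """Hosts-file lines that sink the names to 0.0.0.0 so they never load."""
    return [f"0.0.0.0 {h}" for h in sorted(hosts)]


if __name__ == "__main__":
    print("shared across both pages:", shared_hosts(TAROT_PAGE, YAHOO_PAGE) or "none")
    to_block = flagged_hosts(TAROT_PAGE) | flagged_hosts(YAHOO_PAGE)
    print("\n".join(hosts_file_lines(to_block)))
```

Run against these samples the intersection is empty, which matches the post's finding that the two sites use different ad networks; the flagged set still yields both hosts for blocking. On a real page, expect far more third-party hosts than the ad servers alone, so review the list before turning it into hosts-file entries.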
Now, here’s my take on this situation. One, several, or perhaps all of the following situations are going on here. The possibilities are:
- The same malware creator is advertising on all the advertising networks so (s)he can push the malware.
- All the ad servers have been compromised.
- All the ad servers have been injected with a code that will serve up this malware.
Either way you look at it, it appears that the advertising networks are clueless that they are putting all users at risk in their effort to generate revenue.
If you would like a copy of my Wireshark packet capture files, please contact me and I’ll send them to you.
If you are an advertising network and you would like testing done on your servers, please contact us to get a quote for those services. We do penetration testing - remotely and on-site.
If you are an antivirus, malware, or firewall software provider and would like all our files, please contact us. (Please note that our forensic files are not given unless we receive acknowledgment for our findings. That includes our partners: Trend Micro and Symantec.)
And to those of you who are STILL NOT USING IT, I highly suggest getting the FREE botnet tool from TrendMicro located here: http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted
Your PC Security is ultimately your responsibility! None of these manufacturers are going to come and clean up your machine for you. You’re stuck cleaning up the mess after they fail to protect you. So, I would suggest you start protecting yourself and learning how to do that!
ADDED: 2:30 PM CTD, Business Week just gave me one!
(Check it out at your own risk! http://images.businessweek.com/ss/08/10/1023_btw/index.htm)