Malware-scan.com / Newbieadguide.com hijacking Yourmusic.com
22nd October 2007
this article is not aimed at end users, the audience
is intended to be IT Professionals and security researchers.
Do not visit any of the URLs listed in RED
unless you know what you are doing - certainly do not
visit them on a Windows system unless you are preparted
to reformat and reinstall.
Most people assume that malware comes from "dodgy
web sites" - but sometimes it's legitimate sites
that get compromised. We've seen this before,
but this time the ad was being served up by Virgin Media
on their own virginmedia.com website, specifically
their webmail. It appears that the exploit here is still
active at the time of writing and has been for at
least a week.
In this incident, a user logged into the Virgin Media
webmail site as normal. Before they even clicked on
a mail message, they were redirected to a site called
malware-scan.com which then attempted to install
an application called xpupdate.exe "signed"
by "Fidelity Overseas". The download
is detected by CA eTrust as Oneraw.CB.
The user captured the dialogue box,
but didn't examine the publisher information. They also
assert that the did not click "Run". However,
despite this, a file called xpupdate.exe was
install in the PC's C:\Windows folder, identified
by CA eTrust as Oneraw.CB.
Then a registry entry was made
and given the highly misleading name of Windows update
loader with a string value of C:\Windows\xpupdate.exe
So far a simple hijack, but how exactly
did the malware get onto the machine in the first place
when the user hadn't clicked on anything? A combination
of the browser history, proxy logs and most importantly
the local Temporary Internet Files cache gave the clues.
This particular snapshot of the Temporary Internet Files should
be read from the bottom up - emailgateway.htm
is the start of the interaction with Virgin Media's
webmail. The browser then loads in various components
and advertisements until it gets to what is cached as
CAYF0TE3.swf, but is actually http://www.virginmedia.com/microsites/ntl/virginmedia_yourmusic_468%20x%2060_En.swf
not visit this URL) - this appears at first sight
to be quite a harmless flash banner ad for yourmusic.com
(yourmusic.com are not involved in the hijack, just
the banner ad).
It turns out that the SWF file (which is a Flash
animation, excerpts above) has been altered to include
a reference to http://newbieadguide.com/statsa.php?campaign=[tracking-name]
which is completely unrelated to yourmusic.com.
The URL at Newbieaguide.com is actually another Shockwave
Flash file, that then redirects through blessedads.com until
it gets to malware-scan.com
and triggers a cookie at prevedmarketing.com
at the same time. As a final step, the user is directed
a known rogue
Note that the user does not have to click the
banner ad - the ad automatically loads the malware site.
There are then two dialogue boxes in order to alarm
Then a fake scanner screen starts up - this isn't
performing a real scan at all, it's just a meaningless
If you are running Internet Explorer on Windows,
then you will see the installation prompts at the very
top of the page. It is quite possible that the malware
payload will install through a backdoor if it can find
are hosted on 220.127.116.11 in Honduras, a known malware
site (see here).
is hosted on 18.104.22.168 in Russia. Newbieadguide.com
is hosted in 22.214.171.124 in Switzerland. All of
the registration data may well be false, so I have not
repeated it here. Malwarealarm.com
is on 126.96.36.199 in Malaysia.
The big question is - just how did the SWF
banner get infected? It turns out that Virgin Media
aren't the only ones with a bad banner - there is exactly
the same on at http://www.desperateseller.co.uk/crash_yourmusic_468%20x%2060_En.swf
This snippet above is from Google, and as Google
can read inside Flash files you can see the reference
for loadMovie http://newbieadguide.com/statsa.php?campaign=roadface createEmptyMovieClip
do not visit this URL) within the SWF file itself.
This means that the SWF file must be infected at
the source, and Virgin Media and Desperate Seller have
download a compromised SWF file.. it is quite possible
that the file has been compromised for some time, and
that the slimeware
pushers have merely turned it on by activating the remote
web site. The URL is very well hidden in the SWF file
and normal Flash decompiler tools cannot find it.
Of interest, the URL hidden in the Virgin Media file
in the Desperate Seller SWF is http://newbieadguide.com/statsa.php?campaign=roadface
so the SWF files are not exactly the same.
My advice: prevention is better than cure, so block
access to malwarealarm.com,
prevedmarketing.com, malware-scan.com and blessedads.com to
be on the safe side.
Note for security researchers: all tree SWF files
are archived here
with a password of "virus". Approach with
Note for affiliates: The link does not appear to
be from the Commission Junction network, rather it appears
to be sourced from Yourmusic.com directly, the link
is as follows:
This same hijack is now on other banners - it has
been spotted on Flash ads for shoe-shop.com and
poetry.com, The following Google search brings
up several hijacked banners - DO
NOT CLICK ON THE RESULTS!