Malware-scan.com / Newbieadguide.com hijacking Yourmusic.com banner ads
22nd October 2007
IMPORTANT NOTE: this article is not aimed at end users; the intended audience
is IT professionals and security researchers. Do not visit any of the malware
URLs listed below (shown in red in the original) unless you know what you are
doing - certainly do not visit them on a Windows system unless you are prepared
to reformat and reinstall.
Most people assume that malware comes from "dodgy web sites" - but sometimes
it's legitimate sites that get compromised. We've seen this before, but this
time the ad was being served by Virgin Media on their own virginmedia.com
website, specifically their webmail. The hijack appears to be still active at
the time of writing and has been for at least a week.
In this incident, a user logged into the Virgin Media
webmail site as normal. Before they even clicked on
a mail message, they were redirected to a site called
malware-scan.com which then attempted to install
an application called xpupdate.exe "signed"
by "Fidelity Overseas". The download
is detected by CA eTrust as Oneraw.CB.

The user captured the dialogue box, but didn't examine the publisher
information. They also assert that they did not click "Run". Despite this, a
file called xpupdate.exe was installed in the PC's C:\Windows folder, identified
by CA eTrust as Oneraw.CB.
A registry entry was then made in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with the highly
misleading name "Windows update loader" and a string value of
C:\Windows\xpupdate.exe, so the malware is started again at every logon.

So far a simple hijack, but how exactly
did the malware get onto the machine in the first place
when the user hadn't clicked on anything? A combination
of the browser history, proxy logs and most importantly
the local Temporary Internet Files cache gave the clues.

This particular snapshot of the Temporary Internet Files should be read from
the bottom up - emailgateway.htm is the start of the interaction with Virgin
Media's webmail. The browser then loads various components and advertisements
until it gets to what is cached as CAYF0TE3.swf, but is actually
http://www.virginmedia.com/microsites/ntl/virginmedia_yourmusic_468%20x%2060_En.swf
(warning: do not visit this URL). At first sight this appears to be quite a
harmless Flash banner ad for yourmusic.com (yourmusic.com is not involved in the
hijack, only the banner ad is).

It turns out that the SWF file (which is a Flash animation, excerpts above) has
been altered to include a reference to
http://newbieadguide.com/statsa.php?campaign=[tracking-name], which is
completely unrelated to yourmusic.com. The URL at Newbieadguide.com is actually
another Shockwave Flash file, which then redirects through blessedads.com until
it gets to malware-scan.com, setting a cookie at prevedmarketing.com at the
same time. As a final step, the user is directed to malwarealarm.com, a known
rogue antispyware application.
Note that the user does not have to click the banner ad - the ad automatically
loads the malware site.
There are then two dialogue boxes in order to alarm
the user:


Then a fake scanner screen starts up - this isn't
performing a real scan at all, it's just a meaningless
animation.

If you are running Internet Explorer on Windows, you will see the installation
prompts at the very top of the page. It is quite possible that the malware
payload will install through a backdoor if it can find one.
Both blessedads.com and prevedmarketing.com are hosted on 190.15.73.254 in
Honduras, a known malware site (see here). malware-scan.com is hosted on
81.29.249.205 in Russia. Newbieadguide.com is hosted on 217.150.252.136 in
Switzerland. All of the registration data may well be false, so I have not
repeated it here. Malwarealarm.com is on 203.121.79.55 in Malaysia.
The big question is - just how did the SWF banner get infected? It turns out
that Virgin Media aren't the only ones with a bad banner - exactly the same
thing is in
http://www.desperateseller.co.uk/crash_yourmusic_468%20x%2060_En.swf

The snippet above is from Google, and as Google can read inside Flash files
you can see the reference
loadMovie http://newbieadguide.com/statsa.php?campaign=roadface createEmptyMovieClip
(warning: do not visit this URL) within the SWF file itself. This means that
the SWF file must have been infected at the source, and that Virgin Media and
Desperate Seller have both downloaded a compromised SWF file. It is quite
possible that the file has been compromised for some time, and that the
slimeware pushers have merely turned it on by activating the remote web site.
The URL is very well hidden in the SWF file and normal Flash decompiler tools
cannot find it.
Of interest, the URL hidden in the Virgin Media file is
http://newbieadguide.com/statsa.php?campaign=lakeweak, while the one in the
Desperate Seller SWF is http://newbieadguide.com/statsa.php?campaign=roadface,
so the SWF files are not exactly the same: the campaign parameter is a tracking
name that differs per placement.
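Since decompilers did not show the URL but Google's indexer did, the first thing a researcher wants is a quick way to look inside a SWF banner without trusting a decompiler. The following is an added example written for this page (not code from the original article or from any of the sites mentioned): it reads the SWF container (FWS uncompressed, or CWS with the body zlib-compressed after the 8-byte header), then searches the decompressed body for URLs and for the loader names used in the Google query above. The sample SWF it builds is constructed here for testing, with a hypothetical ads.example.net URL, and is not one of the real banners. It only finds strings stored in the clear; a URL assembled at run time will not show up, which is one reason to also diff a banner against the copy the advertiser says they supplied.

```python
"""Added example: look inside a SWF banner for remote loader URLs.

Not code from the original article. Handles FWS (plain) and CWS (zlib) files;
ZWS (LZMA, SWF 13+) is reported rather than parsed.
"""
import re
import struct
import sys
import zlib

# Names the article's Google search used, plus the classic AS2 URL loader.
KEYWORDS = (b"loadMovie", b"createEmptyMovieClip", b"getURL", b"statsa.php")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%\[\]-]+")


def swf_body(data: bytes):
    """Return (version, header_length, decompressed body after the 8-byte header)."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not a SWF file")
    sig, version = data[:3], data[3]
    length = struct.unpack("<I", data[4:8])[0]   # uncompressed length incl. header
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (version 13+) not handled here")
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    return version, length, body


def scan_swf(data: bytes) -> dict:
    """Report URLs and loader keywords found in a SWF's decompressed body."""
    version, length, body = swf_body(data)
    urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(body)})
    keywords = [k.decode() for k in KEYWORDS if k in body]
    return {
        "version": version,
        "length_ok": length == len(body) + 8,   # mismatch hints at tampering/appended data
        "urls": urls,
        "keywords": keywords,
        # A banner that both names a remote URL and calls a loader deserves a look.
        "suspicious": bool(urls) and any(k in ("loadMovie", "getURL") for k in keywords),
    }


def build_sample_swf(strings, compress=True) -> bytes:
    """Constructed test input, not a real ad: a minimal SWF whose only tag is a
    DoAction carrying an ActionConstantPool with the given strings, which is
    roughly how an AS2 compiler stores the arguments of a loadMovie call."""
    pool = b"".join(s + b"\x00" for s in strings)
    action = b"\x88" + struct.pack("<HH", 2 + len(pool), len(strings)) + pool  # ActionConstantPool
    action += b"\x00"                                                          # ActionEnd
    tag = struct.pack("<HI", (12 << 6) | 0x3F, len(action)) + action          # DoAction, long header
    body = (b"\x00"                      # RECT with Nbits=0 (5 zero bits, padded to a byte)
            + struct.pack("<H", 0x0C00)  # frame rate 12.0 (8.8 fixed point)
            + struct.pack("<H", 1)       # frame count
            + tag + b"\x00\x00")         # End tag
    header = (b"CWS" if compress else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    # Usage: python swfscan.py banner1.swf banner2.swf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_swf(fh.read()))
```

Run it over every SWF your ad server or CDN holds, not just the one that was reported; a clean `urls` list does not prove a banner is safe, but any banner that names a host outside the advertiser's own domain is worth pulling until someone explains why it is there.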
My advice: prevention is better than cure, so block access to malwarealarm.com,
newbieadguide.com, prevedmarketing.com, malware-scan.com and blessedads.com to
be on the safe side.
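Blocking the domains stops future victims; finding past ones means going back through the proxy logs for the chain described above (newbieadguide.com, then blessedads.com, then malware-scan.com, prevedmarketing.com and malwarealarm.com) and, for each client that walked it, noting which page or banner pulled the first bad host in. The following is an added example written for this page, not code from the original article: the log format ("epoch client url referer") and the sample lines are constructed, and it assumes your proxy records the Referer header, which many do not by default. Adapt parse_line() to your own proxy's format.

```python
"""Added example: hunt proxy logs for the redirect chain the article describes.

Not code from the original article. The log format and the sample lines are
constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Domains named in the write-up, matched as the host itself or any subdomain.
BAD_DOMAINS = frozenset({
    "newbieadguide.com", "blessedads.com", "malware-scan.com",
    "prevedmarketing.com", "malwarealarm.com",
})


def is_bad_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def parse_line(line: str):
    """Constructed format: '<epoch> <client_ip> <url> <referer or ->'."""
    parts = line.split()
    if len(parts) != 4:
        return None                      # skip blank or malformed lines
    ts, client, url, referer = parts
    return {"ts": float(ts), "client": client, "url": url,
            "host": urlsplit(url).hostname or "", "referer": referer}


def find_victims(lines):
    """Map each client that touched a bad domain to the bad hosts it visited,
    in order, and to the referer of the first bad hit (the banner that pulled it in)."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)
    victims = {}
    for client, recs in by_client.items():
        hits = [r for r in sorted(recs, key=lambda r: r["ts"]) if is_bad_host(r["host"])]
        if not hits:
            continue
        chain = []
        for r in hits:
            if not chain or chain[-1] != r["host"]:   # collapse repeated hits on one host
                chain.append(r["host"])
        victims[client] = {"chain": chain, "pulled_in_by": hits[0]["referer"]}
    return victims


# Constructed sample: one client walks the whole chain, another is clean.
SAMPLE_LOG = """\
1193040001.1 10.0.0.5 http://www.virginmedia.com/microsites/ntl/virginmedia_yourmusic_468%20x%2060_En.swf http://www.virginmedia.com/emailgateway.htm
1193040002.3 10.0.0.5 http://newbieadguide.com/statsa.php?campaign=lakeweak http://www.virginmedia.com/microsites/ntl/virginmedia_yourmusic_468%20x%2060_En.swf
1193040003.0 10.0.0.5 http://blessedads.com/ http://newbieadguide.com/statsa.php?campaign=lakeweak
1193040003.8 10.0.0.5 http://malware-scan.com/ http://blessedads.com/
1193040004.2 10.0.0.5 http://prevedmarketing.com/ http://malware-scan.com/
1193040009.0 10.0.0.5 http://www.malwarealarm.com/ http://malware-scan.com/
1193040010.0 10.0.0.9 http://www.example.org/ -
"""

if __name__ == "__main__":
    for client, info in find_victims(SAMPLE_LOG.splitlines()).items():
        print(client, "->", " > ".join(info["chain"]), "| pulled in by", info["pulled_in_by"])
```

Every client this reports should have C:\Windows\xpupdate.exe and the "Windows update loader" Run entry checked, and the "pulled_in_by" URLs tell you which banners to take down, since the same yourmusic.com creative turned up on more than one site.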
Note for security researchers: all three SWF files are archived here with a
password of "virus". Approach with caution.
Note for affiliates: the link does not appear to come from the Commission
Junction network; rather it appears to be sourced from Yourmusic.com directly.
The link is as follows:

Update 24/10/07
The same hijack is now in other banners - it has been spotted in Flash ads for
shoe-shop.com and poetry.com. The following Google search brings up several
hijacked banners - DO NOT CLICK ON THE RESULTS!
loadMovie createEmptyMovieClip statsa.php
