Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 18 October 2013

Alert: Malvertisement from 8.29.133.140

Investigating a new malicious site (reason7crack.com) led to zippyshare.com URLs, which, once again, led to malvertisements. This time they came from cpadominator.com (8.29.133.140).

The path for this little bit of badness was:

hxxp://reason7crack.com
-> hxxp://reason7crack.com/download/
--> hxxp://4j4.me/reason7crackmac.php
---> hxxp://a4caed69.linkbucks.com
--> hxxp://www30.zippyshare.com/v/80240661/file.html
---> hxxp://8.29.133.140/download/download5adcuk.php?src=ADC&kw=125524&lp=4
----> hxxp://cpadominator.com/campaigns/index.php?g=adcuk&src=ADC&kw=125524
-----> hxxp://cpadominator.com/campaigns/index.php?g=mplayeradcuk&src=ADC&kw=125524&lp=4
------> hxxp://secure.oi-installer7.com/o/flashproplayer_flashproplayer/Setup.exe?subid=flashproplayer_ADCUK-4-125524&filedescription=Setup&adprovider=flashproplayer&
--> hxxp://www57.zippyshare.com/v/65769005/file.html
---> hxxp://8.29.133.140/download/download5adcuk.php?src=ADC&kw=125524&lp=4
----> hxxp://cpadominator.com/campaigns/index.php?g=adcuk&src=ADC&kw=125524
-----> hxxp://cpadominator.com/campaigns/index.php?g=mplayeradcuk&src=ADC&kw=125524&lp=4
------> hxxp://secure.oi-installer7.com/o/flashproplayer_flashproplayer/Setup.exe?subid=flashproplayer_ADCUK-4-125524&filedescription=Setup&adprovider=flashproplayer&
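To turn a chain like the one above into something a blocklist or proxy-log search can use, here is an added example (my code, not the post's) that parses this defanged arrow notation, assuming each hop line is zero or more dashes, an optional `>`, and a `hxxp://` URL exactly as laid out above:

```python
"""Parse a defanged (hxxp) redirect chain into structured hops."""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the chain documented in the post.
CHAIN = """\
hxxp://reason7crack.com
-> hxxp://reason7crack.com/download/
--> hxxp://4j4.me/reason7crackmac.php
--> hxxp://www30.zippyshare.com/v/80240661/file.html
---> hxxp://8.29.133.140/download/download5adcuk.php?src=ADC&kw=125524&lp=4
----> hxxp://cpadominator.com/campaigns/index.php?g=adcuk&src=ADC&kw=125524
"""

# Leading dashes give the hop depth; the URL stays defanged in the input.
HOP_RE = re.compile(r"^(?P<dashes>-*)>?\s*(?P<url>hxxps?://\S+)$")


def parse_chain(text):
    """Return one (depth, host, path, query) tuple per hop line."""
    hops = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HOP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hop line: {line!r}")
        # Re-fang only for parsing; the report keeps the hxxp form.
        url = m.group("url").replace("hxxp", "http", 1)
        p = urlsplit(url)
        hops.append((len(m.group("dashes")), p.hostname, p.path, p.query))
    return hops


def blocklist_hosts(hops, skip=()):
    """Unique hosts in chain order, minus any the analyst chooses to skip."""
    seen = []
    for _, host, _, _ in hops:
        if host not in seen and host not in skip:
            seen.append(host)
    return seen


def campaign_ids(hops):
    """Collect the kw= campaign identifiers carried across the hops."""
    return {kv[3:] for _, _, _, q in hops
            for kv in q.split("&") if kv.startswith("kw=")}
```

The `kw=125524` value survives every hop from the IP-address host through to cpadominator.com, which is the tie between the file host redirect and the ad campaign that the post is pointing out.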

Depending on the browser you're using, you'll see one of the following. The first was with the Gecko engine, and the second with the Trident engine:



So iBryte/Optimum Installer - still want to try and tell me you're a fully ethical, legitimate, non-adware company?

In both cases, by the by, the offending ad network, as usual (and as with almost all previous cases), was adscash.com. A few refreshes of the page led to one of the other major offenders of fake Flash player etc. pages, Performersoft LLC, courtesy of:

hxxp://clkmon.com/adServe/sa?pid=3092&cid=125524
-> hxxp://www.noyapps.com/lp/codecperformer/v17/?cid=3975&clickid=0038245225419101508&orig_client=ADCASHDWN-125524
--> hxxp://www.softologicsb.com/download/$qPo%2BRZlsIQYpuQgO?exename=CodecPerformerSetup&cid=3975&clickid=0038245225419101508&orig_client=ADCASHDWN-125524



Not surprisingly, these chaps are also swearing blind that they're legit (as, it happens, is AirInstaller, who are protesting to their host (SingleHop) that they aren't malicious at all, and that these documented accounts of malicious and otherwise misleading and unethical behaviour are "spurious complaints" - of course they are - NOT!).

Well, sorry to burst your obviously opaque bubble, but as far as I am concerned, and there's plenty of evidence (such as the above) to support this, you're about as legit as Zango were, and the sooner your respective companies are shut down, the better for everyone (and as iLivid (aka iMesh, BearShare etc.) have stopped responding to complaints, the same goes for them too).
