Blog for hpHosts, and whatever else I feel like writing about ....

Friday 15 March 2013

Misleading marketing (yet again): InstallIQ, Amonetize, bechiroapps.com

I know this isn't a surprise anymore, but it still annoys the hell out of me.

Whilst following a malware trail, I found 3 more examples of misleading marketing. One of them on depositfiles.com, and 2 of them on zippyshare.com. In all 3 cases, the route went through adsmarket.com (also not a surprise).

First we have a fake Flash Player. This was loaded by:

hxxp://www76.zippyshare.com/pop.jsp?a=1

It goes straight to a download at (domains PD houses the same thing too):

hxxp://www.adobeflashplayeryukle.com/dl.php

No landing page, no warnings.

Then InstallIQ, where you'll notice (follow the red arrow) the fake "plugin required" advert:

Which leads to the landing page here:

URLs:

hxxp://ad.xtendmedia.com/clk?3,eJytTd1qgzAUfhrvRGJiRJFdpDqLZcomdqI3Q02ssVqlDVP79Iu29An2cTjn-zmHoyOHoYqxsrYtjKFNGXZ0RM26BnqpGypwHAdiCGwAsAXV48Q6l-VLNJHymAOy4TBW8fSg5LS24ME.rbXvvcVNjs-4dH1K.gVukMbZkwfb35NnkV3cTuUd7F5r-3cY9gceJXn3kTTnrM1EmPhdyHUepdJLAxR5lIdtaOTp9zn.el2-qWojxKggokBfVnVlheC.TJsFu9CeUV5o1dDLZLwO8yJnX4ihX7Zks7RG9J2C.IL-iGVkCvIKqkBTyhu.rxIBMEMMpHdjleDDZfVMhCzb-AMcNHmH,
-> hxxp://ad.yieldmanager.com/clk?3,eJytTd1qgzAUfhrvRGJiRJFdpDqLZcomdqI3Q02ssVqlDVP79Iu29An2cTjn-zmHoyOHoYqxsrYtjKFNGXZ0RM26BnqpGypwHAdiCGwAsAXV48Q6l-VLNJHymAOy4TBW8fSg5LS24ME.rbXvvcVNjs-4dH1K.gVukMbZkwfb35NnkV3cTuUd7F5r-3cY9gceJXn3kTTnrM1EmPhdyHUepdJLAxR5lIdtaOTp9zn.el2-qWojxKggokBfVnVlheC.TJsFu9CeUV5o1dDLZLwO8yJnX4ihX7Zks7RG9J2C.IL-iGVkCvIKqkBTyhu.rxIBMEMMpHdjleDDZfVMhCzb-AMcNHmH,
--> hxxp://network.adsmarket.com/click/imNwlo2ff5S3YZiVjaJ7mZFjapaNpIGcjGKYmGGcepW3ZG-YZaF7?dp=RMX_A6103404_P5280544_V161810259_RSanta Rosa_S3633894_C10309915_B93712&dp2=UwelCeZyNwAbUZ0AAAAAAJpcRwAAAAAAAgAAAAIAAAAAAP8AAAAGDyCTUAAAAAAAbCFdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIWRYAAAAAAAIAAgAAgD8ABGXwbz0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJwL9awqi.SNzM51z810DU9NyXI0q3Qq93SrKKrMCowq9QIAwR0LwQ==&dp3=Usource_url_hidden
---> hxxp://www.xvidupdate.com/tube/?pub_id=2271&ce_cid=20dJX94msVBiUYqE0UM73Z1ugC6T000.

hxxp://ad.yieldmanager.com/clk?3,eJytjV1vgjAUhn8Nd2jaUlkJ2UXBj7Do4hRmuhuDtIWifEy7Kf76Fee2P7A3TXOe5.T0QMfHLpQYIozBiAAPcB863JVSCCI9G.i-j7DnAUgeRtBOzuIQJvlyeQ4jsE4C2iekT6sz.U5OJ.QnS9Lfs7GnXpK7kiTI6L8kjDYrdq-jyOyl-ZhQNJCD3RUEv89mCWbXCLDNBM.jYs.KXC.i6WGhYMHK13IeZ.gt5vtFzDoWB-Xz34JH2y60bi2HWmhqTnYUqVafYnjRouaV4CodZk1lOlWqm6ozhU7zYaGrg-VMU77VXSssZ9w2rYVcwyd17RlcgOGTyLRqasMYOsglvduldS341gzcZk-miRzjb0JVNwHvLI.i.UPUWdf.-AWkYYZS,
-> hxxp://network.adsmarket.com/click/imNwlo2ff5S3YZiVjZx9m4xpbJlfyoObkGVqxGadfZmJkG-VXqN-lQ?dp=RMX_A6078591_P5279960_V161810259_RSanta Rosa_S4132680_C19255688_B93712&dp2=UwelCUgPPwCI0SUBAAAAACAJRwAAAAAAAgAEAAAAAAAAAP8AAAAGD9iQUAAAAAAAf8BcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACIWRYAAAAAAAIIAgAAgD8AEtAMcD0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJwL9awqi.SNzM51z810DU9NyXI0q3Qq93SrKKrMCowq9QIAwR0LwQ==&dp3=Usource_url_hidden
--> hxxp://cp.tuguu.com/pasarela/affp/769/ce_cid=20kWRn19.Jj2IJoY0UM73Z1ugCAV000.&pub_id=2271?ce_cid=20kWRn19.Jj2IJoY0UM73Z1ugCAV000.
---> hxxp://cp.tuguu.com/pasarela/download.php?p=769&_so=1&_bw=1&_sv=5.1&_bv=9.0&_ip=838941715&_cc=US&asdd=1&_qs=ce_cid%3D20kWRn19.Jj2IJoY0UM73Z1ugCAV000.%26pub_id%3D2271%3Fce_cid%3D20kWRn19.Jj2IJoY0UM73Z1ugCAV000.
----> hxxp://cp.nicdls.com/pasarela/doma/dls.nicdls.com/p/151/FlashPlayer/79/418/769.4.92.016f731e
-----> hxxp://dls.nicdls.com/p/151/FlashPlayer/79/418/V.24081182a
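The chains above are written in the defanged "hxxp" / "->" notation that malware-trail posts like this one use. As an added example (not part of the original post, and not hpHosts' own tooling), here is a small Python parser for that notation: it splits the text into separate chains (a hop with no leading arrows starts a new chain), pulls the hostname out of each hop, checks that the arrow depths are consecutive, reports the landing host of each chain, lists the intermediaries shared between chains (the ad-network "common route"), and emits hosts-file lines in the style hpHosts publishes. The sample chain is constructed from the hostnames on the page with the long tracking parameters shortened; the paths and parameter values are not the real ones.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the post's notation. Hostnames are the ones listed
# in the post; paths and tracking parameters are shortened/made up.
# One URL deliberately contains a space and one a trailing comma, as the
# originals do, to show that the parser copes with both.
SAMPLE = """\
hxxp://ad.xtendmedia.com/clk?3,eJytTd1q,
-> hxxp://ad.yieldmanager.com/clk?3,eJytTd1q,
--> hxxp://network.adsmarket.com/click/imNwlo2f?dp=RMX_RSanta Rosa_S36&dp3=Usource_url_hidden
---> hxxp://www.xvidupdate.com/tube/?pub_id=2271&ce_cid=20dJX94m.

hxxps://ad.yieldmanager.com/clk?3,eJytjV1v,
-> hxxp://network.adsmarket.com/click/imNwlo2f?dp=RMX_RSanta Rosa_S41
--> hxxp://cp.tuguu.com/pasarela/affp/769/ce_cid=20kWRn19.&pub_id=2271
---> hxxp://cp.tuguu.com/pasarela/download.php?p=769&_cc=US
----> hxxp://cp.nicdls.com/pasarela/doma/dls.nicdls.com/p/151/FlashPlayer/79/418/769.4.92.016f731e
-----> hxxp://dls.nicdls.com/p/151/FlashPlayer/79/418/V.24081182a
"""

# A hop line: optional run of dashes ending in '>', then a defanged URL.
# \S+ stops at whitespace, which is fine because we only need the hostname.
HOP_RE = re.compile(r'^\s*(?P<arrows>-*>)?\s*(?P<url>hxxps?://\S+)', re.IGNORECASE)


def refang(url):
    """Turn the defanged hxxp/hxxps scheme back into http/https so urlsplit can
    parse it. Nothing here fetches the URL; this is for parsing only."""
    return re.sub(r'^hxxp', 'http', url, flags=re.IGNORECASE)


def parse_chains(text):
    """Split the text into chains of hops. A hop with no arrows (depth 0)
    starts a new chain. Each hop is a dict with depth, host and path."""
    chains = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        depth = (m.group('arrows') or '').count('-')
        url = refang(m.group('url').rstrip(',.'))  # drop the list separators
        parts = urlsplit(url)
        host = (parts.hostname or '').lower()
        if not host:
            continue
        hop = {'depth': depth, 'host': host, 'path': parts.path or '/'}
        if depth == 0 or not chains:
            chains.append([hop])
        else:
            chains[-1].append(hop)
    return chains


def is_well_formed(chain):
    """True when the arrow depths run 0, 1, 2, ... with no gaps, i.e. the
    chain was transcribed without a missing hop."""
    return [hop['depth'] for hop in chain] == list(range(len(chain)))


def final_hosts(chains):
    """The last hop of every chain: the host the user actually lands on."""
    return [chain[-1]['host'] for chain in chains]


def shared_intermediaries(chains):
    """Hosts that appear in more than one chain, sorted. In the post these
    are the ad networks every example routed through."""
    counts = Counter()
    for chain in chains:
        for host in {hop['host'] for hop in chain}:
            counts[host] += 1
    return sorted(host for host, n in counts.items() if n > 1)


def hosts_entries(chains, sink='127.0.0.1'):
    """hosts-file lines for every unique host, in first-seen order."""
    seen = []
    for chain in chains:
        for hop in chain:
            if hop['host'] not in seen:
                seen.append(hop['host'])
    return [f'{sink} {host}' for host in seen]


if __name__ == '__main__':
    chains = parse_chains(SAMPLE)
    for i, chain in enumerate(chains, 1):
        print(f'chain {i}: {len(chain)} hops, well-formed={is_well_formed(chain)}')
    print('lands on:', final_hosts(chains))
    print('shared intermediaries:', shared_intermediaries(chains))
    print('\n'.join(hosts_entries(chains)))
```

Feeding it the chains in this post gives two well-formed chains, flags ad.yieldmanager.com and network.adsmarket.com as the hosts common to both, and yields seven hosts-file lines; the landing hosts (www.xvidupdate.com and dls.nicdls.com) are the ones to look at first when deciding what a blocklist entry should cover.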

Monday 4 March 2013

[INFO] vURL server offline

Just a note, folks: the vURL server will be offline for another hour or two to allow for essential maintenance.

Sites affected:

vurldissect.co.uk
apk.it-mate.co.uk
avant.it-mate.co.uk
bartware.it-mate.co.uk
bughunter.it-mate.co.uk
dnsbh.it-mate.co.uk
hostsman.it-mate.co.uk
naomi.it-mate.co.uk
support.it-mate.co.uk
temp.it-mate.co.uk
helenbenoist.co.uk
ashsofdev.tk
8gc.com

Sorry for the inconvenience.

/edit

All done.