Beware of malvertizing at eventful.com on Fri Apr 02, 2010 12:06 pm
DragonMaster Jay
Site Owner

Warning: contains un-activated malicious domains. Do not go to the sites listed below that are not activated links.
Found malvertizing at eventful.com
~~~~~~~~~~~~~~~~~~~~~
-Saw a redirect from t.locpub.com to mojoadserver.net, IP: 206.217.206.140, and live-rail.net.
-That redirected to IP: 91.213.157.22.
What websites are listed under that IP?
NONE FOUND!
So, what is the big deal? Referral malware install. Why? You cannot display the page if you place the IP in the address bar and hit Go; instead, the site holds the connection, then redirects you to a search engine if the referral is incorrect.
If you follow the referral, by the malvertisement, you will see the page. This is a new malware writer trick. By clicking the malvertisement, I was redirected yet again, and was taken to the fake antivirus page, ready for malware install. But, when I entered the IP in the address bar, and tried to go to it, the page did not display.
By the referral, it was expected to do a fifth redirect... YES, I said a FIFTH redirect. The page shown was a fake antivirus page, hosted at IP: 213.229.83.83, the home IP for onlinewebsupport.net, a rogue AV support site. What is the problem? All the databases on these IPs will not allow me to query all of its sites.
OnlineWebSupport.net blacklisted at MDL: http://www.malwaredomainlist.com/mdl.php?search=onlinewebsupport.ne&colsearch=All&quantity=50
Similar site to onlinewebsupport.net: supportwebcenter.com.
Guess what the Fake AV page showed? A purchase for Security Tool rogue antivirus. That's right.
Seems like all of these sites are similar, and show rogue AV advertisements:
Actual IP: 213.229.83.196
Range: 213.229.83.192 - 213.229.83.255
On IP: 213.229.83.84
invoiceerica.com
===========================
Use an antivirus to resist these threats:
Free:
Avira Antivir: http://free-av.com
Avast: http://www.avast.com
Rising Antivirus: http://freerav.com
Paid:
Kaspersky Antivirus: http://www.kaspersky.com
ESET NOD32: http://www.eset.com
Avira Antivir Premium: http://www.avira.com
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner
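
The post describes a landing page that only renders when the request arrives through the ad's redirect chain, so fetching the IP directly shows nothing. The following is an added example, not part of the original post: a way to spot such chains in web-proxy logs by linking each request to its Referer and flagging chains that cross several hosts and end on a raw IP address. The log format and all hosts are constructed (reserved documentation names and addresses), and it assumes each hop is logged with the previous hop's URL as its Referer.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines: client, requested URL, Referer header.
# Hosts are reserved documentation names/addresses, not real indicators.
SAMPLE_LOG = """\
10.0.0.5 http://events.example/listing -
10.0.0.5 http://t.adsync.example/px?id=1 http://events.example/listing
10.0.0.5 http://ads.adserver.example/serve?z=9 http://t.adsync.example/px?id=1
10.0.0.5 http://192.0.2.22/in.php http://ads.adserver.example/serve?z=9
10.0.0.5 http://198.51.100.83/scan/ http://192.0.2.22/in.php
10.0.0.7 http://news.example/ -
10.0.0.7 http://news.example/story http://news.example/
"""

def host_of(url):
    return urlsplit(url).hostname or ""

def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def referer_chains(log_text):
    """Link each request to the earlier request whose URL is its Referer."""
    chain_for = {}  # (client, url) -> list of URLs that led to it
    for line in log_text.splitlines():
        client, url, referer = line.split()
        parent = chain_for.get((client, referer), [])
        chain_for[(client, url)] = parent + [url]
    return chain_for

def suspicious_chains(log_text, min_hosts=4):
    """Flag chains that cross many distinct hosts and end on a raw IP."""
    hits = []
    for (client, _url), chain in referer_chains(log_text).items():
        hosts = []
        for u in chain:
            h = host_of(u)
            if not hosts or hosts[-1] != h:  # collapse same-host navigation
                hosts.append(h)
        if len(hosts) >= min_hosts and is_bare_ip(hosts[-1]):
            hits.append((client, hosts))
    return hits

if __name__ == "__main__":
    for client, hosts in suspicious_chains(SAMPLE_LOG):
        print(client, " -> ".join(hosts))
```

The `min_hosts` threshold is a tuning assumption; legitimate ad delivery also chains through several hosts, so the raw-IP landing is the stronger signal here.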
