  1. #1
    Newbie
    Join Date
    December 22nd, 2005
    Posts
    4
    Angry compactbanner.com spreads viruses through banners
    I'm overfilled with resentment!

    See attached screenshot for details

  2. #2
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Wow... interesting find. I've had a look at this and I can see there are multiple layers of embedded IFRAMES which are masking the trojan download.

    Please do not visit any of these URLs unless you are fully protected and know exactly what you are doing

    The banner ad URL is:
    http://www.server2.compactbanner.com/centraladserver/media/media1.php
    ?p=cb&acc=h73&site=h73&activex=true&host=h73

    That uses an IFRAME to call:
    http://www.server2.compactbanner.com/centraladserver/media/code1.php
    ?p=cb&site=h73&account=h73&max=

    Which uses another IFRAME to call:
    http://www.server2.compactbanner.com/centraladserver/media/c1.php
    ?program=cb&account=h73&site=h73&code=1

    Which then uses another IFRAME to call:
    http://www.saybyebye.net/defaults/media/ads.php
    ?site=h73&nopopup=&program=cb&subsite=h73&xint=

    And then there's another IFRAME calling:
    http://www.saybyebye.net/defaults/media/bannerusa.php
    ?account=h73&program=cb&site=h73

    This page has a couple of interesting bits, an affiliate link to the casino (complete with the member name):

    {a href="http://banner.prestigecasino.com/cgi-bin/redir.cgi?member=dwyeager" target=_blank}{img border="0" src="http://www.cpays.com/markettool/new_tools/prestige/English/bnr/dollar/468x60/pren46802.gif" width="468" height="60" }{/a}
    And then a link to the Javascript that's trying to infect your PC: http://www.ysbweb.com/ist/scripts/ysb_prompt.php?retry=0&loadfirst=1&delayload=0&software_id=10
    &account_id=1004831&recurrence=always&adid=a1136128699&event_type=onload&user_level=3

    Now, ysbweb.com is run by an outfit called IST for their Yoursitebar product. To give IST some credit they do have an abuse reporting tool, although bearing in mind that they provided the script in the first place, it's probably unlikely that they'll do much.

    So, compactbanner.com appears at first glance to be guilty of nothing but sloppiness. cpays.com is just some casino affiliate program (CasinoPays) who aren't really anything to do with the drive-by download attempt. IST are a known quantity and are just the end point.

    The real perp is the saybyebye.net site. Let's look at the WHOIS data for that:

    Registrant:
    Global MediaTeam
    Po box 1368
    granbury, TX 76048
    US

    Domain name: SAYBYEBYE.NET

    Administrative Contact:
    Yeager, Derrel support@adinfinity.com
    Po box 1368
    granbury, TX 76048
    US
    1 817 881 51 87
    Technical Contact:
    Yeager, Derrel support@adinfinity.com
    Po box 1368
    granbury, TX 76048
    US
    1 817 881 51 87
    Cha-ching, we have a match. The name Derrel Yeager matches up with the cpays.com affiliate link and also ties in with some other outfit called adinfinity.com.

    saybyebye.net is running on 207.44.158.104 along with centraladserver.com and saybyebye.com...

    ..and this is where the penny drops..

    ..because centraladserver.com is part of the compactbanner.com network. So who does own compactbanner.com? Yup, Derrel Yeager and Global MediaTeam (I guess just Derrel in his bedroom). So in fact, compactbanner.com really is spreading the trojan, but it's trying to use several different layers of IFRAMEs to conceal this.

    Just for the record, here are some of the domains I can identify as belonging to Derrel Yeager's network:

    • www.Adinfinity.com
    • www.Centraladserver.com
    • www.Adoptimal.com
    • www.Compactbanner.com
    • www.Globalmediateam.com
    • www.Saybyebye.com
    • www.Saybyebye.net


    Looking at the Alexa stats you can see that it's a crummy no-traffic banner network that pulls in perhaps a few thousand or so uniques per day. The Alexa page for compactbanner.com has the following review (their words, not mine) that just about sums it up:

    1 of 5 stars Pure Scam,
    90% of your exposures will not register and their standard pop-under ads will be riddled with pop-under codes that will overwhelm your visitors.

    Stay away from these people like the plague
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.
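
The nested-IFRAME chain traced in the post above, as an added example that is not part of the original thread: a small tracer that walks frames inside frames, records where the serving host changes, and flags scripts pulled from a foreign host deep in the chain. The pages and hosts are constructed placeholders (`example.test` and similar), not the thread's URLs, and `min_depth=3` is an assumed threshold.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed pages on placeholder hosts (not the thread's URLs), so this runs offline.
PAGES = {
    "http://ads.example.test/media1.php": '<iframe src="code1.php?site=x"></iframe>',
    "http://ads.example.test/code1.php?site=x": '<IFRAME SRC="c1.php?code=1"></IFRAME>',
    "http://ads.example.test/c1.php?code=1":
        '<iframe src="http://other.example.net/ads.php"></iframe>',
    "http://other.example.net/ads.php": '<iframe src="banner.php"></iframe>',
    "http://other.example.net/banner.php":
        '<a href="http://casino.example.org/r?member=m1"><img src="b.gif"></a>'
        '<script src="http://installer.example.com/prompt.php"></script>',
}

class SrcCollector(HTMLParser):
    """Collect frame and script sources from one document."""
    def __init__(self):
        super().__init__()
        self.frames, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if src and tag in ("iframe", "frame"):
            self.frames.append(src)
        elif src and tag == "script":
            self.scripts.append(src)

def trace(url, fetch=PAGES.get, max_depth=10):
    """Breadth-first walk of nested frames; one record per document visited."""
    hops, seen, queue = [], set(), [(0, url, None)]
    while queue:
        depth, current, parent_host = queue.pop(0)
        if current in seen or depth > max_depth:
            continue  # guard against frame loops and unbounded nesting
        seen.add(current)
        host = urlsplit(current).hostname
        doc = SrcCollector()
        doc.feed(fetch(current) or "")
        scripts = [urljoin(current, s) for s in doc.scripts]
        hops.append({
            "depth": depth, "url": current,
            "host_changed": parent_host not in (None, host),
            "foreign_scripts": [s for s in scripts if urlsplit(s).hostname != host],
        })
        queue.extend((depth + 1, urljoin(current, f), host) for f in doc.frames)
    return hops

def suspicious(hops, min_depth=3):
    """Foreign-host scripts loaded from deeply nested frames: (depth, page, script)."""
    return [(h["depth"], h["url"], s) for h in hops
            if h["depth"] >= min_depth for s in h["foreign_scripts"]]
```

Pointing `fetch` at saved copies of each page lets the same walk run over captured evidence without loading anything in a browser.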

  3. #3
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Damn these guys - one of my users just got an attempted download using the WMF vulnerability from saybyebye.net. The site running the banner was samachar.com which is a sizeable Indian news portal (Alexa traffic rank 5000 or so).

    It's just a shame they're based in the US.. if they were in the UK they'd be getting a visit from the police about now.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  4. #4
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    ISTbar is pretty well known for doing drive-by installs. And the banner thing is a pretty easy way to do it. I would think their abuse reporting page is equivalent to an unsubscribe link in a spam. It really is quite a shame, but it's the reality of the world of adware folks who'll do anything to get their crap on a computer and their 'affiliates' who will do the actual dirty work for a few pennies per install.

  5. #5
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    ISPs need to start pulling the plug on these guys...both the spyware/adware companies and the 'affiliates' who spread the stuff. They should at least have to go through the hassle of setting up house all over again.

  6. #6
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Outing the bad actors should be a rewarded exercise at ABW. The scumbag Derrel Yeager's network is just one of many set up by the cybercriminals pushing Adware, PPCSE fraud, Trojan horse virus backdoors, e-mail spammers and spyware privacy info peddling:

    www.Adinfinity.com
    www.Centraladserver.com
    www.Adoptimal.com
    www.Compactbanner.com
    www.Globalmediateam.com
    www.Saybyebye.com
    www.Saybyebye.net

    The ones also needing to get perp walks are the advertisers paying the IST group, and their ilk, to infest shoppers' systems with this garbage. Posting the advertisers condoning this crap and their sleazy AM's should be a priority here in 2006.
    http://www.adinfinity.com/about.html
    http://www.adinfinity.com/advertisers.html
    Last edited by Dynamoo; January 17th, 2006 at 06:10 AM. Reason: Edited to delink the URLs - we don't want anyone to get infected!
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  7. #7
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Here's a real nest of Adware/Spyware snakes infesting systems through freebie game trial and download sites. http://www.spywareguide.com/articles...sn_t__102.html


    Enbrowser is the name of a company and develops "free" games as a way to distribute advertisements to the people who download them. The games are advertised as “free”. There are no references to any advertising of any kind on their download page. However under their “About us” section (http://www.enbrowser.com/about.html) we see that they do state that downloading will result in online advertisements.

    Is this just another free game on the internet that displays advertisements or is it bundled with something else? There is evidence to support the claim that these free games also install another software, some debate as a trojan, known as “PacerD”..... http://www.spywareguide.com/articles...sn_t__102.html


    Nowhere in the EULA does it even mention that information is collected from your computer, but this does not speak for the thirty-three (33) other programs installed with snackman.exe in an action called "daisy-chaining". In total, the figures for this install are as follows:

    Adware – 26
    Trojan – 4
    Data Miner – 1
    Worm – 1
    Loyaltyware - 1

    This is a high price to pay for a game of Snack Man..... the game character sure knows how to eat up your commissions.

    Interesting read as the perps and commission thieves using this type of deceptive infestation points to plant their popup & under cookie setting crap on shoppers' systems. PaymyBills and other major network merchants are one of the monetizers paying to bombard systems with crapware like this.

    Here's what's possible in funding terrorists... via the BHO infestation game currently in play... http://www.spywareguide.com/articles...rroris_39.html
    Last edited by ecomcity; January 18th, 2006 at 10:44 PM.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  8. #8
    Life is Supposed to be Fun! Rexanne's Avatar
    Join Date
    January 18th, 2005
    Location
    Los Angeles
    Posts
    12,360
    Quote Originally Posted by Dynamoo
    It's just a shame they're based in the US.. if they were in the UK they'd be getting a visit from the police about now.
    Yeah, the UK is a lot more civilized AND the police don't carry guns but manage to keep creeps off the streets or, in this case, out of our computers.
    Peace,

    Rexanne

    Rexanne.com
    Loving Everyone's Child Creates Magic

