[G_R]

I'm overfill resentment!

See attached screenshot for details

[Dynamoo]

Wow... interesting find. I've had a look at this and I can see there are multiple layers of embedded IFRAMES which are masking the trojan download.

Please do not visit any of these URLs unless you are fully protected and know exactly what you are doing

The banner ad URL is:
http://www.server2.compactbanner.com/centraladserver/media/media1.php
?p=cb&acc=h73&site=h73&activex=true&host=h73

That uses an IFRAME to call:
http://www.server2.compactbanner.com/centraladserver/media/code1.php
?p=cb&site=h73&account=h73&max=

Which uses another IFRAME to call:
http://www.server2.compactbanner.com/centraladserver/media/c1.php
?program=cb&account=h73&site=h73&code=1

Which then uses another IFRAME to call:
http://www.saybyebye.net/defaults/media/ads.php
?site=h73&nopopup=&program=cb&subsite=h73&xint=

And then there's another IFRAME calling:
http://www.saybyebye.net/defaults/media/bannerusa.php
?account=h73&program=cb&site=h73

This page has a couple of interesting bits, an affiliate link to the casino (complete with the member name):

Quote:

{a href="http://banner.prestigecasino.com/cgi-bin/redir.cgi?member=dwyeager" target=_blank}{img border="0" src="http://www.cpays.com/markettool/new_tools/prestige/English/bnr/dollar/468x60/pren46802.gif" width="468" height="60" }{/a}

And then a link to the Javascript that's trying to infect your PC: http://www.ysbweb.com/ist/scripts/ysb_prompt.php?retry=0&loadfirst=1&delayload=0&software_id=10
&account_id=1004831&recurrence=always&adid=a1136128699&event_type=onload&user_level=3

Now, ysbweb.com is run by an outfit called IST for their Yoursitebar product. To give IST some credit they do have an abuse reporting tool, although bearing in mind that they provided the script in the first place, it's probably unlikely that they'll do much.

So, compactbanner.com appears at first glance to be guilty of nothing but sloppiness. cpays.com is just some casino affiliate program (CasinoPays) who aren't really anything to do with the drive-by dowload attempt. IST are a known quantity and are just the end point.

The real perp is the saybyebye.net site. Let's look at the WHOIS data for that:

Quote:

Registrant:
Global MediaTeam
Po box 1368
granbury, TX 76048
US

Domain name: SAYBYEBYE.NET

Administrative Contact:
Yeager, Derrel support@adinfinity.com
Po box 1368
granbury, TX 76048
US
1 817 881 51 87
Technical Contact:
Yeager, Derrel support@adinfinity.com
Po box 1368
granbury, TX 76048
US
1 817 881 51 87

Cha-ching, we have a match. The name Derrel Yeager matches up with the cpays.com affiliate link and also ties in with some other outfit called adinfinity.com.

saybybye.net is running on 207.44.158.104 along with centraladserver.com and saybyebye.com...

..and this is where the penny drops..

..because centraladserver.com is part of the compactbanner.com network. So who does own compactbanner.com? Yup, Derrel Yeager and Global MediaTeam (I guess just Derrel in his bedroom). So in fact, compactbanner.com really is spreading the trojan, but it's trying to use several different layers of IFRAMEs to conceal this.

Just for the record, here are some the domains I can identify as belonging to Derrel Yeager's network:

• www.Adinfinity.com
• www.Centraladserver.com
• www.Adoptimal.com
• www.Compactbanner.com
• www.Globalmediateam.com
• www.Saybyebye.com
• www.Saybyebye.net

Looking at the Alexa stats you can see that it's a crummy no-traffic banner network that pulls in perhaps a few thousand or so uniques per day. The Alexa page for compactbanner.com has the following review (their words, not mine) that just about sums it up:

Quote:

1 of 5 stars Pure Scam,
90% of your exposures will not register and their standard pop-under ads will be riddled with pop-under codes that will overwhelm your visitors.

Stay away from these people like the plague

[Dynamoo]

Damn these guys - one of my users just got an attempted download using the WMF vulnerability from saybyebye.net. The site running the banner was samachar.com which is a sizeable Indian news portal (Alexa traffic rank 5000 or so).

It's just a shame they're based in the US.. if they were in the UK they'd be getting a visit from the police about now.

[Kellie aka Ms. B]

ISTbar is pretty well known for doing drive-by installs. And the banner thing is a pretty easy way to do it. I would think their abuse reporting page is equivalent to an unsubscribe link in a spam. It really is quite a shame, but it's the reality of the world of adware folks who'll do anything to get their crap on a computer and their 'affiliates' who will do the actual dirty work for a few pennies per install.

[Kellie aka Ms. B]

ISP's need to start pulling the plug on these guys...both the spyware/adware companies and the 'affiliate's who spread the stuff. They should at least have to fo through the hassle of setting up house all over again.

[ecomcity]

Outing the bad actors should be a rewarded exercise at ABW. The scumbag Derrel Yeager's network is just one of many set up by the cybercriminals pushing Adware, PPCSE fraud, Trojan horse virus backdoors, e-mail spammers and spyware privacy info peddling:

www.Adinfinity.com
www.Centraladserver.com
www.Adoptimal.com
www.Compactbanner.com
www.Globalmediateam.com
www.Saybyebye.com
www.Saybyebye.net

The one's also needing to get perp walks are the advertisers paying the IST group, and their ilk, to infest shoppers systems with this garbage. Posting the advertisers condoning this crap and their sleazy AM's should be a priority here in 2006.
http://www.adinfinity.com/about.html
http://www.adinfinity.com/advertisers.html

[ecomcity]

Here's a real nest of Adware/Spyware snakes infesting systems though freebee game trial and download sites. http://www.spywareguide.com/articles...sn_t__102.html


Enbrowser is the name of a company and develops "free" games as a way to distribute advertisements to the people who download them. The games are advertised as “free”. There are no references to any advertising of any kind on their download page. However under their “About us” section (http://www.enbrowser.com/about.html) we see that that they do state that downloading will result in online advertisements.

Is this just another free game on the internet that displays advertisements or is it bundled with something else? There is evidence to support the claim that these free games also install another software, some debate as a trojan, known as “PacerD”..... http://www.spywareguide.com/articles...sn_t__102.html


No where in the EULA does it even mention that information is collected from your computer, but this does not speak for the thirty-three (33) other programs installed with snackman.exe in an action called "daisy-chaining". In total, the figures for this install are as follows:

Adware – 26
Trojan – 4
Data Miner – 1
Worm – 1
Loyaltyware - 1

This is a high price to pay for a game of Snack Man..... the game character sure knows how to eat up your commissions.

Interesting read as the perps and commission thieves using this type of deceptive infestation points to plant their popup & under cookie setting crap on shoppers systems. PaymyBills and other major network merchants are one of the monitizers paying to bombard systems with crapware like this.

Here's what's possible in funding terrorists... via the BHO infestation game currently in play... http://www.spywareguide.com/articles...rroris_39.html

[Rexanne]

Quote:

Originally Posted by Dynamoo

It's just a shame they're based in the US.. if they were in the UK they'd be getting a visit from the police about now.

Yeah, the UK is a lot more civilized AND the police don't carry guns but manage to keep creeps off the streets or, in this case, out of our computers.