There is some confusion involving the orange Flash ad. So we’ve decided to spend a lot of time and explain to our visitors how it started and what is going on from the beginning. And they can make their own conclusions.
In mid-December 2007, we started seeing something different on our websites. First, we saw white-yellow Flash ads (a young man in it) that are related to MP3 music. We then started seeing an orange horizontal Flash ad (728 x 90 pixels). When this orange Flash ad started appearing, we also started experiencing something unpleasant on our websites. Involuntary redirection to Malware Alarm's website (malware-scan.com)… There was always this orange Flash ad running at our website before and after the involuntary redirection. It's not like we have something against the individual or company who ran this particular Flash ad. Inevitably, we came to believe that this orange Flash ad was used as a medium to redirect us and our visitors to the malware scan website.
Some of our visitors may not have seen either white-yellow or orange Flash ad. That’s because many ad companies control their ads such that they will appear depending on some factors including geographical locations.
Finding the ad company
At first, we at MacHouse had to find out which ad company was responsible for the orange Flash ad. That was not so easy. And let me explain why. Our primary suspect was AdBrite. Allow me to say at first that they aren't really involved in this mystery. Screenshot 01 shows their ad system. A publisher is allowed to control which ad to approve and which to reject. As AdBrite was our primary suspect, we simply had to find the orange Flash ad under Approved Ads. I personally spent about 40 minutes trying to find it. But it's not there. So it turned out that AdBrite was a good guy. And we are sorry to bring up AdBrite's name.
For us, there was no other suspect. It was possible that another ad company Canep Media brought this orange Flash ad to our system. But Canep Media is always good to us. They are polite and respond to our questions promptly. Canep Media is one of the 3 dozen ad companies trading rich media campaigns at AdECN. And AdBrite is also a seat holder at AdECN, I suppose.
Anyway, let me explain why it could be Canep Media. Screenshot 02 shows AdBrite's system again. Under the Pricing Options tab, we can decide what to display when there is no ad company willing to display an ad at our websites. We are allowed to inject an ad code from another advertising system. This ad campaign is configured such that an ad brought by Canep Media will be displayed at our websites when AdBrite has no advertisers for us. By the way, the ad code says adecn.com. Canep Media acts as a broker. So the actual ad will come from AdECN. There is no particular name, so let's call this ad from AdECN/Canep Media an escape ad. And we can also designate an escape ad when Canep Media cannot find any advertisers for us. That's why finding the ad company responsible for the orange Flash ad might not be so easy.
Okay. So far, we have assumed that Dot.Tunes’ orange Flash ad is used as a medium for the involuntary redirection to Malware Alarm. The next step that we had to take is to remove all ads and put just one ad with an ad code from AdECN/Canep Media. And we showed a documentation video under the article of January 1.
This video shows that I had no ads (blank files) at first and then that Dot.Tunes’ orange ad appeared and I was redirected to Malware Alarm’s spam website when an ad code from AdECN/Canep Media was injected. No matter how many times we visited our own websites, we only saw this orange ad.
How sure are we that Dot.Tunes' orange Flash ad is responsible for the redirection? Well, it's not exactly their Flash ad that is in question. First, let me mention that there are a couple of possible exploitation types. One is SQL injection and the other is iframe injection. Our suspicion goes to the latter. SQL injection is not the case here because the involuntary redirection occurs even at http://www.mhvt.net/index.php, where no database is used. SQL injection works such that an exploiter injects malicious code directly into a database. How about the latter? We don't use iframes. And we checked several web pages where the redirection had occurred and didn't find an iframe code. I'm not terribly sure, but one can be redirected with a simple code like http://xxx.xxx.xxx.xxx/iframe/file.php, where xxx.xxx.xxx.xxx is just the IP address of the destination.
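The check described above (looking through served pages for an injected iframe or other redirect vector) can be automated. The scanner below is an added example, not MacHouse's own tooling; the sample HTML, the trusted-host list and the redirect-target.invalid placeholder are constructed for illustration, and the scanner only inspects the HTML a server returns, so it cannot see anything a Flash ad fetches at runtime.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not MacHouse's tooling: flag the redirect vectors the article weighs
# (injected iframes, meta refreshes, script location assignments) in served HTML.
class RedirectVectorScanner(HTMLParser):
    LOCATION_RE = re.compile(r"(?:window|document|top|self)?\.?\blocation(?:\.href)?\s*=\s*['\"]([^'\"]+)")

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, destination URL)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            self.findings.append(("hidden-iframe" if hidden else "iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://..."; keep only the URL part
            self.findings.append(("meta-refresh", a.get("content", "").split("url=", 1)[-1].strip()))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in self.LOCATION_RE.finditer(data):
                self.findings.append(("script-redirect", m.group(1)))

def scan_page(html, trusted_hosts):
    """Return findings whose destination host is not a known ad partner."""
    parser = RedirectVectorScanner()
    parser.feed(html)
    def trusted(url):
        host = urlparse(url).hostname or ""
        return any(host == t or host.endswith("." + t) for t in trusted_hosts)
    return [f for f in parser.findings if not trusted(f[1])]

# Constructed sample: one ad-partner iframe (trusted) plus three injected vectors.
SAMPLE_HTML = """<html><body><iframe src="http://ads.adbrite.com/slot" width="728" height="90"></iframe>
<iframe src="http://xxx.xxx.xxx.xxx/iframe/file.php" width="1" height="1"></iframe>
<meta http-equiv="refresh" content="0;url=http://redirect-target.invalid/">
<script>window.location.href = "http://redirect-target.invalid/scan";</script></body></html>"""
TRUSTED = {"adbrite.com", "adecn.com"}
```

Running scan_page(SAMPLE_HTML, TRUSTED) reports the 1x1 iframe, the meta refresh and the script redirect, while the 728x90 ad-partner iframe is filtered out.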
It’s also possible that the iframe injection is used before the orange Flash ad reaches our system. Or any exploitation type may be used before the ad is actually delivered to our system. Let’s take a look at the diagram below.
At the end of December, we contacted Canep Media so that they could investigate our claim that the orange Flash ad from DotTunes was responsible for the redirection. We contacted Canep Media because we didn’t and still don’t know how the Flash ad was relayed and finally reached us. We don’t know the first ad company. It’s shown as AD1 in the diagram. We don’t know how many companies are involved in the trade. There could be more than AD1 and AD3. It’s been 10 days since we first contacted Canep Media. But they haven’t told us anything. I don’t even know if they are investigating our claim. So we don’t know where a malicious code is injected as we don’t even know who AD1 is.
However, whether DotTunes is happy or not, our hypothesis that Dot.Tunes' orange Flash ad is used as a medium for the involuntary redirection to Malware Alarm is true. The screenshots presented in the article of January 5 show that I was redirected to a totally different website, and the orange Flash ad was there. (Pay attention to the status bar.) The second documentation video presented in an article of January 6 shows the same. Their orange ad is there.
Whose Flash ad is it?
We honestly believed that the orange Flash ad in question belongs to Dot.Tunes. But we aren’t sure if that’s the case any more. Although we have no direct business with Dot.Tunes, I personally sent an e-mail message to them. It took them several days to get back to me. You can see the screenshots of the exact messages below, but let me summarize our communication.
In fact, it doesn't matter at which website you click on the orange Flash ad. If you find the same Flash ad somewhere else and click on it, you can be redirected to Dot.Tunes' website with this ID. We know it because we tested it on our own website with an ad code from AdECN/Canep Media. We confirmed that the ID is the same. It's Q76123.
As we noted in our January 1 article, our immediate interest is in showing that there is injury. That is, we wanted to show that Dot.Tunes' Flash ad has been used to redirect visitors arriving at MHVT.NET/MHOUSE-J.COM to Malware Alarm's malware website. Because our documentation videos consistently support the hypothesis that the redirection mechanism is triggered somehow only in the presence of Dot.Tunes' Flash ad, we have concluded that Dot.Tunes' Flash ad is used as a medium for the redirection. A temporary remedy to stop this involuntary redirection exists to our knowledge. By removing the ad code from AdECN/Canep Media and eliminating the possibility of displaying Dot.Tunes' Flash ad, no Internet visitor to MacHouse's websites has been redirected to Malware Alarm's malware scan website against their will.
We are not particularly interested in knowing how injury occurs. That is, it was not our immediate concern to find out how the redirection mechanism works or where a malicious redirection code is injected. MacHouse has never stated that Dot.Tunes or AdECN/Canep Media is responsible for the injection of a malicious redirection code, if there exists such a code. MacHouse is not an acting authority of any kind. Therefore, it is not our responsibility to find out how the redirection mechanism exactly works and who is ultimately responsible.
Furthermore, MacHouse has informed all concerned parties including Dot.Tunes, Canep Media and youhide.com or Certified Nerds LLC in a timely manner. Therefore, our responsibility ended at this point.
In the meantime, I don’t know how they have cooperated so far (See Screenshot 08.), but if they want to cooperate in finding out how this involuntary redirection works, answering the following three questions would help. Of course, they don’t have to.
- Who is your ad company (AD1)?
- Do you have a referral program?
- What does Q76123 stand for?
Finally, let me stress that there are a lot of innocent people involved. According to Quantcast, Malware Alarm (malware-scan.com) gets 2.8 million unique visitors per month! Some of them are buying their malware and then end up buying another malware-removal application to remove Malware Alarm's scrap program. For us, our journey is over. We have removed the ad code from AdECN/Canep Media. So our visitors won't be redirected to Malware Alarm's spam website for the time being. In the meantime, we are looking forward to seeing a big event around January 16. Hopefully, we will see a big change.