NEWS FROM THE LAB - Tuesday, February 16, 2010
 

 
Flabber Ad Leads to Rogue AV
Posted by Christine @ 04:28 GMT

Paul, an avid reader of our blog, asked us to investigate flabber.nl since it led him to a Rogue-hosting website. When we initially checked it, we found nothing. Must be those geolocation-sensing ads. To solve that, Paul sent in packet logs of when he visited flabber.nl.


And soon it showed that one ad goes a long way.

+partner.googleadservices.com
++pubads.g.doubleclick.net
+++ad.bannerconnect.net
++++ad.yieldmanager.com
+++++("pharmacy" site that contains a link to a Rogue-hosting site)
++++++The Rogue-hosting site
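
An added example, not from the original post: one way to rebuild a chain like the one above from a capture is to follow each request's Referer header back to the page the user opened, then flag the first hop that leaves the expected ad hosts. It assumes every hop is loaded as a nested frame so that Referer names its parent; the request paths and the two `.example` hosts are constructed placeholders.

```python
from urllib.parse import urlsplit

# Hosts named in the post: the publisher plus the ad-serving hops.
EXPECTED = {"flabber.nl", "partner.googleadservices.com",
            "pubads.g.doubleclick.net", "ad.bannerconnect.net",
            "ad.yieldmanager.com"}

# Constructed sample of (request URL, Referer) pairs. Paths are made up and
# the two .example hosts stand in for the sites the post leaves unnamed.
REQUESTS = [
    ("http://flabber.nl/", None),
    ("http://partner.googleadservices.com/frame", "http://flabber.nl/"),
    ("http://pubads.g.doubleclick.net/frame", "http://partner.googleadservices.com/frame"),
    ("http://ad.bannerconnect.net/frame", "http://pubads.g.doubleclick.net/frame"),
    ("http://ad.yieldmanager.com/frame", "http://ad.bannerconnect.net/frame"),
    ("http://pharmacy-site.example/", "http://ad.yieldmanager.com/frame"),
    ("http://pharmacy-site.example/logo.png", "http://pharmacy-site.example/"),
    ("http://rogue-av.example/scan", "http://pharmacy-site.example/"),
]

def host(url):
    return urlsplit(url).hostname if url else None

def chain_to(requests, leaf):
    """Walk Referer links back from `leaf` to the page the user opened."""
    parents = {}
    for url, referer in requests:
        child, parent = host(url), host(referer)
        if child != parent:                      # ignore same-site subresources
            parents.setdefault(child, parent)    # keep the first referrer seen
    chain = []
    while leaf is not None and leaf not in chain:   # stop at root or on a loop
        chain.append(leaf)
        leaf = parents.get(leaf)
    return chain[::-1]

def first_unexpected(chain, expected=EXPECTED):
    """First hop outside the expected hosts, paired with the host that sent it."""
    for prev, cur in zip(chain, chain[1:]):
        if cur not in expected:
            return prev, cur
    return None

def render(chain):
    return "\n".join("+" * depth + h for depth, h in enumerate(chain))

if __name__ == "__main__":
    chain = chain_to(REQUESTS, "rogue-av.example")
    print(render(chain), first_unexpected(chain), sep="\n")
```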

From googleadservices to yieldmanager.com, it all looks like normal ad traffic. Then, an ad reference from yieldmanager.com sends it downhill to a "pharmacy" website, then to…


And when you leave, well, the Rogue website reminds you to come back.


The latest Rogue AV hosted here is already detected in our latest databases and parties were already being notified to shut down the offending websites and contact flabber.nl.

Updated to add: Flabber.nl has been very quick and vigilant in removing the offending ad and has already cleaned up their site. Thank you for the immediate action, guys.