How the exploit works, servers and locations (confirm Explabs):
Example for mlb.com ... mlb.com – to - ad.doubleclick.net - to - newbieadguide.com - to - fixthemnow.com - this calls to safetydownload.com for the “fake” download
Example for nhl.com ... nhl.com – to - 2mdn.net -to - ad.doubleclick.net – to - adtraff.com – to -blessedads.com and prevedmarketing.com - to - malware-scan.com, for the “fake” download.
As shown above the key servers involved in particular Secure Hosting based in The Bahamas has been utilized on other occasions by RBN. It should also be noted the four specific exploit servers and their AS (Autonomous Server) are:
- AS15146 Cable Bahamas Ltd. (also AS26855 INTERNET BAHAMAS) - SECUREHOST.COM - IP range involved - 18.104.22.168/21
- AS29131 RAPIDSWITCH Ltd - London UK - IP range involved - 22.214.171.124/18
- AS33510 SETUPAHOST - Toronto Canada - IP range involved - 126.96.36.199/24
- AS41947 WEBALTA / Internet Search Company - Moscow Russia - IP range involved - 188.8.131.52/21
Each of these servers houses many other questionable and other exploit based domains within the same specific IP as those specific domains utilized within this PC hijack exploit, figure 4 – shows those domains which include 23 domains as “fake” anti-spyware or rogue software based upon the same RBN exploits as “Winfixer”, “SpySheriff”, etc.
Explabs - Wired.com - Sunbelt