
Directory traversal as a reconnaissance tool

Like most of you, I find malicious or fraudulent online advertisers annoying to say the least.

My typical response, upon receipt of rogue AV pop-ups, or redirects to clearly fraudulent sites, is to "closely scrutinize" the perpetrating site.

This effort often bears fruit as is evident in the following analysis.

My interest was recently piqued when I was made aware of a number of related sites committing abuse against a variety of brands, all quite clearly in violation of copyrights and trademarks.

This, of course, pissed me off, so...off to the races.

A poke here, a tickle there, and voila.../etc/passwd.

Screenshot (etcPasswd.png): http://3.bp.blogspot.com/_kVOWaY1TAF0/S2fZcpYTBCI/AAAAAAAAASs/FFlisZ193PQ/s1600-h/etcPasswd.png

This CentOS server, running Apache 2.2.3 (very dated, though note it is the version CentOS 5 shipped, and Red Hat backports fixes, so the banner alone does not prove an unpatched build), complete with craptastic PHP code, is a textbook lesson in how not to run a web server.

Includes, anyone? A PHP include built from a user-supplied path is the classic way a traversal like this gets in.

Screenshot (includes.png): http://4.bp.blogspot.com/_kVOWaY1TAF0/S2fbIgsI3dI/AAAAAAAAAS0/0Un4USSCDTk/s1600-h/includes.png
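To make the flaw concrete, here is an added example (not code from the site in question, whose PHP I only saw in the screenshot) of the pattern a traversable include usually boils down to, written in Python so it runs stand-alone: the naive path join next to a containment check that rejects anything escaping the include directory, and an allow-list variant. The include directory `/var/www/html/includes` and the function names are assumptions for the example.

```python
import posixpath

# Assumed include directory for this example; the real server's layout is unknown.
INCLUDE_DIR = "/var/www/html/includes"


def resolve_include_vulnerable(base_dir, user_path):
    """The pattern traversal rides on: the request parameter is glued onto the
    directory with no containment check, so '../' sequences walk out of it.
    Mirrors PHP of the form include($base . $_GET['page'])."""
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def resolve_include_safe(base_dir, user_path):
    """Normalise the joined path and insist it stays under base_dir.
    Returns the resolved path, or None when the request must be rejected."""
    base = posixpath.normpath(base_dir)
    # Embedded NULs let old PHP truncate the name (page.php%00.jpg -> page.php).
    if "\x00" in user_path:
        return None
    # An absolute component makes join() discard base_dir entirely.
    if posixpath.isabs(user_path):
        return None
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # Compare with a trailing separator so /includes2/x is not mistaken
    # for something under /includes.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def resolve_include_allowlist(base_dir, name, allowed=("header.php", "footer.php")):
    """Stronger still: map the parameter onto a fixed set of known includes
    instead of letting it name a file at all."""
    if name not in allowed:
        return None
    return posixpath.join(posixpath.normpath(base_dir), name)


if __name__ == "__main__":
    probe = "../../../../etc/passwd"
    print("vulnerable ->", resolve_include_vulnerable(INCLUDE_DIR, probe))
    print("safe       ->", resolve_include_safe(INCLUDE_DIR, probe))
    print("allowlist  ->", resolve_include_allowlist(INCLUDE_DIR, "header.php"))
```

The containment check here is purely string-level; when the path is used against a real filesystem, resolve both sides with `os.path.realpath` first so a symlink inside the include directory cannot point back out. In PHP itself, `open_basedir` is the matching defence-in-depth setting.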

What's lovely about grabbing /etc/passwd via directory traversal (file path traversal, if you prefer) is that its account list maps out every other site hosted on the same server, and with it all the additional abusive URLs in play. You'll also note more than a few culprits; running their user names through Maltego placed them in the Philippines.

A little regex parsing produced roughly 256 URLs, all pointing back to freedownloadzone.com, and all GoDaddy domains (shocking!).
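As an added example of that reconnaissance step (not the author's script; the account list and page content below are constructed for the example, not taken from the real server), here is a Python pass over an /etc/passwd in the standard seven-field format. It separates hosting accounts from system accounts by UID and home directory, then runs the kind of regex the post mentions over a captured page to tally which domains its links point back to. The UID 500 cut-off is the CentOS 5 era default for regular users.

```python
import re
from collections import Counter

# Constructed /etc/passwd in the standard 7-field format. The account names
# are invented for this example and are not the ones from the screenshot.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
dlzone01:x:500:500::/home/dlzone01:/bin/bash
dlzone02:x:501:501::/home/dlzone02:/bin/bash
helpme:x:502:502::/home/helpme:/sbin/nologin
"""


def parse_passwd(text):
    """Parse /etc/passwd lines into dicts; skip blanks, comments and malformed rows."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            continue
        accounts.append({"name": name, "uid": uid, "gid": gid,
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def hosting_accounts(accounts, min_uid=500):
    """Regular (non-system) users: CentOS 5 era systems start them at UID 500.
    Each such account with a /home directory is one more hosted site to inspect."""
    return [a for a in accounts
            if a["uid"] >= min_uid and a["home"].startswith("/home/")]


# Host part of an http(s) URL; the path is consumed but not captured.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/[^\s\"'<>]*)?")


def extract_domains(text):
    """Tally the host of every URL in text, lower-cased and with a leading
    'www.' stripped so mirrors of one site collapse together."""
    counts = Counter()
    for host in URL_RE.findall(text):
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        counts[host] += 1
    return dict(counts)


# Constructed page content standing in for a page pulled from one of the
# hosted sites; the links are made up for this example.
SAMPLE_PAGE = """
<a href="http://freedownloadzone.com/dl.php?id=1">Download</a>
<a href='http://FreeDownloadZone.com/dl.php?id=2'>Mirror</a>
<a href="http://www.helpmedownload.com/">Help</a>
<img src="http://example.com/banner.gif">
"""


if __name__ == "__main__":
    for a in hosting_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(a["name"], a["home"], a["shell"])
    print(extract_domains(SAMPLE_PAGE))
```

The home directory and login shell are the useful columns: on a shared host each /home entry is a separate customer site to look at, and a real shell on a hosting account is itself worth a note. The domain tally is what turns a pile of pages into the "all pointing back to one site" observation.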

Lesson to be learned for the bad guys: secure development practices apply to you as well, or the whitehats may come knocking.

A parting thought for freedownloadzone.com, and its shadow org, helpmedownload.com.
