adnet.media.*.com domains - NEW TITLE

[eoin.miller]

This has been tossed over to US-CERT, dsheild/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.

[SysAdMini]

Someone sent us this url by contact form.

Code: [Select]

http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc
url format looks exactly like the one from adnet.media.roxantb.com. I don't see any redirection to malwareurl.
Obfuscated code contains a link to bestwestern.com.

[SysAdMini]

also reported today

Code: [Select]

adnet.media.prananc.com/b/jx/cd/?rq=103193&sid=215411720&m=714&tn=4&d=s&ct=1&t=s
adnet.media.ditent.com/bn/j/cd/?rq=104192&sid=9472394&m=514&tn=7&d=s&ct=1&t=s

[eoin.miller]

Someone sent us this url by contact form.

Code: [Select]

http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc
url format looks exactly like the one from adnet.media.roxantb.com. I don't see any redirection to malwareurl.
Obfuscated code contains a link to bestwestern.com.

Domain is definately malicious and actively being seen on our network. I've seen it not include the malicious URL's sometimes, not sure why really. Obfuscated javascript leads client to the following exploit kit URL's in order in the sample we have looked at:

http://phicruss.com/cust.php?n=cust2
http://bbnhs.com/c/index.php

JS Unpack Report for URL http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc:
http://jsunpack.jeek.org/dec/go?report=b39fc1948d85cbd5b96bee1ee078ea2b432bbe59

They flipped to the 178.162.133.0/24 netblock on 5-14-10 @15:00 UTC. Luckily this is only for the advertising server hosting the javascript that is redirecting. The domains still being served up currently go to the other previously mentioned netblocks (188.72.192.0/24, 194.8.250.0/24). Most advertising now seems to be referred by Yahoo! web mail services. hooray.

[Kimberly]

This has been tossed over to US-CERT, dsheild/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.

Correction: US-CERT & SANS and Dshield. MS still has nothing and they are the only ones who can do something about it.

Most advertising now seems to be referred by Yahoo! web mail services. hooray

Yeah, so what about those victims? Got any PCAP's of going through Yahoo as I have contacts in every advertising network and that way faster than SANS (it's not even their business).

Imagine how many more people have been infected because you send stuff to the wrong people ?

[eoin.miller]

This has been tossed over to US-CERT, dsheild/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.

Correction: US-CERT & SANS and Dshield. MS still has nothing and they are the only ones who can do something about it.

Most advertising now seems to be referred by Yahoo! web mail services. hooray

Yeah, so what about those victims? Got any PCAP's of going through Yahoo as I have contacts in every advertising network and that way faster than SANS (it's not even their business).

Imagine how many more people have been infected because you send stuff to the wrong people ?

The handlers at these various organizations told me they are disseminating the information appropriately to the correct places. If you wish to furnish me with direct contacts at any of these organizations, I will talk to them directly about it and provide any information I have to help stop it. I do not send out PCAP's of my clients data to unknown sources via web forums, even after I have taken the time to sanitize them. This isn't my first rodeo.

And FYI, SANS is part of the co-op that is DShield.

http://www.dshield.org/
http://isc.sans.org/

Look similiar?

[eoin.miller]

FYI, this is still running pretty rampant, watching people get referred from sites like open.ad.yieldmanager.net:

HTTP/1.1 200 OK
Date: Mon, 24 May 2010 14:43:12 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV T
AI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI
PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Connection: close
Transfer-Encoding: chunked
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 10536
(function(){

var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<!-- SpaceID=2022775850 loc=AP37 noad -->\u000a<img style=\"display:none\"
 width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=ae0af71a-6742-11df-bf
5f-bf408f606688&T=19d2poc7s%2fX%3d1274712193%2fE%3d2022775850%2fR%3dncnws%2fK%3d5
%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d2921782211%2fH%3dYWx0c3BpZD0iOTY3MjgzMT
UxIiBzZXJ2ZUlkPSJhZTBhZjcxYS02NzQyLTExZGYtYmY1Zi1iZjQwOGY2MDY2ODgiIHNpdGVJZD0iODI
4NTUxIiB0U3RtcD0iMTI3NDcxMjE5Mjk4NTUwMiIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d
1%2fJ%3d29558862&U=128h7uej0%2fN%3djLRSIkwNiZE-%2fC%3d-1%2fD%3dAP37%2fB%3d-1%2fV%
3d5\"><script>// no ads\u000a</script><!--flv has invalid value--><!--rTg has inv
alid value--><!--rTg has invalid value--><!--XCH|ae0af71a-6742-11df-bf5f-bf408f60
6688--><!--fac9.cl1.ads.adx.ac4.yahoo.com-->",
 "type":"text/html",
 "id":"0",
 "size":["160x90"],
 "slug":false,
 "secure":false},
{"ad":"<script language=\"javascript\" src=\"hXXp://adnet.media.unwited.com/cr/j/
cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc\">\u000d\u000d</script>\u0
00d\u000d<noscript>\u000d\u000d<a href=\"http://us.ard.yahoo.com/SIG=15vmvpbvl/M=
600742873.600772841.409311541.408347572/D=ncnws/S=2022775850:N/Y=PARTNER_US/L=ae0
af71a-6742-11df-bf5f-bf408f606688/B=j7RSIkwNiZE-/J=1274712193000950/K=33yOa_MgRUm
ArzkSIRRKYQ/EXP=1274719393/A=1757979682871089560/R=0/X=2/SIG=12t964gb2/*http://ad
net.media.unwited.com/cr/j/clk/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=s
c\" target=\"_top\">\u000d\u000d<img src=\"http://adnet.media.unwited.com/cr/j/vi
ew/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc\" width=728 height=90 bord
er=0>\u000d\u000d</a>\u000d\u000d</noscript><img style=\"display:none\" width=0 h
eight=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=ae0af71a-6742-11df-bf5f-bf408f6
06688&T=19c202ntl%2fX%3d1274712193%2fE%3d2022775850%2fR%3dncnws%2fK%3d5%2fV%3d8.1
%2fW%3d0%2fY%3dPARTNER_US%2fF%3d293944772%2fH%3dYWx0c3BpZD0iOTY3MjgzMTUxIiBzZXJ2Z
UlkPSJhZTBhZjcxYS02NzQyLTExZGYtYmY1Zi1iZjQwOGY2MDY2ODgiIHNpdGVJZD0iODI4NTUxIiB0U3
RtcD0iMTI3NDcxMjE5Mjk4NTUwMiIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d295
58862&U=13raiokei%2fN%3dj7RSIkwNiZE-%2fC%3d600742873.600772841.409311541.40834757
2%2fD%3dN%2fB%3d1757979682871089560%2fV%3d2\"><!--flv has invalid value--><!--rTg
 has invalid value--><!--rTg has invalid value--><!--MME--><!--TRK:a:175797968287
1089560,m:600742873.600772841.409311541.408347572-->",
 "type":"text/html",
 "id":"1",
 "size":["728x90"],
 "slug":false,
 "secure":false},

[eoin.miller]

nertonic.com

Drive by:
http://nertonic.com/9bc16b427vc52/

PDF:
http://nertonic.com/657fs76fg87vc9/840099943
http://wepawet.iseclab.org/view.php?hash=744420e7136af84acdcbb12dd970b188&type=js

Java:
http://nertonic.com/657fs76fg87vc9/B0.php


Payload:
http://nertonic.com//657fs76fg87vc9/6875643787820
Detected as Win32/Fainli.A by Microsoft Security Essentials


Check-in post infection:
antispyware-scan.com
antispyware-scan.net



Getting referred to by ad.doubleclick.net

[Moore]

FYI, this is still running pretty rampant

Because you still can't be bothered to send the details to the right people that's what happens rodeo guy.

YOU could have helped to stop this a lot earlier, instead you just want to keep playing your little games.

[Kimberly]

FYI, I know that Dshield is part of SANS and FYI we got their blocklist available for download at Bluetack.

Microsoft still has NO information from SANS or Dshield, as reported by my contacts at AdCenter / Traffic Quality Team. Just FYI, they found several other malvertisement campaigns even with the few details I was able to provide because you wanted to play the smart way.
http://stopmalvertising.com/malvertisements/alert-new-curves-malvertisement

And NO, I don't hand out my contacts from Microsoft AdCenter, Yahoo or Google / Doubleclick to rodeo kids.

You had the elements in hand to stop these campaigns but they are still running and even more malvertisement domains have been discovered.
http://msmvps.com/blogs/spywaresucks/archive/2010/05/30/1770473.aspx

Happy now ?

[Kimberly]

I've alerted my contact at Yahoo about the adnet.media.unwited.com incident. Which site is that malvertisement displayed or is that again top secret too?

[Kimberly]

Yahoo, without any pertinent information again, took out 3 malvertisements. There might be more ....

[eoin.miller]

And NO, I don't hand out my contacts from Microsoft AdCenter, Yahoo or Google / Doubleclick to rodeo kids.

Good for you, then keep helping the bad guys out.

Additionally if you have nothing to actually contribute to the thread that is pertinent, it is best to stay out of it.

Yahoo, without any pertinent information again, took out 3 malvertisements. There might be more ....

Then they obviously haven't taken any time to read what I post in public or bothered to contact me. I've got a bunch more, but I think I'll stop publishing that we find it and keep it to ourselves.

[Kimberly]

For over the last 4-5 years I've spend most of my time if not all on reporting malware.

Actually FYI, Yahoo / Right Media took out more since my last post as I have been continously in contact with the incident team. I have the exact number of incidents which I can't disclose in public unfortunately.

Good for you, then keep helping the bad guys out.

Yeah, sure .... that's exactly what you're doing by sending the information to the wrong people and blaming me for it. Keep doing what you do and we'll see how fast something gets pulled out of an ads network.

We see guys like you all the time ... showboat poney's ...

[eoin.miller]

For over the last 4-5 years I've spend most of my time if not all on reporting malware.

And maybe in those multiple years you would realize that shoving copies of PCAPs around to random people on web forums can lead to termination and prosecution for violating all the security controls we have to comply with under FISMA. I'm not sending you my clients pcaps regardless, so stop asking.