Zbot/Dorkbot malvertising

Found by Jérôme Segura (Malwarebytes) yesterday : https://twitter.com/jeromesegura/status/423180548236771328

directrev.com is 121 @ Alexa, so it’s probably big : http://www.alexa.com/siteinfo/directrev.com


Able to reproduce it from http://www.elivetv .in

http://ad.directrev.com/RealMedia/ads/adstream_sx.ads/S0002289/126642279083300710@x10?uln=en-US
http://www.klixfeed.com/re.php?mid=152d6395bcb0ad&m=aHR0cDovL3d3dy5ib3hzZWFyY2gubmV0L2ZpbHRlci5waHA=&tu=79110 (108.170.34.11)
http://www.boxsearch.net/filter.php?mid=[..]&tu=79110
http://www.boxsearch.net/go.php?mid=[..]=79110 – 0 @ VT
http://addirekt.com/?id=klix (5.45.74.44)
then Angler Exploit Kit : http://y02ks.lucirabydeva.com/fyt9iimg9y?thread=143&key=[..]

I think boxsearch.net and addirekt.com are owned by bad guys.
klixfeed.com, I don't know, but the whois is hidden, so suspicious.

 


binary is Zbot / Citadel :
http://malwaredb.malekal.com/index.php?hash=8a0c95be8a40ae5419f7d97bb3e91b2b
https://www.virustotal.com/fr/file/b04637c11c63dd5a4a599d7104f0c5880717b5d5b32e0104de5a416963f06118/analysis/1389771250/

SHA256 : b04637c11c63dd5a4a599d7104f0c5880717b5d5b32e0104de5a416963f06118
Nom du fichier : 0502.dll
Ratio de détection : 3 / 48
Date d'analyse : 2014-01-15 07:34:10 UTC (il y a 14 minutes)

Antivirus          Résultat                                        Mise à jour
ESET-NOD32         Win32/Spy.Zbot.AAQ                              20140115
Malwarebytes       Trojan.SFXAD.EDGen                              20140115
McAfee-GW-Edition  Heuristic.BehavesLike.Win32.Suspicious-BAY.G    20140115

Will try to get it pulled.

EDIT –

On this French forum topic, someone claims to have got a Browlock redirection from a streaming website : http://www.commentcamarche.net/forum/affich-29508135-solution-simple-pour-virus-amende-100

from this kind of ads :


Got a malvertising from 4dsply.com :

http://ad.vuiads.org/showads.php?id=125&porn=0&title=WawaFilm.OrgThe.Wolverine.2013.TS.FRENCH.LD.XViD73v3n.avi
http://cdn.engine.4dsply.com/Scripts/infinity.js.aspx?guid=d43a20e1-cbd9-4330-86c3-abfc19350930
http://engine.4dsply.com/Tag.engine?id=d43a20e1-cbd9-4330-86c3-abfc19350930&rand=0.1535698646365256&ver=async&time=300&referrerUrl=&fingerPrint=1425431180
http://ad.velmedia.net/ads.php?id=369&title=WawaFilm.OrgThe.Wolverine.2013.TS.FRENCH.LD.XViD73v3n.avi
http://creative.m2pub.com/matomy/scripts/smart/smart.js
http://engine.4dsply.com/fastpopunder.engine?id=d43a20e1-cbd9-4330-86c3-abfc19350930&rand=0.6455719399989015&ver=async&time=300&referrerUrl=
http://engine.4dsply.com/Redirect.engine?PlacementId=8049&MediaId=7477&PoolId=62&SiteId=19&ZoneId=24&Country=France&PerformanceTest=&Bid=2.35&MaxBid=2.5
http://cavanza.info/click.php
http://cavanza.info/click.php?sc=87a44ce1e1ce91c91c5b10bff6bda9b6&ssname=1389786275870501
http://cavanza.info/search.php?username=index&query=target+marketing+systems+40+inch+drop+l4af+table
http://cavanza.info/style.css
http://cavanza.info/re.php?href=aHR0cDovL3d3dy5ib3hzZWFyY2gubmV0L3JlLnBocD9taWQ9MTUyZDY3NGE0NmVlNDQmdHU9NjAyMTE%3D

http://www.boxsearch.net/re.php?mid=152d674a46ee44&tu=60211
http://www.boxsearch.net/go.php?mid=152d674a46ee44&tu=60211
http://eu.hak.su/
http://gamesbest7.net/eu.php
http://cl2zaei6.bronzehairdresser.pw/e342d5Y72fe_ddb_39-c63b1e7Jfac-59-5_8_8-2_1/11/6ee319ae296e3aa6023cb71182ac027f.html

Exploit kit :

http://cl2zaei6.bronzehairdresser.pw/e-34_2d5E72-fed_db-39c_63_b1e7Vfa-c-59588G21K/11/6ee319ae296e3aa6023cb71182ac027f.html
http://cl2zaei6.bronzehairdresser.pw/1823020209/1389764760.jar
http://cl2zaei6.bronzehairdresser.pw/f/1389764760/1823020209/2
http://cl2zaei6.bronzehairdresser.pw/f/1389764760/1823020209/2/2
http://cl2zaei6.bronzehairdresser.pw/1823020209/1389764760.htm

As you can see, www.boxsearch.net is there again.

Only one detection, DorkBot according to Malwarebytes :

https://www.virustotal.com/fr/file/92e892bbf7753439c3a0b853ab31655415fc8f1e655536fff6537a827488fcc1/analysis/1389786692/

http://malwaredb.malekal.com/index.php?hash=172f27e726d294bec002afebe4e99cd2

The use of .pw and Dorkbot makes me think of the malvertising in this thread (December 21 edit) : http://www.malekal.com/2013/12/08/malvertising-on-clicksor-via-rapid8-com/

EDIT – January 17

While taking a look with @MalwareMustDie and @mak, I came across this : Clicksor redirects to goo.gl/jNQkjO, which redirects to klixfeed.com


Loading the goo.gl link directly gives malicious content :

http://goo.gl/jNQkjO
http://91.230.205.15/css/look7.php
http://yqoky38q.bikegeneral.pw/cf_2-cB5Z09_f7afb_d4-7_8b1_8cRfd_6_8_ac_6_f6a3e.html

The statistics for goo.gl are impressive.
Already blogged about it in the December 21 edit : http://www.malekal.com/2013/12/08/malvertising-on-clicksor-via-rapid8-com/

We came across different redirectors, depending on the country :

http://dede.hak.su/
http://usa2.wen[.]ru/ 
http://new229[.]com/eu.php

It always comes from :

http://www.klixfeed.com/re.php – 6k at Alexa
http://www.boxsearch.net – 14k at Alexa

Noticed two different usernames :

http://www.klixfeed.com/popupads.php?link=true&username=12345678
http://www.klixfeed.com/popupads.php?link=true&username=r2k1984

Time to contact klixfeed!

EDIT – January 18

still active from AdSupply – moved from http://cavanza.info/click.php to http://xiokita.info/click.php
http://engine.4dsply.com/Redirect.engine?PlacementId=8049&MediaId=8003&PoolId=62&SiteId=19&ZoneId=24&Country=France&PerformanceTest=&Bid=2.35&MaxBid=2.5
http://xiokita.info/click.php
http://xiokita.info/click.php?sc=33e821c522a689ef952edf79f2917068&ssname=1390038688434047
http://xiokita.info/search.php?username=index&query=target+marketing+systems+40+inch+drop+lea+table
http://xiokita.info/re.php?href=aHR0cDovL3d3dy5ib3hzZWFyY2gubmV0L3JlLnBocD9taWQ9MTUyZGE0ZWEwOTBhNWMmdHU9NzkwNQ%3D%3D
http://www.boxsearch.net/re.php?mid=152da4ea090a5c&tu=7905
http://www.boxsearch.net/go.php?mid=152da4ea090a5c&tu=7905

redirector :
http://eu2.wen.ru/
http://new229.com/eu.php

Exploit kit :
http://ietanaya.glottems.com:8000/nenevivhxpl?smekyuluh=3292328
http://ietanaya.glottems.com:8000/xbsbmoclrv.js
http://ietanaya.glottems.com:8000/bhymthz
http://ietanaya.glottems.com:8000/emwsf
http://ietanaya.glottems.com:8000/htddbsepwn?tkxzed=rsyyetr

xiokita.info

again www.boxsearch.net

108.170.34.11 / 108.170.34.10 seem to be owned by bad guys.
www.boxsearch.net has address 108.170.34.11
cavanza.info has address 108.170.34.10
geek2us.net has address 108.170.34.10 <= fake Ads company there.
xiokita.info has address 108.170.34.10 

EDIT January 20

Got a redirection to Browlock Ransomware.
http://www.klixfeed.com/popupads.php?link=true&username=1000&sid=354&cap=0&type=1&open=1
http://www.boxsearch.net/filter.php?mid=152dce13f97f72&tu=75898

http://adserving.grandclix.com/newServing/go.php?[…] (199.21.148.108)
http://adserving.grandclix.com/newServing/go.php?[…]

http://meetingwebcams.com/ (31.184.224.140) – 0 @ VT https://www.virustotal.com/fr/url/ff81b1958c19d82dca4fec34ed9c941800ca8a9b34fa970f81940fd9ca830445/analysis/1390208533/
http://meetingwebcams.com/images_003/script.js
http://meetingwebcams.com/images_003/style.css
http://meetingwebcams.com/a4ebe34eb2fc5fc6253715679fbc73f3_stat.js

http://ndytjyj.k12grantwriters.net/interpol/[…]


Russian stuff :

Domain Name: GRANDCLIX.COM
Registrar: NAME.COM, INC.
Whois Server: whois.name.com
Referral URL: http://www.name.com
Name Server: NS1.DATAH2.BIZ
Name Server: NS2.DATAH2.BIZ
Status: clientTransferProhibited
Updated Date: 06-oct-2013
Creation Date: 26-apr-2012
Expiration Date: 26-apr-2014

Admin Name: Mark Bonin
Admin Organization: iCHAMP LLC
Admin Street: 51, 15 Orshanskaya
Admin City: Smolensk
Admin State/Province: Smolensk
Admin Postal Code: 214000
Admin Country: RU
Admin Phone: +7.9002195140
Admin Fax: +7.9002195140
Admin Email: mbcd@rocketmail.com


EDIT January 21

on popads.net – this time :

http://serve.popads.net/servePopunder.php?cid=57973&m=271,765.8999633789062,84,1840,118,319,846.8999633789062,26,4,9,20,79,971,514,979,600&s=1024,768,1,1024,768
http://serve.popads.net/popOut.php?c=00000001000&a=1921652765&ac=334466958464887

http://www.klixfeed.com/popupads.php?link=true&username=0122&sid=12&cap=0&type=1&open=1
http://www.klixfeed.com/re.php?mid=152de35e3b5db2&m=aHR0cDovL3d3dy5ib3hzZWFyY2gubmV0L2ZpbHRlci5waHA=&tu=74804
http://www.boxsearch.net/filter.php?mid=152de35e3b5db2&tu=74804
http://www.boxsearch.net/go.php?mid=152de35e3b5db2&tu=74804

Redirector :

http://kasimov.kan.su/
http://dddkb.com/usa.php

Then Exploit Kit :

http://x8amqvsu.joggerdirector.pw/0C08fL2If6I2Xf9-6-fU8659a-bfde-5113_244d4S59/40/f1e86bed19d01aecb2eae414f6bee79b.html
http://x8amqvsu.joggerdirector.pw/1327165053/1390272960.jar
http://x8amqvsu.joggerdirector.pw/f/1390272960/1327165053/2
http://x8amqvsu.joggerdirector.pw/1327165053/1390272960.htm
http://x8amqvsu.joggerdirector.pw/f/1390272960/1327165053/2/2


EDIT January 21

OK now, time to switch to cpxcenter to get it removed.

http://ads.cpxcenter.com/cpxcenter/dpop.php?nid=4&pid=17444&sid=17506&zone=21728&durl=ubermakedonichen.over-blog.com&subid=&opt1=&opt2=
http://goo.gl/jNQkjO

http://www.klixfeed.com/popupads.php?link=true&username=r2k1984&sid=496&cap=0&type=1&open=1%E2%80%8F
http://www.klixfeed.com/re.php?mid=152def07b163e7&m=aHR0cDovL3d3dy5ib3hzZWFyY2gubmV0L2ZpbHRlci5waHA=&tu=54626

http://www.boxsearch.net/filter.php?mid=152def07b163e7&tu=54626
http://www.boxsearch.net/go.php?mid=152def07b163e7&tu=54626

http://milfsindablack.net/ – 0 @ VT https://www.virustotal.com/fr/url/fb5eebc8cbe056c29f0249d66ba1914e666d338f5066f90e588561c1ee5cde22/analysis/1390342536/

http://1a5bdef.5cdb.73030.868f.61a9d7.d3a520.plbkzjtrrj.onesplacing.pw/?196b7c7f7b76616a7c786b7a7137777c6d


EDIT January 23

Playing with SWF redirector ?

http://ad.directrev.com/RealMedia/ads/adstream_sx.ads/S0001308/126264085875391140@x10?uln=DE

Malvert :
http://camspot .ws/ (62.212.73.98)
http://promo.angels-promotions.ro/file .swf (62.212.73.98)
http://promo.angels-promotions.ro/file .swf
http://3d.stationmap.com .my/ (62.212.73.98)

Rotator :
http://2rush.bwmeule.co .za/?555 (46.246.126.149)
http://2rush.bwmeule.co .za/?555

Then Exploit Kit :
http://9d9.8d5e.80438d2.412f.0886.9cc90f.f8fe.ykpycakz.growingtell .pw/
http://9d9.8d5e.80438d2.412f.0886.9cc90f.f8fe.ykpycakz.growingtell .pw/8703_7b/b_c9f_3_b/f2/d4869/5/dbbebfa_de1b0/ac_458/a_25_cda3_7_7/adf3/25e_54/55795c/7_34

Already seen this code in Urausy or Reveton malvertising.

EDIT – January 23

Case closed, all the malvertising has been pulled.
Finally I got a reply from klixfeed and they claim to have cleaned everything.

EDIT – January 31

Well, got a funny malvertising (or hack) from OpenDNS's website-not-available page.
I blog it here because it's a Nuclear Exploit Kit at the end, but I'm not sure it's a Zbot, the PE seems damaged/buggy : https://www.virustotal.com/fr/url/2217a4d3ecce456ea2c451359e6e5a108224dcd9e682b67d4cb6b54abee85b8a/analysis/1391168550/

http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=9037/15225&geo=eu&co=de
http://ads.heias.com/x/heias.match/?dpid=152&uid=RUBICON_USER_ID
http://ads.heias.com/x/heias.TAG.v2.0/tag.php?H_VAR=h_ref|;|http%3A%2F%2Fwww.opendns.com%2F[..]
http://ad2.adfarm1.adition.com/js?wp_id=2502427&kid=359183&keyword=publisher&ts=1935635207336141500&clickurl=[..]
http://ad2.adfarm1.adition.com/banner?sid=2502427&adjsver=3&co=1&fvers=10&iframe=0&ref=[..]
http://ad.123-template.com/www/delivery/ajs.php?zoneid=4&cb=40468151097&charset=utf-8&loc=[..]

http://spring.freeconcealedcarrymagazine.com/scripts/js/core.js?ver=3.71.2396 (67.215.65.132) – 1 @ VT https://www.virustotal.com/fr/url/2217a4d3ecce456ea2c451359e6e5a108224dcd9e682b67d4cb6b54abee85b8a/analysis/1391168550/

http://zcrnm8.goalmedal.pw/dN6-8f3bfead-77f4f8M44-c24-ea4ab_bQ1-c_f57.html
http://zcrnm8.goalmedal.pw/4030722763/1391145360.jar
http://zcrnm8.goalmedal.pw/4030722763/1391145360.htm
http://zcrnm8.goalmedal.pw/f/1391145360/4030722763/2
http://zcrnm8.goalmedal.pw/f/1391145360/4030722763/2/2

Then OpenX at ad.123-template.com is 2.8.8 – so very old, with many vulnerabilities.
Could be a hack.
This campaign seems to target Germany.


EDIT –

Confirmed it's a Zbot : http://malwaredb.malekal.com/index.php?hash=f4d646a29f925deda0d084cf74edae0d


EDIT February 4

And back on klixfeed from popapls :

http://www.popapls .com/popupads.php?link=true&username=1920&sid=816&cap=0&type=1&open=1

http://www.klixfeed .com/re.php?mid=152f10f07bb03b&m=aHR0cDovL3d3dy5ob3Rwb3B1cHMuY29tL2ZpbHRlci5waHA=&tu=36373
http://www.hotpopups .com/filter.php?mid=152f10f07bb03b&tu=36373
http://www.hotpopups .com/go.php?mid=152f10f07bb03b&tu=36373

http://supp92343 .com/core/index.php?id=mssFEgXuWJLy&keyword=fIZyYHnEctIH7KsdYVtRyonXXc6Kuw09ceAA1xRiWG84jKpH9MJ

Exploit Kit :
http://znbxx2.naqycirefuji .org/ih3zkxwkeq?thread=148&key=D93FA4AC93A02A40121BF8FD4E46928D  [174.142.67.76]
http://znbxx2.naqycirefuji .org/xDAsL-iT0wf-c5bU_SU1ZUyniuLZJelDK5-7z14OK-dwzl9Y

Sample : http://malwaredb.malekal.com/editlespokemons.php?id=6e05d6a48030e4e9544ff14407bc9e9f


EDIT –

klixfeed pulled it in 5 minutes 🙂

EDIT – February 10

http://ad.directrev.com/RealMedia/ads/adstream_sx.ads/S0002679/156913863483965430@x10?uln=de

http://www.popanclick.com/popupads.php?link=true&username=1920&sid=816&cap=0&type=1&open=1
http://popanclick.com/renew.php?mid=152f8970a6956d&m=aHR0cDovL3d3dy5wb3BhbmNsaWNrLmNvbS9maWx0ZXIucGhw&tu=62211
http://www.popanclick.com/filter.php?mid=152f8970a6956d&tu=62211
http://www.klixfeed.com/go.php?mid=152f8970a6956d&tu=62211

http://v6mbr0cm.huddledartboard.pw/21_1_46d2dd5L9-5-8-a8-d_dD6ab3Ec581-c8eY1-122-.html (31.41.221.135)
http://v6mbr0cm.huddledartboard.pw/4183759026/1392001860.jar
http://v6mbr0cm.huddledartboard.pw/f/1392001860/4183759026/2
http://v6mbr0cm.huddledartboard.pw/f/1392001860/4183759026/2/2
http://v6mbr0cm.huddledartboard.pw/4183759026/1392001860.htm
http://v6mbr0cm.huddledartboard.pw/f/1392001860/4183759026/5

Sample : https://www.virustotal.com/fr/file/4d87512aea9be5c206b7e30d1744fe3ff5c805621e86018ba309c012b5015f2b/analysis/1392023800/

SHA256 : 4d87512aea9be5c206b7e30d1744fe3ff5c805621e86018ba309c012b5015f2b
Nom du fichier : 5.exe
Ratio de détection : 8 / 46
Date d'analyse : 2014-02-10 09:16:40 UTC (il y a 2 minutes)

Antivirus          Résultat                               Mise à jour
AhnLab-V3          Spyware/Win32.Zbot                     20140210
DrWeb              Trojan.MulDrop5.8780                   20140210
ESET-NOD32         a variant of Win32/Injector.AXIC       20140209
Kaspersky          Trojan-Spy.Win32.Zbot.rmdp             20140210
Malwarebytes       Spyware.Zbot.ED                        20140210
McAfee             PWSZbot-FRQ!CA0D6E01D498               20140210
McAfee-GW-Edition  PWSZbot-FRQ!CA0D6E01D498               20140210
Norman             Suspicious.FZN                         20140210


EDIT February 11 – Poponclick / Vertoz Malvertising

Got another one from the poponclick network :

http://poponclick.com/pp800x600.js?id=dvdriprl
http://poponclick.com/pu800x600.php?id=ZHZkcmlwcmw=&affid=12624
http://poponclick.com/pu.php?id=ZHZkcmlwcmw=&affid=12624&authcode=WndOa0FQNGpadjRrWkd0bFl3UmxabDRrWlFWaFp3Tmo=&rt=1&uadiff=0&flid=1&os=0
http://poponclick.com/click2.php

Keyword redirector :
http://40953.12624.link.plexious.com/ncp/checkBrowser?key=weather%20northville%20mi&ip=82.123.102.200&n_d=2000609033&ua=Mozilla%2F4.0%20%28compatible%3B%20MSIE%208.0%3B%20Windows%20NT%206.1%3B%20Trident%2F4.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%29
http://40953.12624.link.plexious.com/iframe?p=&c=40953&sc=12624
http://search.vertoz.com/click?i=mC5joJUM9NM_0
http://jsfilter.vertoz.com/filter?q=weather+northville+mi&i=mC5joJUM9NM_0&t=2103183979
http://search.vertoz.com/click2?i=mC5joJUM9NM_0&f=&j=rv%3Db%26ss%3D1024x768%26ws%3D784x510%26wp%3D17x101%26ce%3D1%26ck%3Djc%26cv%3D8532%26cs%3D1%26fr%3D0%26hc%3D0%26fl%3D11.9.900%26jv%3Dnull%26sc%3D32%26hr%3D2%26rf%3D40953.12624.link.plexious.com%26lo%3Djsfilter.vertoz.com%26mb%3D0%26hb%3D0%26pl%3DWin32%26ua%3DMozilla%252F4.0%2B%28compatible%253B%2BMSIE%2B8.0%253B%2BWindows%2BNT%2B6.1%253B%2BTrident%252F4.0%253B%2BSLCC2%253B%2B.NET%2BCLR%2B2.0.50727%253B%2B.NET%2BCLR%2B3.5.30729%253B%2B.NET%2BCLR%2B3.0.30729%29

Fake Counter Website :
http://klixfeer8.com/eu/index.html (95.211.52.51)
http://klixfeer8.com/eu/index.html
http://klixfeer8.com/eu/counter.swf

Rotator : http://mymostake.com/mix.php (95.211.217.200)

then EK :
http://f9dz0d6i.raftingbocce.pw/4B9d3-3_a27a7Q90_3f33bfG8_73-f-b_1a-70Aaac31/64/3e7b044effbab2e6e9eb0af73e121ad1.html

Pretty new and Russian :

Domain Name: KLIXFEER8.COM
Registrar: LLC "REGISTRAR OF DOMAIN NAMES REG.RU"
Whois Server: whois.reg.ru
Referral URL: http://www.reg.ru
Name Server: NS31.KUBEZ.BIZ
Name Server: NS32.KUBEZ.BIZ
Status: clientTransferProhibited
Updated Date: 08-feb-2014
Creation Date: 08-feb-2014
Expiration Date: 08-feb-2015

The malicious SWF Redirector is not very obfuscated : http://pjjoint.malekal.com/files.php?read=20140211_z13m10y12e9h10


EDIT February 13

popsit.net has address 198.24.141.110 – should be klixfeed again.

http://ad.directrev .com/RealMedia/ads/adstream_sx.ads/S0002679/191358335013434500@x10?uln=de
http://www.popsit.net/popupads.php?link=true&username=200810&sid=316&cap=0&type=1&open=1

http://popsit .net/renew.php?mid=152fcedfd7ed65&m=aHR0cDovL3d3dy5wb3BzaXQubmV0L2ZpbHRlci5waHA=&tu=6725
http://www.popsit .net/filter.php?mid=152fcedfd7ed65&tu=6725
http://www.popsit. net/go.php?mid=152fcedfd7ed65&tu=6725
http://rpv5m.snowflakereferee .pw/e_8-a0-85b1-5V50-f01_24B6_d3I0449cf_39-07-3bf.html
http://rpv5m.snowflakereferee .pw/1522526720/1392286260.jar
http://rpv5m.snowflakereferee .pw/1522526720/1392286260.htm
http://rpv5m.snowflakereferee .pw/f/1392286260/1522526720/2
http://rpv5m.snowflakereferee .pw/f/1392286260/1522526720/5


EDIT February 14

popanclick.com (198.24.141.110) is loading malvertising (via AdSupply)

http://engine.4dsply.com/fastpopunder.engine?id=d43a20e1-cbd9-4330-86c3-abfc19350930&rand=0.33969712695281545&ver=async&time=-60&referrerUrl=
http://engine.4dsply.com/Redirect.engine?PlacementId=7768&MediaId=7971&PoolId=62&SiteId=19&ZoneId=24&Country=Germany&PerformanceTest=&Bid=4.1&MaxBid=4.5

http://datinggo.info/click.php
http://datinggo.info/click.php?sc=c8ee017d617abd31602130c5f8a1a8a4&ssname=1392391284878481
http://datinggo.info/search.php?username=index&query=targeet+marketing+systems+furnituretargef+marketing+systemstargef+marketing+systems+40+inch+drop+leaf+table
http://datinggo.info/re.php?href=aHR0cDovL3d3dy5wb3BzaXQubmV0L3JlLnBocD9taWQ9MTUyZmUzNDc2YjU1NjMmbT1hSFIwY0RvdkwzZDNkeTV3YjNCaGJtTnNhV05yTG1OdmJTOW1hV3gwWlhJdWNHaHcmdHU9ODY4ODg%3D
http://www.popsit.net/re.php?mid=152fe3476b5563&m=aHR0cDovL3d3dy5wb3BhbmNsaWNrLmNvbS9maWx0ZXIucGhw&tu=86888
http://www.popanclick.com/filter.php?mid=152fe3476b5563&tu=86888
http://www.popanclick.com/go.php?mid=152fe3476b5563&tu=86888

http://g0759e6.evergreenplay.pw/c6_0498e294_3M1H6-36U5ee5_bcdac-6W3-0-cea-eWd/66/607a1eb05ff3be2092b42879c7d5092a.html
http://g0759e6.evergreenplay.pw/2603887969/1392369900.htm
http://g0759e6.evergreenplay.pw/2603887969/1392369900.jar
http://g0759e6.evergreenplay.pw/f/1392369900/2603887969/2
http://g0759e6.evergreenplay.pw/f/1392369900/2603887969/2/2
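To follow these chains without clicking through them, here is an added example (my own code, not from the blog or any of the networks named): it decodes the base64 `m`/`href` parameters that the klixfeed/popsit/boxsearch-style redirectors use to carry the next hop (including the nested case just above, datinggo.info -> popsit.net -> popanclick.com), and flags URLs matching the .pw exploit-kit path shapes captured in this post. The sample URLs are copied from the captures above; the parameter names and path patterns are my assumptions drawn from those captures.

```python
"""Decode the base64 next-hop parameters of the klixfeed/boxsearch-style
redirectors captured in this post, and flag the .pw exploit-kit URL shapes."""
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Query parameters that carry the next redirector hop as base64 (assumption
# drawn from the captures above: re.php?m=..., re.php?href=..., renew.php?m=...).
NEXT_HOP_PARAMS = ("m", "href")

# Path shapes of the .pw exploit-kit hosts seen in this post (assumption).
EK_PATH_PATTERNS = (
    re.compile(r"^/\d{6,}/\d{10}\.(?:jar|htm)$"),                 # /1823020209/1389764760.jar
    re.compile(r"^/f/\d{10}/\d{6,}(?:/\d+)+$"),                   # /f/1389764760/1823020209/2/2
    re.compile(r"^/[0-9A-Za-z_-]{20,}/\d+/[0-9a-f]{32}\.html$"),  # landing page with md5-like name
    re.compile(r"^/[0-9A-Za-z_-]{20,}\.html$"),                   # landing page without it
)


def refang(url: str) -> str:
    """Undo the defanging used in this post ('camspot .ws', 'popsit. net', 'wen[.]ru')."""
    return url.strip().replace(" .", ".").replace(". ", ".").replace("[.]", ".")


def _decode_url_param(value: str) -> Optional[str]:
    """Base64-decode one parameter value; keep it only if it is an http(s) URL."""
    value = value.strip().replace("-", "+").replace("_", "/")  # accept the URL-safe alphabet too
    value += "=" * (-len(value) % 4)                           # restore stripped '=' padding
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.startswith(("http://", "https://")) else None


def decode_chain(url: str, max_depth: int = 8) -> List[str]:
    """Return the hops hidden in a redirector URL, outermost first.

    A decoded hop may itself carry an encoded 'm' parameter (the
    datinggo.info -> popsit.net -> popanclick.com capture above), so decoding
    continues until no further hop is found, a loop is seen, or max_depth is hit.
    """
    hops: List[str] = []
    current = refang(url)
    for _ in range(max_depth):
        params = parse_qs(urlsplit(current).query, keep_blank_values=True)
        next_hop = None
        for name in NEXT_HOP_PARAMS:
            for raw in params.get(name, []):
                next_hop = _decode_url_param(raw)
                if next_hop:
                    break
            if next_hop:
                break
        if next_hop is None or next_hop in hops:
            break
        hops.append(next_hop)
        current = next_hop
    return hops


def looks_like_ek_url(url: str) -> bool:
    """True when a URL matches the .pw exploit-kit landing/payload shapes above."""
    parts = urlsplit(refang(url))
    if not (parts.hostname or "").endswith(".pw"):
        return False
    return any(p.match(parts.path) for p in EK_PATH_PATTERNS)


def triage(urls: List[str]) -> List[Tuple[str, List[str], bool]]:
    """For each captured URL: (url, decoded hops, is it an exploit-kit URL?)."""
    return [(u, decode_chain(u), looks_like_ek_url(u)) for u in urls]


# Constructed sample: four URLs copied from the captures in this post.
SAMPLE_CAPTURE = [
    "http://www.klixfeed.com/re.php?mid=152d6395bcb0ad"
    "&m=aHR0cDovL3d3dy5ib3hzZWFyY2gubmV0L2ZpbHRlci5waHA=&tu=79110",
    "http://datinggo.info/re.php?href=aHR0cDovL3d3dy5wb3BzaXQubmV0L3JlLnBocD9taWQ9MTUy"
    "ZmUzNDc2YjU1NjMmbT1hSFIwY0RvdkwzZDNkeTV3YjNCaGJtTnNhV05yTG1OdmJTOW1hV3gwWlhJdWNHaHcmdHU9ODY4ODg%3D",
    "http://g0759e6.evergreenplay.pw/2603887969/1392369900.jar",
    "http://rpv5m.snowflakereferee .pw/f/1392286260/1522526720/2",
]

if __name__ == "__main__":
    for url, hops, is_ek in triage(SAMPLE_CAPTURE):
        print(url)
        for depth, hop in enumerate(hops, start=1):
            print("  " * depth + "-> " + hop)
        if is_ek:
            print("  [exploit-kit URL shape]")
```

Run it over a proxy log's URL column to get the hidden hops per request without contacting any of the hosts.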


 

EDIT – February 23 : poponclick malvertising

Focus now on the poponclick third party network.
Already blogged about it on February 11 in this thread, and tweeted some others.

Today – again Intelfeeds.

EDIT – February 28 : Poponclick / Vertoz malvertising

still active :

https://twitter.com/malekal_morte/status/439069915199193088
https://twitter.com/malekal_morte/status/438734618343120896

on sayxml .com :

http://poponclick.com/pu.php?id=ZHZkcmlwcmw=&affid=12624&authcode=WndOa0FQNGpadjRsQlF0all3dGxZd0w0WXdWMEFOPT0=&rt=1&uadiff=0&flid=1&os=0
http://c.feed-xml.com/GZx1c39D7p7JozS527c6975ff997a93296b7ed211dbb3ffc17A
http://xml.sayxml.com/click?i=19c-Ym7h4RI_0 (174.137.155.136)
http://filter.sayxml.com/filter?q=beach+in+key+largo+resort+westin&i=19c-Ym7h4RI_0&t=1332132045
http://xml.sayxml.com/click2
http://vokut.radrigioo8.wf/jesus3.php
http://humming-life.jp/_r_.html
http://humming-life.jp/de/sites/phpupdater.jnlp
http://humming-life.jp/de/sites/phpupdater.jar

On 174.137.155.136 we can find various "ads networks" with the same skin, so very suspicious.

And… vertoz is still redirecting to it too.

EDIT – March 4 : Poponclick / Vertoz malvertising

The malvertising on poponclick's third network is still online : https://twitter.com/malekal_morte/status/439511932497063936
Sent an email to poponclick and vertoz, but I didn't get any reply.

I got the malvertising domain suspended yesterday and tweeted it, and today there is a new one, still from vertoz !

poponclick_vertoz

EDIT – March 5 : Poponclick / Vertoz malvertising

The malvertising in the poponclick third party network is still online, still via vertoz.

I got the last two domains suspended, and every time a new one comes up fast.

 

The last url is language.lorforio.com.

Still no reply from poponclick and vertoz : https://twitter.com/malekal_morte/status/440973202974441472
Still no email.
I also posted on the Digital Point forum : https://forums.digitalpoint.com/threads/poponclick-com-cpm-popup-thread.2344751/page-13#post-18899295

No reply, but a fast wake-up when the domain is suspended ; someone is in on this.
Poponclick's reputation looks scary : https://www.mywot.com/en/scorecard/poponclick.com

EDIT : xml.ecpvads.com is also redirecting to the Exploit Kit.

EDIT – March 6 – Poponclick / Vertoz Malvertising

still online : https://twitter.com/malekal_morte/status/441337324396224514

and poponclick / vertoz still not responding.

It also seems that vertoz = intelfeeds ; intelfeeds was also spreading this malvertising (see above).
vertoz.fs.wowcon.net has address 173.239.42.220
intelfeeds.xml.wowcon.net has address 173.239.42.220


EDIT – March 7 – Poponclick – Vertoz

Yesterday, I contacted danarimedia.com via their web form.
I didn't get any response, but I noticed a change since yesterday evening : there are no more redirections to vertoz.com, so the malvertising disappeared for a while.

I just got it back from another network :
http://xml.clixactly.com/click?i=fpKkyZlFyO0_0
http://jfilter.clixactly.com/filter?q=cubic+guard+ring+zirconia&i=fpKkyZlFyO0_0&t=1888610524
http://xml.clixactly.com/click2?[..]
http://xml.cynosmedia.com/click2?[..]

Malvert :
http://2.ooopart88.com/cloud.php

Exploit Kit :
http://jhgibson.com/list/xmlscanner.jnlp
http://jhgibson.com/list/xmlscanner.jar
http://jhgibson.com/META-INF/services/javax.xml.datatype.DatatypeFactory

 

Still at wowcon.net like vertoz.com and others before :

vertoz.fs.wowcon.net has address 173.239.42.220
intelfeeds.xml.wowcon.net has address 173.239.42.220

host filter.cynosmedia.com
filter.cynosmedia.com is an alias for cynosmedia.fs.wowcon.net.
cynosmedia.fs.wowcon.net has address 173.239.36.117

host tn.cynosmedia.com
tn.cynosmedia.com is an alias for cynosmedia.ui.wowcon.net.
cynosmedia.ui.wowcon.net has address 173.239.36.118

Seems to be from Ukraine :

NetRange: 173.239.0.0 – 173.239.63.255
CIDR: 173.239.0.0/18
OriginAS: AS27257
NetName: WEBAIRINTERNET8
NetHandle: NET-173-239-0-0-1
Parent: NET-173-0-0-0-0
NetType: Direct Allocation
Comment: rwhois://rwhois.webair.com:4321
RegDate: 2010-03-30
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-173-239-0-0-1

OrgName: Webair Internet Development Company Inc.
OrgId: WAIR
Address: 501 Franklin Avenue
Address: Suite 200
City: Garden City
StateProv: NY
PostalCode: 11530
Country: US
RegDate: 2001-03-12
Updated: 2012-01-12
Comment: Reassignment information for this block is available at rwhois.webair.com port 4321
Ref: http://whois.arin.net/rest/org/WAIR

Renvoi trouvé vers rwhois.webair.com:4321.

%rwhois V-1.5:003fff:00 rwhois.webair.com (by Network Solutions, Inc. V-1.5.7.3)

network:Class-Name:network
network:ID:173.239.36.112/28
network:Auth-Area:173.239.0.0/18
network:Network-Name:Delson_Union_SA–block
network:IP-Network:173.239.36.112/28
network:Org-Name:Delson_Union_SA
network:Street-Address:38,_Krasnogvardejskaja,_appt.35
network:City:Zaporozhje
network:State:Zaporozhje
network:Postal-Code:69003
network:Country-Code:Ukraine
network:Tech-Contact;I:abuse@webair.com
network:Admin-Contact;I:abuse@webair.com
network:Created:20140307
network:Updated:20140307
network:Updated-By:hostmaster@webair.com

It seems that all the ads networks at wowcon.net are fake and owned by bad guys to trick danarimedia.com.

EDIT – March 8 : poponclick malvertising in third network

OK, now got vertoz and danarimedia.com in contact.
Also got a reply from poponclick : https://forums.digitalpoint.com/threads/poponclick-com-cpm-popup-thread.2344751/page-13#post-18902806

Since vertoz.com has been removed, I think the traffic of the malvertising decreased, but the malvertising is still alive.

http://33488.12624.filter .danarimedia.com/ncp/checkBrowser?key=[..]
http://nami.t.domdex .com/search.gif?k=[..]
http://33488.12624.filter.danarimedia .com/iframe?p=&c=[..]
http://clients.bluecava .com/data/?p=[..]
http://67.201.62 .40/redir2?cid=[..]
http://filter.snapdo .com/filter?q=gmx+flatrate+dsl+e-mail+freemail+kostenlos&i=IMlrZ1rApCk_0&t=585296218
http://xml.snapdo .com/click2?[..]

Rotator :
http://2.lukmoretu .com/sonofgod.php

Exploit kit (not working in my case) :
http://bsdonsarto .nl/2014/03/03/07/2014/downloader.php?page_seed=xhtml

snapdo.com is a well known PUP domain.
Same structure :

host filter.snapdo.com
filter.snapdo.com is an alias for snapdo.fs.wowcon.net.
snapdo.fs.wowcon.net has address 174.137.155.136

xml.snapdo.com is an alias for snapdo.xml.wowcon.net.
snapdo.xml.wowcon.net has address 174.137.155.136

network:Class-Name:network
network:ID:174.137.155.128/28
network:Auth-Area:174.137.128.0/18
network:Network-Name:Delson_Union_SA–block
network:IP-Network:174.137.155.128/28
network:Org-Name:Delson_Union_SA
network:Street-Address:38,_Krasnogvardejskaja,_appt.35
network:City:Zaporozhje
network:State:Zaporozhje
network:Postal-Code:69003
network:Country-Code:Ukraine
network:Tech-Contact;I:abuse@webair.com
network:Admin-Contact;I:abuse@webair.com
network:Created:20140308
network:Updated:20140308
network:Updated-By:hostmaster@webair.com


EDIT March 11

still struggling for survival

on directrev, and on the poponclick third network (via xml.ecpvads.com 173.239.42.218 – 173.239.36.121).

Funny, the whois redirection is now forbidden 🙂

Got a FUD dropper :
https://www.virustotal.com/fr/file/e4f06be342d95b86d05cef5fac4a4568b3f726e90deeaa22ba2426c52749b476/analysis/1394567795/
https://www.virustotal.com/fr/file/67b5027ca66c4d34034134b4d11d15d8a72d08b926d0074a3c39670b0081e3c8/analysis/1394568582/

EDIT – March 25 : poponclick / Vertoz Malvertising

http://jsfilter.vertoz.com/filter?q=players+online+poker+games+texas+bingo&i=COLgQuXIIes_0&t=259749833
http://search.vertoz.com/click2?[..]
http://futurama31.com/de/index.html (5.79.67.143)
http://futurama31.com/de/counter.swf
http://pipsqwery.com/de.php (5.79.67.143)
http://eso7.duurfresn.net/gz9x43z454

SWF Redirector : http://malwaredb.malekal.com/index.php?hash=1d26ef43bb09057037a132034c00bc5e
Dropper : http://malwaredb.malekal.com/index.php?hash=6bdb0161df1b61fa377b6cfe85132600

NS52.KUBEZ.BIZ has address 5.79.67.184
NS51.KUBEZ.BIZ has address 5.79.67.143
FUTURAMA31.COM has address 5.79.67.143
pipsqwery.com has address 5.79.67.143

Domain Name: FUTURAMA31.COM
Registrar: LLC "REGISTRAR OF DOMAIN NAMES REG.RU"
Whois Server: whois.reg.ru
Referral URL: http://www.reg.ru
Name Server: NS51.KUBEZ.BIZ
Name Server: NS52.KUBEZ.BIZ
Status: clientTransferProhibited
Updated Date: 14-mar-2014
Creation Date: 14-mar-2014
Expiration Date: 14-mar-2015

Domain Name: PIPSQWERY.COM
Registrar: LLC "REGISTRAR OF DOMAIN NAMES REG.RU"
Whois Server: whois.reg.ru
Referral URL: http://www.reg.ru
Name Server: NS51.KUBEZ.BIZ
Name Server: NS52.KUBEZ.BIZ
Status: clientTransferProhibited
Updated Date: 13-mar-2014
Creation Date: 13-mar-2014
Expiration Date: 13-mar-2015


 

EDIT – May 2 : directrev again and kreditin.de malvertising

Malvertising on directrev was back :
https://twitter.com/malekal_morte/status/460001589457993729
https://twitter.com/jeromesegura/status/461208908120354817 (Thanks to Jerome Segura @Malwarebytes)

still the same network :
kaprisearch.info has address 198.24.141.108
papasearch.info has address 198.24.141.108

Also today, I noticed a new malvertising on kreditin.de : https://twitter.com/malekal_morte/status/462176506777571328

At the moment, got it from fhserve.com (not the first time I got a malvert from it),
the second from linkbucks.

URLs :

http://www.fhserve.com/www/delivery/lr.php (78.140.181.188 – 78.140.181.169)

http://kreditin.de/ (195.154.235.100)

http://kreditin.de/images/count.swf (195.154.235.100)
http://blandoncore.com/post.php (194.54.83.182)

http://london.newstoursparaelalma.com.ar:60012/rss/informer/mysql/event.php?samsung=89
http://darling.nb-win1.com:60012/mozilla.php?link=87&plus=327&demo=4&sales=556&rfid=171&mail=195&rate=539&logos=747
http://london.newstoursparaelalma.com.ar:60012/rss/informer/mysql/GexoDiF.jar
http://london.newstoursparaelalma.com.ar:60012/rss/informer/mysql/USiow.jar

~~

http://www.linkbucks.com/d8adf801/?ref=ada3624164d2d393687edb2c0af11ec80598eb9a
http://www.admngronline.com/apu.php?n=&zoneid=5555&cb=&popunder=1&direct=1 (78.140.181.184 – 78.140.181.187)
http://www.admngronline.com/lr.php

http://kreditin.de/
http://blandoncore.com/post.php

http://london.newstoursparaelalma.com.ar:60012/mail/membership/event.php?samsung=89
http://darling.nb-win1.com:60012/mozilla.php?quote=113&demo=4&lang=626&rfid=171&exec=213&texis=204&nomic=279&edit=295&comp=259
http://london.newstoursparaelalma.com.ar:60012/mail/membership/USiow.jar

Files :

Dropper : http://malwaredb.malekal.com/index.php?hash=f9f4ddd14d3ccf2f0641afb0f8fcf941
SWF redirector : http://malwaredb.malekal.com/index.php?hash=6f2c64c76bf34b7544adc28b1b1b7d91

Probably dummy :

http://www.fhserve.com/www/delivery/lr.php (78.140.181.188 – 78.140.181.169)
http://www.admngronline.com/apu.php?n=&zoneid=5555&cb=&popunder=1&direct=1 (78.140.181.184 – 78.140.181.187)


EDIT – June 2 – still malvertising at poponclick third party network

still from the same IP block : network:IP-Network-Block:198.24.141.104 – 198.24.141.111
http://www.popanclick.com/filter.php?mid=1538c38fb8fb5b&tu=57325
http://www.popanclick.com/go.php?mid=1538c38fb8fb5b&tu=57325

http://4rnz577xti.lewuhfsv.com/cgsbbynec2
http://4rnz577xti.lewuhfsv.com/Md1LiDy6KrVVcqpDtGkcPmaMtiTcQq2_PQFe260Sj8C4WYHz0iiTUSFwJa7vWtiCilYu4w==

www.popanclick.com has address 198.24.141.110


EDIT – adfclick1.com leading to Magnitude ExploitKit

Just to bump this old topic : nothing related to Zbot, but Cerber Ransomware.
Always the same actor…

adfclick1.com leading to Magnitude ExploitKit, see this topic (in French) : http://www.malekal.com/malvertising-uptobox-cerber/
Already mentioned in this topic (see EDIT – February 28 : Poponclick / Vertoz malvertising)

xml.adfclick1.com is an alias for adventurefeeds.xml.ak-is.net.
adventurefeeds.xml.ak-is.net has address 174.137.155.139


Wondering how this ads network can be trusted : https://www.virustotal.com/en/ip-address/174.137.155.139/information/
Looks so fake, no information about the source..
