[en] MegoADS fake advertising for porn websites


This fake advertising is not really new; I already talked about it in this article (domain freesoftinka.eu): http://www.malekal.com/2012/07/28/quelques-campagnes-de-malvertising/ (~12 August).
For now, it's spreading well; many porn sites use it.

Below are some examples of redirections to Exploit Kits:

Today it looks like they have some DNS problems:

At the beginning, the domain used was megoads.eu:

Now the main domain is pnads.com:

http://pnads.com/bannerCode/banner?width=728&height=90&lc=fr&callback=jQuery17206833357621000337_1353249555813&_=1353249557349
http://domain.eu/banner/bc806f2e23ba4ec2f3dff985612ede55.swf
http://domain.eu/banner/_c93ce011fb5e76e89391843b66991b67.stats

As you can see, the final .eu domain is random, which is very suspicious.
Also, the WHOIS information of every domain is hidden; no trusted company would want to hide it, which is very suspicious too.

There are still some mentions of megoads.eu in the code:

I contacted Kaspersky some days ago to ask them to investigate this issue, and their answer is positive (Kaspersky, you rock!).

So yeah, bad guys created fake ads, probably with huge traffic.
If you are a porn webmaster, please stay away from it.
If you are a malware researcher and belong to a security solution vendor, please investigate and blacklist them; you can start from this porn website: http://hometeenmovies.com

EDIT – definitely malicious 🙂

I was able to decompile the SWF using this website: http://www.showmycode.com/

The SWF applet gets the JSON response and decrypts it to build the iframe with the Exploit Kit URL.
SWF source code: http://pjjoint.malekal.com/files.php?read=20121120_p15v10v7f910

and so for:

I can't get it working from the command line:

echo LSoodZ8CyTBJKhzr8a7uPKPHAu9Td5whF8ImvR5xhGwVMwSYQRs78R2UGZlmcdQ3kq8LmmVpRoXb643D7wbcvWO5Ng+h011gY1Zro6me/6c=|openssl enc -aes-128-ecb -a -d -salt -k 27tSTCPrn72YnKGd

so using PHP :
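
An added example (not the author's PHP code, nor the SWF's own code) of decrypting a banner-server response of the kind described above with the openssl CLI, using the key string from the one-liner; it assumes the SWF used the 16-character string as the raw AES-128 key with PKCS#7 padding, which is an inference from the key length, and the JSON it round-trips is a constructed sample, not a captured response. It also reproduces why the one-liner fails: "openssl enc -k" derives a key from a passphrase and, with "-salt", expects a "Salted__" header that this kind of ciphertext does not carry.

```shell
#!/bin/sh
# Added example, not the author's PHP nor the SWF's own code: decrypt the banner
# server's AES-128-ECB JSON response with the raw 16-byte key using the openssl CLI.
#
# Why the one-liner in the post fails: "openssl enc -k" treats its argument as a
# passphrase and derives a different key from it, and with -salt it expects the
# ciphertext to start with a "Salted__" header. Passing the key as hex with -K
# uses the 16 bytes verbatim, which is what the SWF is assumed to do (inferred
# from the key length, together with PKCS#7 padding; neither is stated in the post).

KEY='27tSTCPrn72YnKGd'   # key string quoted in the post

# Hex-encode a raw key string for openssl -K (od/tr, so no xxd dependency).
key_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Decrypt a single-line base64 blob (the banner server's response) with a raw key.
decrypt_response() {   # $1 = base64 ciphertext, $2 = raw key string
    printf '%s' "$1" | openssl enc -aes-128-ecb -d -a -A -K "$(key_hex "$2")"
}

# Encrypt the same way (raw key, ECB, PKCS#7 padding, base64) so that a
# constructed response can be round-tripped offline.
encrypt_response() {   # $1 = plaintext, $2 = raw key string
    printf '%s' "$1" | openssl enc -aes-128-ecb -e -a -A -K "$(key_hex "$2")"
}

# Reproduce the post's failing invocation (passphrase mode with -k) against a
# raw-key blob. Returns 0 when openssl rejects it ("bad magic number").
passphrase_mode_fails() {   # $1 = base64 ciphertext, $2 = passphrase
    if printf '%s' "$1" | openssl enc -aes-128-ecb -d -a -A -salt -k "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed sample of the JSON the SWF turns into an iframe (not a real capture).
SAMPLE='{"url":"http://example.invalid/landing","width":728,"height":90}'

BLOB=$(encrypt_response "$SAMPLE" "$KEY")
echo "ciphertext: $BLOB"
echo "plaintext:  $(decrypt_response "$BLOB" "$KEY")"
if passphrase_mode_fails "$BLOB" "$KEY"; then
    echo "passphrase mode (-k) rejects the blob, as in the post"
fi
```

To try it on a real capture, pass the base64 string from the server response to decrypt_response in place of the constructed blob; a padding error from openssl means the key or mode assumption does not hold for that sample.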

EDIT 27 November

The day after I blogged this, pnads.com did not work (so, good news).

Today, I came across it again with new domains:

http://itelevisorks.eu/bannerCode/banner?width=728&height=90&user_id=b07f53cf-6649-42fc-a083-5a5a415d01c9&lc=fr&callback=jQuery17205490045837409376_1354034647874&_=1354034648342 (5.61.37.27)
http://tursalonfe.eu/bannerCode/banner?width=728&height=90&user_id=b07f53cf-6649-42fc-a083-5a5a415d01c9&lc=fr&callback=jQuery17205490045837409376_1354034647874&_=1354034648342 (95.211.155.43)
http://tursalonfe.eu/banner/3aac9cb930bafa75065e9519626519ec.swf
http://tursalonfe.eu/banner/_505f9b74a878c17cca91623e8e3c9712.stats

Example of banner:
http://affiliates.thrixxx.com/scripts/connect.php?aid=9680460&ad=1&pr=8&gr=14&el=10621&ts=3&lg=en&c=0

Right now the server returns false (so no exploit kit).
Also, there is a new parameter, user_id; it looks like it is used to identify the client.

New location: megoadz.com (37.1.199.133). The captcha is also new!

The SWF is not detected by any antivirus: https://www.virustotal.com/file/63d567960caefa50d56e10183dc3464d6d65957eeddbbb6db8b2175a7984d9c9/analysis/1354035418/

SHA256: 63d567960caefa50d56e10183dc3464d6d65957eeddbbb6db8b2175a7984d9c9
File name: 3aac9cb930bafa75065e9519626519ec.swf
Detection ratio: 0 / 44
Analysis date: 2012-11-27 16:56:58 UTC ( 0 minute ago )

We will see if it leads to an Exploit Kit in the next days.

EDIT 3 December

I found one that returns data, and so an Exploit Kit URL:

http://voltmarkets.com/bannerCode/banner?width=300&height=250&user_id=258c5dc3-f298-44e0-b024-3d80e3647a42&lc=fr&callback=jQuery17208939024892321452_1354556856717&_=1354556859727
http://quadriviuma.eu/bannerCode/banner?width=300&height=250&user_id=258c5dc3-f298-44e0-b024-3d80e3647a42&lc=fr&callback=jQuery17208939024892321452_1354556856717&_=1354556859727
http://quadriviuma.eu/banner/d9b7e135874e39bb79b07cb3468a43f6.swf
http://quadriviuma.eu/banner/_18b4b02a7038d6799c3ab1da8de056a0.stats
http://j45hddh.h2optionsstore.com/f1LJeo8SIYiFrEJ9RsH5OFyBvsCpjk2U
http://j45hddh.h2optionsstore.com/f1LJeo8SIYiFrEJ9RsH5OFyBvsCpjk2U?s=1&m=2
http://j45hddh.h2optionsstore.com/f1LJeo8SIYiFrEJ9RsH5OFyBvsCpjk2U?s=1
The malware is Urausy (the version that taunts antivirus): http://www.malekal.com/2012/11/28/en-urausy-ransomware-get-an-update-and-taunts-antivirus/

(the Cool EK URL is not related)

And the SWF is still not detected on VirusTotal...

https://www.virustotal.com/file/fdd74e175a64a6b6257d232dcc8a9555b1184636cf77e3ab7ee36cc5bc8ca364/analysis/1354557004/

SHA256: fdd74e175a64a6b6257d232dcc8a9555b1184636cf77e3ab7ee36cc5bc8ca364
File name: d9b7e135874e39bb79b07cb3468a43f6.swf
Detection ratio: 0 / 45
Analysis date: 2012-12-03 17:50:04 UTC ( 0 minute ago )

EDIT 8 December

The SWF has been recoded and the JSON response is not encrypted anymore (maybe because some antivirus vendors began to add detections for it).
Source code of the new SWF: http://pjjoint.malekal.com/files.php?read=20121208_g12f7s8y15k8

The antivirus detection is still not good: https://www.virustotal.com/file/009d449e202e1ecdef01146ed7049b87da394b02d2a47ca31d3487bd085d24b1/analysis/1354916197/

SHA256: 5b3d77628eec01294cba4fe05d15c497e4d40501eea8e85cae1f37154a001eb5
File name: 4e2aefd7680131c8475076eb621a3ec5.swf
Detection ratio: 3 / 46
Analysis date: 2012-12-07 23:04:27 UTC ( 4 minutes ago )
Avast SWF:Iframe-D [Trj] 20121207
GData SWF:Iframe-D 20121207
TrendMicro-HouseCall TROJ_GEN.F47V1207 20121207

EDIT February 16

Back.
Example of banner.
There is also a « Saboom banner ».

They don't use the SWF applet anymore, but Ajax + jQuery.
The banner makes an Ajax call to http://kolmagorovax.info/banner/post/95e9b1c91201b44e3aa0871301a70a98?callback=jQuery18306317142408863277_1361031913789&lc=fr&tz_offset=-60&_=1361031915858

MegoAds_back2

which returns the iframe code with the Exploit Kit that loads Reveton.
See: http://pjjoint.malekal.com/files.php?read=20130216_l8v6n14p6p9

Dropper: http://malwaredb.malekal.com/index.php?hash=b1c1551dfa65cbc3761f842d31c56b1e

EDIT February 20

Back with a malicious banner, but this time the banner is loaded from the porn website.

The porn website loads the banner from http://www.mspylogs.com/banners/swf/flash.swf (64.120.137.102),
which contains an iframe to load http://test.worldpgl.com/rtr/counter.php (95.211.162.96).
Then http://test.worldpgl.com/rtr/counter.php redirects to the Exploit Kit.

Detection:

https://www.virustotal.com/fr/file/a3964916281b0d4ddc2e680245cae4d7870f7ce581ae83c8d5ae798f7bd0f115/analysis/1361349313/

SHA256: a3964916281b0d4ddc2e680245cae4d7870f7ce581ae83c8d5ae798f7bd0f115
File name: flash.swf
Detection ratio: 0 / 46
Analysis date: 2013-02-20 08:35:13 UTC (0 minutes ago)

Still Reveton: http://malwaredb.malekal.com/index.php?hash=38e3c3034590d5843f5594f2b2cffb69

https://www.virustotal.com/fr/file/0818dc32b52d2a6b6a629ccbd75c0ba91f2db70bc27cc981eecd7b2b032e3303/analysis/1361349425/

SHA256: 0818dc32b52d2a6b6a629ccbd75c0ba91f2db70bc27cc981eecd7b2b032e3303
File name: RCBDYCTL.DLL
Detection ratio: 3 / 45
Analysis date: 2013-02-20 08:37:05 UTC (3 minutes ago)

Fortinet      W32/Kryptik.ALRY!tr      20130220
Kaspersky      HEUR:Trojan.Win32.Generic      20130220
Rising      Suspicious      20130205
