qweentits.org Malvertising and malicious SWF

Just got a nice Malvertising from clicksor via plugrush and adultadworld on a Warez website:

http://serw.clicksor.com/newServing/links.php?zone=0&chad=1&adu=2&cs=&adtype=0&nid=1&sid=240866&pid=158704&spid=0&image=2&memkey=21ef288088acf517e987cc9c5dce85d9&durl=http%3A%2F%2Ftinyurl.com%2Fd5vnmq5&lq=0&lb=145&qp=YF4lKC_7JScg-Scy-yQqJPFjZU4wKSL7KDIg_GpVJSUzICctfX4lLnwjKiL9IzAiKnxiWy0tfCgsIPwnL_4r
http://viegmobmi.com/?9d41c876af1aa135efa0cc288c49fe05
http://udkqwktff.ftp1.biz/vd/2;bbac9ceefad9d2cdeab12044a0bbe316
http://koralucpa.info/
http://viegmobmi.com/?9d41c876af1aa135efa0cc288c49fe05
http://ad.koraloguild.info/?529f79e9fe8613c45013718baab7d1a2
http://koraloguild.info/?track=072221289aea340cfe2daa2add5f15fc

which redirects to:

http://pu.plugrush.com/1o1w.js
http://pu.plugrush.com/t/1o1w/3305/302e834e1ebe560283f5496e31ab8659/aHR0cDovL2tvcmFsb2d1aWxkLmluZm8vP3RyYWNrPTA3MjIyMTI4OWFlYTM0MGNmZTJkYWEyYWRkNWYxNWZj

which redirects to:

http://newt7.adultadworld.com/jsc/z5/fm.html?n=607&c=14316&s=30358&d=15&w=1&h=1&z=76146995
http://newt7.adultadworld.com/bar/v16-605/z5/jsc/fmr.html?n=607&c=14316&s=30358&d=15&w=1&h=1&z=76146995
http://cs.adxpansion.com/ads.php?zone_id=86850&type=redirect&q=

which redirects to the final ad: qweentits.org

As you can see, qweentits.org hits a TDS Sutra that redirects to the Exploit Kit:

http://pornedcash.org/in.cgi?2 (95.211.199.34)
http://pornedcash.org/file.php
http://a1s2d3f4g5h6j7.quannhacvang.com:19980/t/3a167abc5fb34ae7fd79e9bb167fad78
http://a1s2d3f4g5h6j7.quannhacvang.com:19980/images/0834df1f7eb7522dff56cf98039d6c6d/1355219750/bee08027b51dbd80bd1f3a764f6474d8.jar
http://a1s2d3f4g5h6j7.quannhacvang.com:19980/t/kalibton.class

In the source code of qweentits.org there is nothing related to that TDS.

In fact, the redirect to the TDS Sutra is made by this banner, a Flash file (porn.swf):


With Sothink SWF Editor we can see the TDS Sutra URL inside the banner:



The SWF has 0 detections on VirusTotal: https://www.virustotal.com/file/eb63434ab5ec1f5974a08fac5974dbeab465770e2d1881748fb4ef1da367e825/analysis/1355219842/

SHA256: eb63434ab5ec1f5974a08fac5974dbeab465770e2d1881748fb4ef1da367e825
File name: porn.swf
Detection ratio: 0 / 43
Analysis date: 2012-12-11 09:57:22 UTC
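Because the SWF carrier itself scores 0/43, a cheap static check a defender can run on a suspicious banner is to decompress it and look for embedded URLs, which is what the Sothink screenshot shows by hand. The following is an added example, not code from this post: it parses the FWS/CWS header (ZWS/LZMA files are rejected), and `make_sample_swf` builds a constructed fixture carrying the TDS URL from this post, not the real porn.swf.

```python
import re
import struct
import zlib

# URL-like byte strings; NUL is excluded so NUL-terminated strings in the SWF end cleanly.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%\[\]-]+")


def parse_swf(data: bytes):
    """Return (uncompressed body, declared total length) for an FWS/CWS file."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, declared_len = data[:3], struct.unpack("<I", data[4:8])[0]  # data[3] is the version
    if sig == b"FWS":                      # uncompressed
        body = data[8:]
    elif sig == b"CWS":                    # zlib-compressed after the 8-byte header (SWF 6+)
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":                    # LZMA-compressed (SWF 13+): not handled here
        raise ValueError("ZWS (LZMA) SWF not supported by this example")
    else:
        raise ValueError("not a SWF: signature %r" % sig)
    return body, declared_len


def extract_urls(data: bytes) -> list:
    """Unique URL strings in a SWF, in order of first appearance (static check only)."""
    body, _ = parse_swf(data)
    seen, found = set(), []
    for raw in URL_RE.findall(body):
        url = raw.decode("ascii")          # the pattern only matches ASCII bytes
        if url not in seen:
            seen.add(url)
            found.append(url)
    return found


def make_sample_swf(urls, compress=True) -> bytes:
    """Constructed fixture: a minimal SWF body with the URLs stored as NUL-terminated strings."""
    body = b"\x00" * 16 + b"".join(u.encode() + b"\x00" for u in urls)
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    # Constructed sample carrying the TDS URL seen in this post, not the real porn.swf.
    sample = make_sample_swf(["http://pornedcash.org/in.cgi?2"])
    print(extract_urls(sample))            # prints ['http://pornedcash.org/in.cgi?2']
```

A string scan only finds URLs stored in clear; a banner that builds the target at runtime in ActionScript will not show anything here, so an empty result is not a clean bill of health.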


The malware is poorly detected: http://malwaredb.malekal.com/index.php?hash=d865c1ce929421df6aca6a92d806cc41


EDIT – December 15

Back with www.livecamsxxxnow.com on the same IP: 95.211.199.34


The TDS Sutra is replaced by http://dereteweret.org/ava/file.php

Detection of http://www.livecamsxxxnow.com/porn.swf: https://www.virustotal.com/file/90f861fcaf2b93e0d8178a843ae010cc217714dcec8e25e11e1d36466cad8c72/analysis/1355572194/

SHA256: 90f861fcaf2b93e0d8178a843ae010cc217714dcec8e25e11e1d36466cad8c72
File name: porn.swf
Detection ratio: 0 / 46
Analysis date: 2012-12-15 11:49:54 UTC
