[en] Zbot Malvertising on Clicksor

Clicksor is well known to lead to malvertising: http://www.malekal.com/?s=clicksor
First mention in December 2011, when the fake Police ransomware started hitting France in mass, so they have been delivering malvertising for 2 years now: http://www.malekal.com/2011/12/12/virus-police-virus-bundespolizei-malvertising-de-clicksor-com-sur-streaming/

So today, on rapid8.com, I found two different malvertisings… (thanks to the person who sent me a message)

[screenshots: clicksor_rapid8, clicksor_rapid8_suite3, clicksor_rapid8_suite2]

TDS on deevidos.com:

[screenshots: clicksor_rapid8_suite4, clicksor_rapid8_suite]
http://totalmediaconverter-u.com/promo/468×60.html (31.207.3.122) – 1 @ VT https://www.virustotal.com/fr/url/8c05faaec8a3746774f8e650365b034d570dcc4b4947d1b64538bd3350c5b48d/analysis/ <= 4 months ago
http://asrtofurygames.com/uads/300×250.html (31.207.3.122)
http://deevidos.com/ad_track.php?s=22&ln=undf&cmp=tc&data=all&stats=all
http://deevidos.com/ad_track.php?s=2&aid=123&cn=eu&contextm=1 (31.207.2.154) – 1 @ VT https://www.virustotal.com/fr/url/de7c597a6cfd5b57897a82920750164df0aeac89a5d850c3e2ad5c5f679bbee5/analysis/1386520209/ – Yeah KAV !
http://compas.lacasadelchopp.com.ar:60012/meta_login/upgrade/admin/support.php?affiliate=21
http://qknzbmia.seekiumg.biz/83892e-5_f1c_35_4d-aId-ccac-25cR3_d-2Jcf2_5U66/1/dcdfa5e32c34dbc55c8cfc58a9395347.html
http://compas.deltar.es:60012/plugins.php?what=307&blogs=4&blogs=622&module=171&html=692&rfid=134&help=610&shows=56&asia=448

The binary is probably a Zbot (too lazy to check): https://www.virustotal.com/fr/file/8adf8a7f4d8e9c3d6661330af9525ca7a3338281082c851170c742dd6a2ffad0/analysis/1386519498/

SHA256:8adf8a7f4d8e9c3d6661330af9525ca7a3338281082c851170c742dd6a2ffad0
Nom du fichier :SSCKbd.exe
Ratio de détection :4 / 48
Date d’analyse :2013-12-08 16:18:18 UTC (il y a 0 minute)

Sample : http://malwaredb.malekal.com/index.php?hash=787e2cccbd85b74d8a59b28304517850

 

[screenshot: clicksor_rapid8_suite5]

The second malvertising:

http://farmfrenzyforwindows.com/ads/ads468.html (31.207.3.122) – – 1 @ VT https://www.virustotal.com/fr/url/e135f64ea7ea8af2ec3d3bc7efb274f5f36df928a264ea606561d89fb00cf755/analysis/1386520313/
http://supteckclick.com/counter/300/cmp/17/stats.html (31.207.3.130) – 0 @ VT https://www.virustotal.com/fr/url/c6a3d48bbfec2236fb57ec64823f5b25589d6feea5a33cea0463819c5309de5a/analysis/1386520320/

http://gtgkcv.seekiumg.biz/175W8-2_6-d8a7b500be7_7-1-1-d-0-5-1-8-1-ab0a-3b.html
http://gtgkcv.seekiumg.biz/697256322/1386497640.jar
http://gtgkcv.seekiumg.biz/f/1386497640/697256322/2
http://gtgkcv.seekiumg.biz/f/1386497640/697256322/2/2
http://gtgkcv.seekiumg.biz/697256322/1386497640.htm
http://gtgkcv.seekiumg.biz/f/1386497640/697256322/5
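The gtgkcv.seekiumg.biz requests above follow a layout that recurs in every exploit-kit chain in this post: a landing page whose path is a long token of letters, digits, underscores and hyphens, then /<id>/<number>.jar and .htm, then /f/<number>/<id>/N for the payload. As an added detection example (my code, not from the post), the Python below classifies proxy-log URLs by that layout, correlates the id/number pair across the .jar and /f/ requests, and decodes the number as a Unix time; reading it as a Unix time is my assumption, not something the post states, but it decodes to the day of the analysis. The log lines are constructed; the hostnames and paths are the ones listed above, the regexes are my generalization of them.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed proxy log (time, client, URL): hosts, paths and ids are the ones listed
# in the post above; the request times and client IPs are made up.
LOG_LINES = """\
2013-12-08T10:13:58Z 10.0.0.17 http://gtgkcv.seekiumg.biz/175W8-2_6-d8a7b500be7_7-1-1-d-0-5-1-8-1-ab0a-3b.html
2013-12-08T10:14:02Z 10.0.0.17 http://gtgkcv.seekiumg.biz/697256322/1386497640.jar
2013-12-08T10:14:05Z 10.0.0.17 http://gtgkcv.seekiumg.biz/f/1386497640/697256322/2
2013-12-08T10:14:06Z 10.0.0.17 http://gtgkcv.seekiumg.biz/f/1386497640/697256322/2/2
2013-12-08T10:14:09Z 10.0.0.17 http://gtgkcv.seekiumg.biz/697256322/1386497640.htm
2013-12-08T10:20:00Z 10.0.0.42 http://www.example.com/static/1386497640/app.jar
"""

# Three path shapes seen in the chains: the landing page (a long token of letters,
# digits, '_' and '-', sometimes followed by /<n>/<32 hex>.html), the exploit files
# /<id>/<unixtime>.jar|.htm, and the payload fetches /f/<unixtime>/<id>/<n>[/<n>].
LANDING = re.compile(r"^/[0-9A-Za-z_-]{20,}(?:/\d+/[0-9a-f]{32})?\.html$")
EXPLOIT = re.compile(r"^/(\d{6,10})/(\d{10})\.(jar|htm)$")
PAYLOAD = re.compile(r"^/f/(\d{10})/(\d{6,10})/\d+(?:/\d+)?$")


def classify(url):
    """Map one URL to (stage, campaign id, unix time); None when no shape matches."""
    path = urlsplit(url).path
    if LANDING.match(path):
        return ("landing", None, None)  # weak alone: long .html names exist elsewhere
    m = EXPLOIT.match(path)
    if m:
        return ("exploit-" + m.group(3), m.group(1), int(m.group(2)))
    m = PAYLOAD.match(path)
    if m:
        return ("payload", m.group(2), int(m.group(1)))
    return None


def analyze(log_text):
    """Group matching requests per host and grade how far the chain got."""
    hosts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _when, client, url = line.split()
        hit = classify(url)
        if hit is None:
            continue
        stage, cid, ts = hit
        rec = hosts.setdefault(urlsplit(url).hostname,
                               {"stages": [], "clients": set(), "exploit": set(), "payload": set()})
        rec["stages"].append(stage)
        rec["clients"].add(client)
        if stage.startswith("exploit"):
            rec["exploit"].add((cid, ts))
        elif stage == "payload":
            rec["payload"].add((cid, ts))
    report = {}
    for host, rec in hosts.items():
        linked = rec["exploit"] & rec["payload"]  # same id AND same number in both stages
        if linked:
            verdict = "exploit kit chain: payload fetched"
        elif rec["exploit"]:
            verdict = "exploit kit: exploit file served, no payload seen"
        else:
            verdict = "suspicious landing only"
        pair = next(iter(linked or rec["exploit"] or {(None, None)}))
        when = (datetime.fromtimestamp(pair[1], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
                if pair[1] else None)
        report[host] = {"verdict": verdict, "stages": rec["stages"],
                        "clients": sorted(rec["clients"]),
                        "campaign_id": pair[0], "path_timestamp_utc": when}
    return report


if __name__ == "__main__":
    for host, info in analyze(LOG_LINES).items():
        print(host, info)
```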

The binary : https://www.virustotal.com/fr/file/2c0d7632d7e43f30f68ec23ae0b73ee6b9b1a4f6e4d3eef34247dba4a1ea2f80/analysis/1386519491/

SHA256:2c0d7632d7e43f30f68ec23ae0b73ee6b9b1a4f6e4d3eef34247dba4a1ea2f80
Nom du fichier :1dsve2wefd.exe
Ratio de détection :2 / 48
Date d’analyse :2013-12-08 16:18:11 UTC (il y a 0 minute)

Sample : http://malwaredb.malekal.com/index.php?hash=26c237d3f1fde2e85760bcafb5ae9798

[screenshots: clicksor_rapid8_suite_malvert2, clicksor_rapid8_suite_malvert_suite2]

As you can see, two IPs are involved: 31.207.3.122 and 31.207.3.130.

EDIT – French Version

http://ads1.progametesters.net/1test_468x60.html (198.50.104.206) – 1 @ VT https://www.virustotal.com/fr/url/ceac30f322ba768a4385b37fbeee47c1254b15189611013f4a184ca356507bc5/analysis/1386521940/ <= yeah BitDefender
http://viccpm08.victoryproads.com/08vic_300x250.html (184.107.189.54) – 4 @ VT https://www.virustotal.com/fr/url/d4a5dfc803f13a7299ea46d1912b81edf5a3221abce24d10de6c2c0411537ac6/analysis/1386521994/
http://hotimp.pw/a59e7058633818f77c265b65e81219ef (198.50.104.204) – 3 @ VT https://www.virustotal.com/fr/url/d87d7965f0b1ab1965fa20cb538e7c2c41ae46b8c7e775c65ac62ab507b82f14/analysis/1386522014/

http://c3yj1sr.silvekrkitchen.biz/aaeIbJd1F2_f36bbf-d67Q3X176ebb3bM0b-61-a3-eV/3/f3f9ab7de7f1388cc5ee8101b891ec2b.html
http://s9s7vnt.silvekrkitchen.biz/aVf74_3ff_f28d2_e9eG98Vf_968ee-2JdB4_3_6d_6-90_/97/1eb730986c0fe201cdd08f136bf2c6d1.html
http://c3yj1sr.silvekrkitchen.biz/2162401136/1386500040.jar
http://c3yj1sr.silvekrkitchen.biz/f/1386500040/2162401136/2
http://c3yj1sr.silvekrkitchen.biz/f/1386500040/2162401136/2/2
http://c3yj1sr.silvekrkitchen.biz/2162401136/1386500040.htm


[screenshots: clicksor_rapid8_suite_malvert3, clicksor_rapid8_suite_malvert3_suite]

EDIT and also…

If Clicksor malvertising is not enough and you are lucky, you can also get Browlock!
A nice cocktail on rapid8.com!

http://mobatory.com/8jxjj7ifv3055xytz5ih3o130iar6rf9
http://mobatory.com/7jwgzo2ub186py0imhspqlfoe
http://mobatory.com/5uxfljc5z4s6eacz305ic45h25hq3srib5tc1b51g?j8c=49ljg&pjz9ci=rapid8.com/&3kgiokr8=t3619158&80ipnpaegcqj19=rapid8.com/stage2.php&4kf7k=0&31n33=0&3ea6o=0&3cvlt=0&wr71g34ni=1&127ehq780r=0&6s89o644imz=0&78ob3sh84zkh1z=1&6iu2mhp1=0&rpo5za53h=1024&yq84eazbm=768&8v0luzzkqq3=0&6s5iunzsdhm2mj30=1
http://mobatory.com/5uxfljc5z4s6eacz305ic45h25hq3srib5tc1b51g?j8c=49ljg&pjz9ci=rapid8.com/&3kgiokr8=t3619158&80ipnpaegcqj19=rapid8.com/stage2.php&4kf7k=0&31n33=0&3ea6o=0&3cvlt=0&wr71g34ni=1&127ehq780r=0&6s89o644imz=0&78ob3sh84zkh1z=1&6iu2mhp1=0&rpo5za53h=1024&yq84eazbm=768&8v0luzzkqq3=0&7uyedgxpbuv6y8kxg34cuxdmz=99780&98uca7ro8qv6eu5qpnguteh6r=
http://mobatory.com/img/close/en/flash/close.swf
http://news-91566-latest.natsyyaty.ru/5bj0eswiecc7mmr46usjkk8mowqb82af78xs3nqduz2m6jr3w8scdal93qraqt3xw86s37ljkdf0k6vhnwr9298k6slx0ryscgj8hknoi2xov15mhwkynnl7c8c3f9ltee6e8f12649fh8z53q09yp5jif80ro56hlg7o90cgopfz7yt66osfwb9s0q99l8atc4y14834natopbns80kr5hkg7kh5y627t1tqo88blftkjgen063wl7jbipun7vah44puaf88i2us9lup1y63abhafr7rh98u0zx81bep533guehrh1z60y7kgq7lf48behn11znly7mgst440gf06c22mad7u2p6jvt7agqn116uqeeu15gsp5uvuafkm51t83irjikttn56h3on68uh4a7pbb0gw4fls5h286v9203m8ccsdyxc64j6q55gwmrplo663ba044d9076s26lu1nbtsxstvfq5t – (78.140.142.186 / 78.140.142.178) 1 @ VT https://www.virustotal.com/fr/url/c55af4663c5bc81c0312b82ebdc88edb606178c46b09d5a7fb81ab778999ac5d/analysis/1386577134/
http://seducedmatures.com/ (193.169.87.247) – 1 @ VT https://www.virustotal.com/fr/url/b6356e4a03e4381b86af5ad05a65331d1076e7207eedcd4968f80aead1dabab5/analysis/1386577123/

[screenshot: rapid8_browlock]

EDIT December 21

It seems that the malvertising on Clicksor is now dropping Dorkbot and not Zbot anymore.
http://ads.clicksor.com/newServing/cpalinks.php?networkid=2&clck_pid=21643&clck_sid=30783&ref=
http://goo.gl/jNQkjO
http://www.klixfeed.com/popupads.php?link=true&username=r2k1984&sid=496&cap=0&type=1&open=1%E2%80%8F
http://www.klixfeed.com/re.php?mid=152b5c6a8ed90a&m=aHR0cDovL3d3dy5ib3hzZWFyY2gubmV0L2ZpbHRlci5waHA=&tu=7354
http://www.boxsearch.net/filter.php?mid=152b5c6a8ed90a&tu=7354
http://www.boxsearch.net/go.php?mid=152b5c6a8ed90a&tu=7354
http://nether.tep.su/ <= 1 @ VT https://www.virustotal.com/fr/url/44e11b3e2d26fd2d7d336398ad7feb7accee16a4a627384a904765d6b1231ca7/analysis/1387645138/
http://moro-movie.com/mama/img/nl.php

Then exploit kit:
http://bqx24.accountantmanufacturer.pw/4b5713e0_0fdadfe-ae11_3Y8_7_1-205a5_0c70/64/3e7b044effbab2e6e9eb0af73e121ad1.html
http://bqx24.accountantmanufacturer.pw/2167512493/1387623000.jar
http://bqx24.accountantmanufacturer.pw/2167512493/1387623000.htm
http://bqx24.accountantmanufacturer.pw/f/1387623000/2167512493/5

[screenshot: Clicksor_malvert]

Dropper: http://malwaredb.malekal.com/index.php?hash=7364cb248dc936a9d1f47286fd950e6b

https://www.virustotal.com/fr/file/60ab92cd6f93a90b6200940b70dfbaae8639260e1a8d05595a21d4b57d8867e7/analysis/1387644957/

SHA256:60ab92cd6f93a90b6200940b70dfbaae8639260e1a8d05595a21d4b57d8867e7
Nom du fichier :5.exe
Ratio de détection :3 / 37
Date d’analyse :2013-12-21 16:55:57 UTC (il y a 7 minutes)

Some stats about the goo.gl link – 111k redirections since December 9.
Not bad 🙂

[screenshot: Clicksor_malvert2]

EDIT January 20

More about the last one in this thread: http://www.malekal.com/2014/01/15/directrev-malvertising-lead-to-zbot/

Now, a Clicksor one:
http://serw.clicksor.com/newServing/showbanner.php?nid=1&t2042.0200890210355&zone=0&chad=1&oe=utf-8&cs=NovaFile%7CiFile%7CPutLocker%7CTurbobit%7CUploading&adtype=2&sid=165156&pid=97125&spid=&adu=2&image=3&c1=%23FAFAFA&c2=%23FAFAFA&c3=%23A6B3BB&c4=%23666666&memkey=9775f2afc255f4bd815d95177f636005&qp=YF4lIy37KiV-ICcqIyt8YVFUOf4pLH58JiJdWjQl-ykuISQqfiAoMSAjKfdcYzn-JjB9_SUweyso91wtMn4rLCQ&bdurl=&lq=0&lb=33&orid=2206604

http://adsheaven.net/js/banner.php?id=21  (87.118.91.193)
http://adsheaven.net/js/banner.php?id=21
http://www.adsheaven.net/tr.php

Then exploit kit:
http://eylpi.gymnasticscobbler .pw/3_1fKdc197-7_9-aL7_83fP1_2-dcf_a-ebZ4a-6b_cf4b6.html
http://eylpi.gymnasticscobbler .pw/1398504892/1390232760.htm
http://eylpi.gymnasticscobbler .pw/1398504892/1390232760.jar
http://eylpi.gymnasticscobbler .pw/f/1390232760/1398504892/2
http://eylpi.gymnasticscobbler .pw/f/1390232760/1398504892/2/2

adsheaven.net is not new – I already got it on December 18: http://malwaredb.malekal.com/index.php?hash=d3cff35720f87efc284407c052904b83ae90dd3c0eff1ceb646e6d949ce72a67

Detection today: https://www.virustotal.com/fr/url/10f90a0dc014dbb19a0d87125acdfd29829b4164f3a03f0fc18a177eab2ab3b2/analysis/1390254780/

BitDefender: Malware site
Emsisoft: Malware site
Kaspersky: Malware site
Malekal: Malicious site
Websense ThreatSeeker: Malicious site

Payload: https://www.virustotal.com/fr/file/c395c6f35e1bf894210b90971133908b85e94fd5939deb322df57df9730afb8c/analysis/

So adsheaven.net is probably a rogue ads company and, as usual, Clicksor does not clean its network.

[screenshot: Clicksor_malvertising_zbot]

EDIT January 22

Two malvertisings from Clicksor via grandclix.com:

http://serw.clicksor.com/newServing/inter.php?ob=Yesup.clicksor.Code[0]&zone=0&adu=2&chad=1&cs=&adtype=0&nid=1&sid=512238&pid=244939&spid=&image=2&c1=&c2=&c3=&c4=&memkey=7be08ca9b2d90440787717e7a2b4ade2&durl=&lq=0&lb=1&qp=YF4lITUiISkifH0xIiEqIfFjZU4wLH79Ii8i_GpVJSUzICctfX4lLnwjKiL9Iy8jKXxiWy0tfCwnIX4pMSMn&ao_s=12&maxad=-1&hourcap=-1&showcap=2&ref=http%3A%2F%2Fwww.mp3skull.me%2Flyrics%2FWrecking-Ball-Miley-Cyrus-ABJVvjAD.html
http://adserving.grandclix.com/redir.php?url=http%3A%2F%2Fsystads.info
http://adserving.grandclix.com/newServing/go.php?cpx=cpi&pid=244939&sid=512238&spid=&nid=1&uid=50889941803136&af=3&rf=0&curl=http%3A%2F%2Fadserving.grandclix.com%2Fredir.php%3Furl%3Dhttp%253A%252F%252Fsystads.info&log=1&rnd=58270

http://systads.info/ – 2 @ VT https://www.virustotal.com/fr/url/ff5eed97bf14e35a475f84ebef49dd44a1482a0129878b0f1147f508ec2e453c/analysis/1390384146/
http://www.systads2.info/?id=3 – 2 @ VT https://www.virustotal.com/fr/url/e2afa04af4bd425baf74954d7a5aa9f8a9c005c30bbd0e6e5009c56cc3d33627/analysis/1390384136/

http://kokifeev.niaharuu.com:8000/kfcge?biqrgupe=4830488

~~

http://content.yieldmanager.edgesuite.net/atoms/af/d6/da/b3/afd6dab324e5e8737287313ff96d1267.swf?clickTAG=http%3A%2F%2Fads%2Eyahoo%2Ecom%2Fclk%3F3%2CeJydjVFvgjAQxz%2DNb4y0pYCk2UMRYW4WQoJu8GJaECpD2KTT4Kcfbhr3vF8ul9%2E%2E7pKDBrENZIIc5TYocSkwJhAbwrEdDrZcA4QQBB0HOciEUHsr2iY4LsJV7KZ%2DG7v0wnPIRUz%2EcAvvF517s5m%2Eq34nL0Lh6%2ELpE6f0%2E3jmUXZXX1B6orTyplRarvm1Yu79jA1RkDWsZqdlUp3DIFUs8Rs2QBkF63qZyF32mgJ2nkOGsjq6P3jUNKnUx8SgE%2DSPxXVePPRDr%2DfdfozloWvVphAbXoxJ8LbdHvrREBibBX7MAlNLl2rffANby2YN%2C
http://adserving.grandclix.com/redir.php?url=http%3A%2F%2Fautisticadvisor.com

http://autisticadvisor.com/ – 0 @ VT https://www.virustotal.com/fr/url/c38759410630516c367fd893f0ca7aeeb1f5b2f81409eb0db86c915acc8bd915/analysis/1390386687/

http://adserving.grandclix.com/newServing/go.php?cpx=cpi&pid=97125&sid=165156&spid=&nid=1&uid=50498886990596&af=3&rf=0&curl=http%3A%2F%2Fadserving.grandclix.com%2Fredir.php%3Furl%3Dhttp%253A%252F%252Fautisticadvisor.com&log=1&rnd=82917

http://10dd6.ef11711.93.0b40904.0c5c0a4.de1a.mghmdcliqyfx.buildingmanner.pw/

[screenshots: Clicksor_malvertising, Clicksor_malvertising2]

klixfeed also led to grandclix – see: http://www.malekal.com/2014/01/15/directrev-malvertising-lead-to-zbot/

Since 2006?
So why was the domain registered in 2012?

Domain Name: GRANDCLIX.COM
Registrar: NAME.COM, INC.
Whois Server: whois.name.com
Referral URL: http://www.name.com
Name Server: NS1.DATAH2.BIZ
Name Server: NS2.DATAH2.BIZ
Status: clientTransferProhibited
Updated Date: 06-oct-2013
Creation Date: 26-apr-2012
Expiration Date: 26-apr-2014

So, scam!

[screenshot: Clicksor_malvertising3]

EDIT –

klixfeed malvert on Clicksor: http://www.malekal.com/2013/12/08/malvertising-on-clicksor-via-rapid8-com/

http://serw.clicksor.com/newServing/links.php?zone=[…]

http://goo.gl/jNQkjO

http://www.klixfeed.com/popupads.php?link=true&username=r2k1984&sid=496&cap=0&type=1&open=1%E2%80%8F
http://www.klixfeed.com/re.php?mid=152dfc7e1e1f93&m=aHR0cDovL3d3dy5ib3hzZWFyY2gubmV0L2ZpbHRlci5waHA=&tu=68706
http://www.boxsearch.net/filter.php?mid=152dfc7e1e1f93&tu=68706
http://www.boxsearch.net/go.php?mid=152dfc7e1e1f93&tu=68706

http://91.230.205.16/css/look5.php

http://n83klqo.figureskatinggardener.pw/b6JaAe_8-6-f17-9-33_4_9200_6-05c-8-905b460_c66U.html
http://n83klqo.figureskatinggardener.pw/902687235/1390375920.htm
http://y5p8k2.figureskatinggardener.pw/ae-2_bWfEd38Xb_cL1ff-1a1_56_3-b49_c_2G3b8-dc_8c9.html
http://y5p8k2.figureskatinggardener.pw/386960325/1390375920.jar
http://y5p8k2.figureskatinggardener.pw/f/1390375920/386960325/2
http://y5p8k2.figureskatinggardener.pw/f/1390375920/386960325/2/2
http://y5p8k2.figureskatinggardener.pw/386960325/1390375920.htm

[screenshot: Clicksor_yousucks]

EDIT – January 23

Case closed.
Got in touch with Yesup and it appears they removed all the malvertisings listed here (and maybe another one not listed).
We will see if they are able to keep their network clean.

EDIT – January 25

Found another one, still the same .pw group:
http://serw.clicksor .com/newServing/showbanner.php?nid=1&t8452.530353509331&zone=0&chad=1&oe=utf-8&cs=Share%20Online%7CYoutube%7CUltramegabit%7CFreakShare%7CEasy%20Share&adtype=2&sid=165156&pid=97125&spid=&adu=2&image=3&c1=%23FAFAFA&c2=%23FAFAFA&c3=%23000000&c4=%23666666&memkey=9775f2afc255f4bd815d95177f636005&qp=YF4lIS_9ISgmfH0t_SglIPwlIl1cWyv8JjH-KC33W1c5ISMwIH4hL_4rLyN9IC7zZ2or_CM1_SksfiAkL_NnNCR8KDEg&bdurl=&lq=0&lb=33&orid=8411981
http://pub.clicksor .net/newServing/js/banner.js

http://kartuga-game .com/promo/banner_468x60.html (31.207.3.122) – 3 @ VT https://www.virustotal.com/fr/url/5d1994f150e090f9205a461d9e57527094ed6fe46c997c9a601e89b67771f481/analysis/1390652436/
http://melicord.com/ad_track .php?s=22&aid=123&cn=eu&contextm=1 (31.207.2.154) – 4 @ VT https://www.virustotal.com/fr/url/4ec2c5df3abb412fe4b13f9adb761f4a87c6da72825cdd59f5dc04f6de062a12/analysis/1390652453/

Then exploit kit:
http://huyie.skatebiathlon .pw/3c66aeKcH177a-d-3cVab9795Dc82Pbb_54c5d61/20/f2489f9f8618a7cf297a1d5330e30fc3.html
http://huyie.skatebiathlon .pw/1806829153/1390630320.htm
http://huyie.skatebiathlon .pw/1806829153/1390630320.jar
http://huyie.skatebiathlon .pw/f/1390630320/1806829153/2
http://huyie.skatebiathlon .pw/f/1390630320/1806829153/2/2

[screenshot: Clicksor_malvertising]

The exploits are hosted at OVH:
*.DOMAIN.PW (192.95.6.121)
CIDR: 192.95.6.112/28
OriginAS: AS16276
NetName: OVH-CUST-411280

DNS1.OFROADCDNNS.ORG (198.50.242.120)
CIDR: 198.50.242.120/30
OriginAS: AS16276
NetName: OVH-CUST-416954

DNS2.OFROADCDNNS.ORG (198.50.235.198)
CIDR: 198.50.235.196/30
OriginAS: AS16276
NetName: OVH-CUST-416985

*.batlacrosse.pw
*.helmetracer.pw

~~

*.DOMAIN.PW (192.95.6.119)
CIDR: 192.95.6.112/28
OriginAS: AS16276
NetName: OVH-CUST-411280

DNS1.SKYWEBNET.ORG (142.4.194.4)
CIDR: 142.4.194.0/29
OriginAS: AS16276
NetName: OVH-CUST-416988

+ DNS2.SKYWEBNET.ORG (198.50.235.77)
CIDR: 198.50.235.72/29
OriginAS: AS16276
NetName: OVH-CUST-419692

[screenshot: OVH_Exploitkit]

EDIT – January 26

And… the adsheaven.net malvertising is back…

[screenshot: Clicksor_malvert]

EDIT – February 1

And back for the weekend:
http://serw.clicksor .com/newServing/showbanner.php?nid=1&t9902.307506219691&zone=0&chad=1&oe=utf-8&cs=BillionUploads%7CFileCloud%7CVip%20File%7CExtabit%7CSockShare&adtype=7&sid=165156&pid=97125&spid=&adu=2&image=3&c1=%23FAFAFA&c2=%23FAFAFA&c3=%23000000&c4=%23666666&memkey=c56fb925b40a706ff83353a58808c53d&qp=YF4lITMiIS0h-SIv_iEwfvFjZU4wKCR8ITEg_GpVJScsIyUufv4hNCIoLX39-XBdMCghISEufigvInv5cCcnKCd7JTL-&bdurl=&lq=0&lb=32&orid=2726422

http://www.sladoadv .com/promo468x60/promo.swf?t=1391255847367

http://serw.clicksor .com/newServing/roitrack.php?cluid=1-1-165156-114833-18197588-182677-13912558434375-1391255845-10216633690961-18660256&nid=1&type=Other&value=-1&adsid=70719
http://pub.clicksor .net/newServing/js/banner.js
http://serw.clicksor .com/newServing/roitrack.php?cluid=1038-1-165156-1942-1506755-3646-13912558434375-1391255847-10220670687762-1678538&nid=1&type=Other&value=-1&adsid=1423

http://rm1.datexrmedia. com/rxm1_300x250.html

http://drukin .pw/6fb0bc82808b4ecee3eb1d7e46db93a0
http://p63n8dw.movedodgeball.pw/0569Q3e6Wda5-8_d_dN0Rd9_79Z02028-3R51f7c-b-8_1/3/f3f9ab7de7f1388cc5ee8101b891ec2b.html
http://p63n8dw.movedodgeball .pw/4136663354/1391234400.jar
http://p63n8dw.movedodgeball .pw/f/1391234400/4136663354/2
http://p63n8dw.movedodgeball .pw/f/1391234400/4136663354/2/2
http://p63n8dw.movedodgeball .pw/4136663354/1391234400.htm
http://p63n8dw.movedodgeball .pw/f/1391234400/4136663354/5

Dropper: http://malwaredb.malekal.com/index.php?hash=9a3aae86d9ec1b951f247de787ccb8d2

[screenshot: Clicksor]

EDIT –

Another one:

http://serw.clicksor.com/newServing/showbanner.php?nid=[..]
http://pub.clicksor.net/newServing/js/banner.js

http://www.sladoadv.com/promo468x60/swfobject.js (65.49.89.232)
http://www.sladoadv.com/promo468x60/promo.swf?t=1391291088790 – 0 @ VT https://www.virustotal.com/en/file/bd1c1fe62d03244c3fb560e9aee513b25218e7ec4159a2cd9039ad955748d7
http://www.hroatasoft.com/crossdomain.xml

http://www.hroatasoft.com/price.xml?t=384.8222028464079 (31.148.220.76)

http://aihahdid.ninefours.com:8000/dtwwyvgj?ifnklbfljujt=9931422
http://aihahdid.ninefours.com:8000/xrekkgj.js
http://aihahdid.ninefours.com:8000/brhjqxcvmowyd
http://aihahdid.ninefours.com:8000/ttwsiksrldzcmxnsz
http://aihahdid.ninefours.com:8000/fgqscbba?epslaltx=xjuquhnpar

[screenshot: Clicksor_Malvertising]

EDIT February 13

Some days after the shutdown of the previous campaign, everything is back, now with 2 different exploit kits:

http://serw.clicksor.com/newServing/showbanner.php?[…]

http://providencevisitor.com/banners/showad.php – 4 @ VT https://www.virustotal.com/fr/url/d3cdb0bd48578b9f5d92b6490a61341c5ba359adff1e491ea2d3df1273a5ac04/analysis/1392304920/
http://providencevisitor.com/banners/moms300x250.swf
http://sellyourmaind.pw/banners/show_ads.php (sellyourmaind.pw)

http://name.cidadenamao.com/logout.php&PSSGVErSYw?002
http://name.cidadenamao.com/logout.php&MsQvx7FWr9?001
http://name.cidadenamao.com/logout.php&MTYAH2Wq47?003

EK 1:

http://bestrailcs.cz/zip/scanner/GJ.html (130.193.8.48)
http://bestrailcs.cz/02/13/2014/analyzer/str/analyzer.htm

http://pixuu.qywelororef.com/uav.cgi?20 (64.120.137.44)

EK 2:

http://hejcow2b.hotchocolatefield.pw/3264de_9c-f4-0eK86O6-a8E23fQd-03F03dRe1Pc3adZ/34/cff414b8e48d6a05a941b28ee3aef9ea.html (31.41.221.130)

[screenshots: Clicksor_pw2, Clicksor_pw]

EDIT – February 14

http://serw.clicksor. com/newServing/showbanner.php?nid=1&t7982.0865895940315&zone=0&chad=1&oe=utf-8&cs=download%7Cmusic%7Ccascada%20evacuate%7Csound%7Csong%20writer&adtype=7&sid=512238&pid=244939&spid=&adu=2&image=3&c1=%23ffffff&c2=%23FFFFFF&c3=%23000000&c4=%23666666&memkey=29046e59144c04fe0d21f2b777c57089&qp=YF4lJSp-KSUg_n0ufiR8YVFUOX4kKSD-KCJdWjQg_iMzfionI34gLiEpfGJbLS18LCkhfSQsICQ&bdurl=&lq=0&lb=33&orid=8566015

http://kartuga-game .com/promo/banner_300x250.html <= 3 @ VT https://www.virustotal.com/fr/url/4a2426f92620158f05d58e4f55e1dbf35d94a459913acc094cbc670bb6170adb/analysis/1392364369/

kartuga-game .com was already blogged on January 25.

http://quender .com/ad_track.php?s=22&aid=123&cn=eu&contextm=1
http://kosmetyczkaanna .pl/updater5.aspx?show=F72CB41703F96BE912

[screenshot: Clicksor_malvertising]

EDIT – February 20

Just to point out some changes at Clicksor.

At the beginning of this thread, there were about 3/4 active malvertisings on the Clicksor network.
It takes some time, but I now have the feeling that it is possible to get the Clicksor network fully cleaned.
The last one is more difficult to get entirely pulled off.
6 days without any malvertising, but the last one is still alive; I tweeted it yesterday https://twitter.com/malekal_morte/status/436182430462922753 and it seems to be pulled.
Some improvements, and it will probably be more and more difficult for the bad guys to submit their malvertisings to Clicksor.

Also, Nuclear Exploit Pack got some problems =) http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/ – gg @ConradLongmore and the @MalwareMustDie team (and probably other invisible persons)
They were forced to switch to Angler EK.
Bad times for the bad guys!

EDIT – March 4

No malvertising for some weeks.
So the incident is now closed.

Focus now on poponclick / vertoz to get their network cleaned: https://twitter.com/malekal_morte/status/439511932497063936

EDIT – April 4

Spotted by Kafeine on badwarebusters: https://www.badwarebusters.org/main/itemview/34534

Clicksor is loading content from adsmania.biz (85.25.137.56), which seems to be a fake ads company:

http://adsmania.biz/js/banner.php?id=27&f=120×600
http://marklodsystem.com/red/tr.php
http://qq1by05r62w40i0eg36-ib3.axiomle.ru/

The dropper is 1 @ VirusTotal: http://malwaredb.malekal.com/index.php?hash=b0407de0ce0090f1d2b16f1a8b9ba908

This is the same scheme as adsheaven described above.
A bit obvious..:

Domain Name: ADSMANIA.BIZ
Domain ID: D59205815-BIZ
Sponsoring Registrar: REGTIME LTD.
Sponsoring Registrar IANA ID: 1362
Registrar URL (registration services): whois.regtime.net
Domain Status: ok
Variant: ADSMANIA.BIZ
Registrant ID: CO1468389-RT
Registrant Name: Ralph Marton
Registrant Organization: Ralph Marton
Registrant Address1: via galelleo 14
Registrant City: Milan
Registrant State/Province: Milan
Registrant Postal Code: 12535
Registrant Country: Italy
Registrant Country Code: IT
Registrant Phone Number: +44.7593693953
Registrant Email: Lorinwpb504@hotmail.com

Domain Registration Date: Wed Feb 26 17:55:05 GMT 2014
Domain Expiration Date: Wed Feb 25 23:59:59 GMT 2015
Domain Last Updated Date: Wed Feb 26 17:55:05 GMT 2014

~~

Name Server: NS1.NAMESELF.COM
Name Server: NS2.NAMESELF.COM

All the DNS servers are hosted in Russia:

NS1.NAMESELF.COM has address 87.242.73.100
NS1.NAMESELF.COM has address 81.176.95.18

NS2.NAMESELF.COM has address 88.212.207.45
NS2.NAMESELF.COM has address 77.221.159.237

[screenshot: Clicksor_GoogleFriendConnect_adsmania]

The redirection to Clicksor is made by Google Friend Connect.

[screenshot: Clicksor_GoogleFriendConnect]

The malvertising: [screenshot: Clicksor_GoogleFriendConnect2]

Google Friend Connect: [screenshot: Clicksor_GoogleFriendConnect3]

EDIT – April 25

And again…

I don't know if they are just incompetent or if they are running malvertising on purpose (malvertising brings more money), but the result is the same.
So I decided to blacklist Clicksor in VirusTotal: https://www.virustotal.com/fr/url/f2c1f4fefaa4a01a6a041b47200efcf76e9f0a7964b67490beaf85891c41dbb3/analysis/1398447083/

If there are some brave antivirus vendors around, please do the same. This network has been A BIG THREAT for users for years.

[screenshot: Clicksor]

EDIT – May 22

Again…
=> http://malwaredb.malekal.com/index.php?hash=25017d5058473afcf7de9ebb2ee9da70

[screenshot: Clicksor_malvertising]

EDIT – June 2 2014

I made a comment about fake Java/Flash malvertising on this thread: http://malvertising.stopmalwares.com/2014/05/pup-domaiq-fake-javaflash-update-pages/
There is also a fake Flash malvertising with the javainstall.net malvertising that is still online.

EDIT – February 25 2015: Clicksor / Yesup network is redirecting to fake support scam malvertising

Updating this old article to mention that Clicksor / Yesup is redirecting to fake support scam malvertising.
Not so surprising.
They seem to use a lot of domains – maybe to bypass blacklists?: https://www.virustotal.com/fr/ip-address/199.21.148.108/information/

[screenshot: Clicksor_fakescamsupport]
