[en] Zbot Malvertising on Clicksor

: https://www.virustotal.com/fr/file/c395c6f35e1bf894210b90971133908b85e94fd5939deb322df57df9730afb8c/analysis/ so adsheaven.net is probably a rogue ad company and, as usual, Clicksor does not clean up its network. EDIT January 22: Two malvertising ads from Clicksor via grandclix.com: http://serw.clicksor.com/newServing/inter.php?ob=Yesup.clicksor.Code[0]&zone=0&adu=2&chad=1&cs=&adtype=0&nid=1&sid=512238&pid=244939&spid=&image=2&c1=&c2=&c3=&c4=&memkey=7be08ca9b2d90440787717e7a2b4ade2&durl=&lq=0&lb=1&qp=YF4lITUiISkifH0xIiEqIfFjZU4wLH79Ii8i_GpVJSUzICctfX4lLnwjKiL9Iy8jKXxiWy0tfCwnIX4pMSMn&ao_s=12&maxad=-1&hourcap=-1&showcap=2&ref=http%3A%2F%2Fwww.mp3skull.me%2Flyrics%2FWrecking-Ball-Miley-Cyrus-ABJVvjAD.html…

[en] Yahoo Ads for Fake Java Update (PUP.DomaIq)

…dailymotion redirected to FakeAV: http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/ Clicksor traffic: Win an iPad ads:

Clicksor malvertising still online

…https://www.malekal.com/2011/12/13/malvertising-asrvstatsmanager-com-droppe-malware-via-videobb-et-adserve-com/ The Clicksor one, after lying dormant, is making its comeback. http://www3.malekal.com/malwares/index.php?&domaine=109.236.81.247 The banner is…

Police Virus / Bundespolizei Virus – clicksor.com malvertising on streaming sites

…ad network, for example large sites such as dpstreaming and allo-show-tv.com, mentioned by the victims. The Clicksor ad network link redirects to the page hxxp://abrak7.info/fc061bf0b1f0f56610357be4d6228211 (184.107.189.51) Referer: http://serw.clicksor.com/newServing/showbanner.php?nid=1&t40.51179350271772&zone=0&chad=1&oe=UTF-8&cs=Watch%20Free%20Live%7CLiga%7CEuropa%20League%7CBundesliga%7CWatch%20Live%20Sport%20on&adtype=1&sid=340726&pid=211273&spid=0&adu=2&image=3&c1=&c2=&c3=&c4=&memkey=89ac83e4867598e00114613086dc6a26&qp=YF4lKC_7JScg-Scz-yUqJ_FjZU4wKiL7Jy4g_GpVJSEseyZ8YlstLXwlKiQhJDV-K3xVXy0t_SM&bdurl=&lq=0&lb=129&orid=2584354 This…

Malvertising on dl-protect.com via hooqy.com and Clicksor

…to BlackHole The malicious banner: It is in fact Clicksor that loads it: The BlackHole links: …

Malicious advertisements ("malvertising"), a source of virus distribution

…it is web browser plugins that are targeted. The following diagram describes a malvertising campaign: Example of Clicksor malvertising on video: Some malvertising campaigns 2011…