[en] Malvertising on tube8.com leads to Trojan.Zbot

Already got it some days ago, but I didn't pay any attention.

Tube8.com is a large porn website, ranked around 130k on Alexa.com.

(screenshot: Tube8_malvertising)
The Exploit Kit: (screenshot: Tube8_malvertising2)

engine.phn.doublepimp.com leads to dblpmp.com
(screenshot: Tube8_malvertising3)
which then leads to dateroute.com (95.211.13.44 - LeaseWeb - NL)
(screenshot: Tube8_malvertising4)

then to a TDS: clickstatonlinetreker.com/in.cgi?4 (62.212.72.236 - LeaseWeb - NL)
(screenshot: Tube8_malvertising5)
then to appletreestore.com/ (95.211.216.35 - LeaseWeb - NL)
(screenshot: Tube8_malvertising6)
and finally to the Exploit Kit: mixicams.com/discussing/soon-rarely_bodies_combinations.php (130.185.105.69 - Creative-Telematics-Trade - CZ)
(screenshot: Tube8_malvertising7)
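Redirect chains like the one above are easiest to confirm from a web proxy log, by walking the Referer of each request back to the page that started it. The script below is an added example, not part of the original post: it parses a few constructed, squid-style log lines (timestamp, client, method, URL, referer) that replay the chain described here, flags any request to one of the hosts named in the post (or to a `/in.cgi?<n>` style TDS entry point), and reconstructs the hop sequence per client so an analyst can see which site the visitor was on when the ad chain fired. The log format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Hosts of the redirect chain as observed in the post (with the IPs it gives).
# These are this campaign's indicators, not a general-purpose blocklist.
CHAIN_HOSTS = {
    "engine.phn.doublepimp.com": "ad engine",
    "dblpmp.com": "ad redirector",
    "dateroute.com": "redirector (95.211.13.44)",
    "clickstatonlinetreker.com": "TDS (62.212.72.236)",
    "appletreestore.com": "redirector (95.211.216.35)",
    "mixicams.com": "exploit kit (130.185.105.69)",
}

# Sutra-style TDS entry point seen in the post: /in.cgi?<campaign id>
TDS_ENTRY = re.compile(r"/in\.cgi\?\d+")

# Constructed proxy log (fields: ts client method url referer, "-" = no referer).
# Not real traffic; it replays the hop order given in the post for one client.
SAMPLE_LOG = """\
1367310000.101 10.0.0.5 GET http://www.tube8.com/ -
1367310000.402 10.0.0.5 GET http://engine.phn.doublepimp.com/ad?zone=1 http://www.tube8.com/
1367310000.611 10.0.0.5 GET http://dblpmp.com/go http://engine.phn.doublepimp.com/ad?zone=1
1367310000.820 10.0.0.5 GET http://dateroute.com/ http://dblpmp.com/go
1367310001.050 10.0.0.5 GET http://clickstatonlinetreker.com/in.cgi?4 http://dateroute.com/
1367310001.300 10.0.0.5 GET http://appletreestore.com/ http://clickstatonlinetreker.com/in.cgi?4
1367310001.555 10.0.0.5 GET http://mixicams.com/discussing/soon-rarely_bodies_combinations.php http://appletreestore.com/
1367310005.000 10.0.0.9 GET http://example.org/ -
"""


def parse_log(text):
    """Split space-separated log lines into request records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer = line.split(" ", 4)
        entries.append({
            "ts": float(ts), "client": client, "method": method,
            "url": url, "referer": None if referer == "-" else referer,
        })
    return entries


def host_of(url):
    return urlparse(url).hostname or ""


def redirect_chain(entries, final_url, client):
    """Walk Referer headers backwards from final_url and return the hops in order."""
    by_url = {}
    for e in entries:
        if e["client"] == client:
            by_url.setdefault(e["url"], e)  # keep the first request for each URL
    chain, seen, url = [], set(), final_url
    while url in by_url and url not in seen:  # stop at the landing page or on a loop
        seen.add(url)
        chain.append(url)
        url = by_url[url]["referer"]
    chain.reverse()
    return chain


def find_suspicious_chains(entries):
    """Flag requests to known chain hosts or TDS-style URLs, with their reconstructed chain."""
    results = []
    for e in entries:
        host = host_of(e["url"])
        label = CHAIN_HOSTS.get(host)
        if label is None and TDS_ENTRY.search(e["url"]):
            label = "TDS-style in.cgi entry point"
        if label:
            results.append({
                "client": e["client"], "host": host, "label": label,
                "chain": redirect_chain(entries, e["url"], e["client"]),
            })
    return results


def landing_hosts(results):
    """Which sites the victims were actually browsing when the chain started."""
    return {host_of(r["chain"][0]) for r in results if r["chain"]}


if __name__ == "__main__":
    flagged = find_suspicious_chains(parse_log(SAMPLE_LOG))
    for r in flagged:
        print(f"{r['client']} hit {r['host']} [{r['label']}] via {len(r['chain'])} hops")
    print("landing pages:", sorted(landing_hosts(flagged)))
```

The landing-host summary is what answers the question raised later in the post (whether the same ad chain is live on other sites of the network): if the first hop of the chains is extremetube.com or spankwire.com rather than tube8.com, the malvertising is present there too.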
This time, it's not a Fake Police ransomware but a Trojan.Zbot.
Zbot has been showing up more often lately; there is also a malvertising campaign on Clicksor that leads to Zbot
(but Clicksor leading to malware is "normal").
(screenshot: Tube8_malvertising8)

http://malwaredb.malekal.com/index.php?hash=ac1789b1b7d644338be6041b1fbd167d

https://www.virustotal.com/fr/file/574180f75800d59d2bc57b3421944d668ee08e27ef0302f7264c85c60abc909a/analysis/

SHA256: 574180f75800d59d2bc57b3421944d668ee08e27ef0302f7264c85c60abc909a
File name: nature.exe
Detection ratio: 3 / 46
Analysis date: 2013-04-30 09:27:50 UTC (16 minutes ago)

Comodo UnclassifiedMalware 20130430
Kaspersky Trojan-Spy.Win32.Zbot.kyug 20130430
Kingsoft Win32.Troj.Zbot.ky.(kcloud) 20130422

(screenshot: Tube8_malvertising9)

EDIT

The malvertising is probably present on the other websites of the PornHub Network.

(screenshot: Tube8_malvertising_PornHub_Network)

For example, I also got it on extremetube.com (1000 at Alexa.com)
(screenshot: Tube8_malvertising_PornHub_Network2)
or on spankwire.com (550 at Alexa.com)
(screenshot: Tube8_malvertising_PornHub_Network3)

EDIT 05/01/2013: 150k / 240k a day

Thanks to MalwareScene.

Looks like it is fixed.

Got access to the TDS statistics.
100k / 200k unique visitors a day.
With around 10% success, they probably reached 15k / 24k infected computers per day.

The malvertising on the PornHub Network began on 04/28.
It looks like, before that, they were somewhere on redtube.com according to the referrer.

(screenshot: Tube8_TDS)
France and Germany are the main targets: (screenshot: Tube8_TDS2)

Statistics by browser:
(screenshot: Tube8_TDS4)

The TDS is quite old; they targeted other countries in the past.

Japan and Poland: (screenshot: Tube8_TDS7)
Germany and Japan: (screenshot: Tube8_TDS6)
Poland and France: (screenshot: Tube8_TDS5)

This article is licensed under Creative Commons BY-NC-SA.
You may share and modify this article, provided that you credit the site and the license, use the same license if you modify the work, and do not use it commercially.
