[en] qweentits.org Malvertising and malicious SWF

Just caught a nice malvertising chain from Clicksor via PlugRush and AdultAdWorld on a warez website:

http://serw.clicksor.com/newServing/links.php?zone=0&chad=1&adu=2&cs=&adtype=0&nid=1&sid=240866&pid=158704&spid=0&image=2&memkey=21ef288088acf517e987cc9c5dce85d9&durl=http%3A%2F%2Ftinyurl.com%2Fd5vnmq5&lq=0&lb=145&qp=YF4lKC_7JScg-Scy-yQqJPFjZU4wKSL7KDIg_GpVJSUzICctfX4lLnwjKiL9IzAiKnxiWy0tfCgsIPwnL_4r
http://viegmobmi.com/?9d41c876af1aa135efa0cc288c49fe05
http://udkqwktff.ftp1.biz/vd/2;bbac9ceefad9d2cdeab12044a0bbe316
http://koralucpa.info/
http://viegmobmi.com/?9d41c876af1aa135efa0cc288c49fe05
http://ad.koraloguild.info/?529f79e9fe8613c45013718baab7d1a2
http://koraloguild.info/?track=072221289aea340cfe2daa2add5f15fc

which redirects to:

http://pu.plugrush.com/1o1w.js
http://pu.plugrush.com/t/1o1w/3305/302e834e1ebe560283f5496e31ab8659/aHR0cDovL2tvcmFsb2d1aWxkLmluZm8vP3RyYWNrPTA3MjIyMTI4OWFlYTM0MGNmZTJkYWEyYWRkNWYxNWZj

which redirects to:

http://newt7.adultadworld.com/jsc/z5/fm.html?n=607&c=14316&s=30358&d=15&w=1&h=1&z=76146995
http://newt7.adultadworld.com/bar/v16-605/z5/jsc/fmr.html?n=607&c=14316&s=30358&d=15&w=1&h=1&z=76146995
http://cs.adxpansion.com/ads.php?zone_id=86850&type=redirect&q=

which finally redirects to the advertised site: qweentits.org

As you can see, qweentits.org hits a Sutra TDS that redirects to the exploit kit:

http://pornedcash.org/in.cgi?2 (95.211.199.34)
http://pornedcash.org/file.php
http://a1s2d3f4g5h6j7.quannhacvang.com:19980/t/3a167abc5fb34ae7fd79e9bb167fad78
http://a1s2d3f4g5h6j7.quannhacvang.com:19980/images/0834df1f7eb7522dff56cf98039d6c6d/1355219750/bee08027b51dbd80bd1f3a764f6474d8.jar
http://a1s2d3f4g5h6j7.quannhacvang.com:19980/images/0834df1f7eb7522dff56cf98039d6c6d/1355219750/bee08027b51dbd80bd1f3a764f6474d8.jar
http://a1s2d3f4g5h6j7.quannhacvang.com:19980/images/0834df1f7eb7522dff56cf98039d6c6d/1355219750/bee08027b51dbd80bd1f3a764f6474d8.jar
http://a1s2d3f4g5h6j7.quannhacvang.com:19980/t/kalibton.class

In the source code of qweentits.org there is nothing related to that TDS.

In fact, the redirect to the Sutra TDS is made by this banner:


With Sothink SWF Editor we can see the Sutra TDS URL:

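The decompiler shows the point: the redirect lives inside the banner, not in the page's HTML. As an added example (not part of the original post, and nothing to do with Sothink), here is a small static check that does the same job for an ActionScript 2 banner: it inflates a CWS file and walks every DoAction tag for ActionGetURL targets. The SWF it inspects is constructed inline with a placeholder URL; a real sample would be read from disk, and an AS3 (DoABC) banner would need a different walker.

```python
import struct
import zlib

# Constructed sample (not the post's porn.swf): a minimal ActionScript 2 banner
# whose single frame runs ActionGetURL against a placeholder TDS URL.
TDS_URL = b"http://tds.example.invalid/in.cgi?2"   # placeholder, not a real indicator


def build_sample_swf(url: bytes) -> bytes:
    get_url = b"\x83" + struct.pack("<H", len(url) + 2) + url + b"\x00\x00"   # url\0 target\0
    actions = get_url + b"\x00"                                                # ActionEnd
    do_action = struct.pack("<HI", (12 << 6) | 0x3F, len(actions)) + actions  # long-form tag hdr
    body = (b"\x0a\x80"                              # RECT: Nbits=1, stage 0..1 twips on both axes
            + struct.pack("<HH", 12 << 8, 1)         # frame rate 12.0 (8.8 fixed), frame count 1
            + do_action + struct.pack("<H", 1 << 6)  # DoAction, then ShowFrame
            + b"\x00\x00")                           # End tag
    return b"CWS\x08" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


def _walk_actions(actions: bytes) -> list:
    found, i = [], 0
    while i < len(actions) and actions[i] != 0:      # 0x00 is ActionEnd
        code, i = actions[i], i + 1
        length = 0
        if code >= 0x80:                              # only codes >= 0x80 carry a uint16 length
            length, i = struct.unpack_from("<H", actions, i)[0], i + 2
        if code == 0x83:                              # ActionGetURL payload: url\0 target\0
            found.append(actions[i:i + length].split(b"\x00")[0].decode("latin-1"))
        i += length
    return found


def extract_geturl_targets(swf: bytes) -> list:
    """Return the ActionGetURL targets of every DoAction tag in an FWS/CWS file."""
    if swf[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF: bad signature")
    body = zlib.decompress(swf[8:]) if swf[:3] == b"CWS" else swf[8:]   # CWS: zlib after header
    nbits = body[0] >> 3                              # RECT begins with a 5-bit Nbits field
    pos = (5 + 4 * nbits + 7) // 8 + 4                # skip RECT, frame rate (2), frame count (2)
    urls = []
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = header >> 6, header & 0x3F, pos + 2
        if length == 0x3F:                            # long form: real length is a uint32
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        tag, pos = body[pos:pos + length], pos + length
        if code == 0:                                 # End tag
            break
        if code == 12:                                # DoAction
            urls.extend(_walk_actions(tag))
    return urls
```

Run `extract_geturl_targets(open("porn.swf", "rb").read())` on a captured banner to list the URLs it will send the browser to, which is exactly what the page source does not show.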

The SWF has 0 detections on VirusTotal: https://www.virustotal.com/file/eb63434ab5ec1f5974a08fac5974dbeab465770e2d1881748fb4ef1da367e825/analysis/1355219842/

SHA256: eb63434ab5ec1f5974a08fac5974dbeab465770e2d1881748fb4ef1da367e825
File name: porn.swf
Detection ratio: 0 / 43
Analysis date: 2012-12-11 09:57:22 UTC ( 1 minute ago )


The malware is poorly detected: http://malwaredb.malekal.com/index.php?hash=d865c1ce929421df6aca6a92d806cc41


EDIT - December 15

Back with www.livecamsxxxnow.com on the same IP: 95.211.199.34


The Sutra TDS is replaced by http://dereteweret.org/ava/file.php

Detection of http://www.livecamsxxxnow.com/porn.swf: https://www.virustotal.com/file/90f861fcaf2b93e0d8178a843ae010cc217714dcec8e25e11e1d36466cad8c72/analysis/1355572194/

SHA256: 90f861fcaf2b93e0d8178a843ae010cc217714dcec8e25e11e1d36466cad8c72
File name: porn.swf
Detection ratio: 0 / 46
Analysis date: 2012-12-15 11:49:54 UTC ( 0 minute ago )

This article is licensed under Creative Commons BY-NC-SA.
You may share and adapt this article, provided you credit the site and the license, release any modified work under the same license, and do not use it commercially.