Wednesday, January 14, 2009

Serving Up Malware via Ad Networks


So there's nothing new about serving up exploits via ad networks, but I thought it was cool that someone was serving up a PDF exploit via the ad network.

From http://www.curse.com/forums/t/69161.aspx

"I was looking at GridManaBars when Avast popped up a virus, 3 times. Twice on the addon's page, and once on the download page. I just viewed the page again, but nothing there.

Here's Avast's log.

12/2/2008 7:11:31 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702&vis=1" file.
12/2/2008 7:11:31 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702" file.
12/2/2008 7:11:50 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702&vis=1" file. "

The URL looks similar from what I recall; it's traced back to valuepromo.net. Ad banners, I assume?

A Robtex lookup of that IP gives you two others in the valuepromo network:

76.74.154.110 server2.valuepromo.net
76.74.239.45 server3.valuepromo.net
76.74.239.143 server1.valuepromo.net

http://www.robtex.com/dns/qiweroqw.com.html

Google for those IPs and you'll see all kinds of people complaining about AV alerts and browser crashes.
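As an added example (not from the original post or the forum threads), here is a small Python triage script that parses Avast log lines in the format quoted above, re-fangs the hxxp:// URL, and checks the host against the three valuepromo servers from the Robtex pivot and against the pdf.php path pattern. The fourth log line and the 198.51.100.7 host are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the three Avast entries quoted above plus one unrelated line.
AVAST_LOG = """\
12/2/2008 7:11:31 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702&vis=1" file.
12/2/2008 7:11:31 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702" file.
12/2/2008 7:11:50 PM SYSTEM 1132 Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702&vis=1" file.
12/2/2008 7:12:03 PM SYSTEM 1132 Sign of "Win32:Example [tst]" has been found in "hxxp://198.51.100.7/update.exe" file.
"""

# Hosts from the Robtex pivot in the post (valuepromo.net ad servers).
VALUEPROMO_HOSTS = {
    "76.74.154.110": "server2.valuepromo.net",
    "76.74.239.45": "server3.valuepromo.net",
    "76.74.239.143": "server1.valuepromo.net",
}

# One Avast detection line: timestamp, user, pid, signature, defanged URL.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ \d+ '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<url>[^"]+)" file\.$'
)

def refang(url):
    """Restore the real scheme on a defanged hxxp:// URL so urlparse can split it."""
    return re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.IGNORECASE)

def parse_avast(text):
    """Yield one dict (timestamp, signature, host, path, query) per detection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not detection entries
        u = urlparse(refang(m["url"]))
        yield {"ts": m["ts"], "sig": m["sig"], "host": u.hostname,
               "path": u.path, "query": u.query}

def triage(text, known_hosts=VALUEPROMO_HOSTS):
    """Group detections by host, flag hosts in the known ad-server set and
    URLs whose path ends in pdf.php (the blank-PDF pattern seen in the post)."""
    by_host = {}
    for ev in parse_avast(text):
        rec = by_host.setdefault(ev["host"], {
            "hits": 0, "sigs": set(), "pdf_php": False,
            "known_as": known_hosts.get(ev["host"])})
        rec["hits"] += 1
        rec["sigs"].add(ev["sig"])
        if ev["path"].endswith("/pdf.php"):
            rec["pdf_php"] = True
    return by_host
```

Feed it a real Avast log and any host that is both in `VALUEPROMO_HOSTS` and serving pdf.php is the one worth blocking at the proxy first.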

The best stuff is here, though:

http://forums.techpowerup.com/showthread.php?t=81570

"http://76.74.154.110/zyyqoeiwrueq/pdf.php?id=14273&vis=1

I'm sitting at the techpowerup.com homepage and it takes me to this ^^ and brings me to a blank PDF document.... About 6 hours ago today, at techpowerup's homepage, it opened up Acrobat Reader (outside of Firefox) with a blank document...."

Opens up a blank PDF; yeah, that's not good...

On a more fun note, think of the damage you could do to a competitor's ad network by getting them to serve up malware and getting their whole netblock blocked? Good stuff.
CG
