[Emerging-Sigs] malvertising at MSN

James McQuaid jim.mcquaid at gmail.com
Sun Oct 31 20:20:58 EST 2010


Hello Eoin,

Here is another one:
93.174.91.149    adsuffle1.com
93.174.91.149    hostmaster.adsuffle1.com

The group behind this is Ukrainian, and appears to be spoofing evangelical
protestants.

James McQuaid



On Tue, Oct 26, 2010 at 4:31 PM, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:
Don't know if you have this in RBN right now or not, but these guys should
go in there as well:

93.174.91.146 - this.content.served.by.adshuffle1.com
93.174.91.142 - adfarm.mediaplex1.com

Historically these malvertising servers have been in the following
netblocks. Dates are somewhat approximate:

72.9.236.160/27 - 6/30/2010
65.254.60.224/27 - 8/30/2010

These are malvertising servers within the affiliate network that Microsoft
currently uses (for the last few weeks). Tons of people are hitting them,
getting obfuscated javascript that redirects them to a *.co.cc domain which
then finally redirects them to the SEO driveby netblock (91.213.217.0/24).

I wrote a sig to track when these malvertising servers move around, but it
never made it into ET for some reason. I think because it triggers way too
much, but it seriously is all valid. I haven't had an FP yet with this for
helping me identify the malvertising servers as they swap hostnames and
netblocks; it is SERIOUSLY simple as well:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID MALVERTISING client contacting malvertising server for stats tracking"; flow:established,to_server; content:"/stats_js_e.php?"; http_uri; classtype:bad-unknown; sid:5600096; rev:1;)

Watch the referrers and the hostnames on the packets that fire this; it is
beyond terrifying. If you have full PCAP you can look at the obfuscated
javascript to/from the malvertising hosts/netblocks, deobfuscate it with
jsunpack.jeek.org and then follow the redirect (usually to the intermediary
*.co.cc domain) and then finally to the actual SEO exploit kit. It has yet
to let us down with sinkholing with this massive malvertising campaign for
at least the past 6 months.

-- Eoin
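The triage step Eoin describes (watch which hostnames fire the `/stats_js_e.php?` rule and which referrers led clients there) as an added example, not part of the original thread: it applies the rule's `content` match to a few constructed proxy-log lines and groups hits by server hostname and referring site so a moving malvertising host stands out. The log format and the lines below are assumptions made up for the example; only the hostnames are taken from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the original post).
# Format assumed here: client host method uri "referer"
SAMPLE_LOG = """\
10.0.0.5 this.content.served.by.adshuffle1.com GET /stats_js_e.php?id=1234 "http://www.msn.com/"
10.0.0.7 adfarm.mediaplex1.com GET /stats_js_e.php?id=9876 "http://news.example.org/"
10.0.0.9 www.example.com GET /index.html "-"
10.0.0.5 adsuffle1.com GET /stats_js_e.php?id=1234 "http://www.msn.com/"
10.0.0.11 cdn.example.net GET /static/stats_js_e.php "-"
"""

# The literal from the rule's content match; note the trailing '?'.
RULE_CONTENT = "/stats_js_e.php?"

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Split one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, host, method, uri, referer = m.groups()
    return {"client": client, "host": host, "method": method,
            "uri": uri, "referer": referer}


def matches_rule(uri):
    """Snort 'content' with http_uri is a plain substring test on the request URI."""
    return RULE_CONTENT in uri


def triage(log_text):
    """Return the matching records and a map of server hostname -> referring sites."""
    hits = []
    by_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_rule(rec["uri"]):
            hits.append(rec)
            by_host[rec["host"]].add(urlsplit(rec["referer"]).hostname or "-")
    return hits, dict(by_host)


if __name__ == "__main__":
    hits, by_host = triage(SAMPLE_LOG)
    for host, refs in sorted(by_host.items()):
        print(f"{host}: {len(hits)} total hits, referred from {sorted(refs)}")
```

The `/static/stats_js_e.php` line is deliberately left unmatched to show that the trailing `?` in the rule's content string is part of what keeps its false-positive rate low.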