Yahoo Ad Server Compromise Recap

CHRIS MANNON
January 06, 2014 - 3 min read

Malware writers had a big week to start off the new year by using Yahoo Advertisement services to peddle their warez.  The talent over at Fox-IT broke the story last week which set Team Z on the hunt.

The primary focus of our attention was the Magnitude EK (Exploit Kit), which was distributed via a malvertising campaign designed to infect the maximum number of users in a short amount of time. These attacks are particularly dangerous to websites that rely on advertising revenue to fund their activities. For this very reason, protecting ad servers should be held to a higher standard of scrutiny than other content distribution channels. If users find themselves at risk more often than they are willing to tolerate, they will adopt ad-blocking applications such as AdBlock.

This attack started at precisely Wed Jan 01 23:17:05. It lasted all through Friday the 3rd, until Yahoo and other researchers caught on to the treachery and promptly put a stop to it. We tracked the last transaction serving up malware from ads.yahoo.com/* at approximately Fri Jan 03 02:16:48. In that window, the following domains were seen hosting a malicious iFrame loaded from an ads.yahoo.com transaction:

blistartoncom[.]org/
slaptoniktons[.]net/
yagerass[.]org/
original-filmsonline[.]com/
funnyboobsonline[.]org/

These domains redirected the user to a Magnitude EK instance on a randomly generated hostname, an attempt to hinder researchers' ability to track the threat. However, all of these sites resolved to the same IP address, hosted in the Netherlands (193.169.245.78).

Other root domains include:

chapterwild[.]net
elsecommenting[.]net
farmtrains[.]net
federalpoet[.]net
irritatedpound[.]net
layfriend[.]net
suggestsfilm[.]net
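The two-stage chain described above (ads.yahoo.com iFrame, then a redirector domain, then a Magnitude EK host on a random multi-label hostname under a handful of root domains) is what a proxy-log hunt would key on. The following detector is an added example, not Zscaler's tooling: the redirector and root domains come from this write-up, while the log format, the six-digit-plus-random-labels hostname regex, and the sample log lines are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Redirectors and Magnitude EK root domains named in this write-up (defanging brackets removed).
REDIRECTORS = {"blistartoncom.org", "slaptoniktons.net", "yagerass.org",
               "original-filmsonline.com", "funnyboobsonline.org"}
MAGNITUDE_ROOTS = {"crisisreverse.net", "boxsdiscussing.net", "limitingbeyond.net",
                   "liechecks.net", "suggestsfilm.net", "chapterwild.net",
                   "elsecommenting.net", "farmtrains.net", "federalpoet.net",
                   "irritatedpound.net", "layfriend.net"}
# Assumed shape of the EK hostnames: six digits, two or more short random labels, then eTLD+1.
EK_HOST_RE = re.compile(r"^\d{6}(\.[a-z]{2,12}){2,}\.[a-z0-9-]+\.[a-z]{2,}$")

# Constructed sample proxy log: "<timestamp> <client> <url> <referer>" ("-" means no referer).
SAMPLE_LOG = """\
2014-01-02T10:15:03Z 10.1.2.3 http://ads.yahoo.com/ad?id=xyz http://news.example.com/
2014-01-02T10:15:04Z 10.1.2.3 http://blistartoncom.org/ http://ads.yahoo.com/ad?id=xyz
2014-01-02T10:15:05Z 10.1.2.3 http://201116.pzmu.nsv.ha.ywyh.ya.fmpryuyqoz.crisisreverse.net/index.php http://blistartoncom.org/
2014-01-02T10:16:40Z 10.1.2.9 http://201311.qq.rr.ssssss.newroot-example.net/ -
2014-01-02T10:17:00Z 10.1.2.7 http://www.example.com/ http://ads.yahoo.com/ad?id=abc
"""

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the .net/.org/.com roots seen here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url: str, referer: str) -> Optional[str]:
    """Return a verdict for one request, or None if it looks unrelated to the campaign."""
    host = urlsplit(url).hostname or ""
    ref_host = urlsplit(referer).hostname or ""   # "-" yields no hostname -> ""
    root = registered_domain(host)
    # Stage 1: a known redirector reached directly from a Yahoo ad slot.
    if root in REDIRECTORS and ref_host == "ads.yahoo.com":
        return "redirector-from-yahoo-ad"
    # Stage 2: a Magnitude EK landing host, by known root or by hostname shape
    # (the regex also catches a root domain not yet on the list).
    if root in MAGNITUDE_ROOTS or EK_HOST_RE.match(host):
        return "magnitude-ek-host"
    return None

def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, verdict) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, url, referer = line.split()
        verdict = classify(url, referer)
        if verdict:
            hits.append((client, urlsplit(url).hostname or "", verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Grouping the hits by client then reconstructs the ad-to-redirector-to-EK chain for each victim, which is the pivot the single shared IP address makes possible.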

In the time that this threat was active, approximately 21,000 transactions occurred. This speaks to the effectiveness of malvertising campaigns. A single site compromise yields only the victims who frequent that site; an ad server compromise affects not only that site but every site that serves advertisements from it. Malware writers will continue to find methods to cast the largest possible net and rope more victims into their dubious activities.

At this time, we are still investigating all aspects of the threat in a postmortem process.  It's been reported that the compromise propagated the following malware families:

  • Zbot
  • Andromeda
  • Dorkbot
  • Various Adware
  • Tinba
  • Necurs

ThreatLabZ will continue to monitor this threat.
