We have identified several major websites (buy.com, cnbc.com, digg.com, evite.com and msn.com just to name a few) using the advertising services of malicious servers that are using Acrobat PDF and Java exploits to force the download and installation of fake antivirus software. Analysis from SysAdMini @ www.malwaredomainlist.com has informed us the sites are all using the NeoSploit drive-by kit. After further research, we found that Jiri Sejtko from Avast! has actually documented this and written up a great blog entry about it back on Feb 18th, 2010. It is unbelievable that online advertisers the likes of yieldmanager.com, fimserve.com, advertangel.com, bannerimg.com, jambovideonetwork.com, myspace.com, zedo.com, vestraff.com and others allowed this to occur and even thrive for the better part of a month. The host names hosting the drive-by and fake antivirus software that we have discovered so far are:
All of these host names resolved to the following IP addresses at this time:
69.174.245.147 69.174.245.148 69.174.245.150 72.51.41.155 75.125.183.50 174.142.53.148
We have been observing this for a few days, and a check of our traffic repository shows it goes back even further than Feb 15th, 2010. The signature that will trip on the download of the malware more often than not is this one:
ET POLICY Binary Download Smaller than 1 MB Likely Hostile
http://doc.emergingthreats.net/2007671
Once a client is infected, the following signatures trip:
ET TROJAN Potential FakeAV HTTP GET Check-IN (/check)
http://doc.emergingthreats.net/2010597
ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=)
http://doc.emergingthreats.net/2010594
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
http://doc.emergingthreats.net/2002400
The infected client will attempt to check in to the following IP addresses/host names:
79.135.152.5 – avgroupwebsite.com
195.88.190.54 – av-command.com/av-crew.net
This campaign seems to have been very effective; we know of thousands of hosts that have been exploited by it.
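As an added example (not code from the original post), here is a small Python scan that applies the indicators above to constructed proxy log lines: the look-alike google.analytics.com.<random>.info hosts, the check-in hosts/IPs with the GET /check and POST ?r= URIs named in the ET signatures, and the user-agent signature. The log line format, the sample lines and the assumption that ET 2002400 matches the literal user-agent string "Microsoft Internet Explorer" are mine, not the post's.

```python
import re
# Constructed sample proxy log lines (not from the original post): client, method, URL, user agent.
SAMPLE_LOG = """\
10.0.0.12 GET http://google.analytics.com.dbvvwrkgycfa.info/in.php "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.12 GET http://www.google-analytics.com/ga.js "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.12 GET http://avgroupwebsite.com/check "Microsoft Internet Explorer"
10.0.0.12 POST http://195.88.190.54/index.php?r=1 "Microsoft Internet Explorer"
10.0.0.33 GET http://example.com/index.html "Mozilla/5.0"
"""
# Indicators from the post: drive-by hosts are google.analytics.com.<random>.info (a look-alike of
# the legitimate google-analytics.com); check-ins go to these hosts/IPs with the ET-signature URIs.
LOOKALIKE_HOST = re.compile(r"^google\.analytics\.com\.[a-z]+\.info$")
CHECKIN_HOSTS = {"avgroupwebsite.com", "av-command.com", "av-crew.net", "79.135.152.5", "195.88.190.54"}
CHECKIN_GET = re.compile(r"^/check(?:$|[?/])")   # ET 2010597: GET /check
CHECKIN_POST = re.compile(r"[?&]r=")             # ET 2010594: POST ...?r=
SUSPICIOUS_UA = "Microsoft Internet Explorer"    # ET 2002400 (assumed to be this literal UA string)
LINE_RE = re.compile(r'^(\S+) (GET|POST) (\S+) "([^"]*)"$')

def classify(line):
    """Return the reasons one log line matches the campaign ([] if it looks clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _client, method, url, ua = m.groups()
    host, _, rest = re.sub(r"^https?://", "", url).lower().partition("/")
    path = "/" + rest
    reasons = []
    if LOOKALIKE_HOST.match(host):
        reasons.append("drive-by lookalike host")
    if host in CHECKIN_HOSTS:
        if method == "GET" and CHECKIN_GET.match(path):
            reasons.append("FakeAV GET check-in")
        elif method == "POST" and CHECKIN_POST.search(path):
            reasons.append("FakeAV POST check-in")
    if ua == SUSPICIOUS_UA:
        reasons.append("suspicious user agent")
    return reasons

def scan(log_text):
    """Group hits by client IP; a check-in hit means the client is already infected, not just exposed."""
    report = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            report.setdefault(line.split(" ", 1)[0], set()).update(reasons)
    return {client: sorted(r) for client, r in report.items()}

def infected_clients(log_text):
    """Clients whose traffic shows a post-infection check-in (the 'once infected' signatures above)."""
    return sorted(c for c, r in scan(log_text).items() if any(x.endswith("check-in") for x in r))
```

A client that only hits the look-alike host was exposed to the drive-by; only the check-in hits show that the fake antivirus actually installed.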
