B.I.S.S. Forums > 85.17.169.57/85.17.166.209

Full Version: 85.17.169.57/85.17.166.209

B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section

wagdoll

Dec 31 2008, 03:05 AM

site name hxxp://gamers-games.com has been carrying malware since at least the 20th December. This site is running in several ad network inventories as "prepopped" ads. The malware is loading via a 1x1 iframe at the bottom of that site and the domains serving the malware in that iframe are actively changing... I searched this forum for the IP addresses that are hosting the malware files, but the closest matches I could find were 85.17.16*

The publishing site URL that is seen in the codes is referrer dependent, if you try to load it in a blank window it will redirect to a cleaner page.

20th December hxxp://gamers-games.com was carrying this:

CODE

That loaded:

CODE

Today, coming via a slightly different ad network:

This one shows the ad networks because it's the 2nd time in as many days I've had a malware type problem from antventure...

CODE

<script src="http://ad.spot200.com/st?ad_type=pop&ad_size=0x0&section=420420&banned_pop_types=23&pop_times=1&pop_frequency=0" type="text/javascript">

<script src="http://ad.yieldmanager.com/imp?Z=0x0&y=23&s=420420&_salt=1123623717&B=10&r=0" type="text/javascript">

<iframe id="rm_frm" height="100%" frameborder="0" width="100%" name="rm_frm" marginheight="0" marginwidth="0" src="http://ad.spot200.com/iframe3?T51aAERqBgCK.RcAxrkHAAIAAAAAAP8AAAAECQIIAANEAAkAQpoJALUlCwAAAAAAAAAAAAAAAAAAAAAA
AAAAAB0LG6-KgeE.HQsbr4qB4T-GEi15PC3tP4YSLXk8Le0.ZmZmZmZm.j9mZmZmZmb-PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVbIVEf4PpAX.cL.L9ceATagfwR56GjWGiR5F
HAAAAAA=,,http://foloo.net/pages/ptp.php?refid=ynot">

That loads:

CODE

<script src="http://ad.antventure.com/st?ad_type=pop&ad_size=0x0&section=477339&banned_pop_types=23&pop_times=1&pop_frequency=0" type="text/javascript">
</script>
<script src="http://ad.yieldmanager.com/imp?Z=0x0&y=23&s=477339&_salt=3755613422&B=10&r=0" type="text/javascript">
</script>
<iframe id="rm_frm" height="100%" frameborder="0" width="100%" name="rm_frm" marginheight="0" marginwidth="0" src="http://ad.antventure.com/iframe3? AAAAAJtIBwD8WRgArd8HAAIAWAAAAP8AAAAECQIIAAPwJAsAcpwJANFcCwAAAAAAAAAAAAAAAAAAAAAA
AAAAADMzMzMzM.M. MzMzMzMz8z8zMzMzMzMDQDMzMzMzMwNAAAAAAAAAEEAAAAAAAAAQQAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAXoJneBAQpAUaz56Ehmf3V1IwZ45rBUorbL5HTQAAAAA=,,http://www.antventure.com/creatives/default/mke/popad.html">

That loads:

CODE

hxxp://gamers-games.com

That has this iframe at the bottom:

CODE

That loads:

CODE

http://85.17.169.57/css/pdf.php?id=0&sid=b181b687b681b182b081bccfbdd8b5d4b38eb988bd8cbb8a84

Kimberly

Dec 31 2008, 11:17 AM

Yeah wagdoll, I'm aware of the problem since december 24. It's coming through Yahoo and splattered everywhere. I did alert them about the issue. Being holidays, most of my contacts are out of office unfortunately.

It's not only a PDF exploit but around 10 different ones.

Moore

Dec 31 2008, 02:03 PM

Thanks for your help wagdoll.. Added those IP's.

Kimberly

Jan 2 2009, 11:22 AM

There is some more ...
http://www.bluetack.co.uk/forums/index.php...ost&p=90556

ads.bootcampmedia.com is AdJuggler

.... which means I know exactly who to contact.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.