system
September 4, 2012, 5:56am
1
adf.ly Malvertising:
81.30.152.85 = malware <<-- this seems to be blocked by avast network shield…
I found this at: https://www.virustotal.com/url/7b8fdfb70424b87478ce54ad40ef5b5575e223be5154960c5a35a6b74a201ba6/analysis/1346512744/
The hosted malware is a ransomware…
More info: http://www.malekal.com/2012/03/13/malvertising-adf-ly-ransomware-sacem-police-nationale/
Reported this at Virus AT Avast DOT com.
polonus
September 4, 2012, 1:13pm
2
Somewhat older finds, but hard to detect: http://www.malekal.com/2012/03/13/malvertising-adf-ly-ransomware-sacem-police-nationale/
When cookies are disabled one is a lot more secure for this, so the maximum protection therefore is having a script blocker inside the web browser, like NoScript in Firefox or a similar extension for Google Chrome, to be protected against these…
polonus
system
September 4, 2012, 4:42pm
3
Always great to hear it from you
thanks!
system
September 4, 2012, 4:53pm
4
Hi Pol,
here is good news… we have these sites blocked now.
polonus
September 4, 2012, 5:04pm
5
And there is more…
If we look for the third-party request going to: htxp://membercitycouncil.info:8284/UDZsFG?YXTCm=35
from hxtp://fantastictwitfollowers.com/ ("Is your rel canonical tag pointing to another domain?")
The answer is yes, and that is, as we know: htxp://membercitycouncil.info:8284/UDZsFG?YXTCm=35
https://www.google.com/safebrowsing/diagnostic?site=fantastictwitfollowers.com
It is flagged here: http://www.avgthreatlabs.com/sitereports/domain/fantastictwitfollowers.com/
So we get the good news that the browsers that have Google Safe Browsing are warned and will have to override a block to land there:
http://zulu.zscaler.com/submission/show/02fa177e9dc30566aa472ffe004a3c16-1346777044 (this is 100 out of 100 malicious)
Google’s Safe Browsing: This link is currently listed as suspicious: https://www.google.com/safebrowsing/diagnostic?site=http%3A//membercitycouncil.info
1 exploit
Surprise, surprise, site is also a Blackhole.1 php: http://sitecheck.sucuri.net/results/fantastictwitfollowers.com/
Infected via generator WordPress 3.3.2. IDS alert = SPECIFIC-THREATS Blackhole landing page with specific structure
See: http://urlquery.net/report.php?id=158786
polonus