Alerted to this scheme by my good friend, !Donovan. The victim visited an expired, once secure website parked with TradeDoubler adware that now redirects to a fake malware warning site, read: https://isc.sans.edu/diary/How+Victims+Are+Redirected+to+IT+Support+Scareware+Sites/19487/
The landing site’s scan results: https://www.virustotal.com/en/url/d8d55a41f0efaccd1daf16a661c2525330ef014b8098bee7b183d79650ecb260/analysis/#additional-info and https://www.c-sirt.org/en/incidents-on-domain/p2.dntrax.com, and the following:

    index
    Severity: Suspicious
    Reason: Detected suspicious redirection to external web resources at HTTP level. [What’s this?]
    Details: Detected HTTP redirection to htxps://www.dntx.com/. uMatrix blocks this destination for us.
    File size[byte]: 0
    File type: Unknown
    Page/File MD5: 00000000000000000000000000000000
    Scan duration[sec]:
Thanks to !Donovan for his observations and we should report that Sucuri has not as yet detected this malicious scheme.
polonus
This web domain also seems to play a role in this scheme: https://www.virustotal.com/en/domain/tj.symcd.com/information/
We should understand that these redirects may be rather short-lived and mitigating.
Going to the IP, 23.4.43.27, it automatically downloads woc3kreY.part
woc3kreY.part
First uploaded: 2014-02-07 17:01:48 GMT
Filetype: data
Last scanned: 2014-02-07 17:01:48 GMT
File size: 5 B
MD5 4842E206E4CFFF2954901467AD54169E
SHA1 80C9820FF2EFE8AA3D361DF7011AE6EEE35EC4F0
SHA256 2ACAB1228E8935D5DFDD1756B8A19698B6C8B786C90F87993CE9799A67A96E4E
See what I earlier reported on this: https://forum.avast.com/index.php?topic=170995.0
polonus