See: Up(nil): unknown_html ARIN US abuse at qwest dot net 63.146.170.87 to 63.146.170.87 care2 dot com htxp://www.care2.com/?ptrxcz_mzCObo0CPbo1DQcp1EPbr3GSes5IUg
See: http://urlquery.net/report.php?id=1133608
RBN Known Malvertizer (iframe) yads.zedo dot com/ads3/a?
Found: iframe src=“htxp://d3.zedo.com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90” frameborder=0 marginheight=0 marginwidth=0 scrolling="no
which is Zlob Zedo click tracking! Throwing up an issue similar to the “Ads Everywhere”-problem (adware) - bordering on being benign?
Code hiccup
[nothing detected] (iframe) d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90
status: (referer=www.care2 dot com/?mzCObo0CPbo1DQcp1EPbr3GSes5IUg)saved 3757 bytes bfbedd4f3036a71d4abbfb1ed4bba7bf8e11c448
info: [iframe] d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/
info: [script] d7.zedo dot com/bar/v17-005/d3/jsc/gl.js
info: [iframe] yads.zedo dot com/ads3/a?
info: [decodingLevel=0] found JavaScript
error: undefined variable Image
error: line:5: TypeError: Image is not a constructor
suspicious:
Read: http://www.ehow.com/how_12100513_remove-powered-zedo-popups-windows-7.html
A Quttera scan also flags this as potentially suspicious:
dingo.care2.com/pictures/static/js/www/js/c2/care2-jquery/care2-jquery.1361399361.js
Severity:
Potentially Suspicious
Reason:
Detected procedure that is commonly used in suspicious activity.
Details:
Too low entropy detected in string [[‘=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26async=%26=%26=%26=%26=%26=%26=%260=%26=%26=%26=%26=%26=%260=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=’]] of length 591 which may point to obfuscation or shellcode. see: http://quttera.com/detailed_report/www.care2.com for the threat dump
which may point to obfuscation or shellcode, but also can be benign code used in sharing…
dingo.care2 dot com/pictures/static/js/www/js/yui/build/yahoo-dom-event/yahoo-dom-event/yahoo-dom-event.1234488966.js benign
[nothing detected] (script) dingo.care2 dot com/pictures/static/js/www/js/yui/build/yahoo-dom-event/yahoo-dom-event/yahoo-dom-event.1234488966.js
status: (referer=dingo.care2 dot com/pictures/static/js/www/js/c2/care2-jquery/undefined)saved 31637 bytes 7a4f80649be5ecba2bca886b037d58448ec4b442
info: [decodingLevel=0] found JavaScript
error: undefined variable clearInterval
error: undefined function clearInterval
error: undefined function O.addEventListener
error: undefined variable O
info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista, 281 bytes
info: Decoding option browser=Opera and browser=Firefox, 0 bytes
info: [element] URL=dingo.care2 dot com/pictures/static/js/www/js/yui/build/yahoo-dom-event/yahoo-dom-event/undefined
info: [decodingLevel=1] found JavaScript
suspicious
Known history of banner click code through cross site scripting…
polonus