polonus
1
unknown_html flagged today at MX-VW. → https://www.virustotal.com/nl/url/8c0b3e11d371cddd9db2c9d91e4720cfa942d75bca10516bccf7d130bc755217/analysis/
Found via malekal →
htxp://moneymakerclick.com/vigrx/adv/index2.php?adv_id=21
<Referer1_IP>192.243.127.219</Referer1_IP>
htxp://ads.zazazizoo.com/ads/aff2.php
<Referer2_IP>80.77.81.44</Referer2_IP>
Here found benign: http://zulu.zscaler.com/submission/show/0da8a1423cfad3ac1790554e7539e062-1387118604
Earlier found to be suspicious here: http://zulu.zscaler.com/submission/show/0da8a1423cfad3ac1790554e7539e062-1386863023
polonus
Just the URL is suspicious. Wouldn’t ever go on that site for the life of me.
polonus
3
Another one flagged, but why?
See: http://209.9.239.101/?report=431569e41fec2db269ed3cad8113005fd5ec7662 *
IDS alert for ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via option element here:
http://urlquery.net/report.php?id=8396102
BitDefender flags as malicious.
See for vulnerability of Prototype JavaScript framework, version 1.7 *
http://www.cvedetails.com/cve/CVE-2008-7220/
pol
This website injected an Exploit-Generic into Internet Explorer: hxxp://ads.zazazizoo.com/ads/aff2.php (Screenshot)
VirusTotal analysis of the JavaScript file from this link: hxxp://www.broedersgezondheidswinkel.nl/media/js/55b783a98f039fe7c7ac9ad51b2d4922.js
https://www.virustotal.com/de/file/9eb079a637507443ba0a2c41439abe70ee81de6928e86f0d5e53c29eecbcc62c/analysis/1387121079/ 0/48
polonus
5
By the way, the first URL is blocked by Avast. So we are protected.
The JavaScript file wants to remote control the svchost.exe via OLE.
system
7
Hello,
ads.zazazizoo.com = fake ads company to spread malvertising.
You can get them, for example, on x3xtube.com (porn website).
polonus
8
Hi Malekal_morte,
Thanks for explaining the malvertising connection here.
The kraken Virus Tracker Classification for that domain is
ads dot zazazizoo dot com,88.214.225.178,Criminals,
(where “criminals” will denote nothing more than that malcode is up and active)
polonus