(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (Now a part of Cox Digital Solutions), and to Adify by Pulpo Media, and to Pulpo Media by the malicious attackers pretending to be advertisers: indistic.com. The malvertisement causes visitor browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal can detect this malware.
This is our report. We plan to put up the video later--we still need to narrate it, which will take some time. As DoubleClick is a very large AD network, we decided to put up the post quickly.
The first link in the infection chain is the following standard script for all websites using Google DoubleClick for Publishers (Google DFP):
Which gives an HTTP 302 redirect to:
The domain "indistic.com" was registered on Aug 12, 2011 (evidence 1) by "Marcene D. Rohodes (email@example.com). The domain currently runs on IP 18.104.22.168 (AS49734) (thank you Jason D.Seimesi), which is located in Romania. The whois records show a US street address but with a Lithuania phone number and a Romanian IP (evidence 2):
Name: Marcene D. Rhodes
Address: 4653 Twin House Lane
City: Mount Vernon
Postal Code: 65712
The domain is using FreeDNS on freedns.afraid.org (evidence 3).
So there were at least three evidences here, that indistic.com wasn't a legitimate advertiser. This malvertisement shouldn't have been let into this chain of AD networks.
Furthermore, as (Jason D.Seimesi pointed out, the same IP is also used by pisofta.com--another domain also registered on Aug 12. Therefore there should be more than one malicious advertiser identify associated with this effort.
(Link 9-a, BlackHole exploit pack:)
kokojamba.cz.cc is the exploit domain running the BlackHole exploit pack. It is currently running on IP 22.214.171.124, located in Jihomoravský kraj of Czech Republic.
Currently, 7 out of 44 vendors on VirusTotal can detect this malware:
We are in the process of informing all parties involved. If you know more about this incident, please email us at firstname.lastname@example.org