Malvertising on Google Doubleclick ongoing

(credits: Wayne Huang, Chris Hsiao, NightCola Lin)

In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (Now a part of Cox Digital Solutions), and to Adify by Pulpo Media, and to Pulpo Media by the malicious attackers pretending to be advertisers: indistic.com. The malvertisement causes visitor browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal can detect this malware.

This is our report. We plan to put up the video later--we still need to narrate it, which will take some time. As DoubleClick is a very large AD network, we decided to put up the post quickly.

The first link in the infection chain is the following standard script for all websites using Google DoubleClick for Publishers (Google DFP):

(Link 1:)
<script type='text/javascript' src='hxxp://partner.googleadservices.com/gampad/google_service.js'>

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 2:)
http://partner.googleadservices.com/gampad/google_ads.js

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 3:)
http://pubads.g.doubleclick.net/gampad/ads?correlator=1314244145446&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-1199834677431615&slotname=LA_PRENSA_Poderes_728x90_Superior&page_slots=LA_PRENSA_Poderes_728x90_Superior&cookie=ID%3D6ece38c99f627779%3AT%3D1314244080%3AS%3DALNI_MbRwmcAoAFohCjkKxnj_JXcxZEUEA&url=http%3A%2F%2Fwww.laprensa.com.ni%2F2011%2F08%2F23%2Fpoderes&lmt=1314244147&dt=1314244147962&cc=100&oe=utf-8&biw=878&bih=477&ifi=1&adk=2910702588&u_tz=480&u_his=2&u_java=true&u_h=1920&u_w=1080&u_ah=1892&u_aw=1080&u_cd=32&flash=10.1.102.64&gads=v2&ga_vid=2122880267.1314244061&ga_sid=1314244061&ga_hid=187578555&ga_fc=true

Which generates a <script src> tag, causing the browser to load javascript from Adify (Now a part of Cox Digital Solutions):

(Link 4:)
http://ad.afy11.net/srad.js?azId=1000004110207

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 5:)
http://ad.afy11.net/ad?asId=1000004110207&sd=2x728x90&ct=15&enc=1&nif=1&sf=0&sfd=0&ynw=0&anw=1&rand=55943306&rk1=56285031&rk2=1314244149.806&pt=0&asc=3x133&vad=878x477

Which generates an iframe, causing the browser to load javascript from tentaculos.net, which is a part of Pulpo Media:

(Link 6:)
http://d1.tentaculos.net/afr.php?zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE

Which gives an HTTP 302 redirect to:

(Link 7:)
http://d1.tentaculos.net/afr.php?ct=1&zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE

Which generates a <script src> tag, causing the browser to load javascript from:

(Link 8:)
http://indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=142038917

This is the malicious advertiser. The above javascript generates an iframe, causing the browser to load from the exploit domain kokojamba.cz.cc (Link 9-a), and also the creative (the banner ad) itself (Link 9-b) as a .png file. Here's a snippet of this javascript:


The entire javascript code can be found here.

The domain "indistic.com" was registered on Aug 12, 2011 (evidence 1) by "Marcene D. Rohodes (marcenedrhodessm@yahoo.com). The domain currently runs on IP 95.64.46.84 (AS49734) (thank you Jason D.Seimesi), which is located in Romania. The whois records show a US street address but with a Lithuania phone number and a Romanian IP (evidence 2):

=====================================
Administrative Contact:
Name: Marcene D. Rhodes
Organization: no
Address: 4653 Twin House Lane
City: Mount Vernon
Province/state: MO
Country: US
Postal Code: 65712
Phone: +370.956734778
Fax: +370.956734778
=====================================

The domain is using FreeDNS on freedns.afraid.org (evidence 3).

So there were at least three evidences here, that indistic.com wasn't a legitimate advertiser. This malvertisement shouldn't have been let into this chain of AD networks.

Furthermore, as (Jason D.Seimesi pointed out, the same IP is also used by pisofta.com--another domain also registered on Aug 12. Therefore there should be more than one malicious advertiser identify associated with this effort.

(Link 9-a, BlackHole exploit pack:)
http://kokojamba.cz.cc/index.php?tp=2733de342143bbc7

kokojamba.cz.cc is the exploit domain running the BlackHole exploit pack. It is currently running on IP 178.238.36.64, located in Jihomoravsk√Ĺ kraj of Czech Republic.

(Link 9-b:)
http://indistic.com/crt/1Npstr/728.PNG

Currently, 7 out of 44 vendors on VirusTotal can detect this malware:

We are in the process of informing all parties involved. If you know more about this incident, please email us at wayne@armorize.com

Read more (rest of article)...