DoubleClick malvertising campaign ...
FYI...
DoubleClick malvertising campaign exposes... malvertising infrastructure
- http://www.webroot.com/blog/2014/02...un-beneath-radar-malvertising-infrastructure/
Feb 14, 2014 - "... we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About .com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case...
Malvertising domains/URLs/IPs involved in the campaign:
adservinghost1 .com – 212.124.112.232; 212.124.112.226 (known to have responded to the same IP is also cpmservice1 .com); 212.124.112.229; 74.50.103.41; 68.233.228.236
ad.onlineadserv .com – 37.59.15.44; 37.59.15.211, hxxp ://188.138.90.222 /ad.php?id=31984&cuid=55093&vf=240
IP reconnaissance:
188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver .com; notslead .com; adwenia .com – Email: philip.woronoff@ yandex .ru (also known to have responded to 188.138.74.38 in the past; as well as digenmedia .com)
Based on BrightCloud’s database, not only is adservinghost1 .com already flagged as malicious, but also, we’re aware that MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec)* is known to have phoned back to the same IP as the actual domain, hxxp ://212.124.112.232 /cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular...
> https://www.webroot.com/blog/wp-content/uploads/2014/02/DoubleClick_Malvertising.png
Here comes the interesting part. Apparently, the name servers of adservinghost1 .com are currently responding to the same IPs as the name servers of the Epom ad platform.
NS1.ADSERVINGHOST1 .COM – 212.124.126.2
NS2.ADSERVINGHOST1 .COM – 74.50.103.38
... domains are also responding to the same IP as the Epom .com domain at 198.178.124.5 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...a1d43b6b63a5d2b2e62c2f4af60f57f7bbb/analysis/
___
Malware sites to block 14/2/14
- http://blog.dynamoo.com/2014/02/malware-sites-to-block-14214.html
14 Feb 2014 - "This bunch of OVH Canada hosted nameserver and IP ranges are supporting malware distribution via the Nuclear Exploit Kit (as described here* by Umbrella Labs). OVH Canada have a long history with this bad actor (who I believe to be r5x .org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all. First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active... (Long list at the dynamoo URL above)
Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.
142.4.194.0/29
192.95.6.24/29
192.95.10.16/29
192.95.46.56/30
192.95.46.60/30
192.95.47.232/30
192.95.47.236/30
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30
I can see the following domains being actively supported by these nameservers, all of which should be considered hostile..." (Long list at the dynamoo URL above)
* http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
Feb 14, 2014
___
Fake Flash install via Silverlight
- http://community.websense.com/blogs...4/fakeflash-installation-via-silverlight.aspx
Feb 14, 2014 - "... discovered attempts to infect users using the commonly distributed plug-in, Silverlight. Silverlight allows development of web and mobile applications that consist of streaming media, multimedia, graphics, and animation. It has been used for video streaming of events such as the 2008 Summer Olympics in Beijing, the 2010 Winter Olympics in Vancouver, and the 2008 conventions of both major United States political parties. Streaming services such as Netflix use Silverlight for Digital Rights Management (DRM). By leveraging two Silverlight plug-in vulnerabilities, CVE-2013-3896 and CVE-2013-0074, attackers have been able to infect victims via dropper files and subsequently through calls home to the command and control (C&C) server... the plug-in is a Base64 encoded Visual Basic Script (VBS). Silverlight generates the VBS file and places it in the directory C:\Users\<user name>\AppData\Local\Temp\Log... The downloaded binary is encrypted with the XOR key “m3S4V”. Using the ADODB.Stream ability to read and write text and binary files, a file named 4bb213.exe is created and run... At the time of initial investigation, fewer than 10% of AV vendors* had detection for the malicious files. The dropper files involved in this campaign are currently being identified as a Trojan threat by AV vendors. Based on call back activity, infected machines may be updated with additional dropper files by the C&C server when communication is established. The C&C server hosting the dropper file was registered via a domain privacy provider, while the resolving IP address is owned by the hosting provider 3NT Solutions. Communication attempts to the C&C server have been observed from the following countries:
> http://community.websense.com/cfs-f...nts.WeblogFiles/securitylabs/0407.blog007.png
While Silverlight is not commonly used for business purposes, its use for web applications and streaming gives it a strong presence on devices owned by everyday users. With many companies embracing BOYD policies, applications such as Silverlight provide malicious actors with another potential cyber-attack vector..."
* https://www.virustotal.com/en/file/...9cb1e15d75a1c57a20b3720e95e46c9ff77/analysis/
Silverlight current version: 5.1.20913.0 - http://www.microsoft.com/silverlight/
MS13-087
- http://technet.microsoft.com/en-us/security/bulletin/ms13-087
Oct 08, 2013 - "... upgrades previous versions of Silverlight to Silverlight version 5.1.20913.0..."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0074 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3896 - 4.3
:fear::fear:
:fear:
FYI...
DoubleClick malvertising campaign exposes... malvertising infrastructure
- http://www.webroot.com/blog/2014/02...un-beneath-radar-malvertising-infrastructure/
Feb 14, 2014 - "... we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About .com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case...
Malvertising domains/URLs/IPs involved in the campaign:
adservinghost1 .com – 212.124.112.232; 212.124.112.226 (known to have responded to the same IP is also cpmservice1 .com); 212.124.112.229; 74.50.103.41; 68.233.228.236
ad.onlineadserv .com – 37.59.15.44; 37.59.15.211, hxxp ://188.138.90.222 /ad.php?id=31984&cuid=55093&vf=240
IP reconnaissance:
188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver .com; notslead .com; adwenia .com – Email: philip.woronoff@ yandex .ru (also known to have responded to 188.138.74.38 in the past; as well as digenmedia .com)
Based on BrightCloud’s database, not only is adservinghost1 .com already flagged as malicious, but also, we’re aware that MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec)* is known to have phoned back to the same IP as the actual domain, hxxp ://212.124.112.232 /cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular...
> https://www.webroot.com/blog/wp-content/uploads/2014/02/DoubleClick_Malvertising.png
Here comes the interesting part. Apparently, the name servers of adservinghost1 .com are currently responding to the same IPs as the name servers of the Epom ad platform.
NS1.ADSERVINGHOST1 .COM – 212.124.126.2
NS2.ADSERVINGHOST1 .COM – 74.50.103.38
... domains are also responding to the same IP as the Epom .com domain at 198.178.124.5 ..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...a1d43b6b63a5d2b2e62c2f4af60f57f7bbb/analysis/
___
Malware sites to block 14/2/14
- http://blog.dynamoo.com/2014/02/malware-sites-to-block-14214.html
14 Feb 2014 - "This bunch of OVH Canada hosted nameserver and IP ranges are supporting malware distribution via the Nuclear Exploit Kit (as described here* by Umbrella Labs). OVH Canada have a long history with this bad actor (who I believe to be r5x .org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all. First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active... (Long list at the dynamoo URL above)
Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.
142.4.194.0/29
192.95.6.24/29
192.95.10.16/29
192.95.46.56/30
192.95.46.60/30
192.95.47.232/30
192.95.47.236/30
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30
I can see the following domains being actively supported by these nameservers, all of which should be considered hostile..." (Long list at the dynamoo URL above)
* http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
Feb 14, 2014
___
Fake Flash install via Silverlight
- http://community.websense.com/blogs...4/fakeflash-installation-via-silverlight.aspx
Feb 14, 2014 - "... discovered attempts to infect users using the commonly distributed plug-in, Silverlight. Silverlight allows development of web and mobile applications that consist of streaming media, multimedia, graphics, and animation. It has been used for video streaming of events such as the 2008 Summer Olympics in Beijing, the 2010 Winter Olympics in Vancouver, and the 2008 conventions of both major United States political parties. Streaming services such as Netflix use Silverlight for Digital Rights Management (DRM). By leveraging two Silverlight plug-in vulnerabilities, CVE-2013-3896 and CVE-2013-0074, attackers have been able to infect victims via dropper files and subsequently through calls home to the command and control (C&C) server... the plug-in is a Base64 encoded Visual Basic Script (VBS). Silverlight generates the VBS file and places it in the directory C:\Users\<user name>\AppData\Local\Temp\Log... The downloaded binary is encrypted with the XOR key “m3S4V”. Using the ADODB.Stream ability to read and write text and binary files, a file named 4bb213.exe is created and run... At the time of initial investigation, fewer than 10% of AV vendors* had detection for the malicious files. The dropper files involved in this campaign are currently being identified as a Trojan threat by AV vendors. Based on call back activity, infected machines may be updated with additional dropper files by the C&C server when communication is established. The C&C server hosting the dropper file was registered via a domain privacy provider, while the resolving IP address is owned by the hosting provider 3NT Solutions. Communication attempts to the C&C server have been observed from the following countries:
> http://community.websense.com/cfs-f...nts.WeblogFiles/securitylabs/0407.blog007.png
While Silverlight is not commonly used for business purposes, its use for web applications and streaming gives it a strong presence on devices owned by everyday users. With many companies embracing BOYD policies, applications such as Silverlight provide malicious actors with another potential cyber-attack vector..."
* https://www.virustotal.com/en/file/...9cb1e15d75a1c57a20b3720e95e46c9ff77/analysis/
Silverlight current version: 5.1.20913.0 - http://www.microsoft.com/silverlight/
MS13-087
- http://technet.microsoft.com/en-us/security/bulletin/ms13-087
Oct 08, 2013 - "... upgrades previous versions of Silverlight to Silverlight version 5.1.20913.0..."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0074 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3896 - 4.3
:fear::fear:
:fear:
Last edited: