DomaIq / OutBrowse : Fake Java/Flash update malvertising campaign
EDIT – May 15 : some moves.
Another ad network hit by this malvertising : https://twitter.com/malekal_morte/status/466539522176851968
The fake Java/Flash malvertising has disappeared; it has been replaced by a “Video Player update” campaign.
Note that it still uses the Adobe Flash Player update web page, even though they removed the Flash Player logo.
But for me, it is still malvertising :
- It replaces the website you visit with the malvertising, so the webmaster loses traffic. It is also a disgusting way to operate.
- They are trying to keep these campaigns going. For example, on my website, the ad networks that do not want them have great difficulty getting them removed completely; it comes back over and over through the AppNexus network. For this reason, I have to suspend this ad network on my website until they find a way to remove this malvertising campaign completely.
- They use domain rotation to bypass detection, as most malware campaigns do.
~~
About uptobox, they said that behind exchange.admailtiser.com is Matomy.
Another Israeli company; I made a post about Israeli companies here : http://malvertising.stopmalwares.com/2014/05/installcoreconduit-fake-flash-player-malvertising/
It seems that hosters and registrars are very slow to move (or they do not move at all).
Most of the domains are registered at the Enom registrar and they are still online : http://pjjoint.malekal.com/files.php?read=20140515_r8u14r11e15i12
I made this tweet : https://twitter.com/malekal_morte/status/466873006816755712
Same for Egihosting : https://twitter.com/egihosting/status/466238690658746368
It seems that old domains using Egihosting IPs are still online, so the malware guys can use them again if they need to.
About antivirus : only Malwarebytes and BitDefender blacklisted some URLs, but binary detection for PUP.DomaIQ is good for samples in the wild (around 10/52 on VirusTotal).
I uploaded some PUP.DomaIQ samples to Malwaredb these last days : http://malwaredb.malekal.com/index.php?malware=DomaI
Avast! does not detect most of them (nor the URLs), and in France Avast! is very widely used; I will try to shake them about this :
EDIT May 16 : Appnexus got cleaned
OK, now the good news…
First, Avast! is going to move : https://twitter.com/misak19/status/466897774290948096
And then, the better one : I now have a contact at Appnexus and they cleaned everything fast.
This is really good news, because most of this malvertising was coming from this network, which is a big one : http://www.alexa.com/siteinfo/adnxs.com
Also, I want to mention this…
a.ad-sys.com is loading this malvertising… I was talking about them in this topic : http://malvertising.stopmalwares.com/2014/05/installcoreconduit-fake-flash-player-malvertising/
I will try to get it removed.
EDIT – Monday 19 : Appnexus got cleaned
Most of the Appnexus malvertising has been removed.
I also got Avast! blocking it.
We notice a drop in adware/PUP removal requests in the forums, which is good.
EDIT – Tuesday 21 : on Ebay France
Ebay France is hit; I made this post (in French) : http://www.malekal.com/2014/05/20/ebay-virus-lpmxp2-lecteur-video-peux-etre-obsolete/
Video :
EDIT – Wednesday 22 : also on Yahoo Ads (only France?)
The Ebay malvertising is still online; Ebay France and PubMatic do not reply to the request.
Also, and not for the first time, the ad network I use for my website is also loading content to Yahoo Ads.
They are usually, like Appnexus, hit by this malvertising.
Currently, an active one is delivering the fake Flash Player page.
EDIT – Wednesday 28
Some news.
ad-sys is still leading to the fake Java page.
Back to t411.me with admailtiser :
EDIT – June 2
An update.
This weekend, t411.me got blacklisted by Google (in French : http://forum.malekal.com/t411-blackliste-par-google-t48050.html). That seems to have fixed the malicious redirections, but t411.me is still loading content to pubdirecte, which is loading content to m2pub, so I guess it will be back soon.
- openx.net is still redirecting to the fake Flash/Java malvertising
- Also, admailtiser / ad-sys are still loading a lot of them.
I also found some of them in the Clicksor network :
New domains are still being registered at ENOM, which does not seem to move, so I made this write-up and pinged them on Twitter : http://pjjoint.malekal.com/files.php?read=20140602_f12d8h9s10o5
EDIT – June 6
According to Netcraft, ask.fm was hit by the fake Java malvertising : http://news.netcraft.com/archives/2014/06/02/ask-fm-users-being-redirected-to-malware-sites.html
Also, in this French topic, a user says he got the fake malvertising on mangaxd.com : http://www.commentcamarche.net/forum/affich-30322426-popup-fausse-mise-a-jour-adobe-flash-player
The redirection is made by admailtiser.com, loaded by affiliation-france.com; not the first time I see them.
First, they are red on WOT : https://www.mywot.com/en/scorecard/affiliation-france.com
According to the website, affiliation-france belongs to Venesome LTD, which has a mailbox in the British Virgin Islands, so it could be from anywhere.
Also, they use DNS at DNSMADEEASY.COM like many domains I have already mentioned in this topic : http://malvertising.stopmalwares.com/2014/05/installcoreconduit-fake-flash-player-malvertising/
Domain Name: AFFILIATION-FRANCE.COM
Registrar: WILD WEST DOMAINS, LLC
Whois Server: whois.wildwestdomains.com
Referral URL: http://www.wildwestdomains.com
Name Server: NS10.DNSMADEEASY.COM
Name Server: NS11.DNSMADEEASY.COM
Name Server: NS12.DNSMADEEASY.COM
Name Server: NS13.DNSMADEEASY.COM
Name Server: NS14.DNSMADEEASY.COM
Name Server: NS15.DNSMADEEASY.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 31-may-2013
Creation Date: 12-dec-2009
Expiration Date: 12-dec-2014
A five-page website about something else.
EDIT – June 16
Openx removed the malvertising some days ago. Thanks to them.
Another malvertising came up on the Appnexus network (maybe via a third-party network) yesterday; The Hacker News wrote a news item about malvertising at DeviantArt : http://thehackernews.com/2014/06/deviantart-malwaretising-campaigns-lead.html but of course it is not only there.
I got it yesterday on mangafox.com; I reported it to Appnexus, so I expect to get it removed soon.
Also, admailtiser is back on the Appnexus network via fastlick.net (Conversant Media).
EDIT – A look at the Fake Flash Malvertising on Appnexus network
A fake Flash malvertising is still alive at Appnexus.
Here is a screenshot of the source; as you can see, a JavaScript is called from a BMP URL on JAVA-WORD.COM
The domain is suspicious :
Domain Name: JAVA-WORD.COM
Registrar: NAME.COM, INC.
Whois Server: whois.name.com
Referral URL: http://www.name.com
Name Server: NS1.LINODE.COM
Name Server: NS2.LINODE.COM
Name Server: NS3.LINODE.COM
Name Server: NS4.LINODE.COM
Name Server: NS5.LINODE.COM
Status: ok
Updated Date: 12-jun-2014
Creation Date: 12-nov-2013
Expiration Date: 12-nov-2014
Registrant Name: wu bin
Registrant Organization: wubin
Registrant Street: yinglonghuayuan 60dong 501
Registrant City: nanjing
Registrant State/Province: jiangsu
Registrant Postal Code: 210014
Registrant Country: CN
Registrant Phone: +86.84297132
Registrant Email: 12557286@qq.com
Admin Name: wu bin
Admin Organization: wubin
Admin Street: yinglonghuayuan 60dong 501
Admin City: nanjing
Admin State/Province: jiangsu
Admin Postal Code: 210014
Admin Country: CN
Admin Phone: +86.84297132
Admin Email: 12557286@qq.com
Tech Name: wu bin
The BMP gives another piece of code :
We get another call at : http://www.java-word.com/ResponeSevlet?domain=FR_300x250_280000&c=FR_300x250_280000.jpg
If you call it directly, you get an image, so no redirection :
And the code when you are redirected to the fake Flash malvertising :
You get a redirection per IP. This is clearly the malvertising way.
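The trick above, script served from a URL that looks like a BMP image, is something a proxy or sandbox can check for mechanically: compare the declared type (Content-Type header or URL extension) with the file magic and look for script markers in the body. This is an added example, not code from the original post; the sample responses and hostnames are constructed.

```python
"""Flag ad responses that claim to be an image but carry script.

Added example, not from the original post; sample responses are constructed.
"""
import re
from urllib.parse import urlsplit

# Magic bytes per image subtype; "x-ms-bmp" is the other common BMP MIME name.
IMAGE_MAGIC = {
    "bmp": (b"BM",), "x-ms-bmp": (b"BM",),
    "jpeg": (b"\xff\xd8\xff",), "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_MARKERS = re.compile(
    rb"<script|document\.write|window\.location|location\.href", re.I)


def declared_image_type(url, content_type):
    """Subtype ('bmp', 'png', ...) the header or URL claims, else None."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype.startswith("image/"):
        return ctype[len("image/"):]
    ext = urlsplit(url).path.rsplit(".", 1)[-1].lower()
    return ext if ext in IMAGE_MAGIC else None


def classify_response(url, content_type, body):
    """'other': no image claim; 'image': magic matches the claim;
    'script-in-image': script markers under an image claim; else 'mismatch'."""
    kind = declared_image_type(url, content_type)
    if kind is None:
        return "other"
    if any(body.startswith(m) for m in IMAGE_MAGIC.get(kind, ())):
        return "image"
    if SCRIPT_MARKERS.search(body[:4096]):
        return "script-in-image"
    return "mismatch"


def suspicious_urls(responses):
    """URLs (from (url, content_type, body) tuples) whose body contradicts
    the image claim, i.e. what a proxy log reviewer would want listed."""
    return [url for url, ctype, body in responses
            if classify_response(url, ctype, body) in ("script-in-image", "mismatch")]


# Constructed samples: a genuine BMP header, a script served under a .bmp
# name, and an ordinary HTML page (no image claim, so ignored).
SAMPLE_RESPONSES = [
    ("http://ads.example.invalid/banner.bmp", "image/bmp", b"BM" + b"\0" * 52),
    ("http://ads.example.invalid/ad.bmp", "image/bmp",
     b"document.write('<script src=\"//x.invalid/r.js\"></script>')"),
    ("http://ads.example.invalid/index.html", "text/html", b"<html><script>"),
]

if __name__ == "__main__":
    for url in suspicious_urls(SAMPLE_RESPONSES):
        print("suspicious:", url)
```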
EDIT June 20
It leaves, it comes back.
- Appnexus network : https://twitter.com/malekal_morte/status/479717948710731776
- Media Player malvertising at Openx network : https://twitter.com/malekal_morte/status/479598790408949760
- PubMatic network : https://twitter.com/malekal_morte/status/479740747768659968
- ValueClick / Convertmedia network : https://twitter.com/malekal_morte/status/479575217619341313 – as you can see, admailtiser.com is still involved in this. It has now been running for a while on the ValueClick network.
So, still big traffic.
The PubMatic malvertising is the same as the one on the DeviantArt website mentioned in the Hacker News article.
In my case, it replaces the website you are trying to visit.
There is a SWF at http://cdn1sitescout.edgesuite.net/7000/6907/04d2e46e9d7b9e59.swf that redirects to http://a.fwed.net/web/FR/click.php, leading then to reduxmediia.com and avadslite.com. Example :
http://a.fwed.net/web/FR/click.php - (144.76.207.229)
http://a.fwed.net/web/FR/stats.php - (144.76.207.229)
http://www.reduxmediia.com/apu.php?n=&zoneid=4960&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1
http://tah.avadslite.com/?kw=4960s1=1456785536.242716.2f6ce9a7b5.4960.29d29e960563b549b1e0d650d261f839&s2=pc (184.170.128.86)
http://yb0zz.playnow.mediamother.eu/?sov=444346705&hid=dljhrhvjjhpd&id=XNSX.1456785536.242716.2f6ce9a7b5.4960.29d29e960563b549b1e0d650d261f839%3A%3Apc
http://yb0zz.playnow.mediamother.eu/templates/np.codec.mini/mediaplayer_update_keyed_DLIK/images/logos/logo1.png (107.191.48.203)
I got a Media Player popup today on DeviantArt; the redirection to the SWF is made by Rubicon Project, and then we still find fwed.net / reduxmediia.com :
The malvert : http://cdn1sitescout.edgesuite.net/7000/6907/04d2e46e9d7b9e59.swf
EDIT – June 24
As usual, Appnexus did some cleanup.
PubMatic said they are going to check the issue : https://twitter.com/PubMatic/status/481089326861004800
The malvertising on the ValueClick / Convertmedia network is still online; I got it from MangaReader.net (~1000 on Alexa). By the way, if you look at the graph, they are losing traffic; I guess malvertising is probably responsible : http://www.alexa.com/siteinfo/mangareader.net
I got another malvertising, still at mangareader.net, from the onclickads.net network via popup :
http://onclickads.net/afu.php?zoneid=19227
http://www.livesoccer2014.com/?ci=8828&version=1.1.5.55&ti1=8224766571
http://www.livesoccer2014.com/css/newstyle_FR.css
http://www.all-pages.net/LPfiles/css/downloadIndicator.css
http://www.all-pages.net/LPfiles/js/jquery.js
http://www.html-files.com/AMddlT.js
http://www.all-pages.net/LPfiles/js/common2.js
http://www.all-pages.net/LPfiles/js/networkCommon.js
A TVapp to watch World Cup matches : https://www.virustotal.com/fr/file/b81100083f6d118b647ab850ea456ff03cd40e943cf1f72703e2f22ac2c263eb/analysis/
SHA256: b81100083f6d118b647ab850ea456ff03cd40e943cf1f72703e2f22ac2c263eb
Nom du fichier : TVapp__8826_i942936337_il269.exe
Ratio de détection : 9 / 54
Date d’analyse : 2014-06-24 14:23:02 UTC (il y a 42 minutes)
AVG BundleApp_r.R 20140624
AhnLab-V3 PUP/Win32.Amonetiz 20140624
AntiVir ADWARE/Adware.Gen2 20140624
Avast Win32:Amonetize-BX [PUP] 20140624
ESET-NOD32 a variant of Win32/Amonetize.AW 20140624
Kaspersky not-a-virus:HEUR:AdWare.Win32.Amonetize.heur 20140624
Malwarebytes PUP.Optional.Amonetize 20140624
Sophos Amonetize 20140624
VIPRE Amonetize (fs) 20140624
EDIT – July 1 : Adcash – Ad-sys.com and adorika.net
Seems some cleanup has been made.
I noticed a malvertising on www.hinata-online.fr from adcash that redirects to http://a.ad-sys.com / http://a.adorika.net / http://main.vodonet.net
It replaces the website you are trying to visit.
Redirector : http://iron.zbane.com/MAIN/ironsource/rev_share_v2.php /
Binary : http://cdn.adorikacontentportal.com/?ic_user_id=321
ad-sys / adorika are the usual actors in this malvertising; already mentioned here : http://malvertising.stopmalwares.com/2014/05/installcoreconduit-fake-flash-player-malvertising/
PUP Detection :
SHA256: 73c986e6506eb8a2c978f223029d1501a4f91aef3665cfe230c735a0690d9e1b
Nom du fichier : flvplayer.exe
Ratio de détection : 7 / 54
Date d’analyse : 2014-07-01 07:17:36 UTC (il y a 9 minutes)
AVG Generic.953 20140701
ESET-NOD32 a variant of Win32/InstallCore.PL 20140701
K7AntiVirus Unwanted-Program ( 00454f261 ) 20140630
K7GW Unwanted-Program ( 00454f261 ) 20140630
Norman InstallCore.CERT 20140701
Sophos Install Core Click run software 20140701
VIPRE Trojan.Win32.Generic!BT 20140701
EDIT – July 18 : Adcash / PopAds / Directrev still loading fake Java/Flash malvertising
Still some fake Java/Flash malvertising around :
- adsrvmedia.com – 184.168.221.78 (no information about this domain, so suspicious) : https://twitter.com/malekal_morte/status/489671945701818368
- directrev network : https://twitter.com/malekal_morte/status/489669307220361216
- popads network : https://twitter.com/malekal_morte/status/489665661409308672
Below, a screenshot of the PopAds replies :
Also the adcash network, which is loading content to admailtiser : https://twitter.com/malekal_morte/status/490011867931496450
Adcash is also loading another kind of fake Flash malvertising : https://twitter.com/malekal_morte/status/489816300735451136
Notice also that adcash is loading a lot of fake virus alerts for mobile; see this topic : http://malvertising.stopmalwares.com/2014/07/mobile-malvertising-fake-virus-alert/
EDIT – July 19 : adk2 / plymedia : Matomy
Again a fake Java malvertising on mangareader.
The source is the darchmedia network, which is loading content to adsmedia.com (yes, again), which loads content to the adk2 network, which loads the fake Java malvertising :
http://ads.adk2.com/player.html
http://www.sheinsiade.com/frch.php?pc1=show3
http://www.kellimindre.com/FR/index.php
adk2.com has an alias with a mention of plymedia :
host ads.adk2.com
ads.adk2.com is an alias for pool.plymedia.iponweb.net.
plymedia.com is also mentioned in the whois :
Admin Name: David Markowitz
Admin Organization: PLYmedia Israel (2006) Ltd.
Admin Street: 48 King George
Admin City: Tel Aviv
Admin State/Province: NA
Admin Postal Code: 64337
Admin Country: Israel
Admin Phone: +972.972547631761
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: david@plymedia.com
And yeah, another Israeli outfit.
Matomy (another Israeli company already mentioned) is mentioned on their website.
Adk2 and Plymedia contacts are the same :
Do you remember m2pub? It is already mentioned in this topic (March 13 EDIT and June 2).
Also :
creative.m2pub.com is an alias for cdn.adk2.com.
cdn.adk2.com is an alias for cdn.adk2.co.edgekey.net.
cdn.adk2.co.edgekey.net is an alias for e332.g.akamaiedge.net.
e332.g.akamaiedge.net has address 2.16.120.96
m2pub also loads PUPs :
Fake Virus Alert : https://twitter.com/malekal_morte/status/473414276116664320
Java Log use : https://twitter.com/malekal_morte/status/468111720184311808
And… the m2pub.com whois leads to Matomy :
Registry Registrant ID:
Registrant Name: Shlomi Sharabi
Registrant Organization: Matomy Media Group
Registrant Street: Hanechoshet st.
Registrant Street: 6
Registrant City: Tel Aviv
Registrant State/Province: Tel Aviv
Registrant Postal Code: 69719
Registrant Country: Israel
Registrant Phone: 773606060
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: it@matomy.com
~~
About admailtiser.com : it is related to Convertmedia, another Israeli company.
=> https://twitter.com/malekal_morte/status/472339472378785792
=> https://twitter.com/malekal_morte/status/469815653730631680
So, some Israeli companies are linked.
Admailtiser.com has been loading fake Java/Flash malvertising for months.
adsrvmedia.com is new and also always leads to fake Flash/Java malvertising; see https://twitter.com/malekal_morte/status/489671945701818368
There is no information about the source of this domain, but it loads content to ad2k.com, which is redirecting to the fake Java malvertising.
These Israeli companies are always around.
EDIT – July 29 2014 : exchange.continular.com replaces exchange.admailtiser.com
Just to note that exchange.continular.com replaces exchange.admailtiser.com.
In the whois, we can find a domain contextin.com :
Registry Registrant ID:
Registrant Name: Gil Shiff
Registrant Organization: ArgumTech Ltd.
Registrant Street: Marcel Janco 3
Registrant City: Tel-Aviv
Registrant State/Province: Israel
Registrant Postal Code: 69413
Registrant Country: Israel
Registrant Phone: +97-254-464-4320
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: gil@contextin.com
This domain leads to convertmedia.com :
EDIT – August 5 2014 : new kind of Java Malvertising
Since some days, there is a new kind of malvertising.
A popup comes up, then you are redirected to a fake Java web page.
The Zedo network is currently hit by this malvertising :
http://uwk.iphoneintroduce.com/300x250.html
http://dl82.xzstny.com/topic/java/go.php?code=java&country=FR&aid=137&ext=3
Domains are random : https://www.virustotal.com/fr/ip-address/192.186.132.194/information/
The whois is suspicious :
Domain Name: IPHONEINTRODUCE.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS61.DOMAINCONTROL.COM
Name Server: NS62.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 10-jun-2014
Creation Date: 09-jul-2013
Expiration Date: 09-jul-2015
Admin Name: James Kirk
Admin Organization:
Admin Street: 134 Michael’s Bay Rd
Admin City: Manitowaning
Admin State/Province: Ontario
Admin Postal Code: P0P 1N0
Admin Country: Canada
Admin Phone: +1.7053687010
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: JamesKirk1979@start.ca
EDIT – August 12 2014 : adk2x.com
Another Israeli domain :
Domain Name: ADK2X.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS-1399.AWSDNS-46.ORG
Name Server: NS-1737.AWSDNS-25.CO.UK
Name Server: NS-72.AWSDNS-09.COM
Name Server: NS-936.AWSDNS-53.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 10-mar-2014
Creation Date: 13-feb-2014
Expiration Date: 13-feb-2015
Admin Name: David Markowitz
Admin Organization: PLYmedia
Admin Street: 48 King George
Admin City: Tel Aviv
Admin State/Province: NA
Admin Postal Code: 64337
Admin Country: Israel
Admin Phone: +972.547631761
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: david@plymedia.com
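The attribution method used in the adk2 / m2pub section and again for adk2x.com above is a pivot: domains are tied together through shared whois contact fields and DNS aliases. The script below does that pivot mechanically; it is an added example, not code from the original post, and its records are trimmed copies of the whois fields and the CNAME quoted in this post. It assumes the last two DNS labels are the registrable domain, which is wrong for ccTLD second levels such as co.uk.

```python
"""Cluster ad domains on shared whois contacts and DNS aliases.
Added example, not from the original post; the records are trimmed copies of
the whois fields quoted there. Assumes the last two DNS labels are the domain."""
from collections import defaultdict

WHOIS_RECORDS = {
    "adk2.com": ("Admin Name: David Markowitz\n"
                 "Admin Organization: PLYmedia Israel (2006) Ltd.\n"
                 "Admin Email: david@plymedia.com\n"),
    "adk2x.com": ("Admin Name: David Markowitz\n"
                  "Admin Phone Ext:\n"
                  "Admin Email: david@plymedia.com\n"),
    "m2pub.com": ("Registrant Name: Shlomi Sharabi\n"
                  "Registrant Organization: Matomy Media Group\n"
                  "Registrant Email: it@matomy.com\n"),
}
DNS_ALIASES = {"creative.m2pub.com": "cdn.adk2.com"}  # CNAME quoted in the post


def parse_whois(text):
    """{field: [values]} from 'Field: value' lines; empty values are dropped."""
    fields = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()].append(value.strip())
    return dict(fields)


def pivot_keys(fields):
    """(kind, value) contact keys; the Registrant/Admin role is dropped."""
    keys = set()
    for field, values in fields.items():
        role, _, kind = field.rpartition(" ")
        if role in ("Registrant", "Admin") and kind in ("Name", "Email"):
            keys.update((kind.lower(), v.lower()) for v in values)
    return keys


def registrable(host):
    return ".".join(host.lower().split(".")[-2:])


def cluster_domains(records, aliases):
    """Merge domains that share a pivot key or are joined by a CNAME."""
    links = defaultdict(set)  # evidence key -> domains carrying it
    for domain, text in records.items():
        links[("self", domain)].add(domain)
        for key in pivot_keys(parse_whois(text)):
            links[key].add(domain)
    for src, dst in aliases.items():  # only hosts we hold records for
        links[("cname", src)] = {registrable(src), registrable(dst)} & set(records)
    clusters = []
    for group in links.values():
        hit = [c for c in clusters if c & group]
        clusters = [c for c in clusters if c not in hit] + [set(group).union(*hit)]
    return sorted(sorted(c) for c in clusters if c)
```

Running `cluster_domains(WHOIS_RECORDS, DNS_ALIASES)` puts all three domains in one cluster; without the CNAME, m2pub.com stays on its own, which is exactly the link the post needed the `host` output for.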
The redirection to the fake Flash web page :
The redirection to the binary (java.exe – hey, it's Flash!).
Solimba affiliation program.
http://4.track404od.com/d/536ccaac561ca36f1e8b4708/6602816573
http://flv2.dmrcdn.com/n/3.1.22.6/12912912/java.exe?tid=53e9ac69561ca359198b459b
SHA256: 6e76040741f3c07cf9fd2465a974cd59be0413ff2f2b22fdad73a099857dbf80
Nom du fichier : java.exe
Ratio de détection : 16 / 53
Date d’analyse : 2014-08-12 05:57:35 UTC (il y a 1 minute)
AVG BundleApp_r.AJ 20140812
AVware Solimba 20140812
Agnitum PUA.Solimba! 20140810
AntiVir APPL/Firseria.Gen8 20140812
Avast Win32:Trojan-gen 20140812
Comodo Application.Win32.Firseria.MAP 20140812
DrWeb Trojan.DownLoader11.24441 20140812
ESET-NOD32 a variant of MSIL/Solimba.AH 20140812
K7AntiVirus Unwanted-Program ( 0040f8f51 ) 20140811
K7GW Unwanted-Program ( 0040f8f51 ) 20140811
Malwarebytes PUP.Optional.Popeler 20140812
Panda Trj/Genetic.gen 20140811
Sophos Solimba Installer 20140812
Symantec SecurityRisk.BL 20140812
VBA32 Downware.Morstar 20140811
VIPRE Solimba 20140812