A thread about fake Java/Flash update webpages.
PUPs (potentially unwanted programs) have become one of the three main threats. Many different ad pages try to bundle them, and fake Java/Flash update pages are one of them.
This kind of malvertising began spreading around July 2013.
The campaign's malvertising works as follows:
- It replaces the website you visit with the malvertising, so the website loses traffic. A disgusting method.
- They try to keep these campaigns running. For example, on my website, the ad network that does not want them has great difficulty getting them removed completely; they keep coming back through the Appnexus network. For this reason, I have had to suspend this ad network on my website until they find a way to remove this malvertising campaign completely.
- They use domain rotation to bypass detection, as most malware campaigns do.
Video: an example of how a Flash/Java malvertising campaign can replace the content of the website you are trying to view.
Screenshots:
These nasty ads are very common on warez websites (for example, directrev and adcash bundle them directly) and sometimes on mainstream websites, like Dailymotion in the past: http://www.malekal.com/2014/01/07/en-yahoo-ads-for-fake-java-pup-domaiq/
An ad network I use for my website (malekal.com) has been hit by this malvertising for some weeks now.
Malvertisers spread them through third-party ad networks (using the Yahoo ad network and the adnxs network).
Fake Java update webpages bundle PUP.DomaIQ.
Fake Flash update webpages bundle OutBrowse.
PUP.DomaIQ:
Example URLs:
http://ttb.javxdown.net/download/request/[..]
http://dlp.allfiles139.com/[..]
ttb.javxdown.net is an alias for ttb.tuguu.com.
ttb.tuguu.com is an alias for TTBBalancer-990915133.us-west-2.elb.amazonaws.com.
TTBBalancer-990915133.us-west-2.elb.amazonaws.com has address 54.213.33.153
dlp.allfiles139.com is an alias for dlpr1.tgusrv.com.
dlpr1.tgusrv.com has address 37.59.93.44 (OVH – ES)
OutBrowse:
Dropper: https://www.virustotal.com/fr/file/67212965b20bfd44ebed0c29354455a1b0969e0d7d625566ea55899d7c1f2e10/analysis/1399558069/
Example URLs:
http://cld2r.com/?a=11453&c=61975&s1=&ckmguid=38314886-fadc-4de2-80e5-953dbcfa86ac
http://get.file2desktop.com/DownloadManager/Get?p=7302&d=1775&l=1694&n=0&d1=11453&clickid=674178558
cld2r.com has address 162.13.169.123 (Rackspace Hosting)
cld2r.com has address 54.194.139.2 (Amazon)
get.file2desktop.com is an alias for runtimedownloader.elasticbeanstalk.com.
runtimedownloader.elasticbeanstalk.com has address 50.16.187.254 (Amazon)
Some days ago, I tweeted this: https://twitter.com/malekal_morte/status/461570799624024064 and gave some URLs: http://pjjoint.malekal.com/files.php?read=20140430_f11p8s12h14k6
The last active domains:
Rotator:
Networks involved: LINODE-US, NCONNECT-NET (Russia), EGIHOSTING (USA)
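As an added example (not code from the original post), the Python below follows CNAME alias chains the way the host output above does and groups domains by the address they finally land on, which is how a shared rotator address such as 195.162.68.10 stands out. RECORDS and DOMAINS are a constructed offline table built from values quoted in this post, not live DNS lookups.

```python
# Added example, not code from the original post: follow CNAME alias chains
# and group domains by their final address, the pivot used to spot rotator
# domains sharing one host. RECORDS is constructed from the post, not live DNS.
from collections import defaultdict

RECORDS = {  # name -> ("CNAME", target) or ("A", address); constructed table
    "ttb.javxdown.net": ("CNAME", "ttb.tuguu.com"),
    "ttb.tuguu.com": ("CNAME", "TTBBalancer-990915133.us-west-2.elb.amazonaws.com"),
    "TTBBalancer-990915133.us-west-2.elb.amazonaws.com": ("A", "54.213.33.153"),
    "dlp.allfiles139.com": ("CNAME", "dlpr1.tgusrv.com"),
    "dlpr1.tgusrv.com": ("A", "37.59.93.44"),
    "www.autocarq5.us": ("A", "195.162.68.10"),
    "adobes.us": ("A", "195.162.68.10"),
    "www.nanguofeng.us": ("A", "195.162.68.10"),
    "urlcco.us": ("A", "96.126.98.88"),
}
DOMAINS = ["ttb.javxdown.net", "dlp.allfiles139.com", "www.autocarq5.us",
           "adobes.us", "www.nanguofeng.us", "urlcco.us"]  # observed names only

def resolve_chain(name, records, max_hops=8):
    """Return (chain, address): every name visited, then the final A record.
    address is None for a dangling alias, a CNAME loop or too many hops."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        rec = records.get(chain[-1])
        if rec is None:
            return chain, None          # dangling alias: nothing to resolve
        kind, value = rec
        if kind == "A":
            return chain, value
        if value in seen:
            return chain, None          # CNAME loop
        seen.add(value)
        chain.append(value)
    return chain, None                  # too many hops

def group_by_address(names, records):
    """Map each final address to the sorted names that land on it."""
    groups = defaultdict(list)
    for n in names:
        _, addr = resolve_chain(n, records)
        if addr is not None:
            groups[addr].append(n)
    return {a: sorted(ns) for a, ns in groups.items()}

def shared_hosts(names, records, min_domains=2):
    """Addresses hosting at least min_domains names: the rotator signal."""
    return {a: ns for a, ns in group_by_address(names, records).items()
            if len(ns) >= min_domains}
```

Calling shared_hosts(DOMAINS, RECORDS) returns only the 195.162.68.10 group, which is the address to block or watch rather than any single rotating domain.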
Fake Java/Flash webpage:
https://www.virustotal.com/fr/ip-address/174.139.115.118/information/
https://www.virustotal.com/fr/ip-address/174.139.115.117/information/
https://www.virustotal.com/fr/ip-address/195.162.68.10/information/
Networks involved: NCONNECT-NET (Russia) / VPLSNET (Canada)
EDIT – May 9: Last IPs
A video showing the fake Java/Flash update page: https://www.youtube.com/watch?v=jTxG2aaaujE
Rotator:
LINODE-US: https://www.virustotal.com/fr/ip-address/198.58.127.136/information/
Egihosting: https://www.virustotal.com/fr/ip-address/50.117.127.251/information/
Fake Java/Flash webpage:
VPLSNET: https://www.virustotal.com/fr/ip-address/174.139.67.147/information/
LINODE-US: https://www.virustotal.com/fr/ip-address/173.230.147.191/information/
LINODE-US: https://www.virustotal.com/fr/ip-address/50.116.23.244/information/
LINODE-US: https://www.virustotal.com/fr/ip-address/69.164.218.7/information
EDIT – May 12: Last IPs
VPLSNET: https://www.virustotal.com/fr/ip-address/174.139.67.150/information/
LINODE-US: https://www.virustotal.com/fr/ip-address/23.239.11.160/information/
SWEDENDEDICATED-NET: https://www.virustotal.com/fr/ip-address/188.126.79.74/information/
NCONNECT-NET: https://www.virustotal.com/fr/ip-address/195.162.68.12/information/
Egihosting: https://www.virustotal.com/fr/ip-address/209.73.156.18/information/ (see https://twitter.com/malekal_morte/status/465807214360670209)
I got it from two big French websites. The first is t411.me (1k on Alexa and 55 in France): http://www.alexa.com/siteinfo/t411.me
They are talking (in French, sorry) about these fake Java redirections:
The second is uptobox.com (2k, and 175 in France): http://www.alexa.com/siteinfo/uptobox.com
Both redirections are made by exchange.admailtiser.com:
Domain Name: ADMAILTISER.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS-1292.AWSDNS-33.ORG
Name Server: NS-1604.AWSDNS-08.CO.UK
Name Server: NS-207.AWSDNS-25.COM
Name Server: NS-991.AWSDNS-59.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 28-jul-2013
Creation Date: 25-oct-2006
Expiration Date: 25-oct-2015
Registry Domain ID: 646060661_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-07-28 03:00:33
Creation Date: 2006-10-25 10:53:55
Registrar Registration Expiration Date: 2015-10-25 10:53:55
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Gil Shiff
Registrant Organization: Shiff
Registrant Street: Marsel Janco 3
Registrant City: Tel-Aviv
Registrant State/Province:
Registrant Postal Code: 69413
Registrant Country: Israel
Registrant Phone: +972-54-4644320
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: gil_shiff@hotmail.com
EDIT – March 13: uptobox.com and mangareader.net hit too
Again, exchange.admailtiser.com is leading to fake Java/Flash update malvertising.
As on uptobox, where it is still online, it comes from m2pub.com.
This time I got it from exoshares.com (57k on Alexa.com, and 17k in France).
The malvertising was/is also on mangareader.net (1k on Alexa.com).