Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Please treat content from antventure.com, yellowlinebanner.com, redhousebanner.com, t.banner0709.com and knocklis.com with extreme caution

July 13th 2009 in Uncategorized


Normally when I write about malvertizing on this blog, the “goal” of the malvertizement has been to expose victims to fake security software (aka fraudware).  In one case, the “goal” was to expose the victim to a pornographic web site (complete with streaming video and sound on the opening page – mlb.com was hit by that one).

Today I saw a malvertizement that did not expose victims to fake security software, or unwanted pornography.  Instead, it exposed victims to a web site that tried, via various security exploits, to infect computers.

If a victim is exposed to the dangerous content via the malvertizing discovered today, a malicious PDF is downloaded which exploits two vulnerabilities affecting Adobe Acrobat and Adobe Reader (CVE-2008-2992 and CVE-2009-0927).  These vulnerabilities are used to try to download even more malicious software via a web page.

Anyway, here is how it happened. 

ad.yieldmanager.com loaded content in an iframe from served.antventure.com

served.antventure.com in turn pulled content, again in an iframe, from ad.antventure.com.  The ad.antventure.com content was a slew of script that brought us back to ad.yieldmanager.com.

Then there was some back and forth between ad.yieldmanager.com and ad.antventure.com in iframes until, eventually, ad.antventure.com content loaded, you guessed it, ad.yieldmanager.com content.

From here on in it gets really interesting. 

ad.yieldmanager.com loaded content from banner.yellowlinebanner.com

The banner.yellowlinebanner.com content is a 728×90 banner advertisement featuring expedia.com.au. The HREF for the banner advertisement is an expedia.com.au URL but the graphic for the advertisement (a GIF) is pulled from creatives.redhousebanner.com

The URL hosting the gif from creatives.redhousebanner.com contains an iframe that loads content from t.banner0709.com.

t.banner0709.com is where things get real nasty.  The t.banner0709.com URL is redirected to knocklis.com (HTTP response code 302 – “temporary” move), and it is the knocklis.com web page that exposes the victim to the malicious PDF via an iframe in a PHP page. 

The knocklis.com page also tries, without success, to load a graphic (test.gif) and other content from the knocklis.com domain, as well as content from xn--18ba.example.com (this, too, fails).
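The chain above is the sort of thing a defender wants to reconstruct from proxy logs after the fact. The following Python script is an added example, not code from this post or from any of the parties named in it. It walks a set of HTTP log records forward from the ad exchange request using referer and Location links, lists the hosts in the order they were reached, and flags three of the tells described above: a cross-domain 302, an image URL that actually returns HTML (the "GIF" carrying the iframe), and a PDF delivered inside the ad chain. The log records are constructed to mirror the post's narrative; the field names, paths and the example-publisher.test host are assumptions, not a real proxy's schema or real URLs.

```python
"""Reconstruct a malvertising delivery chain from HTTP log records.

Added example (not code from the Spyware Sucks post). The records below
are constructed to mirror the chain described in the post; the field
names (url, referer, status, location, content_type), the URL paths and
the example-publisher.test host are assumptions, not a real log schema.
"""
from urllib.parse import urlparse

REDIRECTS = {301, 302, 303, 307, 308}
IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")

# Domains named in the post's ALERT line.
WATCHLIST = ("antventure.com", "yellowlinebanner.com", "redhousebanner.com",
             "t.banner0709.com", "knocklis.com")

# Constructed sample log: one dict per HTTP response, in request order.
SAMPLE_LOG = [
    {"url": "http://ad.yieldmanager.com/imp?z=1", "referer": "http://example-publisher.test/page",
     "status": 200, "location": None, "content_type": "text/html"},
    {"url": "http://served.antventure.com/serve", "referer": "http://ad.yieldmanager.com/imp?z=1",
     "status": 200, "location": None, "content_type": "text/html"},
    {"url": "http://ad.antventure.com/tag.js", "referer": "http://served.antventure.com/serve",
     "status": 200, "location": None, "content_type": "text/javascript"},
    {"url": "http://banner.yellowlinebanner.com/728x90", "referer": "http://ad.yieldmanager.com/imp?z=1",
     "status": 200, "location": None, "content_type": "text/html"},
    # The "GIF" is really an HTML page carrying the iframe.
    {"url": "http://creatives.redhousebanner.com/banner.gif", "referer": "http://banner.yellowlinebanner.com/728x90",
     "status": 200, "location": None, "content_type": "text/html"},
    {"url": "http://t.banner0709.com/go", "referer": "http://creatives.redhousebanner.com/banner.gif",
     "status": 302, "location": "http://knocklis.com/index.php", "content_type": "text/html"},
    {"url": "http://knocklis.com/index.php", "referer": "http://creatives.redhousebanner.com/banner.gif",
     "status": 200, "location": None, "content_type": "text/html"},
    {"url": "http://knocklis.com/load.php", "referer": "http://knocklis.com/index.php",
     "status": 200, "location": None, "content_type": "application/pdf"},
    {"url": "http://knocklis.com/test.gif", "referer": "http://knocklis.com/index.php",
     "status": 404, "location": None, "content_type": "text/html"},
]


def host(url):
    """Hostname of a URL, or '' if there is none."""
    return urlparse(url).hostname or ""


def build_chain(records, start_url):
    """Return the hosts reached from start_url, in first-visit order.

    A record is a child of a URL when its referer is that URL; a redirect
    additionally links to its Location target.
    """
    children = {}
    for rec in records:
        children.setdefault(rec["referer"], []).append(rec)
    hosts, visited = [], set()

    def add_host(url):
        h = host(url)
        if h and h not in hosts:
            hosts.append(h)

    def walk(url):
        if url in visited:
            return
        visited.add(url)
        add_host(url)
        for rec in children.get(url, []):
            add_host(rec["url"])
            redirected = rec["status"] in REDIRECTS and rec["location"]
            if redirected:
                add_host(rec["location"])
            walk(rec["url"])
            if redirected:
                walk(rec["location"])

    walk(start_url)
    return hosts


def find_indicators(records, chain_hosts):
    """Return (kind, url) findings worth a closer look, in log order."""
    findings = []
    for rec in records:
        h, path = host(rec["url"]), urlparse(rec["url"]).path.lower()
        if rec["status"] in REDIRECTS and rec["location"] and host(rec["location"]) != h:
            findings.append(("cross-domain-redirect", rec["url"]))
        if rec["status"] == 200 and path.endswith(IMAGE_SUFFIXES) and rec["content_type"].startswith("text/html"):
            findings.append(("image-url-returns-html", rec["url"]))
        if rec["content_type"] == "application/pdf" and h in chain_hosts:
            findings.append(("pdf-in-ad-chain", rec["url"]))
    return findings


def hosts_on_watchlist(chain_hosts, watchlist=WATCHLIST):
    """Chain hosts that equal, or are subdomains of, a watchlisted domain."""
    return [h for h in chain_hosts
            if any(h == d or h.endswith("." + d) for d in watchlist)]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOG, "http://ad.yieldmanager.com/imp?z=1")
    print("chain:", " -> ".join(chain))
    for kind, url in find_indicators(SAMPLE_LOG, chain):
        print(f"{kind:24} {url}")
    print("watchlisted:", hosts_on_watchlist(chain))
```

The walk deliberately treats a 302 target as a child of the redirecting request, so the knocklis.com hop appears right after t.banner0709.com even though the browser records knocklis.com with the creatives.redhousebanner.com referer. The 404 for test.gif is not flagged as an "image returning HTML" because only successful responses count; error pages are routinely HTML.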

You will have to forgive my obscuring the URLs – the content is simply too dangerous for curiosity.  The exploit code carried by the malicious PDF is detected as “win32/pdfjsc.av”:
http://www.securityhome.eu/malware/malware.php?mal_id=5738206704a311ed2d81c38.88824099


As a final note, if we visit the creatives.redhousebanner.com URL directly, the iframe does not appear.  Also, antventure.com has been problematic in the past:

http://www.bluetack.co.uk/forums/lofiversion/index.php/t19489.html

http://gigablast.com/get?c=main&d=109162469411&q=antventure.com&


The redhousebanner.com GIF

image

The banner.yellowlinebanner.com content with the iframe content:

image


image


5 comments to...
“ALERT: Please treat content from antventure.com, yellowlinebanner.com, redhousebanner.com, t.banner0709.com and knocklis.com with extreme caution”

Jon

Hi sandi,

This is Jon from Right Media Exchange support (yieldmanager.com). Very much interested in the specific details/logs that you may have on this issue. With the http logs we’ll be able to pinpoint the exact ad(s) causing the issue and remove them from the Exchange. Please email any details that you’d like to share to: support@rmxsupport.com

Thanks and regards,

Jon



sandi

Hi Jon,

Consider it done.

Sandi &c.



Eric "SecRunner"

I’ve seen this as well.  Good advice, I’m adding those to the blackhole.



johnny

Hello. Thank you for this great info! Keep up the good job!



teinby

thank you! I really liked this post!

