Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

ALERT: Please treat content from aegadvancedmedia.com with extreme caution

July 29th 2010 in Uncategorized

Nokia Theatre L.A. Live (nokiatheatrelalive.com) is serving exploits via aegadvancedmedia.com

Historical badness at aegadvancedmedia.com (btw, homedepotcenter.com is still serving exploits – stay away from there too):
http://www.google.com/safebrowsing/diagnostic?site=aegadvancedmedia.com

[image: exploit]

Malicious content (note the 1×1 iframe):

[image: page source showing the 1×1 iframe]

Analysis of content from the IP address 85.234.190.13:
http://wepawet.cs.ucsb.edu/view.php?hash=63e7a8a467205c6c2d6c078de506b30c&t=1280392935&type=js

Historical badness at 85.234.190.13:
http://www.google.com/safebrowsing/diagnostic?site=85.234.190.13

Other bad stuff in the IP range:
http://www.malwaredomainlist.com/mdl.php?search=85.234.190&colsearch=All&quantity=50

85.234.190.13 is in Latvia (whois description: Latvia Riga Docsis Ip Pool For Cable Customers).

Other bad stuff is seen coming from 194.8.250.227 (Paraguay Donstroy Ltd) – historical badness there too:
http://www.google.com/safebrowsing/diagnostic?site=194.8.250.227

Interestingly, an analysis of the content loaded from 194.8.250.227 points to fake AV:
http://www.virustotal.com/analisis/b0becacf524a1d04943007da7284bc419245bf26a411a1667df06e647eabadc6-1280394361

Not surprising considering the IP range history:
http://www.malwaredomainlist.com/mdl.php?search=194.8.250&colsearch=All&quantity=50
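Two indicators run through this post: the 1×1 iframe injected into the theatre site, and the two IP ranges (85.234.190.0/24 and 194.8.250.0/24) that the malicious content is loaded from. The following script is an added example, not code from the blog or from any of the sites named; it pulls every iframe out of a page's HTML, flags the ones that are sized or styled to be invisible, and checks each iframe target against the hosts and ranges listed above. The sample HTML, the paths under the listed hosts, and `ads.example.net` are constructed for the example and were not captured from the site.

```python
"""Added example: flag hidden iframes in HTML and check their targets against
the hosts/IP ranges named in the post. Sample page below is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Ranges and host named in the post (the /24s are the MDL searches linked there).
BAD_NETWORKS = [ipaddress.ip_network("85.234.190.0/24"),
                ipaddress.ip_network("194.8.250.0/24")]
BAD_HOSTS = {"aegadvancedmedia.com"}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in document order."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into an int (None if not plain pixels)."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def is_hidden(iframe):
    """True for 1x1 / zero-size frames and for CSS that keeps the frame off screen or invisible."""
    w, h = _px(iframe.get("width")), _px(iframe.get("height"))
    style = iframe.get("style", "").replace(" ", "").lower()
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    hidden_style = ("display:none" in style
                    or "visibility:hidden" in style
                    or re.search(r"(width|height):0(px)?(;|$)", style) is not None
                    or re.search(r"(left|top):-\d{3,}px", style) is not None)
    return tiny or hidden_style


def target_is_listed(src):
    """True if the iframe's host is one of the listed hosts or an IP inside a listed range."""
    host = (urlparse(src).hostname or "").lower()
    try:
        return any(ipaddress.ip_address(host) in net for net in BAD_NETWORKS)
    except ValueError:  # not an IP literal: compare as a domain name (and its subdomains)
        return host in BAD_HOSTS or any(host.endswith("." + h) for h in BAD_HOSTS)


def scan_html(html):
    """Return one finding per suspicious iframe: hidden frames, plus visible frames to listed targets."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        if is_hidden(frame):
            findings.append({"src": src, "reason": "hidden", "listed": target_is_listed(src)})
        elif target_is_listed(src):
            findings.append({"src": src, "reason": "listed-target", "listed": True})
    return findings


# Constructed sample page: one 1x1 frame to a listed IP, one ordinary embed, one visible
# frame to the listed host, one frame pushed off screen with CSS to an unlisted host.
SAMPLE_HTML = """<html><body>
<h1>Event listing (constructed sample page)</h1>
<iframe src="http://85.234.190.13/constructed-path" width="1" height="1" frameborder="0"></iframe>
<iframe src="https://www.youtube.com/embed/constructed" width="560" height="315"></iframe>
<iframe src="http://aegadvancedmedia.com/constructed-tag" width="300" height="250"></iframe>
<iframe src="http://ads.example.net/constructed" style="position:absolute; left:-9999px;"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run against a saved copy of a page (never fetch a suspect page from a production workstation), the script reports three of the four frames: the 1×1 frame to 85.234.190.13 is both hidden and in a listed range, the visible frame to aegadvancedmedia.com is flagged on its target alone, and the off-screen frame is reported as hidden even though its host is not on the list, which is the case worth a manual look since injected tags rotate hosts faster than blocklists are updated.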

There is also an attempt to infect systems using a vulnerability in Adobe Reader and Acrobat 8.0 through 9.2 (a use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3 and 8.x before 8.2 on Windows and Mac OS X, which allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams; it was exploited in the wild in December 2009).
