
Friday, 21 March 2014

Porn site beeg.com hacked, aadserver.com and malware sites to block

The folks at Malwarebytes posted an excellent and interesting blog entry on the hack of porn site beeg.com. The technical analysis is spot on, but sometimes you need actionable intelligence too.

Let's rush towards the climax of the infection chain for a moment. Malwarebytes identify a couple of malicious domains, both hosted on 92.63.109.45 (TheFirst-RU, Russia).

mdquhrp.clark4houk.eu
ipquqoh.lapierre3dudley.eu

Source: Malwarebytes blog
That IP actually hosts a lot more bad domains, all recently registered with hidden WHOIS details:


But how did visitors get delivered to the payload site in the first place? The previous step in the Malwarebytes chain was a site called miofitching3.com on 217.174.108.33 (Domishko Hosting, Russia). A look at the sites recently hosted on that IP shows the following:

aadserver.com
miofetcher1.com
miofitching3.com
miofleiming1.com
miofleiming2.com
miofleiming3.com
miofleiming4.com
miofleiming5.com
miofleiming6.com

One of these things is not like the others. Yes, aadserver.com doesn't match. But the name makes it sound like an advertising network. The domain has hidden WHOIS details but was only registered on 13th February.

A look around the aadserver.com site shows something that looks slick.

It looks slick, but the spelling is terrible and some of the body text has been copied from Wikipedia, even including a [citation needed] tag. The email contact details are all free webmail providers, and despite promoting itself as an "Australian Ad Server" it has a Russian IP address.

It's pretty obvious that aadserver.com is a fake. The Russian IP address (odd for an Australian business), the recent domain registration with hidden WHOIS details, the free webmail contact addresses and the poor spelling should all have been red flags for an experienced media buyer.

So how did these ads end up on beeg.com? Well, if we go back to the first step in the infection chain, we see a reference to a site called staticloads.com. This has the same WHOIS details as beeg.com, so my best guess is that the owners of beeg.com were contacted by aadserver.com with a proposition to sell advertising, and a lack of expertise led to fake ads being placed on the site.

So, I mentioned actionable intelligence. Apart from making sure that you properly train media buyers in detecting fake ad agencies, I would strongly recommend applying the following blocklist to your networks to stop any more bad ads from these criminals causing problems:

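The blocklist above is built from apex domains and hosting IPs rather than the random-looking subdomains the Malwarebytes write-up shows, so that whatever throwaway hostname gets minted next is still caught. The following is an added example (not from the post or from Malwarebytes) of applying such a list to proxy logs: it uses only the domains and IPs named in the text above as a subset of the blocklist, and the log lines and their format are constructed for illustration.

```python
import ipaddress
import re

# Subset of the post's blocklist: apex domains (so random subdomains match too) and hosting IPs.
BLOCKED_DOMAINS = {"clark4houk.eu", "lapierre3dudley.eu", "aadserver.com", "miofitching3.com"}
BLOCKED_IPS = {ipaddress.ip_address("92.63.109.45"), ipaddress.ip_address("217.174.108.33")}

def host_is_blocked(host, blocked_domains=BLOCKED_DOMAINS):
    """True if host is a blocked apex domain or any subdomain of one.
    Matched label by label, so notclark4houk.eu and clark4houk.eu.example.com do not hit."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))

def ip_is_blocked(ip, blocked_ips=BLOCKED_IPS):
    """True if the destination address is one of the blocked hosting IPs."""
    try:
        return ipaddress.ip_address(ip) in blocked_ips
    except ValueError:  # not an IP literal, e.g. "-" in a log field
        return False

# Constructed proxy log lines (not real traffic): time, client, destination IP, requested host.
SAMPLE_LOG = """\
2014-03-21T10:00:01Z 10.0.0.5 92.63.109.45 mdquhrp.clark4houk.eu
2014-03-21T10:00:02Z 10.0.0.6 217.174.108.33 aadserver.com
2014-03-21T10:00:03Z 10.0.0.7 93.184.216.34 www.example.com
2014-03-21T10:00:04Z 10.0.0.8 92.63.109.45 freshly-rotated.example.net
2014-03-21T10:00:05Z 10.0.0.9 198.51.100.7 notclark4houk.eu
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<host>\S+)$")

def flag_log(text):
    """Return (client, host, dst_ip, reasons) for every line that hits the blocklist.
    Checking the IP as well as the name catches a new domain parked on the same server."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = [r for r, hit in (("domain", host_is_blocked(m["host"])),
                                    ("ip", ip_is_blocked(m["dst_ip"]))) if hit]
        if reasons:
            hits.append((m["client"], m["host"], m["dst_ip"], reasons))
    return hits

if __name__ == "__main__":
    for hit in flag_log(SAMPLE_LOG):
        print(hit)
```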

1 comment:

Dennis Lewanolowski said...

I can recommend TimeForXxX.com as an alternative ;D