Sponsored by..

Friday, 15 January 2010

zoombanner.com / YieldManager malvertisement on ebuddy.com

ebuddy.com is running a malicious ad on the zoombanner.com domain, apparently managed by Yieldmanager.

First, the "legitimate" end of the malware chain loads at ad.zoombanner.com/content?campaign=1171557&sz=6
This forwards to deliver.commismanderakis.com/rotate?m=2;b=6;c=1;z=585778
Which goes to content.fishpotboutademalled.com/track/3388182/S_IT?[snip]
Then img.commismanderakis.com/img?XAhIPWtICDkJX0FVHXUDKFoRYhYlRxFCNlsBGEhLBEtVdRdiCRYKBA8kKV9RHBEaXFJfXFMHAQ
Followed by the payload domain at jduvazuc.info/cgi-bin/dep
then jduvazuc.info/cgi-bin/dep/j006102Hd793447cR55e239b8T9cc338b5V0100f060203L69740000000000000000
then jduvazuc.info/cgi-bin/dep/o006102203317l0010Hd793447cR55e239b8T9cc338b6V0100f060
Finally jduvazuc.info/cgi-bin/dep/e006102203318l0010Hd793447cJ0d000601R55e239b8T9cc338a4U0ec2fc77V0100f0600

This last hop tries to load an executable (and probably some other crap I haven't spotted), not very well detected according to VirusTotal. Oh yes, there's a PDF exploit too.

The malicious ad is an Italian language vacation banner in this case.


Most of the domains have anonymous registration details, except zoombanner.com which has the same details that were used in the malicous ads featured here and here.

zoombanner.com

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Domain Name: ZOOMBANNER.COM
Created on: 24-Jul-09
Expires on: 24-Jul-10
Last Updated on: 24-Jul-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Domain servers in listed order:
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

A search for the IP addresses show Linode is providing most of the infrastructure (again) with ezzi.net providing the payload server.

ad.zoombanner.com
69.164.215.205, 69.164.215.204 [Linode]

deliver.commismanderakis.com
74.207.232.205, 74.207.232.206, 74.207.232.248, 74.207.232.249, 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203 [Linode]

content.fishpotboutademalled.com
69.164.196.55 [Linode]

jduvazuc.info
216.150.79.74 [AccessIT / ezzi.net]

Incidentally, 69.164.196.55 also hosts a bunch of domains which are probably malicious:
  • Aspoutceringlapham.com
  • Baalcootymalachi.com
  • Bangywhoaswaikiki.com
  • Bertbleepedupsurge.com
  • Bluegumgodfulfrowzly.com
  • Bookletjigsawsenam.com
  • Boursesdeployporomas.com
  • Cabullacoexertstephen.com
  • Camastuthbroomer.com
  • Camocaexcidealaric.com
  • Cursarophitkamass.com
  • Dunnishbribesteen.com
  • Dusaexsurgeenzed.com
  • Eelfishminibusdaniel.com
  • Enyopensilflux.com
  • Fishpotboutademalled.com
  • Galasynjingkoendoss.com
  • Gombayuranidetripper.com
  • Haileschoralephydra.com
  • Haredjuvenalalkyds.com
  • Hoofishsmutsdela.com
  • Jigmenbrasschaves.com
  • Jumnamontanodillon.com
  • Limanadernaggly.com
  • Malabarvoiotiahsln.com
  • Mashlampeasewahima.com
  • Miauwbustianraynold.com
  • Mowewindsortejo.com
  • Nahshufrosterpappus.com
  • Negreetflurtagma.com
  • Nitrotowelvidovic.com
  • Oaterhabeasroyalet.com
  • Ospswraxledfummel.com
  • Oundycelticrecomb.com
  • Pcdosbahnerdalea.com
  • Pealedlupulicdunker.com
  • Polarlyfoetiskart.com
  • Potwareabipondeana.com
  • Psatchargeehewart.com
  • Puddyolderrippon.com
  • Sallierdiaushawed.com
  • Sarddieterchuted.com
  • Scullogmooerslarking.com
  • Siwardupttorntrib.com
  • Skouthlazordurning.com
  • Suttenbnetifla.com
  • Tacomanheathsdisodic.com
  • Temperabiceswayaka.com
  • Teughlyhesperegerek.com
  • Toterterrenobrasero.com
  • Vaccarykakkakcaddoan.com
  • Viperanmeatsoths.com
  • Viznomyboohoorigs.com
  • Voluntyseventechny.com
  • Wartedbiterhunter.com
  • Woodardvirgetoruli.com
  • Yawybottlersuccahs.com
  • Zirklehalavahhaunchy.com
I suspect that you probably wouldn't miss much by null-routing Linode completely at the moment.

2 comments:

Alucard said...

"I suspect that you probably wouldn't miss much by null-routing Linode completely at the moment."

Really? Blacklist the entirety of one of the largest VPS providers which has five datacenters in the US & EU, based on 15 malware IPs?

Have you e-mailed abuse@linode.com about this? They're very responsive and if these people are breaking their Terms of Service, action will be taken.

Conrad Longmore said...

Abuse report re-sent.

Null-route *everything*, it's the only way to be safe. ')