Monday, February 18, 2008

Serving Malware Through Advertising Networks

In need of fresh binaries and malware serving domains? Start feeding your honeyfarm, or your professional interests, by participating in an affiliate network -- just like pharmaceutical scammers do -- that is literally serving live exploit URLs and dropping malware in real time.

Upon registering at, you're enticed to IFRAME your web property and point it to (, which also responds to and, and which is currently trying to exploit the MDAC ActiveX code execution vulnerability (CVE-2006-0003) through the Neosploit malware kit. Note the "for the time being": the targets behind banner.php rotate, so a single fetch only captures the chain as it stood at that moment. Banner.php is for the time being loading IFRAMEs to: ( ( ( - Neosploit malware kit

Moreover, two other IFRAMEs within banner.php attempt to load a multitude of exploit serving URLs. loads: (; the malware embedded attack against the French government's Libya site) loads: ( ( ( ( ( ( ( ( loads:
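The nested chain described above (banner.php loading hidden IFRAMEs that in turn load further IFRAMEs until an exploit page is reached) is easy to miss if you only look at the first hop. As an added example, and not code from the original post, here is a small Python walker that follows such a chain, flags frames that are sized 0x0/1x1 or styled invisible, and notes any page that instantiates the RDS.DataSpace ActiveX control (the MDAC control patched by MS06-014 for CVE-2006-0003). The sample pages, hostnames (reserved .example names) and paths are constructed for the example; nothing here touches the live affiliate domains.

```python
"""Added example (not code from the original post): walk an IFRAME chain of the kind
described above and flag the hidden frames. The pages below are constructed samples on
reserved .example hostnames; nothing here fetches the real banner.php."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# CLSID of the RDS.DataSpace control abused by MS06-014 / CVE-2006-0003 exploit pages.
MDAC_RDS_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"


def is_hidden(attrs):
    """Heuristic: an ad frame sized 0x0 or 1x1, styled invisible, or pushed off-screen
    has no legitimate advertising purpose and is the classic exploit-kit loader shape."""
    def tiny(value):
        value = value.strip().lower().rstrip("px").strip()
        return value.isdigit() and int(value) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        (tiny(attrs.get("width", "")) and tiny(attrs.get("height", "")))
        or "display:none" in style
        or "visibility:hidden" in style
        or "left:-" in style or "top:-" in style
    )


class IframeExtractor(HTMLParser):
    """Collect every <iframe src=...> on a page, with a hidden/visible verdict."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if src:
            self.frames.append((src, is_hidden(a)))


def extract_iframes(html, base_url):
    """Return [(absolute_src, hidden)] for the iframes in html, resolving relative srcs."""
    parser = IframeExtractor()
    parser.feed(html)
    return [(urljoin(base_url, src), hidden) for src, hidden in parser.frames]


def mentions_mdac_control(html):
    """True if the page instantiates the MDAC RDS.DataSpace control (MS06-014 indicator)."""
    return MDAC_RDS_CLSID.lower() in html.lower()


def walk_chain(start_url, fetch, max_depth=5):
    """Follow every iframe reachable from start_url, bounded by depth and a visited set.
    fetch(url) returns page HTML or None. Returns (edges, exploit_pages), where each
    edge is a (parent, child, hidden, depth) tuple."""
    edges, exploit_pages, visited = [], [], set()
    stack = [(start_url, 0)]
    while stack:
        url, depth = stack.pop()
        if url in visited or depth > max_depth:
            continue
        visited.add(url)
        body = fetch(url)
        if body is None:
            continue
        if mentions_mdac_control(body):
            exploit_pages.append(url)
        for child, hidden in extract_iframes(body, url):
            edges.append((url, child, hidden, depth + 1))
            stack.append((child, depth + 1))
    return edges, exploit_pages


# Constructed sample pages standing in for HTTP fetches (hypothetical hostnames).
SAMPLE_PAGES = {
    "http://affiliate.example/banner.php":
        '<html><body><img src="ad.gif">'
        '<iframe src="http://hop1.example/in.cgi?3" width="0" height="0" frameborder="0"></iframe>'
        '<iframe src="/legit_ad.html" width="468" height="60"></iframe>'
        '</body></html>',
    "http://hop1.example/in.cgi?3":
        '<iframe src="http://kit.example/index.php" style="display: none"></iframe>',
    "http://kit.example/index.php":
        '<html><object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"></object></html>',
    "http://affiliate.example/legit_ad.html": "<html><body>Buy now</body></html>",
}


def report(start_url="http://affiliate.example/banner.php", fetch=SAMPLE_PAGES.get):
    """Return the hidden-frame edges and the exploit pages found from start_url."""
    edges, exploit_pages = walk_chain(start_url, fetch)
    hidden = [e for e in edges if e[2]]
    return hidden, exploit_pages


if __name__ == "__main__":
    hidden_edges, pages = report()
    for parent, child, _, depth in hidden_edges:
        print(f"depth {depth}: hidden iframe {parent} -> {child}")
    for url in pages:
        print(f"MDAC RDS.DataSpace CLSID seen on {url}")
```

Against the constructed sample the walker reports two hidden hops (banner.php to the in.cgi redirector, then to the kit landing page) and one page carrying the MDAC CLSID, while the visible 468x60 ad frame is left alone. To use it on a real affiliate URL, swap SAMPLE_PAGES.get for a fetch function that retrieves pages with a victim-looking User-Agent from a disposable network, since these kits profile the client before serving anything.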

Upon registering at the second affiliate program, the participant is asked to use the following URL to redirect traffic to (; (; (, all of them known domains/IPs with a bad reputation. It gets even more interesting when we expand the affiliate program further, under the many other domain names they use, such as:

Why would they bother sharing the revenue with other parties in the first place? To hedge the risk of getting caught serving malware directly: what they're basically doing is forwarding that risk, by pushing the serving process out to each and every participant in the affiliate network. The bottom line: is a frontend to's malicious practices, and is itself a frontend to, among the many affiliate programs that, once they have established trust with a web site owner, start abusing it by randomly serving live exploit URLs and dropping malware.