Monday, February 18, 2008

Serving Malware Through Advertising Networks

In need of fresh binaries and malware-serving domains? Start feeding your honeyfarm, or your professional interests, by participating in an affiliate network -- just like pharmaceutical scammers do -- that is literally serving live exploit URLs and dropping malware in real time.

Upon registering at xbanners.biz, you're enticed to embed an IFRAME in your web property pointing to xtraff.biz/banner.php (67.228.11.176, which also responds to interace8.com and cheap-web-host.net) and xtraff.biz/ads2.htm, currently trying to exploit the MDAC ActiveX code execution vulnerability (CVE-2006-0003) through the Neosploit malware kit. Banner.php is, for the time being, loading IFRAMEs to:

funppc.com/cgi-bin/pl/affiliates/referral.cgi?referral=3098 (63.219.176.194)
look.fxlayer.net/hop.php (87.98.255.2)
hartnetwork.org/cgi-bin/in.cgi?p=1018b (216.246.31.236) - Neosploit malware kit

Moreover, two other IFRAMEs within banner.php attempt to load a multitude of exploit-serving URLs. xtraff.biz/ads1.htm loads:

winhex.org/tds/in.cgi?9 (85.255.120.194; the malware-embedded attack against the French government's Libya site)
195.93.218.25/kam/index.php

xtraff.biz/ads2.htm loads:

todub.com/tod.php?username=kamilet (72.167.54.150)
search-fantasy.info/go.php?u=fxlayer (208.109.178.115)
netsearch.cc/go.php?u=fxlayer (208.109.90.122)
upperhits.com/index.php?id=kamilet (72.52.154.96)
itsptp.com/promote.php?uid=160 (72.232.241.20)
validall.com/portal.php?ref=kamilet (207.150.179.58)
feisearch.com/portal.php?r=0&username=fxlayer (63.246.133.63)
g2xml.com/portal.php?r=0&username=kamilet (74.86.191.98)

xtraff.biz/ad3.htm loads:

utracker.pl/stat.php
xtraff.biz/filtercountry.php

Upon registering at the second affiliate program, the participant is asked to use the following URL to redirect traffic to asearchfor.com/search.php (207.226.164.195); getmysearch.com/search.php (207.226.164.195); merrysearch.com (207.226.164.194), all known domains/IPs with a bad reputation. It gets even more interesting as we try to expand further on the affiliate program, which operates under many other domain names, such as:

buckspacks.com
serious-partners.com
real-bucks.com
funsempire.com
czcash.com
extreme-traffic.net
risecash.com
favouritecash.com

xxl-cash.com
partner.loveplanet.ru
partner.gameboss.ru

Why would they bother sharing the revenues with other parties in the first place? To hedge the risk of getting caught serving malware directly, so what they're basically doing is risk-forwarding the serving process to each and every participant in the affiliate network. The bottom line: xbanners.biz is a frontend to xtraff.biz's malicious practices, and xtraff.biz itself is a frontend to FunPPC.com, one of the many affiliate programs that, once they establish trust with a web site owner, start abusing it by randomly serving live exploit URLs and dropping malware.
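The IFRAME chain described above (participant page -> banner.php -> further exploit-serving URLs) is what a web site owner or incident responder has to hunt for in their own pages. The script below is an added example, not code from the original post or from any of the networks it names: it extracts every IFRAME from an HTML document, matches the IFRAME's host (including subdomains such as look.fxlayer.net) against a blocklist built from the domains listed in the post, and flags the zero-size or display:none frames typical of hidden drive-by loaders. The sample page fed to it is constructed for the demo; the function names (`scan_html`, `is_blocked`, `is_hidden`) are my own.

```python
"""Flag IFRAMEs that point at hosts from a blocklist of malware-serving domains.

Added example, not from the original post. BLOCKLIST holds the domains the post
names as part of the xbanners.biz / xtraff.biz chain; SAMPLE_PAGE is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the post as IFRAME destinations in the affiliate chain.
BLOCKLIST = {
    "xbanners.biz", "xtraff.biz", "funppc.com", "fxlayer.net",
    "hartnetwork.org", "winhex.org", "todub.com", "search-fantasy.info",
    "netsearch.cc", "upperhits.com", "itsptp.com", "validall.com",
    "feisearch.com", "g2xml.com", "utracker.pl",
}

# Dimension values that make a frame effectively invisible to the visitor.
TINY = {"0", "1", "0px", "1px"}


def host_of(url):
    """Return the lowercase hostname of a URL; scheme-less 'host/path' forms are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host):
    """True if host equals a blocklist entry or is a subdomain of one."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def is_hidden(attrs):
    """Heuristic for the classic drive-by pattern: zero-size or CSS-hidden frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    width = (attrs.get("width") or "").strip().lower()
    height = (attrs.get("height") or "").strip().lower()
    return (width in TINY or height in TINY
            or "display:none" in style or "visibility:hidden" in style)


class IframeCollector(HTMLParser):
    """Collect every <iframe src=...> with its host, blocklist hit and visibility."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = host_of(src)
        self.frames.append({
            "src": src,
            "host": host,
            "blocked": is_blocked(host),
            "hidden": is_hidden(a),
        })


def scan_html(html):
    """Return a list of dicts, one per IFRAME, in document order."""
    collector = IframeCollector()
    collector.feed(html)
    return collector.frames


def suspicious_sources(html):
    """Sources that hit the blocklist or are hidden; either alone is worth a look."""
    return [f["src"] for f in scan_html(html) if f["blocked"] or f["hidden"]]


# Constructed sample: an affiliate-style injection next to a legitimate ad slot.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our site</p>
<iframe src="http://xtraff.biz/banner.php" width="0" height="0"></iframe>
<iframe src="look.fxlayer.net/hop.php" style="display: none"></iframe>
<iframe src="https://example.org/widget" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for frame in scan_html(SAMPLE_PAGE):
        flag = "SUSPICIOUS" if frame["blocked"] or frame["hidden"] else "ok"
        print(f"{flag:10} {frame['host']:20} blocked={frame['blocked']} hidden={frame['hidden']}")
```

Matching on the host rather than the full URL matters because the loaders in the post rotate paths and query strings (`in.cgi?p=1018b`, `go.php?u=fxlayer`) far more often than domains; treating hidden frames as suspicious even when the host is unknown catches the next domain before it reaches a blocklist.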