<![CDATA[[SecurityRatty] tag: xtraff]]> http://securityratty.com/tag/xtraff Mon, 18 Feb 2008 07:58:53 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Serving Malware Through Advertising Networks]]> http://securityratty.com/article/611f196eeff4dd95bd37c6eaecb46ad4 http://securityratty.com/article/611f196eeff4dd95bd37c6eaecb46ad4 In need of fresh binaries and malware serving domains? Start feeding your honeyfarm, or professional interests by participating in an affiliate network -- just like pharmaceutical scammers do -- that's literally serving live exploit URLs and dropping malware in real-time.

Upon registering at xbanners.biz, you're enticed to IFRAME your web property, and point to xtraff.biz/banner.php (67.228.11.176, also responds to interace8.com and cheap-web-host.net) and xtraff.biz/ads2.htm currently trying to exploit MDAC ActiveX code execution (CVE-2006-0003) through the Neosploit malware kit. Banner.php is for the time being loading IFRAMEs to :

funppc.com/cgi-bin/pl/affiliates/referral.cgi?referral=3098 (63.219.176.194)
look.fxlayer.net/hop.php (87.98.255.2)
hartnetwork.org/cgi-bin/in.cgi?p=1018b (216.246.31.236) - Neosploit malware kit

Moreover, two other IFRAMEs within banner.php attempt to load a multitude of exploit serving URLs. xtraff.biz/ads1.htm loads :

winhex.org/tds/in.cgi?9 (85.255.120.194; the malware embedded attack againt the French government's Lybia site)
195.93.218.25/kam/index.php

xtraff.biz/ads2.htm loads :

todub.com/tod.php?username=kamilet (72.167.54.150)
search-fantasy.info/go.php?u=fxlayer (208.109.178.115)
netsearch.cc/go.php?u=fxlayer (208.109.90.122)
upperhits.com/index.php?id=kamilet (72.52.154.96)
itsptp.com/promote.php?uid=160 (72.232.241.20)
validall.com/portal.php?ref=kamilet (207.150.179.58)
feisearch.com/portal.php?r=0&username=fxlayer (63.246.133.63)
g2xml.com/portal.php?r=0&username=kamilet (74.86.191.98)

xtraff.biz/ad3.htm loads :

utracker.pl/stat.php
xtraff.biz/filtercountry.php

Upon registering at the second affiliate program, the participant is asked to use the following URL to redirect traffic to asearchfor.com/search.php (207.226.164.195); getmysearch.com/search.php (207.226.164.195); merrysearch.com (207.226.164.194). Known domains/IPs with bad reputation. It gets even more interesting as we try to further expand the affiliate program under the many other different domain names they use such as :

buckspacks.com
serious-partners.com
real-bucks.com
funsempire.com
czcash.com
extreme-traffic.net
funsempire.com
risecash.com
favouritecash.com
xxl-cash.com
partner.loveplanet.ru
partner.gameboss.ru

Why would they bother sharing the revenues with other parties at the first place? To hedge of risk of getting caught serving malware directly, so what they're basically doing is risk-forwarding the serving process to each and every participant in the affiliate network. The bottom line - xbanners.biz is a frontend to xtraff.biz's malicious practices, and xtraff.biz itself is a frontend to FunPPC.com, among the many affiliate programs that once establishing trust with a web site owner, start abusing it by randomly serving live exploir URLs and dropping malware.
]]> Mon, 18 Feb 2008 07:58:53 +0000 malware php attempt php neosploit malware kit xtraff exploit live exploit urls urls htm Serving Malware Through Advertising Networks