Tonight I saw another one, this time from TMZ.com.
Like last time, I took a look:
% ls -l 710.pdf
-rw-r--r-- 1 uid gid 14720 2009-06-26 02:44 710.pdf
% file 710.pdf
710.pdf: PDF document, version 1.1
% cksum 710.pdf
279936831 14720 710.pdf
% strings -a 710.pdf | less
var bd = "10%32%118%97%114%32%86%121%103%76%78%100%106%32%61%32%110%101%119...etc.
Firefox history contained two URLs, with path components of /kn/in.php and /kn/pdf.php, both from the same server.
> host s.hhxzao.info
s.hhxzao.info has address 220.127.116.11
s.hhxzao.info has address 18.104.22.168
s.hhxzao.info has address 22.214.171.124
> host 126.96.36.199
188.8.131.52.in-addr.arpa domain name pointer sever3.adv-basesrv.net.
> host 184.108.40.206
220.127.116.11.in-addr.arpa domain name pointer server2.advert-base.net.
> host 18.104.22.168
22.214.171.124.in-addr.arpa domain name pointer server1.advert-base.net.
Look familiar? It should, it's the same outfit as last time!
Wikipedia's entry for TMZ.com say it "has major corporate backing" and names AOL/Time Warner. As I cited from Another virus infection, courtesy of Yahoo News in the prior post:
Major web sites like Yahoo.com and Boston.com are infecting thousands, if not hundred thousands of computers with trojans, back doors, and other viruses, through some of their ad service providers.The scope and breadth of this is startling, and it's been going on for months!
What gives? Why aren't people up in arms? If the Internet trade press has covered this, please let me know; I haven't seen anything. Is scandalous news being covered up?
Update: I moved the 710.pdf file to a Windows machine and scanned it with both Trend Micro HouseCall and AVG Free and neither one found a thing.
Update 2: See Steps To Prevent Gumblar / Martuz / Nine-Ball for things you can do to stay safe.