Monday, June 22, 2009

Ad servers being used to spread exploits

Tonight I went to look at Blue's News to see what's up in gaming today. Firefox popped up a dialog wanting to save a file called 941.pdf. It's not the first time this has happened, but this time I decided, sure, since I'm on Ubuntu, let's have a look at the thing.
> ls -l 941.pdf
-rw-r--r-- 1 uid gid 14720 2009-06-22 20:14 941.pdf
> file 941.pdf
941.pdf: PDF document, version 1.1
> evince 941.pdf
Error: PDF file is damaged - attempting to reconstruct xref table...
>
Sure looks fishy.
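That first look (is the xref really broken, does the file carry JavaScript or another active-content entry, is there an unusually long string literal) can be scripted so the next 941.pdf gets the same treatment. This is an added example, not code from the post, and it runs on a constructed stand-in rather than the real 941.pdf; the indicator names and the 128-byte literal threshold are my own choices.

```python
import re

# Constructed sample (NOT the real 941.pdf): a tiny PDF whose catalog has an
# /OpenAction pointing at a JavaScript action carrying a long string literal,
# and whose startxref offset points at nothing, which is what makes a viewer
# complain about a damaged xref table.
SAMPLE_PDF = (
    b"%PDF-1.1\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (var s = '" + b"A" * 200 + b"';) >> endobj\n"
    b"startxref\n999999\n%%EOF\n"
)

# Name objects that mark active content; the same things 'strings -a' reveals.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def xref_intact(data):
    """True if the last 'startxref' offset really points at an 'xref' keyword."""
    offsets = re.findall(rb"startxref\s+(\d+)", data)
    return bool(offsets) and data[int(offsets[-1]):int(offsets[-1]) + 4] == b"xref"

def longest_literal(data):
    """Length of the longest (...) string literal; packed payloads tend to be huge."""
    return max((len(s) for s in re.findall(rb"\(([^()]*)\)", data)), default=0)

def triage_pdf(data):
    """Report the indicators a first look at a suspicious PDF should surface."""
    counts = {}
    for name in ACTIVE_NAMES:
        # Negative lookahead so /JS does not also match /JSomethingElse.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", data))
        if n:
            counts[name.decode()] = n
    return {
        "version": data[5:8].decode(errors="replace") if data.startswith(b"%PDF-") else None,
        "xref_intact": xref_intact(data),
        "active_names": counts,
        "longest_literal": longest_literal(data),
    }

def is_suspicious(report, literal_threshold=128):
    """Active content combined with a broken xref or an oversized string literal."""
    return bool(report["active_names"]) and (
        not report["xref_intact"] or report["longest_literal"] >= literal_threshold
    )

if __name__ == "__main__":
    report = triage_pdf(SAMPLE_PDF)
    print(report, "SUSPICIOUS" if is_suspicious(report) else "nothing obvious")
```

A clean document with a valid xref and no active-content names comes back as "nothing obvious"; the sample above trips all three indicators.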

Running 'strings -a' on the file showed some JavaScript that included a long string containing the payload. Next I looked into the machine that served up the file.
> host w.eaaxra.info
w.eaaxra.info has address 64.34.162.71
w.eaaxra.info has address 64.34.172.142
w.eaaxra.info has address 66.135.37.21
> host 64.34.162.71
71.162.34.64.in-addr.arpa domain name pointer sever3.adv-basesrv.net.
> host 64.34.172.142
142.172.34.64.in-addr.arpa domain name pointer server2.advert-base.net.
> host 66.135.37.21
21.37.135.66.in-addr.arpa domain name pointer server1.advert-base.net.
Searching on adv-basesrv.net didn't turn up much, but a search on advert-base.net led to a blog post from April 9th, "Another virus infection, courtesy of Yahoo News", which opens:
Major web sites like Yahoo.com and Boston.com are infecting thousands, if not hundreds of thousands, of computers with trojans, back doors, and other viruses, through some of their ad service providers. When will the people in charge of these web sites wake up and start screening the ads that they are serving?
Apparently the blogger over there was infected, and after cleaning up he traced his infection back to good old advert-base.net.

So after two and a half months, this advertising outfit is still spreading exploits in addition to the ads. Why is such an irresponsible company still in business?
