More rogue adverts

Filed Under: Malware, SophosLabs

Last night, The Register asked us to look into a reader tip in regard to the website of the Daily Mail newspaper.

While doing the initial investigation I may not have been clear about what was happening; this post should clear up any misunderstanding.

Investigating the affected website, I could initially see nothing untoward. However, the site did link to lots of other websites, and it contained several advert-related links.

Investigating further on a goat machine with an aggressively logging web proxy, I was able to see suspicious behaviour.

At the beginning, Internet Explorer loads its default homepage, and then I access the affected web page.

[Image: top.jpg]

After half a dozen refreshes I was able to see the following. (Note that I have obscured the malicious web pages.)

[Image: bot.jpg]

The last few IPs are known to SophosLabs as having hosted malware in the past.

So what is happening here?

  • The Daily Mail is loading adverts from various sites.
  • One of those advert sites is loading content from the malicious IP.
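The chain above is what a logging web proxy lets you reconstruct: each advert request carries a Referer pointing at the page that embedded it, so you can walk from the request to the bad IP back to the newspaper page. The script below is an added example, not part of the original post or SophosLabs tooling. The log lines, the log format (time, client, method, URL, Referer), the ad-network hostname, the paths, and the address 77.221.130.5 are all made up; that address is a placeholder inside the RIPE netblock quoted in the WHOIS output later in the post, not the obscured real one.

```javascript
// Added example: reconstruct an ad-redirect chain from web-proxy logs and
// flag requests that go straight to a bare IP inside a known-bad netblock.
// Log lines and format are constructed for illustration only.

const SAMPLE_LOG = `
12:00:01 10.0.0.5 GET http://www.dailymail.co.uk/ -
12:00:02 10.0.0.5 GET http://ads.adnetwork.example/serve?slot=1 http://www.dailymail.co.uk/
12:00:02 10.0.0.5 GET http://anm.co.uk/advert.html http://ads.adnetwork.example/serve?slot=1
12:00:03 10.0.0.5 GET http://bs.serving-sys.com/ad.js http://anm.co.uk/advert.html
12:00:03 10.0.0.5 GET http://77.221.130.5/in.cgi http://anm.co.uk/advert.html
`.trim();

// Netblock taken from the WHOIS record in the post (77.221.128.0 - 77.221.143.255).
const BAD_NETBLOCKS = ['77.221.128.0/20'];

// Parse "time client method url referer"; "-" means no Referer header.
function parseLog(text) {
  return text.split('\n').filter(Boolean).map(line => {
    const [time, client, method, url, referer] = line.trim().split(/\s+/);
    return { time, client, method, url, referer: referer === '-' ? null : referer };
  });
}

// Dotted-quad to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True when ip falls inside the CIDR block.
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

const hostOf = url => new URL(url).hostname;
const isBareIp = host => /^\d{1,3}(\.\d{1,3}){3}$/.test(host);

// Walk Referer headers backwards from a request to the page that started the chain.
// The seen-set stops loops (a page that refers to itself after a refresh).
function referrerChain(entries, url) {
  const byUrl = new Map(entries.map(e => [e.url, e]));
  const chain = [url];
  const seen = new Set(chain);
  let cur = byUrl.get(url);
  while (cur && cur.referer && !seen.has(cur.referer)) {
    chain.unshift(cur.referer);
    seen.add(cur.referer);
    cur = byUrl.get(cur.referer);
  }
  return chain;
}

// Requests to a bare IP in a bad netblock, each with its reconstructed chain.
function findSuspicious(entries, badNetblocks) {
  return entries
    .filter(e => isBareIp(hostOf(e.url)) && badNetblocks.some(c => inCidr(hostOf(e.url), c)))
    .map(e => ({ url: e.url, chain: referrerChain(entries, e.url) }));
}

for (const hit of findSuspicious(parseLog(SAMPLE_LOG), BAD_NETBLOCKS)) {
  console.log(hit.chain.join('\n  -> '));
}
```

Two caveats a practitioner will hit: adverts loaded through nested iframes and scripts can strip or rewrite the Referer, so when the chain breaks, fall back to ordering requests by time and client as the post did with repeated refreshes; and a bare IP in a bad netblock is a strong hint, not proof, so the hit is the starting point for pulling the page source, which is the next step in the post.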

Initially, the finger of suspicion pointed at the sites preceding the bad IP. However, further investigation showed that the site anm.co.uk was hosting both the malicious code and legitimate adverts. Going to one of the bad adverts, I saw a legitimate advert, and when I viewed the source code:

[Image: source.jpg]

As you can see from the image above, this page references bs.serving-sys.com and carries an obfuscated script. Sophos detects this script as Mal/ObfJS-BI in the WS1000. When the obfuscated script is decoded, it loads content from the malicious IP via an iframe.

Doing a WHOIS lookup on this IP, I saw it was hosted in Russia:


inetnum: 77.221.128.0 - 77.221.143.255
netname: DATAPOINT-NET2
descr: Colocation and virtual hosting
descr: For abuse, spam an other comliants mailto:abuse@infobox.ru
country: RU
admin-c: IBA-RIPE
tech-c: IBA-RIPE
status: ASSIGNED PA
mnt-by: INFOBOX-MNT
source: RIPE # Filtered


person: Infobox Abuse Manager
address: 29, Viborgskaya nab.,
address: 198215 Saint Petersburg, Russia
e-mail: abuse@infobox.ru
phone: +7 812 xxxxxxx
nic-hdl: IBA-RIPE
mnt-by: INFOBOX-MNT
source: RIPE # Filtered

Searching Google for the IP brings up several references to malware. Recently, SophosLabs has seen IPs in this network range associated with W32/MarioF-Gen.

We are still investigating this malicious IP and will update the blog at a later date.
