Cyphort Detects Surge in Ad Network Infections, a.k.a. “Malvertising”

Thursday, July 24, 2014

Ali Golshan


By: McEnroe Navaraj, security researcher at Cyphort

We recently noticed a surge where exploit packs are served from DMO (Destination Marketing Organization) websites using an Ad network called during the July 4th long weekend. Cyphort Labs reached out to on July 2, but as of today, we have not received a response or acknowledgement.

Serving malware/exploit using Ad network is a common problem in recent years, and threat actors have special interest on DMO Ad networks during summer holidays and long weekend holidays because more users are looking for travel information during those times, providing a large audience for exploitation. It is a serious enough issue that the US Senate discussed the hazards of this form of malware delivery mechanism and its implications for consumer security in a recent report

With the increasing complexity of Ad syndication and dynamic content creation, we anticipate more incidents of infection delivered through Ad networks. We strongly encourage Ad network providers take steps to enhance their security monitoring on the Ads content in order to build a more secure ecosystem for all. If you have any interaction with Ad Network or DMO sites, we encourage you to read and share this post, and if anyone does business with, whether they respond to us or not (and we hope they do), encourage them to address our findings.

Here’s how the attack works:

Each tourist destination is promoted by a DMO. Mostly it is a Government organization or Government subsidized organization. Most of the content to the DMO website is provided by the backend providers like Destination Travel Network (DTN)


We analyzed a few of the incidents where malicious Ad injected to the DMO websites and other leisure activity websites. The exploit delivery pattern is common across all the injections. In all these incidents, we noticed that the actors used one single central server to deliver exploits from his “cluster of domains”. We were able to correlate this “pattern” with other non-leisure website infections too. The actors have very good control over various Ad networks. Some of the domains from Italy/UK also served exploits from his “cluster of domains”.


List of DMO’s served malware around the July 4 holiday weekend:

Screen Shot 2014-07-21 at 9.18.40 PM

List of DMO’s uses Simpleviewinc’s Ad Servers:

























So it is very likely that a number of the above DMO websites also have served the exploits around the same time. List of other websites that are affected in the same infection campaign:

Screen Shot 2014-07-21 at 9.21.01 PM

We believe the actors behind these infection sites are from the same group. They share a common infection pattern and their infection chain uses the same servers.

Technical Details:

The exploit pack is fingerprinting JAVA/PDF/Flash versions and delivers exploits based on the vulnerable applications. It delivers multiple exploits for all the vulnerable applications in attempt to maximize the chance of infection. It is built from the Nuclear Pack exploit kit. infection chain:

DMO-3 infection chain:


    It infects the machine with following application versions:

  1. JRE 6

  2. JRE 7u17 and less

  3. JRE 7u21

  4. Flash 11.9.900.170

  5. Flash

  6. Flash

  7. Flash

  8. Adobe Reader 8

  9. Adobe Reader 9.3

  10. IE 8/9/10

The vulnerabilities it tries to exploit include:

Java - CVE-2013-2465 and others

SWF - CVE-2014-0515

PDF - CVE-2010-0188

IE     - CVE-2013-2551

The hashes of Droppers:

  • 1937039ABC019DE0A7AB9FEC2A89AE29

  • E1768CE2A08FD4116A16961E5158E284   (Win32.Cidox)

As of writing, both of these droppers from exploit chain are detected by AV vendors.

The sample dropped through (MD5: E1768CE2A08FD4116A16961E5158E284) is a rootkit that overwrites the MBR and NTFS loader. Once executed it overwrites part of NTFS loader and reboots the machine and loads a driver to control various processes. We see a similar behavior as mentioned in this blog. This payload decodes a “shellcode” from resource section into memory and executes it.



Decoded using following operation:


This “shellcode” uses process hollowing technique to create another process to do the malicious activities.

00410B37   50             PUSH EAX                                 ; UNICODE "C:\sample\exe.exe" 00410B38   53             PUSH EBX 00410B39   FF95 2CFEFFFF   CALL DWORD PTR SS:[EBP-1D4]             ; kernel32.CreateProcessW …. 00410B58   FFB5 48FEFFFF   PUSH DWORD PTR SS:[EBP-1B8] 00410B5E   FF95 3CFEFFFF   CALL DWORD PTR SS:[EBP-1C4]             ; kernel32.GetThreadContext

It copies data to remote process using writeprocessmemory


It copies itself to suspended process using writeprocessmemory

00410C25   FF95 54FEFFFF   CALL DWORD PTR SS:[EBP-1AC]             ; kernel32.WriteProcessMemory

It uses SetThreadContext and ResumeThread to start new processes.


The hash of the second process/file is b0ee70b4c5f46fd61aa7d5e35feac801. It overwrites MBR/NTFS loader.


Again: With the increasing complexity of Ad syndication and dynamic content creation, we anticipate more incidents of infection delivered through Ad networks. We strongly encourage Ad network providers take steps to enhance their security monitoring on the Ads content in order to build a more secure ecosystem for all.

I like to thank Abhijit Mohanta and other Cyphort Labs colleagues for helping me in analyzing this campaign.

This was cross-posted from the Cyphort blog.

Firewalls IDS/IDP Network Access Control Network->General SCADA General Impersonation Phishing Phreaking
Post Rating I Like this!
makejoh makejoh So I immediately became irritable mood, because I was too clear who the owner is a. Sure, Ran and Mi Lan has from two car went out. louis vuitton outlet M color looked at me, I try to calm myself, then told her he did not indicate a problem. Ran and Mi Lan side by side into the inn, cheap louis vuitton monogram macassar canvas bags first meters Lan spoke: "Sister, how you come back from the United States did not give me a call ah, cheap louis vuitton handbags but for the American people over there told me that I did not know you back the.
smith alexander
Best in Selling good and fresh cvv fullz ,Dumps,track 1 and 2,bank login,bank transfer,wu bug,wu transfer

writing checks transfer to cc ...
Ship(Laptop , led tv ,iphone 3G or 4G, Ipad , Black Bery tourch ....and more)Book Flight Tickets,Hotels

Online on this Airline!!

Contact me Yahoo:
-ICQ: 668870649
- PHONE NUMBER +1515-992-9377


1cc US (visa) : 3$
1cc US(master) : 3$
1cc US(amex/discover): 5$
1cc US with bin : 6$
1cc US fullz : 20$
1cc uk random : 9$
1cc uk with dob : 25$
1cc uk with bin : 15$
1cc uk bin+dob : 30$
1cc uk fullz : 30$
1cc eu(visa /master) : 10$
1cc eu(Amex/Discover): 15$
1cc ca random : 9$
1cc ca bin : 15$
1cc ca fulls : 20$
1cc au random : 9$
1cc france : 20$
1cc france with dob : 25
1cc germany : 20$
1cc germany with dob : 25$
1cc italy : 20$
1cc italy with dob : 40$
1cc japan : 15$
1cc japan with dob : 25$
1cc belgium : 15$
1cc denmark : 15$
1cc spain : 15$

CC fullz info, CC DOB....Domain hosting.
And many country orther...
Fulls come with this info
Firstname, Lastname, Address, City, State, Zipcode, Phone, SSN, Mother'sMaidenName, DOB,
Driver's License # and state, Email pass , Verifiedbyvisa pass, Cardnumber, Expiry Date, CVV2,
Employment, Position Held , Bank pass, number, name, account number and Routing Number and others infos.

1 Paypal with pass email = 80$
1 Paypal don't have pass email = 30$
1 Banklogin us or uk (personel) = 1000$

Sell Paypal account US reg 3 month ago: 18$/1 acc: Verified
Sell Paypal account US : 10 $/1 acc: Verified
Sell Bank account info US : 7 $
Sell PVN to ----> US : 8 $/month ( Fake IP US)
Sell Visa Debit US : 120$

**BankLogins Prices:

Balance In Chase : 70K To 155K = 160$
Balance In Wachovia : 24K To 80K = 80$
Balance In Boa : 75K To 450K = 300$
Balance In Credit Union : Any Amount = 300$
Balance In Hallifax : ANY AMOUNT = 300$
Balance In Compass : ANY AMOUNT = 300$
Balance In Wellsfargo : ANY AMOUNT = 300$
Balance In Barclays : 80K To 100K = 400$
Balance In Abbey : 82K = 700$
Balance in Hsbc : 50K = 350$

**You can contact me for more and many Bank Logins you need.

1 .Comersus Software With Bank Login And Bank Credit Card Code : 1500$
2 .Comersus Software Without Bank Login And Bank Credit Card Code : 1000$
3. New Western Union Hacking Bug For World Wide Transfer : 300$
4 .New Paypal Login Hackware For Hacking Fresh Paypal : 250$
5. New Shop Admin Hackware For Hacking Online Shop For Credit Card : 620$
6 .New Credit Card Amount Checker Software For Peoples Wanting
To Know Balance on Cc : 150$
7 .New Credit Card Validator For Validation Any Full CC Info : 120$

Contact me Yahoo:
-ICQ: 668870649
- PHONE NUMBER +1515-992-9377

**Prices For Western Union Online Transfer(Eu,Uk,Asia,Canada,Us,France,Germany,Italy and Nigeria):
3000$ = 250$
2500$ = 200$
2000$ = 150$
1500$ = 100$
1000$ = 70$
500 $ = 30$
I tranfer minimum 500$ with price 50$ first for u trust
Western Union Online Software(Western Union Bug(WU Bug)
Version 2008/2009 With an Activation Code :80$
Mailers(Inbox Mailer,Webmail Mailers) :15$
Cpannel :25$

**Other Services Include:

Bank To Bank Transfer To Any Usa Bank
Bank To Bank Transfer To Any Uk Bank
Bank To Bank Transfer To Any Europ Country Bank
Amount To Pay For That Depend On Amount You Want To Transfer

PRICES FOR Teach to Spam ( cc , bank login and more ) :

Complete teach with tools for try = 150$
Complete teach not with tools for u try = 100$
Teach for get spam tools (Mailer , Shell) = 50$
Teach for get spam tools (Cpanel , smtp) = 100$


I can registrer for u, or i can pass to u others accounts i have already activate !

PRICES FOR DUMPS WITH PIN with original track1 and track2 :

Track1=5232556061018719^WYATT/ROBERTSON 1007101171410000271000000

Track1 : B4096663104697113^FORANTO/CHRI STOPHER M^09061012735200521000000
Track2 : 4096663104697113=09061012735250054190
Pin : 6701

MasterCard Standart, Visa Classic - $40
Visa Gold|Platinum|Corporate|Signature|Business ? $40
American Express - $30 ( WITHOUT SID )
Discover - $50
*CANADA:101 201
MasterCard, Visa Classic - $500
Visa Gold|Platinum|Corporate|Signature|Business ? $50
*EU:101 201
MasterCard, Visa Classic - $90
Visa Gold|Platinum|Corporate|Signature|Business ? $130
*Other countries:101 201MasterCard| Visa Classic - $70
Visa Gold|Platinum|Corporate|Signature|Business ? $100
*ASIA/AUSTRALIA/Exotic:101 , 201 , 121 and others
MasterCard| Visa Classic - $50
Visa Gold|Platinum|Corporate|Signature|Business ? $70


MSR505 / MSR2000 : $ 549
MSR505 / MSR300* : $ 499
MSR505 / TA-48 : $ 639
MSR206 / MSR3000 : $ 729
MSR206 / MSR300 : $ 549
MSR206 + 2x MSR400 : $ 900
MSR206 + 2x MSR500m (Mini123) : $ 875
MSR206 + 2x TA-32 : $ 990
MSR206 + 2x CRM42 : $ 869
MSR206 + 2xCRM41 : $ 929

Some Bins :

us bins: 510774,517805,473691,488893,492536,408181,542432,482880,374355,374372
uk bins: 492942,4547,5506,5569,5404,5031,4921,5505,5506,4921,4550
ger bins: 490762,530127
aus bins: 543568,450605,494053,450606,456475,521893,519163
and others bins for others country.....

+ I can check balance in cvv, balance will be as good as you expect and price follow of agreements .

+ All my cvv are tested before sell, that's sure.


Contact me Yahoo:
-ICQ: 668870649
- PHONE NUMBER +1515-992-9377
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.