Malvertising on Youtube.com redirects to EKs

– Update 8/1

This appears to involve more exploit kits than just Sweet Orange (SO).

Redirects to EK Redirector from Youtube.com

HTTP Method = GET
HTTP Referer = http://www.youtube.com/*
Regex HTTP URI for "^http://[a-zA-Z0-9-.]+\/[a-z]+\/$"

Examples:

top. lossa .be /pro/
zxroll. doniz .nl /stats/
purchasing. nookid .nl /stats/

Redirects to Sweet Orange EK from Youtube.com

Have seen a lot of this in the past week.

All domains are dynamic dns domains.

eg.

*.is-a-lawyer.com
*.servehalflife.com
*.no-ip.org
…many others

HTTP Method = GET
HTTP Referer = http://www.youtube.com/*
Regex HTTP URI for "\.php\?[a-z]+=[0-9]+$"

In this case the URI of the EXE request also appears to have been modified: it carries several short numeric parameters, and the last parameter is a much longer number.

/trans.php?title=567&intl=672&licensing=4&bugs=147&warez=171&entry=730&game=270&mapa=189&asia=8&cart=807088360

A regex like this works:

\/[a-z]+?\.php\?([a-z]+?=[0-9]{1,3}&){4,}[a-z]+?=[0-9]+$
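To show how the three patterns above (the redirector rule, the Sweet Orange landing rule and the modified EXE-request rule) fit together as a proxy-log detection, here is an added Python example that is not part of the original post. It transcribes the post's regexes unchanged; the log format ("METHOD URL REFERER" per line), the hostnames and the sample lines are constructed for the example.

```python
import re
from typing import Optional

# All three rules fire only on GET requests referred from youtube.com.
REFERER_RE = re.compile(r"^http://www\.youtube\.com/")

# 1. EK redirector: http://<host>/<word>/ (e.g. http://top.lossa.be/pro/)
REDIRECTOR_RE = re.compile(r"^http://[a-zA-Z0-9-.]+\/[a-z]+\/$")

# 2. Sweet Orange landing page: <name>.php?<word>=<digits> and nothing after it
SWEET_ORANGE_RE = re.compile(r"\.php\?[a-z]+=[0-9]+$")

# 3. Modified Sweet Orange EXE request: four or more short numeric params,
#    then a final param whose value is a longer number
SWEET_ORANGE_EXE_RE = re.compile(
    r"\/[a-z]+?\.php\?([a-z]+?=[0-9]{1,3}&){4,}[a-z]+?=[0-9]+$"
)

def classify(method: str, url: str, referer: str) -> Optional[str]:
    """Return the name of the rule a request trips, or None if it is clean."""
    if method != "GET" or not REFERER_RE.match(referer):
        return None
    if REDIRECTOR_RE.match(url):
        return "ek-redirector"
    # The EXE pattern is the more specific one, so test it before the landing rule.
    if SWEET_ORANGE_EXE_RE.search(url):
        return "sweet-orange-exe"
    if SWEET_ORANGE_RE.search(url):
        return "sweet-orange-landing"
    return None

def scan_log(lines):
    """Parse constructed 'METHOD URL REFERER' lines and return (url, rule) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip it
        rule = classify(*parts)
        if rule:
            hits.append((parts[1], rule))
    return hits

# Constructed sample log; hostnames are taken from the post's examples or are placeholders.
SAMPLE_LOG = [
    "GET http://top.lossa.be/pro/ http://www.youtube.com/watch?v=abc",
    "GET http://host.no-ip.org/zip/releases.php?subject=92 http://www.youtube.com/watch?v=abc",
    "GET http://host.no-ip.org/trans.php?title=567&intl=672&licensing=4&bugs=147&warez=171&entry=730&game=270&mapa=189&asia=8&cart=807088360 http://www.youtube.com/",
    "GET http://top.lossa.be/pro/ http://www.example.com/",  # wrong referer: ignored
    "POST http://top.lossa.be/pro/ http://www.youtube.com/",  # wrong method: ignored
    "GET http://www.example.com/index.php?page=3&lang=1 http://www.youtube.com/",  # benign: too few params
]

if __name__ == "__main__":
    for url, rule in scan_log(SAMPLE_LOG):
        print(f"{rule:22s} {url}")
```

Note that the landing-page regex alone does not catch the modified EXE URI, because its query no longer ends after the first parameter; that is exactly why the longer regex is needed.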

Sweet Orange IP Addresses

Example URIs

/administratie/guest/cnstats/releases.php?subject=92
/zip/releases.php?subject=92
/imode/webalizer/releases.php?subject=93
/panel/results/message.php?adclick=192
/gcc/mysql-admin/chat/releases.php?subject=93
/picture_library/releases.php?subject=92
/power_user/lite/message.php?adclick=192
/musics/fedora.php?read=58
/ccp14admin/gallery/loginflat/fedora.php?read=58
/haddan_files/releases.php?subject=92
/foren/test/webapp.php?display=64
/navSiteAdmin/gp/priv8/classes.php?plugins=127
/hpwebjetadmin/webmasters/classes.php?plugins=127
/engine/ftps/classes.php?plugins=128
/admincp/webapp.php?display=64
/bigadmin/webapp.php?display=64