On Sept 18, the Cyphort Labs monitoring system started to identify various infected websites sharing a similar web infection chain. We found around 20 sites daily that served malware through various ad networks across different verticals. The ZEDO infection chain caught our attention because of its widespread use in a short period of time. We have seen similar incidents reported by our friends at Malwarebytes. ZEDO is a very popular online advertising platform: today Zedo.com is ranked 75 for US traffic on Alexa, in July 2014 the site had an estimated 24 million unique visitors, and ZEDO has over 250 employees in 4 countries. On Sep 18 we notified ZEDO by email of the infection; the next day the ZEDO site was cleaned up and no longer exhibits the redirection behavior. This blog focuses on the “infection pattern” seen in this campaign. Here is one such infection chain example:

http://www.myjewishlearning.com/

http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=[random number]

http://adsweb.wiab-service.se/geobalancer/geo2.php?acc=3%3B…..%B8%E5&nrk=[randomnumber]

http://ingrigulfenesy.uni.me/4090c783c7m653.html

Our monitoring system started to pick up this particular infection chain last Sunday (14th Sep 2014). Looking at the logs, on that initial day it didn’t serve any exploit: accessing http://static.the-button.com/d2.php?ds=true&dr= returned an empty page. We believe this was a testing phase and a way to evade the detection systems on the ad network provider’s side. Most of the malvertising we have seen in recent days has followed this pattern: during the initial days, the chain serves just a “passive”/empty (non-malicious) page, and once the ad has been accepted by the ad network, the same chain is used to serve exploits. Judging by the activation timing of the infection chain, the operators appear to work only on weekdays. Here is a diagram listing domains with ZEDO-related malware infections found by Cyphort:

zedo-1

List of infection chains we have seen to date:
Sep 14:

Chain 1: (Not harmful) http://probablycrafting.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr= (empty page)

Chain 2: (Not harmful) http://www.hiphophavoc.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr= (empty page)

Chain 3: (Not harmful) http://www.tcmag.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr= (empty page)

Sep 15:

Chain 1: (Harmful) http://www.sugarbeecrafts.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=

http://static.dougtreadwell.com/pop2.php?acc=g%40% 09M….7HN&nrk=

http://growromotor.uni.me/f06df993ojcfj.html (Exploit page)

Chain 2: (Harmful) http://www.yourblackworld.net/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=

http://static.thc.lv/pop2.php?acc=e%D1…%5E&nrk=

http://partidbrank.uni.me/42de7137q6euuj.html (Exploit page)

Sep 17:

Chain 1: (Harmful) http://www.virtualjerusalem.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=

http://instagram.blawg.ch/pop2.php?acc=3%3B%…%FFk&nrk=3984204224

http://cronintesianda.uni.me/79c063c4nlxil.html (Exploit page)

Chain 2: (Harmful) http://www.myturnforus.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=

http://static.wiab-service.se/pop2.php?acc=3%3B..%1CgAN&nrk=4423739039

http://enervintrostor.uni.me/3d40773cbn491q.html (Exploit page)

Chain 3: (Harmful) http://www.myjewishlearning.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=

http://adsweb.wiab-service.se/geobalancer/geo2.php?acc=3%3B%….E5&nrk=

http://ingrigulfenesy.uni.me/4090c783c7m653.html (Exploit page)

Sep 18:

Chain 1: (Harmful) http://naturallymoi.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=6472961592

http://online.wiab-service.se/geobalancer/geo2.php?acc=3%3B…8%18&nrk=

http://ballitingtockw.uni.me/254fcf71dg33.html (Exploit page)

Chain 2: (Harmful) http://www.craft-o-maniac.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=4271177914

http://inter.wiab-service.se/geobalancer/geo2.php?acc=%3B%….%2F&nrk=

http://carrylexjetixc.uni.me/0c5bba20i53mg0.html (Exploit page)

Chain 3: (Harmful) http://www.ericabuteau.com/
http://d3.zedo.com/jsc/d3/fo.js

http://static.the-button.com/d2.php?ds=true&dr=

http://inter.wiab-service.se/geobalancer/geo2.php?acc=%60%….9E&nrk=

http://cobbsenticepla.uni.me/3c87e8b3uujv.html

“Malvertising button” (static.the-button.com): the “malvertising button” has been used since July 2014 in various other infection chains too. It appears to act as a “toggle button” that enables the infection: whether the chain continues depends on the response to this particular query.
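As an added example (not part of the original post or of Cyphort’s tooling), the Python below reconstructs the four stages of this chain from proxy log lines, per client, and tells the “passive” phase (an empty d2.php reply, as seen on 14th Sep) from an armed chain that reaches a uni.me exploit page. The log format, client addresses, byte counts and the acc= value are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log (not from the post); fields: time client url referer status bytes.
# 10.0.0.5 saw the "passive" phase (empty d2.php reply), 10.0.0.9 the armed phase.
SAMPLE_LOG = """\
09:14:01 10.0.0.5 http://www.probablycrafting.com/ - 200 48211
09:14:02 10.0.0.5 http://d3.zedo.com/jsc/d3/fo.js http://www.probablycrafting.com/ 200 2210
09:14:02 10.0.0.5 http://static.the-button.com/d2.php?ds=true&dr=5521 http://www.probablycrafting.com/ 200 0
09:31:11 10.0.0.9 http://d3.zedo.com/jsc/d3/fo.js http://www.sugarbeecrafts.com/ 200 2210
09:31:11 10.0.0.9 http://static.the-button.com/d2.php?ds=true&dr=7731 http://www.sugarbeecrafts.com/ 200 1873
09:31:12 10.0.0.9 http://static.dougtreadwell.com/pop2.php?acc=CONSTRUCTED&nrk=4423739039 http://www.sugarbeecrafts.com/ 200 912
09:31:13 10.0.0.9 http://growromotor.uni.me/f06df993ojcfj.html http://www.sugarbeecrafts.com/ 200 30411
"""

def classify(url):
    """Map one request URL to its stage in the ZEDO chain, or None if unrelated."""
    p = urlparse(url)
    q = parse_qs(p.query)
    host, path = p.netloc.lower(), p.path.lower()
    if host.endswith("zedo.com") and path.endswith("/fo.js"):
        return "zedo_ad"
    if host == "static.the-button.com" and path.endswith("/d2.php") and q.get("ds") == ["true"]:
        return "button"
    if re.search(r"/(pop2|geo2)\.php$", path) and "acc" in q and "nrk" in q:
        return "redirector"
    if host.endswith(".uni.me") and path.endswith(".html"):
        return "exploit_page"
    return None

def analyze(log_text):
    """Per client, collect chain stages and the size of the d2.php reply, then give a verdict."""
    seen = {}
    for line in log_text.strip().splitlines():
        _time, client, url, _referer, _status, size = line.split()
        stage = classify(url)
        if stage is None:
            continue
        entry = seen.setdefault(client, {"stages": set(), "button_bytes": None})
        entry["stages"].add(stage)
        if stage == "button":
            entry["button_bytes"] = int(size)
    verdicts = {}
    for client, entry in seen.items():
        if {"redirector", "exploit_page"} <= entry["stages"]:
            verdicts[client] = "exploit-chain"  # full chain, exploit page reached
        elif entry["button_bytes"] == 0:
            verdicts[client] = "passive-test"   # empty d2.php reply, chain stopped here
        else:
            verdicts[client] = "incomplete"     # ad or button seen, no exploit stage
    return verdicts
```

A client with the "passive-test" verdict is worth keeping on a watch list: in this campaign the same chain was armed a day later.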

Here is the full list of infected websites around this time, by date:

14th Sep: www.abowlfulloflemons.net, www.debka.co.il, www.tcmag.com, www.hiphophavoc.com, www.probablycrafting.com

15th Sep: www.yourblackworld.net, www.s2smagazine.com, www.pedigreedatabase.com, www.positivelysplendid.com, www.roubinek.net, www.algemeiner.com, www.sugarbeecrafts.com, www.hiphopnews24-7.com, www.crystalandcomp.com, www.jta.org

16th Sep: www.gigionthat.com, www.andhraprabha.com, www.dukesandduchesses.com, www.kulturekritic.com, www.blackcelebkids.com, www.willcookforsmiles.com, www.ishouldbemoppingthefloor.com, www.practicallyfunctional.com, www.babylovingmama.com

17th Sep: www.israel21c.org, www.wagbrag.com, www.jewishworldreview.com, www.sandandsisal.com, www.sippitysup.com, www.gossiponthis.com, www.debbieschlussel.com, www.myjewishlearning.com, www.a-z-animals.com, www.dogforums.com, www.funkydineva.com, www.myturnforus.com, www.virtualjerusalem.com

18th Sep: www.justdogbreeds.com, www.organized31.com, www.justagirlandherblog.com, www.mybrownbaby.com


The exploit is served through various websites under different categories across the world.

Technical Details

The ad from the ZEDO network is included in the main page of the website.

zedo-2

The script d3.zedo.com/jsc/d3/fo.js is obfuscated using a simple string replacement technique.

zedo-3

After decoding, this leads to the “malvertising button” (static.the-button.com), which returns another piece of obfuscated code that redirects to the target exploit server.

zedo-4

The target exploit server serves the Nuclear Exploit pack, which delivers IE, PDF, Flash and Silverlight exploits and leads to a CryptoWall binary payload. We covered the CryptoLocker and CryptoWall families in June’s Malware Most Wanted series: http://www.slideshare.net/Cyphort/malwares-most-wanted-cryptolockerthe-ransomware-trojan

We will continue to monitor for other domains that serve malvertising and release our findings on this blog. I would like to thank Alex Burt, McEnroe Navaraj and the rest of the Cyphort Labs team for their help with the analysis.