salefale-dot-com is bad

Published: 2010-03-04
Last Updated: 2010-03-04 00:42:21 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)

We are currently analyzing several reports on sites that contain malicious iframes from google-analitics-dot-net (no, this has nothing to do with the real Google).  The iframes redirect to several sub-domains under salefale-dot-com, where a big pile of exploits lurks. All 8 exploits that we identified so far in the end download the same EXE (Virustotal Link). The pretty good coverage that this fresh file already has indicates that many people must have tripped over those malicious iframes today and sent them in to the AV companies.

The image above shows a small section of the malicious iframe as dished out by salefale-dot-com. The code politely checks to see which version of Adobe Acrobat is installed, and then serves up the PDF exploit most digestible to the target at hand - ranging from the old "collab.geticon" to the recent "media.newplayer" vulnerability.

google-analitics-dot-net, by the way, has interesting whois information ... the domain is registered to ??? in the state of Taliban.  <sarcasm> Some DNS registrars are obviously doing their utmost to catch bogus domain registrations </sarcasm>.

A special thanks to ISC reader Tom for his detailed report, and to Jan B for spotting this one early on!

Keywords: malware
3 comment(s)


This particular domain, google anilitics has been around since 2008. Do you mean to imply that attacks related due to this particular domain are on the rise?

It looks like the former "owner" of this domain let the registration expire in December 09, and a different gang of malware crooks snapped it up. Yes, we verified several reports today with samples off both domains that were clearly malicious.
This domain joins many others registered with similar information. A search for the phone number, 84.4562425583, shows registrations and domains associated with 419 scams, banking scams, malware (including Zeus botnets).

Diary Archives