Our reader Travis sent us the following message:
I went ahead and downloaded the "ml314.com" URL using wget, and what comes back is heavily obfuscated JavaScript. I am just quoting some excerpts of it below:
In short: Very obfuscated (not just "minimized"), and a lot of keywords that point to detecting plugin versions. Something that you would certainly find in your average exploit kit. But overall, it didn't quite "add up". Not having a ton of time, I ran it through a couple of JavaScript de-obfuscators without much luck. The domain "ml314.com" also looked a bit "odd", but let's see when it was registered:
The domain name isn't new, and it is hosted in what I would call a "decent" neighborhood on the Internet. The owner information doesn't look outright fake, and indeed gives us a bit more information to solve the puzzle. It turns out that "Madison Logic" is in the web advertisement / click-through business, so what you are seeing is likely their proprietary JavaScript to track users better. In the end, I call this a "false positive", but then again, feel free to correct me. This is just one example of how sometimes things are not simply "black/white" when it comes to odd JavaScript.
Johannes (4505 Posts, ISC Handler), Aug 29th 2014
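The triage steps from the diary above (look for decoder calls and plugin-probing strings in the script, then check how old the domain is), as an added example that is not part of the original diary or the ml314.com code. The hint list, the function names and both samples are constructed for illustration.

```python
import re
from datetime import date

# Assumed hint list: plugin-probing strings (AgControl = Silverlight,
# WMPlayer = Windows Media Player). Not taken from the ml314.com script.
PLUGIN_HINTS = ["activexobject", "agcontrol", "mimetypes", "plugins",
                "silverlight", "wmplayer"]
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
DECODER = re.compile(r"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode")
CREATED = re.compile(r"^\s*Creation Date:\s*(\d{4})-(\d{2})-(\d{2})", re.I | re.M)

def decode_escapes(js):
    """Undo \\xNN, \\uNNNN and %NN encoding so hidden strings become searchable."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2) or m.group(3), 16)), js)

def script_indicators(js):
    """Collect evidence only; none of these counts is a verdict on its own."""
    decoded = decode_escapes(js).lower()
    return {
        "longest_line": max((len(line) for line in js.splitlines()), default=0),
        "escapes": len(ESCAPE.findall(js)),
        "decoder_calls": len(DECODER.findall(js)),
        "plugin_hints": [h for h in PLUGIN_HINTS if h in decoded],
    }

def domain_age_days(whois_text, today):
    """Days since the WHOIS 'Creation Date', or None if the field is absent."""
    m = CREATED.search(whois_text)
    return (today - date(*map(int, m.groups()))).days if m else None

# Constructed samples (not the real script or WHOIS record).
SAMPLE_JS = r'''var _0x1f=["\x70\x6c\x75\x67\x69\x6e\x73"];var p=navigator[_0x1f[0]];try{new ActiveXObject("AgControl.AgControl")}catch(e){}eval(unescape("%76%61%72%20%78"));'''
SAMPLE_WHOIS = "Domain Name: EXAMPLE.TEST\nCreation Date: 2013-01-15T00:00:00Z\n"

if __name__ == "__main__":
    print(script_indicators(SAMPLE_JS))
    print(domain_age_days(SAMPLE_WHOIS, date(2014, 8, 29)))
```

On the constructed sample the string "plugins" only shows up after the escapes are decoded, which is why a plain keyword search over obfuscated script undercounts. The same indicators fit both an exploit kit and an ad tracker, so the domain age and registrant still have to be weighed by hand.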
I have been seeing similar requests, although the response from ml314.com is much longer, more elaborate and again checks for plugins like Silverlight and Windows Media Player.
I would agree that this is almost certainly advertising of some sort, but with my experience of malware-infested ad servers, I am choosing to block it.
amilroy (9 Posts), Aug 29th 2014
We've had a ticket open with FireEye support on this to determine whether or not it's a false positive since it began firing heavily on Wednesday. We haven't received an answer yet, however.
bkendall (7 Posts), Aug 29th 2014
FireEye support just notified us that it's a false positive detection that was removed 8/27/2017 at 12:00 PM PST in SC 348.120.
bkendall (7 Posts), Aug 29th 2014