Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Malicious Ads from Yahoo SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious Ads from Yahoo

According to a blog post from fox-it.com, they found ads.yahoo.com serving malicious ads from Yahoo's home page as early as December 30th. The malicious traffic appeared to come from the following subnets 192.133.137.0/24 and 193.169.245.0/24. Most infections seem to be in Europe.   Yahoo appears to be aware and addressing the issue, according to the blog.

Has anyone else seen this?

--

Tom Webb

 Tom

58 Posts
ISC Handler
Jan 4th 2014
Thread locked Subscribe Jan 4th 2014
7 years ago
Both registrants are Russian:

One box is in the Netherlands, but the owner is in Kiev:

inetnum: 193.169.244.0 - 193.169.245.255
descr: FOP Zemlyaniy Dmitro Leonidovich
country: NL
organisation: ORG-FZDL2-RIPE
org-name: FOP Zemlyaniy Dmitro Leonidovich
org-type: LIR
address: FOP Zemlyaniy Dmitro Leonidovich
address: Zemlyaniy Dmitro
address: Onore de Balzaka str. 86, app.29
address: 02232
address: Kyiv
address: UKRAINE

The second is likely in California, but run by a Russian:

NetRange: 192.133.136.0 - 192.133.143.255
OrgName: Serverel
OrgId: ST-1
Address: 970 Corte Madera ave
City: Sunnyvale
StateProv: CA
PostalCode: 94085
Country: US
OrgTechHandle: KUSHN-ARIN
OrgTechName: Kushnireuski, Andrei
OrgTechPhone: +1-877-246-7863
OrgTechEmail: noc@serverel.com

I suspect there is a connection. ;-)
 Moriah

133 Posts
Quote Jan 4th 2014
7 years ago
Quoting Moriah:Both registrants are Russian:

[...]
address: Kyiv
address: UKRAINE


Kyiv is the capital of _Ukraine_.
(btw. In Russian it's spelled "Kiev".)

Quoting Moriah:
Kushnireuski, Andrei


https://en.wikipedia.org/wiki/Kushnir:
"Kushnir [...] is a Ukrainian and Jewish surname."
And
https://en.wikipedia.org/wiki/Ski_%28disambiguation%29:
"-ski, a common ending of predominantly Polish surnames of Slavonic origin"

pryvit (Ukrainian)
pozdrowienie (Polish)
regards (English)
 Moriah
1 Posts
Quote Jan 5th 2014
7 years ago
Does anyone know if this was a Blackhole toolkit on the backend? It SOUNDS like it from the description, but nobody seems to be actually saying so.
 packetdude

22 Posts
Quote Jan 9th 2014
7 years ago
Does anyone know if this was a Blackhole toolkit on the backend? It SOUNDS like it from the description, but nobody seems to be actually saying so.
 packetdude

22 Posts
Quote Jan 9th 2014
7 years ago
I wrote this up at http://www.zdnet.com/yahoo-serves-malicious-ads-7000024775/

Yahoo gave me a statement:

"At Yahoo, we take the safety and privacy of our users seriously. From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines -- specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected.

We will continue to monitor and block any advertisements being used for this activity. We will post more information for our users shortly."
 Larry Seltzer

26 Posts
Quote Jan 9th 2014
7 years ago

Sign Up for Free or Log In to start participating in the conversation!