Malvertising Quick Look: Kooora.com

June 6, 2013 - By Chris Larsen

[Disclaimer: This analysis deals largely with circumstantial evidence, for reasons laid out in the introductory blog post to this series. Any conclusions are preliminary, and subject to change based on further research.]

 

The next in our series of drill-downs into breaking malvertising attacks (via the "Popular Site Monitor" list) is a popular Arabic sports forum, kooora.com. It jumped into our "Top 10" list of popular sites acting as referrers to malicious sites on Tuesday.

The malicious sites involved included freshestfine.com and ripperbullied.net, on subdomains like "yhbj." and "xcbtrgvc.", using port 8000. They're on a server we've been tracking for several days, so all of the requests were blocked in real-time by WebPulse -- our users were not at risk, and were able to access all of the kooora.com content without interruption.

 

As usual, the malicious domains are not found directly in the page HTML, so it's not a "site injection" attack. That leaves one of the ad networks as the most likely source of the links. Unfortunately, I wasn't able to get the site to serve me one of the ads. :(

Luckily, last night I had a bit of extra time to go deeper into the logs. (And several of our analysts added comments to my internal blog -- which is one of the reasons we publish there first.)

 

I was able to locate the affected page on kooora.com, and it was indeed an ad-serving page. Widening the net, it looked like the malicious ads had come from a WebAd service at n2vads.com, an Arabic-language ad site which has been around for a few years now.

Here's what the ad looks like now; I'm not sure if this was the same one users would have seen while the attack was running:

banner ad from kooora.com

 

Also, our analysts pointed out that the malware domains we'd blocked were on a server flagged as an exploit kit host for the Neutrino exploit kit.

We haven't done a blog post yet on Neutrino, but I've got a bunch of research notes from the analyst team that got buried in the e-mail mountain that built up while I was in Hong Kong. So I'll try to get that pushed out in a day or two. In the meantime, here's the best early write-up I've seen on it.

 

As of Wednesday, kooora.com had dropped off of our "hot list", so it appears that whichever ad network affiliate was fooled into participating has cleaned things up. Neutrino, however, rolls merrily along -- Jeff says that he's seeing more of Neutrino than BlackHole these days.

As of last night, WebPulse had blocked nearly 6,000 requests so far this week, just to one server. (And probably tens of thousands more requests blocked via the automatic updates pushed out to all of the ProxySGs, as we auto-rate the new host domains.)

 

--C.L.

@bc_malware_guy