# Massive Admedia/Adverting iFrame Infection

By Denis Sinegubko on February 1, 2016.

This past weekend we registered a spike in WordPress infections where hackers appended obfuscated ("encrypted") code to the end of every legitimate .js file on the site.

[Image: encrypted admedia code (shortened version)]

The distinguishing features of this malware are:

1. A 32-hex-digit comment at the beginning and at the end of the malicious code, e.g. `/*e8def60c62ec31519121bfdb43fa078f*/`. This comment is unique on every infected site; it is most likely an MD5 hash derived from the domain name.
2. The first comment is immediately followed by `;window["\x64\x6f…` and a long array of string constants in their hexadecimal (`\xNN`) representation.
3. It always ends with `.join(\"\");"));`.

The obfuscated part mutates from site to site, but once decoded it always does the same thing:

[Image: decoded admedia script]

This malware only targets first-time visitors: it sets the `ad-cookie` cookie (value `er2vdr5gdc3ds`), which expires in 24 hours, and injects an invisible iframe. A returning visitor who still carries the cookie gets no iframe, so a single manual check of an infected page will not necessarily reproduce the injection.

# IFrame URL – Admedia / Adverting

The URL of the iframe is the only part of the decoded code that changes:

- hxxp://template.poln1uewt1aniwki[.]ws/admedia/?id=8695834&keyword=85c86e3646fb1b15c0bc0647c257c029&ad_id=Twiue123
- hxxp://js.polnue2wtani2wki[.]ws/admedia/?id=8695834&keyword=396f3d9d490aed315d71b60ec1efda53&ad_id=Twiue123
- hxxp://get.malenkiuniger[.]net/admedia/?id=8695834&keyword=8580b2135c1fdc0c650156eb174b4985&ad_id=Twiue123
- hxxp://track.findyourwaytotr[.]net/admedia/?id=8695834&keyword=46731f99a65ceac12e0632d08e551ca5&ad_id=Twiue123
- hxxp://img.oduvanchiksawa[.]biz/adverting/?id=5345896&keyword=fd2f2243cd2046d674aeec495cd2e74b&uyijo=86tyh978

It's easy to spot a pattern in these URLs:

- Third-level domains (a subdomain such as `template`, `js`, `get`, `track` or `img` on a throwaway second-level domain).
- An `admedia/` or `adverting/` directory in the URL path, hence the name of this malware.
- The same structure of URL parameters: a numeric `id`, a 32-hex-digit `keyword` and, in the admedia variant, an `ad_id` which is always the same, `Twiue123`.

# Malicious Domains

The use of third-level domains is typical for "domain shadowing," where attackers add malicious subdomains to legitimate second-level domains after gaining access to the owner's DNS records.
In this case, however, the second-level domains were registered specifically for this attack. WHOIS records show that all of them were registered by "Vasunya" at valera.valera-146 @ yandex.ru within the last two months:

- poln1uewt1aniwki[.]ws – created on Dec 22, 2015
- findyourwaytotr[.]net – created on Jan 8, 2016
- oduvanchiksawa[.]biz – created on Feb 1, 2016
- malenkiuniger[.]net – created on Feb 1, 2016

The last one was created on Feb 1st, the day of this post, probably to work around the blacklisting of the other domains. Nonetheless, Google has already blacklisted it as well: https://www.google.com/transparencyreport/safebrowsing/diagnostic/?#url=malenkiuniger.org

# Digital Ocean

It is worth mentioning that all the malicious domains and subdomains resolve to servers on Digital Ocean's network: 46.101.84.214, 178.62.37.217, 178.62.37.131 and 178.62.90.65. It's not common to see malware hosted there, so it's no surprise that Google lists only domains related to this attack as examples of known dangerous sites on the AS202109 (DIGITALOCEAN-ASN-2) network.

# Previous Version of the Malware

In the screenshot below you can see the gabosik12345[.]ws domain that I didn't mention above. It was registered by the same "Vasunya" on December 23, 2015 and was used in the previous incarnation of this attack, along with some other domains registered last fall: trymyfinger[.]website, goroda235[.]pw, suchka46[.]pw, etc.

[Image: SafeBrowsing report for AS202109 (DIGITALOCEAN-ASN-2)]

[We still detect quite a few sites infected with last fall's variation of the malware:](https://sitecheck.sucuri.net/)

[Image: SiteCheck reports malware in a .js file]

That variation also injected similar JavaScript code at the bottom of .js files and used the same `ad-cookie="er2vdr5gdc3ds"` cookie, but the iframe URLs were slightly different, e.g. hxxp://static.suchka46[.]pw/?id=6947627&keyword=557334&ad_id=Xn5be4 (no `admedia/` directory, a short numeric `keyword` and a different `ad_id`).

This malware uploads multiple backdoors into various locations on the web server and frequently updates the injected code. This is why many webmasters experience constant reinfections after cleaning their .js files: removing the injection without removing the backdoors only buys time until the next update.

The malware tries to infect every .js file it can reach. This means that if you host several sites on the same hosting account, all of them will be infected, a phenomenon known as cross-site contamination. It's not enough to clean just one site (the one you care about) or all but one (a test or backup site you don't care about) in such situations; [the abandoned site will be the source of the reinfection.](https://blog.sucuri.net/2015/03/why-website-reinfections-happen.html) In other words, you either need to isolate every site or clean, update and protect all of them at the same time!

[filed under: website security, wordpress security](https://blog.sucuri.net/category/website-security/)
[tagged with: iframe, javascript, digitalocean, encoded, admedia, adverting](https://blog.sucuri.net/tag/iframe/)

About Denis Sinegubko: Denis is the founder of Unmask Parasites and a Senior Malware Researcher at Sucuri. [Follow him on Twitter at @unmaskparasites.](https://twitter.com/unmaskparasites)
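The traits listed at the top of this post (the 32-hex-digit markers, the `;window["\x64\x6f…` prefix, the hex-escaped string constants and the `.join(\"\");"));` tail), the iframe URL structure, and the cross-site contamination point above all reduce to checks a cleanup script can run. The following Python scanner is an added example written for this page; it is not Sucuri's or SiteCheck's code. It matches only the traits the post names, decodes the `\xNN` constants to recover the iframe URL, tests the post's guess that the marker is an MD5 of the domain, and walks every .js file under a hosting account so that an abandoned site does not escape. The sample .js files, the `example.com` and `old-test.example.net` site names, the directory-per-domain layout and the payload placed between the markers are all assumptions made up for the demo.

```python
r"""Scanner for the admedia/adverting .js injection described in this post.

Added example, not Sucuri's code. It relies only on the traits the post lists:
a /*<32 hex digits>*/ comment, then ;window["\x64\x6f... with string constants
written as \xNN escapes, the fixed tail .join(\"\");")); and the same 32-hex
comment closing the block. The .js files demo() scans are constructed here, not
real captures; their payload is a placeholder that merely reproduces those traits.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import parse_qs, urlparse

# Two iframe URLs quoted in the post, re-fanged so urlparse can handle them.
URL_ADMEDIA = "http://js.polnue2wtani2wki.ws/admedia/?id=8695834&keyword=396f3d9d490aed315d71b60ec1efda53&ad_id=Twiue123"
URL_ADVERTING = "http://img.oduvanchiksawa.biz/adverting/?id=5345896&keyword=fd2f2243cd2046d674aeec495cd2e74b&uyijo=86tyh978"

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
HEX_RUN = re.compile(r"((?:\\x[0-9a-fA-F]{2}){4,})")  # one hex-escaped string constant
MARKER = r"/\*([0-9a-f]{32})\*/"
# opening marker, ;window["\x.."], anything (non-greedy), the fixed tail, closing marker
INJECT_RE = re.compile(
    MARKER + r';window\["(?:\\x[0-9a-fA-F]{2})+"\].*?\.join\(\\"\\"\);"\)\);' + MARKER, re.DOTALL)

def hex_escape(text):
    """Encode text as \\xNN escapes, the way the injection stores its strings."""
    return "".join("\\x%02x" % ord(c) for c in text)

def decode_hex_escapes(text):
    """Turn \\x64\\x6f... back into readable text."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)

def defang(url):
    """hxxp and [.] so a URL in a report is not clickable."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def find_injections(js_text, site_host=""):
    """One finding per injected block; marker_is_md5_of_host tests the post's MD5 guess."""
    findings = []
    for m in INJECT_RE.finditer(js_text):
        consts = [decode_hex_escapes(run) for run in HEX_RUN.findall(m.group(0))]
        findings.append({
            "marker": m.group(1),
            "markers_match": m.group(1) == m.group(2),
            "constants": consts,
            "iframe_urls": [c for c in consts if c.startswith(("http://", "https://"))],
            "marker_is_md5_of_host": bool(site_host)
            and hashlib.md5(site_host.encode()).hexdigest() == m.group(1),
        })
    return findings

def classify_iframe_url(url):
    """Check a URL against the structure the post describes for the iframe src."""
    p = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    traits = {
        "third_level_domain": len((p.hostname or "").split(".")) >= 3,
        "ad_directory": p.path in ("/admedia/", "/adverting/"),
        "numeric_id": q.get("id", "").isdigit(),
        "keyword_is_32hex": re.fullmatch(r"[0-9a-f]{32}", q.get("keyword", "")) is not None,
        "ad_id_Twiue123": q.get("ad_id") == "Twiue123",  # absent in the adverting variant
    }
    traits["matches_campaign"] = all(
        traits[k] for k in ("third_level_domain", "ad_directory", "numeric_id", "keyword_is_32hex"))
    return traits

def scan_tree(root):
    """Walk every .js file under root across all sites hosted there. Assumption:
    each site lives in a top-level directory named after its domain (site_host)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                site = os.path.relpath(path, root).split(os.sep)[0]
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits += [(site, path, f) for f in find_injections(fh.read(), site)]
    return hits

def build_sample_injection(site_host, iframe_url):
    """Constructed imitation of the injected block; marker built to fit the MD5 guess."""
    marker = hashlib.md5(site_host.encode()).hexdigest()
    payload = ';window["%s"]["%s"](window["%s"]("var u=[\\"%s\\"].join(\\"\\");"));' % (
        hex_escape("document"), hex_escape("write"), hex_escape("unescape"), hex_escape(iframe_url))
    return "/*%s*/%s/*%s*/" % (marker, payload, marker)

def demo():
    """One account, two sites: cleaning only example.com leaves old-test.example.net
    infected, which is the reinfection source the post warns about."""
    files = {  # constructed, not real site content
        "example.com/wp-includes/js/jquery.js": "/* jquery */\n" + build_sample_injection("example.com", URL_ADMEDIA),
        "example.com/wp-content/themes/t/clean.js": "document.title='ok';\n",
        "old-test.example.net/assets/app.js": "var app={};\n" + build_sample_injection("old-test.example.net", URL_ADVERTING),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        hits = scan_tree(root)
    return {
        "infected_files": len(hits),
        "sites": sorted({site for site, _, _ in hits}),
        "iframe_urls": sorted(defang(u) for _, _, f in hits for u in f["iframe_urls"]),
        "marker_md5_hits": sum(f["marker_is_md5_of_host"] for _, _, f in hits),
    }
```

On a real account, point `scan_tree()` at the parent directory of all document roots rather than at one site, and treat every hit as a sign that the backdoors also have to be found: as the post says, cleaning the .js files alone is what leads to the constant reinfections.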
Copyright © 2016 Sucuri Inc. · Terms of Service · Privacy Policy