This is a straightforward example of an unpatched OpenX instance that was compromised to serve malicious ads. We reached out to the website and haven't heard back, but hopefully they will address the issues with the vulnerable software on their site.

We often see redirectors play a pivotal role in monetizing compromised websites. Miscreants can sell large batches of traffic to exploit kit authors, and Traffic Redirection Systems (TDS) are a key way of doing that. Web filtering companies will often detect only the exploit kit, and mis-categorize or fail to categorize the redirector at all.

If we look at VirusTotal, we can see that this is the case here. On the date we originally scanned, there were 0/61 detections on the TDS, and even over two weeks later there are only 2/61 detections.

Technical Indicators

In this example, visitors appear to be exploited using the Angler Exploit Kit. We observed traffic being driven by a malicious redirector that we call FramesetRedir, hosted on bug.bugliker.com.

The blacklist incident in the RiskIQ system for reference is located here.

TDS Domains

bug.bugliker.com


TDS IP Addresses

217.172.185.38


Exploit Kit Domains

EK IP Addresses

62.75.167.129
