
Security Threat on a page (Ad?)

Status
Not open for further replies.

kevinsbane

Senior member
Jun 16, 2010
694
0
71
Noticed this when I tried to access a page on Anandtech.


AVG Warning
URL: eus2.admxs.com/index.php?d=9
Name: Blackhole Exploit Kit (type 1397)



The page that was loaded was the CPU forum page. The top page ad is a new one I haven't seen before, soundscience rockus 3D. The bottom left ad is an OCZ power supply ad for the ZX series.
 

postmortemIA

Diamond Member
Jul 11, 2006
7,721
40
91
Yep, it is bad, tries to use some Java vulnerability. Not direct AT fault, that is how badware spreads lately.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
That's definitely not good...

Do you have any more details on the threat? I'm not finding much on Blackhole Exploit Kit. We've had a problem with false AVG warnings once before, so I'd like to be able to get some confirmation on this before getting too far ahead.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Alright, the link is back up and I've been able to parse the JS; it's definitely shady.

For those of you guys getting it, it's the same as tracking down pop-up ads: I need you to get a list of each ad on the page (there are 3; top, left, bottom), and ideally capture the origin URL of each ad. The AnandTech IT guys can't fix this until they know the ad and ad network that's compromised.

Edit: And it's not the Rockus ad; that's a local ad coming right from the AT ad servers and is coming up clean.
 
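The collection step requested in the last post (list each ad on the page and capture its origin URL), as an added example that is not part of the original thread: it parses a saved copy of the page source and reports every embedded resource loaded from a host other than the page's own, grouped by the enclosing ad container. The sample HTML, the `ad-top`/`ad-left`/`ad-bottom` container ids and all hostnames are constructed placeholders, and "third party" is assumed to mean an exact hostname mismatch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page source; hosts and container ids are placeholders.
SAMPLE_HTML = """
<html><body>
<div id="ad-top"><img src="/ads/local-banner.png"></div>
<div id="ad-left"><iframe src="http://adnet-one.example/serve?slot=left"></iframe></div>
<div id="ad-bottom"><script src="//adnet-two.example/tag.js"></script></div>
<script src="/js/forum.js"></script>
</body></html>
"""

class ResourceLister(HTMLParser):
    """Record each embedded resource with its resolved URL and enclosing div id."""
    TAGS = {"iframe", "script", "img", "embed", "object"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.divs = []   # ids (or None) of the currently open <div> elements
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self.divs.append(a.get("id"))
        src = a.get("data") if tag == "object" else a.get("src")
        if tag in self.TAGS and src:
            url = urljoin(self.page_url, src)  # resolves relative and // URLs
            host = urlsplit(url).hostname
            slot = next((d for d in reversed(self.divs) if d), None)
            self.found.append({"slot": slot, "tag": tag, "url": url,
                               "third_party": host != self.page_host})

    def handle_endtag(self, tag):
        if tag == "div" and self.divs:
            self.divs.pop()

def list_resources(html, page_url):
    parser = ResourceLister(page_url)
    parser.feed(html)
    parser.close()
    return parser.found

def third_party_by_slot(html, page_url):
    """Map each ad container id to the off-site URLs loaded inside it."""
    report = {}
    for r in list_resources(html, page_url):
        if r["third_party"]:
            report.setdefault(r["slot"], []).append(r["url"])
    return report
```

This only sees what is in the saved source; anything an ad script injects at load time has to be captured from the browser's network log instead.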