Our researcher Patrick Jordan has found a group of web sites that uses an ever changing array of redirects to deliver a .pdf exploit. VIPRE detects it as Exploit.PDF-JS.Gen (v), which is ranked 19 in our VIPRE ThreatNet detections at the moment.
One of main links in the group of malicious PPCSearch sites, celltonesfinder.com, presents visitors with a link to toshtube.net which is used to re-direct them to a (changing) group of sites that offers the malcode.
(Click on graphic to enlarge)
The malicious .pdf file has been in VIPRE detections for some time:
(Click on graphic to enlarge)
The PPCSearch sites include:
bestrxfinder.com
celltonesfinder.com
daofinder.com
fastfinder10.com
gamesearchnetwork.com
homefinder10.com
jokerfeed10.com
megasearch10.com
nextfreefinder.info
searchforpills.com
superfinder10.com
top10feedsearches.com
topcasinofeed.com
topdaocasino.com
topdaodating.com
topdaodrugs.com
topdaofinance.com
topdaofinder.com
topdaogames.com
topdaoimage.com
topdaoringtones.com
topdaotravel.com
topfindersup.com
topseachresults.com
toptripsfinder.com
ultrasearch10.com
youfindmore.com
yourdatingnetwork.com
yourlivesearch10.com
yourpillsfinder.com
Today’s sites used to distribute the PDF exploit:
nijade.info/shop/jmclhpgmcmjn.pdf
bestefa.info
gogrefa.info
zealhu.info
Thanks Patrick.
Tom Kelchner