Author Topic: Unknown html - known yads.zedo malvertiser....


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33912
  • malware fighter
Unknown html - known yads.zedo malvertiser....
« on: February 26, 2013, 04:28:35 PM »
See: Up(nil):   unknown_html     ARIN   US   abuse at qwest dot net   63.146.170.87    to 63.146.170.87   care2 dot com   htxp://www.care2.com/?ptrxcz_mzCObo0CPbo1DQcp1EPbr3GSes5IUg
See: http://urlquery.net/report.php?id=1133608
RBN Known Malvertiser (iframe) yads.zedo dot com/ads3/a?
Found: iframe src="htxp://d3.zedo.com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90" frameborder=0 marginheight=0 marginwidth=0 scrolling="no
which is Zlob Zedo click tracking! Throwing up an issue similar to the "Ads Everywhere"-problem (adware) - bordering on being benign?
Code hiccup
[nothing detected] (iframe) d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90
     status: (referer=www.care2 dot com/?mzCObo0CPbo1DQcp1EPbr3GSes5IUg)saved 3757 bytes bfbedd4f3036a71d4abbfb1ed4bba7bf8e11c448
     info: [iframe] d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/
     info: [script] d7.zedo dot com/bar/v17-005/d3/jsc/gl.js
     info: [iframe] yads.zedo dot com/ads3/a?
     info: [decodingLevel=0] found JavaScript
     error: undefined variable Image
     error: line:5: TypeError: Image is not a constructor
     suspicious:
Read: http://www.ehow.com/how_12100513_remove-powered-zedo-popups-windows-7.html
A Quttera scan also flags this as potentially suspicious:
dingo.care2.com/pictures/static/js/www/js/c2/care2-jquery/care2-jquery.1361399361.js
Severity:   
Potentially Suspicious
Reason:   
Detected procedure that is commonly used in suspicious activity.
Details:   
Too low entropy detected in string [['=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26async=%26=%26=%26=%26=%26=%26=%260=%26=%26=%26=%26=%26=%260=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=']] of length 591 which may point to obfuscation or shellcode. see: http://quttera.com/detailed_report/www.care2.com  for the threat dump
which may point to obfuscation or shellcode, but also can be benign code used in sharing...
dingo.care2 dot com/pictures/static/js/www/js/yui/build/yahoo-dom-event/yahoo-dom-event/yahoo-dom-event.1234488966.js benign
[nothing detected] (script) dingo.care2 dot com/pictures/static/js/www/js/yui/build/yahoo-dom-event/yahoo-dom-event/yahoo-dom-event.1234488966.js
     status: (referer=dingo.care2 dot com/pictures/static/js/www/js/c2/care2-jquery/undefined)saved 31637 bytes 7a4f80649be5ecba2bca886b037d58448ec4b442
     info: [decodingLevel=0] found JavaScript
     error: undefined variable clearInterval
     error: undefined function clearInterval
     error: undefined function O.addEventListener
     error: undefined variable O
     info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista,      281 bytes
     info: Decoding option browser=Opera and browser=Firefox,      0 bytes
     info: [element] URL=dingo.care2 dot com/pictures/static/js/www/js/yui/build/yahoo-dom-event/yahoo-dom-event/undefined
     info: [decodingLevel=1] found JavaScript
     suspicious
Known history of banner click code through cross site scripting...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
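The Quttera finding quoted above is an entropy heuristic: a long run of URL-encoded separators ("=%26" is "=&") has almost no variety, so it scores as "too low entropy", the same bucket that padded or encoded payloads land in. The following is an added example (not from the thread or from Quttera) that computes Shannon entropy and applies a coarse low/high threshold to constructed samples modelled on that string; the thresholds are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed samples (not the actual strings from the scan reports):
# a repeated "=%26" run with one "async" token, modelled on the flagged string
LOW_ENTROPY_SAMPLE = "=%26" * 40 + "async" + "=%26" * 20
# ordinary, unobfuscated JavaScript
PLAIN_JS = "function f(a,b){return a+b;} var q=document.getElementById('x');"
# every base64 symbol exactly once, so the entropy is exactly 6 bits/char
BASE64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(s: str, low: float = 2.5, high: float = 5.5) -> str:
    """Coarse triage in the spirit of the scanner's verdict.

    Both extremes are only prompts for a human to look: low entropy is
    typical of padding and repeated encoded separators, high entropy of
    packed or encrypted blobs. Neither proves the string is malicious.
    The threshold values are assumed, not taken from any product.
    """
    h = shannon_entropy(s)
    if h < low:
        return "low-entropy (repetitive; padding or encoded separators)"
    if h > high:
        return "high-entropy (packed/encrypted data or random blob)"
    return "normal"


if __name__ == "__main__":
    for label, sample in (("flagged-style", LOW_ENTROPY_SAMPLE),
                          ("plain JS", PLAIN_JS),
                          ("base64 alphabet", BASE64_ALPHABET)):
        print(f"{label:16s} {shannon_entropy(sample):5.2f} bits/char  "
              f"-> {classify(sample)}")
```

The repeated-separator sample comes out near 2.15 bits/char, well under the plain JavaScript, which is exactly why a scanner files it with obfuscated content even when, as here, it is just a sharing widget's parameter string.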

Offline Pondus


Offline polonus

Re: Unknown html - known yads.zedo malvertiser....
« Reply #2 on: February 26, 2013, 04:42:58 PM »
Hi Pondus,

Thanks for checking and good to know that Google Safebrowsing does alert the site.
And Sucuri flags:
Quote
Site found to be used on spam campaigns (either forum, comment or SEO spam).
Good to know,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!