A month ago, we blogged about a malvertising attack centered around fake Java updates…
We're currently tracking a similar ad-driven campaign, with a somewhat different-looking landing page:
Or, you may see the "scary" version:
Unlike the previous campaign, this one uses much more believable domain names. In the past month or so, we've seen the following:
(It's interesting that most of the names appear designed to play upon peoples' fears about vulnerabilities in Java. After all, who wouldn't want a secure version of Java? Sign me up!)
Today [10/02], clicking on the Download button relayed me to a different site: 123mediaplayer.com. Which, unfortunately, wouldn't actually give me a download to play with, so I can't report on current detection rates. (I like Bad Guys who are more sporting, or who have more faith in their payload encryption and polymorphism…) However, some of our other analysts have been more successful, and their notes are consistent in flagging the payloads as Malware, not PUS (Potentially Unwanted Software).
Anyway, the main ad networks feeding this campaign include directrev.com, popads.net, wigetmedia.com, and an interesting network of junk .SE domains that appear to be linked to ThePirateBay and other torrent sites.
There is also a buddy network involved in the relays to the downloads, and many of those URLs have codes that specifically reference campaigns in a half-dozen countries: Australia, France, Spain, Germany, Italy, and the UK. Which highlights why malvertising is such a great way to reach a world-wide audience…
Leave a reply