Monthly Malvertising Update: More Fake Antivirus

December 20, 2013 - By Chris Larsen

When last we looked at this never-say-die malvertising network, it was using IP-based URLs to funnel people to a Fake AV attack.

Well, they're still at it... The recent traffic comes from a couple of evil sites: and In the case of the latter one, it's getting all of its traffic from, a sports betting site. In the case of, the traffic is coming from a variety of sites:,,,, and more...

After bouncing through some junk subdomains on the whimsically named, the traffic ends up in a family of fake-antivirus sites with names like these:


and so on. (There are a LOT of variants.) There, a victim would see a warning like this:

[Image: screenshot of fake virus warning]

(Let's see... Only one spelling error, and one awkward phrase, so I'd probably give the Bad Guys a B+ for the believability of their warning message this time.)


If you accept their offer to "Clean computer", you get a program called, simply enough, setup.exe.

Running a sample through VirusTotal yielded a less-than-encouraging 8 hits: 29c53733fc17fe8d6f3/analysis/

Fortunately, WebPulse is on guard...