Monthly Malvertising Update: More Fake Antivirus

December 20, 2013 - By Chris Larsen

When last we looked at this never-say-die malvertising network, it was using IP-based URLs to funnel people to a Fake AV attack.

Well, they're still at it... The recent traffic comes from a couple of evil sites: 5.61.32.183 and 192.241.81.86. In the case of the latter one, it's getting all of its traffic from covers.com, a sports betting site. In the case of 5.61.32.183, the traffic is coming from a variety of sites: kids-in-mind.com, universalnightlife.com, blackcelebkids.com, thefashionspot.com, and more...

After bouncing through some junk subdomains on the whimsically named dreamfolk.info, the traffic ends up in a family of fake-antivirus sites with names like these:

  • webantivirusav.nl
  • xc-webvirusdefence.nl
  • webantiviruszr.nl
  • 2013-webantivirus.nl

and so on. (There are a LOT of variants.) There, a victim would see a warning like this:

screenshot of fake virus warning

(Let's see... Only one spelling error, and one awkward phrase, so I'd probably give the Bad Guys a B+ for the believability of their warning message this time.)
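The redirect chain described above (publisher site, IP-literal host, throwaway dreamfolk.info subdomain, then a fake-AV .nl domain) is the kind of pattern a proxy-log check can reconstruct. The following is an added example, not part of the original post or of WebPulse: it walks request/referrer pairs per client and reports chains that end on a host matching the fake-AV naming family. The log lines, the client addresses, the subdomain and URL paths are constructed; the IPs, dreamfolk.info and the .nl naming pattern come from the post, and the name regex is a heuristic.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the post; the name pattern is a heuristic, not a signature.
KNOWN_HOPS = {"5.61.32.183", "192.241.81.86", "dreamfolk.info"}
FAKE_AV_NAME = re.compile(r"(webantivirus|webvirusdefen[cs]e)[a-z0-9-]*\.nl$")

# Constructed proxy log: "<client> <requested url> <referrer or ->" (paths/subdomain invented)
LOG = """\
10.0.0.5 http://covers.com/nba/odds -
10.0.0.5 http://192.241.81.86/in.cgi?3 http://covers.com/nba/odds
10.0.0.5 http://a1b2.dreamfolk.info/go http://192.241.81.86/in.cgi?3
10.0.0.5 http://xc-webvirusdefence.nl/scan.php http://a1b2.dreamfolk.info/go
10.0.0.7 http://kids-in-mind.com/ -
10.0.0.7 http://www.example.org/ http://kids-in-mind.com/
"""

def host_of(url):
    return re.match(r"https?://([^/:?#]+)", url).group(1).lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hop_kind(host):
    """Classify a hostname: known intermediary, fake-AV landing name, bare IP, or nothing."""
    if host in KNOWN_HOPS or host.endswith(".dreamfolk.info"):
        return "known_hop"
    if FAKE_AV_NAME.search(host):
        return "fake_av"
    if is_ip_literal(host):
        return "ip_literal"
    return None

def find_chains(log_text):
    """Per client, follow referrer links backwards from each fake-AV landing request.
    Returns (client, [hosts in order], passed_through_ip_literal) tuples."""
    by_client = defaultdict(dict)  # client -> {requested url: referrer url or None}
    for line in log_text.splitlines():
        client, url, ref = line.split()
        by_client[client][url] = None if ref == "-" else ref
    findings = []
    for client, requests in by_client.items():
        for url, ref in requests.items():
            if hop_kind(host_of(url)) != "fake_av":
                continue
            chain = [host_of(url)]
            while ref is not None:              # walk back until a request with no referrer
                chain.append(host_of(ref))
                ref = requests.get(ref)
            chain.reverse()
            via_ip = any(is_ip_literal(h) for h in chain[1:-1])
            findings.append((client, chain, via_ip))
    return findings
```

Only the first client is reported, because its chain lands on a host matching the fake-AV naming; the second client's ordinary browsing does not.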


If you accept their offer to "Clean computer", you get a program called, simply enough, setup.exe.

Running a sample through VirusTotal yielded a less-than-encouraging 8 hits:

https://www.virustotal.com/en/file/b5e3577867c83bec62a03e56d5a289f8acc563681425829c53733fc17fe8d6f3/analysis/

Fortunately, WebPulse is on guard...

--C.L.

@bc_malware_guy