An Aggressive Chinese Malvertising Network (sort of...)

February 11, 2014 - By Chris Larsen

True Story: As I was researching this network last weekend, I was actually thinking "Cool -- it's been awhile since I did a post that wasn't about malvertising" -- and then I found an advertising trail that led straight to it.

Oh well. Sorry if you're tired of reading about malvertising, but this case is different. Keep reading...


The attack trail starts on any of a number of Chinese entertainment sites (movies, TV shows, pop culture stuff), where a visitor encounters an ad like this:

static screenshot of animated ad telling you that your computer is infected

(The real one was animated, with the circled exclamation mark and the green button rapidly flashing on and off. But I didn't want to include the actual SWF, and the animated GIF version I made was too "jumpy" -- I didn't get the borders set consistently. So you get a static image, since I'm not a graphics wizard...)

Anyway, a quick translation reads "Baidu Anti-Virus - Document Monitor. Discovered Malicious (Evil) Trojan, Immediately Delete."

Clicking the ad drops you onto a fake Kaspersky anti-virus page, warning you about the infections on your computer:

screenshot of fake virus scan

This entire page was a graphic image; the little blue bar at the top was a short "progress bar" animation, designed to convey an impression that it's scanning your computer for malware -- and sure enough, it "found" some!

(Quick translations: Green text: "Complete Vulnerability Scan"; Red text: "Root Directory Scan Detected 5 Threats")


Depending on the path you take as you interact with the site, you may encounter one of the following scripted pop-ups:

screenshot of pop-up number one...

(Quick translation: "Sorry, your computer does not have antivirus software installed; it cannot remove the virus. Click OK to download and run the automatic virus remover.")

screenshot of pop-up number two...

(Quick translation: "Your computer has a suspected Trojan, it may steal your accounts, please kill it!")

There's also a slightly different version of the main page, incorporating a pop-up to add some additional urgency:

screenshot of fake scan page, with additional warning pop-up

I collected a couple of different EXE payloads. One was called xblzy_70354.exe -- a 1.9 megabyte file. The other was called xblzy_70351.exe and was smaller (204.7 KB).

Neither payload was well detected on VirusTotal: the larger one had 0 hits, and the smaller one just had one hit (from one of the Chinese AV vendors, appropriately): a95fb8b563dc905ba72/analysis/ c252f865151aae8957e/analysis/


So far, so good -- it looks like a clear case of a Fake-AV attack, with poorly-detected payloads, using junk .PW sites for its distribution. However, I handed both samples over to a colleague to do some analysis, and things got more complicated...


Some Pieces That Don't Fit the Puzzle

Andy reported that the installed software actually does have anti-malware functionality, successfully detecting and removing a number of malicious programs that he exposed it to. (Without demanding payment, which is also out of character for a typical "rogue AV" package.)

However, some of the components escalated their privileges more than he liked, embedding themselves so deeply that they were difficult to uninstall. And, in his words, "it is beaconing like crazy"...

So, that means we probably need to classify this beast not as Malware, but as Potentially Unwanted Software --which is using deliberately misleading tactics (I'd describe it as "lying through its teeth") to scare users into installing it.

And that counts as malvertising in my book.



P.S. Thanks to ChrisM for help with the Chinese translations, and Andy for the network analysis! :)