
DailyMotion.com redirects to Fake AV Threat

Warning:

Today we noticed that browsing to hxxp://www[.]dailymotion[.]com yields a Fake A/V threat as seen in the brief video below. Details of the malware have been provided below. The payload has a current virustotal.com detection ratio of 10/47.

As of the time of this blog (1:30 EST 1/7/14) the payload was still being served to our knowledge. We have been in contact with the web property and disclosed this information. We will provide updates/further analysis as we have it available.

The threat compels the target to download a malicious .exe as a ruse to “clean” their “infected” machine: a traditional Fake A/V attack. Noteworthy is the fact that the web property is ranked around 90th in the world, with more than 17m monthly viewers, and that this payload is served through a third-party ad network, similar to what was witnessed a few days ago with Yahoo!


The redirect is to hxxp://853e4f39[.]webantivirusprorh[.]pl/ (93.115.82.246) as seen in the Invincea forensic data captured from running the malware in the virtual container:

 



A JavaScript-based redirect is loaded via engine.adzerk.net, as seen here. The obfuscated script tag on the first line gets written to the page via a document.write():


The following script, loaded from 162.210.196.238, does another document.write() to the .pl site hosting the FakeAV binary, as seen here:

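As an added example (not code from the original post or from Invincea), one way to surface the chained document.write() redirects described above is to hook document.write and audit the markup it receives, flagging script or iframe sources on bare IP addresses or on hosts outside an allowlist. The allowlist, the hostnames and the function names are constructed assumptions.

```javascript
// Added example: audit markup passed to document.write() for remote loads.
// ALLOWED_HOSTS is a hypothetical publisher allowlist, not from the post.
const ALLOWED_HOSTS = new Set(["www.publisher.example", "static.publisher.example"]);
const BARE_IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Extract the src of every <script>/<iframe> tag in a markup string and
// classify it. Relative and protocol-relative URLs resolve against pageUrl.
function auditWrite(html, pageUrl) {
  const findings = [];
  const tagRe = /<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const src = m[2] ?? m[3] ?? m[4];
    let host;
    try {
      host = new URL(src, pageUrl).hostname;
    } catch {
      findings.push({ tag, src, reason: "unparseable-src" });
      continue;
    }
    if (BARE_IPV4.test(host)) {
      findings.push({ tag, src, reason: "bare-ip-host" });
    } else if (!ALLOWED_HOSTS.has(host)) {
      findings.push({ tag, src, reason: "host-not-allowlisted" });
    }
  }
  return findings;
}

// Wrap doc.write so each call is audited before the original runs.
// The hook receives the final string, so obfuscation in the script source
// does not hide the tag that is actually written to the page.
function hookDocumentWrite(doc, pageUrl, report) {
  const original = doc.write;
  doc.write = (...parts) => {
    for (const finding of auditWrite(parts.join(""), pageUrl)) report(finding);
    return original.apply(doc, parts);
  };
  return () => { doc.write = original; }; // call to remove the hook
}
```

In a browser, `hookDocumentWrite(document, location.href, console.warn)` has to run before any ad tag executes, otherwise earlier writes go unaudited.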

Contents of the index page hosted on 853e4f39[.]webantivirusprorh[.]pl:


Upon successful installation, the system is rebooted and the victim is presented with the following image showing an active “scan” of their system:
