Today we noticed that browsing to hxxp://www[.]dailymotion[.]com yields a Fake A/V threat as seen in the brief video below. Details of the malware have been provided below. The payload has a current virustotal.com detection ratio of 10/47.
As of the time of this blog (1:30 EST 1/7/14) the payload was still being served to our knowledge. We have been in contact with the web property and disclosed this information. We will provide updates/further analysis as we have it available.
The threat compels the target to download a malicious .exe as a ruse to “clean” their “infected” machine…traditional Fake A/V attack. Noteworthy is the fact that the web property is ranked around 90th in the world with more than 17m monthly viewers and that this payload is served through 3rd party ad network similar to what was witnessed a few days ago with Yahoo!
The redirect is to hxxp://853e4f39[.]webantivirusprorh[.]pl/ (18.104.22.168) as seen in the Invincea forensic data captured from running the malware in the virtual container:
This following script loaded from 22.214.171.124 does another document.write() to the .pl site hosting the FakeAV binary as seen here:
Contents of the index page hosted on 853e4f39[.]webantivirusprorh[.]pl
Upon successful installation, the system is rebooted and the victim is presented with the following image showing an active “scan” of their system: