USAToday.com Ads Redirect to Rogue AV


Today a customer using the PWSS was redirected to a Rogue AV website after viewing a news article on USAToday.com. The redirection occurred via an ad included on the article page that had malicious JavaScript appended near its end; neither clicking nor hovering over the ad was required to trigger the malicious code. It should also be noted that the ad could have been (and likely was) served almost anywhere on USA Today’s website; for example, a PWSS developer was redirected to a different Rogue AV site (part of the same campaign) upon simply visiting the “Life” section (http://www.usatoday.com/life/default.htm).

The ad itself was for Roxio Creator 2009 and was served from http://idatrinity.com/?id=51546405. The domain idatrinity.com is not itself malicious; it belongs to a legitimate ad network. Regardless of how it got there, malicious JavaScript accompanied the ad content and directed the user to:

hxxp://liveavantbrowser2.cn/go.php?d=2006-40&key=0522c7066&p=1

The above URL is a landing page that redirects the user to one of at least two different Rogue AV domains:

hxxp://antivirusquickscanv1.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM
hxxp://fullantispywarescan.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM

which both contain JavaScript-based Rogue AV pop-up scanners.

Figure: Rogue AV Pop-up Scanner

If the user clicks “OK” on the dialog box asking whether they want to download “Personal Antivirus” and remove the (fake) threats from their system, one of the following URLs:

hxxp://antivirusquickscanv1.com/download.php?id=2006-40
hxxp://fullantispywarescan.com/download.php?id=2006-40

provides the Rogue AV binary. Detection of this malware instance is poor: only 1/40 tools identify it as malicious.
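To show how the redirect chain described above could be picked out of web-proxy logs on the defender's side, here is an added Python example (not code from the original post or from the PWSS): it classifies each request as a landing, scanner or download stage by its URL shape, links consecutive stages through the Referer, and reports clients whose requests walk all three stages under a single campaign id. The log format and client addresses are constructed; the URLs follow the ones quoted in the write-up.

```python
from urllib.parse import urlparse, parse_qs

# Constructed proxy log (not from the original post): "client url referer" per line.
SAMPLE_LOG = """\
10.0.0.5 http://www.usatoday.com/life/default.htm -
10.0.0.5 http://idatrinity.com/?id=51546405 http://www.usatoday.com/life/default.htm
10.0.0.5 http://liveavantbrowser2.cn/go.php?d=2006-40&key=0522c7066&p=1 http://idatrinity.com/?id=51546405
10.0.0.5 http://antivirusquickscanv1.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM http://liveavantbrowser2.cn/go.php?d=2006-40&key=0522c7066&p=1
10.0.0.5 http://antivirusquickscanv1.com/download.php?id=2006-40 http://antivirusquickscanv1.com/1/?id=2006-40&smersh=a54b37c24&back=%3DzQ21zT3MAQNMI%3DM
10.0.0.9 http://www.usatoday.com/life/default.htm -
10.0.0.9 http://idatrinity.com/?id=51546405 http://www.usatoday.com/life/default.htm
"""

def stage(url):
    """Classify a URL as a chain stage by path and query shape: (name, campaign_id) or None."""
    p = urlparse(url)
    q = parse_qs(p.query)
    if p.path.endswith("/go.php") and "d" in q and "key" in q:
        return ("landing", q["d"][0])        # go.php?d=<campaign>&key=...
    if p.path == "/1/" and "id" in q and "smersh" in q:
        return ("scanner", q["id"][0])       # /1/?id=<campaign>&smersh=...&back=...
    if p.path.endswith("/download.php") and "id" in q:
        return ("download", q["id"][0])      # download.php?id=<campaign>
    return None

def find_chains(log):
    """Return {client: {"campaign": id, "chain": [(stage, url), ...]}} for clients whose
    requests go landing -> scanner -> download, each request referred by the previous
    stage and all carrying the same campaign id."""
    by_client = {}
    for line in log.splitlines():
        client, url, referer = line.split(" ", 2)
        by_client.setdefault(client, []).append((url, referer))
    hits = {}
    for client, reqs in by_client.items():
        chain, campaign, prev_url = [], None, None
        for url, referer in reqs:
            s = stage(url)
            if s is None:
                continue                     # ordinary request, not part of the chain
            name, cid = s
            if chain and (referer != prev_url or cid != campaign):
                chain, campaign = [], None   # link or campaign id broken: start over
            if not chain and name != "landing":
                continue                     # a chain must begin at the go.php landing page
            campaign = cid
            chain.append((name, url))
            prev_url = url
        if [n for n, _ in chain] == ["landing", "scanner", "download"]:
            hits[client] = {"campaign": campaign, "chain": chain}
    return hits
```

Only the client that reached download.php is reported; a client that merely loaded the ad (10.0.0.9) is not, which keeps the alert tied to the full chain rather than to the ad network domain.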

Users of the PWSS are protected from this threat.
