eWeek Web Site Leads Users to Rogue Anti-Virus (AV) Application
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ ThreatSeeker™ Network has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors.
Update 2/24/09 - eWeek has informed us that the problem has been rectified. We have verified that the Web site is now safe.
eWeek.com is the online version of the popular business computing magazine.
When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp://[removed]inside.com/
Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server.
With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The host file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads.
The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/ which has been setup to collect payment details.
Websense® Security Labs has let eWeek know about the problem and they are working to fix it.Screenshot of the rogue Anti-Virus application:
Screenshot of the URL call that triggers the rogue AV download:
Websense Messaging and Websense Web Security customers are protected against this attack.