Kaleh has informed me of some interesting issues with the foxnews.com site which I had a closer look at. And indeed Kaleh is right, badware is distributed from the site.
This is not intentional on the part of foxnews.com but rather it seems one or more of their advertising partners have been infected or the ads themselves are originating from an infected system.
The infection I noticed was advertising being redirected through the known .htaccess redirection mechanism to antimalware-scannerv2.com
The problem is also reported here:
http://www.dslreports.com/forum/r22225362-foxnewscom-infected
Google has scanned foxnews.com a few times, but has failed to identify this threat so far.
Thanks Kaleh for noticing this one, which has a wide distribution.
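The post above names the .htaccess redirection mechanism as the delivery path. As an added example (not code from the post or from any of the sites mentioned), here is a small audit of an .htaccess file for the shape that mechanism usually takes: a RewriteRule, Redirect or ErrorDocument whose target is an off-site host, rated higher when the preceding RewriteCond keys on the visitor's referer or user agent. The sample file, the host allowlist and the placeholder domain are constructed; the thread does not say which conditions the real rule used, so the referer check is an assumption about the common pattern, not a description of this incident.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess (hypothetical; not from any real server).
# The second rule block is the generic injected-redirect shape: visitors
# arriving from search engines are bounced to an off-site host.
SAMPLE_HTACCESS = r"""
RewriteEngine On
# legitimate: canonicalise to https on our own host
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]

# injected: only search-engine referrals are redirected off-site
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|live)\. [NC]
RewriteRule .* http://placeholder-rogue-av.invalid/scan/ [R,L]

ErrorDocument 404 http://placeholder-rogue-av.invalid/404
"""

# Hosts the site legitimately redirects to (assumed for the sample).
SITE_HOSTS = {"www.example.org", "example.org"}

# RewriteCond variables that select victims by how they arrived rather
# than by what they requested; a redirect gated on these is the classic
# cloaking pattern, so it gets a higher severity.
TRAFFIC_CONDS = ("HTTP_REFERER", "HTTP_USER_AGENT")

REDIRECTING = ("rewriterule", "redirect", "redirectmatch", "errordocument")


def audit_htaccess(text, site_hosts):
    """Return a list of findings for directives that send visitors off-site.

    Each finding records the line, the directive, the external host, and
    whether the redirect is conditioned on referer/user agent.
    """
    findings = []
    pending_conds = []  # RewriteCond lines apply only to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive == "rewritecond":
            pending_conds.append(line)
            continue

        if directive in REDIRECTING:
            # RewriteRule: pattern target [flags]; the others end in the target.
            if directive == "rewriterule":
                target = parts[2] if len(parts) > 2 else ""
            else:
                target = parts[-1]
            host = urlparse(target).hostname if "://" in target else None
            if host and host not in site_hosts:
                traffic = any(k in c for c in pending_conds for k in TRAFFIC_CONDS)
                findings.append({
                    "line": lineno,
                    "directive": directive,
                    "host": host,
                    "traffic_conditioned": traffic,
                    "severity": "high" if traffic else "medium",
                })

        if directive == "rewriterule":
            pending_conds = []  # conditions are consumed by this rule
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, SITE_HOSTS):
        print(f"line {f['line']}: {f['directive']} -> {f['host']} "
              f"[{f['severity']}, traffic-conditioned={f['traffic_conditioned']}]")
```

Run it against a copy of the webroot's .htaccess (and any .htaccess in subdirectories, since Apache merges them) with the site's own hostnames in the allowlist; a referer-gated redirect to a host that is not yours is the thing to pull and compare against the last known-good deployment.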
Good catch! The details are somewhat sketchy though regarding which exact ads were causing the issue.
Best,
-A
Already on top of that issue Anirban. I have a preliminary dump showing the pages loaded and the effects. I’ll have to dig deeper though to detect the malicious scripts or the redirection itself. – Going to delve into that part a little later today.
I’ll keep everyone informed, including Foxnews, dslreports as well as Google, Stopbadware and ConsumerWebWatch.
Just verified a 2nd time, the site is still infected.
I also managed to get a full TCP packet dump of the malware so that it can be properly investigated.
Let’s hope this helps to get to the bottom of this.
Feels good to have people like you helping out :-)
Keep up the good work.
-A
Looks like foxnews.com has cleaned up something, or the advertisement partner has done so. – I cannot force the infection from the site anymore.
If anyone still gets the popup from the site, please let us know.
I take that back. dslreports.com users are still reporting infection from the site.
I managed to catch an attempted reinfection today. So I can verify the problem is still present.
But there is hope.
Foxnews has made contact and are now investigating the issue.
I have a few users that I support who also get redirected to spyware sites from foxnews.com.
Here are some domains / ip addresses to avoid. My firewall recorded this after being redirected from foxnews.com:
“static.66.172.47.78.clients.your-server.de” “http://securedliveuploads.com/?act=fr&type=PAV&id=2006-60&update=1604”
“static.153.91.47.78.clients.your-server.de” “http://protectionupdatecenter.com/wincontrol.dll”
“static.66.172.47.78.clients.your-server.de” “http://securedliveuploads.com/buy.php?id=2006-60”
“static.66.172.47.78.clients.your-server.de” “http://internetsoftwarepayments.com/buy.php?id=2006-60”
“94-76-213-227.static.as29550.net” “http://antimalwarescannerv2.com/1/?id=2006-60&back=%3DjQ4wzDwMAQMMI%3DM”
That would have been yesterday the 18th. I’ve noticed the domains have changed since then. It seems the redirect is rotating.
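The comment above notes that the redirect domains rotate, which makes a per-domain blocklist go stale quickly. As an added example (not code from the commenter or from any firewall product), here is a parser for the quoted "client-host" "url" records as pasted above that extracts the domains for blocking and also pivots on the one thing that did not change across the records: the id=2006-60 parameter. The five records are the ones quoted in the thread; the record format is assumed from how they were pasted.

```python
import re
from urllib.parse import urlparse, parse_qs

# The five records quoted in the thread, in the "resolved-client-host" "url"
# shape the commenter's firewall produced (format assumed from the paste).
FIREWALL_LOG = """
“static.66.172.47.78.clients.your-server.de” “http://securedliveuploads.com/?act=fr&type=PAV&id=2006-60&update=1604”
“static.153.91.47.78.clients.your-server.de” “http://protectionupdatecenter.com/wincontrol.dll”
“static.66.172.47.78.clients.your-server.de” “http://securedliveuploads.com/buy.php?id=2006-60”
“static.66.172.47.78.clients.your-server.de” “http://internetsoftwarepayments.com/buy.php?id=2006-60”
“94-76-213-227.static.as29550.net” “http://antimalwarescannerv2.com/1/?id=2006-60&back=%3DjQ4wzDwMAQMMI%3DM”
"""

# Accept both straight and curly quotes, since the paste used curly ones.
RECORD_RE = re.compile(r'^\s*[“"]([^”"]+)[”"]\s+[“"]([^”"]+)[”"]\s*$')


def parse_records(text):
    """Turn each quoted record into a dict with host, domain, path and id."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip blank lines and anything not in record shape
        client_host, url = m.groups()
        u = urlparse(url)
        qs = parse_qs(u.query)
        records.append({
            "client_host": client_host,   # reverse-DNS name of the remote host
            "url": url,
            "domain": u.hostname,
            "path": u.path,
            "affiliate_id": qs.get("id", [None])[0],
        })
    return records


def blocklist(records):
    """Sorted, de-duplicated list of landing domains for a DNS/proxy block."""
    return sorted({r["domain"] for r in records if r["domain"]})


def pivot_by_id(records):
    """Group domains by the id= parameter; a stable id across rotating
    domains is the indicator worth matching on instead of the domains."""
    groups = {}
    for r in records:
        groups.setdefault(r["affiliate_id"], set()).add(r["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def is_campaign_url(url, campaign_ids):
    """Proxy-side check: match on the id parameter regardless of domain."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("id", [None])[0] in campaign_ids


if __name__ == "__main__":
    recs = parse_records(FIREWALL_LOG)
    print("block:", ", ".join(blocklist(recs)))
    for cid, domains in pivot_by_id(recs).items():
        print(f"id={cid}: {domains}")
```

Matching on the id parameter at the proxy catches the next rotated domain on the day it appears, whereas the domain list only catches the ones already seen; keep both, and refresh the domain list from the log each time the pivot fires.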
Yep, I originally notified stopbadware.org about this on 4/14. Got an email from them on the 15th, stating they had pointed that to the folks here. Next time I’ll go right to the source, so to speak, and come here. Good work, folks.
