Foxnews.com distributing malware
by Cometcom1
11 months ago

Kaleh has informed me of some interesting issues with the foxnews.com site which I had a closer look at. And indeed Kaleh is right, badware is distributed from the site.

This is not intentional on the part of foxnews.com but rather it seems one or more of their advertising partners have been infected or the ads themselves are originating from an infected system.

The infection I noticed was advertising being redirected through the known .htaccess redirection mechanism to antimalware-scannerv2.com

The problem is also reported here:

http://www.dslreports.com/forum/r22225362-foxnewscom-infected

Google has scanned foxnews.com a few times, but have failed to identify this threat so far.

Thanks Kaleh for noticing this one, which has a wide distribution.

by anirban
11 months ago

Good catch! The details are somewhat sketchy though regarding which exact ads were causing the issue.

Best,
-A

by Cometcom1
11 months ago

Already on top of that issue Anirban. I have a preliminary dump showing the pages loaded and the effects. I’ll have to dig deeper though to detect the malicious scripts or the redirection itself. – Going to delve into that part a little later today.

I’ll keep everyone informed, including Foxnews, dslreports as well as Google, Stopbadware and ConsumerWebWatch.

by Cometcom1
11 months ago

Just verified a 2nd time, the site is still infected.

I also managed to get a full TCP packet dump of the malware so that it can be properly investigated.

Let’s hope this helps to get to the bottom of this.

by anirban
11 months ago

Feels good to have people like you helping out :-)

Keep up the good work.
-A

by Cometcom1
11 months ago

Looks like foxnews.com have cleaned up something, or the advertisement partner has done so. – I cannot force the infection from the site anymore.

If anyone still gets the popup from the site, please let us know.

by Cometcom1
11 months ago

I take that back. dslreports.com users are still reporting infection from the site.

by Cometcom1
11 months ago

I managed to catch an attempted reinfection today. So I can verify the problem is still present.

But there is hope.

Foxnews has made contact and are now investigating the issue.

by computerguy7
11 months ago

I have a few users that I support who also get redirected to spyware sites from foxnews.com.

by computerguy7
11 months ago

Here are some domains / ip addresses to avoid. My firewall recorded this after being redirected from foxnews.com:

“static.66.172.47.78.clients.your-server.de” “http://securedliveuploads.com/?act=fr&type=PAV&id=2006-60&update=1604”
“static.153.91.47.78.clients.your-server.de” “http://protectionupdatecenter.com/wincontrol.dll”
“static.66.172.47.78.clients.your-server.de” “http://securedliveuploads.com/buy.php?id=2006-60”
“static.66.172.47.78.clients.your-server.de” “http://internetsoftwarepayments.com/buy.php?id=2006-60”
“94-76-213-227.static.as29550.net” “http://antimalwarescannerv2.com/1/?id=2006-60&back=%3DjQ4wzDwMAQMMI%3DM”

by Cometcom1
11 months ago

That would have been yesterday the 18th. I’ve noticed the domains have changed since then. It seems the redirect is rotating.

by CajunTek
11 months ago

Yep, I originally notified stopbadware.org about this on 4/14. Got an email from them on the 15th, stating they had pointed that to the folks here. Next time I’ll go right to the source, so to speak, and come here. Good work folks.