Websense’Security Alert
February 2009 by Websense
Websense® Security Labs ThreatSeeker Network has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors.
eWeek.com is the online version of the popular business computing magazine. When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes.
Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server.
With no user interaction, a file named "winratit.exe" (MD5: 12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user’s temporary files folder.Two additional files are dropped onto the user’s machine and are bound to startup. The host file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads.
The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/ which has been setup to collect payment details.
Websense® Security Labs has let eWeek know about the problem and they are working to fix it.
Websense Messaging and Websense Web Security customers are protected against this attack.