OpenX compromise on speedtest.net, spreading Security Sphere 2012 fake antivirus

Status
Not open for further replies.

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Armorize said:
SpeedTest.net, ranked 541 on Alexa with 8,141,777 unique visitors and 10,177,221 page views per month, fell victim to malvertising and was spreading the "Security Sphere 2012" fake antivirus to its visitors. By simply navigating to the website, visitors with outdated browsing environments (browser or browser plugins such as Java, Adobe Flash, Adobe PDF Reader, etc.) will end up with Security Sphere permanently installed inside their systems.



Malvertising via OpenX on speedtest.net, spreading Security Sphere 2012 fake antivirus
Uploaded by ArmorizeTech on Oct 9, 2011
 

McLovin

Level 78
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,228
Wow, thanks for the information Jack. Glad I now know this so that I can beware when surfing SpeedTest. I also hope that they fix it in the upcoming days because if they don't, well there will be trouble.
 

enaph

Level 29
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,858
I think it is a small fire with a lot of smoke ;)
Look at the conditions of the infection - IE6 running on Windows XP without any security software + outdated plugins.
Any HIPS or BB should avoid infection in my opinion.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
I don't feel safe in Windows even if I have an up-to-date security application. Speedtest is one of the famous sites visited to test the speed, and one might not notice that the malicious software was running in the background.
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
WinAndLinuxTutorials said:
They just dream :p
Rogue programs are very dangerous and this type of attack is very popular.
In this particular case, I can only say that our How to remove Security Sphere 2012 (Removal Guide) got 500 views so far (of course not related to this incident, and of course we aren't the only site that is giving a removal guide for this rogue... so the number of users seeking info on this rogue is a lot higher...)
This is a very nasty rogue which comes bundled with a rootkit thus making it very hard to remove.
 

win7holic

New Member
Apr 20, 2011
2,079
I tried this on my OLD laptop,
and my connection died in 3 mins. It just loaded speedtest.net to 70%, then stopped.
I don't know why. Probably blocked it?
:dodgy:
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
It also tells you that your computer is infected, with an exaggerated scan result.
 

win7holic

New Member
Apr 20, 2011
2,079
Not found.
Scanned with HitmanPro during computer startup. As you know my config.
Nothing detected.
Just wanna do it again later.
Curious. :dodgy:
 

AyeAyeCaptain

Level 1
Feb 24, 2011
585
IE of all browsers though. I assume with Firefox + ABP + NoScript this would not work? And with CIS Def + Paranoid, the HIPS would spew up all sorts of warnings if it managed to get that far.

Inspired me to have a dive into the unknown and use some virtual machine software to play about with stuff. What does everyone use, VirtualBox... VMware or whatever?
 