Poisoned Adverts hit TV sites

Earlier this week we were asked to investigate a URL by a journalist working at The Register. A web user had contacted The Register claiming they were prompted to install some software when browsing a page on ITV.com, the website of the UK’s independent television network (a competitor to the BBC).

When I visited the site I saw the prompt to install some software. After downloading it I scanned it, and Sophos Anti-Virus identified it as Cleanator Installer (a potentially unwanted application, or PUA). Further investigation was then needed.

When I re-visited the site on a machine with all analysis tools to hand, I saw some interesting sites get loaded.

[Screenshot: proxy log]

The above snippet from the proxy log has been edited to obscure the malicious site. Upon downloading the ‘PHP’ file I saw that it was actually a Macromedia Flash file, now detected as Troj/Gida-B. It contained a link to another PHP file on the same site. This loaded a Shockwave Flash file, also detected as Troj/Gida-B. The Shockwave file contained a script that redirected to another site, which then loaded the cleanator dot com page.

Once on the Cleanator page I was presented with the following:

[Screenshot: Cleanator dialog]

After several different button presses I was presented with these worrying images.

[Screenshot: Cleanator warning]

And:

[Screenshot: Cleanator main page]

Cleanator has become somewhat infamous recently, and the group behind it is widening its scope beyond Windows users. Recently we saw MacSweeper, the first rogue application targeting Mac users. Sure enough, in the case described here, if the user browsing the ads is on a Mac (browser user-agent string suggestive of Safari), they get redirected to the macsweeper dot com page instead.

[Screenshot: MacSweeper page]
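The chain above gives a defender three things to look for in a proxy log: a URL that ends in .php but returns Flash bytecode, a redirect whose final target is a known rogue-software domain, and a single redirector that sends Safari users somewhere different from Windows users. The following is an added example (not code from the original post or from Sophos) that runs those three checks over a constructed set of proxy-log records; the hostnames ad-server.example, hop.example and itv.example are placeholders, since the real ad server was obscured in the post, and the record layout (url, ua, status, location, body_head) is an assumption about what a proxy log export would contain.

```python
"""Detection logic for the redirect chain described above (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Flash files begin with "FWS" (uncompressed) or "CWS" (zlib-compressed).
FLASH_MAGIC = (b"FWS", b"CWS")
# Extensions that should return HTML/JSON, never Flash bytecode.
SCRIPT_LIKE_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi")
# Rogue-security-software domains named (defanged) in the post.
ROGUE_DOMAINS = {"cleanator.com", "macsweeper.com"}

# Constructed proxy-log records; hostnames are placeholders, not real ad servers.
SAMPLE_LOG = [
    {"url": "http://ad-server.example/banner.php", "ua": "Mozilla/4.0 (Windows; MSIE 7.0)",
     "status": 200, "location": None, "body_head": b"CWS\x09..."},
    {"url": "http://ad-server.example/step2.php", "ua": "Mozilla/4.0 (Windows; MSIE 7.0)",
     "status": 200, "location": None, "body_head": b"FWS\x08..."},
    {"url": "http://hop.example/go", "ua": "Mozilla/4.0 (Windows; MSIE 7.0)",
     "status": 302, "location": "http://cleanator.com/", "body_head": b""},
    {"url": "http://hop.example/go", "ua": "Mozilla/5.0 (Macintosh; Safari)",
     "status": 302, "location": "http://macsweeper.com/", "body_head": b""},
    {"url": "http://itv.example/news.php", "ua": "Mozilla/4.0 (Windows; MSIE 7.0)",
     "status": 200, "location": None, "body_head": b"<html><head>"},
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def flash_disguised_as_script(rec):
    """True when a script-like URL actually returns a Flash file (magic bytes FWS/CWS)."""
    path = urlparse(rec["url"]).path.lower()
    return path.endswith(SCRIPT_LIKE_EXT) and rec["body_head"][:3] in FLASH_MAGIC


def redirects_to_rogue(rec):
    """True when a 3xx response sends the client to a known rogue-software domain."""
    loc = rec.get("location")
    return 300 <= rec["status"] < 400 and loc is not None and host_of(loc) in ROGUE_DOMAINS


def ua_dependent_redirects(records):
    """URLs that redirect different user agents to different hosts (UA cloaking)."""
    targets = defaultdict(set)
    for rec in records:
        if 300 <= rec["status"] < 400 and rec.get("location"):
            targets[rec["url"]].add(host_of(rec["location"]))
    return {url: hosts for url, hosts in targets.items() if len(hosts) > 1}


def analyse(records):
    """Return a list of (finding-type, url, ...) tuples for the suspicious records."""
    findings = []
    for rec in records:
        if flash_disguised_as_script(rec):
            findings.append(("flash-as-script", rec["url"]))
        if redirects_to_rogue(rec):
            findings.append(("rogue-redirect", rec["url"], host_of(rec["location"])))
    for url, hosts in ua_dependent_redirects(records).items():
        findings.append(("ua-cloaking", url, tuple(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The magic-byte check is the one that generalises best: a domain blocklist goes stale as soon as the group registers a new name, whereas an ad slot that serves Flash from a URL claiming to be a server-side script is suspicious regardless of where it eventually redirects. The user-agent comparison needs at least two fetches of the same URL with different browsers, which is exactly what the post describes doing by hand.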

Some interesting information about Cleanator, MacSweeper (and others) is available here. The facts are simple – loading content from other parties is potentially dangerous (see the older blog article).