Earlier this week we were asked to investigate a URL by a journalist working at The Register. A web user had contacted The Register claiming they were prompted to install some software when browsing a page on ITV.com, the website of the UK’s independent television network (the competitor to the BBC).
When I re-visited the site on a machine with all analysis tools to hand, I saw some interesting sites get loaded.
The above snippet from the proxy log has been edited to obscure the malicious site. Upon downloading the ‘PHP’ file I saw that it was actually a Macromedia Flash file, now detected as Troj/Gida-B. It contained a link to another PHP file on the same site. This loaded a Shockwave Flash file, also detected as Troj/Gida-B. The Shockwave file contained a script to redirect to another site that then loaded the cleanator dot com page.
Once on the Cleanator page I was presented with the following:
After several different button presses I was presented with these worrying images.
Cleanator has become somewhat infamous recently, and the group behind it are widening their scope beyond Windows users. Recently we saw MacSweeper, the first rogue application targeting Mac users. Sure enough, in the case described here, if the user browsing the ads is on a Mac (browser user-agent string suggestive of Safari), they get redirected to the macsweeper dot com page.
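As an added illustration (not code from the original post), here is how a defender might triage proxy-log records for the two signals described above: a response whose body is Flash even though it was fetched as a ‘PHP’ file, and a redirect chain that ends at one of the rogue domains named in the post. The record format and the `example.invalid` hostnames are constructed for the example.

```python
import re
from dataclasses import dataclass

# SWF files start with "FWS" (uncompressed) or "CWS" (zlib-compressed).
SWF_MAGIC = (b"FWS", b"CWS")
SWF_MIME = "application/x-shockwave-flash"
# Rogue destinations named in the write-up.
ROGUE_HOSTS = {"cleanator.com", "macsweeper.com"}

@dataclass
class ProxyRecord:            # constructed, simplified proxy-log entry
    url: str
    status: int
    content_type: str
    head: bytes               # first bytes of the response body
    location: str = ""        # Location header on a 30x response

def host_of(url):
    return re.sub(r"^https?://([^/:]+).*$", r"\1", url).lower()

def masquerading_swf(rec):
    """Body is Flash, but the URL extension or declared type says otherwise."""
    path = rec.url.lower().split("?")[0]
    declared = rec.content_type.split(";")[0].strip().lower()
    looks_swf = path.endswith(".swf") and declared == SWF_MIME
    return rec.head.startswith(SWF_MAGIC) and not looks_swf

def redirect_chain(records, start):
    """Follow 30x Location headers from `start`; return the hosts visited."""
    by_url = {r.url: r for r in records}
    chain, url, seen = [], start, set()
    while url and url not in seen:
        seen.add(url)
        chain.append(host_of(url))
        rec = by_url.get(url)
        url = rec.location if rec and 300 <= rec.status < 400 else ""
    return chain

def triage(records):
    findings = [("swf-masquerade", r.url) for r in records if masquerading_swf(r)]
    targets = {r.location for r in records if r.location}
    for r in records:
        if r.url in targets:          # only start chains at their first hop
            continue
        chain = redirect_chain(records, r.url)
        if len(chain) > 1 and chain[-1] in ROGUE_HOSTS:
            findings.append(("rogue-redirect", " -> ".join(chain)))
    return findings

SAMPLE = [  # constructed log entries mirroring the chain described above
    ProxyRecord("http://ads.example.invalid/show.php", 200, "text/html", b"CWS\x09"),
    ProxyRecord("http://ads.example.invalid/next.php", 200, SWF_MIME, b"FWS\x08"),
    ProxyRecord("http://hop.example.invalid/go", 302, "text/html", b"", "http://cleanator.com/"),
    ProxyRecord("http://cleanator.com/", 200, "text/html", b"<html>"),
]
```

Running `triage(SAMPLE)` flags both ‘PHP’ URLs as Flash in disguise and reports the hop that lands on cleanator.com; the Mac branch of the same check only requires recording the User-Agent the proxy sent, since the redirect target depends on it.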