A colleague called me today stating that his website was the victim of a hack and he did not know what to do. He was frantic and said that his website was distributing Antivirus 2009, so I decided to take a look at it and lo and behold, we found Antivirus 2009 being distributed from Motigo’s ad system.
*Update* We have noticed our keyword search hit for “quickupdates” has increased 70% of our total keyword hit statistics over the past 24 hours. If you are viewing our site as a result of experiencing this pop-up, please leave us a comment and be sure to include what site you were on at the time.
We traced the AV09 pop-up down to the following JavaScript counter code.
The ID has been removed to protect the victim's identity.
```html
<!-- Begin Motigo Webstats counter code -->
<a id="*" href="hxxp://webstats.motigo.com/">
<img src="hxxp://m1.webstats.motigo.com/n.gif?id=*" border="0" alt="Free counter and web stats" width="18" height="18" /></a>
<script src="hxxp://m1.webstats.motigo.com/c.js?id=*" type="text/javascript"></script>
<!-- End Motigo Webstats counter code -->
```
Resulted in this pop-up being displayed on his site:
Clicking the pop-up brought us to:
hxxp://quickupdates29.com <-- don't go here
File distributed:
File: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
MDB: /lithium-malware/AV2009Install.zip
The Motigo webstats counter code is responsible for several pop-ups, and one of them is Antivirus 2009. This is a scary thought. This means that everyone hosting this code on their website can potentially infect their viewers/customers. This is an extremely cost-effective distribution method for the malware creators, and I bet we will see more like it as time goes by.
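One way a site owner can inventory the off-site includes on a page before trusting them, as an added example (not code from the original post or from Motigo). The sample page is constructed around the counter snippet above; `example.com`, `audit` and the verdict labels are assumptions. Nothing is fetched, and the `hxxp` defanging is undone only to parse the host name.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose external source runs code or active content in the visitor's browser.
ACTIVE_TAGS = {"script", "iframe", "embed"}

def host_of(url):
    """Lowercase host of a URL ('' if relative); hxxp is refanged for parsing only."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return (urlsplit(url).hostname or "").lower()

class IncludeAuditor(HTMLParser):
    def __init__(self, site_domain, approved_hosts=()):
        super().__init__()
        self.site = site_domain.lower()
        self.approved = {h.lower() for h in approved_hosts}
        self.findings = []  # (tag, host, verdict)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        host = host_of(src) if src else ""
        # Skip relative URLs and the site's own domain or subdomains.
        if not host or host == self.site or host.endswith("." + self.site):
            return
        if tag not in ACTIVE_TAGS:
            verdict = "passive"            # e.g. a counter image: reveals the visit, runs no code
        elif host in self.approved:
            verdict = "approved-active"    # remote code the owner has reviewed
        else:
            verdict = "UNREVIEWED-ACTIVE"  # remote code nobody has vetted
        self.findings.append((tag, host, verdict))

def audit(html, site_domain, approved_hosts=()):
    parser = IncludeAuditor(site_domain, approved_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page for the hypothetical site example.com (ID shown as * as in the post).
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<a id="*" href="hxxp://webstats.motigo.com/">
<img src="hxxp://m1.webstats.motigo.com/n.gif?id=*" border="0" width="18" height="18" /></a>
<script src="hxxp://m1.webstats.motigo.com/c.js?id=*" type="text/javascript"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, "example.com"):
        print(finding)
```

Every host reported as `UNREVIEWED-ACTIVE` serves code that runs with full access to the page, so those are the providers to put through the questions below.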
Important note to website owners!
If you are going to use any service (free or paid), you'd better make sure you understand all of the terms and conditions. It's not unusual for free services to be accompanied by ads or pop-ups, but you must ask yourself the following questions before putting anything on your site.
1. What is the service provider's privacy policy?
2. What are their terms of service?
3. How do they screen their affiliate links for malware/phishing attacks?
Finally, it’s important to see what their users think of the service. As we can see, Motigo has a laundry list of pop-up complaints:
- http://answers.yahoo.com/question/index?qid=20080619211250AAhrXpJ
- http://forum.statcounter.com/vb/archive/index.php/t-28478.html
- http://edward.de.leau.net/the-end-of-the-first-dutch-weblog-era-revised-webstats-becomes-motigo-webstats-20070312.html
- http://insidecable.blogsome.com/2007/12/19/death-to-popups/
- http://thingywotsit.blogspot.com/2008/03/sorry-about-that.html
- http://arguelifeblog.blogspot.com/2007/06/ticking-along.html
Related News: PandaLabs reports on the sudden increase of rogue (fake) security products. -> Report










I just got this virus on my computer – it didn't visit any 'sketchy websites,' but I'll bet someone accidentally put it on. I am running Norton Utilities and had recently updated virus profiles. Any ideas/links on how to get rid of this?
thanks so so much
I know exactly where I got this damn virus……it was from the New York Post website. I went to their site for maybe 1 minute and immediately was barraged by that damn “quickupdates29.com” trying to load Antivirus 2009. I’ve tried AdAware Plus and Spybot and nothing is getting rid of this pop-up. I too am in desperate need of help to get rid of this pop-up. Any assistance would be gratefully appreciated.
Thanks,
Richard
I also have it. The site hxxp://quickupdates29.com/2009/1/_freescan.php?aid=77052104 came up and started some fake virus scan. AVG did not seem to be able to get rid of it. Any ideas? Thanks
I don't exactly remember the site I visited but I saw Antivirus 2009 trying to install. Tried to close, abort, no way! My system was infected by a trojan. I tried a couple of anti virus, spyware malware gave up and reinstalled XP on another drive. It redirects my web search to an advertisement page and couldn't do any surfing, kind of Zombie? The trojan and key logger was traced by an anti virus malware spyware but was unable to remove it. It is also password protected.
I’m trying to install this on my VMware Workstation.. but can’t install it!!
You can try using Malwarebytes Anti-Malware to remove it…
http://remove.malwaredatabase.net
Mats
Got through Google Chrome, downloaded 3 copies. Of course I did not open, that would be stupid. Deleted, end of story.