Malware Database

A colleague called me today stating that his website was the victim of a hack and he did not know what to do. He was frantic and said that his website was distributing Antivirus 2009, so I decided to take a look at it and lo and behold, we found Antivirus 2009 being distributed from Motigo’s ad system.

For those who don’t know what Antivirus 2009 is, it’s a rogue (fake) security product. You can see a video of it in action here.

*Update* We have noticed our keyword search hit for “quickupdates” has increased 70% of our total keyword hit statistics over the past 24 hours. If you are viewing our site as a result of experiencing this pop-up, please leave us a comment and be sure to include what site you were on at the time.

We traced the AV09 pop-up down to the following JavaScript counter code.

The ID has been removed to protect the victims identity

< !– Begin Motigo Webstats counter code — > < a id=”*” href=”hxxp://webstats.motigo.com/”> < img src=”hxxp://m1.webstats.motigo.com/n.gif?id=*” border=”0″ alt=”Free counter and web stats” width=”18″ height=”18″ /> < script src=”hxxp://m1.webstats.motigo.com/c.js?id=*” type=”text/javascript”> < !– End Motigo Webstats counter code — >

Resulted in this pop-up being displayed on his site:

Clicking the pop-up brought us to:

hxxp://quickupdates29.com <–don’t go here

File distributed:

File: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
MDB: /lithium-malware/AV2009Install.zip

The motigo webstat counter code is responsible for several pop-up’s and one of them is Antivirus 2009. This is a scary thought. This means that everyone hosting this code on their website can potentially infected their viewers/customers. This is an extremely cost effective distribution method for the malware creators and I bet we will see more like it as time goes by.

Important note to website owners!

If you are going to use any service (free or paid), you’d better make sure you understand all of the terms and conditions. It’s not unusual for free services to be accompanied by ad’s or pop-ups but you must ask yourself the following questions before putting anything on your site.

1. What is the service providers privacy policy?

2. What are their terms of service?

3. How do they screen their affiliate links for malware/phishing attacks?

Finally, it’s important to see what their users think of the service. As we can see, Motigo has a laundry list of pop-up complaints:

• http://answers.yahoo.com/question/index?qid=20080619211250AAhrXpJ
• http://forum.statcounter.com/vb/archive/index.php/t-28478.html
• http://edward.de.leau.net/the-end-of-the-first-dutch-weblog-era-revised-webstats-becomes-motigo-webstats-20070312.html
• http://insidecable.blogsome.com/2007/12/19/death-to-popups/
• http://thingywotsit.blogspot.com/2008/03/sorry-about-that.html
• http://arguelifeblog.blogspot.com/2007/06/ticking-along.html

Related News: PandaLabs reports on the sudden increase of rogue (fake) security products. -> Report

Removal:

Remove this threat with MalwareBytes!