Incident: SpeedTest.net, ranked 541 on Alexa with 8,141,777 unique visitors and 10,177,221 page views per month, fell victim to malvertising and was spreading the "Security Sphere 2012" fake antivirus to its visitors. By simply navigating to the website, visitors with outdated browsing environments (browser or browser plugins such as Java, Adobe Flash, Adobe PDF Reader, etc) will end up with Security Sphere permanently installed inside their systems.
Malware: By claiming that every application "has been infected by malware and cannot be executed," Security Sphere 2012 basically locks down the infected computer until the victim purchases a "license" for it to "clean up the infections."
Cause: SpeedTest.net runs its own online advertisement platform using OpenX, using the domain ads.ookla.com. The attackers have compromised this OpenX platform and injected an malicious iframe into every ad served. We have a video of the how visitors are infected:
Malware Lifecycle: Initially, the detection rate on VirusTotal was 0 out of 43:
The malware detects common VMs (virtual machines) and will not execute inside a VM or sandbox. This helps it avoid detection.
Below is a timeline of the malware lifecycle. We missed to submit in some spots so the timeline isn't 100% accurate, but it gives a good idea:
2011-09-XX 00:00 UTC Initial injection into SpeedTest.net and other websites
|
|
(Anvirirus companies do not have this particular malware sample and therefore no one is detecting it)
|
(We don't know how long this period was)
|
|
2011-09-30 09:23 UTC 0 / 43, we first submitted the sample to VirusTotal. Because all 43 participating antivirus vendors are in partnership with VirusTotal, they should all have this sample once we've submitted it.
2011-09-30 11:00 UTC 2 / 43, Kaspersky, NOD32
2011-09-30 15:00 UTC 3 / 43, Dr. Web
2011-09-30 19:00 UTC 7 / 43, Comodo, Emsissoft, Microsoft, Panda
2011-09-30 23:00 UTC 9 / 43, AVG, Symantec
2011-10-01 03:00 UTC 14 / 43, BitDefender, F-Secure, GData, PCTools, SUPERAntiSpyware
2011-10-01 07:00 UTC 14 / 43,
2011-10-01 11:00 UTC 17 / 43, Avast, McAfee, VIPRE
2011-10-01 15:00 UTC 17 / 43,
2011-10-01 19:00 UTC 22 / 43, Ahn-Lab-V3, Ikarus, K7AntiVirus, McAfee-GW-Edition, Sophos
2011-10-01 23:00 UTC 22 / 43,
2011-10-02 03:00 UTC 22 / 43,
2011-10-02 07:00 UTC 22 / 43,
2011-10-02 11:00 UTC 22 / 43,
2011-10-02 15:00 UTC 22 / 43,
2011-10-02 19:00 UTC 22 / 43,
2011-10-02 23:00 UTC 22 / 43,
2011-10-03 03:00 UTC 22 / 43,
2011-10-03 07:00 UTC 22 / 43,
2011-10-03 11:00 UTC 30 / 43, AntiVir, Antiy-AVL, CAT-QuickHeal, Emsisoft, TheHacker, TrendMicro, TrendMicro-HouseCall, VirusBuster
2011-10-03 15:00 UTC 30 / 43,
2011-10-03 19:00 UTC 31 / 43, nProtect
2011-10-03 23:00 UTC 31 / 43,
2011-10-04 03:00 UTC 31 / 43,
2011-10-04 07:00 UTC 31/ 43,
2011-10-04 11:00 UTC 31 / 43,
2011-10-04 15:00 UTC 31 / 43,
2011-10-04 19:00 UTC 31 / 43,
2011-10-04 23:00 UTC 31 / 43,
2011-10-05 03:00 UTC 31 / 43,
2011-10-05 07:00 UTC 31 / 43,
2011-10-05 11:00 UTC 32 / 43, eTrust-Vet
2011-10-05 15:00 UTC 32 / 43,
2011-10-05 19:00 UTC 32 / 43,
2011-10-05 23:00 UTC 32 / 43,
2011-10-06 03:00 UTC 32 / 43,
2011-10-06 07:00 UTC 32 / 43,
2011-10-06 11:00 UTC 33 / 43, Fortinet
2011-10-06 15:00 UTC 33 / 43,
2011-10-06 19:00 UTC 33 / 43,
2011-10-06 23:00 UTC 33 / 43,
2011-10-07 03:00 UTC 33 / 43,
2011-10-07 07:00 UTC 33 / 43,
2011-10-07 11:00 UTC 33 / 43,
2011-10-07 15:00 UTC 33 / 43,
2011-10-07 19:00 UTC 33 / 43,
2011-10-07 23:00 UTC 33 / 43,
2011-10-08 03:00 UTC 33 / 43,
2011-10-08 07:00 UTC 33 / 43,
2011-10-08 11:00 UTC 33 / 43,
2011-10-08 15:00 UTC 33 / 43,
2011-10-08 19:00 UTC 33 / 43,
2011-10-08 23:00 UTC 33 / 43,
2011-10-09 03:00 UTC 33 / 43,
2011-10-09 07:00 UTC 33 / 43,
2011-10-09 11:00 UTC 33 / 43,
2011-10-09 15:00 UTC 33 / 43,
2011-10-09 19:00 UTC 34 / 43, JIangmin
2011-10-09 23:00 UTC 34 / 43,
Still undetecting: ByteHero, ClamAV, Commtouch, eSafe, F-Prot, Prevx, Rising, VBA32, ViRobot
Read more (rest of article)...
