Blue Coat Labs

Follow-up on Major Malvertising Network

Chris Larsen

Partly because the previous post got a bit of publicity, but mostly due to the fact that there were a lot more sites to research, I decided to do a follow-up post on the big malvertising network that's been running for months.

To begin with, I should answer the most-asked question, namely, "Is the LA Times still serving the malicious ads?"

As of last Friday, the answer was definitely "Yes". We were still seeing traffic from the various subdomains to It was down to a relative trickle in our logs, compared to what it had been, but this is only because all of our customer base (except a few K9 stragglers) had already checked in with WebPulse, and been told that it was Malware. So the actual level of exposure to the malicious ads was much higher than we were seeing.

Last Friday was also the day that I became much more proactive about reaching out to contacts in the WebAd industry and anti-malvertising groups, and sharing my lists with them. (This has gone really well, btw. I got some good lists back in return. Thanks to all who helped!)


Anyway, traffic to dwindled away, and it went silent on 9/06. After a short break, however, a new site from the same malvertising network ( appeared in the traffic, beginning on 9/10, with thousands of hits in our logs. This continued into 9/11, but the traffic looked like it was dwindling away yesterday, so I'm guessing the Times cut this one off pretty quickly.


It's a similar story for the other most-asked-about victim site, As of last Friday, I wasn't seeing any more in the traffic from its malvertising parasite ( The traffic from had switched -- it was mostly coming from,, and But a lack of in this traffic chain isn't conclusive, for the reasons in the previous paragraph -- most of our users were already immunized against visiting, in short order. (And I'm pleased to report that there has been no traffic to this week.)

However, was showing up as a referrer to a new malvertising site -- -- so they were definitely still running the malicious ads...


And there are lots of other sites involved; here's a sampling, adding on to the table from the previous post:

Domain   Registration Date   Traffic Began   Primary Traffic Sources (Victim Sites)
         9/17/2012           8/22/2013       ,,
         11/09/2012          8/23/2013
         10/19/2012          8/08/2013       (a SAS web ad server)
         8/07/2012           8/07/2013       subdomains
         11/09/2012          7/15/2013       ,,,
         11/08/2012          7/30/2013       ,
         10/19/2012          7/25/2013
         8/07/2012           8/05/2013
         8/07/2012           8/14/2013       ,,
         10/26/2012          4/02/2013       , various job sites
         10/26/2012          9/10/2013       (and subdomains),
(and several more...)


The importance of this story, however, is not "Which well-known sites were victimized?"

And it's not "Hey, look! It's also hitting Australian sites!" (Or French sites, as I pointed out last week.)

The significance is how patiently the Bad Guys wove their web: registering a ton of sites (mostly anonymously) last year; holding them in reserve for months; getting them trusted by various ad providers; targeting one or more popular sites; and hiding their true nature with layers of relays between them and the malware.
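As an added illustration (not code from the original post or from Blue Coat), here is a small Python heuristic that looks in a proxy log for exactly that pattern: a host registered months before it first draws traffic, then fed by several unrelated referring sites, with the next relay hop reached through it. All hostnames, log lines and registration dates are constructed samples.

```python
"""Heuristic for 'aged' malvertising relay domains in proxy logs (added example)."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log, "YYYY-MM-DD referrer_host requested_host"; not real traffic.
SAMPLE_LOG = """\
2013-08-22 news.example    relay-a.example
2013-08-22 sports.example  relay-a.example
2013-08-23 finance.example relay-a.example
2013-08-23 relay-a.example relay-b.example
2013-08-22 news.example    cdn-static.example
"""
# Constructed registration dates, standing in for a WHOIS / registration lookup.
REGISTERED = {
    "relay-a.example": date(2012, 9, 17),
    "relay-b.example": date(2012, 11, 9),
    "cdn-static.example": date(2013, 8, 20),
}

def parse_log(text):
    """Yield (seen_on, referrer, host) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        day, ref, host = line.split()
        yield datetime.strptime(day, "%Y-%m-%d").date(), ref, host

def flag_dormant_relays(log_text, registered, min_dormant_days=120, min_sources=2):
    """Return {host: (days dormant, sorted referrers)} for hosts that were
    registered long before first traffic and are then fed by several sites."""
    first_seen, referrers = {}, defaultdict(set)
    for seen_on, ref, host in parse_log(log_text):
        first_seen[host] = min(seen_on, first_seen.get(host, seen_on))
        referrers[host].add(ref)
    flagged = {}
    for host, seen in first_seen.items():
        reg = registered.get(host)
        if reg is None:  # no registration date known: nothing to age against
            continue
        dormant = (seen - reg).days
        if dormant >= min_dormant_days and len(referrers[host]) >= min_sources:
            flagged[host] = (dormant, sorted(referrers[host]))
    return flagged

def downstream_hops(log_text, hosts):
    """Hosts requested with a flagged host as referrer: the next relay layer."""
    hops = defaultdict(set)
    for _, ref, host in parse_log(log_text):
        if ref in hosts:
            hops[ref].add(host)
    return {ref: sorted(nxt) for ref, nxt in hops.items()}
```

Against the constructed log only relay-a.example is flagged (339 days between registration and first traffic, three referring sites), and downstream_hops shows it forwarding to relay-b.example, which a plain per-domain reputation check would miss because it is only ever reached through the first relay.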

