Blue Coat Labs

Labs Blog

Big Malvertising Attack in South Africa

Big Malvertising Attack in South Africa

Chris Larsen

One of the malvertising gangs we track has a track record of showing up in different countries. In checking the logs to see where they're active this week, we found a lot of traffic coming from visitors to a major South African news media site, the Mail and Guardian (

A large number of visitors to the site are being served an ad that sends their browser to a server in The Netherlands (currently at *).

This site forwards the victims to a variety of junk subdomains on (such as kanplnv., ltute., utxq., vrsfylj. -- there is pretty rapid turnover: typically just one or two requests to each one).

The sites, in turn, are relaying the traffic to a family of "Fake Antivirus" sites with names like, which use scare tactics like this to convince people that their computer is infected, and to download the Fake-AV software to "clean" it.

screenshot of fake malware warning

Clicking the "OK" and "Clean computer" buttons yields a setup.exe program that was rather poorly detected in a quick VirusTotal check (just 3/47 engines). Which is the kind of situation we built WebPulse for...


[Update 1/10/2013]: The Mail and Guardian security team reached out to us immediately, and we sent them some additional details about the attack traffic (which ceased a few days ago). They reported this morning that they believe they have identified the offending ad service. We would like to publicly commend them for the speed and thoroughness of their response; they're the type of security staff every company needs. (In contrast, we have yet to hear from, and the malvertising traffic from them to is continuing.) Malvertising is a very tricky beast: even when you think it might be happening on your web site, it is hard to verify; and even when you know that a particular IP address or domain is evil, it can be very difficult to pin down exactly where it is coming from in an advertising ecosystem. [/Update]


Bonus Notes on the Malvertising Attack

And while we're on the topic of malvertising, the big news last week was a malvertising campaign that hit, which was nicely covered by the Fox-IT blog. As defensive suggestions they recommended blocking two different IP address blocks:


This would work, but it's a fair amount of overkill. The first range (the malvertising servers) had a total of 47 addresses in use by this gang in the past, with some other shady-but-different traffic on some others, and most of the rest lying fallow.

The second block contains the single address ( identified by Fox-IT as the host of the exploit kit domains in the attack. (The exploit kit level is where we were blocking.) This address was the 15th (all in this block) used by this gang, beginning on December 19th.

Most interesting to me is that this gang is not exclusively a malvertising operation. In the first two days of operation (12/19 - 12/20), their Magnitude exploit kit domains were receiving traffic from injected subdirectories on hacked sites, with page names showing that at least some of the traffic was coming from poisoned searches, on such terms as:

  • mexican strawberry tamales
  • honda fit wiper blades
  • calories in publix chocolate chip cookie cake
  • how to become a mechanical engineer technician
  • call of duty 4 modern warfare pc controller
  • what is the next american girl doll of the year 2014
  • what is mama d's recipe for pink sauce

...and the other gloriously random stuff people search for that the Bad Guys target in Search Engine Poisoning attacks.





* As a footnote, a rogue ad domain ( that we've had rated as Malware in our database for several months, is also showing up on that IP now, although that's not the traffic we're talking about in this post. The traffic is coming from ads served to, which needs to work with its ad provider to at least eliminate traffic to long-time malvertising sites.