Fake Antivirus XP pops-up at Cleveland.com

Summary: Have we reached the phase where targeted advertising equals evasive malware campaigns, pushed through third-party ad networks to a geolocated set of visitors only? Could be.

Have we reached the phase where targeted advertising equals evasive malware campaigns, pushed through third-party ad networks to a geolocated set of visitors only? Could be. During the weekend, rogue Antivirus XP pop-ups were served to visitors of Cleveland.com, according to visitors' complaints which I also managed to verify.

Investigating further reveals that the very same ad network that was used to serve similar Antivirus 2009 pop-ups at AllRecipes.com in November, appears to have been the one (tacoda.net) that cybercriminals once again used in Cleveland.com's case.

With ad networks centered on efficiency, in the sense of giving publishers faster access to their networks, any cybercriminal, no matter the ad network in question, can easily become a publisher. This is the basis of malvertising, whose key advantage from the cybercriminal's perspective remains the opportunity to target high-traffic web sites that aren't susceptible to common exploitation tactics.

What ad networks should set as a priority is establishing a more transparent process about what measures, if any, they have undertaken to verify that a publisher's sites aren't disseminating malware or client-side exploits. For instance, plain simple cross-checking (for starters) of the rogue security software domains that appeared at Cleveland.com against Google's Safe Browsing database indicates that they're already marked as harmful.
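The cross-check suggested above, as an added example that is not part of the original post: a small vetting step an ad network could run over a publisher's landing URLs before approving creatives. It assumes the present-day Safe Browsing Lookup API v4 (which postdates this 2008 post); the API key, client name and sample URLs are constructed placeholders, and the bundled response is constructed so the logic runs offline.

```python
import json
import urllib.request

# Google Safe Browsing Lookup API v4 endpoint (assumption: the modern API,
# used here as today's way to do the cross-check the article recommends).
LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

def build_lookup_request(urls, client_id="ad-network-vetting", client_version="0.1"):
    """Build the threatMatches:find body for a batch of landing-page URLs."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }

def flagged_urls(response):
    """Map each matched URL to the set of threat types Safe Browsing reports for it."""
    flagged = {}
    for match in response.get("matches", []):
        url = match["threat"]["url"]
        flagged.setdefault(url, set()).add(match["threatType"])
    return flagged

def vet_creatives(urls, response):
    """Split a publisher's landing URLs into those to approve and those to reject."""
    bad = flagged_urls(response)
    approved = [u for u in urls if u not in bad]
    return approved, bad

def lookup(urls, api_key, timeout=10):
    """Live query (needs network and a real API key); returns the parsed JSON."""
    body = json.dumps(build_lookup_request(urls)).encode()
    req = urllib.request.Request(f"{LOOKUP_ENDPOINT}?key={api_key}", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample: two landing URLs a publisher submitted, and a constructed
# response in the shape the API returns when one of them is listed.
SAMPLE_URLS = ["http://legit-recipes.example/", "http://scanner-xp.example/install"]
SAMPLE_RESPONSE = {"matches": [{"threatType": "MALWARE", "platformType": "ANY_PLATFORM",
    "threatEntryType": "URL", "threat": {"url": "http://scanner-xp.example/install"}}]}

if __name__ == "__main__":
    approved, rejected = vet_creatives(SAMPLE_URLS, SAMPLE_RESPONSE)
    print("approve:", approved)
    print("reject:", {u: sorted(t) for u, t in rejected.items()})
```

Swap `SAMPLE_RESPONSE` for `lookup(SAMPLE_URLS, api_key)` to run the same vetting against the live service.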

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


  • something needs to be done about antivirus 2009

    I click on a url link from a legit site and this page with anti-virus 2009 popped up.

    The only way to get rid of it was to turn off my PC and restart.
    • Lucky... and smart

      Actually you're lucky and smart. One thing never to do is click on anything in those ads. In most of them, any button you press - even "Cancel" - does the same thing as saying "install me". Killing IE would most likely have helped as well.

      Try changing your DNS to OpenDNS. They've blocked the Antivirus XP/2008/2009 sites - which helps.
      Gis Bun
      • Lucky... and smart????

        How does clicking on something in your browser install software on your computer? Is there some sort of unpatched vulnerability in your operating system?
        • It does not matter.

          Clicking "cancel" in a browser is like clicking "OK." It's the same effect, no matter if you've patched Windows.
          Grayson Peddie
          • It does not matter???

            Really! A feature, not a bug. Surely Windows cannot be that bad? Isn't there some way to turn it off? Is it enabled by default?
          • Their trick...

            ...is to use an image link that looks exactly like a default Windows XP dialog box.

            Since it's an image/link displayed in a browser window, every last pixel of that dialog will steer you to their "download". Cancel, OK, control buttons in upper corner, title bar, little triangle/exclamation point icon, text, etc., you may click on will produce the same effect.

            In these guys' case, it's malware city for clicking on their "link"...
          • So basically

            The picture is a link to their site.

            How is this a problem, unless you are using IE and they employ some kind of drive-by installation? In any other browser wouldn't you be asked before the site is allowed to download a file and run it?
          • Does not matter what web browser you use

            I work computer support at my university and Antivirus 2009 is the biggest problem we have when it comes to malware. I have run tests in virtual machines and found that in both IE and Firefox, if you click the link, it is able to install itself. The con artist who writes this malware is pretty clever in the exploits he/she uses.
          • Okay

            So he found a drive-by exploit that works for IE and Firefox? Still not a problem, since any sane Firefox user will have Adblock and NoScript, so the ad containing it won't even load to begin with.
          • Not really

            It can be that the whole thing is in fact just one big "OK" button.

            Also, what a button says and what it does really don't need to be the same thing.
            You can very easily have a "Cancel" button that really is an "OK" button.
            Even the close button of a window can be rigged to do something other than cleaning up and closing the application, like installing some malware in a background task.
      • Alt-F4

        Just use the Windows shortcut Alt-F4 to close the advert window. Don't use the mouse. They have all mouse events wired to basically click OK.
        • thanks for Alt-F4

          Thanks for telling us that. I wish I had known that before automatically trying to cancel it with the red X. Now, how to get rid of it?
        • It too can be usurped

          The safest way is to use the task manager and kill the process.

          The Alt-F4 shortcut calls the shutdown routine of the program running in the window.
          That routine normally does some housecleaning tasks before exiting.
          It can also do all sorts of other things. What if that "housecleaning" goes on to actually install some stuff?
        • Don't need Alt+F4

          Just use Firefox and set it not to allow javascript to disable window controls. "Problem" solved!
    • Antivirus 2009 complications

      I got bagged on a home machine that was running AVG. The popup has the AVG logo in the top left corner, and I thought it was AVG reacting to a virus. Mistake. This thing is so insidious, it's nearly impossible to get out once it's in there. I ended up getting virtumond and smitfraud before I pulled the 'net connection, and every combination of Spybot, Ad-Aware and AVG scans I throw at them are useless. They get cleaned out, you reboot and they're back, even WITHOUT an internet connection. It ended up wiping out some init files, and I couldn't get past the XP login screen (google "XP logon/logoff problem" and you'll see). I did a "repair" install of XP from the original discs, and the login problem was fixed, but I lost access to one of my RAID channels. This thing has grown into a full-blown disaster. If you see that screen popup, PULL THE PLUG. Crash your system, then start scanning to see if it stuck. I've been doing this stuff since 286s were around, and this is as bad as I've ever had to deal with.

      Good luck all.
    • Zdnet sponsored by antivirus 2009?

      on the previous screen, under sponsored links, there was a link to Antivirus 2009 - so even Zdnet is being sponsored by Antivirus 2009??????? I saved a screenshot, because I could not believe my eyes!!!! The link underneath the ad read "www-download24.com"
      • Silly

        It has nothing to do with ZDNet or any other website. It's being served up by the ad servers. If you use a decent browser like Firefox and block the ads you won't see it anymore.
  • RE: Fake Antivirus XP pops-up at Cleveland.com

    Removing this from a friend's PC, I spent considerable time until I found a download that did the job for free.

  • But but..

    If I only go to well known sites, I'm safe!!!

    • Ummm.... No.

      The way I go about surfing is I treat each and every site as having the potential to serve malware.
      The one and only, Cylon Centurion