
Overnight we saw a number of adverts being displayed in Bing that were directing end-users to malicious content. These adverts were promoting all manner of downloads including Firefox, Skype and uTorrent.

Some of the search terms used:

“FireFox Download”
“Download Skype”
“Download Adobe Player”

As you can see, they’re not particularly complicated or unusual searches so you probably wouldn’t be jumping through hoops to reach these things.


Clicking the adverts takes end-users to sites such as river-park(dot)net, which do a pretty good job of convincing visitors that they are the real deal. Incidentally, you’ll notice that some of the ads display the “real” URL of the program mentioned but take you to a rogue site: the “Download uTorrent Free” advert above actually takes you to aciclistaciempozuelos(dot)es/torrent.


All of the malicious downloads are coming from en-softonic(dot)net, and here’s their open directory with various files waiting to be launched on unsuspecting end-users:


As an example, the fake Firefox file installs a rootkit, runs IE silently in the background to attempt click fraud, and also performs Google redirects. The current VirusTotal score for that one is 16/44, and we detect it as Win32.Malware!Drop. These adverts were also appearing in Yahoo search – we notified both Yahoo and Microsoft, and both companies are in the process of killing these things off.

It’s entirely possible these sites will show up somewhere else, so be careful when downloading programs and make sure you’re on the official site before grabbing anything. These are definitely not the kind of files you want on your system.

Christopher Boyd (Thanks to Matthew for finding this one).