The ScanSafe Web Malware Scanning service has been blocking malicious code downloaded from an ad server hosted on an anonymous IP address allocated to a German ISP. Most of the infected sites appear to be “parked” sites: sites that have become inactive and are then used to host ads through a service from NameDrive. ScanSafe has detected infected ads on 126 sites, the majority of which have a .de or .nl top-level domain.
NameDrive offers a service whereby domain owners can park domains free of charge. NameDrive then places targeted advertising on the parked domains and allows the domain owner to earn money whenever visitors to the domains click on the ads. According to Alexa, ndparking.com, the site run by NameDrive, is in the top 200 websites in the world.
There is no evidence that NameDrive is knowingly serving up infected ads.
Since initial detection in early June, the threat has accounted for 10 percent of all ScanSafe virus blocks.
Delivering malware via an infected ad or compromised ad server is a tactic commonly used by cyber criminals. Many legitimate sites have unknowingly hosted infected ads.

The georgehotelcley.com website was once an active site. Links to the hotel site were found on other websites, including The Daily Telegraph. Once the hotel site's registration lapsed, the domain was parked using a service from NameDrive. Using this service, georgehotelcley.com now hosts ads for profit.
Since June, this site has been among many sites that hosted an infected ad. The ad contains JavaScript that opens a popup. The popup downloads a file, setup.exe, from www.smalltool.net. The setup program includes a disclaimer in German, installs an executable, cchost.exe, into program files/cchost, and updates the registry to start this executable on startup.
The overall behavior is similar to Trojan.Win32.Agent.aev, but the exact behavior is uncertain.
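The chain described above (parked site, ad, popup, download) can be traced in web proxy logs by following referers back from the download request. The following is an added example, not ScanSafe's detection logic: the log format, the client addresses, the `192.0.2.10` stand-in for the unnamed ad server and the `ad.html`/`popup.html` paths are constructed; only the download host, the file name and the parked domain come from the text.

```python
from urllib.parse import urlsplit

# Indicators taken from the article text.
DOWNLOAD_HOST = "www.smalltool.net"
DOWNLOAD_FILE = "setup.exe"

# Constructed sample proxy log: "time client url referer" ("-" = no referer).
# 192.0.2.10 is a documentation address standing in for the unnamed ad server.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 http://georgehotelcley.com/ -
10:00:02 10.1.1.5 http://192.0.2.10/ad.html http://georgehotelcley.com/
10:00:03 10.1.1.5 http://192.0.2.10/popup.html http://192.0.2.10/ad.html
10:00:04 10.1.1.5 http://www.smalltool.net/setup.exe http://192.0.2.10/popup.html
10:00:09 10.1.1.7 http://example.org/tools/setup.exe http://example.org/tools/
10:00:12 10.1.1.8 http://www.smalltool.net/setup.exe -
"""

def parse(line):
    ts, client, url, referer = line.split()
    return ts, client, url, None if referer == "-" else referer

def is_flagged_download(url):
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1].lower()
    return (parts.hostname or "").lower() == DOWNLOAD_HOST and name == DOWNLOAD_FILE

def find_download_chains(log_text):
    """Return one finding per flagged download, with the referer chain behind it."""
    seen = {}        # (client, url) -> referer of that client's latest request
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = parse(line)
        seen[(client, url)] = referer
        if not is_flagged_download(url):
            continue
        chain, visited = [url], {url}
        while referer and referer not in visited:   # stop on loops or log gaps
            chain.append(referer)
            visited.add(referer)
            referer = seen.get((client, referer))
        origin = urlsplit(chain[-1]).hostname if len(chain) > 1 else None
        findings.append({"time": ts, "client": client,
                         "origin_site": origin, "chain": chain[::-1]})
    return findings

if __name__ == "__main__":
    for f in find_download_chains(SAMPLE_LOG):
        print(f["time"], f["client"], f["origin_site"], " -> ".join(f["chain"]))
```

A finding with no origin site, like the third client in the sample, means the download was requested without a referer and the serving page has to be found another way, for example from the client's requests in the seconds before it.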