MAD Monday

Posted by on Jan 23, 2012 in Mad Monday, Malvertising

Google is responsible for distributing an ad (link) which takes you to  These folks are offering a free download of the 7-zip tool (really available for free here). If you look around their site, you will find many other tools that are available for download. Of course, advertisers that feature on my Mad Mondays are distributing a little more than just freely available software.

W3i, LLC is responsible for the binary distributed from downlopedia. When you have downloaded it, you’ll notice that they have been clever enough not to raise too many alarms with the virus scanners (for what they are distributing simply isn’t there — yet). The Virus Total report for the first file downloaded is available here (only 2/43 virus scanners had a problem with this binary).

The trick, as always, is to install everything that the binary has for you (it will phone home when you double-click the executable) and then send that off to Virus Total. The report of what installed into the “Program Files” folder is then a little different from the first one; check it out here.

Notice that 28/43 virus scanners have a problem with this binary.

What’s happening to your machine when 28 virus scanners have a problem with what is on it? Who knows. In this particular instance, we do know that a host of addons has been installed into the browser. Much like the injectors that have featured in my previous Mad Mondays, these folks are exploiting the hard work of other entities by injecting advertisements directly into DOMs that don’t belong to them (for which they will be paid a sum of money for a click — sometimes just for the impression!).

One target of theirs that I stumbled upon this evening is In the top right-hand corner of the following image, note the ad that doesn’t belong there. If you can’t read the near-invisible tiny text above the ad that has been courteously included by the DOM injectors, it reads: “ads not by this site”.

In the real world, this is like me setting up a table outside of Best Buy and selling Xboxes. At the bottom of my table, in near-invisible tiny ink, it reads: “Xboxes not by this merchant”.

1 Comment

  1. yoshi
    January 24, 2012

    Demand more doodles on pictures! Demands are not met! Developers, Developers, Developers, Developers!