How To Remove The Bedep Malware From XHamster

James Frew 29-04-2017

In early 2015, visitors to the adult website xHamster saw a huge increase in malware, according to a report on the Malwarebytes blog. Over the 25th and 26th of January 2015, they saw a 1500% increase in malware infections from xHamster.

Worse still, it’s still out there.

What happened? What can you do if you’re infected? And how can you protect yourself?

The Infection: Angler Exploit Kit

According to MalwareBytes, the homepage of xHamster linked to, where an iframe hosted there served as the gateway to a malicious ad. That ad used a vulnerability in Adobe Flash Player to download a piece of malware called Bedep. The practice of injecting malicious adverts into a site like this is known as malvertising What Is Malvertising and How Can You Prevent It? Malvertising is on the rise! Learn more about what is it, why it's dangerous, and how can you stay safe from this online threat. Read More and can often go undetected. As a result, a lot of antivirus apps initially missed the infection in the iframe. According to IBTimes 57 apps missed the iframe, with only two detecting the malware download.

This infection is an example of an attack that uses an exploit kit (EK) — in this case one known as Angler. An EK looks for security vulnerabilities on your computer that can be used to infect you in the background without your knowledge. Angler is one of the more successful EKs by using a combination of complex techniques to avoid detection. It has also been widely adopted by cyber criminals for “pay-per-install” malware services as it undercuts the competition’s pricing.

The Malware: Bedep

Once Angler EK has downloaded Bedep to your computer, the malware will connect to a Command & Control (C&C) server that will issue instructions. This could be to download additional malware to your computer, or to serve fraudulent ads.

How To Remove The Bedep Malware From XHamster BEDEP Trend Micro

Bedep initially managed to avoid detection by using Angler to load directly into memory and open a new Internet Explorer instance on a virtual desktop. This meant that it could hide by using legitimate Microsoft file properties. Fortunately most of the major antivirus providers have now updated their definitions to include the hard-to-spot Bedep.

With the ability to download additional malware to your computer, it could lead to your private information being stolen. Worse, the malware could disable your antivirus, or even modification of your system settings. An investigation by TrustWave found that Bedep might have even been used as a means of political propaganda by directing you to certain videos and political websites in order to increase view counts.

The Removal: Bedep Be-Gone

If you’ve been unfortunate enough to be infected with Bedep then you probably want to get rid of it as soon as possible. While it may initially just serve spam adverts, it can also be used to distribute other malware in the background. Would you be happy if your PC was collecting your private information, or was subverted to run as a zombie bot Is Your PC A Zombie? And What's a Zombie Computer, Anyway? [MakeUseOf Explains] Have you ever wondered where all of the Internet spam comes from? You probably receive hundreds of spam-filtered junk emails every day. Does that mean there are hundreds and thousands of people out there, sitting... Read More ?

While Microsoft’s antivirus Windows Defender (Microsoft Security Essentials for Windows 7 and older) is known to detect and remove Bedep, it’s not considered the most robust antivirus How Reliable Are Default Windows Security Apps? The first computer my family owned ran Windows 95. It had just arrived, and we purchased a computer with it so that we could have easy access to this new-fangled thing called “the Internet.” At... Read More . Luckily there are plenty of other options The Best Antivirus Software for Windows 10 Want to tighten security on your PC? Here are the best antivirus software options for Windows 10. Read More out there — both paid and free The 10 Best Free Antivirus Software No matter what computer you're using, you need antivirus protection. Here are the best free antivirus tools you can use. Read More — that might suit you better.

How To Remove The Bedep Malware From XHamster Malware Bytes Screenshot

If you aren’t looking for a full antivirus software then a great alternative is MalwareBytes anti-malware software. If you browse security forums Listen to the Experts: The 7 Best Security Forums Online If you need security advice, and you can't find the answers you need here at MakeUseOf, we recommend checking these leading online forums. Read More and discussions on malware removal then MalwareBytes is often the first recommendation. It can scan for all types of malware and remove them automatically. It can also protect you from becoming infected in the first place by monitoring current exploits and blocking compromised connections.

The Defence: Protecting Yourself from Bedep

To protect yourself it’s best to avoid xHamster. Bedep isn’t the first time that the site has been compromised and it likely won’t be the last. Other popular adult sites like PornHub and RedTube have also been known to distribute malware.

Adobe’s Flash Player has one of the worst security reputations of any software in history. This is why many companies are phasing it out, and why Steve Jobs famously didn’t allow Flash on iOS devices. If you absolutely need to use Flash, protect yourself by making sure you have the latest version. While many online adverts instruct you to download the “latest update for Flash” you should only download from Adobe’s website.

How To Remove The Bedep Malware From XHamster Trend Micro Malverstising
Image Credit: Trend Micro

The Angler Exploit Kit scans for bugs, or unpatched security flaws, to find the best way to distribute its payload. Angler is also known for being one of the first to incorporate Flash zero-day exploits What Is a Zero Day Vulnerability? [MakeUseOf Explains] Read More . Making sure that your software is always up-to-date is one of the most effective means of protecting yourself.

As Angler often targets websites by compromising ad networks, some advice suggests using ad-blockers as a layer of security. However, this only works as long as the attack comes from a compromised ad. If the attack uses other methods like JavaScript then ad-blockers are ineffective. You could liken it to closing the window but leaving the door open.

Don’t Get Infected!

xHamster is one of the world’s most popular websites, with a current Alexa ranking of the 79th most visited site in the world. Adult sites are often seen as easy-targets for spreading malware 5 Ways Visiting Adult Websites Is Bad for Your Security & Privacy While pornography is often discussed in the context of morality, there's a huge security-and-privacy angle that is often overlooked. If you know what to look out for, the safer you'll be. Read More as they often aren’t subjected to the same standards or precautions as other areas of the web.

Although xHamster was the most common site for Bedep infection, it wasn’t the only one. Any website can be vulnerable, especially where Flash is concerned. Hopefully threats like this will become less likely in the future as more websites pull support for Flash in favor of more secure methods.

For now though, the best way to stay protected is to stay away from suspicious websites, keep alert to unwelcome downloads Found a Suspicious File? Test It In A Virtual Machine! Don't run that suspicious file on your PC to check if it alerts your anti-virus software - instead, find out what it is capable of by running the file in a virtual machine. Read More , use an antivirus or other security software, and make sure everything is up-to-date How & Why You Need To Install That Security Patch Read More .

Have you dealt with Bedep? How did you get rid of it? Do you know of any other apps that work to prevent or remove it? Share your thoughts below!

Related topics: Adobe Flash, Anti-Malware.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. B. Chaste
    May 5, 2017 at 2:15 pm

    Why are you telling disgusting porn addicts to protect themselves? They would be better off protecting themselves by NOT USING PORN!

    • James Frew
      May 5, 2017 at 2:17 pm

      xHamster was one of the largest infection points for bedep - but it wasn't the only one. The article makes reference to the largest infection but its applicable to all bedep infections.

    • np
      May 6, 2017 at 1:55 am

      Why do you want to force your beliefs on others and interfere with their business? MakeuseOf, I hope you don't cave in and keep these useful articles coming.

      • James Frew
        May 6, 2017 at 3:24 pm

        Glad you find our articles helpful!

  2. Moby
    May 3, 2017 at 2:45 am

    The article would've been better appreciated if it gave me some relevant information like what OS & browsers were affected. If I'm running Firefox on Linux, could I have been affected? Is there a test to check if the system is infected?

    • James Frew
      May 3, 2017 at 9:03 am

      Bedep is a Windows exploit only, but can affect all browsers as it isn't using a browser vulnerability but one in Flash. That said, Chrome and Firefox both now block Flash content by default making this exploit less likely.

      There isn't a test specifically for bedep but making sure you have an up to date antivirus/malware tool and any OS/browser updates are installed then you are best protected.

  3. jimbobdooley
    November 23, 2015 at 6:24 am

    So far, it looks like Chrome is safe, so how much where you paid to say they where safe i wonder?

    99.9% of all viruses and trojans are downloaded through their unsafe app store (they have more problems then mozilla by a long way. never the less there are easy and secure way to prevent yourself from getting these trojans, and it does not involve downloading heavy software programs..which typically never work anyway
    ADBLOCK AND NO SCRIPT are you really, they are! what kind of dumb ass goes surfing the net without adblock anyway? Never had any problems on any site really, because i ensure the ads are completely blocked. Enable no script before you go surfing, then only unblock shit you don't want. I really don't see why it's that difficult.

    • Dann Albright
      November 23, 2015 at 1:40 pm

      This article was written almost a year ago (you can see the date of the article's publication near the top of the page), so it's quite possible that Bedep has spread to other browsers by now. Also, you seem awfully sure that 99.9% of viruses and trojans are downloaded through the Chrome app store, so I'm sure you'll be happy to provide evidence of that. Please share a link so we can all see the proof!

  4. TrafficHaus
    February 21, 2015 at 9:23 am

    Xhamster was not infected, it was attacked.
    As a top-rated ad network handling about 1.5 billion impressions every day, TrafficHaus takes internet security very seriously. We frequently catch advertisers attempting to post malware and part of our job is to keep it off our network or immediately remove it as soon as it’s discovered.

    Contrary to what your post insinuates, TrafficHaus and xHamster were targets of this attack – not participants. The intruder made it through 2 complex malware prevention system we have running thousands of times per hour, all day, and once we were alerted, we were able to eliminate the malware within a matter of hours, it was removed within 48 hours of the original article being released. It has been the only breach in more than a year.

    TrafficHaus was able to quantify that the breach affected a mere .018% of xHamster users and did not have the expansive effect that you anticipated in your blog. With the detection from MalwareBytes and fast action of TrafficHaus and xHamster, we were able to prevent a malware attack that could have affected millions.

    However, we wish malwarebytes could have brought this important malware intrusion to our attention in a more discreet manner, as it would have quickly, easily and appropriately been handled without attempting to harm the reputation of the affected parties involved.

    We continue to be vigilant in our protection of our customers and their users, with 2 concurrent detection systems, and vmware manual detections using 5 different security softwares. We are on the front lines protecting our sites and users daily.


    • Dann Albright
      February 21, 2015 at 7:43 pm

      I didn't mean to insinuate in any way that TrafficHaus was at fault here—all I wrote, and meant to say, was that xHamster linked to TrafficHaus, where malicious code had been housed. Because of how this sort of ad-embedded malware works, it needs an ad network to distribute it.

      I'm not sure why you feel that I implied that xHamster and TrafficHaus were participants in this distribution—I thought it was clear that xHamster, along with every other site that wants traffic, wouldn't be involved in distributing potentially reputation-destroying malware to thousands of visitors, and harming their source of income.

      I'm glad that you stopped to be comment, though—if you've been villainized elsewhere, we're always happy to provide a neutral forum for you to defend your actions. Again, I'm sorry if you felt like I insinuated that you were complicit in this attack; I was only trying to bring the facts of where the malware was coming from to light. I absolutely believe that you took swift action and that you got rid of the infection as fast as possible. And that's a good way to do business!

  5. SomeDude
    February 3, 2015 at 1:52 am

    Or, Just do not drop your IQ by 10000% by watching porn anyways

    • Dann Albright
      February 3, 2015 at 10:40 am

      While that's an option, I'm fairly certain that advice wouldn't be received very well. Especially when there are pretty easy solutions to the problem.

      Also, I'd think twice before making a connection between porn and IQ; Asia Carrera is reported to have an IQ of 156. [Broken URL Removed]

  6. dragonmouth
    February 2, 2015 at 2:09 pm

    If one insists on visiting xHamster and similar sites, a dedicated , throw-away PC would be of benefit. At regular intervals it would be restored with a basic system from a backup. Any malware would be overwritten and rendered ineffective.

    • Dann Albright
      February 2, 2015 at 2:20 pm

      If only that was a viable option! If everyone had a Chromebook that they formatted and restored once a week, I think we'd see a lot less problems with malvertising.

    • dragonmouth
      February 2, 2015 at 5:40 pm

      It is a viable option, or could be. Almost everyone who is of age to visit these sites has had at least one computer already. Instead of putting them out to the curb when tey get too slow for the latest games, repurpose them for visiting dodgy sites. No need to go out and buy a Chromebook.

    • Dann Albright
      February 3, 2015 at 10:37 am

      Yeah, I suppose using an old computer would work, if that computer was still running fast enough. By the time I upgrade to a new computer, there's not a whole lot of power left in the old one! That's actually a really good idea, though, having a second one for visiting potentially infected websites. Good call!

    • Uncle Mike
      May 5, 2017 at 9:28 pm

      I have been using Sandboxie for years now,and never have any issues with malware. Of course,I also immediately update my AV and Firefox to the latest versions.

      • James Frew
        May 8, 2017 at 11:27 am

        Great idea to use Sandboxie. Using a separate environment for trying out applications makes sure that your important data/computer doesn't get infected. Glad you keep all software up to date too!

  7. Mike
    February 1, 2015 at 3:10 pm

    How come I never read in these articles about protection afforded by sandboxing programs? Especially for zero day threats,sandboxing can give you an additional layer of protection.I am running Win7,with the free version of Avast!,and to top it off,Sandboxie. I can't recall the last time I had an infection,and I admit I've visited some pretty sketchy sites.

    • Dann Albright
      February 2, 2015 at 7:07 am

      To be honest, I didn't know about sandboxing programs. That's a great way to significantly reduce your vulnerability. If I remember correctly, Chrome does some sandboxing, which is why it's not vulnerable to Bedep. So using Sandboxie or another program like it seems like a very effective way to stay safe.

      Thanks for pointing this out!

  8. A41202813GMAIL
    February 1, 2015 at 6:06 am

    Before Being Infected:

    - Change Your Browser Settings For Plugins To Need Click To Play.

    After Being Infected:

    A - Start In Safe Mode,

    B - Delete/Disable Some Startup Programs ( If You Know All The Ones That Should Not Be There ),

    C - If Necessary, Do A System Restore To The Oldest Date Possible ( All Programs Installed Since Must Be Installed Again ).

    Happy Porn.

    • Dann Albright
      February 1, 2015 at 7:31 am

      Proper browser settings will help a lot, but malware distributors are getting better all the time. I hope that still works as a strategy in the future, but having an anti-virus program installed is a better fail-safe, I'd say.

      As for the instructions, that would probably work fine if you know exactly what to delete. Because I'm not on Windows, I can't take a look at what the startup programs list looks like. Have you tested this particular strategy with Bedep? Do you know that it works?

      Also, if you need to do a system restore and reinstall all of your programs, I'd say using anti-virus software is a much better way to go. No restore, no reinstalling. Much easier.

    • A41202813GMAIL
      February 1, 2015 at 1:43 pm

      What I Said Is A Generic Way To Deal With Some Malware, Not That One In Particular.

      Some AV Programs Are Just Plain Useless, Even When Theoretically Updated To The Latest Release.

      AV Programs Can Not Act Before The Threat Is Manifested ( Some Days To Be Updated And Some More Days For The Customers To Install Those Updates ) - So, There Is Always A Window For Infection, Even With The Best Ones.

      The System Restore Points Are Clones Of Your System Settings That Are Made Automatically 3 Or 4 Times A Week ( You Can Manually Make As Many As You Like, Too ) - Depending On The Most Recent Or Oldest Date Chosen You Only Have To Reinstall The Programs That Were Installed Since.

      I Had To Do What I Said Personally In The Last Few Weeks, And It Still Stands.

      Thank You For Responding.

    • Dann Albright
      February 2, 2015 at 7:05 am

      Ah, I see that—that makes more sense as a general strategy than one tailored to this case. Like I said, I'm not on a Windows machine, so I can't test that (hopefully someone else will stop by and say how effective or easy this strategy is).

      And you're right about anti-virus software; even the best ones could potentially have a window where your system is vulnerable. Fortunately, developers of these kinds of programs seem to be very committed to keeping them up-to-date and letting users know when they could be vulnerable. In general, I think they're doing a really good job.

      So a system restore point isn't a backup of your whole system? I'm not sure I totally understand what it is. What do you use to create them? Is that a Windows-only thing?

      Thanks for your insights!

    • A41202813GMAIL
      February 2, 2015 at 7:30 am

      I Only Know Windows.

      It Is A Copy Of The Register ( The Core System Configuration ) And Only Takes A Few Seconds.

      Reverting To A Previously Made Restore Point ( It Is A Truly Time Machine, Because You Can Jump Both Ways ), Implies The Reboot Of Your PC To Reinstall A Different System Configuration.


  9. Zhong
    February 1, 2015 at 6:00 am

    Kinda awkward discussing about porn sites. I assume that the malware could spread through all OSes, however it seems Windows users are easier to exploit. Linux users receive security updates for their Flash Player so they are most likely safe from this attack.

    • Dann Albright
      February 1, 2015 at 7:28 am

      As far as I know, Bedep is Windows-only. Different types of malware are targeted at different OSes, and I'm sure there are plenty out there that can infect multiple. But yes, security updates for Flash are crucial in preventing exploits like this.

      Thanks for reading!

  10. lilpimp
    January 31, 2015 at 9:17 pm

    I been jerking to XHamster for years on Windows 7, without any AV software. All you really need is uBlock (works on Chromium, Firefox, and Safari). If you using Adblock Plus uncheck "Allowing acceptable ads in Adblock Plus".

    • Dann Albright
      February 1, 2015 at 7:27 am

      Yes, an ad blocker can be a very effective way of keeping your from picking up malware through advertising. But because you can pick up malware in other ways that would get back ABP or uBlock, it's still a good idea to run AV software, especially because there are so many great free options.

  11. dragonmouth
    January 31, 2015 at 7:21 pm

    "If you’ve done those two things, you’re well on your way to being immune to Bedep. But if you want to make sure that you’re not going to get it, you can download the free version of Malwarebytes Anti-Exploit."
    Since Bedep is designed for Windows, another option is to switch to Linux. Bedep will have a hard infecting anything then.

    • Dann Albright
      February 1, 2015 at 7:26 am

      Or OS X. :-)

      But yes, because Bedep is a Windows virus, using any other operating system should keep you safe. Though I doubt many people will switch because of one virus, it definitely could be a consideration in the future.

      Thanks for pointing that out!

  12. Max
    January 31, 2015 at 6:18 pm

    I have to admit i've visited xhamster yesterday and on my phone so some ad pages did open(but didn't load since my phone is rooted and i'm using a blocking method based on the hosts file).
    Do you think that Bedep can affect Android too?The phone hasn't been acting strange since I went there.

    • Kannon Y
      January 31, 2015 at 7:28 pm

      I believe Bedep is using a Flash exploit. Android doesn't support Flash anymore, so it's likely that you are safe. Unfortunately, there's not a great selection of effective malware scanners available on the Android platform.

    • Kannon Y
      January 31, 2015 at 7:29 pm

      That was a really great and tasteful handling of this issue, Dann. Thanks for writing it!

      Advertisers are really an atrocious group of people. They're always doing something sketchy.

    • Dann Albright
      February 1, 2015 at 7:23 am

      Yep, I agree with Kannon here—because it's a flash exploit, you're probably fine. Running a quick virus scan is never a bad idea, though!

    • Dann Albright
      February 1, 2015 at 7:25 am

      Kannon, I totally agree—advertisers can be pretty infuriating. I hope someone comes up with a good solution for handling malvertising in the near future, because it seems like it's working really well at the moment. Obviously an anti-virus program makes a huge difference, but the fact that it's so necessary now is a bit irritating.

      Glad you liked the article. Thanks for commenting!

  13. likefunbutnot
    January 31, 2015 at 5:34 pm

    Adblock Plus with a reasonable selection of subscription lists massively reduces your chances of picking up a drive-by infection.

    • Dann Albright
      February 1, 2015 at 7:22 am

      That's true—if you're not worried about the ethical implications of running an ad blocker, that's a great way to go. It's one of the reasons that I use one most of the time; malvertising is becoming increasingly effective, blocking ads is a great first-line defense.

      Thanks for reading!

    • dragonmouth
      February 1, 2015 at 2:21 pm

      If the ubiquitous THEY do not worry about the "ethical implications" of malvertising, why should I worry about the "ethical implications" of an ad-blocker?

      When it comes to keeping my system secure, ethical implications be damned.

    • likefunbutnot
      February 1, 2015 at 3:24 pm

      @Dann Albright,

      There's no contract between myself and any web site that requires me to view advertisements. Content is made available on the internet. It is within my right to decide when or how much of that content I choose to view. I fundamentally reject the premise that ad blocking is unethical, but even if I did not, I still have a greater responsibility to the security of my and my clients' computers. Advertising on the internet as it is presently implemented is the bar-none greatest single vector for malware delivery and it should be treated for the pestilence that it is.

    • ReadandShare
      February 2, 2015 at 1:53 am

      I wonder... for those people who are ethically bothered about ad blocking... do they never fast forward the remote or take bathroom breaks during commercials?

    • Dann Albright
      February 2, 2015 at 6:57 am

      dragonmouth, you're certainly not alone in that feeling. My guess is that if malvertising gets to be more common, the usage of ad blockers will go up. It's obvious that a well-placed malicious ad can infect thousands of people, so it seems like a strategy that nefarious characters will continue to use . . . it'll be interesting to see how that changes opinions on whether ad blockers should be used (or doesn't). It could be a whole difference argument when there's not just minor annoyance involved, but security threats as well.

    • Dann Albright
      February 2, 2015 at 7:01 am

      likefunbutnot, you make a good point, much the same as dragonmouth in the preceding comment. If you don't feel any guilt for running an ad blocker—and clearly you don't—it's a great way to prevent these sorts of malware attacks (at least for now; no telling how they might become more advanced in the future). Even if you were to feel bad about not helping fund the websites you visit, it still might be worth it to use an ad blocker; it would very much depend on how a specific user values the different things in the discussion.

      Thanks for your comment!