In early 2015, visitors to the adult website xHamster saw a huge increase in malware, according to a report on the Malwarebytes blog. Over the 25th and 26th of January 2015, they saw a 1500% increase in malware infections from xHamster.
Worse still, it’s still out there.
What happened? What can you do if you’re infected? And how can you protect yourself?
The Infection: Angler Exploit Kit
According to MalwareBytes, the homepage of xHamster linked to traffichaus.com, where an iframe hosted there served as the gateway to a malicious ad. That ad used a vulnerability in Adobe Flash Player to download a piece of malware called Bedep. The practice of injecting malicious adverts into a site like this is known as malvertising and can often go undetected. As a result, a lot of antivirus apps initially missed the infection in the iframe. According to IBTimes 57 apps missed the iframe, with only two detecting the malware download.
This infection is an example of an attack that uses an exploit kit (EK) — in this case one known as Angler. An EK looks for security vulnerabilities on your computer that can be used to infect you in the background without your knowledge. Angler is one of the more successful EKs by using a combination of complex techniques to avoid detection. It has also been widely adopted by cyber criminals for “pay-per-install” malware services as it undercuts the competition’s pricing.
Why bothering with an EK when you have CVE-2015-0311?Being used in standalone mode to spread Reveton on Adult Traffic pic.twitter.com/0a8JLzhOD7
— Kafeine (@kafeine) January 24, 2015
The Malware: Bedep
Once Angler EK has downloaded Bedep to your computer, the malware will connect to a Command & Control (C&C) server that will issue instructions. This could be to download additional malware to your computer, or to serve fraudulent ads.
Bedep initially managed to avoid detection by using Angler to load directly into memory and open a new Internet Explorer instance on a virtual desktop. This meant that it could hide by using legitimate Microsoft file properties. Fortunately most of the major antivirus providers have now updated their definitions to include the hard-to-spot Bedep.
With the ability to download additional malware to your computer, it could lead to your private information being stolen. Worse, the malware could disable your antivirus, or even modification of your system settings. An investigation by TrustWave found that Bedep might have even been used as a means of political propaganda by directing you to certain videos and political websites in order to increase view counts.
The Removal: Bedep Be-Gone
If you’ve been unfortunate enough to be infected with Bedep then you probably want to get rid of it as soon as possible. While it may initially just serve spam adverts, it can also be used to distribute other malware in the background. Would you be happy if your PC was collecting your private information, or was subverted to run as a zombie bot?
While Microsoft’s antivirus Windows Defender (Microsoft Security Essentials for Windows 7 and older) is known to detect and remove Bedep, it’s not considered the most robust antivirus. Luckily there are plenty of other options out there — both paid and free — that might suit you better.
If you aren’t looking for a full antivirus software then a great alternative is MalwareBytes anti-malware software. If you browse security forums and discussions on malware removal then MalwareBytes is often the first recommendation. It can scan for all types of malware and remove them automatically. It can also protect you from becoming infected in the first place by monitoring current exploits and blocking compromised connections.
The Defence: Protecting Yourself from Bedep
To protect yourself it’s best to avoid xHamster. Bedep isn’t the first time that the site has been compromised and it likely won’t be the last. Other popular adult sites like PornHub and RedTube have also been known to distribute malware.
Adobe’s Flash Player has one of the worst security reputations of any software in history. This is why many companies are phasing it out, and why Steve Jobs famously didn’t allow Flash on iOS devices. If you absolutely need to use Flash, protect yourself by making sure you have the latest version. While many online adverts instruct you to download the “latest update for Flash” you should only download from Adobe’s website.
The Angler Exploit Kit scans for bugs, or unpatched security flaws, to find the best way to distribute its payload. Angler is also known for being one of the first to incorporate Flash zero-day exploits. Making sure that your software is always up-to-date is one of the most effective means of protecting yourself.
Don’t Get Infected!
xHamster is one of the world’s most popular websites, with a current Alexa ranking of the 79th most visited site in the world. Adult sites are often seen as easy-targets for spreading malware as they often aren’t subjected to the same standards or precautions as other areas of the web.
Although xHamster was the most common site for Bedep infection, it wasn’t the only one. Any website can be vulnerable, especially where Flash is concerned. Hopefully threats like this will become less likely in the future as more websites pull support for Flash in favor of more secure methods.
For now though, the best way to stay protected is to stay away from suspicious websites, keep alert to unwelcome downloads, use an antivirus or other security software, and make sure everything is up-to-date.
Have you dealt with Bedep? How did you get rid of it? Do you know of any other apps that work to prevent or remove it? Share your thoughts below!