X-Labs
March 25, 2011

Spotify application serves malicious ads

Patrik Runald

Today it was reported that Spotify, the popular streaming music service, displayed malicious ads to users of its Free version. The ads led to websites that used the Blackhole Exploit Kit to infect users with the Windows Recovery fake AV application. Our Advanced Classification Engine has full coverage for the Blackhole kit and protected users proactively. The first report we have of a malicious ad being displayed is from around 11:30 GMT on March 24.

Malvertising is nothing new; we've seen it affect large websites in the past, but this case is slightly different. In the past, the malicious ads were displayed as part of a website and viewed with the browser. In this case, the malicious ad is actually displayed inside the Spotify application, like in the picture below (note that the ad below is not malicious; it's just an example):

 

The application will render the ad code and run it as if it were run inside a browser. This means that the Blackhole Exploit Kit works perfectly fine, and it's enough for the ad just to be displayed to you in Spotify to get infected; you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected. Seems like free does come at a price after all. Spotify removed all third-party ads from the free version while they did their investigation, but the ads have now been turned back on again.

Once the ad was displayed, the computer would connect to hxxp://uev1.co.cc where the exploit kit tries several vulnerabilities to infect the user. The IP address where the malicious content is hosted is well-known to us and we have seen it host the same exploit kit on several other domains:

 

Again, it was enough for the ad just to be displayed in the Spotify application; the user didn't have to click on the ad or do anything else. One of the vulnerabilities the exploit kit uses is in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file to make the infected computer download the fake AV software. Here are the VirusTotal reports for the PDF and the fake AV file. Once the fake AV is launched, it connects to a number of domains to download additional content, including a rootkit that is a packed version of TDSS.

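The chain described above (ad markup rendered inside a desktop application, then a PDF fetched without any click) can be hunted for in proxy logs. The following is an added example, not code from the original post; the log columns, the `.example` hostnames, the allowlist and the process set are constructed assumptions.

```python
import csv
import io

# Constructed sample proxy log. Columns, hosts and the allowlist are assumptions.
SAMPLE_LOG = """process,host,content_type,referrer
chrome.exe,news.example,text/html,
spotify.exe,ads.adnetwork.example,text/html,
spotify.exe,landing.badhost.example,text/html,ads.adnetwork.example
spotify.exe,files.badhost.example,application/pdf,landing.badhost.example
spotify.exe,cdn.player.example,audio/ogg,
"""

EMBEDDED_RENDERERS = {"spotify.exe"}   # non-browser apps that render ad markup
EXPECTED_HOSTS = {"cdn.player.example", "ads.adnetwork.example"}
RISKY_TYPES = {"application/pdf", "application/x-msdownload",
               "application/octet-stream", "application/java-archive"}

def referrer_chain(row, first_by_host):
    """Walk referrers back so the alert shows which ad host started the chain."""
    chain, ref = [row["host"]], row["referrer"]
    while ref and ref not in chain:
        chain.append(ref)
        ref = first_by_host.get(ref, {}).get("referrer", "")
    return chain[::-1]

def detect(log_text):
    """Return alerts for embedded renderers reaching unexpected hosts or risky files."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if r["process"].lower() in EMBEDDED_RENDERERS]
    first_by_host = {}
    for r in rows:
        first_by_host.setdefault(r["host"], r)
    alerts = []
    for r in rows:
        reasons = []
        if r["host"] not in EXPECTED_HOSTS:
            reasons.append("unexpected-host")
        if r["content_type"].lower() in RISKY_TYPES:
            reasons.append("risky-content-type")
        if reasons:
            alerts.append({"host": r["host"], "reasons": reasons,
                           "chain": referrer_chain(r, first_by_host)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["reasons"], " -> ".join(alert["chain"]))
```

Requests from ordinary browsers are ignored by design, so this rule complements browser-focused detection rather than replacing it.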

 

Here's a screenshot of what the application looks like on the user's PC: 

 

One interesting thing is that we have only seen reports from infected users in the UK. This could mean that the attack only targets UK users or it's just that we haven't received reports from users anywhere else. If you are outside of the UK and have been affected by this, please send us a note using the comments feature below.

 

UPDATE: We got a tweet from our friends at Avast who report this breakdown of users who have seen the malicious ad: Sweden 59%, 40% UK and 1% for other countries. Thanks Avast, appreciate the info!

 

Thanks to Adam Hiscocks for providing information and samples to us.
