
Website observed serving 83 executable files, more than 50 percent malware

Researchers with Cyphort Labs observed a website distributing 83 Windows executable files – EXE and DLL binaries – with no user interaction.

The website is 49lou[dot]com, a high definition video sharing site that, according to Alexa on Friday afternoon, has a 13,709 global rank and a 1,446 rank in China. While nearly 90 percent of the site's visitors are in China, almost two percent are from the U.S.

Cyphort Labs observed the website infection just once, on April 16, Fengmin Gong, cofounder and chief strategy officer of Cyphort, said in a Friday email. Gong said that the website is no longer infected, but at the time it was distributing 83 executable files with zero interaction required from the user.

Of the 83 files, 79 were unique, and more than 50 percent were confirmed to be malware, adware, or potentially unwanted programs used for stealing data, click-fraud and more, Gong said. A Wednesday post indicates that only 37 of the 79 files were reported to VirusTotal at the time of discovery, and that 29 of the 37 were found to be malicious by at least one anti-virus engine.

The issue stems from an embedded “script src” tag on the main page of the website that would ultimately redirect visitors to a website serving an exploit for CVE-2014-6332, a Windows OLE Automation Array remote code execution vulnerability.
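A site owner or responder checking for this kind of injection would start by enumerating every `script src` on a page and flagging sources whose host is not one the site is known to use. The script below is an added illustration of that check, not code from the article or from Cyphort; the sample HTML, the site host, the allowlist and the placeholder attacker domain are all constructed for the example and are not the actual tag or redirect destination observed on 49lou[dot]com.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real site's markup). The third tag stands in for an
# injected loader pointing at an external host; the domain is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="/static/player.js"></script>
<script src="https://cdn.example-legit.invalid/jquery.min.js"></script>
<script src="http://redirector.example-attacker.invalid/x.js"></script>
</head><body>video index</body></html>"""

# Hypothetical site host and the hosts its pages are expected to load scripts from.
SITE_HOST = "www.example-site.invalid"
ALLOWED_HOSTS = {SITE_HOST, "cdn.example-legit.invalid"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def script_sources_with_hosts(html, site_host):
    """Return (src, host) pairs; relative and same-origin paths resolve to the site host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    result = []
    for src in parser.sources:
        parsed = urlparse(src)
        # urlparse handles absolute and protocol-relative ("//host/x.js") forms;
        # an empty netloc means the script is served by the site itself.
        host = parsed.netloc.lower() or site_host
        result.append((src, host))
    return result


def unexpected_script_sources(html, site_host, allowed_hosts):
    """Script sources loaded from hosts outside the allowlist: candidates for injection."""
    return [src for src, host in script_sources_with_hosts(html, site_host)
            if host not in allowed_hosts]


if __name__ == "__main__":
    for src in unexpected_script_sources(SAMPLE_HTML, SITE_HOST, ALLOWED_HOSTS):
        print("unexpected script source:", src)
```

Run against a saved copy of the page, the check reports the single external loader while leaving the site's own path and its known CDN alone; an unfamiliar host in that output is the cue to pull the referenced script and follow the redirect chain from an isolated analysis machine.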

“We do not know exactly how the site was infected,” Gong said. “Our suspicion is it could have been a vulnerability in [the] web server engine or [an] infection of the administrator machine.”
