Security experts at Webroot say they have been detecting malicious ads designed to lure users into installing privacy-invading Potentially Unwanted Applications (PUAs) on their systems. The most recent campaign consists of a successful brand-jacking of Mozilla’s Firefox browser, supposedly offered for free, while in reality the rogue download manager entices users into installing multiple rogue toolbars, most commonly known as InstallCore.
According to the blog post, the malicious download URL is hxxp://www.ez-download.com/mozilla-firefox, and antivirus scanners detect the Potentially Unwanted Application as Adware.InstallCore.86; Win32/InstallCore.BL; InstallCore (fs).
The rogue sample is digitally signed by ‘Secure Installer’ and, once executed, phones back to:
media.ez-download.com – 18.104.22.168
os.downloadster2cdn.com – 22.214.171.124
cdn.secureinstaller.com – 126.96.36.199
img.downloadster2cdn.com – 188.8.131.52
They advise users to avoid interacting with ads enticing them into downloading any well-known software applications, and instead to visit the official Web sites for such packages in order to obtain the latest versions and avoid potential traps.
To see all the URLs and IP addresses connected to these malicious programs, visit the Webroot Threat Blog.