[en] Malvertising on tube8.com leads to Trojan.Zbot

I already got it some days ago, but I didn't pay any attention.

Tube8.com is a large porn website – 130k at Alexa.com


The Exploit Kit :

engine.phn.doublepimp.com leads to dblpmp.com,
then it leads to dateroute.com ( – LeaseWeb – NL),
then leads to a TDS, clickstatonlinetreker.com/in.cgi?4 ( – LeaseWeb – NL),
which leads to appletreestore.com/ ( – LeaseWeb – NL),
and finally to the Exploit Kit – mixicams.com/discussing/soon-rarely_bodies_combinations.php ( – Creative-Telematics-Trade – CZ).
This time, it’s not a ransomware Fake Police but a Trojan.Zbot.
There has been more Zbot lately; there is also malvertising on Clicksor that leads to Zbot
(but Clicksor leading to malware is « normal »).
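
As an added example (not part of the original post), the redirect chain above can be rebuilt from web proxy logs by following Referer values backwards, flagging chains that cross several hosts and pass through a TDS-style /in.cgi?N URL. The log format, client address, timestamps, bare "/" paths and the min_hosts threshold are assumptions; the hosts are the ones listed in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log (assumed format: time, client, URL, Referer).
# Hosts come from the chain in the post; timestamps, client and "/" paths are made up.
SAMPLE_LOG = """\
09:01:00 10.0.0.5 http://www.tube8.com/ -
09:01:01 10.0.0.5 http://engine.phn.doublepimp.com/ http://www.tube8.com/
09:01:01 10.0.0.5 http://dblpmp.com/ http://engine.phn.doublepimp.com/
09:01:02 10.0.0.5 http://dateroute.com/ http://dblpmp.com/
09:01:02 10.0.0.5 http://clickstatonlinetreker.com/in.cgi?4 http://dateroute.com/
09:01:03 10.0.0.5 http://appletreestore.com/ http://clickstatonlinetreker.com/in.cgi?4
09:01:03 10.0.0.5 http://mixicams.com/discussing/soon-rarely_bodies_combinations.php http://appletreestore.com/
09:02:10 10.0.0.9 http://example.org/news http://example.org/
"""

TDS_RE = re.compile(r"/in\.cgi\?\d+$")  # TDS entry-point shape seen in the post

def chain_to(url, client, referer_of):
    """Walk Referer links backwards from url to the first page the client visited."""
    chain, seen = [url], {url}
    while True:
        ref = referer_of.get((client, chain[0]))
        if ref in (None, "-") or ref in seen:  # start of chain, or loop guard
            return chain
        chain.insert(0, ref)
        seen.add(ref)

def find_tds_chains(log, min_hosts=4):
    """Return (client, chain) for chains crossing >= min_hosts hosts via a TDS URL."""
    rows = [l.split() for l in log.splitlines() if len(l.split()) == 4]
    referer_of = {(c, u): r for _, c, u, r in rows}
    referers = {(c, r) for _, c, _, r in rows}
    hits = []
    for _, client, url, _ in rows:
        if (client, url) in referers:
            continue  # something was loaded from this URL, so it is not a last hop
        chain = chain_to(url, client, referer_of)
        hosts = {urlsplit(u).hostname for u in chain}
        if len(hosts) >= min_hosts and any(TDS_RE.search(u) for u in chain):
            hits.append((client, chain))
    return hits

if __name__ == "__main__":
    for client, chain in find_tds_chains(SAMPLE_LOG):
        print(client, " -> ".join(urlsplit(u).hostname for u in chain))
```

The first URL of each reported chain is the site that served the ad, which is the host to report to the ad network or block upstream.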



SHA256: 574180f75800d59d2bc57b3421944d668ee08e27ef0302f7264c85c60abc909a
File name: nature.exe
Detection ratio: 3 / 46
Analysis date: 2013-04-30 09:27:50 UTC (16 minutes ago)

Comodo UnclassifiedMalware 20130430
Kaspersky Trojan-Spy.Win32.Zbot.kyug 20130430
Kingsoft Win32.Troj.Zbot.ky.(kcloud) 20130422



The malvertising is probably present on the other websites of the PornHub Network.

For example, I also got it on extremetube.com (1000 at Alexa.com) or on spankwire.com (550 at Alexa.com).

EDIT 05/01/2013 : 150k / 240k day

Thanks to MalwareScene

Looks like it is fixed.

I got access to the TDS statistics.
100k / 200k uniques per day.
With around a 10% success rate, they probably reached 15k / 24k infected computers per day.

The malvertising on the PornHub Network began on 04/28.
It looks like they were previously on redtube.com, according to the referrer.

France and Germany are the main targets :

Statistics by browser :



The TDS is quite old; they targeted other countries in the past.

Japan and Poland :
Germany and Japan :
Poland and France :

