Malvertising on KickAssTorrents ( , OpenX compromised to serve fake anti-virus "Security Sphere 2012"

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (, ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:

Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
Our users that are using the Avast anti-virus might have noticed that suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.

In another thread, KickAss Torrents said:

Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? This error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something in your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.

KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the thread it appears that Avast acknowledged that it was indeed a false positive and has addressed the issue:


It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.


Here we summarize characteristics worth noting:

1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents' OpenX platform.
3. Spreading fake antivirus "Security Sphere 2012" by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using JavaScript. The algorithm generates a different (but predictable) domain name every hour, in the format of, where ABCD are characters derived from a fixed seed and each incremented by one character every UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain: resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through a Russian registrar, 1'ST DOMAIN NAME SERVICE. At that time the domain resolved to a Netherlands IP. The domain started to resolve to on Aug 23rd. This IP and the domain are both currently still up and working.


KickAssTorrents serves its ads via its OpenX installation at This platform has been compromised and made to serve browser exploits. In our video, this URL: &section=1939940

was injected with malicious JavaScript. In the following code snippet, the highlighted sections are the injected part. Note that the injection isn't just a few added lines: the malicious code is merged with the original OpenX HTML code:

The following are the important parts of the decoded version:

From lines 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String("robo"), new String(".dynd" + "ns.tvmg7j".substr(0, 5)));
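As an added example (not code from this post or from the injected script), here is a defender-side reimplementation of the hourly rotation described in items 6 and 7 and in the spelled() call above, used to enumerate every hostname one seed can produce and to match resolver log lines against that set. It assumes the prefix "robo" and the suffix ".dyndns.tv" exactly as the injected call assembles them, takes the seed from an observed hostname because the post does not state the seed value, and uses constructed log lines.

```python
import re
from typing import List, Optional

# From the page: fixed prefix "robo"; suffix ".dynd" + "ns.tvmg7j".substr(0, 5) == ".dyndns.tv".
PREFIX = "robo"
SUFFIX = ".dyndns.tv"
HOST_RE = re.compile(r"\b(robo[a-z]{4}\.dyndns\.tv)\b")

def rotate(core: str, hours: int) -> str:
    """Advance each of the four seed letters one position per UTC hour, wrapping z -> a."""
    return "".join(chr((ord(c) - ord("a") + hours) % 26 + ord("a")) for c in core)

def core_of(host: str) -> Optional[str]:
    """The four rotating letters of a hostname, or None if it does not fit the pattern."""
    m = HOST_RE.fullmatch(host.lower())
    return m.group(1)[len(PREFIX):len(PREFIX) + 4] if m else None

def hours_between(earlier: str, later: str) -> Optional[int]:
    """Hours of rotation from one observed hostname to another; None unless all four
    letters moved by the same amount (otherwise they do not share a seed)."""
    a, b = core_of(earlier), core_of(later)
    if a is None or b is None:
        return None
    shifts = {(ord(y) - ord(x)) % 26 for x, y in zip(a, b)}
    return shifts.pop() if len(shifts) == 1 else None

def family_from_sample(sample_host: str) -> List[str]:
    """All 26 hostnames the rotation can ever produce for the seed behind `sample_host`."""
    core = core_of(sample_host)
    if core is None:
        raise ValueError(f"{sample_host} does not match the DGA pattern")
    return [PREFIX + rotate(core, h) + SUFFIX for h in range(26)]

def flag_dns_queries(log_lines: List[str], sample_host: str) -> List[str]:
    """Hostnames in resolver log lines that belong to the same family as `sample_host`."""
    family = set(family_from_sample(sample_host))
    return [h for line in log_lines for h in HOST_RE.findall(line.lower()) if h in family]

# Constructed resolver log lines (not from the page); robonenw and roborira are the two
# hostnames the comments mention, roboofox is the hour after robonenw, robotics is a decoy.
SAMPLE_LOG = [
    "2011-10-12T14:03:17Z client 10.0.0.7 query A robonenw.dyndns.tv",
    "2011-10-12T15:04:02Z client 10.0.0.9 query A roboofox.dyndns.tv",
    "2011-10-12T18:02:55Z client 10.0.0.7 query A roborira.dyndns.tv",
    "2011-10-12T18:10:00Z client 10.0.0.3 query A robotics.dyndns.tv",
]
```

Feeding the 26-name family into a DNS blocklist or sinkhole covers every hour of the cycle at once, and hours_between() reproduces the four-hour gap between robonenw and roborira noted in the comments.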

Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.

And finally, here's a screenshot of the installed fake antivirus Security Sphere 2012:


Jason D.Seimesi said...

The domain names are "". Two I've seen are "" and "".

Jason D.Seimesi said...

Sa said...

Well, I just got a denied access to from ESET NOD32 antivirus.

Poweruser75 said...

Same here from NOD32... this sucks... I love that site! I do hope they figure it out soon...

Poweruser75 said...

Does anyone know what's being done about this? Why is saying its site is safe?!?! Does anyone know when things will be back to normal?

Cesar R. said...

Thank you Wayne Huang for this clear and very informative video.

Fucku said...

Yup, it was about time before my NOD32 blocked this site. Hope they fix this problem ASAP.

bakaohki said...

Nice analysis, thanks. I too love Fiddler; it saved me countless hours of debugging.

Wayne Huang said...

Hi Jason, yes and so roborira should have been found four hours after robonenw: n->r, e->i, n->r, w->a ;)

Miggscrptr said...

ESET Smart Security 5 blocked this website. *-.-

FEB-ibig Zulla said...

Same here.


Dj^Kingreefa said...

All I did was add to NOD32 and apply, and that was it. Now works fine again.

vistasecurity 2012 virus said...

Just want to report a recent virus with KAT. I've been using KAT for years successfully, and love the site. BUT during the last week I've gotten hit with a nasty version of the virus that appears every time I log onto the site.


Kukic Sanel said...

Whenever I go to, my Malwarebytes says the site is malicious and it blocks it.
