Malvertising on KickAssTorrents ( , OpenX compromised to serve fake anti-virus "Security Sphere 2012"

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (, ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:

Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
Our users that are using the Avast anti-virus might have noticed that suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.

In another thread, KickAss Torrents said:

Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.

KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:


It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.


Here we summarize characteristics worth noting:

1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents' OpenX platform.
3. Spreading fake antivirus "Security Sphere 2012" by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using Javascript. The algorithm used generates a (predicable) different domain name every hour, in the format of, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain: resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through an Russian registrar, 1'ST DOMAIN NAME SERVICE At this time the domain resolved to an Netherlands IP The domain started to resolve to on Aug 23rd. This IP and the domain are both currently still up and working.


KickAssTorrents serves its ads via its OpenX installation at This platform has been compromised and made to serve browser exploits. In our video, this URL:§ion=1939940

was injected with malicious javascript. In the following code snippet, the highlighted sections are the injected part. Note the code isn't just a few lines of "injection"--the code is merged with the original OpenX html code:

The following is the important parts of the decoded version:

From line 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String("robo"), new String(".dynd" + "ns.tvmg7j".substr(0, 5)));

Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.

And finally, here's a screenshot of the installed fake antivirus Security Sphere 2012:

Read more (rest of article)...