Monthly Archives: February 2014

FakeAV is still alive…

Like it’s 2010, I guess. This is just a simple FakeAV being delivered via ads on sites like and . There is no exploit involved; it relies entirely on the user clicking yes to download the file and then running it.


All activity I have seen appears to come from a few IP addresses and domains utilizing the .nl TLD.,, and range highly utilized by Neutrino lately)

As far as I can tell, this campaign became active around Jan 23rd 2014 and is currently ongoing.


1) Come from Google to a site that displays the advertisement
2) Advertisement loads and redirects you
3) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex] < Main page
4) http://wed322d2.windowsdefence-rv .nl/message.png (classic antivirus popup) < Scary image
5) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex]&key2=download < EXE

Post-Compromise Traffic:

Cool splash screen
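The chain above is easy to spot in proxy logs because every stage sits on the same host and the landing and download requests differ only by the `key2=download` parameter. The following is an added example (not code from the original post) that classifies proxy-log URLs into the three server-side stages listed above and reports which clients actually reached the EXE download, since those are the machines that need triage rather than just a block rule. The host `wed322d2.windowsdefence-rv.nl` is the one from the post with its defanging space removed; the log lines and the `timestamp client method url` log format are constructed assumptions for illustration.

```python
"""Flag requests matching the FakeAV delivery chain in proxy logs.

Added example, not from the original post. Host and stage URLs come from
the post; the log format (ts client method url) and sample lines below are
constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Observed campaign host (post shows it defanged as "windowsdefence-rv .nl").
# The leading label (wed322d2) looks generated, so match on the parent domain.
SUSPECT_HOST = re.compile(r"(^|\.)windowsdefence-rv\.nl$", re.IGNORECASE)
# The landing/download key is a 32 character hex string per the post.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def classify_fakeav_request(url: str):
    """Return the chain stage a URL matches, or None if it does not match.

    Stages: 'landing' (index.php?key=<32 hex>), 'scare_image' (message.png),
    'payload_download' (index.php?key=<32 hex>&key2=download).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not SUSPECT_HOST.search(host):
        return None
    params = parse_qs(parts.query)
    key = params.get("key", [""])[0]
    if parts.path.endswith("/message.png"):
        return "scare_image"
    if parts.path.endswith("/index.php") and HEX32.match(key):
        if params.get("key2", [""])[0] == "download":
            return "payload_download"  # the user clicked yes and fetched the EXE
        return "landing"
    return None


def scan_log(lines):
    """Parse 'ts client method url' lines; return (client, stage, url) hits in order."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the scan
        _ts, client, _method, url = fields[:4]
        stage = classify_fakeav_request(url)
        if stage is not None:
            hits.append((client, stage, url))
    return hits


def clients_that_downloaded(hits):
    """Clients that reached the payload stage: candidates for host triage."""
    return sorted({client for client, stage, _ in hits if stage == "payload_download"})


# Constructed sample proxy lines (not real traffic). 10.0.0.5 runs the whole
# chain; 10.0.0.7 sees the popup but never downloads; 10.0.0.9 is benign.
KEY = "0123456789abcdef0123456789abcdef"
SAMPLE_LOG = [
    "2014-02-03T10:01:02Z 10.0.0.5 GET http://example.com/news",
    f"2014-02-03T10:01:03Z 10.0.0.5 GET http://wed322d2.windowsdefence-rv.nl/index.php?key={KEY}",
    "2014-02-03T10:01:04Z 10.0.0.5 GET http://wed322d2.windowsdefence-rv.nl/message.png",
    f"2014-02-03T10:01:20Z 10.0.0.5 GET http://wed322d2.windowsdefence-rv.nl/index.php?key={KEY}&key2=download",
    f"2014-02-03T10:05:00Z 10.0.0.7 GET http://wed322d2.windowsdefence-rv.nl/index.php?key={KEY}",
    "2014-02-03T10:05:01Z 10.0.0.7 GET http://wed322d2.windowsdefence-rv.nl/message.png",
    "2014-02-03T10:06:00Z 10.0.0.9 GET http://example.com/index.php?key=" + KEY,
    "garbage line",
]

if __name__ == "__main__":
    for client, stage, url in scan_log(SAMPLE_LOG):
        print(f"{client:10} {stage:17} {url}")
    print("download reached by:", clients_that_downloaded(SAMPLE_LOG and scan_log(SAMPLE_LOG)))
```

Matching on the parent domain rather than the full hostname is deliberate: the post notes several domains under the same TLD in use, and the leading label is the part most likely to rotate. A `landing` or `scare_image` hit alone means the user saw the popup; only `payload_download` means a file was actually fetched.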