Like it’s 2010, I guess. This is just a simple FakeAV being delivered via ads on sites like telegraph.co.uk and dailymotion.com. No exploit, just relying on the user to click yes to download it and then run it.
All activity I have seen appears to involve a few IP addresses and domains utilizing the .nl TLD.
As far as I can tell, this campaign appears to have become active around Jan 23rd 2014 and is currently ongoing.
1) Come from Google to a site that displays the advertisement
2) Advertisement loads, redirects you
3) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex] < Main page
4) http://wed322d2.windowsdefence-rv .nl/message.png (classic antivirus popup) < Scary image
5) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex]&key2=download < EXE

Post-Compromise Traffic:
http://18.104.22.168/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7=kyxnujmwnn
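As an added example (not from the original post), a small Python check that flags proxy log lines matching the two URL shapes described above: the `index.php?key=<32 hex chars>` landing/download requests and the check-in query whose parameter names are the consecutive integers 0..N. The log format, hostnames and sample lines are constructed for illustration; the match is on URL shape, not on the specific host.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (timestamp, client IP, URL); not real traffic.
# Hosts are placeholders; the detection below keys on path/query shape only.
SAMPLE_LOG = """\
2014-01-24T10:01:02Z 10.0.0.5 http://wed322d2.example.invalid/index.php?key=0123456789abcdef0123456789abcdef
2014-01-24T10:01:03Z 10.0.0.5 http://wed322d2.example.invalid/message.png
2014-01-24T10:01:09Z 10.0.0.5 http://wed322d2.example.invalid/index.php?key=0123456789abcdef0123456789abcdef&key2=download
2014-01-24T10:02:30Z 10.0.0.5 http://203.0.113.10/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7=kyxnujmwnn
2014-01-24T10:03:00Z 10.0.0.7 http://www.example.com/index.php?key=search
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def classify(url):
    """Return a label for URLs matching the observed campaign shapes, else None."""
    u = urlparse(url)
    q = parse_qs(u.query, keep_blank_values=True)
    # Landing page / download: index.php with a 32-hex 'key', optionally key2=download.
    if u.path.endswith("/index.php") and any(HEX32.match(v) for v in q.get("key", [])):
        return "fakeav-download" if q.get("key2") == ["download"] else "fakeav-landing"
    # Check-in: parameter names are exactly the integers 0..N (require at least 0..3).
    keys = list(q)
    if len(keys) >= 4 and all(k.isdigit() for k in keys) \
            and sorted(int(k) for k in keys) == list(range(len(keys))):
        return "fakeav-checkin"
    return None


def scan(log_text):
    """Return (client_ip, label, url) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, url = parts
        label = classify(url)
        if label:
            hits.append((client, label, url))
    return hits


if __name__ == "__main__":
    for client, label, url in scan(SAMPLE_LOG):
        print(client, label, url)
```

Running the block prints the three flagged requests from the constructed log; the unrelated `index.php?key=search` line and the image fetch are not flagged.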