Adult site Xtube compromised, serving exploits

Adult site Xtube compromised, serving exploits

Our systems have detected infections coming from popular adult site Xtube, ranked #780 in the US and with an estimated 25 million visits.

Unlike other attacks we have seen in recent times, this one does not use malicious ads (malvertising) to compromise users.

Instead, it injects a malicious snippet of code directly into Xtube itself (dynamic, on-the-fly injection) with rotating domains:

insertion2

The jsloggery.com domain serves as a redirector to an Exploit Kit landing page:

redir2

Here’s a list of redirectors we have observed so far:

hxxp://adstager.com/index.php hxxp://adversal2.com/index.php hxxp://adlivecity.com/index.php hxxp://jsloggery.com/

The final step is the Neutrino Exploit Kit which promptly fires a Flash exploit:

swf2
exploit

The payload is detected by Malwarebytes Anti-Malware as Trojan.MSIL.ED.

Here is a summary of the attack flow:

Fiddler2

Malwarebytes Anti-Exploit users are protected from this threat.

xtubeMBAE

We have warned the administrators at Xtube about this problem and will update the post as soon as we get more details.

ABOUT THE AUTHOR