Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Spotify application serves malicious ads

View all posts > 

Spotify application serves malicious ads

Posted: 25 Mar 2011 10:25 AM | Patrik Runald | 4 comment(s)

Today it was reported that Spotify, the popular streaming music service, displayed malicious ads to users of their Free version. The ads lead to websites that used the Blackhole Exploit Kit to infect users with the Windows Recovery fake AV application. Our Advanced Classification Engine has full coverage for the Blackhole kit and protected users proactively. The first report we have of a malicious ad being displayed is from around 11:30 GMT on March 24.


Malvertising is nothing new, we've seen it effect large websites in the past but this case is slightly different. In the past the malicious ads have been displayed as part of a website and viewed with the browser. In this case the malicious ad is actually displayed inside of the Spotify application, like in the picture below (note that the ad below is not malicious, it's just an example):



The application will render the ad code and run it as if it were run inside a browser. This means that the Blackhole Exploit Kit works perfectly fine and it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected. Seems like free does come at a price after all. Spotify removed all 3rd party ads in the free version while they did their investigation but the ads have now been turned back on again.


Once the ad was displayed, the computer would connect to hxxp://uev1.co.cc where the exploit kit tries several vulnerabilities to infect the user. The IP address where the malicious content is hosted is well-known to us and we have seen it host the same exploit kit on several other domains:



Again, it was enough for the ad to just be displayed in the Spotify application, the user didn't have to click on the ad or do anything else. One of the vulnerabilities the exploit kit uses is a vulnerability in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file to make the infected computer download the fake AV software. Here are the VirusTotal reports for the PDF and the fake AV file. Once the fake AV is launched it connects to the following domains to download additional content, including a rootkit which is a packed version of TDSS:


  • tuartma.in
  • rappour.in
  • findstiff.org
  • searchcruel.org
  • findclear.org
  • replity.in
  • searchgrubby.org
  • demivee.in
  • ripplig.in


Here's a screenshot of what the application looks like on the user's PC:



One interesting thing is that we have only seen reports from infected users in the UK. This could mean that the attack only targets UK users or it's just that we haven't received reports from users anywhere else. If you are outside of the UK and have been affected by this, please send us a note using the comments feature below.


UPDATE: We got a tweet from our friends at Avast who report this breakdown of users who have seen the malicious ad: Sweden 59%, 40% UK and 1% for other countries. Thanks Avast, appreciate the info!


Thanks to Adam Hiscocks for providing information and samples to us.


GARY RICHARDSON said on Tuesday, March 29, 2011 1:05 PM

Yesterday I had to remove this from this ol' ladies computer. Comodo Antivirus, Windows Defender nor a AVG Boot disk could remove same. Since said computer was running a copy of Windows VISTA that was on the computer when purchased we had no restore disk. Nor could we use the restore function on the computer due to this malware. As such we were forced to wipe the hard drive and purchase a copy of Windwos 7 from Wal Mart for $around $130.00 after taxes. As such I feel your Co. should reimburse me for same.  A check from you for $100.00 will suffice. please make said check out too GARY RICHARDSON and mail too 1029 Shady Lane  Westlake, Louisiana  70669  Thanking you for your time and assistance in this matter, I remain



by: Gary Wayne Richardson, Authorized Rep.

Martin Sweet said on Wednesday, March 30, 2011 2:56 AM

Whata bout those who had antivirus software in place and still got infected? My son is in this position and can't get rid of the virus - McAfee are being pretty useless helping even though their software was up-to-date and working.

Claire Harris said on Tuesday, April 5, 2011 12:10 AM

I also was infected, and had both Malwarebytes and Virgin security systems running at the time. Both did no good, and the virus was able to get in. I haven't completely managed to remove the virus, so would appreciate any info you can offer to get rid of this.

Robert Smith said on Wednesday, April 6, 2011 5:03 AM


here the enquirer asks about the threat blocked and is informed that it is just an over cautious antivirus and that she should allow it!

I couldn't even figure out how to alter this wrong answer!

Leave a Comment


Email address: (required)