Pornhub is believed to have been the victim of a malware attack that tricked its users into downloading a virus named Kotver.
What did the Pornhub Malware Affect?
The Pornhub malware altered the Traffic Junky service, which serves advertising on the Pornhub website, so that it displayed the attackers' adverts and then presented users with a browser update request that was not genuine.
The Kotver malware was identified on the Pornhub website in October 2017 by a third party, who notified Traffic Junky and Pornhub; both then quickly removed the issue.
What did the Pornhub Kotver Malware do?
Once downloaded and installed from the Pornhub website onto a Windows-based machine, the Kotver application launched invisible browsing sessions that slowed the computer, covertly downloaded adverts to the computer and then automatically clicked them in order to generate advertising revenue for the attackers.
How Did the Pornhub Kotver Malware Infect a Computer?
Once successfully installed from the Pornhub website, the Kotver application alters the file named regsvr32.exe and then attempts to connect to a remote address from which it sources the adverts.
The Kotver application installed from Pornhub may also attempt to download additional software to the computer if it is not already installed, such as the Microsoft .NET runtime, Adobe Flash Player and Internet Explorer.
The Kotver program will then make alterations to the following Windows Registry keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\
- HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\
- HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\
- HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\
- HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\
- HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\
The Kotver malware will also detect whether the computer has PowerShell installed and, if not, will create a copy of itself within the following path:
- %UserProfile%\Application Data\[RANDOM FOLDER NAME]\
The following Internet Explorer registry keys are also affected:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\
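As an added defender-side example (not from the original article), the following Python script parses a Registry export of the autorun keys listed above and flags values that reference regsvr32.exe or a copy under the user's Application Data folder, the two artefacts the article associates with this malware. The sample export, its value names and paths are constructed for illustration.

```python
import re

# Autorun keys the article lists as altered by the malware.
WATCHED_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Indicators a defender would treat as suspicious in an autorun value:
# regsvr32.exe (the binary the article says is altered) and a file dropped
# under %UserProfile%\Application Data\<random folder>.
SUSPICIOUS = [
    re.compile(r"regsvr32(\.exe)?", re.IGNORECASE),
    re.compile(r"application data\\", re.IGNORECASE),
]

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\")
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_suspicious_autoruns(text):
    """Return (key, value_name, data) for watched keys whose data matches an indicator."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in WATCHED_KEYS:
            continue
        for name, data in values.items():
            if any(p.search(data) for p in SUSPICIOUS):
                hits.append((key, name, data))
    return hits

# Constructed sample export: one benign entry and two entries shaped like the
# persistence the article describes (value names and folder names are made up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"x7k2q"="C:\\Windows\\System32\\regsvr32.exe /s C:\\Users\\user\\Application Data\\q3m8d\\x7k2q.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"a91zz"="C:\\Users\\user\\Application Data\\q3m8d\\a91zz.exe"
'''

if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_EXPORT):
        print("suspicious autorun:", hit)
```

On a live host the same checks can be run against the output of `reg export` for each of the keys above.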
About Athena Forensics
For information on our digital forensic services, or if you require any advice or assistance, please contact a member of our team on 0330 123 4448 or via email at enquiries@athenaforensics.co.uk; further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our computer forensics experts are fully aware of the significance and importance of the information that they encounter. Our computer forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.