Errata: In the original blog, credit was accidentally given to the incorrect person for providing us with the info that Exfol was using this exploit. Correct credit goes to Dan Hubbard/WebSense. And thanks, Gadi Evron.

Exfol/WebExt is a piece of adware that is often offered through popup ads at various sites.   This means they buy advertising through an advertising network (a “third party ad network”) which then places Exfol’s ads on various websites.

We originally saw mention of Exfol hoisting off this exploit on a private expert spyware discussion list, and knowing Exfol’s behaviour (we had been researching them earlier), we went to a site where we knew their popup ads were often placed.  Well, there was an Exfol pop spawning exploit. 

Ok, here is why this is bad.  You don’t have to go to a crack site or a porn site.  You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited.


I have a video taken by Sunbelt Researcher Patrick Jordan to show the point here. The exploit is not coming off of Wallpapers4u(dot)com. It’s coming from a popup generated by a third party ad network.

As an aside, we also were provided a link to a place where you can see how well Exfol is doing. Business looks good (note that this is not installs only using the WMF exploit, they are just general Exfol download stats):

Daily statistics

Date          Hits
12/29/2005    192,487
12/28/2005    322,857
12/27/2005    316,617
12/26/2005    277,103
12/25/2005    271,639
12/24/2005    292,915
12/23/2005    349,438
12/22/2005    696,507
12/21/2005    608,402
12/20/2005    503,861
12/19/2005    501,661
12/18/2005    112,855
12/17/2005    320,787
12/16/2005    445,630
12/15/2005    468,806
12/14/2005    531,140
12/13/2005    576,974
12/12/2005    530,167
12/11/2005    435,616
12/10/2005    454,213
12/9/2005     513,488
12/8/2005     404,149
12/7/2005     446,025
12/6/2005     497,170
12/5/2005     426,465
12/4/2005     378,563
12/3/2005     375,680
12/2/2005     353,507
12/1/2005     413,862
11/30/2005    370,949
11/29/2005    274,809
11/28/2005    183,754
11/27/2005    27,761
11/24/2005    20,849
11/23/2005    153,974

 

Alex Eckelberry
1/4 Update: The Wallpapers4u(dot)com site no longer appears to have this popup. But it does try to push you to install adware… Exfol has also disappeared…
