Errata:  In the original blog, credit was accidently given to the incorrect person for providing us with the info that Exfol was using this exploit.  Correct credit goes to Dan Hubbard/WebSense. And thanks, Gadi Evron.

Exfol/WebExt is a piece of adware that is often offered through popup ads at various sites.   This means they buy advertising through an advertising network (a “third party ad network”) which then places Exfol’s ads on various websites.

We originally saw mention of Exfol hoisting off this exploit on a private expert spyware discussion list, and knowing Exfol’s behaviour (we had been researching them earlier), we went to a site where we knew their popup ads were often placed.  Well, there was an Exfol pop spawning exploit. 

Ok, here is why this is bad.  You don’t have to go to a crack site or a porn site.  You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited.

Wallpapers4uexploitpage

I have a video taken by Sunbelt Researcher Patrick Jordan to show the point here.. The exploit is not coming off of Wallpapers4u(dot)com.  It’s coming from a popup generated by a third party ad network.

As an aside, we also were provided a link to a place where you can see how well Exfol is doing.  Busines looks good (note that this is not installs only using the WMF exploit, they are just general Exfol download stats):

Daily statistics 
Date Hits
12/29/2005 192,487
12/28/2005 322,857
12/27/2005 316,617
12/26/2005 277,103
12/25/2005 271,639
12/24/2005 292,915
12/23/2005 349,438
12/22/2005 696,507
12/21/2005 608,402
12/20/2005 503,861
12/19/2005 501,661
12/18/2005 112,855
12/17/2005 320,787
12/16/2005 445,630
12/15/2005 468,806
12/14/2005 531,140
12/13/2005 576,974
12/12/2005 530,167
12/11/2005 435,616
12/10/2005 454,213
12/9/2005 513,488
12/8/2005 404,149
12/7/2005 446,025
12/6/2005 497,170
12/5/2005 426,465
12/4/2005 378,563
12/3/2005 375,680
12/2/2005 353,507
12/1/2005 413,862
11/30/2005 370,949
11/29/2005 274,809
11/28/2005 183,754
11/27/2005 27,761
11/24/2005 20,849
11/23/2005 153,974

 

Alex Eckelberry
1/4 Update:  The Wallpapers4u(dot)com site no longer appears to have this popup.   But it does try to push you to install adware…  Exfol has also disappeared…