Limelight Networks serving up Malware

Landing on the following bogus "Security Center" page, the visitor is presented with (typical) bogus scare tactics, etc.

Clicking any link on that page, the visitor is redirected (several times) and then lands on this prompt ...

What's interesting is the players involved (WinFixer related) in this scam ...

"SecurityOnPage" is paid a commission to set up the page (supplied by WinFixer) which redirects to "kukkakreck(dot)com" and if you Google that site you'll find thousands of people complaining about being hijacked.

Next is the redirect via "b2adz(dot)com" ... so who is that? Well, it resides on the same IP address (190.15.73.254) as many of the other sites that are directly involved with the latest rash of Malware served up via infected ads on quite a few mainstream sites. Sandi Hardmeier's (Microsoft MVP) blog has documented quite a history of this ...

Next we land on the "storageprotector(dot)com" page; however, the actual download is from "bsa.safetydownload(dot)com" (69.28.159.249). Now here's where it gets interesting ...

69.28.159.249  download.cdn.winsoftware.com
69.28.159.249  bsa.safetydownload.com
69.28.159.249  software.protectdownloads.com
69.28.159.249  content.onerateld.com
69.28.159.249  cdn.drivecleaner.com

The above are all aliases for "setuphost.vo.llnwd.net" and that IP block is assigned to Limelight Networks ... so why is Limelight hosting malware files for the WinFixer Group and its clones? And this is nothing new ... if you Google any of the above you'll find thousands and thousands of references to the WinFixer Group and their shady tactics.
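
The aliasing described above can be checked from captured DNS answers. This Python code is an added example, not part of the original post: it follows CNAME chains and groups aliases by the canonical name and address they end at. The record layout and TTLs are constructed; the hostnames and IP are the ones listed above.

```python
from collections import defaultdict

# Constructed sample in dig-style answer format. Hostnames, alias target and
# IP are those named in the post; the TTL values are made up.
SAMPLE_ANSWERS = """\
download.cdn.winsoftware.com.   300 IN CNAME setuphost.vo.llnwd.net.
bsa.safetydownload.com.         300 IN CNAME setuphost.vo.llnwd.net.
software.protectdownloads.com.  300 IN CNAME setuphost.vo.llnwd.net.
content.onerateld.com.          300 IN CNAME setuphost.vo.llnwd.net.
cdn.drivecleaner.com.           300 IN CNAME setuphost.vo.llnwd.net.
setuphost.vo.llnwd.net.         300 IN A     69.28.159.249
"""

def parse_answers(text):
    """Return (cname_map, a_map) from 'name ttl IN type value' lines."""
    cnames, addrs = {}, defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # skip blanks, comments and malformed lines
        name, rtype, value = parts[0].rstrip(".").lower(), parts[3], parts[4]
        if rtype == "CNAME":
            cnames[name] = value.rstrip(".").lower()
        elif rtype == "A":
            addrs[name].add(value)
    return cnames, addrs

def canonical(name, cnames, max_hops=8):
    """Follow the CNAME chain; stop on a loop or after max_hops."""
    seen = set()
    while name in cnames and name not in seen and len(seen) < max_hops:
        seen.add(name)
        name = cnames[name]
    return name

def cluster_by_origin(text):
    """Map (canonical name, sorted IPs) -> sorted aliases that resolve to it."""
    cnames, addrs = parse_answers(text)
    clusters = defaultdict(list)
    for alias in cnames:
        target = canonical(alias, cnames)
        clusters[(target, tuple(sorted(addrs.get(target, ()))))].append(alias)
    return {key: sorted(aliases) for key, aliases in clusters.items()}

if __name__ == "__main__":
    for (target, ips), aliases in cluster_by_origin(SAMPLE_ANSWERS).items():
        print(f"{target} {list(ips)} <- {len(aliases)} aliases")
        for alias in aliases:
            print("   ", alias)
```

A single cluster keyed on a CDN origin name, rather than on each branded download domain, is the signal here: blocking or reporting by canonical name covers aliases that have not been seen yet.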

Now back to "storageprotector" ... CA Antispyware just last week released the following:

"Installs without informed consent of the user. Runs immediately on installation and shows large number of errors and asks user to register to clean the purported errors. Violates PestPatrol ScoreCard V3.0 item 21 by giving false information to user with the objective of making the user to register by paying money."

McAfee SiteAdvisor states much the same ... now back to the download (setup_en.exe), which is detected as Downloader.Win32.WinFixer.ba; you can view the VirusTotal results here

Limelight Networks boasts of their (high profile) partners here ... but I fail to see any mention of the WinFixer Group. Perhaps by contacting these "partners" and informing them of the above ... I'm sure they would take a dim view of being associated with this type of activity ...

Published Wed, Dec 5 2007 4:54 by winhelp2002