Xtube porn website spreads malware, after being compromised by hackers

The popular Xtube hardcore porn website, visited by approximately 25 million people every month, has been compromised by hackers and is spreading malware onto visiting computers.

According to a report from security firm Malwarebytes, the infection has not come through boobytrapped third-party adverts on the site, but instead through malicious hackers managing to dynamically inject a line of code onto the Xtube website.

Injected code

The code points to JavaScript on a third-party site that ultimately leads to the execution of the Neutrino Exploit Kit, activating an Adobe Flash exploit in unprotected computers to install malware via a drive-by-download.

Adobe Flash exploit

In short, you visit Xtube for some cheap thrills, and end up having your computer pwned by hackers.

Something has clearly gone badly wrong at Xtube, if hackers have been able to hijack their website's HTML code and abuse it in this way.
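For site owners, one way to spot this kind of injected third-party script reference is to compare the script and iframe sources in a served page against the hosts the site is expected to load from. The sketch below is an added example, not code from Malwarebytes or Xtube; the hostnames, sample HTML and allowlist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _SrcCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are not covered here
                self.sources.append((tag, src.strip()))

def host_allowed(host, allowed_hosts):
    """True if host equals an allowed host or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

def unexpected_sources(html, page_url, allowed_hosts):
    """Return (tag, absolute_url) for each source outside the allowlist."""
    collector = _SrcCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and // URLs
        host = urlsplit(absolute).hostname or ""  # data:/javascript: -> ""
        if not host_allowed(host, allowed_hosts):
            findings.append((tag, absolute))
    return findings

# Constructed sample page: two expected scripts, one injected reference.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/player.js"></script>
<script src="//cdn.video-site.example/lib.js"></script>
<script type="text/javascript" src="http://injected-host.example/a.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""
PAGE_URL = "http://www.video-site.example/"  # placeholder site
ALLOWED = {"video-site.example"}             # placeholder allowlist

if __name__ == "__main__":
    for tag, url in unexpected_sources(SAMPLE_HTML, PAGE_URL, ALLOWED):
        print(f"unexpected <{tag}> source: {url}")
```

Because the injection is described as dynamic, a check like this is more useful run repeatedly against freshly fetched copies of the page than as a one-off.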

Malwarebytes says it detects the malware the exploit attempts to run on vulnerable computers as Trojan.MSIL.ED.

As always, be sure to keep Adobe Flash - and other software - fully patched to reduce the chances of attackers successfully infecting your computer.

And remember, it's not just naughty websites like Xtube and RedTube that can infect your computer with malware.

It's also more family-friendly websites (like that belonging to celebrity chef Jamie Oliver) which might have fallen foul of hackers, and be silently installing malicious code onto your PC.

Stay safe out there.

For more details of the Xtube attack, check out the Malwarebytes blog post.


3 Responses

  1. Anonymous

    March 26, 2015 at 11:21 am #

    "Something has clearly gone badly wrong at Xtube, if hackers have been able to hijack their website's HTML code and abuse it in this way."

    From reading the Malwarebytes blog, Graham, the malware is served up by "dynamic, on-the-fly injection". There's not much that Xtube can do to prevent this apart from blocking the infringing ads, which, Malwarebytes go on to say, use "rotating domains". Essentially the malware is being injected into the cached version of the webpage as it's being downloaded to the user, i.e. no actual modification is being made to the online/server-side version of the site.

    Preventing such exploits would be near impossible with sites like Xtube because of how they render their videos: HTML5 / Flash.

    Users who haven't got their version of Flash patched should be protected by Microsoft's EMET if it has been properly configured. Malwarebytes note that users of their "Anti-Exploit [software] are protected from this threat."

    • Coyote in reply to Anonymous.

      March 26, 2015 at 1:49 pm #

      Well… to be fair, he did indeed point out that it is dynamic injection. But the bottom line is that they're vulnerable, and one could argue that that is what Graham is getting at. Up to interpretation of course, and how things are worded can change the meaning to different people, drastically, but in that case maybe it is semantics (and maybe not – even that is up to interpretation, I suppose).

  2. Coyote

    March 26, 2015 at 1:44 pm #

    Will check their website momentarily (or rather check the information on the trojan horse, hoping that they give an analysis with enough detail, to determine this) but in the meantime… do we know if this malware places them into a botnet? Not that I can do much about it, but it seems more and more, there are more surges in mail relay (and mail to never-existing email addresses at the domains being served) attempts… and that each has far more bots (presumably) involved….
