A very well known Brazilian comedy site, “Porta dos Fundos,” was recently hacked and is pushing malware (drive-by-download) via a malicious Flash executable, as you can see from our Sitecheck results:
If you do not want the joke to be on you, do not visit this site (portadosfundos) until it has been cleaned.
The infection starts with malicious javascript injected at the top of the code, which loads content from another compromised site, www.gpro.co.mz:
This forces the browser to load a fake and malicious “FlashPlayer” executable that looks like a legitimate updater:
According to our findings, the infection is aimed at Windows users running Internet Explorer. Also, the language of the fake yellow “Missing Plugin” alert bar at the top of the page is Brazillian, even for non-Brazillian IPs, which tells us that this is a targeted attack.
While the file is detected by a few Anti-Virus vendors already, not all of them are (especially the most popular AV engines):
Note that the malicious script is encoded JavaScript, which injects a link to the installer and refreshes the browser, redirecting to the malicious file as the URL. This results in an attempt to automatically download the file. You can see the final injection decoded by our own Denis Sinegubko here:
We’re performing further investigation and will update this blog post with new information if available.