As noted in various places, a malware provider managed to trick various ad distribution networks such as doubleclick to distribute ads containing malware. The malware "HDD plus" pretends to detect hard disk errors on infected computers and suggests - in the same way that Fake AV programs do - that the victim upgrade to a pay package that can 'fix' the problems.

Unsurprisingly ThreatSTOP subscribers were protected by this as the ip addresses that the malware was being dropped from were either in our database before the attacks started or were added shortly afterwards. As far as I can tell the majority of the addresses were already blocked by a combination of the Spamhaus DROP list and the Malware Domain list with the others being added once the ip addresses were reported to Malware Domains or DShield.

This kind of attack highlights the advantages of ThreatSTOP's approach. By blocking the IP address of the malware server, ThreatSTOP enabled firewalls prevent computers behind them from being infected which they otherwise might well do so since the main sites visited were legitimate web addresses.