I left Charles (web proxy debugger) running and waited for the re-direct again. I found the site that is originating the request to sponsor.adverstitial.com, it is ad.cpmaxads.com.
A request to that site goes out, then it brings back a lot of shady looking javascript/HTML mix with this in the middle:
{var v=Math.floor((Math.random()*100000));setTimeout(function(){try{window.top.location.href="http://sponsor.adverstitial.com/view/advertisement?loc="+v+"&adv="+p+"&camp="+o+"&w="+t+"&h="+B+"&rnd=4878995824626992114"}catch(d){}},2000)}}
The request to ad.cpmaxads.com from the web page was:
GET /audience/campaign?adid=2832800&cpid=657304&w=728&h=90&rn=1397433511&ct=http://clk.specificclick.net/click/v=5%3Bm=3%3Bl=12679%3Bc=657304%3Bb=2832800%3Bts=20140413195831%3Bui=9BHmMkGDmpd5VsqEQpYbPNeNVqvOhgeY_JYZTk4np7i31BriQpt2BAVz7vpcD5rKAI1kfLriLvqflWaNGuBRQA%3Bdct=
And the referring page was from Slashdot.org.
I'm pretty sure now this is specifically an advertisement that manages to force the whole page to load a new URL, as you can kind of make out from the Javascript - so at least it's not malware. I'm going to try setting a /etc/hosts entry as follows to block the origin of the offending Javascript:
0.0.0.0 sponsor.adverstitial.com
0.0.0.0 ad.cpmaxads.com
As it comes from advertising, this probably occurs for any other sites using that advertiser. If people are not comfortable editing /etc/hosts, you could also try installing an ad-blocker, and just blacklisting ad.cpmaxads.com if you didn't want the whole ad-block experience (I don't like how it slows things down and I do want to support sites I like with advertising revenue - as long as ads do not infuriate me be repaving the whole page...)
For those interested in the whole HTML/javascript block that comes back from ad.cpmaxads.com, it is:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta http-equiv="expires" content="0"><meta http-equiv="Pragma" content="no-cache"><meta http-equiv="cache-control" content="no-cache">
</head>
<body>
<div id="adarea" style="position:absolute; top:0px; left:0px; width:300px; height:250px;">
<!-- default -->
<!-- end default -->
</div>
<img src="http://s.viewalytics.com/t/e?p=52&t=7&ev=1&asrc=0&site=0&rnd=0" width=1 height=1 border=0 style="position:absolute; top:-4px;">
<script type="text/javascript">
function getParameterByName_fromURL(b,f){try{b=b.replace(/[\[]/,"\\[").replace(/[\]]/,"\\]");var a="[\\?&]"+b+"=([^&#]*)";var d=new RegExp(a);var c=d.exec(f);if(c==null){return""}else{return decodeURIComponent(c[1].replace(/\+/g," "))}}catch(g){return""}}var placement_oo="1";var placement_lo="1";(function(){function H(f,w){try{f=f.replace(/[\[]/,"\\[").replace(/[\]]/,"\\]");var d="[\\?&]"+f+"=([^&#]*)";var r=new RegExp(d);var h=r.exec(w);if(h==null){return""}else{return decodeURIComponent(h[1].replace(/\+/g," "))}}catch(J){return""}}function C(e,d){var f=document.getElementById("adarea");if(f){if((e==728)&(d==90)){f.style.width="728px";f.style.height="90px";f.innerHTML='<iframe width=728 height=90 border="0" frameborder="0" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" hspace="0" vspace="0" scrolling="NO" src="http://ad.cpmaxads.com/audience/default/default_728_90.html"></iframe>'}else{if((e==300)&(d==250)){f.style.width="300px";f.style.height="250px";f.innerHTML='<iframe width=300 height=250 border="0" frameborder="0" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" hspace="0" vspace="0" scrolling="NO" src="http://ad.cpmaxads.com/audience/default/default_300_250.html"></iframe>'}else{if((e==120)&(d==600)){f.style.width="120px";f.style.height="600px";f.innerHTML='<a href="http://www.stjude.org/moments?sc_cid=bnn103"><img src="http://ad.cpmaxads.com/audience/default/psa/120x600.gif" width="120" height="600" border="0"></a>'}else{if((e==160)&(d==600)){f.style.width="160px";f.style.height="600px";f.innerHTML='<iframe width=160 height=600 border="0" frameborder="0" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" hspace="0" vspace="0" scrolling="NO" src="http://ad.cpmaxads.com/audience/default/default_160_600.html"></iframe>'}else{f.style.width="300px";f.style.height="250px";f.innerHTML='<a href="http://www.stjude.org/moments?sc_cid=bnn102"><img src="http://ad.cpmaxads.com/audience/default/psa/300x250.gif" width="300" height="250" border="0"></a>'}}}}}}var p;var o;var t;var B;var l;try{p=H("adid",window.location.href)}catch(D){p=0}try{o=H("cpid",window.location.href)}catch(D){o=0}try{t=H("w",window.location.href)}catch(D){t=0}try{B=H("h",window.location.href)}catch(D){B=0}try{l=H("ct",window.location.href)}catch(D){l=""}C(t,B);function i(r,K,h){var J=new Array();J[0]="0";J[1]="0";J[2]="0";try{var d=r.indexOf(" ",K+h);if(d==-1){d=r.length}var f=r.substring(K+h,d);if(f.indexOf(".")>0){J=f.split(".");if(!J[0]){J[0]="0"}if(!J[1]){J[1]="0"}if(!J[2]){J[2]="0"}}}catch(w){}return J}var G=false;var b=0;var k=0;var c;try{c=navigator.userAgent;if(!c){c="unknown"}c=c.toLowerCase();if(c.indexOf("msie")>0){b=1}else{if(c.indexOf("chrome/")>0){b=2;G=true}else{if(c.indexOf("safari/")>0){b=3;G=true}else{if(c.indexOf("firefox/")>0){b=4;G=true}else{if(c.indexOf("trident/")>0){b=7;G=true}}}}}if(c.indexOf("windows")>0){k=1}else{if(c.indexOf("macintosh")>0){k=2}}}catch(D){}var s=0;try{if(b==1){var q=i(c,c.indexOf("msie"),5);s=Number(q[0]);if((s==8)||(s==9)||(s==10)){G=true}}}catch(D){}function j(){var f;try{if(typeof document.hidden!=="undefined"){f="hidden"}else{if(typeof document.mozHidden!=="undefined"){f="mozHidden"}else{if(typeof document.msHidden!=="undefined"){f="msHidden"}else{if(typeof document.webkitHidden!=="undefined"){f="webkitHidden"}}}}}catch(r){}var e=0;if(f){try{if(typeof document.addEventListener!="undefined"&&typeof f!="undefined"){if(document[f]){e=2}else{e=1}}}catch(h){e=0}}return e}var u="true";var a=j();if(!a){a=0}var m=false;try{var n=document.location.href;var g=document.referrer;if((n.indexOf("delta")>0)&&(n.indexOf(u)>0)){m=true}if((n.indexOf("11526")>0)||(n.indexOf("42823")>0)){m=true}if((g.indexOf("delta")>0)&&(g.indexOf(u)>0)){m=true}if((g.indexOf("11526")>0)||(g.indexOf("42823")>0)){m=true}}catch(E){}if((p>0)&&(o>0)&&(G==true)&&(a!=2)&&(k>0)){if(((t==728)&(B==90))||((t==300)&(B==250))||((t==120)&(B==600))||((t==160)&(B==600))){try{if((window.location.protocol=="http:")&&(m==false)){var v=Math.floor((Math.random()*100000));setTimeout(function(){try{window.top.location.href="http://sponsor.adverstitial.com/view/advertisement?loc="+v+"&adv="+p+"&camp="+o+"&w="+t+"&h="+B+"&rnd=4878995824626992114"}catch(d){}},2000)}}catch(E){}}else{}}else{var y=t;var x=B;if((a==2)&&(placement_oo=="1")){var I="http://ad.cpmaxads.com/audience/default/psa/default.swf?width="+y+"&height="+x+"&rn="+Math.round(Math.random()*100000000);var z=navigator.userAgent.toLowerCase();var A="";if((z)&&(z.indexOf("msie")<0)){A='<object style="position:absolute; top:0px; left:0px; display:block; line-height:0px; margin:0; padding:0;" id="defaulted_banner" name="defaulted_banner" type="application/x-shockwave-flash" data="'+I+'" width="1" height="1"><param name="movie" value="'+I+'"/><param name="quality" value="low"/><param name="bgcolor" value="#808080"/><param name="play" value="true"/><param name="loop" value="false"/><param name="wmode" value="window" /><param name="allowScriptAccess" value="always" /><param name="hasPriority" value="true"/></object>'}else{if(z){A='<object style="position:absolute; top:0px; left:0px; display:block; line-height:0px; margin:0; padding:0;" id="defaulted_banner" name="defaulted_banner" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1"><param name="movie" value="'+I+'"/><param name="quality" value="low"/><param name="bgcolor" value="#808080"/><param name="play" value="true"/><param name="loop" value="false"/><param name="wmode" value="window" /><param name="allowScriptAccess" value="always" /><param name="hasPriority" value="true"/></object>'}}if(A){var F=document.createElement("div");F.style.position="absolute";F.style.top="4px";F.style.left="4px";F.style.margin="0";F.style.padding="0";F.style.zIndex=2147483647;F.innerHTML=A;try{document.body.appendChild(F)}catch(E){}}}}})();
</script>
</body>
</html>
Best Answer
I'm the developer of DetectX.
A few facts about my app pertinent to your question:
i. DetectX does not ask for admin rights either to install or run.
ii. DetectX does not install any 'helper' apps or contain any other binaries save for i. it's own macOS binary and ii. the Sparkle updater binary.
iii. DetectX cannot delete anything save for the things shown in the Search panel. The user has to authorise any deletion by first pressing the 'Trash All' button, and if the offending item requires admin privs, by further providing authorisation to either the Finder or osascript. This happens on a per-file basis - i.e., the user has to authorise each file individually. DetectX cannot do mass deletions of files outside of user space.
iv. DetectX itself never asks for or sees your admin password. Any requests made for permissions is done via osascript or the Finder, and they deal with the password request and carry out the requested task.
i., ii., iii. and iv. were all deliberate design choices to make DetectX as safe as possible. Unlike some other security tools, DetectX itself cannot be hijacked to take over the user's system as it does not have - nor can it acquire - any root privileges.
A word of warning about using Avast in particular with DetectX: last I checked, Avast flags DetectX as a threat. I believe this is due to the fact that Avast is not smart enough to recognise that DetectX contains search strings that look for adware, malware and other associated badware. Users can inspect these search strings themselves as most are in plain text in the Resources folder of the app's bundle. This is stated on the DetectX home page, and there is a link there to further info about problems with Avast. All other reputable AV software recognises DetectX as safe.
Please contact me through the website if you haver further questions about DetectX.