By Andrew Brandt
For a couple of weeks now, I’ve been noticing a curious (and increasingly prevalent) phenomenon: Some of the free Web hosts popular among those who engage in phishing are popping new types of multimedia ads over the tops of the pages they host. Not only does the victim, in this case, risk having their login credentials to banks or social media sites phished, but many of those ads behave almost identically to “missing codec” social engineering scams that have been popular among malware distributors for years.
The ads — and I use the term very loosely, because these contrivances fall well over the shady side of the ethical line for online advertisements — appear in banners or (in the multimedia-heavy version) glide down in front of the page the Web surfer happens to be browsing, annoyingly obscuring the page. In most cases, these “ads” take on the appearance of some sort of media player window that appears to be stuck in a “video loading” loop, but this is a ruse. There is no media player. The Flash animation is designed to look like one, with the goal to convince the viewer to click the fake video player window, which initiates the download of something called XvidSetup.exe from a server on the domain appbundler.net.
That domain, as well as appbundler.com and clickpotato.tv, appear to be owned by a company with a less than stellar online reputation called Pinball Corp. The executables are not malware, but they also don’t entirely do what they say they will, either. And while the programs also distribute an old, outdated version of the XviD codec (in addition to other sponsored apps, more about this below), they do so without the permission of the publisher of that software, and possibly in vi0lation of the GPL software license terms that XviD uses. A new term of art seems to be required to describe this type of advertising; I propose calling the ads scads, a concatenation of scam and ads. Scadware describes the fraudulent software more precisely than the prosaic Potentially Unwanted Application.
The deceptive way in which Pinball Corp’s ad convinces users to download and install the sponsored software certainly leaves a bad taste in my mouth. Read on for the details.
We’ve been seeing the bogus ads, and undesirable installers, of this type since late fall, 2010. The distribution method, with fake video pages, fooled me at first, and if you’re familar with this kind of fraud, it might fool you, too. I thought this was just the latest instance of Koobface at first glance.
One of the pages that led me into an AppBundler app looked like a YouTube page, only the site logo said TouTube, but the headline on the fake video constitutes social engineering at its most repugnant: “HORRIBLE! a young girl did SUICIDE in front of cam – Watched this video!“
What ad agency approves creative (again, I use the term loosely) that looks like this?
Another distribution appeared as a banner ad with just the words Download Now and Play Now atop a phishing page (hosted on facebookonlinegiriss.tr.gg) designed to look like the Turkish-localized Facebook homepage.
On the Facebook phishing page, the scad warned me (in a window labeled Onvertise) that “you are missing the plugin VLC to play videos.” VLC, if you’re not aware, is the name of a popular, free, open-source media player. There is no “plugin VLC” for anything.
If you click the Flash animation — no, it’s not a real video player — this is what you’re presented with:
They didn’t even try to match the name of their “plugin” and the name of this file.
In some other cases, including the fake YouTube page, the scad alerted me to download the XviD Codec. XviD is, in fact, an MPEG video codec plugin for media players. When I clicked the fake-video on the fake-YouTube page, it spawned another browser window on yet another domain called megaplayerhd.com, with yet another Flash animation disguised as a video player.
If you click that window, which is prominently labeled Download the XviD Codec and carries the XviD Video logo and service mark, once again, it downloads XviDSetup.exe from icr01.appbundler.net.
Of course, I wasn’t trying to watch a video at all, and I already had the VLC Player and XviD codec installed before seeing the scad, so the premise of this “warning” message is specious, at best.
One interesting characteristic of these installers is that they are all digitally signed by Pinball Corporation, but unlike more conventional signed files, there is no other information in the digital signature properties.
Another characteristic of this scadware installer is that the distributors are using server-side randomization when they deliver the files. This is a technique employed (until now) exclusively by distributors of malware and some publishers of commercial keylogger software. The technique exists solely for the purpose of defeating antimalware scanners. Every time you send a request to the server for an installer, the server ever-so-slightly modifies the installer and delivers a file that has a unique MD5 hash. Each time I downloaded the installer, I got a slightly different file, all with the same name.
But enough about the distribution method, because the installer itself is another piece of work: The installer (which calls itself the xvid Premium Setup Wizard) claims that you will only be required to “view” the “sponsor offer” — a well-known, proprietary media player — before it will let you install the XviD codec.
Apparently there’s some confusion as to what “view” means. I always thought it meant you got to look at the offer, decide if it meets your needs, and then install if you want. But that’s apparently not the kind of “view” these guys were talking about. In the samples we obtained last week, the installer immediately begins downloading and installing the sponsor’s media player. You just get to watch it all happen.
Once the sponsor’s app is fully installed, then the Appbundler pulls down the setup program for version 1.2.1 of the XviD Codec (from servers other than the ones XviD uses).
Technical and distribution issues aside, the act by Pinball of bundling XviD along with a commercial, closed-source program into a customized installer also may violate both the spirit and letter of the GPL license under which XviD is distributed. The license states (in part) that “This General Public License does not permit incorporating your program into proprietary programs.”
When I contacted XviD to ask them if they’re involved in the distribution of their software, the managing director of the organization, Michael Militzer, responded flatly, no. Militzer also said that, while he is aware of his software being distributed by Pinball Corp., he has never given permission for them to do so; He also added that his nonprofit would sue Pinball to stop the practice, but that because XviD doesn’t charge for its software, the organization has no income from which it could draw to pay for the high cost of a lawsuit.
Following the demise of firms like 180Solutions and Zango, which pioneered the broad use of highly deceptive advertising practices (and were heavily sanctioned by the FTC as a result), some online ad networks spent considerable effort to promote ethical behavior. Now it looks like the pendulum is swinging back towards less ethical practices. Pinball Corp owns some of the former-Zango properties. I hope I’m wrong, but I fear this is only the beginning.