Tag Archives: fake codec

Pinball Corp’s Appbundler Employs Malware-like Techniques

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

For a couple of weeks now, I’ve been noticing a curious (and increasingly prevalent) phenomenon: Some of the free Web hosts popular among those who engage in phishing are popping new types of multimedia ads over the tops of the pages they host. Not only does the victim, in this case, risk having their login credentials to banks or social media sites phished, but many of those ads behave almost identically to “missing codec” social engineering scams that have been popular among malware distributors for years.

The ads — and I use the term very loosely, because these contrivances fall well over the shady side of the ethical line for online advertisements — appear in banners or (in the multimedia-heavy version) glide down in front of the page the Web surfer happens to be browsing, annoyingly obscuring the page. In most cases, these “ads” take on the appearance of some sort of media player window that appears to be stuck in a “video loading” loop, but this is a ruse. There is no media player. The Flash animation is designed to look like one, with the goal to convince the viewer to click the fake video player window, which initiates the download of something called XvidSetup.exe from a server on the domain appbundler.net.

That domain, as well as appbundler.com and clickpotato.tv, appear to be owned by a company with a less than stellar online reputation called Pinball Corp. The executables are not malware, but they also don’t entirely do what they say they will, either. And while the programs also distribute an old, outdated version of the XviD codec (in addition to other sponsored apps, more about this below), they do so without the permission of the publisher of that software, and possibly in vi0lation of the  GPL software license terms that XviD uses. A new term of art seems to be required to describe this type of advertising; I propose calling the ads scads, a concatenation of scam and ads. Scadware describes the fraudulent software more precisely than the prosaic Potentially Unwanted Application.

The deceptive way in which Pinball Corp’s ad convinces users to download and install the sponsored software certainly leaves a bad taste in my mouth. Read on for the details.

Continue reading

Blog Comment Spam Points to Drive-By Site

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

I just want to take a moment to thank the malware author who posted a spam comment to the Webroot Threat Blog blog the other day. You guys make my job so easy.

The spam comment, which reads Hello. I the beginner. I wish to show to you,scandal story and links to a drive-by download site, is a tremendous help to our researchers, who are always on the lookout for new threats.

Of course, the malware distributor could have employed a more effective hook to convince someone to click a link than the one he used.

The link claims to point to a page hosted on the free Blogspot blog site to a nude video — not of Paris Hilton, Venus Williams, or Erin Andrews — but of…Diane Sawyer, the respected, award-winning anchor of ABC’s World News Tonight.

Diane Sawyer Nude” — seriously? News anchor porn? Whatever happened to malware authors touting nude photos of starlets as an enticement?
Continue reading

Chinese Phishers Get On the Fake Codec Bandwagon

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Malware distributors in China have started pushing the same kinds of fake codec scams on unsuspecting Chinese Web surfers that criminals elsewhere in the world have mastered.

I’m not sure how I feel about this. On the one hand, I feel sorry for the Chinese victims, most of whom are probably blissfully unaware of the dangers they now face on the Web. On the other, perhaps this will finally serve as a wake up call to Chinese authorities that they need to do something about homegrown Sino-cybercrime.

In the course of investigating some odd-looking URLs (including one which uses the name of every popular Chinese portal), I stumbled into a maze of Web sites that forcefully urge visitors to download and install software.

The scams start at Chinese porn sites — though, it must be noted, the photos on most of these sites are significantly less racy than what you’d find on your typical college coed’s MySpace page, even before Spring Break. The sites promote streamed video, but warn users that they must download and install a special “video on demand” player in order to watch the videos. Sound familiar?

In the course of a few hours, I pulled down and researched five distinct Trojaned software packages, all of which originated from a “click here to download the player” link on a Web page. At best, the programs attempt to convince users to pay 100 Yuan (about $15) for access to what the program promises is a vast library of TV shows and movies from China and the rest of the world.

At worst, the programs pull down dozens of keylogging Trojans, downloaders, and backdoors at the same time as they install benign Chinese video software, such as the popular (and completely free) QVOD player.
Continue reading