
CA Security Advisor Research Blog

Find out what our research team is saying about the latest security threats in the CA Security Advisor blog

Internet searches under attack: next in series

by Rossano Ferraris

Another interesting case I would like to bring to your attention is the effect of the so-called “fake-codec” trojans.

Here is what I figured out after searching the phrase “daily dawn” on the Google search engine.
The screenshot reflects a blogspot webpage from the search results:

There is a video displayed on the page. Out of curiosity, I click on the arrow button to watch it. After doing so, another window comes up stating that I need to install a new version of Video ActiveX Object software for the video to play correctly.

Then, after clicking on the continue button, a popup window comes up asking whether I want to save or run an executable file.

Before going on with this analysis I would like to encourage you to sharpen your observation skills. Take a look at the address bar of the first window that came up asking to install a new version of ActiveX, shown again below.

The web site hxxp://siski<DOT>cn is a very interesting link which is still active and whose IP address changes day by day. The content of this weblink is very small:

<html>
<head>
<title>play video</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body> <div align="center">
<iframe src="hxxp://mymetavids<DOT>com/l/error/id/3913230/" height="400" width="502" marginwidth="0" marginheight="0" scrolling="no" frameborder="0"></iframe>
</div>
</body>
</html>

This site contains an iframe (see http://en.wikipedia.org/wiki/IFrame for an explanation of iframes) which redirects the active browser to another website allegedly containing the Video ActiveX Object software. In actuality, the iframe redirects to a trojan file.
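As an added example (not code from the original post), here is a small Python heuristic that flags landing pages of the kind shown above: almost no visible text plus an iframe pointing at a different host than the page itself. The sample HTML is reconstructed from the post with its defanged URLs; the 40-character text threshold is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the siski.cn landing page quoted above, URLs left defanged.
SAMPLE_URL = "hxxp://siski<DOT>cn/"
SAMPLE_HTML = """<html><head><title>play video</title></head><body><div align="center">
<iframe src="hxxp://mymetavids<DOT>com/l/error/id/3913230/" height="400" width="502"
scrolling="no" frameborder="0"></iframe></div></body></html>"""


class _IframeScan(HTMLParser):
    # Collects iframe src values and counts visible text outside script/style.
    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.text_chars = 0
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def refang(url):
    # Undo the hxxp:// and <DOT> defanging used in the post.
    return url.replace("hxxp", "http").replace("<DOT>", ".")


def offsite_iframe_hosts(page_url, html, max_text=40):
    """Off-site iframe hosts, but only when the page is a near-empty shell."""
    scan = _IframeScan()
    scan.feed(html)
    if scan.text_chars > max_text:
        return []  # a real article embedding a player is not flagged
    page_host = urlparse(refang(page_url)).hostname
    hosts = []
    for src in scan.iframe_srcs:
        host = urlparse(refang(src)).hostname
        if host and host != page_host:
            hosts.append(host)
    return hosts
```

Running `offsite_iframe_hosts(SAMPLE_URL, SAMPLE_HTML)` returns `["mymetavids.com"]`, the host the iframe hands the browser to.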

 

Let’s see what happens when the video-codec trojan executes.

The installation starts with a EULA presentation which appears to the user to be something serious and legitimate:

Once installed, the end user is requested to restart the browser:
When I restart the browser, my network sniffing tool begins to track a lot of traffic being transmitted between my local machine and the domain creatonproject.com:

oggview32.dll is an interesting malicious file installed in my C:\Windows folder and operating as a Browser Helper Object. The file is caught during the transmission process, as shown in the screenshot:

The funny thing about this malicious DLL is that it pretends to be a file belonging to Kodak, getting the user to keep it on the system. In truth, the file description reveals it belongs to a certain nonexistent “Kodack” company and not the well-known Kodak!

The bottom line of the story is that the fake codec file we have installed is definitely malicious, dropping a BHO (Browser Helper Object) which in turn communicates with a third-party server without our permission and alters the settings of the browser.

CA Anti-Virus and CA Anti-Spyware products detect and remove the pests we have discussed above as Burgspill trojans.

The sad situation is that cybercriminals do not know any limits for their malicious actions. For example, they exploited the tragic news of the assassination of Benazir Bhutto to inject malicious code into Google search results for news about the event.

Some recommendations:

Since the problem is getting worse day by day, I suggest our readers take the following steps into consideration:

  • Be aware of the details of the search results from your search engine
  • Do not trust any video asking you to download a new version of ActiveX software if it comes from an unknown source. I suggest you navigate to the media player's website and download the codec you need. For example, if you use Windows Media Player you can go to http://www.microsoft.com/windows/windowsmedia/forpros/format/codecdownload.aspx
  • Always mind the instructions you are given: take a look at the address bar of your browser when you are asked to download something
  • Ensure that you have the latest updates for your anti-malware software; that way you are better protected against the latest powerful threats
  • Consider using a browser plugin that provides granular control over JavaScript: an example could be the use of the Firefox browser together with the NoScript extension

 


Comments

Paula said:

I wanted to comment that a client of mine received a Google Alert that seemed so legitimate I tried it on my machine (I'm now running several scans to avoid any malicious downloads). The Google Alert actually used the company name and its primary product and stated that a newspaper, the Worcester "something or other", had a video on their product. When clicking on the link, it prompted the download of the ActiveX as stated in this thread. I kept clicking 'no' that I didn't want to install, but the window to install the ActiveX kept popping up... while some heavy breathing and pornographic sounds were coming from the undisplayed (Thank goodness!!) video.

January 29, 2008 11:29 AM

Cathie Dunklee-Donnell said:

A client of mine had this same problem. The more we fight spyware, the more it takes surprising twists and turns. I think I got rid of the BHO "Helper".  I tell all my clients to use Firefox.

February 27, 2008 10:18 AM

Cathie Dunklee-Donnell said:

Thanks for this article.  I had a client with this same problem.  I tell all my clients to use Firefox.

February 27, 2008 10:21 AM


About Rossano Ferraris

Rossano Ferraris is located in Italy where he lives and works for the CA Anti-Spyware Research Team as a research engineer. He was one of the first employees of PestPatrol and has been working for CA since its acquisition.

 

At CA he has taken the worldwide responsibility for supporting the CA Anti-Spyware product family as a senior specialist engineer, where he has trained the CA Threat Support Team on spyware issues. His main interests include spyware research, phishing, exploits and potentially unwanted software falling within CA Anti-Spyware’s scope of detection.

 

Rossano is an active member of various well-known security forums and a member of the ISSA association. He is the author of many articles on security matters for Italian newspapers and magazines, and he is also the author of a book on the spyware phenomenon published in Italy. He holds a degree in Computer Science and is GREM certified.