June 2007 Archives

Pornoplayer installed from fake Windows Codec


Modern spyware infects unsuspecting systems in several ways. The most common is still bundling malware into trojans so that the user has as little to do with the installation process as possible. Downloader-ADV is a very large family of Trojan downloaders designed to cripple a machine with adware, password crackers, spyware, and other malware. One instance of Downloader-ADV, innocently named loader.exe, drops a pornography media player under the guise of a perfectly legitimate Windows codec. Appropriately enough, the player is named Pornoplayer.

Once installed, loader.exe phones home to kozirodstwo.com. You may recognize this site from such infamous hits as PWS-Pinch and Agent-ECM. The user is then redirected to a pornography site called porn-party.net.

codec.png

This site pushes what appears to be a legitimate Microsoft codec on the user.

screenie.png

This is actually an installer for Pornoplayer!

pornoeula.png

Other files are installed alongside the Downloader-ADV/Pornoplayer combo. Research also points to pornstar-photos.com installing another part of the Trojan downloader, and to the user being redirected to rones.porn-host.org, a warehouse for pornography that installs ICOO products.

Over the weekend there was apparently an issue with the registration of Live ID accounts, which could allow nefarious characters to indulge in a spot of phishing. More here at CIO.com.

I'll be speaking on "The Internationalization of Spyware" at the upcoming ASC Conference in June. Agenda and speakers can be found here.

If you happened to open up certain profiles on Myspace these past few days, you'd have the misfortune of seeing the following appear in the middle of your screen:

http://blog.spywareguide.com/upload/2007/06/myspaceremove1-thumb.jpg

That's a vaguely scary thing to have appear on a Myspace profile, because you just know it's going to be clicked a ridiculous number of times. If the user downloads and runs the file, they'll see some of the following sights in Internet Explorer:

http://blog.spywareguide.com/upload/2007/06/myspaceremove2-thumb.jpg
http://blog.spywareguide.com/upload/2007/06/myspaceremove3-thumb.jpg

Of course, no hijack like this would be complete without some fake Taskbar warnings, right?

myspaceremove4.jpg

myspaceremove5.jpg

If you click on either the popups or the hijacked IE banner you're taken to a site called Antispysolutions.com:

http://blog.spywareguide.com/upload/2007/06/myspaceremove6-thumb.jpg

Time for a quick detour. Here's some coverage of one of the programs, Spy Away, from March of this year. Have a look at the fake "detection" in the detections box - note that it simply says "Sistray.exe". Apparently the application and/or site vanished for a while. Fast forward to the present day: if you download and run the executable, you'll see a very interesting difference:

http://blog.spywareguide.com/upload/2007/06/myspaceremove7-thumb.jpg

...the application now claims to "detect" 180 Solutions (Zango), along with a few other items. This is done by downloading some "dummy" files that the scanner then magically finds. As far as we can tell, the files themselves do nothing apart from sitting there and feeding the scanner's results - they certainly aren't legitimate Zango executables. Here's a screenshot of some of the files deposited onto the PC:

http://blog.spywareguide.com/upload/2007/06/myspaceremove8-thumb.jpg

Myspace users would do well to give these so-called security applications a miss. This particular install works best on Windows 2000; if the user is on XP, there's a good chance nothing will happen at all. Thanks to LoLo for the tip-off.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

About this Archive

This page is an archive of entries from June 2007 listed from newest to oldest.
