8:24 pm (UTC-7) | by Ryan Flores (Threat Research Manager)
We discovered more holiday mischief while further digging into fake codecs, which Sunbelt most recently blogged about.
As discovered by Sunbelt, certain Google queries may lead you to certain blog sites that require the download of a “codec” that is actually a variant of the ZLOB malware.
These blogs seem to be recently created; entries were all posted just this December.
Blog titles revolve around topics related to Christmas such as Santa Claus and Christmas movies, but the scope is also extended to Christmas-related activities, such as cooking (recipes of Christmas dinner?), road conditions (traveling to spend the holidays with in-laws, relatives, or friends?), and gadgets (as gift items?).
Some topics outside the holidays revolve around sports, celebrities, and digital media.
Blog titles can be as broad as “wheres santa” or as specific as “is walmart open on Christmas day.”
These blog entry topics are obviously chosen to suit specific searches that Internet users the world over are making these days.
In order to increase their search engine result ranking (SEO poisoning), the blog entries’ bodies are composed of sentences containing the search keywords/blog entry title.
These sentences seem to be sourced from various sites and it is highly possible that the perpetrators used Web scrapers to fill the contents.
As of this writing, there are probably thousands of blog sites that use this modus operandi. Just to give you an idea on how large this might be, here are some of the sites we discovered (emphasis ours):
No matter how numerous the blog sites involved, they all point to any of these domains when the user clicks on the play button: siski.cn, obebos.cn, somemisc.info, and video.googl.name.Here are the pages the user will encounter when redirected to any of the four sites:
OBEBOS.CN and SISKI.CN
Of the four, video.googl.name is the most interesting because it pretends to be a video repository site (notice the search box on the top right corner of the page).
The amazing thing about video.googl.name is it contains all the videos you’ll ever want! When using the search feature, the site will always return a result, that will, of course, require you to download a “codec” to successfully play.
Messing around with the site, an absolutely absurd search for “TARANTELLABEERMANIA PARTYGATECRASHER” will incredibly give this result. Beat that!
Finally, the “codec”!
The actual download of the “codec” will only happen should the user decide to click the Continue button.
Both obebos.cn and siski.cn will point the user to shockbabetv(dot)com to download the ZLOB Trojan, while somemisc.info and video.googl.name will download the ZLOB Trojan from 82(dot)103(dot)137(dot)14.
Shockbabetv(dot)com already has a history of hosting these Trojan malware while 82(dot)103(dot)137(dot)14 is somewhat new, as we’ve seen this only this December.
Share this article