Chinese Phishers Get On the Fake Codec Bandwagon

By Andrew Brandt


Malware distributors in China have started pushing the same kinds of fake codec scams on unsuspecting Chinese Web surfers that criminals elsewhere in the world have mastered.

I’m not sure how I feel about this. On the one hand, I feel sorry for the Chinese victims, most of whom are probably blissfully unaware of the dangers they now face on the Web. On the other, perhaps this will finally serve as a wake-up call to Chinese authorities that they need to do something about homegrown Sino-cybercrime.

In the course of investigating some odd-looking URLs (including one which uses the name of every popular Chinese portal), I stumbled into a maze of Web sites that forcefully urge visitors to download and install software.

The scams start at Chinese porn sites — though, it must be noted, the photos on most of these sites are significantly less racy than what you’d find on your typical college coed’s MySpace page, even before Spring Break. The sites promote streamed video, but warn users that they must download and install a special “video on demand” player in order to watch the videos. Sound familiar?

In the course of a few hours, I pulled down and researched five distinct Trojaned software packages, all of which originated from a “click here to download the player” link on a Web page. At best, the programs attempt to convince users to pay 100 Yuan (about $15) for access to what the program promises is a vast library of TV shows and movies from China and the rest of the world.

At worst, the programs pull down dozens of keylogging Trojans, downloaders, and backdoors at the same time as they install benign Chinese video software, such as the popular (and completely free) QVOD player.

Anyone who’s familiar with the various fake codec scams should recognize these Chinese versions immediately. The video player screen, which is just a JPEG image overlaid with JavaScript animations, is clean and slickly produced. An animation makes it appear that the Web site is buffering the video, and then — uh oh — something goes wrong. The big button that appears center-frame is the download link. But even without machine translation of the text, you could tell that the scam desperately wanted the user to download and run the installer, because the page started pushing down the installer before I’d even clicked anything.

And then, after I’d downloaded the installer, the page directed me to yet another fake video player page, where it tried to push a different installer to my computer. After a while clicking through the same pages, I ended up on a Chinese pill-vendor Web site. I noted with some amusement that the graphic designer responsible for this disaster used a doctored (ahem) image of the space shuttle as some sort of visual metaphor for male virility.

Each of the five installers came from similar-looking pages, but each was very different in terms of the level of technical sophistication it employed and the damage it caused. One was just a self-extracting archive with malware inside; one contained a series of Visual Basic scripts that could do a wide variety of things, including hijacking the browser’s homepage and replacing the browser shortcuts elsewhere on the computer; three were polished installer wizards, which also happen to drop malware.

We were amused to see how the distributors appeal to the prurient interests of the Chinese Web surfer; apparently homegrown smut isn’t as good as the stuff made by foreign devils. Several of the players describe, as part of the feature set, the ability to bypass network restrictions that would otherwise prevent users in China from viewing non-Chinese porn.

The names of the installer apps can be generic, in English (such as “movie_setup_889.exe”) or specific, with Chinese characters (such as AV专用播放器.exe — AV Dedicated Player — or 免费成人播放器.exe, aka “Free Adult Player”). The oddball icons include a stylized TV set and an oddly cute cartoon cat (wearing a distinctive, shocked expression).

Once installed, the “players” actually act as Web site loaders, framing Internet Explorer inside a box with no Address Bar or Status Bar (so you can’t see the URLs), and you can’t right-click anything. The programs load Web sites with inscrutable names like Intermediate Belt Video and Music, which claim to offer the hottest releases. But we didn’t test it out because we couldn’t pay for the service: we don’t have an account with Yeepay (a kind of Chinese version of PayPal) or at the Industrial and Commercial Bank of China, and they don’t take credit cards.

But as yukworthy as the Chinglish translations are, the damage these Trojans cause is no laughing matter. The worst of the fake video player installers dropped a copy of the QVOD player, contacted a server on port 6668, then retrieved 24 separate malicious payloads within about four minutes. Most of those payloads are phishing Trojans designed to steal game passwords.

Other installers:

  • hijacked the browser’s homepage

  • replaced IE shortcuts on the Desktop or Start menu with shortcuts that open a Web site

  • deleted any Favorites or Shortcuts from both the Internet Explorer and Firefox browsers

  • downloaded and installed additional malware, and sent profile information about the infected computer to a server.
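Every behaviour in that list leaves a trace a defender can check on a Windows host. The following PowerShell audit is an added example, not code from the original post: it reads the Internet Explorer start page from the registry, flags Desktop and Start Menu shortcuts that open a Web site or that are named after Internet Explorer but no longer point at iexplore.exe, lists Internet Shortcut (.url) files in those folders, counts what is left in Favorites, and looks for live connections to port 6668 (the port the worst installer used). The "Internet Explorer" name match and the folder list are assumptions about a typical installation.

```powershell
# Added example (not from the original post): audit a Windows host for the
# behaviours described above. Run from an elevated PowerShell session.

# 1. Internet Explorer start page, the value a homepage hijack overwrites.
$main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
Write-Host "IE Start Page: $($main.'Start Page')"

# 2. Shortcuts in the per-user and all-users Desktop / Start Menu folders
#    (assumption: these are the folders the installers touched).
$folders = 'Desktop', 'DesktopDirectory', 'CommonDesktopDirectory', 'StartMenu', 'CommonStartMenu' |
    ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $folders) {
    # .lnk shortcuts: a replaced IE shortcut either launches a URL directly or
    # keeps the "Internet Explorer" name while pointing somewhere else.
    Get-ChildItem -Path $folder -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        $opensSite = ($lnk.TargetPath + ' ' + $lnk.Arguments) -match 'https?://'
        $looksLikeIE = $_.BaseName -match 'Internet Explorer'   # assumption: shortcut naming
        if ($opensSite -or ($looksLikeIE -and $exe -ne 'iexplore.exe')) {
            Write-Host "Suspicious shortcut: $($_.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)"
        }
    }
    # .url Internet Shortcuts always open a Web site; list them for review.
    Get-ChildItem -Path $folder -Filter '*.url' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $line = Get-Content $_.FullName | Where-Object { $_ -like 'URL=*' } | Select-Object -First 1
        Write-Host "Internet Shortcut: $($_.FullName) -> $($line -replace '^URL=', '')"
    }
}

# 3. Favorites: a count of zero on a used machine matches the deletion behaviour.
$fav = [Environment]::GetFolderPath('Favorites')
$favCount = (Get-ChildItem -Path $fav -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
Write-Host "Favorites entries: $favCount"

# 4. Live TCP connections to port 6668, the port used to pull down the payloads.
Get-NetTCPConnection -RemotePort 6668 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Host "Port 6668 connection: $($_.RemoteAddress) state=$($_.State) process=$proc"
}
```

Treat a hit in step 2 or 4 as a reason to pull the host for a full look; the other two steps only narrow down what was changed.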

It looks like all that remains is for the Chinese to write malware designed to infiltrate social networks, and they’ll finally be playing in the Big Leagues with the other malware distributor dirtbags.