[unisog] Significant Rogue DNS Activity To 85.255.112.0/22 (thanks to the "FreeVideo Player" Trojan)

John Ladwig jladwig at mango.lioness.net
Sat Nov 18 00:17:42 GMT 2006


On Fri, Nov 17, 2006 at 03:32:22PM -0600, Brian Eckman wrote:
> Warning: long, somewhat detailed analysis below.

Nice work.


As you stated, bogus codecs are (and have been) a growth area for
malware installation.  The Sunbelt software blog regularly warns about
specific sites, including some very professional looking websites and
installers. 

SANS-ISC had a "Follow the bouncing malware" piece over a year ago on
a codec-installer trojan with EULA.  With the rapid mutation of
modular droppers/installers, it's pretty hard to rely on antivirus
signatures to defend against this sort of threat. 

   -jml


http://sunbeltblog.blogspot.com/2006/11/supercodec-latest-fake-codec.html
Thursday, November 16, 2006
SuperCodec -- latest fake codec

As always, do not download these fake codecs, as they are a hotbed of
malware. 

IP: 69.50.188.99    
supercodec.com           

[ ... ]


http://www.f-secure.com/weblog/archives/archive-112006.html#00001021
Tuesday, November 14, 2006
Codec No. 107    Posted by Kamil @ 14:31 GMT

While browsing the Internet for movies - *cough* pr0n - people often
end up downloading some DRM protected material, bundled with a license
that uses social engineering tactics to push the victim into
downloading a "codec". These supposed codecs are downloading and
installing malware known as Zlob. 

[ ... ]


http://sunbeltblog.blogspot.com/2006/11/more-fake-codecssecurity-scam-hijack.html
Friday, November 10, 2006
More fake codecs/security scam hijack sites

IP: 216.255.187.70 
lightcodec(dot)com 

IP: 69.50.188.104   
elitecodec(dot)com 

IP: 85.255.118.243 
eupdatepage(dot)com          

[ ... ]


http://www.techworld.com/security/news/index.cfm?newsid=6781
04 September 2006
zCodec promises video, delivers nasties

By Matthew Broersma, Techworld

Users looking for the latest and greatest video software may not just
be in danger from media lawyers. Security firm Panda Software last
week warned that zCodec, which claims to offer "up to 40 percent
better (video) quality," is in fact an adware program that can install
Trojans, rootkits and other malicious software. 

zCodec is freely available online and, as of Monday afternoon, was
easy enough to find, offering downloads from its own website -
zcodec.com. The site uses images from the films Sin City and Pulp
Fiction, and claims zCodec will boost audio as well as video quality. 

[ ... ]


http://isc.sans.org/diary.php?date=2005-07-13
Published: 2005-07-13,
Last Updated: 2005-07-14 03:33:23 UTC by Tom Liston (Version: 1)
[ ... ]
The Big Con

The file that Joe downloaded was "vc3_05b.exe," a 16,373 byte long
executable. On the VCodec site, there is also a file called
"vc1_05a.exe" (9341 bytes) which is what you get if you follow the
main "download" link on the VCodec site. Also, like an extra surprise,
hidden on the vcodec.com index page is some JavaScript that attempts,
in several ways, to download the file "vc105a.htm" which is simply a
copy of vc1_05a.exe. Both files are packed with the executable
compressor FSG, and while they are superficially different, running
either of them has the same result: version 3.5 just has a
dog-and-pony show to go along with it. 

Perhaps by now, you've gotten the idea that we're not dealing with a
plain old video codec here. After all, this *is* another installment
of "Follow the Bouncing Malware." Well, no, it isn't just a codec. 

In fact, it isn't a codec at all.

[ ... ]


Plenty other reports out there.

   -jml
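An added example (mine, not code from the thread or from any of the vendors quoted above) of the network-side check the argument points to: since signatures lag behind the droppers, look instead for internal hosts sending DNS queries to the 85.255.112.0/22 range named in the subject line. The firewall log format and the sample lines are constructed assumptions, not real traffic.

```python
import ipaddress

# Rogue resolver range named in the thread subject line.
ROGUE_DNS_NET = ipaddress.ip_network("85.255.112.0/22")

# Constructed sample firewall log (not real traffic). Assumed format:
# "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_LOG = """\
2006-11-17T15:32:01 10.1.2.3 85.255.112.65 udp 53
2006-11-17T15:32:02 10.1.2.3 10.1.0.1 udp 53
2006-11-17T15:32:05 10.1.2.9 85.255.115.2 udp 53
2006-11-17T15:32:07 10.1.2.9 85.255.116.1 udp 53
2006-11-17T15:32:09 10.1.2.3 85.255.112.9 tcp 80
"""


def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "port": int(port)}


def is_rogue_dns(rec):
    """True when the flow is DNS (port 53) to an address inside the rogue /22.

    Port 80 traffic to the same range is deliberately not flagged here;
    the point is resolver hijacking, not every contact with the block.
    """
    return rec["port"] == 53 and ipaddress.ip_address(rec["dst"]) in ROGUE_DNS_NET


def find_infected_hosts(log_text):
    """Map each internal source IP to the rogue resolvers it queried."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_rogue_dns(rec):
            hits.setdefault(rec["src"], []).append(rec["dst"])
    return hits


if __name__ == "__main__":
    for host, resolvers in find_infected_hosts(SAMPLE_LOG).items():
        print(f"{host}: DNS to rogue resolvers {sorted(set(resolvers))}")
```

Hosts it reports are candidates for a look at their configured DNS servers; the 85.255.116.1 line is left out on purpose because it falls just outside the /22.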

