Earlier this month, our colleagues at the Online Services Security & Compliance Incident Management team were alerted to content on a Spaces page that was allegedly violating copyrights. The reporting party (a well-known band) was particularly concerned as this content was turning up on numerous web portals, having been leaked in Europe only 24 hours prior.
Upon investigating the Spaces page, rather than displaying the copyrighted material, an embedded “video” prompted investigators to download a codec that was apparently missing. From within a controlled environment, “MediaTubeCodec.1.220.2.exe” was downloaded; the name alone elevated suspicions. Preliminary analysis determined that the file was not being detected by the MMPC, and that it appeared to be a variant of Win32/Zlob.
Naturally, we updated our generic detection to cover it (the threat is detected as TrojanDownloader:Win32/Zlob.gen!CD). Upon execution, it will install Win32/Zlob, which typically reconfigures Internet Explorer settings like the home page and default search engine. In this case, once the fake codec installer is executed, it drops several of its installation components to temporary folders on the system, runs them, and then ‘phones home’ (presumably to update itself). The variant we found tries to connect to the following three hosts:
Only the first two are responding at the time of writing; both appear to be running nginx (a lightweight web/mail server), one server hosted in the USA and the other in China. So please, folks: avoid piracy, and be wary when a website insists that you download a new codec in order to watch a video or listen to a song.
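As an added example (not code from the original post or from the MMPC), here is a small Python triage heuristic that encodes the behaviour chain described above: a browser downloads a "codec" installer, that installer writes a child executable into a temp folder and launches it, and the child then connects out. The event format, file names other than the installer, and the IP addresses are constructed for illustration; the post does not give the real hosts or any telemetry format.

```python
import re

# Assumed telemetry format (constructed for this example): time|event|process|detail
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
TEMP_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)
CODEC_RE = re.compile(r"codec.*\.exe$", re.IGNORECASE)

# Constructed sample events, not from the original incident. Only the installer name
# comes from the post; the dropped file name and addresses are placeholders.
SAMPLE_EVENTS = """\
10:00:01|file_write|iexplore.exe|C:\\Users\\bob\\Downloads\\MediaTubeCodec.1.220.2.exe
10:00:05|process_start|MediaTubeCodec.1.220.2.exe|parent=iexplore.exe
10:00:06|file_write|MediaTubeCodec.1.220.2.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\setup1.exe
10:00:07|process_start|setup1.exe|parent=MediaTubeCodec.1.220.2.exe
10:00:09|net_connect|setup1.exe|192.0.2.10:80
10:00:30|file_write|chrome.exe|C:\\Users\\bob\\Downloads\\report.pdf
10:00:40|process_start|notepad.exe|parent=explorer.exe
10:00:41|net_connect|notepad.exe|192.0.2.20:80
"""


def detect_fake_codec_chain(events: str) -> list:
    """Return one finding per browser-downloaded 'codec' installer that drops a child
    into a temp folder, starts it, and whose child then opens a network connection."""
    downloaded = set()  # basenames of codec-looking .exe files written by a browser
    dropped = {}        # child basename -> dropper basename, for files written to Temp
    running = set()     # dropped children confirmed to have been started by their dropper
    findings = []
    for line in events.splitlines():
        time, event, proc, detail = line.split("|", 3)
        basename = detail.rsplit("\\", 1)[-1]
        if event == "file_write" and proc.lower() in BROWSERS and CODEC_RE.search(detail):
            downloaded.add(basename)
        elif event == "file_write" and proc in downloaded and TEMP_RE.search(detail):
            dropped[basename] = proc
        elif event == "process_start" and proc in dropped and detail == f"parent={dropped[proc]}":
            running.add(proc)
        elif event == "net_connect" and proc in running:
            findings.append(f"{time} {dropped[proc]} -> {proc} -> {detail}")
    return findings


if __name__ == "__main__":
    for finding in detect_fake_codec_chain(SAMPLE_EVENTS):
        print("fake codec chain:", finding)
```

The unrelated PDF download and the notepad.exe connection in the sample do not trigger a finding, because each stage is tied to the process that produced the previous one rather than matched on its own.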
Russ McRee & Tareq Saade