Fake codec trojans (so-called “required” components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We’ve written about them extensively.
Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service.
For example, here’s a search for “NFL playoff bracket video” on Google:
And here’s a search for a recipe for deviled eggs:
How about checking the holiday hours at B of A?
Generally, clicking on one of those links will bring up a page like this:
Which, when clicked, leads to a page pushing a fake codec (and one not very widely detected by AV engines, incidentally):
And, in another case, off of the “holiday hours” search above, we get a different fake codec being pushed:
Now, clicking on that link brings us to a website that tries to make you believe it’s a Google Video site:
(Malware researchers, just try googling “”christmas dinner prayer” site:blogspot.com” for a rash of results — or playing with other search terms in the sites.)
Here’s a list of some sites that I found on some searches — I’m sure there’s more:
zagadko(dot)blogspot(dot)com
xboxlivevidz(dot)blogspot(dot)com
xa4ubablo(dot)blogspot(dot)com
videokfda(dot)blogspot(dot)com
video-ase(dot)blogspot(dot)com
video-aa(dot)blogspot(dot)com
veryhotpaper(dot)blogspot(dot)com
theneeeez(dot)blogspot(dot)com
supekom(dot)blogspot(dot)com
sukanahi(dot)blogspot(dot)com
page47vidz(dot)blogspot(dot)com
modotvidz(dot)blogspot(dot)com
melancholyvidz(dot)blogspot(dot)com
maxjetvideoz(dot)blogspot(dot)com
lohanvideoz(dot)blogspot(dot)com
kdotvidz(dot)blogspot(dot)com
habbovideoz(dot)blogspot(dot)com
greetingsvidz(dot)blogspot(dot)com
gaizocd(dot)blogspot(dot)com
f-videoq(dot)blogspot(dot)com
europemyusa(dot)blogspot(dot)com
dubigom(dot)blogspot(dot)com
dubigom(dot)blogspot(dot)com
directusapolls(dot)blogspot(dot)com
daysprings(dot)blogspot(dot)com
daibabla(dot)blogspot(dot)com
cityscoopvidz(dot)blogspot(dot)com
chattingcom(dot)blogspot(dot)com
carrievideoz(dot)blogspot(dot)com
bjpvideoz(dot)blogspot(dot)com
babliko(dot)blogspot(dot)com
10xgoogle(dot)blogspot(dot)com
Again, these sites are pushing real trojans. Please don’t go there if unless you know what you’re doing.
(Note that I wouldn’t put this in the same league as the massive Google poisoning we saw last month. That was an epic attack, using exploits and all kinds of nasty tricks. However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split.)
Alex Eckelberry
(Thanks to David Glosser for the heads-up on this)