Taking a Look at the FreeVideo Player Trojan

Published: 2006-11-19
Last Updated: 2006-11-20 12:51:43 UTC
by Lenny Zeltser (Version: 2)
0 comment(s)
ISC reader Brian Eckman shared with us a comprehensive write-up about malicious activity he observed in association with the FreeVideo Player software distributed by www-dvdaccess-net. (We do not recommend visiting that URL.) According to Brian, the program's EULA grants its authors the right to install third-party software on the user's machine; however, most users would not find the activities of this program desirable.

The main purpose of the FreeVideo Player, in its current state, seems to be redirection of web search results and DNS queries for non-existent domains to ad-hosting websites. As Brian notes, the capabilities of the program could "allow it to be incredibly effective (i.e., devastating) if used for phishing. If they decided to return false DNS answers for banks, credit monitoring companies, auction sites, etc., there is almost no protection for the end user. Even if they return valid DNS responses, they can present any page they want to the Web browser."

The program includes relatively advanced features seen in malware, such as rootkit functionality to make it difficult to discover its presence or to remove it from the affected system. In addition, its distribution mechanism gives its authors the ability to create customized or fingerprinted executables for each person downloading the program. According to Brian, the website hosting this program distributes unique executables based on the IP address of the system that is downloading the program.

Some anti-virus companies recognize variants of this program as Zlob. Others may tag it Emcodec, or may not recognize it as malware at all.

Brian states, "I believe that this software clearly fits the definition of a Trojan Horse. From what I have been able to gather thus far, the apparent motive is profiting from pay-per-click advertising. ... The engineering of this Trojan and the social engineering behind its spread appear to me to be far more advanced than typical Web browser exploits and IRC bots."

The network that is making use of the FreeVideo Player trojan falls in the netblock that belongs to Inhoster. We've been recommending that companies block access to this netblock, as per our January 1, 2006, diary. One of the indications that systems on your network are infected with the FreeVideo Player is the regular presence of DNS queries aimed at servers on the Inhoster netblock.

Full text of Brian's write up is available here.

Lenny Zeltser
ISC Handler on Duty
0 comment(s)


Diary Archives