Oct 11, 2010 17:31 GMT

Security researchers from Sunbelt Software have stumbled upon a scareware campaign that pushes a rogue AV program as an update for the VLC media player Web plugin.

The attack was observed on a site allegedly offering video content, and the rogue page imitates the Firefox error page normally displayed when a plugin crashes.

The rogue page shows a "The VLC Web plugin has crashed" message, along with a button that reads "Please, Install Update."

The site offers an executable file for download, which, according to the Sunbelt experts, is the installer for a fake antivirus program called "Security Essentials."

Serving malware as a required codec or a Flash Player update is a common social engineering trick that has been used by attackers for years.

However, while a Flash Player update would sound familiar to a lot of people, considering the plugin's ubiquity, it's not very clear why these attackers chose to use VLC's plugin.

VLC is an open source cross-platform multimedia player that doesn't require additional codecs to play the most common video and audio formats.

The player integrates with both Internet Explorer, through an ActiveX control, and Mozilla Firefox, via an NPAPI plugin.

However, this "VLC Mozilla and Mozilla Firefox plugin," as it is officially called by the VLC developers, is normally distributed through the program's installer and comes unchecked by default.

There is a "VLC Media Player - Web Plugin" distributed through the Mozilla add-ons repository, but it has been uploaded by a third party and doesn't work with Firefox 3.6.

All of these signs point to a pretty low distribution of the plugin amongst Firefox users, at least lower than what the rogue AV distributors usually target.

But maybe the explanation is not that complicated and the attackers only tried to abuse the VLC name, not the plugin in particular, since the player itself is popular enough.

Regardless of the reason, users are strongly advised against downloading codecs or other updates offered by Web pages under the pretense of being required to view the content.