Fake download websites continue to make victims

Jul 3, 2015 11:55 GMT

Fake download websites serving malicious executables masquerading as music files are still claiming many victims: a security company records hundreds of clicks per day from its users, even though the locations are properly flagged as suspicious.

The practice of setting up a bogus MP3 download site to deliver malware or potentially unwanted programs has a long history and it has been brought to public attention numerous times.

Typically, on such a website, any search query returns results, even when logic dictates that the chances of a match are zero.

Results returned despite ridiculous queries

Security engineer Chris Larsen from Blue Coat profiled one of these locations and looked for a non-existent song. As expected, several results popped up, all advertising a valid download location. Moreover, at the end of the result list, buttons were displayed for playing, streaming or downloading the “song.”

At the bottom of the page, though, in a text string similar to fine print, the user was informed that no results could be found.

“The results were somewhat schizophrenic: on one hand, the bottom of the page reported ‘No Result Found,’ but on the other hand, there were certainly plenty of links on the page to download this non-existent song,” Larsen wrote in a blog post on Thursday.

After several redirects, the MP3 is served as an executable

Checking one of the bogus download buttons revealed that the link behind it pointed to “systemcallpointcamel[.]info,” a location not at all credible for hosting music files.

However, clicking on it would actually take the user to a different website promising to deliver the non-existent song. The redirection chain continued as a file was served from yet another domain, and it was an executable with the same name as the search query.

Testing the file on VirusTotal showed its malicious nature: it was flagged as a risk by 16 antivirus engines, several of them identifying it as MultiPlug, a program created to add a torrent of other programs to the system, most likely as part of an affiliate marketing scheme.

Larsen says that the file was polymorphic, which means that it changes constantly in order to evade detection.
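
The chain described above ends with an executable delivered under the name of the requested song, and a polymorphic file defeats hash matching, so a download check has to look at the content itself. The following Python sketch is an added example, not code from Larsen's post or from Blue Coat; the function names and the sample bytes are constructed for illustration.

```python
import struct

def _norm(s: str) -> str:
    """Lowercase and keep only letters and digits, for loose name comparison."""
    return "".join(c for c in s.lower() if c.isalnum())

def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring name and claimed type."""
    # Windows PE: 'MZ' DOS header whose e_lfanew (offset 0x3C) points at 'PE\0\0'.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"
    # MP3: an ID3v2 tag, or an MPEG audio frame sync (eleven set bits).
    if data[:3] == b"ID3" or (len(data) >= 2 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0):
        return "mp3"
    return "unknown"

def check_download(query: str, filename: str, data: bytes) -> list[str]:
    """Return the reasons a download requested as music should be blocked."""
    findings = []
    kind = sniff_type(data)
    if kind == "pe-executable":
        findings.append("content is a Windows executable, not audio")
    elif kind != "mp3":
        findings.append("content is not recognisable MP3 data")
    stem, _, ext = filename.rpartition(".")
    if ext.lower() in {"exe", "scr", "com", "msi"}:
        findings.append(f"executable extension .{ext.lower()}")
    # The sample in the article carried the same name as the search query.
    if kind != "mp3" and _norm(stem or filename) == _norm(query):
        findings.append("file name mirrors the search query")
    return findings

def _fake_pe() -> bytes:
    # Constructed stub: DOS header with e_lfanew = 0x40, followed by 'PE\0\0'.
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00"

SAMPLE_PE = _fake_pe()                                   # constructed, not real malware
SAMPLE_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00\xff\xfb\x90\x00"  # constructed
```

Because the check reads header structure rather than a hash, it gives the same verdict for every variant of a file that changes between downloads.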