Adware applications are installed on the affected systems

Jun 21, 2014 13:03 GMT

Users of a video sharing website with more than 30 million members reported pop-up messages asking them to update Adobe’s Flash Player to the latest version.

The video sharing service is provided by Nico Nico in Japan, and the prompt was caused by a malicious script injected into the code of advertisements distributed through MicroAd and displayed during video playback.

The pop-up directed users to a fake Flash Player download site that mimicked the original Adobe page and delivered malicious content. The current version is 14.0.0.125, but the fake page offers to install build 11.9.900.152.

If installed, the malicious update proceeds to collect software and hardware information from the infected machine and delivers it to a remote server. An additional item is dropped, which downloads an encoded configuration file.

Symantec analyzed the fake installer and determined that it included “a lot of references to remote software installers, which will be downloaded to the affected computer in a sequence.”

Also, “a lot of the terms seen in the configuration file are IDs for the scammer’s affiliates, such as MinitizationTypes, Payout, Promotion Rate, CTID, and affilid. When the relevant downloaded software is executed, the scammer claims affiliate rewards based on the number of successful installs of the software,” Shunichi Imano from Symantec writes in a blog post.

According to Imano, the applications surreptitiously downloaded to the victim’s system include FLV Player, System Speedup, Search Protect, VuuPC, RegClean Pro, Hao123, Buzz-it, ConstaSurf, VLC and Plus HD2.

However, the developers of these programs do not seem to be involved in the scheme, because installing them actually adds different software to the system.

For instance, when the FLV Player installation is launched, the user agreement dialog clearly states that the user is actually agreeing to install ConstaSurf and not the video playing utility. This may not be the only software pushed by the scammers.

Online sources say that ConstaSurf is a browser plugin with adware capabilities, which displays ads on web pages or places hyperlinks on random words.

Although it is not a virus per se, its activity is most annoying. Having antivirus protection can prevent its installation on the computer.

Users can decline the terms of the agreement and thus stop the installation of the program.

It is common practice for scammers to make some money through affiliate services that pay them for each installation of the program.

MicroAd released a statement regarding the incident and said they were currently investigating the issue.