Danger Will Robinson - don't watch that video

I got a taste today of the ever present danger that is the Internet. A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an email listing the new web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious web page in the list of those referencing my client. The page tried to install malicious software on my computer. Hopefully the details of the scam, described below, will educate anyone not yet sufficiently skeptical about life on the Internet.

Initially, Google sent me to
clarkjohnlzl22.blogspot.com
which purported to mention my client by name. It doesn't. But it does have a big video box with the usual Play button on it. Clicking the Play button, at least as of this writing, takes you to
gift-vip.net/videos/?name=crystal+children
Recently it took me to
gift-vip.net/videos/?name=steve+harvey+bald
On another computer, it took me to
websoft-a.com/download/504/411/0/

Update. January 24, 2008: The next day, the Google Alert email linked to another malicious web page peggynoonztj46.blogspot.com. Just like the clarkjohnlzl22 phony blog, this site too had a video that required the installation of software from gift-vip.net

The video doesn't play, but instead generates the error window shown below.

Clicking anywhere in this error window leads you down a dangerous path. There is almost no getting away from the nagging to install the software. For example, clicking Cancel, just results in nags similar to those below (one is from Firefox, one from IE6).

Here again, clicking Cancel or the official "X" does nothing useful. These prompts also prevent access to other open Firefox tabs. The only way to get out of this is to kill your web browser. But, clicking the "X" in the top right corner of the browser window does nothing (technically, the install prompts are modal). Normally you can right click on the task bar entry for a program and close the program from there. That too, doesn't work in this case.

To kill your browser in Windows XP, use Task Manager (see my prior posting Task Manager - useful enough to run all the time). Right click on the task bar and select Task Manager from the pop-up menu, then navigate to the Applications tab. Click on your web browser in the list of active applications, then click on the End Task button at the bottom of the window.

In the interest of research, I downloaded the file. Don't try this at home. Needless to say, I didn't install the software. Instead I had it analyzed at VirusTotal.com a great web site that analyzes a single file with many different antivirus products. (for more see Can you trust that file?).

As is usual at VirusTotal, some antivirus programs found the file to be malicious, others gave it clean bill of health. Among those that felt the software was safe were NOD32, BitDefender, Ewido and eTrust-Vet. Most products however, considered the file malicious. Among them were:

AntiVir 7.6.0.48 2008.01.23 HEUR/Malware
Avast 4.7.1098.0 2008.01.23 Win32:DNSChanger-SF
AVG 7.5.0.516 2008.01.23 Generic_c.FTY
ClamAV 0.91.2 2008.01.23 Trojan.DNSChanger-2168
F-Secure 6.70.13260.0 2008.01.23 Trojan.Win32.DNSChanger.aqd
Kaspersky 7.0.0.125 2008.01.23 Trojan.Win32.DNSChanger.aqd
McAfee 5214 2008.01.23 Puper.gen.d

There are two lessons here. First, any one anti-malware product can only provide so much protection. Second, any software that is pushy about getting itself installed, you don't want.

Update. January 25, 2008. As a couple people commented below, another point here is that you are safer by not running Windows. The comments were about Macs but the same can be said about Linux.

See a summary of all my Defensive Computing postings.

[spilledenvironment]

Hee hee. I went to that link. Just don't click the image that looks like a YouTube video. Hehh... they get trickier every day.!!

[ruminator]

Oh, didn't you know? This blogger doesn't believe any software is mature until at least 18 months...so to be extra safe with Internet software...I figure he'll be using IE 7 sometime in 2011. Check back then for the latest bugs on old software that no one's using.

[SCSNSE]

I have encountered this very same virus, and what I do since I'm lazy is click "OK" to download it and simply stop the download immediately afterwords before it finishes. Works for me.

[Wild Eep]

I have a mac, and it's pretty funny on it.
I opened the blog, clicked the youtube window on it (which by the way looks like a 50% quality jpeg) and was lead to a youtube source copy. On that page, there was a windows XP style window (on my mac) that was embedded in the webpage. It immediately started downloading the "video codec" (a .exe) and then I canceled it.
I love it when I see those xp/2000 style popup windows, while I smile at my beautiful Aqua. Stupid malware-ers

[BetterthanurX]

Haha, i love how i just did all these on my mac and i saw an XP style window and the file could not wait to be downloaded to my HDD. Its a .exe file though so no dice. I love OSX/Unix

[stephonboggs1]

How do I get rid of the program?

[cps1321]

Tried to download the file today and my installation of NOD32 3.0.621.0 with virus signature database 2825 (Jan 27, 2008) detected the file as potential malware and terminated the connection. Since I just came across this article today, I'm curious what engine and virus definition of NOD32 didn't detect it.

[mhinnewyork]

to: cps1321
I wrote this posting on the 23rd and was using NOD32 v3 with definitions dated the 23rd.
Michael Horowitz

[JPSerino]

I have had great results every time I caught a malware trojan, virus or whatever, by running Stop Sign. Between that and McAfee from AOL, I can remove anything that comes up. Also, running a registry cleaner helps delete the residual commands that seem to remain from some deleted programs.