We all love football and when the World Cup is around, we take a break from the office, switch on the TV and enjoy the game! According to estimates, billions of people will watch the matches live. A good proportion of people watch online as well. Not surprisingly, the Brazil World Cup matches are being used as an opportunity by attackers to post spam links, adware and Trojans on various sports-related websites. The chances of visiting these websites are of course much higher given World Cup fever. One of the more popular websites to watch live streamed sports matches is lshunter.com.
I recently tried to watch the Brazil vs Croatia match on lshunter.com. It asked me to click on the ‘Start’ button to begin the live stream.
When we start the video stream, it redirects to hxxp://www.sofler.com/lp/videoperformer/v18/?v=18&cid=4151&clickid=0066965515096773257&a=8, asking for the installation of the ‘Latest Video Converter’. The page looks similar to Adobe’s Flash update website and tricks the user into downloading an updater executable. In our excitement to watch the match, we may sometimes just follow the links and install the update/software before even verifying the source.
Our internal analysis confirmed that the installer is a Potentially Unwanted Program (PUP) that contains adware, installs toolbars or has other unclear objectives. It can be downloaded directly from: hxxp://www.appoder.com/download3/$m%2BI%2FeZA3ZUMplwkZ?v=18&cid=4151&clickid=0066965515096773257&a=8&cert=r2&installer=tt&resources=tt&maker=pth.
Such programs are made mainly for advertising purposes and for inflating a site's page rank in Google search results. At the same time, they trouble the user by changing browser settings such as the default home page and default search engine.
File : VideoPerformerSetup.exe
VirusTotal Report: 11/54
Another such example we found was located at hxxp://antenasport.net
When clicking on the link, we are taken to a fake torrent software download page.
Our dynamic and behavioral analysis runs confirmed it to be adware. It also drops a few DLLs, tmp and gif files in the system folder to support its activities.
Users also need to be aware of various random Facebook posts and comments mentioning live streaming sites like hxxp://soccertv.blogdns.com/. We have also encountered such links when shared by friends on social networks.
The aforementioned link takes us to a video player updater site: hxxp://www.sweetplayer.com, which also hosts some adware scripts.
End users should be very wary of any site pushing executables. Browser plugin updates should only be proactively downloaded directly from the associated vendor. Don’t ever blindly trust a site suggesting a browser update.
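For defenders with web proxy logs: the landing page and installer URLs quoted in the first example carry the same `clickid` value on two different hosts, and that hand-off can be hunted for. The following is an added example, not code from the original post; the log layout, client addresses, content types and the `find_handoffs` name are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Content types treated as an executable download (assumed list, tune to your proxy).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}

# Constructed proxy-log sample: (client, URL, response content type).
# The first two URLs are the defanged ones quoted in the post; clients,
# content types and the third entry are made up for this example.
SAMPLE_LOG = [
    ("10.0.0.5",
     "hxxp://www.sofler.com/lp/videoperformer/v18/?v=18&cid=4151"
     "&clickid=0066965515096773257&a=8",
     "text/html"),
    ("10.0.0.5",
     "hxxp://www.appoder.com/download3/$m%2BI%2FeZA3ZUMplwkZ?v=18&cid=4151"
     "&clickid=0066965515096773257&a=8&cert=r2&installer=tt&resources=tt&maker=pth",
     "application/x-msdownload"),
    ("10.0.0.9", "hxxp://intranet.example/wiki/?page=home", "text/html"),
]


def refang(url):
    """Turn a defanged hxxp:// URL back into a parseable one (never fetched)."""
    return url.replace("hxxp", "http", 1)


def find_handoffs(log):
    """Return (client, landing_host, download_host, clickid) for every
    executable download whose clickid the same client first presented
    to a different host, i.e. a landing page handing off to an installer."""
    first_seen = {}  # (client, clickid) -> host where the id first appeared
    hits = []
    for client, url, content_type in log:
        parts = urlsplit(refang(url))
        host = parts.hostname
        for clickid in parse_qs(parts.query).get("clickid", []):
            origin = first_seen.setdefault((client, clickid), host)
            if origin != host and content_type in EXECUTABLE_TYPES:
                hits.append((client, origin, host, clickid))
    return hits


if __name__ == "__main__":
    for hit in find_handoffs(SAMPLE_LOG):
        print("executable served after cross-host click hand-off:", hit)
```

A hit is a lead for triage rather than a verdict, since legitimate affiliate-tracked downloads can follow the same pattern.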
Enjoy the World Cup!