By: Sameer Patil

FIFA World Cup Fake Streaming

Social Engineering

We all love football, and when the World Cup is on we take a break from the office, switch on the TV and enjoy the game! According to estimates, billions of people will watch the matches live, and a good proportion of them will watch online. Not surprisingly, the Brazil World Cup matches are being used by attackers as an opportunity to push spam links, adware and Trojans through various sports-related websites, and World Cup fever makes it all the more likely that users will visit them. One of the more popular sites for watching live-streamed sports matches is lshunter.com.

I recently tried to watch the Brazil vs Croatia match on lshunter.com. The site asked me to click a ‘Start’ button to begin the live stream.
 

When the video stream is started, the site redirects to hxxp://www.sofler.com/lp/videoperformer/v18/?v=18&cid=4151&clickid=0066965515096773257&a=8, which asks for the installation of the ‘Latest Video Converter’. The page looks similar to Adobe’s Flash update site and tricks the user into downloading an updater executable. In the excitement of the match, it is easy to follow the links and install the ‘update’ without ever verifying the source.
 
 

Our internal analysis confirmed that the installer is a Potentially Unwanted Program (PUP): it bundles adware, installs toolbars and performs other actions with unclear objectives. It can be downloaded directly from: hxxp://www.appoder.com/download3/$m%2BI%2FeZA3ZUMplwkZ?v=18&cid=4151&clickid=0066965515096773257&a=8&cert=r2&installer=tt&resources=tt&maker=pth.
Such programs are built mainly for advertising and for inflating a site's page rank in Google search results. At the same time they inconvenience the user by changing browser settings such as the default home page and default search engine.
 
File: VideoPerformerSetup.exe
MD5: 99bbdce5fa1fe4692164a7c5425e552f
VirusTotal Report: 11/54

Another such example we found was hosted at hxxp://antenasport.net

Clicking the link takes us to a fake torrent-software download page.

Here, if we try to install the video downloader, it again redirects to a downloader page with a very long URL: hxxp://cdn.download-videos-free.com/lp/?appid=277&subid=20rUiz2FyHs6jI4D3kXVAW1wVn4T000.&line_item=561741&info=pofmEapp80E6INYWRNmO4mqpVFObUblO_p545PzWE3wDvFkwmYxuAws6V3b9JwlAAMpdDEBVqI1MAGjnAhR42oEkD1ayVdvtbk58EoMVzP-drJwzQc45A5_E45moeuFdo_4OJSqWOWCfsTNEqmfOuXT8HnMKJ4i1KttwhluLoWozLv6d9-xZfxFFbEn7jNV61ThZLh_GXzyLdW9Cr-QM-PNrQqvedi_bDlFQzq2ZbiqXn8rg7AK6IgEi6_bI6_5kez-PierrqxpxeerYycsgkJBUFScZ3dORrBTQI34wLsA3IvvGLNs8m9hbfW0X87dwcCVMqHGUuUeTwdE8Vrg1AQqFzD9QOcHGxAi9Zhp9JYYkXIJwYVmX7Q0lw5y7Mk3oacvtN8SHuCfoMYc23rZWR6jTKUBhynZ9qm4v4gv9bZdd-P22981310_CR17481133_CA18661040&dp=pofmEapp80E6INYWRNmO4mqpVFObUblO_p545PzWE3wDvFkwmYxuAws6V3b9JwlAAMpdDEBVqI1MAGjnAhR42oEkD1ayVdvtbk58EoMVzP-drJwzQc45A5_E45moeuFdo_4OJSqWOWCfsTNEqmfOuXT8HnMKJ4i1KttwhluLoWozLv6d9-xZfxFFbEn7jNV61ThZLh_GXzyLdW9Cr-QM-PNrQqvedi_bDlFQzq2ZbiqXn8rg7AK6IgEi6_bI6_5kez-PierrqxpxeerYycsgkJBUFScZ3dORrBTQI34wLsA3IvvGLNs8m9hbfW0X87dwcCVMqHGUuUeTwdE8Vrg1AQqFzD9QOcHGxAi9Zhp9JYYkXIJwYVmX7Q0lw5y7Mk3oacvtN8SHuCfoMYc23rZWR6jTKUBhynZ9qm4v4gv9bZdd&dp2=P22981310_CR17481133_CA18661040&c8=service.srvmd6.com

Our dynamic and behavioral analysis runs confirmed it to be adware. It also drops a few DLLs, .tmp and .gif files in the system folder to support its activities.
File: setup.exe
MD5: 77a2f54fee9438a7dd4c20199a85737c
VirusTotal Report: 8/54

Users also need to be wary of random Facebook posts and comments that mention live-streaming sites such as hxxp://soccertv.blogdns.com/. We have also seen such links shared by friends on social networks.
 
The link above takes us to a video player updater site, hxxp://www.sweetplayer.com, which also hosts adware scripts.
File: SweetPlayer_TSA24NBA7.exe
MD5: b035162687f54779a7c5739f08b9b79b
VirusTotal Report: 8/54
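The three samples above are identified only by MD5, and each of the landing-page URLs carries the same kind of campaign parameters (cid, clickid, a, appid, subid). The following script is an added example, not Zscaler's own tooling: it hashes a download folder against the three hashes published in this post, pulls the tracking parameters out of a landing-page URL so an analyst can pivot on the campaign, and checks whether an "update" is actually being served from a vendor host. The list of trusted Adobe hosts, and the reading of those query-string keys as affiliate tracking IDs, are assumptions made for the example; the sample file it scans is constructed and harmless.

```python
import hashlib
import os
import tempfile
from urllib.parse import parse_qs, urlparse

# MD5 hashes of the three installers discussed in this post, keyed to the sample name.
KNOWN_BAD_MD5 = {
    "99bbdce5fa1fe4692164a7c5425e552f": "VideoPerformerSetup.exe (sofler.com / appoder.com)",
    "77a2f54fee9438a7dd4c20199a85737c": "setup.exe (cdn.download-videos-free.com)",
    "b035162687f54779a7c5739f08b9b79b": "SweetPlayer_TSA24NBA7.exe (sweetplayer.com)",
}

# Hosts a genuine Flash Player download would come from. This list is an
# assumption made for the example, not something stated in the post.
TRUSTED_UPDATE_HOSTS = {"get.adobe.com", "www.adobe.com", "fpdownload.adobe.com"}

# Query-string keys that appear in the landing-page URLs quoted in the post.
# Treating them as campaign/affiliate tracking parameters is an inference.
TRACKING_KEYS = ("cid", "clickid", "a", "appid", "subid", "line_item", "c8")


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_sample(md5_hex: str):
    """Return the sample label for a known-bad MD5, or None.

    MD5 is used only because that is what the post publishes; it is fine for
    matching an exact known sample but says nothing about files that miss."""
    return KNOWN_BAD_MD5.get(md5_hex.lower())


def scan_directory(dirpath: str):
    """Hash every regular file under dirpath; return [(path, label)] for matches."""
    hits = []
    for root, _dirs, files in os.walk(dirpath):
        for name in files:
            path = os.path.join(root, name)
            label = lookup_sample(md5_of_file(path))
            if label:
                hits.append((path, label))
    return hits


def defang_to_http(url: str) -> str:
    """Turn the post's defanged hxxp:// / hxxps:// into a parseable scheme."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def tracking_params(url: str) -> dict:
    """Pull the campaign tracking parameters out of a landing-page URL."""
    qs = parse_qs(urlparse(defang_to_http(url)).query, keep_blank_values=True)
    return {k: qs[k][0] for k in TRACKING_KEYS if k in qs}


def is_trusted_update_host(url: str) -> bool:
    """True only if the download host is one of the vendor hosts listed above."""
    host = urlparse(defang_to_http(url)).hostname
    return host is not None and host.lower() in TRUSTED_UPDATE_HOSTS


if __name__ == "__main__":
    sofler = ("hxxp://www.sofler.com/lp/videoperformer/v18/"
              "?v=18&cid=4151&clickid=0066965515096773257&a=8")
    print("tracking parameters:", tracking_params(sofler))
    print("trusted update host:", is_trusted_update_host(sofler))

    # Constructed, harmless file standing in for a downloaded installer.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "VideoPerformerSetup.exe"), "wb") as f:
            f.write(b"not the real installer")
        print("known-bad hits:", scan_directory(tmp))
```

Point the scanner at a browser's download directory to catch the samples above; a hit on any of the three hashes, or an "update" whose host is not a vendor host, is grounds to delete the file rather than run it. Note that the host check is deliberately strict: a redirect chain that ends anywhere other than the vendor's own domain is treated as untrusted, which is exactly the pattern the sofler.com and download-videos-free.com pages rely on.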

End users should be very wary of any site pushing executables. Browser plugin updates should only be downloaded proactively, and directly from the associated vendor. Never blindly trust a site suggesting a browser update.
Enjoy the World Cup!
