Zscaler Blog

Security Research

FIFA World Cup Fake Streaming

June 17, 2014 - 3 min read
We all love football, and when the World Cup is around, we take a break from the office, switch on the TV and enjoy the game! According to estimates, billions of people will watch the matches live. A good proportion of people watch online as well. Not surprisingly, attackers are using the Brazil World Cup matches as an opportunity to post spam links, adware and Trojans on various sports-related websites. The chances of visiting these websites are of course much higher given World Cup fever. One of the more popular websites to watch live streamed sports matches is lshunter.com.

I recently tried to watch the Brazil vs Croatia match on lshunter.com. It asked me to click on the ‘Start’ button to begin the live stream.

When we start the video stream, it redirects to hxxp://www.sofler.com/lp/videoperformer/v18/?v=18&cid=4151&clickid=0066965515096773257&a=8, asking for the installation of the ‘Latest Video Converter’. The page looks similar to Adobe’s Flash update website and tricks the user into downloading an updater executable. In our excitement to watch the match, we may sometimes just follow the links and install the update/software before even verifying the source.

Our internal analysis confirmed that the installer is a Potentially Unwanted Program (PUP) that contains adware, installs toolbars or has other unclear objectives. It can be downloaded directly from: hxxp://www.appoder.com/download3/$m%2BI%2FeZA3ZUMplwkZ?v=18&cid=4151&clickid=0066965515096773257&a=8&cert=r2&installer=tt&resources=tt&maker=pth.
Such programs are made mainly for advertising purposes and for inflating a site's page rank in Google search results. They also trouble the user by changing browser settings such as the default home page and default search engine.
File: VideoPerformerSetup.exe
MD5: 99bbdce5fa1fe4692164a7c5425e552f
VirusTotal Report: 11/54

Another such example we found was located at hxxp://antenasport.net.
When clicking on the link, we are taken to a fake torrent software download page.
Here, if we try to install the video downloader, it again redirects to a downloader page with a very long URL: hxxp://cdn.download-videos-free.com/lp/?appid=277&subid=20rUiz2FyHs6jI4D3kXVAW1wVn4T000.&line_item=561741&info=pofmEapp80E6INYWRNmO4mqpVFObUblO_p545PzWE3wDvFkwmYxuAws6V3b9JwlAAMpdDEBVqI1MAGjnAhR42oEkD1ayVdvtbk58EoMVzP-drJwzQc45A5_E45moeuFdo_4OJSqWOWCfsTNEqmfOuXT8HnMKJ4i1KttwhluLoWozLv6d9-xZfxFFbEn7jNV61ThZLh_GXzyLdW9Cr-QM-PNrQqvedi_bDlFQzq2ZbiqXn8rg7AK6IgEi6_bI6_5kez-PierrqxpxeerYycsgkJBUFScZ3dORrBTQI34wLsA3IvvGLNs8m9hbfW0X87dwcCVMqHGUuUeTwdE8Vrg1AQqFzD9QOcHGxAi9Zhp9JYYkXIJwYVmX7Q0lw5y7Mk3oacvtN8SHuCfoMYc23rZWR6jTKUBhynZ9qm4v4gv9bZdd-P22981310_CR17481133_CA18661040&dp=pofmEapp80E6INYWRNmO4mqpVFObUblO_p545PzWE3wDvFkwmYxuAws6V3b9JwlAAMpdDEBVqI1MAGjnAhR42oEkD1ayVdvtbk58EoMVzP-drJwzQc45A5_E45moeuFdo_4OJSqWOWCfsTNEqmfOuXT8HnMKJ4i1KttwhluLoWozLv6d9-xZfxFFbEn7jNV61ThZLh_GXzyLdW9Cr-QM-PNrQqvedi_bDlFQzq2ZbiqXn8rg7AK6IgEi6_bI6_5kez-PierrqxpxeerYycsgkJBUFScZ3dORrBTQI34wLsA3IvvGLNs8m9hbfW0X87dwcCVMqHGUuUeTwdE8Vrg1AQqFzD9QOcHGxAi9Zhp9JYYkXIJwYVmX7Q0lw5y7Mk3oacvtN8SHuCfoMYc23rZWR6jTKUBhynZ9qm4v4gv9bZdd&dp2=P22981310_CR17481133_CA18661040&c8=service.srvmd6.com
Our dynamic and behavioral analysis runs confirmed it to be adware. It also drops a few DLLs, tmp and gif files in the system folder to support its activities.
File: setup.exe
MD5: 77a2f54fee9438a7dd4c20199a85737c
VirusTotal Report: 8/54

Users also need to be aware of various random Facebook posts and comments mentioning live streaming sites like hxxp://soccertv.blogdns.com/. We have also encountered such links when shared by friends on social networks.
The aforementioned link takes us to a video player updater site: hxxp://www.sweetplayer.com, which also hosts some adware scripts.
File: SweetPlayer_TSA24NBA7.exe
MD5: b035162687f54779a7c5739f08b9b79b
VirusTotal Report: 8/54

End users should be very wary of any site pushing executables. Browser plugin updates should only be proactively downloaded directly from the associated vendor. Don’t ever blindly trust a site suggesting a browser update.
Enjoy the World Cup!
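
For defenders, the pattern in the three cases above (a streaming page, a tracked landing page, then an installer) can be looked for in web proxy logs. The following Python is an added example, not code from the original post or from Zscaler: it flags executables served by hosts outside an assumed vendor allowlist and rebuilds the referer chain that led to them. The log layout, the `example.test` hostnames and `VENDOR_HOSTS` are constructed assumptions; the tracking parameter names are taken from the URLs quoted in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Tracking parameter names that appear in the landing-page URLs quoted in this post.
TRACKING_PARAMS = {"cid", "clickid", "subid", "appid", "line_item"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
# Assumption: hosts from which plugin or updater installers are accepted.
VENDOR_HOSTS = {"downloads.vendor.example"}

# Constructed proxy records (client, url, referer, content_type); not real traffic.
LP = "http://landing.example.test/lp/player/?v=18&cid=1&clickid=2"
SAMPLE_LOG = [
    ("10.0.0.5", "http://stream.example.test/live", "", "text/html"),
    ("10.0.0.5", LP, "http://stream.example.test/live", "text/html"),
    ("10.0.0.5", "http://dl.example.test/download3/abc?cid=1&clickid=2", LP,
     "application/x-msdownload"),
    ("10.0.0.9", "http://downloads.vendor.example/plugin/install.exe", "",
     "application/x-msdownload"),
    ("10.0.0.7", "http://files.example.test/tool.exe", "", "application/octet-stream"),
]

def is_executable(url, content_type):
    # The download URL may carry no file extension, so check the content type too.
    path = urlsplit(url).path.lower()
    return path.endswith((".exe", ".msi")) or content_type in EXECUTABLE_TYPES

def flag_pushed_installers(records):
    """Flag executables served by non-vendor hosts and rebuild the referer chain."""
    referer_of, alerts = {}, []
    for client, url, referer, ctype in records:
        referer_of[(client, url)] = referer
        if not is_executable(url, ctype) or urlsplit(url).hostname in VENDOR_HOSTS:
            continue
        chain, cur = [url], referer
        while cur and len(chain) < 10:  # hop limit guards against referer loops
            chain.append(cur)
            cur = referer_of.get((client, cur))
        tracking = sorted({p for hop in chain
                           for p in parse_qs(urlsplit(hop).query) if p in TRACKING_PARAMS})
        hosts = {urlsplit(hop).hostname for hop in chain}
        # A tracked, cross-site chain ending in an installer is the pattern described above.
        severity = "high" if tracking and len(hosts) > 1 else "review"
        alerts.append({"client": client, "download": url, "chain": chain[::-1],
                       "tracking": tracking, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in flag_pushed_installers(SAMPLE_LOG):
        print(alert["severity"], alert["client"], " -> ".join(alert["chain"]))
```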