
Bogus Video player update FIREFOX


3 replies to this topic

#1
NEMISIS

    Advanced Member

  • Full Member
  • 102 posts
  • Location: The usual place.

Bullshit Alert

Today I was asked to update my video player due to an outdated version of Firefox.

This was a tip off that something nefarious was about to happen, as I have the latest version of FF.

There are more clues.

A huge full-page pop-under after visiting a page claimed my video player needed updating because my Firefox was out of date.
That is rather a stupid mistake; why update one because of the other?
The pop-under URL was about half a mile long and contained two web addresses not associated with Mozilla or any video players that I use.
The page looked like an official Mozilla bulletin; however, Mozilla does not do that, and the FF logo was backwards.
Blue on the bottom, orange on top.

This is the URL.

http://www.bvozo1y90j.com/6A445F3F404E38314571783373295B561AFB0521A460350CF5FA43A0C5E1F21BAD112B3F431355DEDEFFB79F5D7EDC58?pixel=1413809000529_1413808997775_112_590_11694859_1&tgu_src_lp_domain=ww.dlsofteclipse.com

Notice the built-in redirect?
Notice the word "BAD"? Seriously, why not just call it "harmlessupdatenotmalware"?


Basically what will happen here is a folder will be created that allows a browser add-on to install silently that will allow malware to install itself, and then reinstall itself if it is removed.
Do not click on this pop-under. Use ALT-F4 to kill the process while it is displayed. If you continue to get this pop-under, do a malware scan.
Reset Firefox via the "Troubleshooting Information" link in the Help tab.

I have not seen this on IE and I don't use Chrome or Opera so I do not know if the scam is on them.


Enjoy

#2
Zutroy_II

    Advanced Member

  • Registered User
  • 57 posts
  • Location: Canada
bvozo1y90j.com

This gibberish domain was purchased specifically to act as a proxy to front the delivery

Domain Name: BVOZO1Y90J.COM
Registrar WHOIS Server: whois.name.com
Registrar URL: http://www.name.com
Updated Date: 2014-10-15T11:28:58-06:00
Creation Date: 2014-10-15T11:28:58-06:00
Registrar Registration Expiration Date: 2015-10-15T11:28:58-06:00
Registrar: Name.com, Inc.

See, it was bought last week.

Next is a set of data parameters to the server providing the actual payload

6A445F3F404E38314571783373295B561AFB0521A460350CF5FA43A0C5E1F21BAD112B3F431355DEDEFFB79F5D7EDC58
This is a hex-encoded 'resource'. Likely an encrypted message meaning something useful like the source domain, or a key. 96 digits (i.e. 48 bytes) long.

pixel=1413802900059_1413808997775_112_590_11694859_1
The first two numbers are Unix timestamps with microsecond precision:
10 / 20 / 14 @ 11:01:40am UTC
10 / 20 / 14 @ 12:43:17pm UTC
Oh look, it's this morning :)
Not sure what the others are. Likely some other kind of tracking data.

tgu_src_lp_domain=ww.dlsofteclipse.com
Likely the source domain where this request is directing the proxy server to fetch the payload from. Registered to someone in Spain.

I could figure out more for you if I was at work, my home machine isn't hardened enough for me to want to fire off requests :)
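A defender-side triage of the URL quoted in the first post, written here as an added example (it is not code from this thread or from either poster): it splits the URL into host, path and query, flags a path that is pure hex and reports its byte length, decodes all-digit query fields as Unix timestamps by their width (13 digits are treated as milliseconds since the epoch), measures how digit-heavy the second-level label is as a rough "gibberish domain" signal, and lists query values that look like a different hostname, which is the redirect the first post points at. The function names `triage_url`, `decode_epoch_field`, `looks_like_hostname` and `sld_digit_ratio` are my own; the only input is the thread's URL joined back onto one line.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed input: the pop-under URL quoted in the first post, joined onto one line.
SUSPICIOUS_URL = (
    "http://www.bvozo1y90j.com"
    "/6A445F3F404E38314571783373295B561AFB0521A460350CF5FA43A0C5E1F21BAD112B3F431355DEDEFFB79F5D7EDC58"
    "?pixel=1413809000529_1413808997775_112_590_11694859_1"
    "&tgu_src_lp_domain=ww.dlsofteclipse.com"
)

HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_hex_blob(s):
    """True when s is a non-empty, even-length run of hex digits (decodes to whole bytes)."""
    return len(s) >= 2 and len(s) % 2 == 0 and all(c in HEX_DIGITS for c in s)


def decode_epoch_field(field):
    """Interpret an all-digit field as a Unix timestamp by its width:
    10 digits = seconds, 13 = milliseconds, 16 = microseconds. Anything else -> None."""
    if not field.isdigit():
        return None
    divisor = {10: 1, 13: 1_000, 16: 1_000_000}.get(len(field))
    if divisor is None:
        return None
    return datetime.fromtimestamp(int(field) / divisor, tz=timezone.utc)


def looks_like_hostname(value):
    """Dotted label string using only [A-Za-z0-9.-] with at least one letter (rules out IPs/numbers)."""
    return ("." in value
            and all(c.isalnum() or c in ".-" for c in value)
            and any(c.isalpha() for c in value))


def sld_digit_ratio(hostname):
    """Share of digits in the second-level label; a crude signal for machine-generated names."""
    labels = hostname.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return sum(c.isdigit() for c in sld) / len(sld)


def triage_url(url):
    """Break a suspicious URL into the indicators a responder would record."""
    parts = urlsplit(url)
    path = parts.path.lstrip("/")
    hex_path = is_hex_blob(path)
    report = {
        "host": parts.hostname,
        "sld_digit_ratio": sld_digit_ratio(parts.hostname),
        "path_is_hex": hex_path,
        "path_bytes": len(path) // 2 if hex_path else None,
        "timestamps": [],        # (param, datetime) for fields that decode as epochs
        "embedded_domains": [],  # (param, hostname) for values that name another host
    }
    for key, values in parse_qs(parts.query).items():
        for value in values:
            # Tracking fields are often '_'-joined; check each piece for an epoch.
            for field in value.split("_"):
                ts = decode_epoch_field(field)
                if ts is not None:
                    report["timestamps"].append((key, ts))
            if looks_like_hostname(value) and value != parts.hostname:
                report["embedded_domains"].append((key, value))
    return report


if __name__ == "__main__":
    r = triage_url(SUSPICIOUS_URL)
    print("host:", r["host"], "(digit ratio in SLD: %.2f)" % r["sld_digit_ratio"])
    print("hex path:", r["path_is_hex"], "bytes:", r["path_bytes"])
    for param, ts in r["timestamps"]:
        print("timestamp in", param + ":", ts.isoformat())
    for param, host in r["embedded_domains"]:
        print("other host named in", param + ":", host)
```

On the thread's URL this reports a 48-byte hex path, two millisecond timestamps in `pixel` (12:43:20 and 12:43:17 UTC on 2014-10-20) and `ww.dlsofteclipse.com` as a second host named in `tgu_src_lp_domain`; the smaller fields (`112`, `590`, `11694859`, `1`) are not wide enough to be epochs and are left alone. Nothing here contacts either domain, which is the point of a static triage step before anyone decides to look closer from an isolated machine.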

#3
NEMISIS

    Advanced Member

  • Full Member
  • 102 posts
  • Location: The usual place.
Thanks Zut, I forwarded the info to Mozilla, Yahoo and Adobe.

Avast was key to stopping this from being self installed.

If anyone else has encountered it, cough up some info: browser and security suite.

#4
DisMeMbeR

    Advanced Member

  • Registered User
  • 63 posts
  • Location: Idaho
I have seen this pop up on my PC but never installed it. Normally it happens when I am looking for free TV and movie episodes online.
Dip Dip potato chip