Danger Will Robinson - don't watch that video

I got a taste today of the ever present danger that is the Internet. A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an email listing the new web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious web page in the list of those referencing my client. The page tried to install malicious software on my computer. Hopefully the details of the scam, described below, will educate anyone not yet sufficiently skeptical about life on the Internet.

Initially, Google sent me to
clarkjohnlzl22.blogspot.com
which purported to mention my client by name. It doesn't. But it does have a big video box with the usual Play button on it. Clicking the Play button, at least as of this writing, takes you to
gift-vip.net/videos/?name=crystal+children
Recently it took me to
gift-vip.net/videos/?name=steve+harvey+bald
On another computer, it took me to
websoft-a.com/download/504/411/0/

Update. January 24, 2008: The next day, the Google Alert email linked to another malicious web page peggynoonztj46.blogspot.com. Just like the clarkjohnlzl22 phony blog, this site too had a video that required the installation of software from gift-vip.net

The video doesn't play, but instead generates the error window shown below.

Clicking anywhere in this error window leads you down a dangerous path. There is almost no getting away from the nagging to install the software. For example, clicking Cancel, just results in nags similar to those below (one is from Firefox, one from IE6).

Here again, clicking Cancel or the official "X" does nothing useful. These prompts also prevent access to other open Firefox tabs. The only way to get out of this is to kill your web browser. But, clicking the "X" in the top right corner of the browser window does nothing (technically, the install prompts are modal). Normally you can right click on the task bar entry for a program and close the program from there. That too, doesn't work in this case.

To kill your browser in Windows XP, use Task Manager (see my prior posting Task Manager - useful enough to run all the time). Right click on the task bar and select Task Manager from the pop-up menu, then navigate to the Applications tab. Click on your web browser in the list of active applications, then click on the End Task button at the bottom of the window.

In the interest of research, I downloaded the file. Don't try this at home. Needless to say, I didn't install the software. Instead I had it analyzed at VirusTotal.com a great web site that analyzes a single file with many different antivirus products. (for more see Can you trust that file?).

As is usual at VirusTotal, some antivirus programs found the file to be malicious, others gave it clean bill of health. Among those that felt the software was safe were NOD32, BitDefender, Ewido and eTrust-Vet. Most products however, considered the file malicious. Among them were:

AntiVir 7.6.0.48 2008.01.23 HEUR/Malware
Avast 4.7.1098.0 2008.01.23 Win32:DNSChanger-SF
AVG 7.5.0.516 2008.01.23 Generic_c.FTY
ClamAV 0.91.2 2008.01.23 Trojan.DNSChanger-2168
F-Secure 6.70.13260.0 2008.01.23 Trojan.Win32.DNSChanger.aqd
Kaspersky 7.0.0.125 2008.01.23 Trojan.Win32.DNSChanger.aqd
McAfee 5214 2008.01.23 Puper.gen.d

There are two lessons here. First, any one anti-malware product can only provide so much protection. Second, any software that is pushy about getting itself installed, you don't want.

Update. January 25, 2008. As a couple people commented below, another point here is that you are safer by not running Windows. The comments were about Macs but the same can be said about Linux.

See a summary of all my Defensive Computing postings.