Monday, January 30, 2012

Naked Emma Watson video used to spread malware

Fake videos with funny or sexual content, have long been used to entice users to download and install malware. The technique is used by hackers to convince users that they need to install additional codecs, or software, in order to play the video.

I've found several websites redirecting to "Emma Watson never seen before home video" hosted on various rr.nu domains: strongrzholder.rr.nu, smartutnetwork.rr.nu, etc. The page looks very similar to a YouTube page, with related videos on the left, and fake comments below the player.

Emma Watson never seen before home video


A click on the Play button, or any link on the page, shows a warning that the Flash player is out of date and a new version needs to be installed in order to play the video.

Warning about outdated Flash version
The warning is very well designed. It feels like a desktop software with an animated download function, despite being part of the web page. The user is enticed into downloading and installing a file called scandsk.exe.

Malicious executable
 

Virustotal report

Be aware of any update done outside of official vendor websites.