Erin Andrews is a popular ESPN sports reporter in the United States who recently made headlines outside the sports arena. In an unfortunate case of privacy invasion, a video purportedly capturing private moments of the reporter through a hotel room peephole was released on the Internet. The video generated a considerable amount of news.
In the anti-malware world, we follow a simple formula: “Media + Celebrity = Watch out for malware”. Whether you are an eager fan or just someone surfing the web for news, beware. A search for the right keywords on your favorite search engine can be expected to lead you to malware. In our investigation of this case, such a search led us to a malicious website hosted at [removed].report-cnn.com/[removed].

Although it was made to look like the real thing, this website is NOT related to CNN. At the time of research, it was still live and distributing malware using the “you need a video player” technique that has been used repeatedly in similar attempts in the past. With this method, the user is enticed by an attractive video but is told that a new video player program must be installed to watch it.
The victim clicks on a link that downloads and installs an executable program, which subsequently installs malware. This is usually followed by a pop-up message reporting that the downloaded video player program is corrupted!

The current case comes with a slight twist. The option to download the “video player” is given only if you already have Adobe Flash installed. This first step allows users to view some initial pictures, as if they were browsing legitimate news content on the site. It then further entices users to view the “live video” by installing a video player, which instead contains malware. Once the malware is downloaded, a video is actually streamed to the user from an external link at Google. This link, of course, has nothing to do with the downloaded video player. Gullible users would actually believe that running the downloaded program enabled them to view the video.
This malicious website recognizes the target operating system by checking the User-Agent banner information sent to the web server by the web browser client. In our tests, a .exe file was delivered to Windows-based web browsers, while a .dmg file was delivered to Mac OS-based web browsers.
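
A defender-side check for the two traits described above (a hostname that borrows a news brand it does not belong to, and a .exe or .dmg served from it), as an added example that is not part of the original post. The log format, the brand watch list, the `.example` hostnames and all sample lines are constructed assumptions.

```python
import re

# Assumed watch list: brand token -> registrable domains the brand really owns.
BRANDS = {"cnn": {"cnn.com"}}
# File types the post reports being served as the fake "video player".
PAYLOAD_EXT = (".exe", ".dmg")
# Assumed proxy log format: date client host path status "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def registrable(host):
    """Naive registrable domain (last two labels); use a public-suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_brand(host):
    """Return the brand a hostname borrows, or None if it is brand-owned or unrelated."""
    if any(registrable(host) in owned for owned in BRANDS.values()):
        return None
    tokens = re.split(r"[.\-]", host.lower())
    return next((b for b in BRANDS if b in tokens), None)

def flag_downloads(lines):
    """Return (date, client, host, platform) for payload downloads from lookalike hosts."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        date, client, host, path, status, ua = m.groups()
        is_payload = path.split("?")[0].lower().endswith(PAYLOAD_EXT)
        if status == "200" and is_payload and lookalike_brand(host):
            # Record the client platform from the User-Agent, the header the site keys on.
            platform = "mac" if "Mac OS" in ua else "windows" if "Windows" in ua else "other"
            hits.append((date, client, host, platform))
    return hits

# Constructed log lines (not real traffic); hostnames use the reserved .example TLD.
SAMPLE = [
    '2000-01-01 10.0.0.5 news.report-cnn.example /player/setup.exe 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '2000-01-01 10.0.0.9 news.report-cnn.example /player/MediaPlayer.dmg 200 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7)"',
    '2000-01-01 10.0.0.5 edition.cnn.com /video/index.html 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '2000-01-01 10.0.0.7 downloads.vendor.example /tools/setup.exe 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for hit in flag_downloads(SAMPLE):
        print(hit)
```

Only the two downloads from the brand-borrowing host are flagged; the page view on the brand's own domain and the installer from an unrelated host are not.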

The malware downloaded from this site is currently detected as FakeAlert-DA and FakeAlert-EL. For Mac OS users, the MediaPlayer.dmg malware will be detected as the OSX/Puper.a Trojan. In other related cases, we are currently detecting the malware as Generic FakeAlert.a and Generic FakeAlert.c.
We advise Internet users to refrain from installing programs that are linked to hot news and media sites.
Sadly, I had to report the malicious site report-cnn.com to Websense today 7/21, as they had not categorized it yet. Our first user successfully hit the site on 7/16….