Saturday, February 26, 2011

Padding video files to earn money!


Yesterday I saw a link to a very recent Spanish movie on a torrent site. It caught my attention because it was said to have very good video and audio quality, which was improbable given that the film had premiered only a few days earlier. So, I started downloading it just to see whether it was a fake or not.

When it was finally downloaded, I tried to open it with VLC Player. I could watch 4 seconds and then it suddenly stopped playing. First I thought that the "unRARing" process had gone wrong (it was strangely fast), so I did it again. However, I obtained the same result.

I decided to open the file with a hexadecimal editor, just to see if there was something "odd", and there was. First, I noticed that this film had been edited with "Windows Movie Maker" and transcoded with the WMV codec.

Then I kept looking: bytes that were meaningless to me (presumably the video data for those 4 seconds) and after that... the word "PADDING" repeated thousands of times. The file was not corrupted; it was filled with text.

[Figure: Video file opened with a hexadecimal editor]

Taking this into account, the compressed file should have been much smaller, but it wasn't (700MB). I checked with the "rar" utility and it told me that the compression rate had been set to 0%, i.e. the archive was stored without any compression at all.
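A small check I would run on a suspicious media file before touching any "codec" it asks for, written here as an added example (not code from the original post): it looks for one short printable token repeated back-to-back for most of the file, and measures the entropy of the tail, since real compressed video is close to 8 bits per byte while repeated text is far below. The sample bytes are constructed to mimic the file described above (a short header, a few "video" bytes, then "PADDING" thousands of times).

```python
import math
import re
from collections import Counter

# Constructed stand-in for the downloaded file: fake WMV-like header,
# a few bytes of "video", then the word PADDING repeated 2000 times.
SAMPLE = b"\x30\x26\xb2\x75WMV-ish-header" + bytes(range(64)) * 4 + b"PADDING" * 2000


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of the chunk (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def repeated_token_ratio(data: bytes, min_token: int = 4, max_token: int = 16):
    """Return (token, fraction) for the printable token (min_token..max_token
    bytes) whose back-to-back repetition covers the largest share of the file.
    A run must repeat at least 8 times to count, so normal headers are ignored."""
    pattern = rb"([\x20-\x7e]{%d,%d}?)\1{7,}" % (min_token, max_token)
    best_token, best_ratio = b"", 0.0
    for match in re.finditer(pattern, data):
        ratio = len(match.group(0)) / len(data)
        if ratio > best_ratio:
            best_token, best_ratio = match.group(1), ratio
    return best_token, best_ratio


def analyse(data: bytes, tail_bytes: int = 65536, ratio_threshold: float = 0.5) -> dict:
    """Flag a file whose bulk is one repeated token or whose tail is low-entropy."""
    token, ratio = repeated_token_ratio(data)
    tail_entropy = shannon_entropy(data[-tail_bytes:])
    # Real video data is near 8 bits/byte; repeated ASCII text is well under 4.
    suspicious = ratio >= ratio_threshold or tail_entropy < 4.0
    return {"token": token, "ratio": ratio,
            "tail_entropy": tail_entropy, "suspicious": suspicious}


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print(f"repeated token: {report['token']!r} covering {report['ratio']:.1%} of file")
    print(f"tail entropy: {report['tail_entropy']:.2f} bits/byte")
    print("verdict:", "PADDED, do not trust" if report["suspicious"] else "looks normal")
```

On the real 700MB file you would pass the bytes read from disk instead of SAMPLE; the regex scan is linear enough for a one-off check but not meant for bulk scanning.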

So, everything had clearly been done on purpose. Who would do that? At first I thought of the film industry, but then I found a comment attached to the RAR file:

"Thanks for downloading!
If you have problem playing the movie, download and install the codec below :
http://7d9e0c22.linkbucks.com"

That link led me to a website offering the download of an XVID codec. I knew I already had it installed, so that was not the problem. However, I downloaded it and submitted it to some online antivirus scanners: it was detected as "NSIS:LoudMo-B [Drp]".

Microsoft Malware Encyclopedia says:
"Adware:Win32/LoudMo is a program that delivers advertisements, monitors Web browsing habits and prompts advertising popups, while automatically updating itself." 

Doing a WHOIS lookup on the domain hosting the alleged XVID codec (downloaddirect.com), I found that it was owned by somebody with an email account at loudmo.com. If you visit the Loudmo website, you'll see that it is a company which pays for every install of its applications (all of which are fake copies of popular apps bundled with spyware).

Summing up, all this mess was made with the aim of making money and stealing information from users without their permission, but in a quite smart way.
A naive user would have downloaded the file, found that their video player couldn't play it, downloaded the "codec" and got infected with the spyware.

Today I found some more files on torrent sites with the same "content". So... double check what you download!