Saturday, February 26, 2011

Padding video files to earn money!


Yesterday I saw a link to a very recent Spanish movie on a torrent site. It caught my attention because the listing claimed very good video and audio quality, which was improbable given that the film had opened in cinemas only a few days earlier. So I started downloading it just to see whether it was a fake or not.

When it was finally downloaded, I tried to open it with VLC Player. I could watch 4 seconds and then it suddenly stopped playing. At first I thought the "unRARing" process had gone wrong (it was strangely fast), so I did it again. However, I obtained the same result.

I decided to open the file with a hexadecimal editor, just to see if there was something "odd", and there was. Firstly, I noticed that this film had been edited with "Windows Movie Maker" and encoded with a WMV codec.

Then I kept looking: bytes that were meaningless to me (they seemed to be the video data for those 4 seconds) and after that... the word "PADDING" repeated thousands of times. The file was not corrupted; it had been filled with text.

(Image: video file opened with a hexadecimal editor)
Taking this into account, the compressed RAR should have been much smaller than the video, since a file that is mostly the same seven bytes repeated compresses to almost nothing, but it wasn't (700MB). I checked with the "rar" utility and it reported that the compression rate had been set to 0%, i.e. the file had been stored without compression so that the archive would keep the size of a real movie...
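The two observations above (a tail made of one short repeated word, and a file that would compress to almost nothing) can both be checked programmatically before anyone reaches for a "codec". The following is an added example, not code from the original post: it computes a per-chunk Shannon entropy profile, measures how much of the file is covered by a short pattern repeated from the end, and reports the zlib compression ratio as a stand-in for the rar check. The sample data is constructed here (a pseudo-random stream standing in for genuine compressed video, followed by "PADDING" repeated), not bytes from the file described in the post.

```python
import math
import random
import zlib
from collections import Counter

# Constructed sample data (not from the post's file). Compressed video looks
# close to random, so a seeded pseudo-random stream stands in for the genuine part.
_rng = random.Random(7)
CONSTRUCTED_GENUINE_STAND_IN = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
# The fake file: a short genuine-looking head followed by a filler tail.
CONSTRUCTED_PADDED_FILE = CONSTRUCTED_GENUINE_STAND_IN + b"PADDING" * 20000


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte in `chunk` (0.0 for an empty chunk).
    Compressed video sits near 8.0; repeated ASCII text sits far below."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, chunk_size: int = 4096) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def trailing_filler(data: bytes, max_len: int = 16) -> tuple:
    """Find the shortest pattern (1..max_len bytes) whose back-to-back repetition,
    scanned backwards from the end of the file, covers the largest share of it.
    Returns (pattern, fraction_of_file_covered)."""
    best = (b"", 0.0)
    for plen in range(1, max_len + 1):
        if plen > len(data):
            break
        pattern = data[-plen:]
        pos = len(data)
        while pos - plen >= 0 and data[pos - plen:pos] == pattern:
            pos -= plen
        frac = (len(data) - pos) / len(data)
        if frac > best[1] + 1e-9:  # strictly better only, so the shortest wins ties
            best = (pattern, frac)
    return best


def compression_ratio(data: bytes) -> float:
    """compressed_size / original_size with zlib; near 1.0 for real video,
    far below it when most of the file is filler."""
    return len(zlib.compress(data, 9)) / len(data)


def looks_padded(data: bytes, entropy_threshold: float = 6.0,
                 min_low_fraction: float = 0.5) -> dict:
    """Flag a file as suspicious when at least `min_low_fraction` of its chunks
    fall below `entropy_threshold` bits/byte. Also reports the filler pattern,
    its coverage, and the compression ratio for the analyst."""
    profile = entropy_profile(data)
    low_fraction = (sum(1 for e in profile if e < entropy_threshold) / len(profile)
                    if profile else 0.0)
    pattern, filler_fraction = trailing_filler(data)
    return {
        "low_entropy_fraction": low_fraction,
        "filler_pattern": pattern,
        "filler_fraction": filler_fraction,
        "compression_ratio": compression_ratio(data),
        "suspicious": low_fraction >= min_low_fraction,
    }


if __name__ == "__main__":
    for name, blob in (("padded", CONSTRUCTED_PADDED_FILE),
                       ("genuine stand-in", CONSTRUCTED_GENUINE_STAND_IN)):
        print(name, looks_padded(blob))
```

The entropy threshold of 6.0 bits/byte is a conservative assumption: any modern video codec produces output well above it, while natural-language filler such as the repeated word seen here lands around 2.5. Running the check on a downloaded file before trusting an accompanying "install this codec" note is the cheap version of what the hex editor showed.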

So everything had been done on purpose. Who would do that? At first I thought of the film industry, but then I found a comment attached to the RAR file:
"Thanks for downloading!
If you have problem playing the movie, download and install the codec below :
http://7d9e0c22.linkbucks.com" 

That link led me to a website offering the download of an XVID codec. I knew I already had it installed, so that was not the problem. However, I downloaded the file and submitted it to some online antivirus scanners: it was detected as "NSIS:LoudMo-B [Drp]".

Microsoft's Malware Encyclopedia says:
"Adware:Win32/LoudMo is a program that delivers advertisements, monitors Web browsing habits and prompts advertising popups, while automatically updating itself." 

Doing a WHOIS lookup on the domain hosting the alleged XVID codec (downloaddirect.com), I found that it was owned by somebody with an email account at loudmo.com. If you visit the Loudmo website, you'll see that it is a company which pays for every install of its applications (all of which are fake copies of popular apps bundled with spyware).

Summing up, all this mess was made with the aim of earning money and stealing information from users without their permission, and in a fairly smart way: a naive user would download the movie, see that their video player can't play it, then download the "codec" and get infected with the spyware.

Today I found some more files on torrent sites with the same "content". So... double check what you download!

4 comments:

  1. Hey Miguel... nice post about the spyware... I also downloaded a movie which wouldn't play but instead of downloading the player I put the website in a Google search to see if there was any kind of warning from anyone and your article was one of the first I saw.

    I thought your article was really informative and well-written. It saved me from downloading a virus and for that I thank you. I like the look of your blog and I think if you would write more articles protecting us pirates from crap viruses I think your blog would pick up traction.

    I'm an American living in Saudi Arabia and about to move to China, and so if I don't pirate, I am not entertained. When I teach people how I get movies and TV shows and VPNs, everyone's number one concern is about getting viruses. Being a guide to avoiding viruses is a real service many downloaders, in particular newbies, would appreciate.

    Thanks for the good work.

    Dave

  2. Thanks! I downloaded a movie, couldn't play it, and read the text file that came with it, and it also has this URL:

    http://7d9e0c22.linkbucks.com

    So I searched the net and I found you, thanks for the heads up!
