NEWS FROM THE LAB - Tuesday, November 14, 2006

Codec No. 107 Posted by Kamil @ 14:31 GMT

While browsing the Internet for movies – *cough* pr0n – people often end up downloading some DRM-protected material, bundled with a license that uses social engineering tactics to push the victim into downloading a "codec". These supposed codecs download and install malware known as Zlob.

I've been keeping an eye on some of these codecs for quite a while, and one of my conclusions: they need more templates for their websites. The thing is, all of them look alike. They basically choose one of a few templates, and then only change a couple of things such as the top-left corner logo and the codec name. So here's an example:



Right now, all of these sites (keycodec, ivideocodec, jpegencoder, lightcodec, elitecodec, qualitycodec, et cetera) default to using a filename of "FakeCodec.107.exe". So currently, fake codecs with the number 107 in their name should be an easy tell to avoid. However, when an affiliate pushes one of these sites, the filename number might also change to reflect his ID.

Here are some other templates used by this gang:



Sunbelt's blog frequently posts fake codec site URLs to avoid. Good Guys.

Kurt Wismer also has some good advice: Get a good media player that handles multiple formats, and then be very suspicious of anything else prompting you for a new codec.

Well, bye for now,