We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware.
The movie “Obsessed” was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc.—along with the movie’s name, of course. So, a search phrase such as “obsessed movie online free full video” would yield results similar to the following:
The first search result we received was from digg.com. The digg.com page that was listed is flooded with the keywords related to movie:
However, when a user clicks on the link it redirects to a blog hosted on blogspot.com:
Then, once the user clicks on an image that appears to be a video player window, it redirects to a codec download. Unfortunately this turns out to be a fake codec. More investigation revealed that blogspot.com has been abused by attackers with multiple, similarly styled posts. The immediate and interesting observation is that these blogs are using similar templates.
The table below shows attackers are closely pursuing new movie releases in order to spread malware:
For example, the image below shows the blog that was posted for the movie InkHeart. This blog used a template similar to the one used in the previous sample and it also redirects users to a website that is hosting malware:
These blogs usually contain a link that redirects users to malicious sites using multiple redirections. This enables cybercriminals to continually change the site that finally delivers the malware.
Interestingly enough, the malicious site to which users are being redirected is serving malware for Windows as well as for Mac OS. This is based on the user-agent string of the browser. For a Windows browser agent it delivers a Trojan intended for the Windows operating system, and for a Mac OS browser agent it delivers a Trojan for the Mac operating system. The following image shows the same URL delivering a Win32 Executable for IE8, as well as a .dmg file for Safari4 when the user agent for the Mac OS is used:
Symantec antivirus products detect this threat as Trojan.Fakeavalert for Windows and as OSX.RSPlug.A for Mac OS. Users should be aware of these social engineering techniques and should use caution when visiting any such sites. Symantec customers are protected from this attack with the latest antivirus and IPS definitions.