Nico Nico, meaning “smile” in Japanese, is one of the biggest video sharing sites in Japan, with more than 30 million free members and over 2 million paid subscribers.
Rumors surfaced earlier today, claiming that some users who were watching videos on Nico Nico saw a strange pop-up message, asking them to update Flash Player to the latest version.
Figure 1. The suspicious pop-up message, which says “This page cannot be displayed! Update to the latest version of Flash Player!”
The domain that the pop-up message appears from, downloads.[REMOVED].biz, does not look like it belongs to Adobe or Nico Nico.
If the user clicks “OK” on the pop-up message, they will be redirected a fake Flash Player download site, which mimics the appearance of the legitimate Adobe website.
Figure 2. Fake Adobe Flash Player page observed in this campaign
The latest legitimate update for Adobe Flash Player is version 14.0.0.125, but the fake download page claims to offer 11.9.900.152.
Figure 3. Legitimate Adobe Flash Player download page
If the user downloads and installs the fake update, the software gathers information, such as the user’s Web browser, the computer’s globally unique identifier (GUID), the hard drive’s serial number, and the MAC address. It then sends these details to a remote location. The software also drops an additional file which downloads a configuration file. This configuration file is encoded and changes at every download.
While some have suggested that users have been redirected to the attacker’s page through ads displayed on Nico Nico, we have not yet confirmed the exact redirection method. We also have not seen any evidence to suggest that Nico Nico has been compromised.
At any rate, Symantec customers will not see the fake download site if they have enabled their Intrusion Prevention System (IPS), as the product blocks access to the site through the following signature:
Symantec also protects users against the fake Flash Player installer file under the following detection:
If users need to install the latest version of Adobe Flash Player, they should do so from the legitimate Adobe website or through the program’s auto-update feature.
Symantec is continuing to investigate this threat and will update this blog with more information in due course.
Update – June 20, 2014
Nico Nico posted an announcement today, confirming that the redirect was caused by script inserted into ads that were distributed through MicroAd. MicroAd said in a statement that its investigation is under way.
In our analysis of the downloaded installer, we observed that the installer’s configuration file is compressed and is in the JSON format.
Figure 4. Compressed configuration file downloaded by the installer component
The uncompressed configuration file’s behavior resembles that of SecurityRisk.Downldr’s.
Figure 5. Uncompressed configuration file.
This file includes a lot of references to remote software installers, which will be downloaded to the affected computer in a sequence.
A lot of the terms seen in the configuration file are IDs for the scammer’s affiliates, such as MinitizationTypes, Payout, Promotion Rate, CTID, and affilid. When the relevant downloaded software is executed, the scammer claims affiliate rewards based on the number of successful installs of the software.
Some of the software that the fake Flash Player page delivers includes:
- FLV Player
- System Speedup
- Search Protect
- VuuPC
- RegClean Pro
- Hao123
- Buzz-it
- ConstaSurf
- VLC
- Plus HD2
We believe that the developers of this software are not behind this scam. The only responsible party is the affiliates and their associates.
Before the downloaded software is executed, a window is displayed, asking users to accept the software installation. In one example, despite the fact that “FLV Player” is displayed in big letters on the top of the message, a closer look reveals that this offer is really for the ConstaSurf software. This could allow the scammer to trick users into installing certain software.
Users can opt out of the software installation by simply clicking “decline”.
Figure 6. Offer screen for ConstaSurf
The fake Flash Player download website was likely created by the affiliate or their associates. It’s unclear if the affiliate compromised MicroAd to redirect users to this fraudulent site, but it would not be a huge surprised if they took part in the incident.
The Symantec IPS signature that blocked access to the fake Flash Player download website also stops download activities that are triggered by unwanted means.
The installer file has been remapped to SecurityRisk.Downldr from Trojan Horse.