A few weeks back we blogged about malware-laced codecs embedded in various Blogspot domains. Today within hours after the assassination of former Pakistani Prime Minister Benazir Bhutto, malware authors have started capitalizing on this news to spread a new fake codec. This time it is purported to be an assassination video of the former PM.

Claiming to be a New HD Codec, these malware authors attempt to social engineer users into believing they are downloading a legitimate codec for playing the video. At least 10 Blogger websites are observed to be hosting this fake video (at the time of writing this blog) which redirects the users to the typo-squatted domain containing fake codec:

http://video.googl.[removed]

Malicious code hosted on the 3322 domain is not something novel. One of the recent high profile attacks which pointed to a malicious script from the 3322 domain was the Indiatimes Mail hack.

There are a plethora of websites which attempt drive-by installations when unsuspecting users visit websites returning search engine results for “Benazir Bhutto”. Many of these compromised webpages have malicious scripts injected into the webpage which points to the 3322 domain. These webpages contain obfuscated variants of the MS06-014 exploit which is perhaps one of the most popular of all the exploits we see on a daily basis.

This fake Trojan Codec is detected by the current DATS as Puper. The downloaded exploit is detected as VBS/Psyme and the executable is detected as Generic Downloader.c

(Credits to Pradeep Govindaraju for the great malware analysis)