{"id":11487,"date":"2013-06-19T00:00:26","date_gmt":"2013-06-19T07:00:26","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=11487"},"modified":"2018-01-30T12:36:44","modified_gmt":"2018-01-30T19:36:44","slug":"rogue-oops-video-player-attempts-to-visually-social-engineer-users-mimicks-adobe-flash-players-installation-process","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/06\/19\/rogue-oops-video-player-attempts-to-visually-social-engineer-users-mimicks-adobe-flash-players-installation-process\/","title":{"rendered":"Rogue &#8216;Oops Video Player&#8217; attempts to visually social engineer users, mimics Adobe Flash Player&#8217;s installation process"},"content":{"rendered":"<p>Our sensors have just detected yet another rogue advertisement served through the Yieldmanager ad network, this one enticing users into downloading a rogue video player known as the &#8216;Oops Video Player&#8217;. What&#8217;s particularly interesting about this rogue ad campaign is that the PUA (<a href=\"http:\/\/blog.webroot.com\/tag\/pua\/\"><strong>Potentially Unwanted Application<\/strong><\/a>) attempts to visually trick users by mimicking Adobe Flash Player&#8217;s installation process.<\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><strong>Sample screenshot of the rogue ad:<\/strong><\/p>\n<p><a href=\"http:\/\/webrootblog.files.wordpress.com\/2013\/06\/oops_video_player_rogue_bogus_fake_adobe_flash_player_01.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-11489\" alt=\"Oops_Video_Player_Rogue_Bogus_Fake_Adobe_Flash_Player_01\" src=\"http:\/\/webrootblog.files.wordpress.com\/2013\/06\/oops_video_player_rogue_bogus_fake_adobe_flash_player_01.png\" width=\"301\" height=\"247\" \/><\/a><\/p>\n<p><strong>Sample screenshot of the landing page mimicking Adobe Flash Player&#8217;s installation process:<\/strong><\/p>\n<p style=\"text-align:center;\"><a 
href=\"http:\/\/webrootblog.files.wordpress.com\/2013\/06\/oops_video_player_rogue_bogus_fake_adobe_flash_player.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter  wp-image-11490\" alt=\"Oops_Video_Player_Rogue_Bogus_Fake_Adobe_Flash_Player\" src=\"http:\/\/webrootblog.files.wordpress.com\/2013\/06\/oops_video_player_rogue_bogus_fake_adobe_flash_player.png\" width=\"706\" height=\"267\" \/><\/a><\/p>\n<p>Detection rate for the rogue video player &#8211; <a href=\"https:\/\/www.virustotal.com\/en\/file\/01225d2810da7769d4f0ca4bce20ddf3240a0ed8f0f959291e22ce10f9a103ce\/analysis\/1371461998\/\"><strong>MD5: 9df30aa7a7796ae73b33a6ba7ba7bfb3<\/strong><\/a> &#8211; detected by 4 out of 47 antivirus scanners as Win32\/DomaIQ.C; Adware.DomaIQ; DomainIQ pay-per install; DomaIQ (fs). The sample is digitally signed by &#8216;Awimba LLC&#8217;.<\/p>\n<p><strong>Domain name reconnaissance:<\/strong><br \/>\n<em>ooopsvideo.com<\/em> &#8211; 54.214.92.56<\/p>\n<p><strong>More domains of rogue applications, part of the same network, are known to have phoned back to (domaiq.com\u00a0&#8211; 37.59.180.17), for instance:<\/strong><\/p>\n<p>The monetization takes place through the DomaIQ (<strong>domaiq.com<\/strong> &#8211; 37.59.180.17) pay-per-install affiliate network, with the cybercriminals participating in it earning revenue every time a successful installation of the rogue application takes place.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2013\/06\/oops_video_player_rogue_bogus_fake_adobe_flash_player_02_domaiq.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter  wp-image-11492\" alt=\"Oops_Video_Player_Rogue_Bogus_Fake_Adobe_Flash_Player_02_DomaIQ\" src=\"http:\/\/webrootblog.files.wordpress.com\/2013\/06\/oops_video_player_rogue_bogus_fake_adobe_flash_player_02_domaiq.png\" width=\"655\" height=\"538\" \/><\/a><\/p>\n<p><strong>We&#8217;re 
also aware of the following rogue MD5s part of the same affiliate network monetization process:<\/strong><\/p>\n<p>We&#8217;ll continue monitoring this pay-per-install affiliate network&#8217;s activities. 
Meanwhile, users are advised to avoid interacting with the &#8216;Oops Video Player&#8217;.<\/p>\n<p><em>You can find more about Dancho\u00a0Danchev at his\u00a0<strong><a href=\"http:\/\/linkedin.com\/in\/danchodanchev\">LinkedIn Profile<\/a><\/strong>. You can also\u00a0<strong><a href=\"http:\/\/www.twitter.com\/danchodanchev\">follow him on Twitter<\/a><\/strong>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our sensors have just detected yet another rogue advertisement served through the Yieldmanager ad network, this one enticing users into downloading a rogue video player known as the &#8216;Oops Video Player&#8217;. What&#8217;s particularly interesting about this rogue ad campaign is that the PUA (Potentially Unwanted Application) attempts to visually trick users by mimicking Adobe Flash [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4985,15057,9675,15063,15075,15073,15061,15071,15055,15049,11349,4893,15069,15065,15053,15059,15051,5605,4791,15067],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11487"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=11487"}],"version-history":[{"count":1,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11487\/revisions"}],"predecessor-version":[{"id":23842,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11487\/revisions\/23842"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https:
//www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=11487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=11487"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=11487"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=11487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}