March 4, 2015 · computer security trojans hacking

Avoid getting hacked - watch out for trojans

Earlier today, I received a message on Skype on my PC from a friend.

Malisa Ncube video: :)

The message came through a contact on Skype, who I suspect has infected his PC. On clicking the link, one would see a screen like this below.

It quite deceptive in that, it pretends to be buffering the video and the play button in the center glows like any common video you can play. It was quite suspicious for me in that moment because I was accessing internet from a restricted network which does not allow videos, YouTube, and other social networks. I was curious, so I clicked the play button. The site pretended to be loading and then displayed the following message.

This was even more interesting because, I wondered what plugin I need to run this video. My first assumption was that when I click on the Install plugin... button it would redirect me to and enable me to install flash before redirecting back to the site, but No. Clicking on the link downloads a setup.exe file which you don't know what it may do to your PC.

Lets get back to the beginning and look at the address bar. It reads

so I tried a couple of things. I changed it to

and you may already suspect what happened. The initial impression is that of a video personalised to you, but by changing the url to Saggy Pants, it will be dedicated to Mr Saggy Pants. Now lets look at the source.

The code that presents the install button is as follows

            <div id="cap">
                <p><img src="images/icon.png?id=5"></p>
                <p>A plugin is needed to display this video</p>
                <p><button onclick="nw()">&nbsp;Install plugin...&nbsp;</button></p>

By clicking on the button you invoke the nw() function shown below. The entire site is made up of one HTML file with javascript embedded and the truth is there is no video to talk about here. The player you see on the first page is drawn by a CSS style.

        var nw=function(){

            var b="http://"+location.hostname+"/setup.exe";
      "data:text/html,"+encodeURIComponent("<html><head><script>window.location.href='about:blank';\x3c/script></head></html>"),"__dFrame");window.setTimeout(function(){var a=window.document.createElement("script");a.type="text/javascript";a.text="window.location.href='"+b+"'";___newWindow.document.head.appendChild(a)},100)

            ga('send', 'pageview', '/d');


I also noticed the developer of the site is interested in analytics of his site. So he embedded some google analytics on it as follows.

There is also a comment box below which look like it will post the comment to your facebook account. The code is shown below. Check the data-href :)

        <div id="comments">
            <div style="position:absolute;top:0;right:0;width:100%;height:400px;z-index:9999"></div>
            <div id="fb-root"></div>
            <script>(function(d, s, id) {
              var js, fjs = d.getElementsByTagName(s)[0];
              if (d.getElementById(id)) return;
              js = d.createElement(s); = id;
              js.src = "//";
              fjs.parentNode.insertBefore(js, fjs);
            }(document, 'script', 'facebook-jssdk'));</script>
            <div class="fb-comments" data-href="" data-width="1000" data-numposts="5" data-colorscheme="light"></div>


NOTE: So next time you open a link, it is important to ensure that it does not prompt you to download some setup file that will possibly enable the hacker to gain access to your PC, or spread through your Skype application sending messages to your contacts.

Comments powered by Disqus