zCodec Video Codec Is a Trojan
Bride of Chucky writes "There's a new video codec out there that claims to offer 'up to 40 percent better video quality' but that resets your computer's DNS settings — opening the way for Trojans, rootkits, or whatever. Techworld warns that zCodec looks professional enough, is widely available, and comes in at 100KB. What's the bet the media companies are behind this somewhere?"
I'd give a lot more consideration to an enterprising spammer/botnet advertiser being behind this.
Follow the money. The MPAA has plenty to make off p2p lawsuits to risk the kind of bad press and fines they'd get by doing something like this.
Basically, the submitter is an irrational idiot pandering to the anarchist conspiracy theorists in an attempt to start a flamewar. Congratulations, you've probably got it.
40% better video performance but NO LINK TO IT? Come on!
What are "the media companies" and why would they be behind this?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
... then this problem won't arise.
Is there any evidence that they are behind this codec?
Don't you think that after the Sony rootkit most companies wouldn't bother with such schemes...
Gimme an S.
S!
Gimme an O.
O!
Gimme an N.
N!
Gimme a Y
Why? They put rootkits on CDs. They are just the kind of company that would make a video codec that is a trojan.
The Uncoveror: It's the real news.
If it opens backdoors it would make sense that media companies can use it to check for pirated software.
I was able to connect fine this morning, then for some reason many sites stopped working. After various troubleshooting, I discovered that my computer had been changed from obtaining the DNS automatically to specifying 4.2.2.2.
Anyone have any idea what might have happened? I didn't download or install anything in the time frame that this happened.
A tin-foil hat is a mark of someone who can, in all seriousness, say 'if it looks like a duck, and quacks like a duck, then it must be a concealed listening device placed by the government under the instruction of the military-industrial complex and funded by the media industry.' The poster should wear his with pride.
I am TheRaven on Soylent News
"looks professional enough"?? No way! It has a direct link to the .exe from the front page, without any annoying EULA or email-address harvesting page to click through first. That's a dead giveaway that this isn't legit! (Sad but true.)
Just had a quick run through their therms[sic] and at the bottom there's a URL for http://www.vcodec.com/terms.html. However, that URL just leads to a page of sponsored links.
They also have a Support form on their site. Wonder if they actually are reading the support enquiries or just harvesting emails?
I've got a fever and the only prescription is more COBOL.
This ranks right up there with the scores of malware programs that pretend to be malware removers. I assume the original poster would have us believe that all those are really written by the likes of Symantec and McAfee?
First rule of trauma: Bleeding always stops.
This is another great example of how lack of technical knowledge can be used to take advantage of "home users".
Joey Dell doesn't see the difference between technical details of OSS and proprietary software; all he sees is the malware being marketed as "Faster, Smaller, Better".
perpetually dwelling in the -1 pits
And why is the webpage still active?!?
Will it run on Linux? We don't want to feel left out again. These damned malware-laden proprietary crap!
That's incredibly presumptuous and a completely baseless accusation. There are lots of people who can clearly benefit from trojans, and someone obviously has seen the potential in video codecs as a nice "social engineering" way of fooling the gullible masses into downloading them. The average person generally searches for video codecs once in a blue moon - they have no way of knowing which sites are legitimate, or which files are legitimate. They'll download whatever sounds promising. In fact, the website looks far more legitimate than some of the genuine codec sites out there.
Smarter users might do regular intensive searching to make sure they are getting a legitimate file, but the average user will not. It's far more likely that the author of this trojan is just exploiting the fact that so many users of codecs are clueless than yet another paranoid conspiracy that the media companies are behind it. Really, will the slashdot editors ever get over their bias and just print actual NEWS.
Enough is enough. A message needs to be sent to these bastards. Suing and fines only do so much. They fine these bastards, they file for bankruptcy and it's over. They close the company and the fines and suits go away. Can't sue what doesn't exist, and current corp. laws protect them from going after personal assets.
Time to bring some real charges against these fuckers and send a few of them to prison for a good long stretch. And I'm not talking 6 months in a jail with 500 hours of community service. I'm talking 10 years in maximum security.
I know some people say the punishment doesn't fit the crime, but I think it's time it did. If we had locked up some of them bastards from Sony then I bet this one wouldn't happen.
Supporting World Peace Through Nuclear Pacification
ZCodec Inc
Abrahamen Biderman
webmaster@zcodec.com
5624 17th Ave
Brooklyn
New York
NY,11204-1834
Tel. +718.2364275
Creation Date: 23-Dec-2005
Expiration Date: 23-Dec-2006
Okay, first of all, it was registered almost a full year ago, and second, even now I could probably drive to his house/office (assuming that info is accurate) and arrest him myself faster than the FBI could. Why does everyone always sit around and do nothing when stuff like this happens? Someone should at least give him a call :-) It's not even Nigeria this time, how expensive could it be?
now stop reading and go play Dance Dance Revolution!
...because even if it were true, we'd likely never see proof. As such, that kind of speculation in a story submission is immature on the part of the submitter and allowing it to go out unedited is irresponsible of the editor. (Bonus points if they're the same person, I didn't check.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
"The media companies are behind this"? Are you letting twitter loose on the Submit Story function now?
Whoever wrote that needs their heads checking.
By summer it was all gone...now shesmovedon. --
There is a 17th Avenue in Brooklyn.
The address given in the Whois search exists. It's apparently an office building.
I have actually seen legitimate companies make spelling errors on pages. Sometimes, if I like the company, I email them a notice.
.... Therms of use
But what web coder would equally misspell the *filename*??!
<a class="link" href="therms.html">
THAT is what cues the alarms.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Fire twinklers and a full spread of light balls! Fukkkkov!
Looks like this is coming from a known source of spyware in Ukraine, "Inhoster.com".
"zcodec.com" is actually "85.255.117.106-xbox.dedi.inhoster.com", a dedicated server at a "nlayer.net" colocation site in San Francisco. The dedicated server appears to be associated with "atrivo".
Both "inhoster.com" and "atrivo" appear to be "pseudo-ISPs"; they have web sites that look like those of an ISP, but they don't really offer services for sale. Both have bad reputations: see "Spywarequake Scam on the Run". The previous attacks were based on phony anti-spyware programs. Now that people are wise to that one, the new frontier is apparently phony codecs.
The WHOIS information for "zcodec.net" appears to be bogus. It's given as "Abrahamen Biderman" at "5624 17th Ave, Brooklyn, New York". There is an "Abraham Biderman" with an office at 5624 17th Ave, Brooklyn, New York, and he's a political figure and investment banker, with a career running major financial institutions. Probably not behind some two-bit spyware scam.
They obviously outsourced their web design.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
It's spelled "provisional".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm lost, and I don't live next to the seeds of the Apple to sort it out.
A. There's no 17th Ave in Brooklyn
B. The address does exist, except its occupant is deemed not likely.
Which one?
www.zcodec.com
... come on now.
Granted the site does look somewhat professional; but could use a quick spell check. 'Therms of use'
WHOIS:
ZCodec Inc
Abrahamen Biderman (webmaster@zcodec.com)
5624 17th Ave
Brooklyn
New York
NY,11204-1834
US
Tel. +718.2364275
wow, a codec is spyware - inconceivable!!! Who the heck told you to download an unheard-of codec which you probably didn't need? The vast majority of spyware is around because people download things they don't actually need from an untrusted third-party source. I can't begin to count the number of computers I've had to fix because some twit downloaded a codec pack or opened a .scr file in their email or downloaded some game crack to pirate a game and found it installed Bonzi Buddy.
Virtually every bloody codec pack you could download contained spyware/adware - some of them put in by the developers themselves. I've got some lovely versions of Nimo, K-Lite and Gordian Knot to prove it. Hell, DivX pre 5.2 had GAIN in it, and if you didn't know where to look on their website you had no way of finding the version without it (it didn't have the encoder so wasn't GAIN supported). VLC is all I download for video playback now. If they don't support it I don't need to watch it - I've an .flv file converter for those of you who know how to download the dang YouTube/Google videos that VLC can't handle perfectly.
Learnt the hard way not to download things from any third-party site even if it's trusted, back in high school. I run XP because I like playing games. If I had a tinfoil hat I'd read the source and then compile and do MD5 checks, but I'm lazy and will take the binary packages, and I suspect one day I will pay for that laziness, despite my use of TeaTimer and the Spybot S&D hosts file and immunization database, Lavasoft's Ad-Aware, Windows Defender and RootkitRevealer, HijackThis, PeerGuardian 2, and SpywareBlaster. One day I will be an idiot and download a binary with some spyware that is still under the radar for all of these, and I will be pissed when I realize it. At least I will realize it, but most users won't.
Reality must take precedence over public relations, for nature cannot be fooled.
I bet PC will be pissed. Poor guy. Spyware, Viruses, physical damage and now....this?
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
When the straight line connects much better?
Music companies have huge legal departments that can (and do) get their info from ISPs with subpoenas. Trojan distributors are constantly trying to find new ways to push their junk onto your computer, often by paying heavily for 0day exploits.
Who is more likely to buy a "cheap" way to bug your PC?
The article was posted by a 'kdawson', I bet that's the new guy.
We all know that Taco and his crack team of editors would never let such an unfounded and inflammatory statement on the front page of this outstanding news establishment.
So cut the guy some slack. After all, I bet you this Dawson kid will be reprimanded and articles will be back to the high standard of journalism we're used to in no time.
Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
There is a legitimate DNS server sitting at 4.2.2.2. I think it belongs to GTE (now Verizon). It has the misfortune of having an easy IP address to remember. In a pinch, if you can't remember the IP of your own DNS, there's always 4.2.2.2. Most people who use it have it as their alternate DNS. Verizon likes to give it names like i-will-not-steal-service.sys.gtei.net.
You've already gotten a reply to your original post that indicates at least one other person has seen this happen to their DNS settings. If I'd never typed in 4.2.2.2 myself, and I had no previous business relationship with Verizon or GTE, I'd call shenanigans. A malware writer needing to disable automatic DNS for some reason would have to specify a replacement IP and 4.2.2.2 is convenient to hard code.
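Two comments in this thread describe the same symptom: an adapter that was obtaining DNS automatically ends up with a hard-coded resolver, 4.2.2.2 in both reports. That is a cheap thing to check for on every machine you administer. The script below is an added example written for this page, not code from the thread, from Techworld or from any vendor. It parses `ipconfig /all` output and a resolv.conf-style file and flags any resolver that is not on an allowlist; an adapter with DHCP enabled but a resolver its DHCP server never handed out is exactly the pattern described above. The sample outputs, the adapter names and the allowlisted address 192.168.1.1 are all constructed for the example (the /etc/hosts check mentioned later in the thread is not covered here).

```python
import re
from typing import Dict, List, Tuple

# Resolvers this machine is expected to use. Assumption: the reader fills
# this in from their DHCP lease or ISP; the value here is a made-up home
# router address. 4.2.2.2 is deliberately absent so that the hard-coded
# resolver reported in the thread gets flagged.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Constructed `ipconfig /all` output (not captured from a real machine):
# the first adapter uses DHCP but has a statically pinned DNS server,
# the second is healthy.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.23
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 4.2.2.2

Ethernet adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.24
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.1
"""

# Constructed /etc/resolv.conf with one unexpected nameserver appended.
SAMPLE_RESOLV_CONF = """\
# generated by dhclient
search home
nameserver 192.168.1.1
nameserver 4.2.2.2
"""

ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")                              # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")     # "   Name . . . : value"
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")                             # extra value on its own line


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {field: [values]}} from `ipconfig /all` output."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = {}
            last_field = None
            continue
        if current is None:
            continue                      # header text before the first adapter
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            adapters[current].setdefault(last_field, [])
            if m.group(2).strip():
                adapters[current][last_field].append(m.group(2).strip())
            continue
        m = CONT_RE.match(line)
        if m and last_field:              # second/third DNS server lines
            adapters[current][last_field].append(m.group(1))
    return adapters


def audit_windows(ipconfig_text: str, expected: set) -> List[Tuple[str, List[str], bool]]:
    """(adapter, unexpected resolvers, dhcp_enabled) for every adapter whose
    DNS servers are not all in `expected`."""
    findings = []
    for name, fields in parse_ipconfig(ipconfig_text).items():
        dhcp = fields.get("DHCP Enabled", ["No"])[0].lower() == "yes"
        rogue = [s for s in fields.get("DNS Servers", []) if s not in expected]
        if rogue:
            findings.append((name, rogue, dhcp))
    return findings


def audit_resolv_conf(text: str, expected: set) -> List[str]:
    """Unexpected `nameserver` entries in resolv.conf-style text."""
    rogue = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in expected:
            rogue.append(parts[1])
    return rogue


if __name__ == "__main__":
    for adapter, rogue, dhcp in audit_windows(SAMPLE_IPCONFIG, EXPECTED_RESOLVERS):
        print(f"{adapter}: unexpected DNS {rogue} (DHCP enabled: {dhcp})")
    print("resolv.conf:", audit_resolv_conf(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
```

On a real machine, feed it the output of `ipconfig /all` (or the contents of /etc/resolv.conf) instead of the constructed samples, and treat a DHCP-enabled adapter with a resolver outside the allowlist as a reason to look at what was installed recently rather than as a misconfiguration to silently fix.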
Why in the world would a media company want to publicize a good codec? I thought all they liked was real player!
The government can't save you.
To Terry Pratchett, by the look of it.
What's to bet that a grudge and agenda is behind this unfounded swipe?
since you asked... about 1 in 1,000,000 But I grant you there is still a chance.
If Windows were more secure.
I bet all the /. posts that defend the media companies and accuse the poster of baseless accusations are sponsored by the media companies.
I was thinking more along the lines of Terri Schiavo.
This isn't news - "codecs" have been used for years as spyware/trojan droppers. Great social engineering - "hey, to view this porn, you need to install this codec". It's sufficiently tech sounding, and computery to sound believable, so it works.
--Simon
henry -- the human evolution news relay
Yay, malware!
Also:
Is it me, or is that not the job of a codec?
Nobody else has this sig.
Whaths wrong withs givingth the Igorth a bit of workth ? They are dependable and efficienth. Ith's not their fault they have trouble finding employmenth in their usual line of exhpertiseth. There are only so many brainth floating around you know (ha ha)...
May contain traces of nut.
Made from the freshest electrons.
Window$ really needs to be secured...
and there is more: http://www.pcodec.com/
the same blurb, different .exe, but again packed full of trojans. ;)
Domain Name: PCODEC.COM
Creation Date: 25-Aug-2006
Expiration Date: 25-Aug-2007
People are being enticed into downloading this codec by the following posting that is being spambotted onto public forums that allow guest posting.
"Br1tney Spe@rs r@ped!
http://britneyspearsrocks.info/"
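The lure quoted above is obfuscated with single-character substitutions ("Br1tney Spe@rs") so that a naive keyword filter misses it, and a later comment in this thread describes the second stage ("this content requires zCodec, click here to download"). The filter below is an added example for this page, not code from the thread or from any forum software: it undoes the substitutions, then looks for lure phrases in the post body and in the hostnames it links to. The substitution table, the phrase list and the three sample posts are constructed for the example; only the first sample post is the spam quoted above.

```python
import re
from typing import Dict, List

# Single-character substitutions seen in the quoted lure ("Br1tney Spe@rs").
# Assumption: this small table is the example's own; extend it from a real
# spam corpus.
LEET = str.maketrans({"1": "i", "@": "a", "0": "o", "3": "e",
                      "5": "s", "$": "s", "4": "a", "7": "t"})

# Phrases the thread associates with the lure and its second stage.
LURE_PHRASES = ("britney spears", "requires zcodec", "download codec", "free video")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample posts: the spam quoted above, a second-stage variant,
# and a benign post with a link.
SAMPLE_POSTS = [
    "Br1tney Spe@rs r@ped!\nhttp://britneyspearsrocks.info/",
    "This content requires zC0dec, click here to download: http://www.zcodec.com/",
    "Has anyone tried VLC for .flv files? http://www.videolan.org/",
]


def normalize(text: str) -> str:
    """Lower-case, undo leetspeak and collapse whitespace so phrase matching
    sees 'britney spears' whether or not the spammer obfuscated it."""
    return " ".join(text.lower().translate(LEET).split())


def host_text(url: str) -> str:
    """Hostnames run words together and may use dots/dashes as separators;
    strip those so 'britneyspearsrocks.info' still matches 'britney spears'."""
    return normalize(url).replace(".", "").replace("-", "")


def classify_post(text: str) -> Dict[str, object]:
    """Flag a post as suspicious when it links somewhere AND carries a lure
    phrase in its body or its link hostnames."""
    norm = normalize(text)
    urls = URL_RE.findall(text)
    body_hits = [p for p in LURE_PHRASES if p in norm]
    host_hits = [p for p in LURE_PHRASES for u in urls
                 if p.replace(" ", "") in host_text(u)]
    return {
        "urls": urls,
        "lure_phrases": sorted(set(body_hits + host_hits)),
        "suspicious": bool(urls) and bool(body_hits or host_hits),
    }


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        verdict = classify_post(post)
        print("SPAM " if verdict["suspicious"] else "ok   ", post.splitlines()[0], verdict["lure_phrases"])
```

The URL requirement matters: a forum user typing "Britney Spears" in a discussion should not trip the filter, whereas the lure always needs a link to get its victim to the download page.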
Use VLC Media Player - has its own decoder, so you don't need to download and install any codecs. It will play essentially anything you throw at it.
There are some reasons for reading the TOS, you know.
Also as a side note, the file name of the "Therms of use" is therms.html for whatever that may mean.
As their THERMS of use point out, they can use this to install other crap on your machine
SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to VCODEC or its affiliates during this process. Licensor may offer additional components through our version checking/update system. These components include: Toolbar, Popup advertising solution, Commercial homepage manager, Commercial messenger.
No thanks, I'll keep my machine the way it is thankyouverymuch
The best argument against democracy is a five-minute conversation with the average voter.
- Winston Churchill
Only a few major antivirus vendors consider this malware.
e 6555efe005bebfb3d39f6f327
Complete scanning result of "ZCodec1000.exe", received in VirusTotal at 09.05.2006, 03:14:11 (CET).
http://www.virustotal.com/vt/en/resultadof?c0625f
Additional Information
File size: 97469 bytes
MD5: 97b95a0a9c31000b6f873320d7acd012
SHA1: 1e1b12288dd48ab02a8e8c5afd8e2997d33867e8
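Because only a few vendors detected the sample at the time, the file size and hashes quoted above are the most dependable way to recognise ZCodec1000.exe on a machine. The script below is an added example for this page, not code from the thread or from VirusTotal: it streams a file through MD5, SHA-1 and SHA-256 in one pass and reports which of the quoted indicators matched. The MD5, SHA-1 and size come from the VirusTotal result above; the SHA-256 set is empty because the page gives no SHA-256, and the dictionary and function names are the example's own.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Indicators from the VirusTotal result quoted above. The sha256 set is
# empty because the page gives none; add one from your own scan.
KNOWN_BAD_HASHES: Dict[str, set] = {
    "md5": {"97b95a0a9c31000b6f873320d7acd012"},
    "sha1": {"1e1b12288dd48ab02a8e8c5afd8e2997d33867e8"},
    "sha256": set(),
}
KNOWN_BAD_SIZES = {97469}          # bytes, from the same result


def digest_stream(chunks: Iterable[bytes]) -> Tuple[Dict[str, str], int]:
    """Hash a byte stream once with every algorithm in KNOWN_BAD_HASHES,
    returning ({algo: hexdigest}, total_size)."""
    hashers = {algo: hashlib.new(algo) for algo in KNOWN_BAD_HASHES}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}, size


def digest_file(path: str, chunk_size: int = 1 << 16) -> Tuple[Dict[str, str], int]:
    """Stream a file from disk so large samples never have to fit in memory."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def match_iocs(digests: Dict[str, str], size: int,
               hashes: Dict[str, set] = KNOWN_BAD_HASHES,
               sizes: set = KNOWN_BAD_SIZES) -> List[str]:
    """Names of the indicators that matched ('md5', 'sha1', 'sha256', 'size').
    A size-only hit is weak evidence; any hash hit identifies the file."""
    hits = [algo for algo, known in hashes.items() if digests.get(algo) in known]
    if size in sizes:
        hits.append("size")
    return hits


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        digests, size = digest_file(path)
        hits = match_iocs(digests, size)
        verdict = "MATCH " + ",".join(hits) if hits else "no match"
        print(f"{path}: {size} bytes md5={digests['md5']} {verdict}")
```

Run it as `python check.py <suspect files>`; a size match alone is only a hint, since 97469 bytes is not unique, but an MD5 or SHA-1 match against the values above is the same file the thread is discussing.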
Perhaps someone should notify him. Sounds like he might have enough $$ clout to be heard when he finds out how his identity has been 'stolen' (used w/o his permission) to perpetrate this sort of internet scam.
Mycroft
https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
They don't seem to have trouble finding work up in Uberwald, though...
"Music my rampart, and my only one." -- Millay
Let's all stick to VLC?
Thanks!
DivX has been pumping us full of Spyware for years, this is nothing new.
Share your Knowlege - Kung-Fu Geekery
if it weren't so insecure this problem wouldn't exist.
Blame the user, not the software.
Linus had enough trouble debugging the kernel to get the last lot of malware working, and these virus writers aren't exactly playing fair and giving him the interface specs, or any cash to do the porting work. Sheesh! Virus writers must think those kernel guys are made of money or something.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I love how the 3 different 'versions' on that page all point to the same file.
So is the codec written in Common Lithp?
The info in DNS is most likely fake.
Info on Forbes of the real guy. I doubt a stock broker would have much to do with a scheme like this.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Seems like Panda just drafted up a new press release for an old, well-known Trojan (ref: http://en.wikipedia.org/wiki/Media_Codec) - one that's been around for months. They just wrote it up like it's something new and distributed it to the likes of TechWorld - to generally "scare" people, and, of course, get their own company name in print (and they apparently didn't even have anything to do with finding it!). Business at Panda must be slow these days...
See Operation Acoustic Kitty
Even though to a first approximation they are always wrong, I have a lot of sympathy for the conspiracy theorists. Almost no matter how outlandish the scheme, it seems, someone somewhere has tried something similar for real, so in a way you really can't blame people for being paranoid.
This is kind of interesting; usually these trojans are targeted at the least technical people (screensavers, games etc.) - seems to make sense, there's more of them and they're more likely to fall for it.
But presumably you have to be at least a little technically interested to know what a codec is and think you want one. So are they gaining some advantage by targeting a smaller group who's less likely to fall for it? Are their machines on for longer on faster connections?
ccalam - acoustic versions of new songs.
Sig (appended to the end of comments I post, 54 chars)
...manipulate my /etc/resolv.conf or my /etc/hosts?
And I nominate that person to be you! All those in favour raise their hands.
Anyway, Abraham Biderman sounds like a bogus name for someone running major financial institutions. Ivor Bidalot would have been more believable.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
so I wonder why you're cheerleading over a video codec anyways ;)
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Their TOS seems to hide the facts by masking it as a "security feature" instead of spyware.. Look carefully to the TOS:
.. it's a dodgy TOS
(a) "Internet Explorer Security Plugin 2006": Internet Explorer toolbar that protects your computer while you browse by setting high level of security for suspicious hosts.
(b) "Public Messenger ver 2.03": Popup advertising module that opens Internet Explorer ad windows when you are connected to internet.
(c) "Internet Security Add-On": your Internet Explorer homepage will be changed.
(d) Security software: antivirus/antispyware application.
Even I, after reading this, would not think this was "spyware", with the exception of (b). I don't like any software changing the settings/homepage or interface without me agreeing to it anyway, but still.
No, especially if you _do_ follow the money, that's a dumb analogy. Yes, please do follow the money:
- Sony's music division makes money by, you know, selling CDs. The Sony "rootkit" was a piece of copy-protection software which was supposed to help sell more CDs. It wasn't just some piece of wanton malware, and indeed the malware uses were simply because it was designed and programmed by the cheapest incompetent monkeys. But at any rate, its purpose was to make more money for Sony.
- This codec is just a wanton piece of malware, that doesn't seem to serve any particular purpose other than disabling a PC's protection. It doesn't even install its own malicious payload, it just opens the PC up for whoever gets there next. It doesn't copy-protect DVDs, it doesn't even track copyright infringers, it doesn't do _anything_ which would make more money for the MPAA. It's just a piece of wanton malware.
I.e., if you do follow the money, Sony's rootkit had a financial reason behind it, while linking this codec to the MPAA _doesn't_ produce or promise any obvious benefit for the MPAA. I.e., yes, I'll side with the grandparent post. Whoever was the stupid fanboy that submitted that inflammatory summary _is_ a retard and doesn't present any obvious link between that and the MPAA. It's just an inflammatory statement pulled out of the ass, with not even conjecture to back it up.
Now I know it's Slashdot and "MPAA is evil" bitching and moaning is the norm and good for karma. But even then I do prefer the kind which can actually put a coherent rationale behind that bitching. You know, something based on facts and logic, and where the extrapolations have at least a hint of plausibility. And this summary just doesn't make that grade. It's just something pulled out of the ass, and badly at that.
A polar bear is a cartesian bear after a coordinate transform.
more specifically, men downloading porn. Click here to see teen whores *** in their *** and *** big ****. ~drool~ Click here for FREE video. ~click~. This content requires zCodec, click here to download and proceed to watch video. ~click~ Oops, where did all these popups come from. Shit, here comes my mom/girlfriend AAARGH.
The intended audience is definitely not tech-savvy; they only have to click, click, click.
assignment != equality != identity
Thank you for making me laugh this morning. Seriously. That rocks.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
Don't underestimate how disconnected from reality or logic conspiracy theorists can be. There _are_ people who believe that PC viruses are written by antivirus companies, human/animal diseases are created in the lab by big pharma corporations, fires are started by the firemen, etc. It's the "follow the money" kind of conspiracy theory. And don't get me wrong, "follow the money" is generally good advice, but some people are too stupid or too schizophrenic to actually successfully follow the money... or any coherent train of thought, for that matter. So they arrive at such stupidities instead.
~ $ nmap -P0 zcodec.com

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-09-05 06:43 PDT
Unable to find nmap-services! Resorting to /etc/services
Interesting ports on 85.255.117.106-xbox.dedi.inhoster.com (85.255.117.106):
(The 1143 ports scanned but not shown below are in state: closed)
PORT       STATE    SERVICE
21/tcp     open     ftp
22/tcp     open     ssh
25/tcp     open     smtp
53/tcp     open     domain
57/tcp     filtered mtp
80/tcp     open     www
111/tcp    filtered sunrpc
138/tcp    filtered netbios-dgm
139/tcp    filtered netbios-ssn
199/tcp    open     smux
205/tcp    filtered unknown
445/tcp    filtered microsoft-ds
515/tcp    filtered printer
519/tcp    filtered unknown
587/tcp    open     submission
705/tcp    filtered unknown
818/tcp    filtered unknown
876/tcp    filtered unknown
888/tcp    filtered unknown
1433/tcp   filtered ms-sql-s
1646/tcp   filtered sa-msg-port
2111/tcp   filtered kx
3306/tcp   open     mysql
4557/tcp   filtered fax
20012/tcp  filtered vboxd
27374/tcp  filtered asp

Nmap finished: 1 IP address (1 host up) scanned in 22.663 seconds
The hostname is odd (as pointed out before)... and we learn little from a scan.
Well I'm bored. Let's go get beer.
the site has been closed
Shuttup Igorina!!!
Back to the front for you!
* No, the intention to introduce DRM itself is not bad...
Any software that is installed on my computer without my permission is inherently bad. I paid for my computer, not Sony, not the RIAA. Thus, neither Sony nor the RIAA have the right to install software on my computer. If someone wants me to have DRM software on my computer, they should buy me that computer.
Duh. I would not download and/or install anything from a site with "Therms of Use" on the index page.
I.e., Hanlon's Razor fully applies: "Never attribute to malice, that which is adequately explained by stupidity."
So, yeah, rest assured that most of us don't think that Symantec or McAfee have malicious intent there. Most of us are fully aware that they're just incompetent, and hire the cheapest incompetents.
I use cubic metres, you insensitive clod!
It doesn't mean much now, it's built for the future.
Porn TGPs have been using this very "codec" for months.
What the hell does that mean? How do you know if something looks "professional"? Are you checking to see if it's a full-time business vs a hobby, or some kind of test like that?
Sometimes I think "professional" is one of the dumbest and most-abused (to the point of being rendered meaningless) words in our language. We're seeing it used here as implying lack of spyware (wtf does that have to do with getting paid?!) and it has often been used to describe how someone dresses. What a great word for saying nothing.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.