As a reminder, VLC is a free, open-source video player that includes no toolbar or additional program of any kind.
The official site is: http://www.videolan.org/vlc/
Recently, "VLC plugins" have been distributed on streaming and download sites; they install an additional component along with VLC.
The goal is to get an extra element installed under the guise of a video plugin, and most likely to earn money on each installation (for the owner of the site serving the banner and for the advertising network).
Here the "VLC plugin" installs OfferBox,
then the VLC installation starts.
Advertising banners also promote this plugin:
and launch the OfferBox installation directly:
Code:
1289479337.093 4101 192.168.1.27 TCP_MISS/200 331052 GET http://www.telecharger-vlc.org/gateway.php?i=8520&f=vlc_complete_edition.exe - DIRECT/194.150.236.172 application/octet-stream
1289479340.569 138 192.168.1.27 TCP_MISS/200 268 GET http://www.telecharger-vlc.org/pb.php - DIRECT/194.150.236.172 text/html
1289479340.838 242 192.168.1.27 TCP_MISS/200 268 GET http://www.telecharger-vlc.org/route.php - DIRECT/194.150.236.172 text/html
1289479341.093 237 192.168.1.27 TCP_MISS/200 269 GET http://www.telecharger-vlc.org/offerbox.php - DIRECT/194.150.236.172 text/html
1289479351.310 1508 192.168.1.27 TCP_MISS/200 1732868 GET http://app.offerbox.com/download_short_setup.php - DIRECT/188.165.1.11 application/octet-stream
1289479361.375 93 192.168.1.27 TCP_MISS/200 2064 POST http://app.offerbox.com/aconfig.php - DIRECT/188.165.1.14 text/xml
1289479361.849 331 192.168.1.27 TCP_MISS/200 222552 GET http://app.offerbox.com/dconfig.php - DIRECT/188.165.198.165 application/octet-stream
1289479373.988 308 192.168.1.27 TCP_MISS/200 365 GET http://s4.histats.com/stats/e.php?758274&@Ab&@R52736&@w - DIRECT/173.192.226.67 text/plain
1289479463.255 101208 192.168.1.27 TCP_MISS/200 19657544 GET http://www.telecharger-vlc.org/vlc-1.1.4-win32.exe - DIRECT/194.150.236.172 application/octet-stream
1289479464.034 380 192.168.1.27 TCP_MISS/200 4936 GET http://www.telecharger-vlc.org/firststart.php?sp=YES&vlc=1.1.4&s=8520 - DIRECT/194.150.236.172 text/html
On a site reported by angélique (thanks): http://forum.malekal.com/codec-xvid-t29885.html
telecharger-vlc.org A 194.150.236.172
http://www.telecharger-vlc.org CNAME telecharger-vlc.org
http://www.dl-vlc.com A 194.150.236.172
http://www.zone-sms.net A 194.150.236.172
Here the "VLC plugin" is offered as an Xvid codec:
=> hxxp://dl-xvid.com/r/4475/xvid_setup1.2.2-win32.exe
The fake-codec animation is hosted at dl-xvid.com:
dl-xvid.com has address 194.150.236.172
The banners appear to be distributed by cashtrafic, which belongs to Webinfluence:
hxtp://www.cashtrafic.com/informations_legales.php
Video: (embedded video not included here)
The plugin can also deliver HotBar/ShopperReports/ClickPotato:
Code:
1289480312.556 475 192.168.1.27 TCP_MISS/302 489 GET http://install.securewebsiteaccess.com/installer/zcdownload/b0e8dea2e2a89662c3b1079d66ce4a7de029879e479e63e894fc68e810891514bc5d1bc8dd0b6d287710af893f2fe886e656d068d911ea30a4e63fb718c66a98b4eede0d99a8386800b060c2b7ff14684b269a24460e4123415c:53d639405ca7de5c8c66ab429865257b:firefox:3:6.3:F:winxp:other:syndication/v.op1%3D83%26v.op2%3D6 - DIRECT/66.150.14.67 text/html
1289480313.116 424 192.168.1.27 TCP_MISS/302 884 GET http://config.clickpotato.tv/gi.aspx?chid=169914&v.method=software&cid=1315344&ix=gplcplite&v.installerName=VLCSetup.exe - DIRECT/64.94.137.105 text/html
1289480314.333 155 192.168.1.27 TCP_MISS/200 8375 GET http://downloads.clickpotato.tv/actionurls/ActionUrlb.799/ActionUrlb.799.1.gz?partner_id=627511928&MT=0208F178A5B5EA87D45A911CBF6A81B2C85E159AE4B5A22AAD64135530B5CC1A3D - DIRECT/81.52.140.59 application/x-gzip
1289480316.110 1828 192.168.1.27 TCP_MISS/200 147164 GET http://downloads.clickpotato.tv/keywords/6/kyfb.2485/kyfb.2485.1.gz?partner_id=627511928&MT=0208F178A5B5EA87D45A911CBF6A81B2C85E159AE4B5A22AAD64135530B5CC1A3D - DIRECT/81.52.140.66 application/x-gzip
1289480316.538 213 192.168.1.27 TCP_MISS/200 628 GET http://downloads.platrium.com/downloads/valueadd/ping/ping.htm - DIRECT/81.52.140.67 text/html
1289480317.288 591 192.168.1.27 TCP_MISS/200 471 POST http://te.clickpotato.tv/pte.aspx?ver=2.0.186.0&rnd=718 - DIRECT/64.94.137.121 text/html
1289480317.290 516 192.168.1.27 TCP_MISS/200 471 POST http://te.clickpotato.tv/pte.aspx?ver=2.0.186.0&rnd=843 - DIRECT/64.94.137.121 text/html
public.zangocash.com A 66.150.14.67
public.pinballpublishernetwork.com CNAME public.zangocash.com
install.pinballpublishernetwork.com A 66.150.14.67
install.pinballpublishernetwork.com CNAME public.zangocash.com
interstitial.powered-by.pinballpublishernetwork.com CNAME powered-by.zango.com
pop-over.powered-by.pinballpublishernetwork.com CNAME powered-by.zango.com
popover.powered-by.pinballpublishernetwork.com CNAME powered-by.zango.com
powered-by.zango.com A 66.150.14.67
watch-movies-apnaview.com.powered-by.zango.com CNAME powered-by.zango.com
friendsview.powered-by.zango.com CNAME powered-by.zango.com
gilmoregirlsview.powered-by.zango.com CNAME powered-by.zango.com
simpsonsview.powered-by.zango.com CNAME powered-by.zango.com
freeporn.z120.powered-by.seekmo.com CNAME powered-by.zango.com
freeporn.z728.powered-by.seekmo.com CNAME powered-by.zango.com
porndirt.com.freeporn.powered-by.seekmo.com CNAME powered-by.zango.com
porndirt.com.gay.powered-by.seekmo.com CNAME powered-by.zango.com
public.securewebsiteaccess.com A 66.150.14.67
uci.securewebsiteaccess.com A 66.150.14.67
uci.securewebsiteaccess.com CNAME public.securewebsiteaccess.com
install.securewebsiteaccess.com A 66.150.14.67
install.securewebsiteaccess.com CNAME public.securewebsiteaccess.com
powered-by.securewebsiteaccess.com A 66.150.14.67
interstitial.powered-by.securewebsiteaccess.com CNAME powered-by.securewebsiteaccess.com
watchon9.com.powered-by.securewebsiteaccess.com CNAME powered-by.securewebsiteaccess.com
http://www.zippyclub.com.powered-by.sec ... access.com CNAME powered-by.securewebsiteaccess.com
http://www.movie-watching-site.com.powe ... access.com CNAME powered-by.securewebsiteaccess.com
frezzysoul.com.powered-by.securewebsiteaccess.com CNAME powered-by.securewebsiteaccess.com
http://www.watchfriendsseason.com.power ... access.com CNAME powered-by.securewebsiteaccess.com
free.porndirt.com.powered-by.securewebsiteaccess.com CNAME powered-by.securewebsiteaccess.com
livefooty.doctor-serv.com.powered-by.securewebsiteaccess.com CNAME powered-by.securewebsiteaccess.com
pop-over.powered-by.securewebsiteaccess.com CNAME powered-by.securewebsiteaccess.com
http://www.wtso.net.powered-by.securewebsiteaccess.com CNAME powered-by.securewebsiteaccess.com
http://www.fganet.net.powered-by.secure ... access.com CNAME powered-by.securewebsiteaccess.com
config1.zango.com A 64.94.137.121
config1.seekmo.com CNAME config.seekmo.com
config.seekmo.com A 64.94.137.121
config.hotbar.com A 64.94.137.121
config.180solutions.com A 64.94.137.121
bis.180solutions.com A 64.94.137.121
bis.180solutions.com CNAME config1.zango.com
te.clickpotato.tv A 64.94.137.121
config.clickpotato.tv A 64.94.137.121
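The two Squid logs above show the same pattern: an "installer" pulled from a domain that shares hosting with the fake-VLC sites, followed by callbacks to the adware vendors' config servers. The following Python is an added example (not from the original post) of how a defender could run that pivot automatically over a proxy log: parse Squid's native access.log format, flag requests whose host or resolved peer IP matches the domains and IPs listed in this thread, and group hits by peer IP to reveal shared hosting. The sample log is constructed from three lines quoted above plus one benign line (the download.videolan.org mirror URL in it is an assumption, used only for contrast).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log: ts elapsed client code/status bytes method url ident hier/peer mime
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Indicators taken from the logs and DNS records quoted in the thread.
ADWARE_DOMAINS = {
    "telecharger-vlc.org", "dl-vlc.com", "dl-xvid.com", "zone-sms.net",
    "offerbox.com", "clickpotato.tv", "platrium.com", "zango.com", "seekmo.com",
    "hotbar.com", "180solutions.com", "securewebsiteaccess.com",
    "pinballpublishernetwork.com", "zangocash.com",
}
ADWARE_IPS = {"194.150.236.172", "66.150.14.67", "64.94.137.121"}

# Constructed sample: three lines from the post and one benign download (assumed mirror URL).
SAMPLE_LOG = """\
1289479337.093 4101 192.168.1.27 TCP_MISS/200 331052 GET http://www.telecharger-vlc.org/gateway.php?i=8520&f=vlc_complete_edition.exe - DIRECT/194.150.236.172 application/octet-stream
1289479351.310 1508 192.168.1.27 TCP_MISS/200 1732868 GET http://app.offerbox.com/download_short_setup.php - DIRECT/188.165.1.11 application/octet-stream
1289480313.116 424 192.168.1.27 TCP_MISS/302 884 GET http://config.clickpotato.tv/gi.aspx?chid=169914&v.method=software&cid=1315344&ix=gplcplite&v.installerName=VLCSetup.exe - DIRECT/64.94.137.105 text/html
1289480400.000 120 192.168.1.27 TCP_MISS/200 19657544 GET http://download.videolan.org/pub/videolan/vlc/1.1.4/win32/vlc-1.1.4-win32.exe - DIRECT/203.0.113.10 application/octet-stream
"""


def parse_line(line):
    """Return the fields of one Squid native log line as a dict, or None if it does not parse."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_domain(host):
    """True when host is one of the indicator domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ADWARE_DOMAINS)


def classify(rec):
    """Return (host, reasons, executable) for one parsed record; reasons is empty when clean."""
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    reasons = []
    if matches_domain(host):
        reasons.append("adware domain: " + host)
    if rec["peer"] in ADWARE_IPS:
        reasons.append("adware hosting IP: " + rec["peer"])
    # A binary body or an .exe path is what turns a suspicious hit into a delivered payload.
    executable = rec["mime"] == "application/octet-stream" or parts.path.lower().endswith(".exe")
    return host, reasons, executable


def scan(log_text):
    """Flag every request that touches an indicator domain or IP."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, reasons, executable = classify(rec)
        if reasons:
            findings.append({"client": rec["client"], "host": host, "peer": rec["peer"],
                             "url": rec["url"], "reasons": reasons, "executable": executable})
    return findings


def shared_hosting(log_text):
    """Map each peer IP to the set of hostnames served from it (the pivot the DNS list above shows)."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["peer"]].add(urlsplit(rec["url"]).hostname or "")
    return dict(by_ip)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "PAYLOAD" if f["executable"] else "callback"
        print(f"{f['client']} {tag:8} {f['host']:28} {f['peer']:16} {'; '.join(f['reasons'])}")
    for ip, hosts in shared_hosting(SAMPLE_LOG).items():
        print(ip, sorted(hosts))
```

The benign VLC download is not flagged even though it is an executable: the executable bit only qualifies a hit that already matched an indicator, which keeps the rule from alerting on every installer a user downloads. In production the indicator sets would come from a maintained feed rather than a literal in the script.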
The installer that delivers HotBar/ShopperReports/ClickPotato is reasonably well detected.
The one delivering OfferBox is at 0 detections.
In practice, this is what it looks like: http://www.commentcamarche.net/forum/af ... -vlc-virus
VirSCAN.org Scanned Report :
Scanned time : 2010/11/11 13:57:03 (CET)
Scanner results: 25% (9/36) a trouvé un malware !
File Name : VLCSetup.exe
File Size : 207152 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 29662c033f567975e2ac9a3ef6150faa
SHA1 : 4263b20220ad603b58b525973820b57ebea99d78
Online report : http://virscan.org/report/cb1ada30508a1 ... ff191.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.20 20101111020843 2010-11-11 0.28 Riskware.WebToolbar.Win32.Zango!IK
AhnLab V3 2010.11.11.01 2010.11.11 2010-11-11 1.43 -
AntiVir 8.2.4.92 7.10.13.208 2010-11-11 0.28 ADSPY/AdSpy.Gen2
Antiy 2.0.18 20101106.5534523 2010-11-06 0.02 -
Arcavir 2010 201011111608 2010-11-11 0.41 -
Authentium 5.1.1 201011101838 2010-11-10 1.33 W32/Busky.B.gen!Eldorado (Possible)
AVAST! 4.7.4 101111-0 2010-11-11 0.05 -
AVG 8.5.850 271.1.1/3250 2010-11-11 1.17 -
BitDefender 7.90123.6222297 7.34629 2010-11-11 5.89 Gen:Variant.Adware.HotBar.4
ClamAV 0.96.3 12232 2010-11-11 0.15 -
Comodo 4.0 6664 2010-11-09 1.98 -
CP Secure 1.3.0.5 2010.11.11 2010-11-11 0.17 -
Dr.Web 5.0.2.3300 2010.11.11 2010-11-11 10.44 -
F-Prot 4.4.4.56 20101110 2010-11-10 1.39 W32/Busky.B.gen!Eldorado (generic, not disinfectable)
F-Secure 7.02.73807 2010.11.11.04 2010-11-11 0.34 -
Fortinet 4.2.249 12.555 2010-11-11 0.36 -
GData 21.1080/21.466 20101111 2010-11-11 8.73 -
ViRobot 20101111 2010.11.11 2010-11-11 0.38 -
Ikarus T3.1.32.15.0 2010.11.11.77136 2010-11-11 5.04 not-a-virus:WebToolbar.Win32.Zango
JiangMin 13.0.900 2010.11.10 2010-11-10 1.45 -
Kaspersky 5.5.10 2010.11.10 2010-11-10 0.26 -
KingSoft 2009.2.5.15 2010.11.11.17 2010-11-11 0.77 -
McAfee 5400.1158 6163 2010-11-10 20.66 -
Microsoft 1.6301 2010.11.11 2010-11-11 4.18 -
Norman 6.06.10 6.06.00 2010-11-10 10.02 -
Panda 9.05.01 2010.11.06 2010-11-06 3.28 -
Trend Micro 9.120-1004 7.612.06 2010-11-10 0.31 -
Quick Heal 11.00 2010.11.11 2010-11-11 3.51 -
Rising 20.0 22.73.03.03 2010-11-11 2.62 -
Sophos 3.13.1 4.59 2010-11-11 3.04 -
Sunbelt 3.9.2457.2 7277 2010-11-10 36.01 Pinball Corporation. (v)
Symantec 1.3.0.24 20101110.002 2010-11-10 0.11 -
nProtect 20101108.01 9066740 2010-11-08 13.86 Gen:Variant.Adware.HotBar.4
The Hacker 6.7.0.1 v00081 2010-11-10 0.51 -
VBA32 3.12.14.1 20101109.1249 2010-11-09 3.78 -
VirusBuster 4.5.11.10 10.130.16/1992536 2010-11-10 3.35 Adware.Rugo.Gen.5
Personal opinion (everyone will form their own): the practices are quite borderline, since they consist of taking free software and stuffing its installer with other programs such as adware. No significant new functionality for the user as far as VLC is concerned.
WARNING ..... CAUTION.... I got clickpotato when downloading the latest version of vlc requested by mozilla ????....
It can never be repeated enough: do not install programs offered through advertisements.
Enable PUP/LPI detection in your antivirus.
HOSTS Anti-PUPs/Adwares filters the addresses that distribute adware and potentially unwanted programs.
EDIT - July 2012
Basic Scan and PricePeep, which are offered: