We recently found a site that not only impersonates the look of the legitimate Twitch TV website, but also sports a so-called video player plugin that needs to be downloaded (as recommended) for the clips to play.
Note that the only plugin one can use to view live game streams on Twich is Adobe Flash Player, so if you know this, seeing an endorsement of a different plugin should immediately raise a flag.
The domain impersonator is twitchtv(dot)net.
click to enlarge
What is downloaded, however, is not the actual plugin but an installer manager, which the site admins only revealed at the foot of the page. Here’s the text transcription:
twitchtv.net is distributing an installer manager that will manage the installation of your selected software. In addition to managing the installation of your selected software, this install manager will make recommendations for additional free software that you may be interested in. Additional software may include toolbars, browser add-ons, game applications, anti-virus applications and other types of applications. You are not required to install any additional software to receive your selected software. You can completely remove the program at any time in Windows 'Add/Remove Programs'. At the time of downloading you accept the conditions of use and privacy policies stated by twitchtv.net.
Clicking either the “Download Now” link or the two buttons on the user interface downloads the file.
Fortunately for us, Malwarebytes was able to capture two versions of the installer manager being served on the site. One is version 1.0.0.1 and the other is 2.0.0.0.
Both are detected as PUP.Optional.DomaIQ, a known potentially unwanted program (PUP). You can read more about this PUP here.
We’ve looked at both files, and since there are nominal differences between these two, we have considered them as one file.
Upon execution, setup.exe displays a graphical user interface (GUI), as any program do, prompting the user to select how this it is to be installed and what other programs it will download for the user, some of which we have itemized below:
- ArcadeGiant (in new version only)
- Browser App
- Cinema Plus Shopping (in new version only)
- Desktop Temperature Monitor
- Genesis (in new version only)
- MyBestOffersToday
- MYPcBackup
- MySafeProxy (in new version only)
- OptimizerPro (in new version only)
- PepperZip (in new version only)
- SuperPC Tools
- Vuupc
Note that programs installed may vary.
It then performs the following while the extra programs are being installed in the background:
- Opens a free streaming site using the system’s default Web browser to encourage users to register and download video-related files. Here are just some of the sites we have encountered:
- Displays pop-ups on the desktop and browser to notify the user of a number of programs they have to update and install
- Opens a “thank you” page that insinuates a last step: to download another file
- Opens Firefox to prompt users to install browser add-ons
- Auto-executes installed programs, some of which prod users to try out or register with the services they offer
- Opens other sites suited to offer potentially bogus services and programs
To give you an idea of the number of files that could be introduced onto a system with PUP.Optional.DomaIQ installed, here’s a screenshot:
We also haven’t seen evidence of this recommended Twitch TV plugin actually installed on a browser during testing. System slowdown is evident as well; however, this has not been consistent in all our test attempts.
Steer clear of twitchtv(dot)net and similar sites banking on the growing popularity of the free online game streaming service.
Other post(s):
Adam Kujawa, our Malware Intelligence Lead, put together a piece about PUPs in general entitled “Encountering the Wild PUP“. You can read the blog and watch the cool video here.
Jovi Umawing