A .Gov Media Player? Not Exactly...

Arcadia looks like a nice place, but it appears they had something a little odd going on with their website recently at arcadia-fl(dot)gov:

Arcadia popup

The pop-up box is for “VIO Player”, and it states that the download is managed by “Optimum Installer”.

“Optimum Installer is an install manager, which manages the installation of your chosen software. In addition to managing your download and installation, Optimum Installer will offer free popular software that you may be interested in. You are not required to install any additional software to complete your installation of your selected software. You can always completely remove the programs at any time in Windows’ Add/Remove Programs.”

The install button directed end-users to the following IP / executable:

184(dot)82(dot)69(dot)92/123/103(dot)exe

However, the link is currently inactive so it’s hard to say for certain what would have happened next.

AWOL exe.

VirusTotal has the executable pegged at 7 / 51, and users of Malwarebytes Anti-Malware will find we detect it as Trojan.Agent.ZT.

You can also see some URLs related to the above here.

We notified an email address connected to the site to see what was going on, and the mysterious “should not be there” pop-up has now been removed.

It doesn’t matter whether your website is a .gov or a .net – if there’s a way for someone to exploit it, they will, and your visitors could end up paying the price. Thanks to the people over at the Arcadia site for removing the pop-up box so quickly.
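One way a site owner could audit their own pages for the pattern seen here, a download link pointing at an executable on a bare IP address. This is an added example, not code from the original post; the sample HTML, the `example.gov` host, the documentation-range address 192.0.2.10 and the function names are all constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

RISKY_EXTENSIONS = (".exe", ".msi", ".scr", ".bat", ".cmd")
URL_ATTRS = {"href", "src", "action", "data"}

# Constructed sample page; 192.0.2.10 is a documentation-only address.
SAMPLE_HTML = """
<a href="/departments/clerk.html">City Clerk</a>
<a href="https://www.example.gov/forms/permit.pdf">Permit form</a>
<script src="https://cdn.example.net/lib.js"></script>
<a href="http://192.0.2.10/files/setup.exe">Install</a>
<a href="https://downloads.example.org/player.EXE?x=1">Player</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # Record every attribute that can carry a URL.
        self.urls += [v.strip() for k, v in attrs if k in URL_ATTRS and v]

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_page(html, site_host):
    """Return [(url, reasons)] for links the site owner should review."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        # Resolve relative links against the site so every URL has a host.
        parsed = urlparse(urljoin(f"https://{site_host}/", url))
        host = (parsed.hostname or "").lower()
        reasons = []
        if is_ip_literal(host):
            reasons.append("bare-ip-host")
        elif host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site-host")
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("executable-download")
        # Third-party scripts are common; report bare IPs and off-site executables.
        if "bare-ip-host" in reasons or len(reasons) == 2:
            findings.append((url, reasons))
    return findings
```

Running `audit_page(SAMPLE_HTML, "example.gov")` reports the two installer links and leaves the same-site pages and the third-party script alone.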

Christopher Boyd
