Monday, November 1, 2010

Malware goes to the movies

This month, I will be giving a talk "Malware goes to the movies" in AppSec DC 2010 (Washington D.C., US) and DeepSec 2010 (Vienna, Austria) conferences.
More details are available at this link.
This talk will examine new types of malware that spread through online videos, music files, and images.

Typically, there are two ways an attacker can trick you to install malware on your computer through videos:
1) URLANDEXIT command
Most Windows media files (WMV, ASF, WMA, etc.) allow embedding of script commands to "enhance viewer's experience." Bad guys abuse one such command called URLANDEXIT that launches a specific webpage from your Media player. They will make the player pop up a "Codec missing" or "License missing" message box on your computer, and trick you into installing a malware masquerading as a plugin.

2) DRM functionality abuse.
The same idea as above is used except a Windows mechanism to retrieve software licenses is used to distribute the payload.

I've implemented a Python tool that allows you to scan video files on your HD for the presence of these abusive commands in the video and music files. It implements a simple pattern recognition for byte sequences of URLANDEXIT command, extracts the URL out of the file, and then uses Web of Trust API to check how trustworthy the webpage is.

The tool is still in alpha stages. But the source code is available right here:
There are two ways of using it:

1) To scan the file on the HD
$ python -f VIRUS-VIDEO.AVI

Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in file: VIRUS-VIDEO.AVI
Positions of ['U', '\x00', 'R', '\x00', 'L', '\x00', 'A', '\x00', 'N', '\x00', 'D', '\x00', 'E', '\x00', 'X', '\x00', 'I', '\x00', 'T', '\x00'] and ['\x00', '\x00', '\x00', '6']
startPos = 1939
endPos = 2017
The extracted URL:
Checking reputation of url:
(Trustworthiness, Reliability)= [5, 42]
Reliability is > 20, so I'll proceed

2) To scan the URL containing a torrent file.
The tool will start downloading the video specified in the torrent, and analyze the incoming stream of data on the fly.

$ python -u

Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in url:
Downloading torrent information from
Downloading: 0.00% complete (down: 0.0 kb/s up: 0.1 kB/s peers: 0). Pieces [ ] None : -1



The significance of the matters and inducement is experienced and enlisted. The motives pf the uk resume writing services reviews and all such conditions. The organizations of the members and all individuals is done and deduced. The pertinent and oriental sequences.

Post a Comment