This document summarizes trends in media malware and discusses case studies of attacks. It notes that media files like videos, music and images are common infection vectors because media is widely consumed online. Fake YouTube videos, malicious torrents, and exploits of media file formats like ASF are described as major attack methods. The document recommends disabling risky media player functions, using tools to detect malicious scripts in files, and verifying the reputation of URLs found in media before interacting with them. Detection of attacks and education of users on safe media practices are emphasized.
3. Why Use Media to Spread Malware?
• Media is everywhere.
- Internet users in the U.S. alone viewed 14.3 billion videos in December (CNN, 2/6/09).
- At least 7 million people in Britain use illegal music downloads (Guardian, 5/29/09).
- There are 5.6 million Angelina Jolie images on Google.
• How many of these are malicious?
4. Most People Don’t Know Media Can Spread Viruses
[Chart: poll results by site (98%, 10%, 50%, 0%)]
• We polled 500 IT professionals on which of these sites could be malicious.
• Roughly 50% of them thought Youtube movies on a friend’s blog are perfectly safe.
• What percent of average consumers would think it’s safe?
6. Media Malware Trends
• Interestingly, attacks are often not targeted.
• Social engineering and blackhat SEO are used to entice the victim to view the content.
• Rough malware breakdown: 50% videos, 30% music, 20% images.
• Commonly spread through social websites, news-site imitations, P2P sites.
7. Distribution Channels
• Malware distributed through social networking sites (Facebook, myspace, odnoklasniki, etc.) has a 10% success rate in terms of infection versus a 1% success rate via email.
[Chart: total number of malicious programs targeting social networking sites]
8. Breaking News Videos
• During Q1 2010, hackers took advantage of every major newsworthy event to lure visitors into infected sites. E.g., Erin Andrews tape, release of the iPad, Avatar blockbuster, earthquake in Haiti, terrorist bombings in Moscow [Kaspersky Report]
• Out of 100 million blog posts, the eSOFT team uncovered 700,000 malicious fake YouTube pages (0.7%). [SC Magazine US, 6/09/10]
9. P2P Video/Audio Files
• Using a custom tool, we analyzed all torrent videos of the Ghost Writer (2010) movie found through Isohunt.
• Before the DVD release, only 10 of 570 videos (1.75%) didn’t contain malware.
• After the DVD release, 450 of 681 (66%) were clean.
10. Image Files
• Malformed image attacks accounted for 10% of web attacks in 2009.
– Often the images were hosted on legitimate sites, but MIME types were forged or PHP was nestled in the text comment fields of legitimate GIF or JPG images. [ScanSafe 2009 report]
– JPEG GDI buffer overflow vulnerabilities
[Image: malicious image files]
11. Agenda
• Overview
• Media Malware Trends
• Media Attack Vectors
• Case Studies
• Detection and Protection
13. Attack Vectors (cont.)
• For video/music files, social engineering is used to trick the user into accepting to
– ‘download codec’ to play the video.
– ‘click yes in popup on license terms’ or ‘download license key’.
• For images, often no user interaction is needed.
• For online Flash videos
– Consent to ‘downloading codec’
14. Agenda
• Overview
• Media Malware Trends
• Media Attack Vectors
• Case Studies
• Detection and Protection
15. Case 1: Fake Youtube videos
• Youtube uses the Adobe Flash plug-in.
• Flash has the worst security record in 2009.
– Multiple critical vulnerabilities via malicious SWFs (APSB08-11)
– Supports script commands getURL(), navigateToURL() to load documents from specific URLs.
• Youtube is severely restricted (up-to-date patches, disabled script commands) so it’s “safe”.
• Can we say the same about a random blog?
• Can a good web designer make a blog video look very much like a Youtube video?
16. Fake Youtube Videos (cont.)
• Actually, you don’t even need to be a good web designer.
• YTFakeCreator allows you to create fake Youtube look-alikes and attach malicious payloads.
• Typically, a user is prompted to download a ‘codec’ (which is really a malware stub).
19. Fake Youtube videos (cont.)
• A concrete example: Erin Andrews is an ESPN sportscaster who was secretly videotaped through a hotel peephole in July 09.
• Shortly thereafter, a site video.report-cnn.com hosting the tape appeared.
[Screenshot of the lure page: “LIVE VIDEO PLAYER BLOCKED. Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below.” followed by a “click” button]
20. Fake Youtube videos (cont.)
• Most of the site is embedded through IFRAMES from CNN (aka clickjacking) but the malware is served from mediaplayer.4upd.com.
• The malware has two novel ideas. After clicking on the link:
– The video actually plays to alleviate suspicions.
– Different malware is served for different OS (Macs get infected with the OSX/Jahlav-C trojan. Windows gets infected with a rogue antivirus, Mal/EncPK-IF or Mal/FakeAV-AY).
• Excerpt of the page’s HTML (cut off on the slide). Note allowScriptAccess="always", which lets the SWF run script in the hosting page:
<!-- LARGE PLAYER HTML CODE -->
<div id="cnnVPFlashLarge" style="position: relative;">
  <div style="border-style: solid; border-color: rgb(230, 230, 230); border-width: 1px 1px 0px; width: 574px; height: 372px;" id="cnnVPFlashLargeContainer">
    <object height="372" width="574">
      <param name="movie" value="http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video">
      <param name="allowScriptAccess" value="always">
      <embed src="http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video" allowscriptaccess="always" height="372" width="574"></embed>
    </object>
  </div>
  <div id="cnnVPInfoLMy">
    <div id="cnnVPInfoLeftCol">
      <div style="padding: 8px 10px 0px;" id="cont
22. The hacker created other sites.
• A simple lookup through Maltego reveals that he created similar sites dedicated to sex, breaking news, online gambling.
23. Case 2: ASF Exploits
• ASF is a Microsoft proprietary format for streaming media (.asf, .wma, .wmv)
– Consists of byte sequences, each identified by a GUID marker.
– Has a framework for Digital Rights Management to download licenses from URLs.
– Script commands (such as URLANDEXIT to download a file from a URL) can be embedded in the stream.
• Many players support it: Windows Media Player, RealPlayer, MPlayer, Zune, Flip4Mac, Quicktime add-on, Linux FFmpeg, etc.
• Interestingly, if you rename an ASF file to .AVI, it will still be interpreted as ASF in Windows.
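To make the “sequence of GUID-tagged objects” concrete, here is an added example (not the presentation’s own tool) that identifies ASF by its header GUID regardless of the file extension and lists header objects worth a closer look; the GUID constants are taken from the ASF specification and the sample file is constructed.

```python
import struct
import uuid

# Object GUIDs from the ASF specification. An ASF file is a sequence of
# objects, each tagged by a 16-byte GUID followed by a 64-bit little-endian size.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
FILE_PROPERTIES = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
SUSPECT = {SCRIPT_COMMAND: "script command object (carries URLANDEXIT etc.)",
           CONTENT_ENCRYPTION: "DRM content encryption object (license URL)"}

def is_asf(data: bytes) -> bool:
    """Identify ASF by the header GUID, as the player does, ignoring the extension."""
    return len(data) >= 30 and uuid.UUID(bytes_le=data[:16]) == ASF_HEADER

def header_objects(data: bytes) -> list:
    """Walk the children of the header object; return (guid, size) pairs in order."""
    if not is_asf(data):
        raise ValueError("not an ASF stream")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos, objs = 30, []            # 30 = GUID + size + count + two reserved bytes
    while pos + 24 <= end and len(objs) < count:
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24:             # refuse to loop forever on a malformed size
            raise ValueError("bad object size at offset %d" % pos)
        objs.append((guid, size))
        pos += size
    return objs

def suspicious_objects(data: bytes) -> list:
    """Labels for header objects that can carry script commands or license URLs."""
    return [SUSPECT[g] for g, _ in header_objects(data) if g in SUSPECT]

def _obj(guid: uuid.UUID, payload: bytes) -> bytes:
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload

# Constructed sample: a header with a file-properties child and a script command
# child, given an .avi name to mirror the renaming trick described above.
_children = _obj(FILE_PROPERTIES, b"\x00" * 80) + _obj(SCRIPT_COMMAND, b"\x00" * 40)
SAMPLE_AVI = (ASF_HEADER.bytes_le
              + struct.pack("<QIBB", 30 + len(_children), 2, 1, 2) + _children)

if __name__ == "__main__":
    print(is_asf(SAMPLE_AVI), suspicious_objects(SAMPLE_AVI))
```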
24. DRM
• DRM aims to allow the distributor of audio/video to control how it’s used.
• The client (aka Media Player) can request a license from a license server to play the file.
• Turns out the request is over HTTP and the License Server returns the prompt message to the client!!
25. DRM (cont.)
• Multiple examples of abuse: WmvDownloader-A, WmvDownloader-B
• The malware comes as a DRM license installer and its code is quite obfuscated.
• It could tell the user to ‘install codec’, or ‘download a legitimate license’.
27. DRM (cont.)
• Or threaten the user to ‘accept license terms’.
• Example: http://www.icpp-online.com/
28. URLANDEXIT
• Microsoft says that script commands can contain instructions that enhance the playback experience.
• URLANDEXIT may open your internet browser and display a related web page while the player plays back content.
29. URLANDEXIT (cont.)
• Enter the Win32.ASF-Hijacker.A trojan, which searches for MP2, MP3 and ASF files on the local HD and shares
– Converts MP2 and MP3 to ASF.
– Then injects a URLANDEXIT command into the media pointing to a site isvbr.net hosted in Hong Kong that serves malware.
– The trojan disables URLANDEXIT functionality, so the user’s media will play as before, yet he may share infected media via P2P with other victims.
31. URLANDEXIT (cont.)
• Some of these malware torrents have a README.TXT.LNK file that’s actually a malware executable, while the video is genuine.
• Others have a malware video, and a real README.TXT conveniently tells you to either download a codec from a specific URL or install their own fully coded player.
32. Ghost Writer Noir
• Viewing a video pops up a window to download a codec (Trojan-Dropper.Win32) served from tpbtrack.com, microsoftmedicenter.com
33. Case 3: JPEG GDI Exploit
• Back in 2004, Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed.
• Surprisingly, many computers are still not patched.
• There is a similar exploit affecting PNG images in all Gecko-based browsers (Mozilla, Firefox, Camino)
34. JPEG GDI (cont.)
• The JPEG exploit first appeared on several Usenet newsgroups that contained erotic images, images of Angelina Jolie, etc.
• Upon viewing a JPEG file, a buffer overflow writes shellcode to the user’s computer, which allows the attacker to remotely interact with the user’s system as if they were sitting at the local console.
38. To disable URLANDEXIT
• Edit the following registry key (set a value to 0 to disable it): HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
- PlayerScriptCommandsEnabled: disabled by default (since 2003)
- WebScriptCommandsEnabled: default is 1 (enabled)
- URLAndExitCommandsEnabled: default is 1 (enabled)
39. To disable DRM auto-downloads
• In Windows Media Player, disable “Download usage rights automatically”.
• Be wary of any popups you consent to.
40. To detect GDI JPEG vulnerabilities
• The GDI Scan tool will scan your HD for gdiplus.dll and other files to see if they are vulnerable.
• Many (but not all) A/Vs already detect malicious JPEGs.
• Make sure you are up to date with Windows XP Service Pack 2 (SP2).
41. Detecting malicious ASF files
• Usually, malicious music/video files will adhere to the same structure.
– There’s a real music/video snippet.
– Then at some point, a script command is used to trigger the download of malware from the hacker’s URL.
– The command has a predictable byte sequence, which is either URLANDEXIT(…) or <LAINFO>…</LAINFO> for DRM abuse.
– The rest of the file may be padded to make its length look plausible.
[Diagram of the file layout: Real video | Goto(URL) | Padding | Real video]
43. Our Tool
• Given a torrent URL, it downloads the torrent pieces sequentially.
• As it downloads pieces, it uses Boyer-Moore string search for any URLANDEXIT or LAINFO commands and extracts the URL.
• It then sends a request to the WoT (Web of Trust) server to gauge the URL’s reputation.
• If the URL is trustworthy, or no script commands are present, then the media file is ranked safe.
• http://code.google.com/p/videosearcher/
44. Our Tool (cont.)
• Sample output
root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# Downloading torrent information from http://dl7.torrentreactor.net/download.php?id=3204949
Opening torrent file...
Number torrent pieces 700
-------------------------
733012295
The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
Torrent file 0
Torrent file starts at piece 0
Torrent file length 10
-------------------------
Starting download of The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
29.71% complete (down: 0.0 kb/s up: 0.0 kB/s peers: 0. ) checking. Downloaded pieces 208, Pieces 0 1 2 3 4 5 6 7
sequential torrent download....
root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# python video_search.py
Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in file: VIRUS-VIDEO.AVI
Positions of ['U', 'x00', 'R', 'x00', 'L', 'x00', 'A', 'x00', 'N', 'x00', 'D', 'x00', 'E', 'x00', 'X', 'x00', 'I', 'x00', 'T', 'x00'] and ['x00', 'x00', 'x00', '6']
startPos = 1939
endPos = 2017
================================================================
The extracted URL: http://freaktorrents.info/locked/3
Checking reputation of url: http://freaktorrents.info/locked/3
(Trustworthiness, Reliability)= [5, 44]
Reliability is > 20, so I'll proceed
Trustworthiness is < 60, so this is a bad site!
45. Entropy of Malicious ASF Files
• An additional way of distinguishing malware ASF files would be by computing their entropy.
• Often the padding is totally random or a repetitive fixed string.
• Also, script commands change the entropy of the video stream [trustedsource.com]
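An added example, not the VideoSearch tool itself, that combines the checks from slides 41, 43 and 45: it searches for the URLANDEXIT and <LAINFO> markers in UTF-16LE and ASCII form, pulls out the URL that follows, computes byte entropy to spot padding, and applies the reputation thresholds printed in the sample output. The input bytes and the domain are constructed placeholders, and the network lookup to WoT is left out.

```python
import math
import re

# Byte patterns the slides call predictable: the URLANDEXIT script command and
# the <LAINFO> DRM license tag. ASF strings are UTF-16LE; the ASCII form is
# searched as well so the same scanner also covers plain-text variants.
MARKERS = [(m.encode("utf-16-le"), True) for m in ("URLANDEXIT", "<LAINFO>")] + \
          [(m.encode("ascii"), False) for m in ("URLANDEXIT", "<LAINFO>")]
URL_RE = re.compile(r"https?://[\x21-\x3b\x3d\x3f-\x7e]+")  # printable ASCII, no < >

def _decode(window: bytes, utf16: bool) -> str:
    if utf16:  # drop a trailing odd byte so the decoder only sees whole code units
        return window[: len(window) & ~1].decode("utf-16-le", errors="replace")
    return window.decode("latin-1")

def find_script_urls(data: bytes) -> list:
    """URLs that follow a script-command marker, in order of first appearance."""
    found = []
    for marker, utf16 in MARKERS:
        pos = data.find(marker)
        while pos != -1:
            # Commands are short, so only a bounded window after the marker is decoded.
            text = _decode(data[pos:pos + 1024], utf16)
            found += [u for u in URL_RE.findall(text) if u not in found]
            pos = data.find(marker, pos + 1)
    return found

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_reputation(trust: int, reliability: int) -> str:
    """Thresholds as printed in the tool's sample output (WoT scores run 0-99)."""
    if reliability <= 20:
        return "unknown"            # too few ratings to act on the score
    return "bad" if trust < 60 else "ok"

# Constructed stand-in for a tampered file: some 'video' bytes, a URLANDEXIT
# command pointing at a placeholder host, then repeated fixed-string padding.
SAMPLE = (bytes(range(64)) + "URLANDEXIT".encode("utf-16-le") + b"\x00\x00"
          + "http://malware.example.invalid/codec.exe".encode("utf-16-le")
          + b"\x00\x00" + b"PADPAD" * 200)
```

The low entropy of the trailing padding (about 1.6 bits per byte here, against roughly 8 for compressed video) is the signal slide 45 describes; a real scanner would compute it per window rather than over the whole file.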
46. Conclusion
• Staying away from shady or illegal websites won’t necessarily keep you safe these days.
• The ‘missing codec’ trick remains one of the most widespread and successful social-engineering tricks.
• Disable Windows Media Player’s URLANDEXIT command and DRM auto-download behavior.
• Use our VideoSearch Tool to look for malicious scripts inside ASF files.