Malware Goes to the Movies
Aleksandr Yampolskiy, Ph.D.
Director of Security and Compliance
Gilt Groupe
Agenda
• Overview
• Media Malware Trends
• Media Attack Vectors
• Case Studies
• Detection and Protection
Why Use Media to Spread Malware?
• Media is everywhere.
  - Internet users in the U.S. alone viewed 14.3 billion videos in December (CNN, 2/6/09).
  - At least 7 million people in Britain use illegal music downloads (Guardian, 5/29/09).
  - There are 5.6 million Angelina Jolie images on Google.
• How many of these are malicious?
Most People Don't Know Media Can Spread Viruses
[Chart: share of respondents rating each site safe: 98%, 10%, 50%, 0%]
• We polled 500 IT professionals on which of these sites could be malicious.
• Roughly 50% of them thought YouTube movies on a friend's blog are perfectly safe.
• What percent of average consumers would think it's safe?
Media Malware Trends
• Interestingly, attacks are often not targeted.
• Social engineering and blackhat SEO are used to entice the victim to view the content.
• Rough malware breakdown: 50% videos, 30% music, 20% images.
• Commonly spread through social websites, news-site imitations, and P2P sites.
Distribution Channels
• Malware distributed through social networking sites (Facebook, MySpace, Odnoklassniki, etc.) has a 10% success rate in terms of infection, versus a 1% success rate via email.
[Chart: total number of malicious programs targeting social networking sites]
Breaking News Videos
• During Q1 2010, attackers took advantage of every major newsworthy event to lure visitors to infected sites, e.g., the Erin Andrews tape, the iPad release, the Avatar blockbuster, the earthquake in Haiti, the terrorist bombings in Moscow. [Kaspersky Report]
• Out of 100 million blog posts, the eSoft team uncovered 700,000 malicious fake YouTube pages (0.7%). [SC Magazine US, 6/09/10]
P2P Video/Audio Files
• Using a custom tool, we analyzed all torrent videos of The Ghost Writer (2010) found through isoHunt.
• Before the DVD release, only 10 of 570 videos (1.75%) didn't contain malware.
• After the DVD release, 450 of 681 (66%) were clean.
Image Files
• Malformed image attacks accounted for 10% of web attacks in 2009.
  – Often the images were hosted on legitimate sites, but with forged MIME types, or with PHP nestled in the text comment fields of otherwise legitimate GIF or JPG images. [ScanSafe 2009 report]
  – JPEG GDI+ buffer overflow vulnerabilities (MS04-028).
[Image: malicious image files]
Attack Vectors
• MS video/music (ASF, WMV, WMA)
  – URLANDEXIT script command
  – DRM functionality abuse
  – Renaming tricks: Movie.avi.exe
• Images
  – Hiding PHP commands in comment fields
  – JPEG GDI+ overflow
  – Renaming tricks: angelina.jpg.exe
• "YouTube" videos (Flash)
  – Flash getURL commands
  – Various Adobe vulnerabilities
Attack Vectors (cont.)
• For video/music files, social engineering is used to trick the user into
  – 'downloading a codec' to play the video, or
  – clicking 'yes' in a popup on license terms, or 'downloading a license key'.
• For images, often no user interaction is needed.
• For online Flash videos, consent to 'downloading a codec'.
Case Studies
Case 1: Fake YouTube Videos
• YouTube uses the Adobe Flash plug-in.
• Flash had the worst security record of 2009.
  – Multiple critical vulnerabilities via malicious SWFs (APSB08-11).
  – Supports the script commands getURL() and navigateToURL() to load documents from specified URLs.
• YouTube is severely restricted (up-to-date patches, disabled script commands), so it's "safe".
• Can we say the same about a random blog?
• Can a good web designer make a blog video look very much like a YouTube video?
Fake YouTube Videos (cont.)
• Actually, you don't even need to be a good web designer.
• YTFakeCreator lets you create fake YouTube look-alikes and attach malicious payloads.
• Typically, the user is prompted to download a 'codec' (which is really a malware stub).
Fake YouTube Videos (cont.)
Koobface Virus
• Many of these viruses spread through social sites.
Fake YouTube Videos (cont.)
• A concrete example: Erin Andrews is an ESPN sportscaster who was secretly videotaped through a hotel peephole in July 2009.
• Shortly thereafter, a site hosting the tape, video.report-cnn.com, appeared.
• The lure page shows a fake popup-blocker message:
  "LIVE VIDEO PLAYER BLOCKED. Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below. [click]"
Fake YouTube Videos (cont.)
• Most of the page is genuine CNN content pulled in through IFRAMEs so that it looks authentic (framing legitimate content for credibility rather than clickjacking in the strict sense), but the malware is served from mediaplayer.4upd.com.
• The malware has two novel ideas. After clicking on the link:
  – The video actually plays, to alleviate suspicion.
  – Different malware is served for different OSes (Macs get infected with the OSX/Jahlav-C trojan; Windows gets infected with a rogue antivirus, Mal/EncPK-IF or Mal/FakeAV-AY).
• Page source of the player (the capture is truncated). Note allowScriptAccess="always", which lets the attacker-hosted SWF call JavaScript in the embedding page:
<!-- LARGE PLAYER HTML CODE -->
<div id="cnnVPFlashLarge" style="position: relative;">
  <div style="border-style: solid; border-color: rgb(230, 230, 230); border-width: 1px 1px 0px; width: 574px; height: 372px;" id="cnnVPFlashLargeContainer">
    <object height="372" width="574">
      <param name="movie" value="http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video">
      <param name="allowScriptAccess" value="always">
      <embed src="http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video" allowscriptaccess="always" height="372" width="574"></embed>
    </object>
  </div>
  <div id="cnnVPInfoLMy">
    <div id="cnnVPInfoLeftCol">
      <div style="padding: 8px 10px 0px;" id="cont
Lots of people fell for this!
The hacker created other sites
• A simple lookup through Maltego reveals that he created similar sites dedicated to sex, breaking news, and online gambling.
Case 2: ASF Exploits
• ASF is a Microsoft proprietary container for streaming media (.asf, .wma, .wmv).
  – It consists of objects, each introduced by a 128-bit GUID that identifies the object type and a 64-bit little-endian object size.
  – It has a framework for Digital Rights Management that downloads licenses from URLs.
  – Script commands (such as URLANDEXIT, which opens a URL) can be embedded in the stream.
• Many players support it: Windows Media Player, RealPlayer, MPlayer, Zune, Flip4Mac (the QuickTime component), FFmpeg-based players on Linux, etc.
• Interestingly, if you rename an ASF file to .AVI, Windows will still interpret it as ASF: the player identifies the format from the header GUID, not from the extension, so the rename hides nothing from the parser and only misleads the user.
DRM
• DRM aims to let the distributor of audio/video control how it's used.
• The client (i.e., the media player) can request a license from a license server in order to play the file.
• It turns out the request goes over plain HTTP to a URL carried in the file itself, and the license server returns the prompt message that the client displays to the user!
DRM (cont.)
• Multiple examples of abuse: WmvDownloader-A, WmvDownloader-B.
• The malware comes as a DRM license installer, and its code is quite obfuscated.
• It could tell the user to 'install a codec' or 'install a missing codec', or to 'download a legitimate license'.
• Or it could pressure the user to 'accept license terms'.
• Example: http://www.icpp-online.com/
URLANDEXIT
• Microsoft says that script commands can contain instructions that enhance the playback experience.
• URLANDEXIT may open your internet browser and display a related web page while the player plays back the content.
URLANDEXIT (cont.)
• Enter Win32.ASF-Hijacker.A, a trojan that searches for MP2, MP3, and ASF files on the local hard drive and on network shares.
  – It converts MP2 and MP3 files to ASF.
  – It then injects a URLANDEXIT command into the media pointing to isvbr.net, a site hosted in Hong Kong that serves malware.
  – The trojan disables URLANDEXIT functionality on the infected machine, so the user's media plays as before, yet they may share the infected media via P2P with other victims.
URLANDEXIT (cont.)
• Alternatively, attackers may create their own malware videos and poison search-engine results.
• Some of these malware torrents ship a README.TXT.LNK file that is actually a malicious Windows shortcut (Explorer never shows the .LNK extension, so it appears as README.TXT), while the video is genuine.
• Others have a malware video, and a real README.TXT conveniently tells you to either download a codec from a specific URL or install their own custom player.
Ghost Writer Noir
• Viewing the video pops up a window to download a codec (Trojan-Dropper.Win32) served from tpbtrack.com and microsoftmedicenter.com.
Case 3: JPEG GDI Exploit
• Back in 2004, Microsoft announced a buffer overrun in the GDI+ JPEG parser (gdiplus.dll), MS04-028: a COM (comment) segment whose 2-byte length field is 0 or 1 makes the parser compute a wrapped-around data length and overrun the heap.
• Surprisingly, many computers are still not patched.
• There is a similar exploit affecting PNG images in all Gecko-based browsers (Mozilla, Firefox, Camino).
JPEG GDI (cont.)
• The JPEG exploit first appeared on several Usenet newsgroups, inside erotic images, images of Angelina Jolie, etc.
• Upon viewing the JPEG, the buffer overflow runs attacker-supplied shellcode on the user's computer, which lets the attacker interact with the system remotely as if sitting at the local console.
Exploits are readily available
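The two image tricks the deck describes (PHP hidden in comment fields, and the MS04-028 COM-length bug in Case 3) can both be checked with one walk over a JPEG's marker segments. The following is an added example written for this page; it is not the deck's tool and not Microsoft's parser. It parses the segment table, flags a COM segment whose 2-byte length field is below 2 (the malformed value the GDI+ parser mishandled), and flags PHP open tags in COM/APPn payloads. The sample JPEGs are constructed inline and are not real images; GIF comment extensions would need a separate walker and are not covered here.

```python
"""Check a JPEG's marker segments for the two image-borne tricks in the deck:
a COM (comment) segment whose length field is below 2 (the MS04-028 GDI+
buffer overrun trigger) and PHP code hidden in comment/APPn metadata."""
import struct

JPEG_SOI = b"\xff\xd8"
MARKER_COM, MARKER_SOS, MARKER_EOI = 0xFE, 0xDA, 0xD9
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0..RST7 carry no length
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def jpeg_segments(data):
    """Yield (marker, length_field, payload) for each segment up to and including SOS.
    Stops after a length field below 2: no honest segment is that short, and
    advancing by it would walk into the bogus data."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI)")
    off = 2
    while off + 2 <= len(data):
        if data[off] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {off}")
        marker = data[off + 1]
        if marker == 0xFF:            # fill byte before a marker
            off += 1
            continue
        if marker == MARKER_EOI:
            return
        if marker in STANDALONE:
            off += 2
            continue
        if off + 4 > len(data):
            raise ValueError(f"segment at {off} truncated before its length field")
        (length,) = struct.unpack_from(">H", data, off + 2)  # length includes its own 2 bytes
        payload = data[off + 4:off + 2 + length] if length >= 2 else b""
        yield marker, length, payload
        if marker == MARKER_SOS or length < 2:
            return
        off += 2 + length


def scan_jpeg(data):
    """Return [(severity, message), ...]; an empty list means nothing was found."""
    findings = []
    try:
        for marker, length, payload in jpeg_segments(data):
            if marker == MARKER_COM and length < 2:
                findings.append(("critical",
                                 f"COM segment length field {length} < 2: MS04-028 GDI+ underflow trigger"))
            if marker == MARKER_COM or 0xE0 <= marker <= 0xEF:  # COM or APP0..APP15
                for tag in PHP_OPEN_TAGS:
                    if tag in payload:
                        findings.append(("suspicious",
                                         f"PHP open tag {tag!r} inside 0xFF{marker:02X} metadata segment"))
                        break
    except ValueError as exc:
        findings.append(("malformed", str(exc)))
    return findings


def build_jpeg(com_segments):
    """Constructed minimal JPEG (test data, not a real image): SOI, a JFIF APP0,
    the given (length_field, payload) COM segments, an empty SOS, then EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    out = JPEG_SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    for length_field, payload in com_segments:
        out += bytes([0xFF, MARKER_COM]) + struct.pack(">H", length_field) + payload
    return out + bytes([0xFF, MARKER_SOS]) + struct.pack(">H", 2) + bytes([0xFF, MARKER_EOI])


if __name__ == "__main__":
    for label, segs in (("clean", [(7, b"hello")]),
                        ("php-in-comment", [(18, b"<?php echo 1; ?>")]),
                        ("ms04-028", [(0, b"")])):
        print(label, scan_jpeg(build_jpeg(segs)))
```

The parser deliberately stops at a bad length instead of trying to resynchronise, which is the safe behaviour for a scanner; a decoder that instead trusted the field is exactly what the 2004 bug was.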
Detection and Protection
• Turn off the unused features.
To disable URLANDEXIT
• Edit the following registry key (the values are REG_DWORD; 0 disables):
  HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
  - PlayerScriptCommandsEnabled: disabled by default (since 2003)
  - WebScriptCommandsEnabled: default is 1 (enabled); set to 0
  - URLAndExitCommandsEnabled: default is 1 (enabled); set to 0
To disable DRM auto-downloads
• In Windows Media Player, disable "Download usage rights automatically".
• Be wary of any popups you consent to.
To detect GDI JPEG vulnerabilities
• The GDI Scan tool will scan your hard drive for gdiplus.dll and other files to see if they are vulnerable.
• Many (but not all) A/Vs already detect malicious JPEGs.
• Make sure you are at least on Windows XP SP2.
Detecting malicious ASF files
• Usually, malicious music/video files adhere to the same structure:
  – There's a real music/video snippet.
  – Then at some point, a script command is used to trigger a download of malware from the attacker's URL.
  – The command has a predictable byte sequence: either URLANDEXIT(...) in the Script Command Object, or <LAINFO>...</LAINFO> for DRM abuse.
  – The rest of the file may be padded to make its length look plausible.
[Diagram: file layout: real video | Goto(URL) | padding | real video]
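The ASF structure described in Case 2 (objects introduced by a GUID and a 64-bit size) and the detection logic just described fit together as a header walker. The following is an added example written for this page, not the deck's videosearcher tool: it locates the Script Command Object inside the Header Object, decodes its command types and entries according to the layout in the ASF specification (so URLANDEXIT and its URL come out as structured fields rather than a raw byte match), and falls back to a raw byte search for <LAINFO> blocks the way the deck's tool does. The sample file is constructed by build_sample_asf and is not a real movie; the set of command types treated as suspicious is my choice, not the deck's.

```python
"""Walk an ASF (.asf/.wmv/.wma) header and pull out Script Command entries,
flagging URLANDEXIT commands and DRM <LAINFO> license prompts."""
import re
import struct
import uuid

# Object GUIDs from the ASF specification.  The file stores them in
# Microsoft GUID byte order, which uuid.UUID(...).bytes_le reproduces.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
ASF_SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6").bytes_le

# Command types that hand control to a browser (my choice; the deck's cases use URLANDEXIT).
BROWSER_COMMAND_TYPES = {"URLANDEXIT", "URL"}


def _wchars(buf, off, nchars):
    """Decode nchars UTF-16LE code units at off; return (text, offset after them)."""
    end = off + 2 * nchars
    if end > len(buf):
        raise ValueError("string runs past end of object")
    return buf[off:end].decode("utf-16-le", "replace").rstrip("\x00"), end


def parse_script_command_object(body):
    """Parse a Script Command Object body (everything after its GUID and size).
    Layout: reserved GUID(16), Commands Count(2), Command Types Count(2),
    each type as {Name Length(2), Name UTF-16LE}, then each command as
    {Presentation Time ms(4), Type Index(2), Name Length(2), Name UTF-16LE}.
    Returns [(presentation_ms, type_name, command_text), ...]."""
    if body[:16] != ASF_SCRIPT_COMMAND_RESERVED:
        raise ValueError("Script Command Object has wrong reserved GUID")
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)
    off, types = 20, []
    for _ in range(n_types):
        (nchars,) = struct.unpack_from("<H", body, off)
        name, off = _wchars(body, off + 2, nchars)
        types.append(name)
    commands = []
    for _ in range(n_cmds):
        pres_ms, type_idx, nchars = struct.unpack_from("<IHH", body, off)
        text, off = _wchars(body, off + 8, nchars)
        type_name = types[type_idx] if type_idx < len(types) else f"type#{type_idx}"
        commands.append((pres_ms, type_name, text))
    return commands


def scan_asf(data):
    """Return [(severity, message), ...]: 'not-asf', 'malformed',
    'suspicious' (URLANDEXIT or LAINFO) or 'info' (other script commands)."""
    findings = []
    if data[:16] != ASF_HEADER_OBJECT:
        return [("not-asf", "missing ASF Header Object GUID")]
    (header_size,) = struct.unpack_from("<Q", data, 16)
    if header_size > len(data):
        findings.append(("malformed", f"header claims {header_size} bytes, file has {len(data)}"))
    end = min(header_size, len(data))
    off = 30  # GUID(16) + size(8) + object count(4) + two reserved bytes
    while off + 24 <= end:
        guid = data[off:off + 16]
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            findings.append(("malformed", f"object at {off} has impossible size {size}"))
            break
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            try:
                for pres_ms, type_name, text in parse_script_command_object(data[off + 24:off + size]):
                    sev = "suspicious" if type_name.upper() in BROWSER_COMMAND_TYPES else "info"
                    findings.append((sev, f"{type_name} at {pres_ms} ms -> {text}"))
            except (ValueError, struct.error) as exc:
                findings.append(("malformed", f"bad Script Command Object: {exc}"))
        off += size
    # DRM abuse: the license prompt sits in an <LAINFO> block; match it as ASCII
    # and as UTF-16LE over the raw bytes, as the deck's tool does.
    for enc in ("ascii", "utf-16-le"):
        pattern = re.escape("<LAINFO>".encode(enc)) + rb"(.{0,400}?)" + re.escape("</LAINFO>".encode(enc))
        for m in re.finditer(pattern, data, re.S):
            findings.append(("suspicious", "LAINFO block: " + m.group(1).decode(enc, "replace")[:80]))
    return findings


def verdict(data):
    """Collapse scan_asf findings to a single label."""
    sevs = {sev for sev, _ in scan_asf(data)}
    for label in ("not-asf", "suspicious", "malformed"):
        if label in sevs:
            return label
    return "clean"


def build_sample_asf(command_text, command_type="URLANDEXIT"):
    """Constructed minimal ASF header with one script command (test data, not a
    real movie): Header Object wrapping one Script Command Object, then 64 zero
    bytes standing in for the Data Object."""
    def wstr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = ASF_SCRIPT_COMMAND_RESERVED + struct.pack("<HH", 1, 1) + wstr(command_type)
    body += struct.pack("<IHH", 5000, 0, len(command_text)) + command_text.encode("utf-16-le")
    script_obj = ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    header = ASF_HEADER_OBJECT + struct.pack("<Q", 30 + len(script_obj)) + struct.pack("<IBB", 1, 1, 2) + script_obj
    return header + b"\x00" * 64


if __name__ == "__main__":
    sample = build_sample_asf("http://freaktorrents.info/locked/3")  # URL from the deck's sample output
    for sev, msg in scan_asf(sample):
        print(sev, msg)
    print(verdict(sample))
```

Walking the object table rather than grepping for "URLANDEXIT" also catches a command whose type was renamed or whose URL is not http://, and it surfaces a header whose declared sizes do not fit the file, which is itself worth a look.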
Detecting malicious ASF files (cont.)
Our Tool
• Given a torrent URL, it downloads the torrent pieces sequentially.
• As it downloads pieces, it runs a Boyer-Moore string search for any URLANDEXIT or LAINFO commands and extracts the URL.
• It then sends a request to the WOT (Web of Trust) server to gauge the URL's reputation.
• If the URL is trustworthy, or no script commands are present, the media file is ranked safe. (Absence of these two patterns is not proof of safety: a torrent can still carry a renamed executable or a malicious .LNK alongside a genuine video.)
• http://code.google.com/p/videosearcher/
Our Tool (cont.)
• Sample output:
root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# Downloading torrent information from http://dl7.torrentreactor.net/download.php?id=3204949
Opening torrent file...
Number torrent pieces 700
-------------------------
733012295
The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
Torrent file 0
Torrent file starts at piece 0
Torrent file length 10
-------------------------
Starting download of The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
29.71% complete (down: 0.0 kb/s up: 0.0 kB/s peers: 0. ) checking. Downloaded pieces 208, Pieces 0 1 2 3 4 5 6 7
sequential torrent download....
root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# python video_search.py
Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in file: VIRUS-VIDEO.AVI
Positions of ['U', '\x00', 'R', '\x00', 'L', '\x00', 'A', '\x00', 'N', '\x00', 'D', '\x00', 'E', '\x00', 'X', '\x00', 'I', '\x00', 'T', '\x00'] and ['\x00', '\x00', '\x00', '6']
startPos = 1939
endPos = 2017
================================================================
The extracted URL: http://freaktorrents.info/locked/3
Checking reputation of url: http://freaktorrents.info/locked/3
(Trustworthiness, Reliability)= [5, 44]
Reliability is > 20, so I'll proceed
Trustworthiness is < 60, so this is a bad site!
Entropy of Malicious ASF Files
• An additional way of distinguishing malware ASF files would be to compute their entropy.
• Often the padding is either totally random or a repeated fixed string.
• Script commands also change the entropy of the video stream. [trustedsource.com]
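A sliding-window entropy profile is the usual way to act on the observation above. The following is an added example written for this page (not from the deck or from trustedsource.com). One caveat the slide does not make: compressed video is itself close to 8 bits per byte, so truly random padding cannot be told apart from content by entropy alone. What entropy does find is constant or short-period padding; to also catch a longer repeated fixed string, whose byte entropy looks ordinary, the example additionally measures each window's zlib compressibility. The sample data is constructed inline and stands in for a tampered file; the window size and thresholds are my choices.

```python
"""Per-window entropy and compressibility of a media file, to locate padding."""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(chunk):
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def compress_ratio(chunk):
    """Compressed size / raw size: about 1.0 for random or already-compressed
    data, near 0 for repetitive padding."""
    return len(zlib.compress(chunk, 6)) / len(chunk) if chunk else 1.0


def entropy_profile(data, window=4096):
    """[(offset, entropy_bits, compress_ratio), ...] for consecutive windows."""
    return [(off, shannon_entropy(data[off:off + window]), compress_ratio(data[off:off + window]))
            for off in range(0, len(data), window)]


def is_padding(entropy_bits, ratio, max_entropy=1.0, max_ratio=0.1):
    """Constant or near-constant bytes fail the entropy test; a longer repeated
    string has ordinary-looking entropy but compresses almost to nothing."""
    return entropy_bits < max_entropy or ratio < max_ratio


def padded_regions(data, window=4096):
    """Merge adjacent padding windows into (start, end) byte ranges."""
    regions = []
    for off, h, r in entropy_profile(data, window):
        if not is_padding(h, r):
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + window)
        else:
            regions.append((off, off + window))
    return [(s, min(e, len(data))) for s, e in regions]


def constructed_sample():
    """Constructed stand-in for a tampered file (test data, not a real movie):
    8 KiB of pseudo-random bytes (compressed video looks statistically similar),
    8 KiB of zero padding, 8 KiB of a repeated fixed string, then the 'video' again."""
    rng = random.Random(7)
    media = bytes(rng.getrandbits(8) for _ in range(8192))
    return media + b"\x00" * 8192 + b"PADDING!" * 1024 + media


if __name__ == "__main__":
    data = constructed_sample()
    for off, h, r in entropy_profile(data):
        flag = "PADDING" if is_padding(h, r) else ""
        print(f"{off:6d}  entropy={h:5.2f}  ratio={r:5.3f}  {flag}")
    print("padded regions:", padded_regions(data))
```

On the constructed sample the zero run is caught by entropy and the repeated "PADDING!" run only by compressibility, so both measures are needed; neither flags the pseudo-random "video" windows, which is the limitation noted above.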
Conclusion
• Staying away from shady or illegal websites won't necessarily keep you safe these days.
• The 'missing codec' trick remains one of the most widespread and successful social-engineering tricks.
• Disable Windows Media Player's URLANDEXIT command and DRM auto-download behavior.
• Use our VideoSearch tool to look for malicious scripts inside ASF files.
Any Questions?

More Related Content

Viewers also liked

Inoculation strategies for victims of viruses
Inoculation strategies for victims of virusesInoculation strategies for victims of viruses
Inoculation strategies for victims of virusesAleksandr Yampolskiy
 
Urbanization
UrbanizationUrbanization
Urbanizationncoggan
 
Towards a theory of data entangelement
Towards a theory of data entangelementTowards a theory of data entangelement
Towards a theory of data entangelementAleksandr Yampolskiy
 
Class powerpoint
Class powerpointClass powerpoint
Class powerpointncoggan
 
Causes of dropping_out
Causes of dropping_outCauses of dropping_out
Causes of dropping_outisaflo
 
Spreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemSpreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemAleksandr Yampolskiy
 
Threshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsThreshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsAleksandr Yampolskiy
 
A verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysA verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysAleksandr Yampolskiy
 
New York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionNew York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionAleksandr Yampolskiy
 
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItYou Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItAleksandr Yampolskiy
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About itAleksandr Yampolskiy
 

Viewers also liked (17)

Inoculation strategies for victims of viruses
Inoculation strategies for victims of virusesInoculation strategies for victims of viruses
Inoculation strategies for victims of viruses
 
Urbanization
UrbanizationUrbanization
Urbanization
 
Towards a theory of data entangelement
Towards a theory of data entangelementTowards a theory of data entangelement
Towards a theory of data entangelement
 
Class powerpoint
Class powerpointClass powerpoint
Class powerpoint
 
Search Engine Marketing
Search Engine MarketingSearch Engine Marketing
Search Engine Marketing
 
Causes of dropping_out
Causes of dropping_outCauses of dropping_out
Causes of dropping_out
 
Spreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemSpreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape Problem
 
Threshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random PermutationsThreshold and Proactive Pseudo-Random Permutations
Threshold and Proactive Pseudo-Random Permutations
 
A verifiable random function with short proofs and keys
A verifiable random function with short proofs and keysA verifiable random function with short proofs and keys
A verifiable random function with short proofs and keys
 
New York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome SessionNew York REDIS Meetup Welcome Session
New York REDIS Meetup Welcome Session
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
 
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItYou Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
Social media security challenges
Social media security challengesSocial media security challenges
Social media security challenges
 
Social Engineering and What to do About it
Social Engineering and What to do About itSocial Engineering and What to do About it
Social Engineering and What to do About it
 
Number theory lecture (part 2)
Number theory lecture (part 2)Number theory lecture (part 2)
Number theory lecture (part 2)
 
Privacy and E-Commerce
Privacy and E-CommercePrivacy and E-Commerce
Privacy and E-Commerce
 

Similar to Malware goes to the movies

Malware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingMalware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingAleksandr Yampolskiy
 
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezCe hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezVi Tính Hoàng Nam
 
Unit 4,5, 62 ass 1 task 1
Unit 4,5, 62 ass 1 task 1Unit 4,5, 62 ass 1 task 1
Unit 4,5, 62 ass 1 task 1inwill12
 
iGCSE Theory Unit 6 – Effects of Using ICT
iGCSE Theory Unit 6 – Effects of Using ICTiGCSE Theory Unit 6 – Effects of Using ICT
iGCSE Theory Unit 6 – Effects of Using ICTjonspav
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
Video & AI: capabilities and limitations of AI in detecting video manipulations
Video & AI: capabilities and limitations of AI in detecting video manipulationsVideo & AI: capabilities and limitations of AI in detecting video manipulations
Video & AI: capabilities and limitations of AI in detecting video manipulationsVasileiosMezaris
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxDrMajidMumtaz
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012DefCamp
 
The Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityThe Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityAVG Technologies AU
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresAlexander Benoit
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)ITCamp
 
Interactive media guide
Interactive media guideInteractive media guide
Interactive media guidebrownjordan
 
Software update for IoT: the current state of play
Software update for IoT: the current state of playSoftware update for IoT: the current state of play
Software update for IoT: the current state of playChris Simmonds
 

Similar to Malware goes to the movies (20)

Malware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingMalware Goes to the Movies - Briefing
Malware Goes to the Movies - Briefing
 
787
787787
787
 
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezCe hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warez
 
Unit 4,5, 62 ass 1 task 1
Unit 4,5, 62 ass 1 task 1Unit 4,5, 62 ass 1 task 1
Unit 4,5, 62 ass 1 task 1
 
iGCSE Theory Unit 6 – Effects of Using ICT
iGCSE Theory Unit 6 – Effects of Using ICTiGCSE Theory Unit 6 – Effects of Using ICT
iGCSE Theory Unit 6 – Effects of Using ICT
 
Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
Video & AI: capabilities and limitations of AI in detecting video manipulations
Video & AI: capabilities and limitations of AI in detecting video manipulationsVideo & AI: capabilities and limitations of AI in detecting video manipulations
Video & AI: capabilities and limitations of AI in detecting video manipulations
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012
 
The Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityThe Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our Community
 
Gk
GkGk
Gk
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included features
 
Video in html 5
Video in html 5Video in html 5
Video in html 5
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
 
Interactive media guide
Interactive media guideInteractive media guide
Interactive media guide
 
Ransomware 0 admins 1
Ransomware 0 admins 1Ransomware 0 admins 1
Ransomware 0 admins 1
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Software update for IoT: the current state of play
Software update for IoT: the current state of playSoftware update for IoT: the current state of play
Software update for IoT: the current state of play
 

More from Aleksandr Yampolskiy

"Managing software development" by Peter Bell
"Managing software development" by Peter Bell"Managing software development" by Peter Bell
"Managing software development" by Peter BellAleksandr Yampolskiy
 
Recruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsRecruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsAleksandr Yampolskiy
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Secure information aggregation in sensor networks
Secure information aggregation in sensor networksSecure information aggregation in sensor networks
Secure information aggregation in sensor networksAleksandr Yampolskiy
 
Price of anarchy is independent of network topology
Price of anarchy is independent of network topologyPrice of anarchy is independent of network topology
Price of anarchy is independent of network topologyAleksandr Yampolskiy
 

More from Aleksandr Yampolskiy (8)

"Managing software development" by Peter Bell
"Managing software development" by Peter Bell"Managing software development" by Peter Bell
"Managing software development" by Peter Bell
 
Recruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy StepsRecruiting Great Engineers in Six Easy Steps
Recruiting Great Engineers in Six Easy Steps
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
Number theory lecture (part 1)
Number theory lecture (part 1)Number theory lecture (part 1)
Number theory lecture (part 1)
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Secure information aggregation in sensor networks
Secure information aggregation in sensor networksSecure information aggregation in sensor networks
Secure information aggregation in sensor networks
 
Price of anarchy is independent of network topology
Price of anarchy is independent of network topologyPrice of anarchy is independent of network topology
Price of anarchy is independent of network topology
 
Business Case Studies
Business Case Studies Business Case Studies
Business Case Studies
 

Malware goes to the movies

  • 1. Malware Goes to the Movies Aleksandr Yampolskiy, Ph.D. Director of Security and Compliance Gilt Groupe
  • 2. Agenda Overview • Media Malware Trends • Media Attack Vectors • Case Studies • Detection and Protection
  • 3. Why Use Media to Spread Malware? • Media is everywhere. - Internet users in the U.S. alone viewed 14.3 billion videos in December (CNN, 2/6/09). - At least 7 million people in Britain use illegal music downloads (Guardian, 5/29/09). - There are 5.6 million Angelina Jolie images on Google. • How many of these are malicious?
  • 4. Most People Don’t Know Media Can Spread Viruses 98% 10% 50% 0% • We’ve polled 500 IT professionals which of these sites could be malicious? • Roughly 50% of them thought Youtube movies on a friend’s blog are perfectly safe. • What percent of average consumers would think it’s safe?
  • 5. Agenda • Overview Media Malware Trends • Media Attack Vectors • Case Studies • Detection and Protection
  • 6. Media Malware Trends • Interestingly, attacks are often not targeted. • Social engineering and blackhat SEO - used to entice victim to view the content. • Rough malware breakdown: 50% videos, 30% music, 20% images. • Commonly spread through social websites, news-site imitations, P2P sites.
  • 7. Distribution Channels • Malware distributed through social networking sites (Facebook, myspace, odnoklasniki, etc.) has a 10% success rate in terms of infection versus 1% success rate via email. Total number of malicious programs targeting social networking sites
  • 8. Breaking News Videos • During Q1 2010, hackers took advantage of every major newsworthy event to lure visitors into infected sites. E.g., Erin Andrews tape, release of Ipad, Avatar blockbuster, earthquake in Haiti, terrorist bombings in Moscow [Kaspersky Report] • Out of 100 million blog posts, eSOFT team uncovered 700,000 malicious fake YouTube pages (0.7%). [SC Magazine US, 6/09/10]
  • 9. P2P Video/Audio Files • Using a custom tool, analyzed all torrent videos of Ghost Writer (2010) movie found through Isohunt. • Before the DVD release, only 10 of 570 videos (1.75%) didn’t contain malware. • After the DVD release, 450 of 681 (66%) were clean.
  • 10. Image Files • Malformed image attacks accounted for 10% of web attacks in 2009. – Often images were hosted on legitimate sites, but MIME types are forged or PHP nestled in text comment fields of legitimate GIF or JPG images. [ScanSafe 2009 report] – JPEG GDI buffer overflow vulnerabilities Malicious image files
  • 11. Agenda • Overview • Media Malware Trends Media Attack Vectors • Case Studies • Detection and Protection
  • 12. Attack Vectors URLANDEXIT command DRM functionality abuse Renaming tricks Movie.avi.exe Hiding PHP commands in comments JPEG GDI overflow Renaming tricks angelina.jpg.exe Flash getURL commands Various Adobe vulnerabilities MS Video/Music Hiding PHP commands in comments JPEG GDI overflow Images “Youtube” Videos
  • 13. Attack Vectors (cont.) • For video/music files, social engineering is used to trick user into accepting to – ‘download codec’ to play video. – ‘clicking yes in popup on license terms’ or ‘download license key’. • For images, often no user interaction is needed. • For online Flash videos – Consent to ‘downloading codec’
  • 14. Agenda • Overview • Media Malware Trends • Media Attack Vectors Case Studies • Detection and Protection
  • 15. Case 1: Fake Youtube videos • Youtube uses Adobe Flash plug-in. • Flash has the worst security record in 2009. – Multiple critical vulnerabilities via malicious SWFs (APSB08-11) – Supports script commands getURL(), navigateToURL() to load documents from specific URLs. • Youtube is severely restricted (up-to-date patches, disabled script commands) so it’s “safe”. • Can we say the same about a random blog? • Can a good web designer make a blog video look very much like a Youtube video?
  • 16. Fake Youtube Videos (cont.) • Actually, you don’t even need to be a good web designer. • YTFakeCreator allows you to create fake Youtube look-alikes, and attach malicious payloads. • Typically, a user is prompted to download a ‘codec’ (which is really a malware stub).
  • 18. Koobface Virus • Many of these viruses spread through social sites.
  • 19. Fake Youtube videos (cont.) • A concrete example: Erin Andrews is an ESPN sportscaster, who was secretly videotaped through hotel peephole in July 09. • Shortly thereafter, a site video.report-cnn.com hosting the tape appeared. LIVE VIDEO PLAYER BLOCKED Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below. click
  • 20. Fake Youtube videos (cont.) • Most of the site is embedded through IFRAMES from CNN (aka clickjacking) but the malware is served from mediaplayer.4upd.com. • The malware has two novel ideas. After clicking on the link: – The video actually plays to alleviate suspicions – Different malware is served for different OS (MACs get infected with OSX/Jahlav-C trojan. Windows get infected with a rogue antivirus Mal/EncPK-IF or Mal/FakeAV-AY). •!-- LARGE PLAYER HTML CODE --> <div id="cnnVPFlashLarge" style="position: relative;"> <div style="border-style: solid; border-color: rgb(230, 230, 230); border-width: 1px 1px 0px; width: 574px; height: 372px;" id="cnnVPFlashLargeContainer"> <object height="372" width="574"> <param name="movie" value="http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video"> <param name="allowScriptAccess" value="always"> <embed src="http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video" allowscriptaccess="always" height="372" width="574"></embed> </object> </div> <div id="cnnVPInfoLMy"> <div id="cnnVPInfoLeftCol"> <div style="padding: 8px 10px 0px;" id="cont
  • 21. Lots of people fell for this!
  • 22. The hacker created other sites. • A simple lookup through Maltego reveals that he created similar sites dedicated to sex, breaking news, online gambling.
• 23. Case 2: ASF Exploits
  • ASF is a Microsoft proprietary format for streaming media (.asf, .wma, .wmv).
    – Consists of byte sequences, each identified by a GUID marker.
    – Has a framework for Digital Rights Management to download licenses from URLs.
    – Script commands (such as URLANDEXIT, to download a file from a URL) can be embedded in the stream.
  • Many players support it: Windows Media Player, RealPlayer, MPlayer, Zune, Flip4Mac, QuickTime add-on, Linux FFmpeg, etc.
  • Interestingly, if you rename an ASF file to .AVI, it will still be interpreted as ASF in Windows.
• 24. DRM
  • DRM aims to allow the distributor of audio/video to control how it is used.
  • The client (aka Media Player) can request a license from a license server to play the file. It turns out the request is over HTTP and the license server returns the prompt message shown to the client!
• 25. DRM (cont.)
  • Multiple examples of abuse: WmvDownloader-A, WmvDownloader-B.
  • The malware comes as a DRM license installer and its code is quite obfuscated.
  • It could tell the user to 'install codec', or 'download a legitimate license'.
  • 26. DRM (cont.) • It could tell user to ‘install a missing codec’
  • 27. DRM (cont.) • Or threaten the user to ‘accept license terms’. • Example: http://www.icpp-online.com/
  • 28. URLANDEXIT • Microsoft says that script commands can contain instructions that enhance the playback experience • URLANDEXIT may open your internet browser and display a related web page while the player plays back content.
• 29. URLANDEXIT (cont.)
  • Enter the Win32.ASF-Hijacker.A trojan, which searches for MP2, MP3 and ASF files on the local hard drive and on network shares.
    – Converts MP2 and MP3 to ASF.
    – Then injects a URLANDEXIT command into the media pointing to a site, isvbr.net, hosted in Hong Kong that serves malware.
    – The trojan disables URLANDEXIT functionality on the infected machine, so the user's media plays as before, yet he may share the infected media via P2P with other victims.
  • 30. URLANDEXIT (cont.) • Alternatively, attackers may create their own malware videos and poison search- engine results.
• 31. URLANDEXIT (cont.)
  • Some of these malware torrents have a README.TXT.LNK file that's actually a malware executable, while the video is genuine.
  • Others have a malware video, and a real README.TXT conveniently tells you to either download a codec from a specific URL or install their own fully coded player.
  • 32. Ghost Writer Noir • Viewing a video pops up a window to download codec (Trojan- Dropper.Win32) served from tpbtrack.com, microsoftmedicenter.com
• 33. Case 3: JPEG GDI Exploit
  • Back in 2004, Microsoft announced a problem in their GDI driver that processes how JPEG images are displayed.
  • Surprisingly, many computers are still not patched.
  • There is a similar exploit affecting PNG images in all Gecko-based browsers (Mozilla, Firefox, Camino).
• 34. JPEG GDI (cont.)
  • The JPEG exploit first appeared on several Usenet newsgroups that contained erotic images, images of Angelina Jolie, etc.
  • Upon viewing a JPEG file, a buffer overflow writes shellcode to the user's computer, which allows the attacker to remotely interact with the user's system as if they were sitting at the local console.
  • 35. Exploits are readily available
  • 36. Agenda • Overview • Media Malware Trends • Media Attack Vectors • Case Studies Detection and Protection
  • 37. Detection and Protection • Turn off the unused features
• 38. To disable URLANDEXIT
  • Edit the following registry key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
    - PlayerScriptCommandsEnabled: disabled by default (since 2003)
    - WebScriptCommandsEnabled: default is 1 (enabled)
    - URLAndExitCommandsEnabled: default is 1 (enabled)
  • 39. To disable DRM auto-downloads • In Windows Media Player, disable “Download usage rights automatically”. • Be wary of any popups you consent to.
• 40. To detect GDI JPEG vulnerabilities
  • The GDI Scan tool will scan your HD for gdiplus.dll and other files to see if they are vulnerable.
  • Many (but not all) A/Vs already detect malicious JPEGs.
  • Make sure you are on at least Windows XP SP2.
• 41. Detecting malicious ASF files
  • Usually, malicious music/video files adhere to the same structure:
    – There's a real music/video snippet.
    – Then at some point, a script command is used to trigger the download of malware from the hacker's URL.
    – The command has a predictable byte sequence, which is either URLANDEXIT(…) or <LAINFO>…</LAINFO> for DRM abuse.
    – The rest of the file may be padded to make its length look plausible.
  • [Diagram: Real video | Goto(URL) | Padding | Real video]
  • 42. Detecting malicious ASF files (cont.)
• 43. Our Tool
  • Given a torrent URL, it downloads the torrent pieces sequentially.
  • As it downloads pieces, it uses Boyer-Moore string search for any URLANDEXIT or LAINFO commands and extracts the URL.
  • It then sends a request to the WoT (Web of Trust) server to gauge the URL's reputation.
  • If the URL is trustworthy, or no script commands are present, then the media file is ranked safe.
  • http://code.google.com/p/videosearcher/
• 44. Our Tool (cont.)
  • Sample output:
      root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python#
      Downloading torrent information from http://dl7.torrentreactor.net/download.php?id=3204949
      Opening torrent file...
      Number torrent pieces 700
      -------------------------
      733012295 The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
      Torrent file 0
      Torrent file starts at piece 0
      Torrent file length 10
      -------------------------
      Starting download of The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
      29.71% complete (down: 0.0 kb/s up: 0.0 kB/s peers: 0. ) checking.
      Downloaded pieces 208, Pieces 0 1 2 3 4 5 6 7
      sequential torrent download....
      root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# python video_search.py
      Video searcher v1.0 Copyright Aleksandr Yampolskiy
      Looking for malware in file: VIRUS-VIDEO.AVI
      Positions of ['U', 'x00', 'R', 'x00', 'L', 'x00', 'A', 'x00', 'N', 'x00', 'D', 'x00', 'E', 'x00', 'X', 'x00', 'I', 'x00', 'T', 'x00'] and ['x00', 'x00', 'x00', '6']
      startPos = 1939 endPos = 2017
      ================================================================
      The extracted URL: http://freaktorrents.info/locked/3
      Checking reputation of url: http://freaktorrents.info/locked/3
      (Trustworthiness, Reliability)= [5, 44]
      Reliability is > 20, so I'll proceed
      Trustworthiness is < 60, so this is a bad site!
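As an added example (not the VideoSearch tool's own code), the marker search and ranking rule of slides 41 and 43 in Python: URLANDEXIT is matched as UTF-16LE, as in the output above, LAINFO as ASCII, and the WoT lookup is replaced by a caller-supplied reputation table; the sample file, its URL and the simplified byte layout are constructed for the example.

```python
import re

# Markers the deck describes: URLANDEXIT lives in the ASF script-command object
# as UTF-16LE text; the DRM-abuse variant carries an ASCII <LAINFO> block.
URLANDEXIT_MARKER = "URLANDEXIT".encode("utf-16-le")
LAINFO_OPEN, LAINFO_CLOSE = b"<LAINFO>", b"</LAINFO>"
URL_RE = re.compile(r"https?://[^\s\x00<>\"']+")

def extract_script_urls(data):
    """Return (marker, url) pairs for every embedded script command.
    Uses bytes.find rather than the Boyer-Moore search of the original tool,
    and assumes the URL directly follows the command name (simplified layout)."""
    hits = []
    pos = data.find(URLANDEXIT_MARKER)
    while pos != -1:
        tail = data[pos + len(URLANDEXIT_MARKER):pos + 2048]
        match = URL_RE.search(tail.decode("utf-16-le", errors="ignore"))
        if match:
            hits.append(("URLANDEXIT", match.group(0)))
        pos = data.find(URLANDEXIT_MARKER, pos + len(URLANDEXIT_MARKER))
    pos = data.find(LAINFO_OPEN)
    while pos != -1:
        end = data.find(LAINFO_CLOSE, pos)
        body = data[pos + len(LAINFO_OPEN):end if end != -1 else pos + 2048]
        match = URL_RE.search(body.decode("latin-1"))
        if match:
            hits.append(("LAINFO", match.group(0)))
        pos = data.find(LAINFO_OPEN, pos + len(LAINFO_OPEN))
    return hits

def rank_media(data, reputation):
    """Slide 43's rule: safe if no script commands, or every URL is trustworthy.
    `reputation` maps url -> (trustworthiness, reliability) and stands in for
    the WoT lookup; unknown URLs get (0, 0) so they are never ranked safe."""
    urls = [url for _, url in extract_script_urls(data)]
    for url in urls:
        trust, reliability = reputation.get(url, (0, 0))
        if reliability <= 20 or trust < 60:   # too little data, or a bad site
            return "suspicious", urls
    return "safe", urls

def build_sample():
    """Constructed stand-in for an infected file: fake 'video' bytes, a script
    command, zero padding, then more 'video'. Not a real ASF object layout."""
    video = bytes(range(256)) * 4
    cmd = URLANDEXIT_MARKER + "http://malware.example/locked/3".encode("utf-16-le") + b"\x00\x00"
    return video + cmd + b"\x00" * 512 + video

if __name__ == "__main__":
    print(rank_media(build_sample(), {"http://malware.example/locked/3": (5, 44)}))
```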
• 45. Entropy of Malicious ASF Files
  • An additional way of distinguishing malware ASF files would be to compute their entropy.
  • Often the padding is totally random or a repetitive fixed string.
  • Script commands also change the entropy of the video stream [trustedsource.com].
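An added example, not from the original deck, of the entropy check: Shannon entropy per fixed-size window over a constructed stand-in file, where the UTF-16LE script command and the fixed-string padding fall far below the near-8-bit entropy of compressed video. The window size, threshold, sample URL and pseudo-random "video" bytes are assumptions of the example.

```python
import math
import random
from collections import Counter

def shannon_entropy(chunk):
    """Shannon entropy of a byte block in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def entropy_profile(data, window=256):
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def find_low_entropy_windows(data, window=256, threshold=5.5):
    """Indices of windows far below the entropy of compressed video.
    Repeated fixed-string padding and UTF-16LE script text both land well
    under the threshold; truly random padding does not and needs the marker scan."""
    return [i for i, h in enumerate(entropy_profile(data, window)) if h < threshold]

def build_sample():
    """Constructed stand-in for an infected ASF (not a real ASF layout):
    compressed video is modelled as seeded pseudo-random bytes."""
    rng = random.Random(1)
    video = bytes(rng.getrandbits(8) for _ in range(1024))        # windows 0-3
    cmd = "URLANDEXIT".encode("utf-16-le") + "http://malware.example/locked/3".encode("utf-16-le")
    script = cmd.ljust(256, b"\x00")                               # window 4
    padding = b"PADDING!" * 64                                     # windows 5-6
    return video + script + padding + video                        # windows 7-10

if __name__ == "__main__":
    for idx, h in enumerate(entropy_profile(build_sample())):
        print(f"window {idx:2d}: {h:.2f} bits/byte")
    print("low-entropy windows:", find_low_entropy_windows(build_sample()))
```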
• 46. Conclusion
  • Staying away from shady or illegal websites won't necessarily keep you safe these days.
  • The 'missing codec' trick remains one of the most widespread and successful social-engineering tricks.
  • Disable Windows Media Player's URLANDEXIT command and DRM auto-download behavior.
  • Use our VideoSearch Tool to look for malicious scripts inside ASF files.