Malware Goes to the Movies - Briefing



  1. Malware Goes to the Movies
     Aleksandr Yampolskiy, Ph.D. Web: Twitter: @ayampolskiy

  2. Most People Don't Know Media Can Spread Viruses
     [Chart: poll results 98% / 10% / 50% / 0%]
     - We polled 500 IT professionals on which of these sites could be malicious.
     - Roughly 50% of them thought YouTube movies on a friend's blog are perfectly safe.
     - What percentage of average consumers would think it's safe?

  3. Media Malware Trends
     - Attacks are usually not targeted.
     - Social engineering and blackhat SEO are used to entice the victim to view the content.
     - Rough malware breakdown: 50% videos, 30% music, 20% images.
     - It is commonly spread through social websites, news-site imitations and P2P sites.

  4. Attack Vectors
     - MS video/music: URLANDEXIT command; DRM functionality abuse; renaming tricks (Movie.avi.exe).
     - Images: hiding PHP commands in comments; JPEG GDI overflow; renaming tricks (angelina.jpg.exe).
     - "YouTube" videos: Flash getURL commands; various Adobe vulnerabilities.

  5. Attack Vectors (cont.)
     - For video/music files, social engineering is used to trick the user into accepting to
       - 'download a codec' to play the video.
       - 'click yes in a popup on license terms' or 'download a license key'.
     - For images, often no user interaction is needed.
     - For online Flash videos:
       - consent to 'downloading a codec'.

  6. Distribution Channels
     - Malware distributed through social networking sites (Facebook, MySpace, Odnoklassniki, etc.) has a 10% infection success rate, versus a 1% success rate via email.
     [Chart: Total number of malicious programs targeting social networking sites]
  7. Breaking News Videos
     - During Q1 2010, hackers took advantage of every major newsworthy event to lure visitors to infected sites, e.g. the Erin Andrews tape, the release of the iPad, the Avatar blockbuster, the earthquake in Haiti, the terrorist bombings in Moscow. [Kaspersky Report]
     - Out of 100 million blog posts, the eSoft team uncovered 700,000 malicious fake YouTube pages (0.7%). [SC Magazine US, 6/09/10]

  8. P2P Video/Audio Files
     - Using a custom tool, we analyzed all torrent videos of the Ghost Writer (2010) movie found through Isohunt.
     - Before the DVD release, only 10 of 570 videos (1.75%) did not contain malware.
     - After the DVD release, 450 of 681 (66%) were clean.

  9. Image Files
     - Malformed image attacks accounted for 10% of web attacks in 2009.
       - Often the images were hosted on legitimate sites, but with forged MIME types, or with PHP nestled in the text comment fields of legitimate GIF or JPG images. [ScanSafe 2009 report]
       - JPEG GDI buffer overflow vulnerabilities.
     [Chart: Malicious image files]

  10. Case 1: Fake YouTube Videos
     - YouTube uses Adobe Flash.
       - Multiple critical vulnerabilities via malicious SWFs (APSB08-11).
       - Supports the script commands getURL() and navigateToURL() to load documents from specific URLs.
     - YouTube is severely restricted, so it's "safe".
     - Can we say the same about a random blog?
     - Can a good web designer make a blog video look very much like a YouTube video?

  11. Case 1: Fake YouTube Videos
     - YTFakeCreator allows you to create fake YouTube look-alikes and attach malicious payloads.
     - Typically, the user is prompted to download a 'codec' (which is really a malware stub).

  12. Fake YouTube Videos (cont.)
     - The malware has two novel ideas. After clicking on the link:
       - the video actually plays, to alleviate suspicion;
       - different malware is served for different OSes (Macs get infected with the OSX/Jahlav-C trojan; Windows gets infected with a rogue antivirus, Mal/EncPK-IF or Mal/FakeAV-AY).
  13. Case 2: ASF Exploits
     - ASF is a Microsoft proprietary format for streaming media (.asf, .wma, .wmv).
       - It has a framework for Digital Rights Management to download licenses.
       - Script commands (such as URLANDEXIT, to download a file from a URL) can be embedded in the stream to "enhance the user's experience".
     - Many players support it: Windows Media Player, RealPlayer, MPlayer, Zune, Flip4Mac, QuickTime add-on, Linux FFmpeg, etc.

  14. DRM Abuse
     - DRM allows specifying the URL of a license server from which to download content.
     - Malware could tell the user to 'install a missing codec'.

  15. DRM Abuse
     - Or threaten the user into 'accepting license terms'.
     - Example: /

  16. URLANDEXIT
     - URLANDEXIT may open your internet browser and display content.
     - Attackers may create their own malware videos and poison search-engine results.

  17. URLANDEXIT (cont.)
     - Enter the Win32.ASF-Hijacker.A trojan, which searches for MP2, MP3 and ASF files on the local hard drive and on shares.
       - It converts MP2 and MP3 files to ASF.
       - It then injects a URLANDEXIT command into the media, pointing to a site hosted in Hong Kong that serves malware.
       - The trojan disables URLANDEXIT functionality, so the user's media plays as before, yet he may share the infected media via P2P with other victims.

  18. Case 3: JPEG GDI Exploit
     - In 2004, Microsoft announced a problem in their GDI driver.
     - Upon viewing a specially crafted JPEG file, a buffer overflow writes shellcode to the user's computer, which allows the attacker to remotely interact with the user's system as if they were sitting at the local console.
     - There is a similar exploit affecting PNG images in all Gecko-based browsers (Mozilla, Firefox, Camino).

  19. Detection and Protection
     - Turn off the unused features.

  20. Adjust Default Settings
     - To disable URLANDEXIT, set PlayerScriptCommandsEnabled and WebScriptCommandsEnabled to 0 under HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preference.
     - In Windows Media Player, disable "Download usage rights automatically".
     - The GDI Scan tool will scan your hard drive for gdiplus.dll and other files to see if they are vulnerable.
     - Make sure you are up to Windows XP Service Pack 2 (SP2).
  21. Detecting Malicious ASF Files
     - Usually, malicious music and video files will have the same structure:
     - a real video snippet, followed by a script command (URLANDEXIT or LAINFO) to download malware, followed by padding.
     [Diagram: Real video | Goto(URL) | Padding | Real video]

  22. VideoSearch Tool
     - Given a torrent URL, it downloads the torrent pieces sequentially.
     - As it downloads pieces, it uses Boyer-Moore string search for any URLANDEXIT or LAINFO commands and extracts the URL.
     - It then sends a request to the WoT (Web of Trust) server to gauge the URL's reputation.
     - If the URL is trustworthy, or no script commands are present, then the media file is ranked safe.
     - http:// /
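As an added example (not the VideoSearch tool's own code), the detection heuristic from slides 21 and 22 run over a constructed byte stream: a Boyer-Moore-Horspool search for URLANDEXIT/LAINFO in both UTF-16LE (how ASF stores script-command strings) and plain ASCII, extraction of the URL that follows, and a local trusted-host set standing in for the WoT reputation lookup. The sample bytes, the host name and the function names are assumptions.

```python
import re
from urllib.parse import urlparse

COMMANDS = ("URLANDEXIT", "LAINFO")
URL_RE = re.compile(r"https?://[^\s\x00\"'<>]+")

def bmh_find_all(haystack: bytes, needle: bytes) -> list:
    """Boyer-Moore-Horspool search; returns every offset where needle occurs."""
    n, m = len(haystack), len(needle)
    if m == 0 or n < m:
        return []
    # Bad-character shift table built from all but the last needle byte.
    skip = {b: m - 1 - i for i, b in enumerate(needle[:-1])}
    hits, i = [], 0
    while i <= n - m:
        if haystack[i:i + m] == needle:
            hits.append(i)
        i += skip.get(haystack[i + m - 1], m)
    return hits

def find_script_commands(data: bytes) -> list:
    """One record per command hit: command, offset, encoding and the URL (or None)."""
    findings = []
    for cmd in COMMANDS:
        # ASF stores script-command strings as UTF-16LE; ASCII covers sloppier tooling.
        for enc in ("utf-16-le", "ascii"):
            for off in bmh_find_all(data, cmd.encode(enc)):
                # Decode starting at the hit so UTF-16 alignment matches the command.
                tail = data[off:off + 2048].decode(enc, errors="ignore")
                m = URL_RE.search(tail)
                findings.append({"command": cmd, "offset": off, "encoding": enc,
                                 "url": m.group(0) if m else None})
    return findings

def rank_media(data: bytes, trusted_hosts: set) -> str:
    """Slide-22 rule: no script commands, or only trusted hosts, means 'safe'.
    trusted_hosts is a local stand-in (assumption) for the WoT reputation query."""
    hits = find_script_commands(data)
    if not hits:
        return "safe"
    hosts = {urlparse(h["url"]).hostname for h in hits if h["url"]}
    return "safe" if hosts and hosts <= trusted_hosts else "suspicious"

# Constructed sample (not a real capture): ASF header GUID, fake frames, a UTF-16LE
# URLANDEXIT command with its URL, zero padding, then more "video" (slide-21 layout).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
SAMPLE = (ASF_HEADER_GUID + b"FAKE-VIDEO-FRAMES" * 3
          + "URLANDEXIT".encode("utf-16-le") + b"\x00\x00"
          + "http://malware.example/codec.exe".encode("utf-16-le") + b"\x00\x00"
          + b"\x00" * 64 + b"MORE-VIDEO-FRAMES")
```

Searching both encodings matters because a plain ASCII grep for URLANDEXIT misses the null-interleaved form an ASF Script Command Object actually carries.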
  23. Conclusion
     - Staying away from shady or illegal websites won't necessarily keep you safe these days.
     - The 'missing codec' trick remains one of the most widespread and successful social-engineering tricks.
     - Disable Windows Media Player's URLANDEXIT command and DRM auto-download behavior.
     - Use our VideoSearch Tool to look for malicious scripts inside ASF files.