Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Malware goes to the movies


Published on

My talk at DeepSec about malicious images, music, and video files and what to do about them.

  • Be the first to comment

Malware goes to the movies

  1. 1. Malware Goes to the Movies Aleksandr Yampolskiy, Ph.D. Director of Security and Compliance Gilt Groupe
  2. 2. Agenda Overview • Media Malware Trends • Media Attack Vectors • Case Studies • Detection and Protection
  3. 3. Why Use Media to Spread Malware? • Media is everywhere. - Internet users in the U.S. alone viewed 14.3 billion videos in December (CNN, 2/6/09). - At least 7 million people in Britain use illegal music downloads (Guardian, 5/29/09). - There are 5.6 million Angelina Jolie images on Google. • How many of these are malicious?
  4. 4. Most People Don’t Know Media Can Spread Viruses 98% 10% 50% 0% • We’ve polled 500 IT professionals which of these sites could be malicious? • Roughly 50% of them thought Youtube movies on a friend’s blog are perfectly safe. • What percent of average consumers would think it’s safe?
  5. 5. Agenda • Overview Media Malware Trends • Media Attack Vectors • Case Studies • Detection and Protection
  6. 6. Media Malware Trends • Interestingly, attacks are often not targeted. • Social engineering and blackhat SEO - used to entice victim to view the content. • Rough malware breakdown: 50% videos, 30% music, 20% images. • Commonly spread through social websites, news-site imitations, P2P sites.
  7. 7. Distribution Channels • Malware distributed through social networking sites (Facebook, myspace, odnoklasniki, etc.) has a 10% success rate in terms of infection versus 1% success rate via email. Total number of malicious programs targeting social networking sites
  8. 8. Breaking News Videos • During Q1 2010, hackers took advantage of every major newsworthy event to lure visitors into infected sites. E.g., Erin Andrews tape, release of Ipad, Avatar blockbuster, earthquake in Haiti, terrorist bombings in Moscow [Kaspersky Report] • Out of 100 million blog posts, eSOFT team uncovered 700,000 malicious fake YouTube pages (0.7%). [SC Magazine US, 6/09/10]
  9. 9. P2P Video/Audio Files • Using a custom tool, analyzed all torrent videos of Ghost Writer (2010) movie found through Isohunt. • Before the DVD release, only 10 of 570 videos (1.75%) didn’t contain malware. • After the DVD release, 450 of 681 (66%) were clean.
  10. 10. Image Files • Malformed image attacks accounted for 10% of web attacks in 2009. – Often images were hosted on legitimate sites, but MIME types are forged or PHP nestled in text comment fields of legitimate GIF or JPG images. [ScanSafe 2009 report] – JPEG GDI buffer overflow vulnerabilities Malicious image files
  11. 11. Agenda • Overview • Media Malware Trends Media Attack Vectors • Case Studies • Detection and Protection
  12. 12. Attack Vectors URLANDEXIT command DRM functionality abuse Renaming tricks Movie.avi.exe Hiding PHP commands in comments JPEG GDI overflow Renaming tricks angelina.jpg.exe Flash getURL commands Various Adobe vulnerabilities MS Video/Music Hiding PHP commands in comments JPEG GDI overflow Images “Youtube” Videos
  13. 13. Attack Vectors (cont.) • For video/music files, social engineering is used to trick user into accepting to – ‘download codec’ to play video. – ‘clicking yes in popup on license terms’ or ‘download license key’. • For images, often no user interaction is needed. • For online Flash videos – Consent to ‘downloading codec’
  14. 14. Agenda • Overview • Media Malware Trends • Media Attack Vectors Case Studies • Detection and Protection
  15. 15. Case 1: Fake Youtube videos • Youtube uses Adobe Flash plug-in. • Flash has the worst security record in 2009. – Multiple critical vulnerabilities via malicious SWFs (APSB08-11) – Supports script commands getURL(), navigateToURL() to load documents from specific URLs. • Youtube is severely restricted (up-to-date patches, disabled script commands) so it’s “safe”. • Can we say the same about a random blog? • Can a good web designer make a blog video look very much like a Youtube video?
  16. 16. Fake Youtube Videos (cont.) • Actually, you don’t even need to be a good web designer. • YTFakeCreator allows you to create fake Youtube look-alikes, and attach malicious payloads. • Typically, a user is prompted to download a ‘codec’ (which is really a malware stub).
  17. 17. Fake Youtube videos (cont.)
  18. 18. Koobface Virus • Many of these viruses spread through social sites.
  19. 19. Fake Youtube videos (cont.) • A concrete example: Erin Andrews is an ESPN sportscaster, who was secretly videotaped through hotel peephole in July 09. • Shortly thereafter, a site hosting the tape appeared. LIVE VIDEO PLAYER BLOCKED Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below. click
  20. 20. Fake Youtube videos (cont.) • Most of the site is embedded through IFRAMES from CNN (aka clickjacking) but the malware is served from • The malware has two novel ideas. After clicking on the link: – The video actually plays to alleviate suspicions – Different malware is served for different OS (MACs get infected with OSX/Jahlav-C trojan. Windows get infected with a rogue antivirus Mal/EncPK-IF or Mal/FakeAV-AY). •!-- LARGE PLAYER HTML CODE --> <div id="cnnVPFlashLarge" style="position: relative;"> <div style="border-style: solid; border-color: rgb(230, 230, 230); border-width: 1px 1px 0px; width: 574px; height: 372px;" id="cnnVPFlashLargeContainer"> <object height="372" width="574"> <param name="movie" value=" Andrews Peephole Video"> <param name="allowScriptAccess" value="always"> <embed src=" Andrews Peephole Video" allowscriptaccess="always" height="372" width="574"></embed> </object> </div> <div id="cnnVPInfoLMy"> <div id="cnnVPInfoLeftCol"> <div style="padding: 8px 10px 0px;" id="cont
  21. 21. Lots of people fell for this!
  22. 22. The hacker created other sites. • A simple lookup through Maltego reveals that he created similar sites dedicated to sex, breaking news, online gambling.
  23. 23. Case 2: ASF Exploits • ASF is a Microsoft proprietary format for streaming media (.asf, .wma, .wmv) – Consists of byte sequences, identified by a GUID marker. – Has a framework for Digital Rights Management to download licenses from URLs. – Script commands (such as URLANDEXIT to download file from URL) can be embedded in the stream. • Many players support it: Windows Media Player, RealPlayer, MPlayer, Zune, Flip4Mac, Quicktime add-on, Linux FFmpeg, etc. • Interestingly, if you rename an ASF file to .AVI, it will still be interpreted as ASF in Windows.
  24. 24. DRM • DRM aims to allow distributor of audio/video to control how it’s used. • Client (aka Media Player) can request license from license server to play the file. Turns out request is over HTTP and License Server returns the prompt message to the client!!
  25. 25. DRM (cont.) • Multiple examples of abuse WmvDownloader-A, WmvDownloader-B • The malware comes as a DRM license installer and its code is quite obfuscated. • It could tell user to ‘install codec’, or ‘download a legitimate license’.
  26. 26. DRM (cont.) • It could tell user to ‘install a missing codec’
  27. 27. DRM (cont.) • Or threaten the user to ‘accept license terms’. • Example:
  28. 28. URLANDEXIT • Microsoft says that script commands can contain instructions that enhance the playback experience • URLANDEXIT may open your internet browser and display a related web page while the player plays back content.
  29. 29. URLANDEXIT (cont.) • Enter Win32.ASF-Hijacker.A trojan that searches for MP2, MP3 and ASF files on local HD and shares – Converts MP2 and MP3 to ASF. – Then injects URLANDEXIT command into media to a site hosted in Hong Kong that serves malware. – The trojan disables URLANDEXIT functionality, so user’s media will play as before, yet he may share infected media via P2P with other victims
  30. 30. URLANDEXIT (cont.) • Alternatively, attackers may create their own malware videos and poison search- engine results.
  31. 31. URLANDEXIT (cont.) • Some of these malware torrents have a README.TXT.LNK file that’s actually a malware executable, while the video is genuine. • Others’ have a malware video, and a real README.TXT conveniently tells you to either download a codec from specific URL or install their own fully coded player.
  32. 32. Ghost Writer Noir • Viewing a video pops up a window to download codec (Trojan- Dropper.Win32) served from,
  33. 33. Case 3: JPEG GDI Exploit • Back in 2004, Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. • Surpisingly, many computers still not patched. • There is a similar exploit affecting PNG images in all Gecko-based browsers (Mozilla, Firefox, Camino)
  34. 34. JPEG GDI (cont.) • JPEG exploit first appeared on several Usenet newsgroups that contained erotic images, images of Angelina Jolie, etc. • Upon viewing a JPEG file, a buffer overflow writes a shell code to user’s computer which allows attacker to remotely interact with user’s system as if they were sitting at local console.
  35. 35. Exploits are readily available
  36. 36. Agenda • Overview • Media Malware Trends • Media Attack Vectors • Case Studies Detection and Protection
  37. 37. Detection and Protection • Turn off the unused features
  38. 38. To disable URLANDEXIT • Edit the following registry key HKEY_CURRENT_USERSoftwareMicrosoftMedia PlayerPreference - PlayerScriptCommandsEnabled: - disabled as default (since 2003) - WebScriptCommandsEnabled: - default is 1 (enabled) - URLAndExitCommandsEnabled: - default is 1 (enabled)
  39. 39. To disable DRM auto-downloads • In Windows Media Player, disable “Download usage rights automatically”. • Be wary of any popups you consent to.
  40. 40. To detect GDI JPEG vulnerabilities • GDI Scan tool will scan your HD for gdiplus.dll and other files to see if they are vulnerable. • Many (but not all) A/Vs already detect malicious JPEGs. • Make sure you are up to Service Pack XP SP2.
  41. 41. Detecting malicious ASF files • Usually, malicious music/video files will adhere to same structure. – There’s a real music/video snippet. – Then at some point, a script command is used to trigger download of malware from hacker’s URL. – The command has a predictable byte sequence, which is either URLANDEXIT(…) or <LAINFO>… </LAINFO> for DRM abuse. – The rest of the file may be padded to make its length look plausible. Real video Goto(URL) Padding Real video
  42. 42. Detecting malicious ASF files (cont.)
  43. 43. Our Tool • Given a torrent URL, it downloads the torrent pieces sequentially. • As it downloads pieces, uses Boyer-Moore string search for any URLANDEXIT OR LAINFO commands and extracts the URL. • It then sends a request to WoT (web of trust) server to gauge URL’s reputation. • If URL is trustworthy, or no script commands present then media file is ranked safe. •
  44. 44. Our Tool (cont.) • Sample output root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# Downloading torrent information from Opening torrent file... Number torrent pieces 700 ------------------------- 733012295 The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi Torrent file 0 Torrent file starts at piece 0 Torrent file length 10 ------------------------- Starting download of The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi 29.71% complete (down: 0.0 kb/s up: 0.0 kB/s peers: 0. ) checking. Downloaded pieces 208, Pieces 0 1 2 3 4 5 6 7 sequential torrent download.... root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# python Video searcher v1.0 Copyright Aleksandr Yampolskiy Looking for malware in file: VIRUS-VIDEO.AVI Positions of ['U', 'x00', 'R', 'x00', 'L', 'x00', 'A', 'x00', 'N', 'x00', 'D', 'x00', 'E', 'x00', 'X', 'x00', 'I', 'x00', 'T', 'x00'] and ['x00', 'x00', 'x00', '6'] startPos = 1939 endPos = 2017 ================================================================ The extracted URL: Checking reputation of url: (Trustworthiness, Reliability)= [5, 44] Reliability is > 20, so I'll proceed Trustworthiness is < 60, so this is a bad site!
  45. 45. Entropy of Malicious ASF Files • Additional way of distinguishing malware ASF files, would be by computing their entropy. • Often padding is totally random or repetitive fixed string. • Also script commands change entropy of video stream []
  46. 46. Conclusion • Staying away from shady or illegal websites won’t necessarily keep you safe these days • ‘Missing codec’ trick remains one of the most widespread and successful social-engineering tricks. • Disable Windows Media Player’s URLANDEXIT command and DRM auto-download behavior. • Use our VideoSearch Tool to look for malicious scripts inside ASF files.
  47. 47. Any Questions?