Risk

7/10/2008
09:05 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Trojan Attacks Multimedia Files Stored on Hard Drives

Infected audio and video files show no signs of malware, but are lethal when shared with other users

A particularly aggressive Trojan is on the loose that infects multimedia files stored on a user’s hard drive.

“We’ve not seen such a sophisticated Trojan infecting multimedia files before,” says Christoph Alme, lead for the anti-malware team at Secure Computing, which has been studying the Trojan. “We’ve been seeing infected multimedia files for about a month now and [had been] wondering where they came from.”

Like many malware infections, it starts with a visit to a sketchy site -- in this case, a Warez site, where the user downloads what he thinks is a serial key for a copy-protected software package, for example, but instead gets the Trojan that automatically infests all of his multimedia files. When he shares one of those music or video files with another user via a peer-to-peer network, the recipient in turn gets infected by a fake codec: no Warez visit required.

“They lead you to a page under their control when you play back the file, and it has a pop-up telling you that you need to download the ‘codec’ to play the video or audio file,” Alme explains. That "codec" is actually the malware.

The Trojan basically uses legitimate multimedia functions -- no vulnerabilities you can patch -- to do its dirty work. It preys on the Advanced Systems Format (ASF) file feature in MP3 and Windows Media Audio (WMA) music files as well as Windows Media Video (WMV) files, for instance. ASF lets you embed script commands in these file. “The attackers use that to inject their commands into all of your multimedia files,” Alme says.

It also converts MP2 and MP3 files into WMA format so it can infect them as well. “If you have a big MP3 collection, it will be completely converted to WME and WMA and you don’t even notice that on your own system,” he says.

And when the user plays any of the infected files from his hard drive, there’s no indication of the infection.

Secure Computing’s Alme says the Trojan’s main purpose appears to be to spread a password stealer to get user names and passwords.

Meanwhile, Alme says the initial Trojan infection itself isn’t nearly as prevalent as the volume of downstream infected multimedia files. “That’s clearly due to P2P spreading it,” he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Secure Computing Corp. (Nasdaq: SCUR)

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
    Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
    Yahoo Class-Action Suits Set for Settlement
    Dark Reading Staff 9/17/2018
    RDP Ports Prove Hot Commodities on the Dark Web
    Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: In Russia, application hangs YOU!
    Current Issue
    Flash Poll
    How Data Breaches Affect the Enterprise
    How Data Breaches Affect the Enterprise
    This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2018-16958
    PUBLISHED: 2018-09-18
    An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is...
    CVE-2018-16959
    PUBLISHED: 2018-09-18
    An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is ...
    CVE-2018-16952
    PUBLISHED: 2018-09-18
    The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password).
    CVE-2018-16953
    PUBLISHED: 2018-09-18
    The AjaxView::DisplayResponse() function of the portalpages.dll assembly in Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). User input from the name parameter is unsafely reflected in the server response.
    CVE-2018-16954
    PUBLISHED: 2018-09-18
    An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login.