
Media Malware - A Look Inside

07.30.2008 - 5:35 PM

A piece of malware has been discovered that modifies a user's music files so that playing them triggers a further infection. The modified files also spread the infection if they are shared with others. The malware searches the user's drive for music files and injects a malicious URL into each one, which is loaded when the file is played. Script commands are a feature of the ASF container, so files in other formats are first converted to Windows Media (ASF) format before the injection. The injection is done with the AddScript method of the Windows Media Format SDK (IWMHeaderInfo::AddScript), which adds a script command to the file's header: the command type used here is URLANDEXIT, and the command string is the URL, which the player opens when playback reaches the command's time. A quick analysis of how this works and a look at the malicious file can be seen in the video below:

[Video: walkthrough of the infection. A higher-resolution version (.mov) was linked from the original post.]
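To check a music library for files modified this way, the following is an added example (not code from the post, and not the malware's own code) that parses the ASF Header Object, which is where the Windows Media Format SDK's AddScript call stores script commands, and lists every command whose type makes the player open a URL. It assumes the Script Command Object layout from the ASF specification; the two builder functions only construct sample input standing in for what AddScript produces, and the URL and file contents are constructed placeholders rather than anything from the post.

```python
import struct
import sys
import uuid

# Object GUIDs from the ASF specification; on disk they are stored little-endian.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
ASF_SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6").bytes_le

# Script command types that make the player open a URL during playback.
URL_COMMAND_TYPES = {"URL", "URLANDEXIT"}

def _wstr(text):
    """WORD length in UTF-16 code units, then the UTF-16LE text (ASF string layout)."""
    data = text.encode("utf-16-le")
    return struct.pack("<H", len(data) // 2) + data

def build_script_command_object(commands):
    """Serialize a Script Command Object from [(time_ms, type, command)].
    Stand-in for what IWMHeaderInfo::AddScript writes; used only to build sample input."""
    types = []
    for _, ctype, _ in commands:
        if ctype not in types:
            types.append(ctype)
    body = ASF_SCRIPT_COMMAND_RESERVED + struct.pack("<HH", len(commands), len(types))
    body += b"".join(_wstr(t) for t in types)
    for time_ms, ctype, cmd in commands:
        body += struct.pack("<IH", time_ms, types.index(ctype)) + _wstr(cmd)
    return ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body

def build_asf_header(objects):
    """Minimal ASF Header Object around the given header objects (no Data Object)."""
    payload = b"".join(objects)
    size = 30 + len(payload)  # GUID 16 + size 8 + object count 4 + two reserved bytes
    return ASF_HEADER_OBJECT + struct.pack("<QI", size, len(objects)) + b"\x01\x02" + payload

def _parse_script_body(body):
    """Decode the fields that follow the Script Command Object's 24-byte object header."""
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)  # 16 reserved bytes come first
    pos = 20

    def read_wstr():
        nonlocal pos
        (n,) = struct.unpack_from("<H", body, pos)
        text = body[pos + 2:pos + 2 + 2 * n].decode("utf-16-le", "replace")
        pos += 2 + 2 * n
        return text

    types = [read_wstr() for _ in range(n_types)]
    out = []
    for _ in range(n_cmds):
        time_ms, idx = struct.unpack_from("<IH", body, pos)
        pos += 6
        cmd = read_wstr()
        out.append((time_ms, types[idx] if idx < len(types) else "?", cmd))
    return out

def parse_script_commands(data):
    """Return every (time_ms, type, command) found in the file's Header Object, else []."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        return []  # not ASF: an MP3, for instance, has no header that can carry script commands
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos, found = 30, []
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = data[pos:pos + 16]
        (obj_size,) = struct.unpack_from("<Q", data, pos + 16)
        if obj_size < 24 or pos + obj_size > end:
            break  # malformed size: stop rather than read past the header
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            try:
                found.extend(_parse_script_body(data[pos + 24:pos + obj_size]))
            except struct.error:
                pass  # truncated object; keep whatever the rest of the header holds
        pos += obj_size  # other objects (file/stream properties, ...) are skipped by size
    return found

def url_script_commands(data):
    """The commands a scanner should flag: those that open a URL on playback."""
    return [c for c in parse_script_commands(data) if c[1] in URL_COMMAND_TYPES]

def read_asf_header(path):
    """Read only the Header Object; the Data Object holding the audio can be large."""
    with open(path, "rb") as f:
        head = f.read(30)
        if len(head) < 30 or head[:16] != ASF_HEADER_OBJECT:
            return b""
        (size,) = struct.unpack_from("<Q", head, 16)
        return head + f.read(max(0, min(size, 1 << 24) - 30))  # cap a bogus size at 16 MiB

# Constructed sample: one URLANDEXIT command at 0 ms, the shape an AddScript call with
# that type leaves behind. The URL is a placeholder, not one taken from the post.
SAMPLE_FILE = build_asf_header([
    build_script_command_object([(0, "URLANDEXIT", "http://example.invalid/codec")]),
])
CLEAN_FILE = build_asf_header([])

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("sample:", url_script_commands(SAMPLE_FILE))
    for path in sys.argv[1:]:  # e.g. every *.wma under a music folder
        for time_ms, ctype, cmd in url_script_commands(read_asf_header(path)):
            print(f"{path}: {ctype} at {time_ms} ms -> {cmd}")
```

Run it over the .wma files in a library and anything it prints deserves a look; a clean rip has no reason to open a web page mid-track. Files are identified by the ASF header GUID rather than by extension, since only an ASF container can hold a script command, which is also why the malware has to convert other formats before injecting.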

Now that we have stepped through how the infection works and have verified that some files have been injected, all we have to do is play one of the files to see the attack in action. When playback reaches the URLANDEXIT command, the player opens the embedded URL, and, as seen in the re-created picture below, the user is prompted to download and run a malicious file that is advertised as a codec:

[Image: re-created screenshot of the fake codec download prompt shown during playback.]

Users have probably seen such messages before, when they really were missing a video codec, so it is likely they will think nothing of it and click Run, thereby infecting themselves with additional malware. The prompt is not a playback error, though: the file already plays, and the download is triggered only by the script command embedded in its header.
