Tuesday, March 8, 2011

Films De Mario Salieri Streaming


If you thought malware could only hide inside executables, you were wrong. We present a complete analysis of a "fake MP3" which, when opened ... Many security experts are aware of the many methods used by crackers and virus writers to infect and take control of a computer. These range from a simple .exe file, browser exploits and a misconfigured firewall up to refined social engineering techniques. Few, however, are aware of a newer technique: abusing Digital Rights Management (DRM) to craft an MP3 that, when opened, starts downloading hostile code under the pretext of fetching some codec. This article analyzes TrojanClicker:ASX/Wimad.gen!H, found on the net.

Infection

The file appears to be a regular MP3. Windows Media Player, when trying to open it, warns that the .mp3 extension does not match the actual file format.

This should make even the less astute user suspicious.
Wishing to continue the analysis of the malware, we click through and continue.
In our test we are not even warned about a missing codec: Windows Media Player simply asks us where to save the file it wants to download.


We save the file, mp3_codec_update.exe, and submit it to VirusTotal and ThreatExpert, which identify a malicious toolbar that is only relatively dangerous and is flagged by only 4 antivirus engines.
We are also shown the following video:

We continue analyzing the file.



File structure

An early analysis of the file with VirusTotal indicates that this is not an audio file but an ASF file renamed to .mp3. So when the file is played in Windows Media Player, the program recognizes an ASF file containing a WMA track and a WMV track, modified to download a file.
This is possible because the software reads the file header to decide how to handle the document. This explains the presence of an MP3 track, used only as a pretense and sham.
Confirmation came from analyzing the file with the free and excellent GSpot. The first box (Container) is the one that draws most of our attention:

It confirms our initial assumptions: this is an ASF file (video/x-ms-asf) which, as GSpot also reminds us, can contain a variety of formats including Windows Media Audio (WMA) and Windows Media Video (WMV).

Also in GSpot, the User Data / Metadata box shows that the audio track is encoded with WMA v2 and the video track with WMV v9. Note that the codec status is, of course, undetermined.

Analysis of the MP3 file with a hex editor

Determined to find more information about this file, we open it with HxD, a great hex editor that lets you view individual bytes (and their ASCII representation). These are the most relevant screenshots, with the significant parts boxed.
The first 16 bytes of the file, 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C, are the signature that identifies (as a further confirmation) *.ASF files ( http://www.garykessler.net/library/file_sigs.html )
The file was created with Windows Movie Maker (offset 506 - 80F)
The file contains both an audio track (8A5 - 8CC) and a video track (92F - 956)
B39).

With this last analysis of the file, all doubts have been cleared up.
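
The signature check described above can be automated. The following Python sketch is an added example, not code from the original article: it flags a file whose first 16 bytes are the ASF signature but whose extension is not an ASF one, then walks the header objects and reports DRM objects. The function names, the DRM object GUIDs (taken from the ASF specification, not from the article) and the constructed sample are assumptions of this example.

```python
import struct
import uuid

# ASF Header Object GUID; on disk it is the 16-byte signature quoted above.
ASF_HEADER = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
# DRM-related header objects (GUIDs from the ASF specification, not the article).
DRM_OBJECTS = {
    uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E"): "Content Encryption",
    uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C"): "Extended Content Encryption",
}
ASF_EXTENSIONS = {".asf", ".wma", ".wmv"}


def inspect_media(filename, data):
    """Return a list of findings for a media file given its name and bytes."""
    findings = []
    if not data.startswith(ASF_HEADER) or len(data) < 30:
        return findings
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ASF_EXTENSIONS:
        findings.append(f"extension {ext or '(none)'} hides an ASF container")
    # Header Object: GUID(16) + size(8) + object count(4) + 2 reserved bytes.
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30
    for _ in range(count):
        if pos + 24 > end:
            findings.append("truncated header object list")
            break
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])  # GUIDs are mixed-endian
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            findings.append("malformed header object size")
            break
        if guid in DRM_OBJECTS:
            findings.append(f"DRM object present: {DRM_OBJECTS[guid]}")
        pos += size
    return findings


def build_sample(guids):
    """Constructed sample: an ASF header holding empty objects with these GUIDs."""
    body = b"".join(g.bytes_le + struct.pack("<Q", 24) for g in guids)
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(body), len(guids), 1, 2) + body


if __name__ == "__main__":
    for line in inspect_media("song.mp3", build_sample(list(DRM_OBJECTS))):
        print(line)
```

A finding on a file with an .mp3 extension is a reason to quarantine it before any player opens it; a DRM object on its own is also present in legitimately protected media.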

Alternative players

We performed several tests and came to the conclusion that it is virtually impossible to protect yourself from the exploit while continuing to use Windows Media Player, because the exploit works on all versions of Microsoft's media player (tested with versions 9 to 12 on Windows XP and Windows 7). With alternative players, however, the file download does not start. Specifically:

  • VLC media player plays the video, but no download window opens and no "missing codec" message appears;
  • foobar2000, like Winamp, does not play the file;
  • Media Player Classic behaves like VLC (video only).

As a defense, then, just set any other media player as the default player.

Antivirus

Another measure is to use avast! 5: the VirusTotal scan and the experience of many users show that, so far, it is one of the few antivirus products able to block in real time the download of the MP3 file and of malware of this family. For anyone who downloads a large amount of potentially harmful material from the network, our advice is to take it into consideration.

  • However, this was useless: the virus download is offered again.
  • If someone can find software or a procedure to prevent this exploit, please report it in the comments section.
  • Source: Megalab
