Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Music Files - New Codec injection attacks add danger for Multi-media files

Sometimes one bad apple can spoil the entire bunch. A new injection-based codec attack has surfaced that can infect all multimedia files on the hard drive. For example, a malicious MP3 file can be downloaded, and if the special fake codec routine is accepted, it will inject malicious code into every multimedia file that is processed. Folks should continue to use only trusted sources for music or video.

Infectious Music, Malware-Style
http://www.trustedsource.org/blog/132/Trojan-infecting-multimedia-files
http://blog.trendmicro.com/infectious-music-malware-style/

QUOTE: A malware that infects multimedia files, modifying them to require the download of a fake codec when played had recently been discovered. It infects widely used multimedia file formats such as MP3, WMA and WMV video files by injecting a malicious code. The said malware is also capable of converting files such as MP2 and MP3 into Windows Media Audio (WMA) format. When a user tries to play an infected file, a pop-up message is displayed, asking the user to download a certain codec in order to play the file. The downloaded codec is of course, nothing else but malware.

But this malware takes it to a new, and more dangerous level; it manipulates a person’s multimedia files and uses it against them. People normally keep thousands of multimedia files on their systems, especially MP3s. If each file is infected by the malware then shared through a P2P network, then the user unknowingly turns into a malware host.

Comments

Alun Jones said:

Asking people to get their media files from trusted sources is one solution - another is to ask people to get their _codecs_ from trusted sources, too.

Obviously, it's a little difficult to say _what_ is a trusted source for either media or codec, but there are likely to be fewer codec sources to vet than there are media sources, you generally won't get into trouble for downloading a codec (unless it's proprietary).

Lesson: don't ever install a codec that came with the media, and where possible, disable any ability your player has to automatically fetch a codec from the media's declared source. Only fetch codecs from the media player's trusted source, or failing that, a trusted third party - but never from where the media tells you to go.

# July 16, 2008 9:59 AM

Chris Quirke said:

Better file type discipline would help, too - IOW, files named as .MP3 should not be "opened" as .WMA or .ASF if that is what the (hidden) internal type info claims them to be.  A file that spoofs the UI type info is suspect, and should be treated as such!

Behind this, is .ASF itself - looks like the same old "by design" stupidity that allows files that are expected to be low-risk "data" to act as autorunning code.

As to "trusted sources" - these days, one seldom navigates by unique address, and these unique addresses are themselves spoofable at the DNS backbone level.

# August 31, 2008 9:14 PM
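
The file type check raised in the comments above, as an added example that is not part of the original post or its comments: it walks a music folder and reports files whose extension disagrees with the container signature in their first bytes, such as an ASF file carrying an .mp3 name. The function names and sample bytes are constructed for illustration.

```python
import os
import tempfile

# ASF Header Object GUID: the first 16 bytes of an ASF/WMA/WMV file.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
EXPECTED = {".mp2": "mpeg-audio", ".mp3": "mpeg-audio",
            ".asf": "asf", ".wma": "asf", ".wmv": "asf"}


def sniff_container(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if head.startswith(ASF_HEADER_GUID):
        return "asf"
    if head.startswith(b"ID3"):
        return "mpeg-audio"  # ID3v2 tag in front of the MPEG audio frames
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mpeg-audio"  # 11-bit MPEG audio frame sync
    return "unknown"


def scan_tree(root: str) -> list:
    """Return (relative path, type implied by name, sniffed type) per mismatch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            expected = EXPECTED.get(os.path.splitext(name)[1].lower())
            if expected is None:
                continue  # not a media extension this check covers
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                actual = sniff_container(fh.read(16))
            if actual != expected:  # includes unrecognised content
                findings.append((os.path.relpath(path, root), expected, actual))
    return sorted(findings)


def demo() -> list:
    """Scan a temporary directory of constructed sample files."""
    samples = {  # constructed headers, not real media
        "clean.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 6,
        "raw.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 12,
        "song.wma": ASF_HEADER_GUID,
        "renamed.mp3": ASF_HEADER_GUID,  # ASF container behind an .mp3 name
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

A hit means only that the name and the container disagree; the file still needs inspection before it is treated as infected or clean.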