A Polish security researcher investigating how attackers are using a multimedia Trojan to infect audio and video files on peer-to-peer networks has created a tool to cure infected files.
Marcin Noga, a security researcher with Hispasec Sistemas, said the multimedia Trojan, which was discovered by antivirus vendors in July, has the ability to dupe antivirus vendors.
The Trojan, dubbed GetCodec, is written to embed itself in Microsoft's Advanced Systems Format (ASF), infecting Windows Media Audio (WMA) and Windows Media Video (WMV) files. When an infected media file is opened, the Windows Media Player is redirected to a malicious site hosting a fake codec and malware.
According to Noga's reverse engineering analysis, the malware makers can change the URL for the coder/decoder (codec) download on the server side, delivering any type of content and updating the file as quickly as antivirus vendors update their signatures. So far, it's been successfully spreading throughout P2P networks and could be a menace in corporate environments, government agencies and schools, Noga said.
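Added here as an example (not Noga's disinfector and not code from the article): a small Python triage scanner that walks the header of an ASF (WMA/WMV) file and reports any script command that would send Windows Media Player to a web address, which is the signal a defender would want before a codec prompt ever appears. It assumes, since the article does not describe the mechanism, that the redirection rides in the ASF Script Command Object (URL / URLANDEXIT commands); the minimal sample file it builds and the URL in it are constructed for the demonstration.

```python
import struct
import uuid

# ASF object GUIDs (stored little-endian on disk; uuid.bytes_le gives that byte order).
HEADER_OBJ = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
SCRIPT_CMD_OBJ = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
URL_TYPES = {"URL", "URLANDEXIT"}  # command types that make the player open a web address


def _wstr(s):
    """WORD character count followed by UTF-16LE text, as ASF stores command strings."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def script_commands(payload):
    """Decode a Script Command Object payload into (type name, command text) pairs."""
    n_cmds, n_types = struct.unpack_from("<HH", payload, 16)  # counts follow a reserved GUID
    pos, types, cmds = 20, [], []
    for _ in range(n_types):  # command type table
        (n,) = struct.unpack_from("<H", payload, pos)
        types.append(payload[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * n
    for _ in range(n_cmds):  # presentation time, type index, then the command string
        _time, idx, n = struct.unpack_from("<IHH", payload, pos)
        cmds.append((types[idx], payload[pos + 8:pos + 8 + 2 * n].decode("utf-16-le")))
        pos += 8 + 2 * n
    return cmds


def find_url_commands(data):
    """Return web addresses embedded as script commands; an empty list means none found."""
    if data[:16] != HEADER_OBJ:
        raise ValueError("not an ASF file")
    header_size = struct.unpack_from("<Q", data, 16)[0]
    pos, hits = 30, []  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    while pos + 24 <= min(header_size, len(data)):
        guid, size = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24:
            break  # malformed object size: stop rather than loop forever
        if guid == SCRIPT_CMD_OBJ:
            cmds = script_commands(data[pos + 24:pos + size])
            hits += [target for ctype, target in cmds if ctype.upper() in URL_TYPES]
        pos += size
    return hits


def build_sample(url, ctype="URLANDEXIT"):
    """Constructed minimal ASF header with one script command (test input, not a real file)."""
    body = bytes(16) + struct.pack("<HH", 1, 1) + _wstr(ctype)  # reserved GUID, counts, type table
    body += struct.pack("<IH", 0, 0) + _wstr(url)  # one command at time 0 using type index 0
    obj = SCRIPT_CMD_OBJ + struct.pack("<Q", 24 + len(body)) + body
    return HEADER_OBJ + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```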
"This is yet another example of how the combination of technique and social engineering is a nice cocktail when aiming at high propagation rates," Noga wrote in a research paper entitled "GetCodec Multimedia Trojan Analysis."
Noga released a multimedia Trojan disinfector that he says could cure infected files.
In an email exchange, Noga said the GetCodec Trojan isn't complicated and appeared to have unfinished code. Currently the Trojan is infecting files at very low levels, he said.
"The author used standard Windows APIs and appropriate COM interfaces to search and manipulate data," Noga said. "It didn't contain an anti-debug mechanism or a Virtual Machine detection technique, which I have the 'pleasure' to often see in bank Trojans."
Researchers at Secure Computing Corp. were among the first to spot the new media Trojan. A similar attack was detected in May when McAfee Inc. discovered infections on more than 360,000 machines.