Researcher disinfects multimedia Trojans

By Robert Westervelt, News Editor
20 Aug 2008 | SearchSecurity.com

A Polish security researcher who is investigating how attackers are using a multimedia Trojan to infect audio and video files on peer-to-peer networks has created a tool to cure infected files.
Marcin Noga, a security researcher with Hispasec Sistemas, said the multimedia Trojan, which antivirus vendors first identified in July, can evade antivirus detection.
The Trojan, dubbed GetCodec, embeds itself in files that use Microsoft's Advanced Systems Format (ASF), the container for Windows Media Audio (WMA) and Windows Media Video (WMV) files. When an infected media file is opened, Windows Media Player is redirected to a malicious site hosting a fake codec and malware.
According to Noga's reverse engineering analysis, the attackers control the coder/decoder (codec) download URL on the server side, so they can deliver any type of content and swap the payload as quickly as antivirus vendors update their signatures. So far the Trojan has been spreading successfully through P2P networks and could be a menace in corporate environments, government agencies and schools, Noga said.
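The redirect described above rides on the ASF header: the ASF specification defines a Script Command Object that can tell Windows Media Player to open a URL at a given playback time, and "URLANDEXIT" is the command type that makes the player navigate away. The article does not say which header object GetCodec writes, so the scanner below assumes that channel. It is an added example, not Noga's disinfector or any vendor's code: it constructs a minimal ASF header inline (the codec.invalid URL is a placeholder), walks the header objects, and reports any script command whose type would make the player navigate. The object GUIDs are the ones from the ASF specification; a disinfector would additionally have to drop or neutralise the object and fix up the header sizes, which this detector does not do.

```python
"""Scan an ASF (WMA/WMV) header for Script Command entries that carry URLs.
Added example; assumes the redirect lives in an ASF Script Command Object."""
import struct
import uuid

# Object GUIDs from the ASF specification. On disk they are stored with the first
# three fields little-endian, which uuid.UUID(bytes_le=...) / .bytes_le handle.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("7BF875CE-468D-11D1-8D82-006097C9A2B2")
ASF_SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")

# Command types that make Windows Media Player navigate (assumption: the article
# names no specific field; "URLANDEXIT" is the type used for codec-lure redirects).
SUSPICIOUS_TYPES = {"URL", "URLANDEXIT"}


def _utf16(s: str) -> bytes:
    # ASF strings are UTF-16LE; the stored lengths count WCHARs, not bytes.
    return s.encode("utf-16-le")


def build_script_command_object(command_types, commands) -> bytes:
    """Serialize a Script Command Object (used here only to construct a sample).
    Layout: GUID, size, reserved GUID, commands count, types count, types, commands."""
    body = struct.pack("<HH", len(commands), len(command_types))
    for name in command_types:
        body += struct.pack("<H", len(name)) + _utf16(name)
    for pres_time_ms, type_index, name in commands:
        body += struct.pack("<IHH", pres_time_ms, type_index, len(name)) + _utf16(name)
    payload = ASF_SCRIPT_COMMAND_RESERVED.bytes_le + body
    return ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def build_asf_header(sub_objects) -> bytes:
    """Wrap sub-objects in a top-level ASF Header Object (count, reserved 0x01, 0x02)."""
    payload = struct.pack("<IBB", len(sub_objects), 1, 2) + b"".join(sub_objects)
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def _read_wstr(buf: bytes, off: int):
    (nchars,) = struct.unpack_from("<H", buf, off)
    off += 2
    raw = buf[off:off + 2 * nchars]
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00"), off + 2 * nchars


def find_url_commands(data: bytes):
    """Return (command_type, command_name) pairs for every script command whose
    type can make the player navigate. Raises ValueError if data is not ASF.
    Truncated or oversized objects end the walk instead of reading past the header."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF header")
    (hdr_size,) = struct.unpack_from("<Q", data, 16)
    (count,) = struct.unpack_from("<I", data, 24)
    end = min(hdr_size, len(data))
    off, hits = 30, []
    for _ in range(count):
        if off + 24 > end:
            break
        guid = uuid.UUID(bytes_le=data[off:off + 16])
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            break  # lying size field: stop rather than trust it
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            p = off + 24 + 16  # skip object header and reserved GUID
            n_cmds, n_types = struct.unpack_from("<HH", data, p)
            p += 4
            types = []
            for _ in range(n_types):
                name, p = _read_wstr(data, p)
                types.append(name)
            for _ in range(n_cmds):
                _pres_time, type_index = struct.unpack_from("<IH", data, p)
                p += 6
                name, p = _read_wstr(data, p)
                ctype = types[type_index] if type_index < len(types) else "?"
                if ctype.upper() in SUSPICIOUS_TYPES:
                    hits.append((ctype, name))
        off += size
    return hits


# Constructed samples (not real GetCodec files): one header carrying a redirect to a
# placeholder "codec download" URL at playback time 0, and one with no script commands.
SAMPLE_URL = "http://codec.invalid/getcodec.php?id=1"
SAMPLE_INFECTED = build_asf_header(
    [build_script_command_object(["URLANDEXIT"], [(0, 0, SAMPLE_URL)])]
)
SAMPLE_CLEAN = build_asf_header([])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            try:
                hits = find_url_commands(f.read())
            except ValueError as exc:
                print(f"{path}: {exc}")
                continue
        print(f"{path}: {'SUSPICIOUS ' + repr(hits) if hits else 'no URL script commands'}")
```

Run it as `python scan_asf.py suspect.wma`; any hit means the file will try to send the player to a URL before or during playback, which a legitimately encoded WMA/WMV has no reason to do. Note that the walk trusts the object size fields only as far as the buffer allows, so a deliberately corrupted header is reported as clean rather than crashing the scanner; treat "no commands found" on a file that also fails to play as inconclusive.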
"This is yet another example of how the combination of technique and social engineering is a nice cocktail when aiming at high propagation rates," Noga wrote in a research paper entitled "GetCodec Multimedia Trojan Analysis."
Noga released a multimedia Trojan disinfector that he says could cure infected files.
In an email exchange, Noga said the GetCodec Trojan isn't complicated and appeared to have unfinished code. Currently the Trojan is infecting files at very low levels, he said.
"The author used standard Windows APIs and appropriate COM interfaces to search and manipulate data," Noga said. "It didn't contain an anti-debug mechanism or a Virtual Machine detection technique, which I have the 'pleasure' to often see in bank Trojans."
Researchers at Secure Computing Corp. were among the first to spot the new media Trojan. A similar attack was detected in May, when McAfee Inc. discovered infections on more than 360,000 machines.