New trojans use DRM

Printable View

Show 40 post(s) from this thread on one page

January 13th, 2005, 03:57 PM
the_JinX

New trojans use DRM

Quote:

PandaLabs has detected the appearance of two new Trojans, Trj/WmvDownloader.A and Trj/WmvDownloader.B, which are spreading through P2P networks in video files. These Trojans take advantage of the new technology incorporated in Microsoft Windows Media player called Windows Media Digital Rights Management (DRM), designed to protect the intellectual property rights of multimedia content. When a user tries to play a protected Windows media file, this technology demands a valid license. If the license is not stored on the computer, the application will look for it on the Internet, so that the user can acquire it directly or buy it. This new technology is incorporated through the Windows XP Service Pack 2 + Windows Media Player 10 update.

http://www.pandasoftware.com/about/p...x?noticia=5818

All I can say is.. Muhahahahahaah !!

Quote:

Even though these Trojans have been detected in video files with extremely variable names which can be downloaded through P2P networks like KaZaA or eMule, bear in mind that they can also be distributed through other means, such as files attached to email messages, FTP or Internet downloads, floppy disks, CD-ROM, etc.

So a website with an embeded wmv could even infect your Windows XP SP2 WM10 box when you are surfing with FireFox :p
January 13th, 2005, 04:18 PM
gore

Kind of sad when the sex video comes with a Trojan ;) (Think condom company)

lololol Safe sex.

Hahahahahahahahahahaha.

This is funny as ****. So is Xine affected? No? Ah well, back to whatever I was doing.
January 13th, 2005, 04:26 PM
the_JinX

Ehm.. nope.. WM10 only (as far as I know)

The Register makes me think more like the DRM part only leads one to the trojan-ed pages and lets IE bugs do the rest..

Quote:

If the user runs a video file that is infected by one of the "DRM Trojans", they pretend to download the corresponding license from the net. In reality users are redirected to sites that take advantage of Windows vulnerabilities to download spyware, adware, premium-rate diallers and other viruses onto victim's machines.

http://www.theregister.co.uk/2005/01/13/drm_trojan/
January 13th, 2005, 09:16 PM
killerbeesateme

Does anyone have any information on how this actually works? I've been searching google but all i can come up with is news accounts and not any actual information. I know DRM uses WMP to launch a website, but what does it do from there? Is an exe downloaded? Could it be a specially crafted License Key? Perhaps it spawns a website that uses Microsoft vulnerabilities in order to infect the said system? I'm very unfamiliar with DRM systems and I'm curious to know how it actually does it's dirty work. Panda wasn't really any help at all. Even in it's technical specs it basically dumbs it down and says "WmvDown.A creates several files, belonging to the malware it installs in the affected computer." Its a no sh*t sherlock description. Any one have experience with DRM licensing who might be able to shed some information?

Thanks
January 14th, 2005, 01:37 AM
jinxy

It works like this...............You download a file, music/film, what ever. That file is protected with DRM tech. To play that file you must have a license, if you have not got the license WMP will go to a web site that offers you a license to view/listen to that file. WMP then, assuming you purchase, downloads the license file..................................That file could be anything, trojan perhaps.

The flaw is down to the way WMP authenticates the original file and it's supsequent license.
January 14th, 2005, 02:49 AM
Tim_axe

Pretty much what Jinxy says, but I'll address it in somewhat more depth.

Most files have several streams. One is the audio stream, and has all of the music data in whatever compression codec is used. Another can be the video stream, again compressed however it was encoded. These are the most common, as every music file has an audio stream, and every video has to have a video stream, etc. The more uncommon stream encountered, that is used a lot in DRM protected files, is the Script Commands Stream. Basically this is another stream that can do things like display captions for music/video, and force Internet Explorer to open certain URLs. (There is also Meta Data, but that isn't quite a stream. There may be more, but these are the ones I understand.)

The problem is that Windows Media Player uses Internet Explorer as the default browser, and it is even embedded inside of Windows Media Player. If the website it goes to can do nasty stuff to Internet Explorer, disaster is going to happen when WMP goes to it. These media files (and their Scripting Streams and DRM License URL's) tell WMP to open up these kinds of websites.

These streams aren't limited to Windows Media Player, and this isn't the first time these things have happened. WinAmp's own NSV streaming format has similar streams (Scripting Stream), and AOL has made it a pain in the ass to disable them, although it is (was?) possible. Basically WinAmp also embeds Internet Explorer, and that causes problems when Internet Explorer goes to them...
January 14th, 2005, 04:24 PM
the_JinX

Microsoft Corp. says it has no plans to change the way its Windows Media Player handles the download of DRM licenses.

Quote:

"Not every problem comes with an automatic technology solution. In this case, the priority is to educate users and get them to understand the importance of not downloading files from untrusted sources," said Mike Coleman, lead product manager with Microsoft's Windows division.

"If strangers are trying to entice you to open a file, chances are they're setting you up for a bad experience. We need to continue our work on getting people to understand what's going on and get them to develop better download habits," Coleman told eWEEK.com.

http://www.eweek.com/article2/0,1759,1751324,00.asp

Ehm... Yeah, right...
January 14th, 2005, 05:30 PM
killerbeesateme

Thanks for the responses guys, i just have a follow up question, mostly for Tim_Axe, So the main route of infection is kind of akin to the Iframe exploits that hit just awhile ago, except using WMP instead of ad sites as a carrier? I'm mainly wondering if there is a particular file extension to these licenses, and if the "virus", so to speak, is downloading straight .exes or self extracting zips and executing them locally, or if it is taking advantage of already existing explorer holes in order to do its dirty work. another way to put it, is it utilizing Web Pages as its main point of infection, or if it is somehow scripting to download all the individual .exes and executing them? sorry if my question is kind of confusing, but i'm mainly wondering if its the webpage itself doing the dirty work, or if the license process itself is doing the dirty work. an easy example is a CD-R. If it Autoran, would it be a straight execution in the autorun file, or would it be in the launching of an IE window containing some nasty code (very non related subjects but it helps you get my drift) i'm planning on setting up a proof of concept just to see how easy it is to do.
January 14th, 2005, 08:45 PM
the_JinX

there is supposed to be some a proof of concept..
http://www.benedelman.org/news/010205-1.html
I didn't want to try.

I haven't found it and my kaffeine player in kde's konqueror didn't play the video's and neither did mplayer in firefox.
January 14th, 2005, 09:56 PM
muert0

Quote:

Originally posted here by the_JinX
Microsoft Corp. says it has no plans to change the way its Windows Media Player handles the download of DRM licenses.

http://www.eweek.com/article2/0,1759,1751324,00.asp

Ehm... Yeah, right...

http://www.pcworld.com/news/article/0,aid,112045,00.asp
You think if something like this old attack started spawning through this DRM vulneribility they might chnage there tune?

Show 40 post(s) from this thread on one page