Exploiting Media For Fun and Profit
Aleksandr Yampolskiy, Ph.D.
Director of Security and Compliance, Gilt Groupe
Agenda
• Overview
• Media Malware Trends
• Media Attack Vectors
• Case Studies
• Detection and Protection
Why Use Media to Spread Malware?
• Media is everywhere.
  - Internet users in the U.S. alone viewed 14.3 billion videos in December (CNN, 2/6/09).
  - At least 7 million people in Britain use illegal music downloads (Guardian, 5/29/09).
  - There are 5.6 million Angelina Jolie images on Google.
• How many of these are malicious?
Most People Don’t Know Media Can Spread Viruses
• We’ve polled 500 IT professionals: which of these sites could be malicious?
• Roughly 50% of them thought Youtube movies on a friend’s blog are perfectly safe.
• What percent of average consumers
[Chart: poll results (bars labelled 98%, 10%, 50%, 0%)]
Media Malware Trends
• Interestingly, attacks are often not targeted.
• Social engineering and blackhat SEO are used to entice the victim to view the content.
• Rough malware breakdown: 50% videos, 30% music, 20% images.
• Commonly spread through social websites, news-site imitations, P2P sites.
Distribution Channels
• Malware distributed through social networking sites (Facebook, myspace, odnoklasniki, etc.) has a 10% success rate in terms of infection versus a 1% success rate via email.
[Chart: total number of malicious programs targeting social networking sites]
Breaking News Videos
• During Q1 2010, hackers took advantage of every major newsworthy event to lure visitors into infected sites. E.g., Erin Andrews tape, release of iPad, Avatar blockbuster, earthquake in Haiti, terrorist bombings in Moscow [Kaspersky Report].
• Out of 100 million blog posts, the eSOFT team uncovered 700,000 malicious fake YouTube pages (0.7%) [SC Magazine US, 6/09/10].
P2P Video/Audio Files
• Using a custom tool, we analyzed all torrent videos of the Ghost Writer (2010) movie found through Isohunt.
• Before the DVD release, only 10 of 570 videos (1.75%) didn’t contain malware.
• After the DVD release, 450 of 681 (66%) were clean.
Image Files
• Malformed image attacks accounted for 10% of web attacks in 2009.
• Often images were hosted on legitimate sites, but MIME types are forged or PHP is nestled in text comment fields of legitimate GIF or JPG images. [ScanSafe 2009 report]
• JPEG GDI buffer overflow vulnerabilities
[Image: malicious image files]
Attack Vectors
• MS Video/Music: URLANDEXIT command; DRM functionality abuse; renaming tricks (Movie.avi.exe)
• Images: hiding PHP commands in comments; JPEG GDI overflow; renaming tricks (angelina.jpg.exe)
• “Youtube” Videos: Flash getURL commands; various Adobe vulnerabilities
Attack Vectors (cont.)
• For video/music files, social engineering is used to trick the user into accepting to
  • ‘download codec’ to play video.
  • ‘clicking yes in popup on license terms’ or ‘download license key’.
• For images, often no user interaction is needed.
• For online Flash videos
  • Consent to ‘downloading codec’
Case 1: Fake Youtube Videos
• Youtube uses Adobe Flash plug-in.
• Flash has the worst security record in 2009.
  • Multiple critical vulnerabilities via malicious SWFs (APSB08-11)
  • Supports script commands getURL(), navigateToURL() to load documents from specific URLs.
• Youtube is severely restricted (up-to-date patches, disabled script commands) so it’s “safe”.
• Can we say the same about a random blog?
• Can a good web designer make a blog video look very much like a Youtube video?
Fake Youtube Videos (cont.)
• Actually, you don’t even need to be a good web designer.
• YTFakeCreator allows you to create fake Youtube look-alikes, and attach malicious payloads.
• Typically, a user is prompted to download a ‘codec’ (which is really a malware stub).
Fake Youtube videos (cont.)
Koobface Virus
• Many of these viruses spread through social sites.
Fake Youtube videos (cont.)
• A concrete example: Erin Andrews is an ESPN sportscaster, who was secretly videotaped through a hotel peephole in July 09.
• Shortly thereafter, a site video.report-cnn.com hosting the tape appeared.
[Screenshot of the fake site’s popup: “LIVE VIDEO PLAYER BLOCKED. Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below.”]
Fake Youtube videos (cont.)
• Most of the site is embedded through IFRAMES from CNN (aka clickjacking) but the malware is served from mediaplayer.4upd.com.

  <!-- LARGE PLAYER HTML CODE --> <div id="cnnVPFlashLarge" style="position: relative;"> <div
  style="border-style: solid; border-color: rgb(230, 230, 230); border-width: 1px 1px 0px; width: 574px;
  height: 372px;" id="cnnVPFlashLargeContainer"> <object height="372" width="574"> <param name="movie"
  value="http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video"> <param name="allowScriptAccess" value="always">
  <embed src="http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video" allowscriptaccess="always" height="372"
  width="574"></embed> </object> </div> <div id="cnnVPInfoLMy"> <div id="cnnVPInfoLeftCol"> <div
  style="padding: 8px 10px 0px;" id="cont

• The malware has two novel ideas. After clicking on the link:
  • The video actually plays to alleviate suspicions.
  • Different malware is served for different OS (Macs get infected with the OSX/Jahlav-C trojan; Windows gets infected with a rogue antivirus, Mal/EncPK-IF or Mal/FakeAV-AY).
Lots of people fell for this!
The hacker created other sites.
• A simple lookup through Maltego reveals that he created similar sites dedicated to sex, breaking news, online gambling.
Case 2: ASF Exploits
• ASF is a Microsoft proprietary format for streaming media (.asf, .wma, .wmv)
  • Consists of byte sequences, identified by a GUID marker.
  • Has a framework for Digital Rights Management to download licenses from URLs.
  • Script commands (such as URLANDEXIT to download a file from a URL) can be embedded in the stream.
• Many players support it: Windows Media Player, RealPlayer, MPlayer, Zune, Flip4Mac, Quicktime add-on, Linux FFmpeg, etc.
• Interestingly, if you rename an ASF file to .AVI, it will still be interpreted as ASF in Windows.
DRM
• DRM aims to allow the distributor of audio/video to control how it’s used.
• Client (aka Media Player) can request a license from the license server to play the file.
• Turns out the request is over HTTP and the License Server returns the prompt message to the client!!
DRM (cont.)
• Multiple examples of abuse: WmvDownloader-A, WmvDownloader-B
• The malware comes as a DRM license installer and its code is quite obfuscated.
• It could tell the user to ‘install codec’, or ‘download a legitimate license’.
DRM (cont.)
• It could tell the user to ‘install a missing codec’
DRM (cont.)
• Or threaten the user to ‘accept license terms’.
• Example: http://www.icpp-online.com/
URLANDEXIT
• Microsoft says that script commands can contain instructions that enhance the playback experience.
• URLANDEXIT may open your internet browser and display a related web page while the player plays back content.
URLANDEXIT (cont.)
• Enter the Win32.ASF-Hijacker.A trojan that searches for MP2, MP3 and ASF files on the local HD and shares
  • Converts MP2 and MP3 to ASF.
  • Then injects a URLANDEXIT command into the media pointing to a site isvbr.net hosted in Hong Kong that serves malware.
  • The trojan disables URLANDEXIT functionality, so the user’s media will play as before, yet he may share infected media via P2P with other victims.
URLANDEXIT (cont.)
• Alternatively, attackers may create their own malware videos and poison search-engine results.
URLANDEXIT (cont.)
• Some of these malware torrents have a README.TXT.LNK file that’s actually a malware executable, while the video is genuine.
• Others have a malware video, and a real README.TXT conveniently tells you to either download a codec from a specific URL or install their own fully coded player.
Ghost Writer Noir
• Viewing a video pops up a window to download a codec (Trojan-Dropper.Win32) served from tpbtrack.com, microsoftmedicenter.com
Case 3: JPEG GDI Exploit
• Back in 2004, Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed.
• Surprisingly, many computers are still not patched.
• There is a similar exploit affecting PNG images in all Gecko-based browsers (Mozilla, Firefox, Camino)
JPEG GDI (cont.)
• The JPEG exploit first appeared on several Usenet newsgroups that contained erotic images, images of Angelina Jolie, etc.
• Upon viewing a JPEG file, a buffer overflow writes shell code to the user’s computer which allows the attacker to remotely interact with the user’s system as if they were sitting at the local console.
Exploits are readily available
Detection and Protection
• Turn off the unused features
To disable URLANDEXIT
• Edit the following registry key
  HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
  - PlayerScriptCommandsEnabled: disabled as default (since 2003)
  - WebScriptCommandsEnabled: default is 1 (enabled)
  - URLAndExitCommandsEnabled: default is 1 (enabled)
To disable DRM auto-downloads
• In Windows Media Player, disable “Download usage rights automatically”.
• Be wary of any popups you consent to.
Detecting malicious ASF files
• Usually, malicious music/video files will adhere to the same structure.
  • There’s a real music/video snippet.
  • Then at some point, a script command is used to trigger download of malware from the hacker’s URL.
  • The command has a predictable byte sequence, which is either URLANDEXIT(…) or <LAINFO>…</LAINFO> for DRM abuse.
  • The rest of the file may be padded to make its length look plausible.
[Diagram of file layout: Real video | Goto(URL) | Real video | Padding]
Our Tool
• Given a torrent URL, it downloads the torrent pieces sequentially.
• As it downloads pieces, it uses Boyer-Moore string search for any URLANDEXIT or LAINFO commands and extracts the URL.
• It then sends a request to the WoT (web of trust) server to gauge the URL’s reputation.
• If the URL is trustworthy, or no script commands are present, then the media file is ranked safe.
• http://code.google.com/p/videosearc
Our Tool (cont.)
• Sample output

  root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# Downloading
  torrent information from http://dl7.torrentreactor.net/download.php?id=3204949
  Opening torrent file...
  Number torrent pieces 700
  -------------------------
  733012295
  The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
  Torrent file 0
  Torrent file starts at piece 0
  Torrent file length 10
  -------------------------
  Starting download of The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
  29.71% complete (down: 0.0 kb/s up: 0.0 kB/s peers: 0. ) checking. Downloaded pieces 208,
  Pieces 0 1 2 3 4 5 6 7
  sequential torrent download....

  root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# python video_search.py
  Video searcher v1.0 Copyright Aleksandr Yampolskiy
  Looking for malware in file: VIRUS-VIDEO.AVI
  Positions of ['U', '\x00', 'R', '\x00', 'L', '\x00', 'A', '\x00', 'N', '\x00', 'D', '\x00', 'E', '\x00', 'X',
  '\x00', 'I', '\x00', 'T', '\x00'] and ['\x00', '\x00', '\x00', '6']
  startPos = 1939
  endPos = 2017
  ================================================================
  The extracted URL: http://freaktorrents.info/locked/3
  Checking reputation of url: http://freaktorrents.info/locked/3

  (Trustworthiness, Reliability)= [5, 44]
  Reliability is > 20, so I'll proceed
  Trustworthiness is < 60, so this is a bad site!
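The detection structure and the verdict rule from the two slides above, written out as an added example; it is not part of the deck and not the author’s video_search.py. It searches a byte buffer for the UTF-16LE URLANDEXIT marker or a LAINFO tag, extracts the URL that follows, and applies the deck’s reliability > 20 / trustworthiness < 60 rule using an injected reputation function in place of a live WoT lookup. The object layout in build_sample, the search window and the example URLs are assumptions.

```python
import re
from typing import Callable, Optional, Tuple

# Byte signatures the deck describes. Inside an ASF stream, script command names and
# DRM license info are UTF-16LE, so every ASCII character is followed by a NUL byte.
URLANDEXIT_U16 = "URLANDEXIT".encode("utf-16-le")
LAINFO_U16 = "<LAINFO>".encode("utf-16-le")
LAINFO_ASCII = b"<LAINFO>"

# A URL in UTF-16LE or ASCII: scheme, then printable ASCII up to a space, NUL or '<'.
_URL_U16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00(?:[\x21-\x3b\x3d-\x7e]\x00)+")
_URL_ASCII = re.compile(rb"https?:[\x21-\x3b\x3d-\x7e]+")

_SIGNATURES = (
    ("URLANDEXIT", URLANDEXIT_U16, _URL_U16, "utf-16-le"),
    ("LAINFO", LAINFO_U16, _URL_U16, "utf-16-le"),
    ("LAINFO", LAINFO_ASCII, _URL_ASCII, "ascii"),
)


def find_script_url(data: bytes, window: int = 512) -> Optional[dict]:
    """Return the earliest script-command marker and the URL that follows it, or None."""
    hits = []
    for kind, marker, pattern, encoding in _SIGNATURES:
        pos = data.find(marker)
        if pos == -1:
            continue
        start = pos + len(marker)
        match = pattern.search(data, start, start + window)  # URL sits shortly after the marker
        if match:
            hits.append({"kind": kind, "offset": pos, "url": match.group(0).decode(encoding)})
    return min(hits, key=lambda h: h["offset"]) if hits else None


def classify(data: bytes, reputation: Callable[[str], Tuple[int, int]]) -> str:
    """Verdict rule from the deck: no script command -> safe; otherwise ask a reputation
    oracle for a WoT-style (trustworthiness, reliability) pair (injected so this runs
    offline) and flag the file when the rating is reliable (> 20) but trust is low (< 60)."""
    hit = find_script_url(data)
    if hit is None:
        return "safe"
    trust, reliability = reputation(hit["url"])
    if reliability <= 20:
        return "unknown"  # too little data to trust the rating either way
    return "malicious" if trust < 60 else "safe"


def build_sample(url: str) -> bytes:
    """Constructed stand-in for a booby-trapped ASF (not a spec-exact object layout):
    ASF header GUID, a fake video payload, a URLANDEXIT command carrying the URL, padding."""
    asf_magic = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
    video = bytes(range(256)) * 4
    command = URLANDEXIT_U16 + b"\x00\x00" + (1).to_bytes(4, "little") + url.encode("utf-16-le") + b"\x00\x00"
    return asf_magic + video + command + b"A" * 1024
```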
Entropy of Malicious ASF Files
• An additional way of distinguishing malware ASF files would be by computing their entropy.
• Often padding is totally random or a repetitive fixed string.
• Also, script commands change the entropy of the video stream [trustedsource.com]
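A small entropy profiler for the heuristic on this slide, added here as an example that is not from the deck or from trustedsource.com. It computes per-block Shannon entropy and flags blocks that are near-constant (repetitive padding) or that change abruptly against the previous block (a script command or filler spliced into compressed video). The block size, the thresholds and the constructed sample file are assumptions.

```python
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a block of one repeated value, 8.0 for uniform random bytes."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, block: int = 4096) -> List[float]:
    """Entropy of each fixed-size block, in file order."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def suspicious_regions(data: bytes, block: int = 4096, low: float = 1.0,
                       jump: float = 1.0) -> List[Tuple[int, float]]:
    """(offset, entropy) of blocks that do not look like compressed media: a repeated
    fixed string reads near 0 bits/byte, and an inserted script command or a switch to
    filler shows up as an abrupt change against the previous block (thresholds assumed)."""
    profile = entropy_profile(data, block)
    flagged = []
    for idx, h in enumerate(profile):
        abrupt = idx > 0 and abs(h - profile[idx - 1]) > jump
        if h < low or abrupt:
            flagged.append((idx * block, round(h, 2)))
    return flagged


def build_profile_sample(block: int = 1024) -> bytes:
    """Constructed file with the layout the deck describes: 4 blocks standing in for
    compressed video (seeded pseudo-random bytes), 1 block of UTF-16LE script command
    text, then 2 blocks of fixed padding."""
    rng = random.Random(2010)
    video = bytes(rng.getrandbits(8) for _ in range(4 * block))
    text = "URLANDEXIT http://bad-site.example/locked/3 ".encode("utf-16-le")
    command = (text * (block // len(text) + 1))[:block]
    return video + command + b"\x00" * (2 * block)
```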
To detect GDI JPEG vulnerabilities
• GDI Scan tool will scan your HD for gdiplus.dll and other files to see if they are vulnerable.
• Many (but not all) A/Vs already detect malicious JPEGs.
• Make sure you are up to Service Pack XP SP2.
Conclusion
• Staying away from shady or illegal websites won’t necessarily keep you safe these days.
• The ‘missing codec’ trick remains one of the most widespread and successful social-engineering tricks.
• Disable Windows Media Player’s URLANDEXIT command and DRM auto-download behavior.
• Use our VideoSearch Tool to look for malicious scripts inside ASF files.
Questions, Comments, Suggestions

				
Posted: 10/13/2011