Monday, June 03, 2013


Social engineering attacks using DRM protected ASF files

Some of you may have already noticed that we have started to show new information for ASF files in the File details tab, for example:

https://www.virustotal.com/en/file/b44378bc5f32700edd97d3f66479d9665194cfef95a2252c70a4237263bdfafd/analysis/

This information includes the content encryption object, the extended content encryption object and script command objects, if any at all.

The Advanced Systems Format (ASF) is Microsoft’s proprietary audio/video container format. Its specification defines the structure of the audio/video stream and provides a framework for digital rights management (DRM) of the contained streams. Files using this format are commonly seen with the wmv, wma or mp3 extensions.

The Windows Media Rights Manager allows protecting media content in such a way that, when the user tries to play a file for which there is no valid license, Windows Media Player displays a URL defined by the content provider.

This scheme allows attackers to create evil media files that force a visit to a malicious URL when the crafted file is opened. In the following screenshot we can observe how a wmv file (https://www.virustotal.com/en/file/9c3d364fb2f6e43a8c1d149bfb929bc5fc1ec2a9ae6ca424d87295e65b61e3c4/analysis/) forces the user to visit xvidprox.com; this site deceives the visitor into thinking he has to download and install a “required” plugin in order to watch the video, a common social engineering trick.



Parsing the file content encryption headers we find:

Content Encryption Header:
Secret Data: '\xcf\xb8\xba\xf2F2\xd3\xf7Sb\xd9D\xbd5\x936\x8c\xd2Tk\x97\xdb\tT'
Protection Type: DRM
Key ID: gAtyRGxTp0uyKC9AAbf3Gg==
License URL: http://www.microsoft.com/isapi/redir.dll?prd=wmdrm&pver=2&os=win&sbp=newclient

Extended Content Encryption Header:
<WRMHEADER version="2.0.0.0">
<DATA>
 <RID>1</RID>
 <CID>500</CID>
 <LAINFO>http://xvidprox.com/index.html?id=&amp;dlgx=1000&amp;dlgy=600&amp;adv=0</LAINFO>
 <KID>gAtyRGxTp0uyKC9AAbf3Gg==</KID>
 <CHECKSUM>ErLnEFXO!A==</CHECKSUM>
</DATA>
<SIGNATURE>
 <HASHALGORITHM type="SHA"></HASHALGORITHM>
 <SIGNALGORITHM type="MSDRM"></SIGNALGORITHM>
 <VALUE>Trh0AiQYQRBmw3qKi1i4Ox1Lv2FTC!4VFKZoCAJdGwnkPNC8z*bfDA==</VALUE>
</SIGNATURE>
</WRMHEADER>
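As an added illustration (not code from the original post): a small Python parser that walks the ASF Header Object, picks out the Content Encryption and Extended Content Encryption objects whose contents are listed above, and extracts the License URL and the LAINFO URL as indicators an analyst can pivot on. The object layouts are those of the public ASF specification; the UTF-16LE encoding assumed for the WRMHEADER XML, the constructed sample file and its placeholder URLs are assumptions made for the example. The LAINFO extraction deliberately copes with the unescaped `&` seen in real WRMHEADER data (compare the second sample below), which makes a strict XML parser reject the header.

```python
"""Walk an ASF Header Object and extract the DRM headers the post discusses.

Added example, not VirusTotal's code. Object layouts follow the public ASF
specification; the sample file built below is constructed with placeholder URLs.
"""
import re
import struct
import uuid
import xml.etree.ElementTree as ET

# Object GUIDs from the ASF specification (stored little-endian in the file).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def _lp_bytes(buf, off):
    """Read a DWORD length followed by that many bytes; return (bytes, next_off)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _cstr(b):
    """Decode a NUL-terminated ASCII field (Protection Type, Key ID, License URL)."""
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_content_encryption(body):
    """Content Encryption Object body: four length-prefixed fields, in this order."""
    secret, off = _lp_bytes(body, 0)
    ptype, off = _lp_bytes(body, off)
    kid, off = _lp_bytes(body, off)
    url, _ = _lp_bytes(body, off)
    return {"secret_data": secret, "protection_type": _cstr(ptype),
            "key_id": _cstr(kid), "license_url": _cstr(url)}


def parse_ext_content_encryption(body):
    """Extended Content Encryption Object body: DWORD size + WRMHEADER XML.
    Assumption: the XML is UTF-16LE (as in the samples we have handled); anything
    else is decoded as latin-1 so the text is still inspectable."""
    data, _ = _lp_bytes(body, 0)
    if data[1:2] == b"\x00":
        text = data.decode("utf-16-le", "replace")
    else:
        text = data.decode("latin-1")
    return text.lstrip("\ufeff").rstrip("\x00")


def lainfo_from_wrmheader(xml_text):
    """Return the <LAINFO> license-acquisition URL. Real samples often carry an
    unescaped '&' in that URL, so fall back to a regex when the XML is malformed."""
    try:
        node = ET.fromstring(xml_text).find(".//LAINFO")
        return node.text if node is not None else None
    except ET.ParseError:
        m = re.search(r"<LAINFO>(.*?)</LAINFO>", xml_text, re.S)
        return m.group(1) if m else None


def parse_asf_drm(blob):
    """Return the DRM-related headers found in the ASF Header Object ({} if none)."""
    if uuid.UUID(bytes_le=bytes(blob[:16])) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file")
    hdr_size, count = struct.unpack_from("<QI", blob, 16)
    off, end, found = 30, min(hdr_size, len(blob)), {}   # 30 = GUID+size+count+2 reserved
    for _ in range(count):
        if off + 24 > end:
            break
        oid = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        (size,) = struct.unpack_from("<Q", blob, off + 16)
        if size < 24:
            break                                 # corrupt size: stop, don't spin
        body = blob[off + 24:off + size]
        if oid == CONTENT_ENCRYPTION:
            found["content_encryption"] = parse_content_encryption(body)
        elif oid == EXT_CONTENT_ENCRYPTION:
            found["wrmheader"] = parse_ext_content_encryption(body)
            found["lainfo"] = lainfo_from_wrmheader(found["wrmheader"])
        off += size
    return found


def _lp(b):
    return struct.pack("<I", len(b)) + b

def _obj(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body

def build_sample():
    """Constructed ASF header with the two DRM objects (placeholder URLs, not a real sample)."""
    ce = (_lp(b"\x01\x02\x03\x04") + _lp(b"DRM\x00") + _lp(b"KID-EXAMPLE\x00")
          + _lp(b"http://license.example.invalid/\x00"))
    xml = ('<WRMHEADER version="2.0.0.0"><DATA><KID>KID-EXAMPLE</KID>'
           '<LAINFO>http://lure.example.invalid/play.cgi?DlgX=800&DlgY=600</LAINFO>'
           '</DATA></WRMHEADER>').encode("utf-16-le")
    objs = _obj(CONTENT_ENCRYPTION, ce) + _obj(EXT_CONTENT_ENCRYPTION, _lp(xml))
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(objs), 2, 1, 2) + objs

if __name__ == "__main__":
    info = parse_asf_drm(build_sample())
    print(info["content_encryption"]["license_url"], info["lainfo"])
```

Both URLs a player may be sent to come out of the same walk, so a triage script can compare them against the host the file claims to come from, or simply feed them to a URL scanner, without ever opening the file in a media player.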



Needless to say, you will not be able to play the video file (commonly they are small encrypted videos no bigger than 300k, padded with useless data to look like the latest 800MB movie release).

Downloaded file analysis:
https://www.virustotal.com/en/file/5e0b93dfa2aca2463aa022141f079b9bb455d5823f0ab2c9fca8254834bcd47b/analysis/

Let us look at another example of a malicious video sample:
https://www.virustotal.com/en/file/2b75d7be851514dbaf1fa1649f5eee29efc9669ca774bae98944b72356fef4d3/analysis/


Again the ASF headers contain:

Content Encryption Header:
Secret Data: '\xfe\xf0\xfc\x0f\x8c\xf6^\xb9\x8eav\x9f\xfb\x92)\x9d'
Protection Type: DRM
Key ID: ldkokwerodkkkkkk
License URL: http://free-media-player.info/play.cgi?DlgX=800&DlgY=600

Extended Content Encryption Header:
<WRMHEADER version="2.0.0.0">
<DATA>
 <CHECKSUM>KeBODgJtVQ==</CHECKSUM>
 <KID>ldkokwerodkkkkkk</KID>
 <LAINFO>http://free-media-player.info/play.cgi?DlgX=800&DlgY=600</LAINFO>
</DATA>
<SIGNATURE>
 <HASHALGORITHM type="SHA"></HASHALGORITHM>
 <SIGNALGORITHM type="MSDRM"></SIGNALGORITHM>
 <VALUE>2tV2YzlYaZH1LFpq3CEUF+XrNT6+gh++dF3hNEWPONoVWUClPHXGKg==</VALUE>
</SIGNATURE>
</WRMHEADER>

The downloaded file is, once again, clearly malicious:
https://www.virustotal.com/en/file/38eb4c07d967862bbee40010671d111ca76d5e14c3ad23962bc0755ffeaf6fec/analysis/

We successfully tried these videos on Windows Media Player 11 and 12; no user interaction was needed to display the malicious websites, which opens the door to even more interesting automated exploitation through browser vulnerabilities.

We can find a deeper analysis of this matter in a 2010 post at http://habrahabr.ru/post/89676/ (Russian).

We believe displaying these new file details will further help malware researchers in their fight against the bad guys. Additionally, this attack trend leaves room for new interesting features to be implemented in VirusTotal with regard to the relationships between files. Was this file downloaded from a given site? And if so, was this site used in a media content DRM social engineering attack? Which video file was the initial trigger for the whole infection process? Interesting questions that we will soon be addressing.

Friday, May 03, 2013


VirusTotal += CyberCrime botnet panels tracker

Xylitol has been extremely kind in letting us enrich VirusTotal's URL scanner with his CyberCrime tracker. CyberCrime is a C&C panel tracker, in other words, it lists the administration interfaces of certain in-the-wild botnets. As such, its URL database is inherently smaller than other datasets integrated in VirusTotal.

Nonetheless, one should not neglect the usefulness of this tracker: very often other malware-related infrastructure is located on the same host as the botnet administration panel, hence it can prove very useful in finding evil.

https://www.virustotal.com/en/url/ba1cee3c6a157232ac8a61b17ff07694acc970e1bae9ced5c9ef2bfc56ae6ea1/analysis/1367596300/

Thank you Xylitol! Keep up the good work!

VirusTotal += Virus Tracker

Just after Kaspersky joined VirusTotal's aggregate URL scanner, we are excited to announce that Virus Tracker is also becoming part of our family:

https://www.virustotal.com/en/url/82ddbb7eea25e7ce2ca13aed44cac009d9ff6c463e763d22b8b2043f20bd8a52/analysis/1367576071/

Virus Tracker is a service whose mission "is to provide detailed infection statistics, C&C information and an automatically updated domain blocklist of various botnets to the security community". The site is non-profit and focuses on banking trojans and financial malware; some of the botnets they track are multibanker, sinowal, tinybanker, urlzone, zeus, ramnit, etc. This is fantastic news for the average end-user, who will get a better view of the most perilous threats directly targeting their money.

Yet another URL scanner, one more and we will be in the forties, thank you Virus Tracker team!

Monday, April 29, 2013


VirusTotal += Kaspersky URL scanner

We are excited to announce that Kaspersky has just joined the club of URL scanners! As many of you know, VirusTotal does not only check files with antivirus solutions; it can also scan Internet sites, making use of different malicious URL datasets and URL scanning engines. This functionality is available at: https://www.virustotal.com/#url

Kaspersky's latest security suites contain a URL scanning module known as Kaspersky URL Advisor, which is described by the company as:

The URL scanning module, which is called Kaspersky URL Advisor, is managed by the Web Anti-Virus component from Kaspersky Internet Security 2012. This module checks if links located on the web page belong to the list of suspicious and phishing web addresses from anti-virus databases which you get during anti-virus databases update.
Also Kaspersky URL Advisor uses reputation services from Kaspersky Security Network. Using data from the reputation services, Kaspersky Internet Security 2012 marks links in the web browser, thereby informing you about the possible dangers of this or that website even before you follow the link in question.
Part of this functionality has been very generously made available to VirusTotal in order to perform checks of URLs submitted by our users against their dataset.

This is one more URL scanner joining our family in the hope of making the Internet a safer place. If you have a malicious URL dataset, or technology that can produce a maliciousness verdict for a given site, do not hesitate to join the battle.

Thank you, Kaspersky team, for making this possible!

Monday, April 22, 2013


VirusTotal += PCAP Analyzer

VirusTotal is a greedy creature, and one of its gluttonous wishes is to be able to understand and characterize all the races it encounters. It already understood the insurgent collective of Portable Executables, the greenish creatures known as Android APKs, the talkative PDF civilization, etc. As of today it also figures out PCAPs, a rare group of individuals obsessed with recording everything they see.

PCAP files contain network packet data created during a live network capture, and are often used for packet sniffing and for analyzing the characteristics of a data network. In the malware research field PCAPs are often used to:

  • Record malware network communication when executed in sandboxed environments.
  • Record honeyclient browser exploitation traces.
  • Log network activity seen by network appliances and IDS.
  • etc.
We have seen that many users send their PCAPs to VirusTotal. These PCAPs often contain HTTP flows in which a trojan is downloaded, record worm scanning sweeps, log exploits being delivered to a honeymonkey, etc. We want to help those users submitting PCAPs to VirusTotal and improve their research, which is why we have introduced PCAP analysis. Its features are:
  • Processes the files with popular intrusion detection systems (Snort and Suricata for the moment) and logs the rules that they trigger.
  • Extracts file metadata with Wireshark.
  • Lists DNS resolutions performed.
  • Lists HTTP communication.
  • Extracts files seen in the different network flows and links to the pertinent VirusTotal reports if the given file is of an interesting file type (portable executables, PDFs, flash, compressed bundles, etc.). If you are registered in VirusTotal Community and have signed in, these interesting files extracted from the network flow will be available for you to download as long as you are the first submitter of the PCAP (which when dealing with this type of files is the most common situation). 
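To make the feature list above concrete, here is an added example (not VirusTotal's analyzer) in Python: a minimal walk over a classic libpcap file that lists the DNS resolutions performed, the HTTP requests seen, and the requested paths whose extension matches the "interesting file type" idea from the last bullet. It handles only little-endian pcap files with Ethernet/IPv4 framing, and the capture it analyzes is constructed in memory with placeholder host names and RFC 5737 documentation addresses; the `INTERESTING` extension list is an assumption, not VirusTotal's.

```python
"""Minimal PCAP walk: DNS resolutions and HTTP requests, in the spirit of the
feature list above. Added example, not VirusTotal's analyzer; handles classic
little-endian libpcap files with Ethernet/IPv4 framing and builds its own
sample capture with placeholder hosts and RFC 5737 addresses."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
INTERESTING = (".exe", ".dll", ".pdf", ".swf", ".zip", ".rar")   # assumed list


def _dns_name(msg, off):
    """Decode a DNS name, following compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # pointer into an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), (end if jumped else off)


def parse_dns(msg):
    """Return (first queried name, [A-record IPs]); the list is empty for queries."""
    qd, an = struct.unpack_from("!HH", msg, 4)
    off, qname, ips = 12, None, []
    for _ in range(qd):
        name, off = _dns_name(msg, off)
        qname = qname or name
        off += 4                                 # QTYPE + QCLASS
    for _ in range(an):
        _, off = _dns_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qname, ips


def analyze_pcap(data):
    """Walk every packet; collect DNS resolutions, HTTP requests and interesting paths."""
    magic, linktype = struct.unpack_from("<I", data)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != PCAP_MAGIC_LE or linktype != 1:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    dns, http, off = {}, [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # Ethernet II + IPv4 only
            continue
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        l4 = pkt[14 + ihl:]
        if len(l4) < 8:
            continue
        sport, dport = struct.unpack_from("!HH", l4)
        if proto == 17 and 53 in (sport, dport):
            qname, ips = parse_dns(l4[8:])
            dns.setdefault(qname, []).extend(ips)
        elif proto == 6 and len(l4) >= 20:
            payload = l4[(l4[12] >> 4) * 4:]
            if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
                lines = payload.split(b"\r\n")
                host = next((l[6:].decode() for l in lines if l.lower().startswith(b"host: ")), dst)
                http.append({"src": src, "dst": dst, "port": dport, "host": host,
                             "request": lines[0].decode("ascii", "replace")})
    files = []
    for r in http:
        parts = r["request"].split(" ")
        if len(parts) > 1 and parts[1].split("?")[0].lower().endswith(INTERESTING):
            files.append((r["host"], parts[1]))
    return {"dns": dns, "http": http, "interesting_files": files}


def _frame(proto, src, dst, l4):
    """Ethernet II + IPv4 around a transport segment (IP checksum left zero; never verified)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def build_sample_pcap():
    """Constructed capture: one DNS lookup of a placeholder host, then one HTTP download."""
    q = b"\x03cdn\x07example\x07invalid\x00" + struct.pack("!HH", 1, 1)
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("203.0.113.10")
    response = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q + answer
    req = b"GET /update.exe HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n"
    frames = [
        _frame(17, "10.0.0.5", "10.0.0.1", struct.pack("!HHHH", 40000, 53, 8 + len(query), 0) + query),
        _frame(17, "10.0.0.1", "10.0.0.5", struct.pack("!HHHH", 53, 40000, 8 + len(response), 0) + response),
        _frame(6, "10.0.0.5", "203.0.113.10",
               struct.pack("!HHIIBBHHH", 50000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + req),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1370000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    print(analyze_pcap(build_sample_pcap()))
```

Real captures add TCP reassembly, IPv6, VLAN tags and fragmented DNS to this picture, which is exactly why running the files through Wireshark, Snort and Suricata is the right call for production analysis; the walk above is enough to see how the DNS and HTTP listings are derived.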
Without further ado, let us paste a couple of examples of this new functionality (refer to the File details tab in order to see all of the aforementioned information):




Tuesday, April 16, 2013


VirusTotal += K7GW

We welcome K7GW (K7 Antivirus Gateway) as a new engine working at VirusTotal. In the words of the antivirus company:

"K7GW is a lightweight, faster version of K7's scanner which focuses on more robust generics & heuristics, the core binaries remaining essentially unchanged".

Monday, April 08, 2013


Passive DNS API

Last week we announced the inclusion of passive DNS data in VirusTotal. Today we are excited to let you know that we have included two new API calls to automatically query this data and build tools and plugins with our dataset:

https://www.virustotal.com/documentation/public-api/#getting-ip-reports
https://www.virustotal.com/documentation/public-api/#getting-domain-reports

When we released the web interface passive DNS search feature many users already wanted to build tools around it:


Now that the API is in production, it is absolutely safe to start implementing your ideas; not only do we allow you to do so, we also strongly encourage you to take advantage of this API.

As you may have noticed, rather than a dedicated API to retrieve exclusively passive DNS data, these are calls to gather information regarding IP addresses and domains. It has been built this way because we intend to extend the fields present in the returned JSON. As of right now the detected_urls field might be present; this field records the latest URLs detected as malicious by at least one URL scanner and hosted at the queried host. In the near future we would like to include other notions such as:
  • What were the latest malware samples that communicated with the given host?
  • What were the latest malware samples downloaded from the given host?
  • What were the latest malware samples that contained the given host in their strings dump?
  • Have we seen a particular exploit kit hosted at the given host?
And many more exciting features that we will keep to ourselves in order to keep you reading our blog :P
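As an added example of building on these two calls (this is not VirusTotal's own client code): a small Python helper that forms the request URL for the IP-address and domain report endpoints of the v2 public API and flattens the returned JSON into passive DNS pairs plus the detected_urls entries flagged by at least a chosen number of scanners. The endpoint paths and the `resolutions` / `detected_urls` field names are those of the v2 public API; the embedded response is constructed with RFC 5737 placeholder addresses so the summariser can be run offline, and `YOUR_API_KEY` is a placeholder.

```python
"""Query the public API v2 IP-address / domain report calls and summarise the
passive DNS and detected_urls data they return.

Added example, not VirusTotal's client. The sample response is constructed
(placeholder hosts, RFC 5737 addresses); only the network call needs a real key.
"""
import json
import urllib.parse
import urllib.request

API_BASE = "https://www.virustotal.com/vtapi/v2/"


def report_url(kind, value, api_key):
    """Build the GET URL for an 'ip-address' or 'domain' report."""
    if kind not in ("ip-address", "domain"):
        raise ValueError("kind must be 'ip-address' or 'domain'")
    param = "ip" if kind == "ip-address" else "domain"
    query = urllib.parse.urlencode({param: value, "apikey": api_key})
    return f"{API_BASE}{kind}/report?{query}"


def fetch_report(kind, value, api_key, timeout=30):
    """Network call (not exercised offline); returns the parsed JSON body."""
    with urllib.request.urlopen(report_url(kind, value, api_key), timeout=timeout) as resp:
        return json.load(resp)


def summarize_report(report, min_positives=1):
    """Flatten a report into passive DNS pairs and the URLs flagged by at least
    min_positives scanners. Works for both IP and domain reports."""
    if report.get("response_code") != 1:
        return {"found": False, "resolutions": [], "detected_urls": []}
    resolutions = []
    for r in report.get("resolutions", []):
        # IP reports list hostnames; domain reports list ip_addresses.
        peer = r.get("hostname") or r.get("ip_address")
        resolutions.append((peer, r.get("last_resolved")))
    flagged = [(u["url"], u["positives"], u["total"])
               for u in report.get("detected_urls", [])
               if u.get("positives", 0) >= min_positives]
    flagged.sort(key=lambda t: t[1], reverse=True)
    return {"found": True, "resolutions": sorted(resolutions), "detected_urls": flagged}


# Constructed response in the v2 shape (placeholder data, not a real report).
SAMPLE_IP_REPORT = json.loads("""{
  "response_code": 1,
  "verbose_msg": "IP address found in dataset",
  "resolutions": [
    {"last_resolved": "2013-04-02 00:00:00", "hostname": "panel.example.invalid"},
    {"last_resolved": "2013-04-05 00:00:00", "hostname": "cdn.example.invalid"}
  ],
  "detected_urls": [
    {"url": "http://cdn.example.invalid/update.exe", "positives": 7, "total": 38,
     "scan_date": "2013-04-05 10:00:00"},
    {"url": "http://cdn.example.invalid/index.html", "positives": 0, "total": 38,
     "scan_date": "2013-04-05 10:01:00"}
  ]
}""")

if __name__ == "__main__":
    print(report_url("ip-address", "203.0.113.10", "YOUR_API_KEY"))
    print(json.dumps(summarize_report(SAMPLE_IP_REPORT), indent=2))
```

Because the summariser is independent of the transport, the same function serves a batch job that walks a list of hosts from a sandbox PCAP and a browser plugin that looks up the host of the current page; swap `fetch_report` for the real call and the rest stays put.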