Published by Joseph Waters. Modified over 10 years ago.
Exploiting Media for Fun and Profit. Aleksandr Yampolskiy, Ph.D., Director of Security and Compliance, Gilt Groupe.
Agenda: Overview; Media Malware Trends; Media Attack Vectors; Case Studies; Detection and Protection.
Why Use Media to Spread Malware? Media is everywhere. Internet users in the U.S. alone viewed 14.3 billion videos in December (CNN, 2/6/09). At least 7 million people in Britain use illegal music downloads (Guardian, 5/29/09). There are 5.6 million Angelina Jolie images on Google. How many of these are malicious?
Most People Don’t Know Media Can Spread Viruses. [Chart: 98%, 10%, 50%, 0%] We polled 500 IT professionals on which of these sites could be malicious. Roughly 50% of them thought YouTube movies on a friend’s blog are perfectly safe. What percentage of average consumers would think it’s safe?
Agenda: Overview; Media Malware Trends; Media Attack Vectors; Case Studies; Detection and Protection.
Media Malware Trends. Interestingly, attacks are often not targeted. Social engineering and blackhat SEO are used to entice the victim to view the content. Rough malware breakdown: 50% videos, 30% music, 20% images. Commonly spread through social websites, news-site imitations and P2P sites.
Distribution Channels. Malware distributed through social networking sites (Facebook, MySpace, Odnoklassniki, etc.) has a 10% success rate in terms of infection versus a 1% success rate via email. [Chart: total number of malicious programs targeting social networking sites]
Breaking News Videos. During Q1 2010, hackers took advantage of every major newsworthy event to lure visitors to infected sites, e.g. the Erin Andrews tape, the release of the iPad, the Avatar blockbuster, the earthquake in Haiti and the terrorist bombings in Moscow [Kaspersky Report]. Out of 100 million blog posts, the eSoft team uncovered 700,000 malicious fake YouTube pages (0.7%) [SC Magazine US, 6/09/10].
P2P Video/Audio Files. Using a custom tool, we analyzed all torrent videos of the Ghost Writer (2010) movie found through Isohunt. Before the DVD release, only 10 of 570 videos (1.75%) didn’t contain malware. After the DVD release, 450 of 681 (66%) were clean.
Image Files. Malformed image attacks accounted for 10% of web attacks in 2009. Often the images were hosted on legitimate sites, but the MIME types were forged or PHP was nestled in the text comment fields of legitimate GIF or JPG images [ScanSafe 2009 report]. [Chart: JPEG GDI buffer overflow vulnerabilities vs. malicious image files]
Agenda: Overview; Media Malware Trends; Media Attack Vectors; Case Studies; Detection and Protection.
Attack Vectors, by media type. MS Video/Music: URLANDEXIT command; DRM functionality abuse; renaming tricks (Movie.avi.exe). Images: hiding PHP commands in comments; JPEG GDI overflow; renaming tricks (angelina.jpg.exe). “Youtube” Videos: Flash getURL commands; various Adobe vulnerabilities.
Attack Vectors (cont.). For video/music files, social engineering is used to trick the user into accepting to ‘download a codec’ to play the video, ‘clicking yes in a popup on license terms’ or ‘downloading a license key’. For images, often no user interaction is needed. For online Flash videos, the user is asked to consent to ‘downloading a codec’.
Agenda: Overview; Media Malware Trends; Media Attack Vectors; Case Studies; Detection and Protection.
Case 1: Fake Youtube Videos. Youtube uses the Adobe Flash plug-in. Flash had the worst security record in 2009, with multiple critical vulnerabilities via malicious SWFs (APSB08-11). It supports the script commands getURL() and navigateToURL() to load documents from specific URLs. Youtube is severely restricted (up-to-date patches, disabled script commands), so it’s “safe”. Can we say the same about a random blog? Can a good web designer make a blog video look very much like a Youtube video?
Fake Youtube Videos (cont.). Actually, you don’t even need to be a good web designer. YTFakeCreator allows you to create fake Youtube look-alikes and attach malicious payloads. Typically, the user is prompted to download a ‘codec’ (which is really a malware stub).
Fake Youtube videos (cont.)
Koobface Virus. Many of these viruses spread through social sites.
Fake Youtube videos (cont.). A concrete example: Erin Andrews is an ESPN sportscaster who was secretly videotaped through a hotel peephole in July 2009. Shortly thereafter, a site, video.report-cnn.com, hosting the tape appeared. The fake page read: “LIVE VIDEO PLAYER BLOCKED. Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below.”
Fake Youtube videos (cont.). Most of the site is embedded through IFRAMES from CNN (aka clickjacking), but the malware is served from mediaplayer.4upd.com. The malware has two novel ideas. After clicking on the link: the video actually plays, to alleviate suspicion, and different malware is served for different OSes (Macs get infected with the OSX/Jahlav-C trojan; Windows gets infected with a rogue antivirus, Mal/EncPK-IF or Mal/FakeAV-AY). Page source excerpt: <!-- LARGE PLAYER HTML CODE --> <div style="padding: 8px 10px 0px;" id="cont… with the player loaded from http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video
Lots of people fell for this!
The hacker created other sites. A simple lookup through Maltego reveals that he created similar sites dedicated to sex, breaking news and online gambling.
Case 2: ASF Exploits. ASF is a Microsoft proprietary format for streaming media (.asf, .wma, .wmv). It consists of byte sequences, each identified by a GUID marker. It has a framework for Digital Rights Management to download licenses from URLs. Script commands (such as URLANDEXIT to download a file from a URL) can be embedded in the stream. Many players support it: Windows Media Player, RealPlayer, MPlayer, Zune, Flip4Mac, the Quicktime add-on, Linux FFmpeg, etc. Interestingly, if you rename an ASF file to .AVI, it will still be interpreted as ASF in Windows.
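Because Windows picks the parser from the file header rather than the extension, a defender's check has to do the same. The following Python is an added example, not code from the talk or from the VideoSearch tool: it names the container from its leading bytes (the ASF header GUID is the public ASF_Header_Object value; the other signatures are the standard RIFF/AVI, JPEG, GIF, PNG and MZ magics) and reports an ASF body saved as .AVI as well as the Movie.avi.exe and README.TXT.LNK renaming tricks from the attack-vector list. The sample byte strings and file names are constructed.

```python
# ASF_Header_Object GUID as it appears on disk (little-endian layout of 75B22630-668E-11CF-A6D9-00AA0062CE6C).
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")

# Extensions that each sniffed container legitimately uses.
EXPECTED_EXT = {
    "asf": {".asf", ".wmv", ".wma"},
    "avi": {".avi"},
    "jpeg": {".jpg", ".jpeg"},
    "gif": {".gif"},
    "png": {".png"},
    "pe": {".exe", ".dll", ".scr"},
}
# Executable extensions that renaming tricks hide behind a media-looking name.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".lnk", ".pif"}


def sniff_container(data: bytes) -> str:
    """Name the container from its magic bytes; the file name is never consulted."""
    if data[:16] == ASF_HEADER_GUID:
        return "asf"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


def check_media_file(name: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means name and content agree."""
    findings = []
    parts = name.lower().rsplit(".", 2)  # keep up to two trailing extensions
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if len(parts) == 3 and ext in EXECUTABLE_EXT:
        findings.append(f"double extension: looks like .{parts[1]} but is {ext}")
    kind = sniff_container(data)
    if kind == "unknown":
        findings.append("unrecognised container")
    elif ext not in EXPECTED_EXT[kind]:
        findings.append(f"content is {kind} but extension is {ext or '(none)'}")
    return findings


# Constructed samples (not real files): just enough header bytes for the sniffer.
SAMPLE_RENAMED_ASF = ASF_HEADER_GUID + b"\x00" * 48   # an ASF header saved as movie.avi
SAMPLE_FAKE_AVI_EXE = b"MZ" + b"\x90" * 62             # Movie.avi.exe: really a PE image
SAMPLE_REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12  # an ordinary JPEG (SOI + APP0)

if __name__ == "__main__":
    for fname, blob in [("movie.avi", SAMPLE_RENAMED_ASF),
                        ("Movie.avi.exe", SAMPLE_FAKE_AVI_EXE),
                        ("angelina.jpg", SAMPLE_REAL_JPEG)]:
        print(fname, check_media_file(fname, blob) or "ok")
```

The check reads only the first 16 bytes, so it can run on the first torrent piece before the rest of the file has arrived.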
DRM. DRM aims to allow the distributor of audio/video to control how it’s used. The client (aka the media player) can request a license from a license server to play the file. It turns out the request is over HTTP and the license server returns the prompt message to the client!
DRM (cont.). Multiple examples of abuse: WmvDownloader-A, WmvDownloader-B. The malware comes as a DRM license installer and its code is quite obfuscated. It could tell the user to ‘install a codec’ or to ‘download a legitimate license’.
DRM (cont.). It could tell the user to ‘install a missing codec’.
DRM (cont.). Or threaten the user to ‘accept license terms’. Example: http://www.icpp-online.com/
URLANDEXIT. Microsoft says that script commands can contain instructions that enhance the playback experience: URLANDEXIT may open your internet browser and display a related web page while the player plays back content.
URLANDEXIT (cont.). Enter the Win32.ASF-Hijacker.A trojan, which searches for MP2, MP3 and ASF files on the local HD and on shares, and converts MP2 and MP3 to ASF. It then injects a URLANDEXIT command into the media pointing to the site isvbr.net, hosted in Hong Kong, which serves malware. The trojan disables URLANDEXIT functionality, so the user’s media plays as before, yet he may share the infected media via P2P with other victims.
URLANDEXIT (cont.). Alternatively, attackers may create their own malware videos and poison search-engine results.
URLANDEXIT (cont.). Some of these malware torrents have a README.TXT.LNK file that’s actually a malware executable, while the video is genuine. Others have a malware video, and a real README.TXT conveniently tells you to either download a codec from a specific URL or install their own fully coded player.
Ghost Writer Noir. Viewing the video pops up a window to download a codec (Trojan-Dropper.Win32) served from tpbtrack.com and microsoftmedicenter.com.
Case 3: JPEG GDI Exploit. Back in 2004, Microsoft announced a problem in their GDI driver, which processes the way JPEG images are displayed. Surprisingly, many computers are still not patched. There is a similar exploit affecting PNG images in all Gecko-based browsers (Mozilla, Firefox, Camino).
JPEG GDI (cont.). The JPEG exploit first appeared on several Usenet newsgroups that contained erotic images, images of Angelina Jolie, etc. Upon viewing a JPEG file, a buffer overflow writes shellcode to the user’s computer, which allows the attacker to remotely interact with the user’s system as if they were sitting at the local console.
Exploits are readily available.
Agenda: Overview; Media Malware Trends; Media Attack Vectors; Case Studies; Detection and Protection.
Detection and Protection. Turn off unused features.
To disable URLANDEXIT, edit the following registry key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preference. PlayerScriptCommandsEnabled: disabled by default (since 2003). WebScriptCommandsEnabled: default is 1 (enabled). URLAndExitCommandsEnabled: default is 1 (enabled).
To disable DRM auto-downloads, in Windows Media Player disable “Download usage rights automatically”. Be wary of any popups you consent to.
Detecting malicious ASF files. Usually, malicious music/video files adhere to the same structure. There’s a real music/video snippet. Then at some point, a script command is used to trigger a download of malware from the hacker’s URL. The command has a predictable byte sequence, which is either URLANDEXIT(…) or … for DRM abuse. The rest of the file may be padded to make its length look plausible. [Diagram: real video | Goto(URL) | padding | real video]
Detecting malicious ASF files (cont.)
Our Tool. Given a torrent URL, it downloads the torrent pieces sequentially. As it downloads pieces, it uses Boyer-Moore string search for any URLANDEXIT or LAINFO commands and extracts the URL. It then sends a request to the WoT (Web of Trust) server to gauge the URL’s reputation. If the URL is trustworthy, or no script commands are present, then the media file is ranked safe. http://code.google.com/p/videosearcher/
Our Tool (cont.). Sample output:
root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python#
Downloading torrent information from http://dl7.torrentreactor.net/download.php?id=3204949
Opening torrent file...
Number torrent pieces 700
-------------------------
733012295 The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
Torrent file 0
Torrent file starts at piece 0
Torrent file length 10
-------------------------
Starting download of The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi
29.71% complete (down: 0.0 kb/s up: 0.0 kB/s peers: 0. ) checking.
Downloaded pieces 208, Pieces 0 1 2 3 4 5 6 7 sequential torrent download....
root@yampoa-desktop:/home/yampoa/libtorrent-rasterbar-0.14.10/bindings/python# python video_search.py
Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in file: VIRUS-VIDEO.AVI
Positions of ['U', '\x00', 'R', '\x00', 'L', '\x00', 'A', '\x00', 'N', '\x00', 'D', '\x00', 'E', '\x00', 'X', '\x00', 'I', '\x00', 'T', '\x00'] and ['\x00', '\x00', '\x00', '6'] startPos = 1939 endPos = 2017
================================================================
The extracted URL: http://freaktorrents.info/locked/3
Checking reputation of url: http://freaktorrents.info/locked/3
(Trustworthiness, Reliability)= [5, 44]
Reliability is > 20, so I'll proceed
Trustworthiness is < 60, so this is a bad site!
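The following Python is an added example and not the VideoSearch tool's own code. It reproduces the scanner logic of the previous two slides: a Boyer-Moore-Horspool search for the markers URLANDEXIT and LAINFO encoded as UTF-16LE (ASF stores its strings that way, which is why the tool's output shows the pattern as letters interleaved with NULs), extraction of the URL that follows the marker, and the decision thresholds the tool prints (a reliability above 20 makes the rating usable, a trustworthiness below 60 marks a bad site). The reputation lookup is injected so that a constructed table stands in for the real WoT service; the sample bytes, URLs and hosts are constructed and the byte layout is a stand-in rather than real ASF objects.

```python
import re
from urllib.parse import urlparse


def horspool_find(pattern: bytes, text: bytes, start: int = 0) -> int:
    """Boyer-Moore-Horspool search: offset of the first match at or after `start`, or -1."""
    m, n = len(pattern), len(text)
    if m == 0:
        return start
    # Shift table built from every pattern byte except the last.
    skip = {pattern[i]: m - 1 - i for i in range(m - 1)}
    i = start
    while i + m <= n:
        j = m - 1
        while j >= 0 and text[i + j] == pattern[j]:
            j -= 1
        if j < 0:
            return i
        i += skip.get(text[i + m - 1], m)
    return -1


# ASF script-command names and the DRM header XML are stored as UTF-16LE.
MARKERS = {name: name.encode("utf-16-le") for name in ("URLANDEXIT", "LAINFO")}
# A UTF-16LE URL: printable ASCII (no quotes, no '<') with each char followed by a NUL.
URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21\x23-\x3b\x3d-\x7e]\x00)+")


def extract_script_urls(data: bytes, window: int = 4096) -> list[tuple[str, int, str]]:
    """Find every marker and the URL within `window` bytes after it -> (marker, offset, url)."""
    hits = []
    for name, marker in MARKERS.items():
        pos = 0
        while (pos := horspool_find(marker, data, pos)) >= 0:
            if data[pos - 2:pos] == b"/\x00":  # "</LAINFO>" is the closing XML tag, not a command
                pos += len(marker)
                continue
            m = URL_RE.search(data, pos + len(marker), pos + len(marker) + window)
            hits.append((name, pos, m.group(0).decode("utf-16-le") if m else ""))
            pos = m.end() if m else pos + len(marker)
    return hits


def classify(data: bytes, reputation) -> str:
    """Rank a file as the talk describes: 'safe' with no script commands or only trusted URLs,
    'malicious' when a host is rated bad, 'suspicious' when the rating is too thin to decide.
    `reputation(host)` returns a (trustworthiness, reliability) pair on WoT's 0-100 scale."""
    hits = extract_script_urls(data)
    if not hits:
        return "safe"
    verdict = "safe"
    for _, _, url in hits:
        host = urlparse(url).hostname if url else None
        if not host:
            return "suspicious"  # a command with no readable URL still deserves a look
        trust, reliability = reputation(host)
        if reliability <= 20:
            verdict = "suspicious"
        elif trust < 60:
            return "malicious"
    return verdict


# Constructed sample bytes standing in for torrent pieces.
VIDEO = bytes(range(256)) * 8  # stand-in for a real video snippet
SCRIPT_CMD = (MARKERS["URLANDEXIT"] + b"\x00\x00"
              + "http://freaktorrents.invalid/locked/3".encode("utf-16-le") + b"\x00\x00")
DRM_HDR = "<WRMHEADER><DATA><LAINFO>http://license.invalid/get</LAINFO></DATA></WRMHEADER>".encode("utf-16-le")
CLEAN_SAMPLE = VIDEO + VIDEO
SCRIPT_SAMPLE = VIDEO + SCRIPT_CMD + b"\x00" * 512 + VIDEO  # video, command, padding, video
DRM_SAMPLE = VIDEO + DRM_HDR + VIDEO


def fake_wot(host: str) -> tuple[int, int]:
    """Constructed stand-in for the WoT API: (trustworthiness, reliability)."""
    return {"freaktorrents.invalid": (5, 44), "license.invalid": (90, 80)}.get(host, (50, 0))


if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_SAMPLE), ("script", SCRIPT_SAMPLE), ("drm", DRM_SAMPLE)]:
        print(label, extract_script_urls(blob), classify(blob, fake_wot))
```

Scanning the raw bytes rather than parsing the ASF object tree is deliberate: a hostile file may carry a mangled object size table, and the marker bytes are what the player acts on either way.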
Entropy of Malicious ASF Files. An additional way of distinguishing malware ASF files would be to compute their entropy. Often the padding is totally random or a repetitive fixed string. Script commands also change the entropy of the video stream [trustedsource.com].
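As an added example (not from the talk or the tool), the following Python turns the entropy idea into a check: it computes Shannon entropy per block, takes the file's median as the baseline for the compressed stream, and flags blocks that depart from it. The sample file is constructed: pseudo-random bytes stand in for video, a block holding a UTF-16LE URLANDEXIT command stands in for the injected script, and two all-zero blocks stand in for repetitive padding.

```python
import math
import random
from collections import Counter
from statistics import median


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of `chunk`: 0.0 for one repeated value, 8.0 for uniformly random bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, block: int = 4096) -> list[float]:
    """Entropy of each fixed-size block of the file, in file order."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def flag_blocks(data: bytes, block: int = 4096, tolerance: float = 1.0) -> list[int]:
    """Indices of blocks whose entropy departs from the file median by more than `tolerance` bits.
    Compressed video sits near the top of the scale, so the outliers are the script command
    (UTF-16LE text is half NUL bytes) and any repetitive padding."""
    profile = entropy_profile(data, block)
    if not profile:
        return []
    baseline = median(profile)
    return [i for i, h in enumerate(profile) if abs(h - baseline) > tolerance]


# Constructed sample: pseudo-random "video" blocks around a script block and zero padding.
_rng = random.Random(2010)


def _video_block(n: int = 4096) -> bytes:
    """Stand-in for compressed video (deterministic pseudo-random bytes, not a real stream)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SCRIPT_BLOCK = ("URLANDEXIT".encode("utf-16-le") + b"\x00\x00"
                + "http://freaktorrents.invalid/locked/3".encode("utf-16-le")).ljust(4096, b"\x00")
PAD_BLOCK = b"\x00" * 4096
SAMPLE = (b"".join(_video_block() for _ in range(6))   # blocks 0-5: video
          + SCRIPT_BLOCK                                # block 6: injected command
          + PAD_BLOCK * 2                               # blocks 7-8: repetitive padding
          + b"".join(_video_block() for _ in range(4)))  # blocks 9-12: video again

if __name__ == "__main__":
    print([round(h, 2) for h in entropy_profile(SAMPLE)])
    print("flagged blocks:", flag_blocks(SAMPLE))
```

The limitation is visible in the numbers: random padding has the same entropy as compressed video and would not be flagged, so this profile complements the marker scan rather than replacing it.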
To detect GDI JPEG vulnerabilities, the GDI Scan tool will scan your HD for gdiplus.dll and other files to see if they are vulnerable. Many (but not all) A/Vs already detect malicious JPEGs. Make sure you are up to Windows XP Service Pack 2.
Conclusion. Staying away from shady or illegal websites won’t necessarily keep you safe these days. The ‘missing codec’ trick remains one of the most widespread and successful social-engineering tricks. Disable Windows Media Player’s URLANDEXIT command and DRM auto-download behavior. Use our VideoSearch tool to look for malicious scripts inside ASF files.
Questions, Comments, Suggestions