Threat Researcher

It was almost a year now when a malicious executable was spotted capable of “Trojanizing” clean music and video media files(WMA, WMV, ASF, MP3). This threat became prevalent and in-the-wild; more and more affected user reports it from Q4 of 2008 until early of 2009. 

When I first handled the infected media file  (ASF) , I’ve reference  Microsoft  ASF specification  and created a summary which I’ve decided to publish here. Soon after, I investigated and reversed the malicious executable and constructed my analysis and I thought, this is interesting to share. 

Thanks to Monika for accommodating my proposed article, as well as to Ewa for the succeeding editorial efforts. The article was included in the latest Hakin9 (4/2009) release – you could find the list of topics here.

Hakin9’s circulation is mostly in USA, and I think, less in some countries like UK, Australia, Netherlands and Singapore. So, if you’ll find one in your local book store or magazine stands, I recommend that you grab a copy. 

The legitimate feature that attackers’ misused  is designed for DRM, and guess what? An interesting infected media file progressed its social engineering technique by displaying this (as shown below), but unfortunately in background it connects to remote server that serves malicious executable. Because of it’s clever technique and not-so-popular infection vector, this threat may still proliferate.