Related to the recent threat infecting Windows media files, this summary should help researchers understand how to dissect an ASF file.
But what is an ASF file?
ASF is the file format used by Windows Media. Audio and/or video content compressed with a wide variety of codecs can be stored in an ASF file and played back with Windows Media Player (provided the appropriate codecs are installed), streamed with Windows Media Services, or optionally packaged with Windows Media Rights Manager. [Defined by Microsoft]
Further explanation from Wikipedia as follows:
- ASF is part of the Windows Media framework.
- The ASF container provides the framework for digital rights management in Windows Media Audio (.WMA) and Windows Media Video (.WMV).
- Although the ASF container format can technically include any codec, Microsoft encoding tools (including Windows Media Encoder and Windows Movie Maker) produce ASF/WMA/WMV files using the DirectX Media Objects framework.
Let’s take a closer look at the ASF top-level file structure:
Identifying ASF objects using GUIDs
GUIDs are used to uniquely identify all objects and entities within ASF files.
The following table contains the names and values of top-level ASF object GUIDs.
Name | GUID |
--- | --- |
ASF_Header_Object | 75B22630-668E-11CF-A6D9-00AA0062CE6C |
ASF_Data_Object | 75B22636-668E-11CF-A6D9-00AA0062CE6C |
ASF_Simple_Index_Object | 33000890-E5B1-11CF-89F4-00A0C90349CB |
ASF_Index_Object | D6E229D3-35DA-11D1-9034-00A0C90349BE |
ASF_Media_Object_Index_Object | FEB103F8-12AD-4C64-840F-2A1D2F7AD48C |
ASF_Timecode_Index_Object | 3CB73FD0-0C4A-4803-953D-EDF7B6228F0C |
Note: All ASF objects and structures (including data packet headers) are stored in little-endian byte order (the inverse of network byte order).
ASF Object Structure
Let’s take the Windows sample music “Beethoven’s Symphony No.9 (Scherzo).wma” (which can be found in your %Documents and Settings% folder) as an example.
[Figure: hex dump of the sample file with the ASF_Header_Object, ASF_Data_Object and ASF_Simple_Index_Object GUIDs highlighted]
Take note of the ASF Header Object size: it gives the size of the header, and therefore the offset of the next object, which is the Data Object of the file.
Let’s check it…
[Figure: hex dump at the offset given by the header size, with the ASF_Header_Object, ASF_Data_Object and ASF_Simple_Index_Object GUIDs highlighted]
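The object walk described above, as an added example that is not code from the original post: every top-level object is a 16-byte GUID followed by a little-endian QWORD size that includes the 24-byte object header, so each size field is also the offset of the next object. The GUID decoding follows the on-disk layout (first three GUID fields little-endian, the rest stored as written), and every size is checked against the buffer before it is used, which is the check a dissector needs when the file was crafted rather than produced by an encoder. The sample bytes are constructed here, not taken from a real file; the body layout of the Header Object (child count DWORD, two reserved BYTEs) is from the ASF specification, not from this page.

```python
"""Walk the top-level objects of an ASF file (added example, constructed input)."""
import struct
import uuid

# Top-level object GUIDs from the table earlier on the page.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_DATA_OBJECT = uuid.UUID("75B22636-668E-11CF-A6D9-00AA0062CE6C")
ASF_SIMPLE_INDEX_OBJECT = uuid.UUID("33000890-E5B1-11CF-89F4-00A0C90349CB")
TOP_LEVEL_GUIDS = {
    ASF_HEADER_OBJECT: "ASF_Header_Object",
    ASF_DATA_OBJECT: "ASF_Data_Object",
    ASF_SIMPLE_INDEX_OBJECT: "ASF_Simple_Index_Object",
    uuid.UUID("D6E229D3-35DA-11D1-9034-00A0C90349BE"): "ASF_Index_Object",
    uuid.UUID("FEB103F8-12AD-4C64-840F-2A1D2F7AD48C"): "ASF_Media_Object_Index_Object",
    uuid.UUID("3CB73FD0-0C4A-4803-953D-EDF7B6228F0C"): "ASF_Timecode_Index_Object",
}
OBJECT_HEADER_LEN = 24  # GUID (16 bytes) + Object Size QWORD (8 bytes)


def guid_from_disk(raw):
    """Decode a GUID as stored in the file: the first three fields are
    little-endian, the last two are byte arrays stored as written. That is
    why ASF_Header_Object appears on disk as 30 26 B2 75 8E 66 CF 11 ..."""
    return uuid.UUID(bytes_le=bytes(raw))


def walk_top_level(data):
    """Return a list of (offset, name, size) for each top-level object.
    A size is validated before it becomes the next offset, so a crafted
    size cannot push the parser past the end of the buffer."""
    objects, off = [], 0
    while off < len(data):
        if off + OBJECT_HEADER_LEN > len(data):
            raise ValueError(f"truncated object header at 0x{off:x}")
        guid = guid_from_disk(data[off:off + 16])
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < OBJECT_HEADER_LEN or off + size > len(data):
            raise ValueError(f"object at 0x{off:x} claims invalid size {size}")
        objects.append((off, TOP_LEVEL_GUIDS.get(guid, "unknown"), size))
        off += size
    return objects


def is_well_formed(data):
    """True when every top-level object size fits inside the buffer."""
    try:
        walk_top_level(data)
        return True
    except ValueError:
        return False


def data_object_offset(data):
    """The Header Object's size field is the offset of the Data Object."""
    return next(off for off, name, _ in walk_top_level(data) if name == "ASF_Data_Object")


# ---- constructed sample (not bytes from a real file) ----
def build_object(guid, body):
    return guid.bytes_le + struct.pack("<Q", OBJECT_HEADER_LEN + len(body)) + body

# Header body per the ASF spec: child count DWORD, Reserved1 BYTE, Reserved2 BYTE.
SAMPLE_FILE = (build_object(ASF_HEADER_OBJECT, struct.pack("<IBB", 0, 1, 2))
               + build_object(ASF_DATA_OBJECT, b"\x00" * 40)
               + build_object(ASF_SIMPLE_INDEX_OBJECT, b"\x00" * 8))

if __name__ == "__main__":
    for off, name, size in walk_top_level(SAMPLE_FILE):
        print(f"0x{off:08x}  {name:<28} size={size}")
```

Running the block prints the three constructed objects with the Data Object at offset 30, which is exactly the Header Object's size field; cutting a few bytes off the end of the buffer makes `is_well_formed` return False instead of letting the walker read out of bounds.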
Identifying ASF Codec Used
As explained earlier, ASF is a container and could contain any codec.
Let’s follow the Header Object GUIDs to help us determine which codec is used by our sample file.
Name | GUID |
--- | --- |
ASF_File_Properties_Object | 8CABDCA1-A947-11CF-8EE4-00C00C205365 |
ASF_Stream_Properties_Object | B7DC0791-A9B7-11CF-8EE6-00C00C205365 |
ASF_Header_Extension_Object | 5FBF03B5-A92E-11CF-8EE3-00C00C205365 |
ASF_Codec_List_Object | 86D15240-311D-11D0-A3A4-00A0C90348F6 |
ASF_Script_Command_Object | 1EFB1A30-0B62-11D0-A39B-00A0C90348F6 |
ASF_Marker_Object | F487CD01-A951-11CF-8EE6-00C00C205365 |
Codec List Object Definition
The Codec List Object provides user-friendly information about the codecs and formats used to encode the content found in the ASF file. The Codec List Object is represented using the following structure.
Field name | Field type | Size (bits) |
--- | --- | --- |
Object ID | GUID | 128 |
Object Size | QWORD | 64 |
Reserved | GUID | 128 |
Codec Entries Count | DWORD | 32 |
Codec Entries | See below | Varies |
Codec Entries are described in the following table.
Field Name | Field Type | Size (bits) |
--- | --- | --- |
Type | WORD | 16 |
Codec Name Length | WORD | 16 |
Codec Name | WCHAR | varies |
Codec Description Length | WORD | 16 |
Codec Description | WCHAR | varies |
Codec Information Length | WORD | 16 |
Codec Information | BYTE | varies |
The fields are defined as follows:
Type
Specifies the type of the codec used. Use one of the values in the following table.
Values | Meaning |
--- | --- |
0x0001 | Video codec |
0x0002 | Audio codec |
0xFFFF | Unknown codec |
OK, now that we understand the ASF file structure, it’s time to check some malicious ASF files.
First things first, let’s investigate the ASF header. We follow the same Header Object GUIDs listed in the table above to locate each sub-object inside the malicious file’s header.
Let’s check the next object, the ASF Script Command Object. It is represented using the following structure.
Field name | Field type | Size (bits) |
--- | --- | --- |
Object ID | GUID | 128 |
Object Size | QWORD | 64 |
Reserved | GUID | 128 |
Commands Count | WORD | 16 |
Command Types Count | WORD | 16 |
Command Types | See below | varies |
Commands | See below | varies |
This malicious ASF file contains the following Script Command Object information:
1 – ASF Script Command Object GUID
2 – ASF Script Command Object size, which is 72 bytes
3 – ASF script commands count, which is 1
4 – ASF script command types count, which is 1
5 – ASF script command type name length, which has the value 0x0A
6 – ASF script command type name, which is URLANDEXIT 81
The structure of each Command Type entry is shown in the following table.
Field name | Field type | Size (bits) |
--- | --- | --- |
Command Type Name Length | WORD | 16 |
Command Type Name | WCHAR | varies |
7 – ASF script command, the URL “http://Isvbr.net?t=36” (the hex view shows it spaced out as “h t t p : / / I s v b r . n e t ? t = 3 6” because the command name is stored as UTF-16 WCHARs)
So, when a user opens this malicious ASF file (whether .WMA or .WMV), Windows Media Player reads the header object and consequently executes the script command, which opens a URL serving a malicious codec installer.
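An added dissector for the two header sub-objects discussed above (the Codec List Object and the Script Command Object); this is example code written for this page, not code from the original post or from Microsoft. It walks the children of the Header Object, decodes each codec entry, and reports any command whose type would open a browser (URLANDEXIT, and URL as well, which this example treats the same way). Two details matter in practice: the Codec Name, Codec Description and Command Type Name length fields count WCHARs, so the byte length is twice the field, while Codec Information Length counts bytes; and the Commands entry layout (Presentation Time DWORD, Type Index WORD, Command Name Length WORD, Command Name WCHAR[]) is taken from the ASF specification rather than from this page. The sample header bytes, codec name and URL are constructed placeholders.

```python
"""Triage an ASF Header Object: codec list and URL script commands (added example)."""
import struct
import uuid

ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CODEC_LIST_OBJECT = uuid.UUID("86D15240-311D-11D0-A3A4-00A0C90348F6")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
OBJ_HDR = 24                                        # GUID + QWORD Object Size
CODEC_TYPES = {0x0001: "video", 0x0002: "audio", 0xFFFF: "unknown"}
URL_COMMAND_TYPES = {"URLANDEXIT", "URL"}           # command types that open a browser


def _wstr(buf, off, nchars):
    """Read nchars WCHARs as UTF-16LE (length fields count characters, not bytes)."""
    end = off + 2 * nchars
    if end > len(buf):
        raise ValueError("string length runs past the object")
    return buf[off:end].decode("utf-16-le").rstrip("\x00"), end


def parse_codec_list(body):
    """body = Codec List Object contents after the 24-byte object header."""
    (count,) = struct.unpack_from("<I", body, 16)   # 16-byte Reserved GUID comes first
    off, entries = 20, []
    for _ in range(count):
        ctype, name_len = struct.unpack_from("<HH", body, off); off += 4
        name, off = _wstr(body, off, name_len)
        (desc_len,) = struct.unpack_from("<H", body, off); off += 2
        desc, off = _wstr(body, off, desc_len)
        (info_len,) = struct.unpack_from("<H", body, off); off += 2   # bytes, not WCHARs
        info, off = body[off:off + info_len], off + info_len
        entries.append({"type": CODEC_TYPES.get(ctype, "unknown"),
                        "name": name, "description": desc, "info": info})
    return entries


def parse_script_command(body):
    """Return (command type names, commands) from a Script Command Object body."""
    cmd_count, type_count = struct.unpack_from("<HH", body, 16)   # after Reserved GUID
    off, types, cmds = 20, [], []
    for _ in range(type_count):
        (n,) = struct.unpack_from("<H", body, off); off += 2
        name, off = _wstr(body, off, n)
        types.append(name)
    for _ in range(cmd_count):                      # entry layout per the ASF spec
        pres_ms, type_idx, n = struct.unpack_from("<IHH", body, off); off += 8
        name, off = _wstr(body, off, n)
        type_name = types[type_idx] if type_idx < len(types) else "?"
        cmds.append({"time_ms": pres_ms, "type": type_name, "command": name})
    return types, cmds


def header_children(data):
    """Yield (guid, body) for each child of the Header Object; the header body
    starts with child count DWORD, Reserved1 BYTE, Reserved2 BYTE (ASF spec)."""
    if uuid.UUID(bytes_le=bytes(data[:16])) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF Header Object")
    size, nchildren = struct.unpack_from("<QI", data, 16)
    if size > len(data):
        raise ValueError("header size exceeds buffer")
    off = 30
    for _ in range(nchildren):
        guid = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        (csize,) = struct.unpack_from("<Q", data, off + 16)
        if csize < OBJ_HDR or off + csize > size:
            raise ValueError(f"child at 0x{off:x} has invalid size {csize}")
        yield guid, data[off + OBJ_HDR:off + csize]
        off += csize


def triage_header(data):
    """Summarise codecs and list every command that would open a URL."""
    report = {"codecs": [], "url_commands": []}
    for guid, body in header_children(data):
        if guid == ASF_CODEC_LIST_OBJECT:
            report["codecs"] = parse_codec_list(body)
        elif guid == ASF_SCRIPT_COMMAND_OBJECT:
            _, cmds = parse_script_command(body)
            report["url_commands"] += [c for c in cmds if c["type"] in URL_COMMAND_TYPES]
    return report


# ---- constructed sample header (placeholder values, not bytes from a real file) ----
def _obj(guid, body):
    return guid.bytes_le + struct.pack("<Q", OBJ_HDR + len(body)) + body

def _w(s):                                          # WORD length in WCHARs + UTF-16LE text
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

RESERVED = b"\x00" * 16                             # placeholder Reserved GUID
PLACEHOLDER_URL = "http://placeholder.invalid/?t=1"
CODEC_BODY = (RESERVED + struct.pack("<I", 1) + struct.pack("<H", 0x0002)
              + _w("Sample Audio Codec\x00") + _w("") + struct.pack("<H", 2) + b"\x61\x01")
SCRIPT_BODY = (RESERVED + struct.pack("<HH", 1, 1) + _w("URLANDEXIT")
               + struct.pack("<IH", 0, 0) + _w(PLACEHOLDER_URL))
SAMPLE_HEADER = _obj(ASF_HEADER_OBJECT, struct.pack("<IBB", 2, 1, 2)
                     + _obj(ASF_CODEC_LIST_OBJECT, CODEC_BODY)
                     + _obj(ASF_SCRIPT_COMMAND_OBJECT, SCRIPT_BODY))

if __name__ == "__main__":
    print(triage_header(SAMPLE_HEADER))
```

On the constructed header the report lists one audio codec and one URLANDEXIT command carrying the placeholder URL; on a real file, a non-empty `url_commands` list in a media file that should only play audio or video is the finding to escalate, and the codec list shows whether the content is anything a stock player could decode at all.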
As Microsoft explained:
“When a content owner creates an audio or a video stream, that content owner can add script commands (such as URL script commands and custom script commands) that are embedded in the stream. When the stream is played back, the script commands can trigger events in an embedded player program, or they can start your Web browser and then connect to a particular Web page. THIS BEHAVIOR IS BY DESIGN.”
Unfortunately, attackers exploited this legitimate feature of the ASF file format.