Summary of ASF File Specification

Related to the recent threat infecting Windows Media files, this summary should help researchers understand how to dissect an ASF file.

But what is an ASF file?

ASF is the file format used by Windows Media. Audio and/or video content compressed with a wide variety of codecs can be stored in an ASF file and played back with Windows Media Player (provided the appropriate codecs are installed), streamed with Windows Media Services, or optionally packaged with Windows Media Rights Manager. [As defined by Microsoft]

Further explanation from Wikipedia follows:

  • ASF is part of the Windows Media framework.
  • The ASF container provides a framework for digital rights management in Windows Media Audio (.WMA) and Windows Media Video (.WMV).
  • Although the ASF container format can technically include any codec, Microsoft encoding tools (including Windows Media Encoder and Windows Movie Maker) produce ASF/WMA/WMV files using the DirectX Media Objects framework.

Let’s take a closer look at the ASF top-level file structure:

Identifying ASF objects using GUIDs

GUIDs are used to uniquely identify all objects and entities within ASF files.

The following table contains the names and values of top-level ASF object GUIDs.

Name                            GUID
ASF_Header_Object               75B22630-668E-11CF-A6D9-00AA0062CE6C
ASF_Data_Object                 75B22636-668E-11CF-A6D9-00AA0062CE6C
ASF_Simple_Index_Object         33000890-E5B1-11CF-89F4-00A0C90349CB
ASF_Index_Object                D6E229D3-35DA-11D1-9034-00A0C90349BE
ASF_Media_Object_Index_Object   FEB103F8-12AD-4C64-840F-2A1D2F7AD48C
ASF_Timecode_Index_Object       3CB73FD0-0C4A-4803-953D-EDF7B6228F0C

Note: All ASF objects and structures (including data packet headers) are stored in little-endian byte order (the inverse of network byte order).

ASF Object Structure

Let’s take the Windows sample music file “Beethoven’s Symphony No. 9 (Scherzo).wma” (which can be found in your %Documents and Settings% folder) as an example.

Name                            GUID
ASF_Header_Object               75B22630-668E-11CF-A6D9-00AA0062CE6C
ASF_Data_Object                 75B22636-668E-11CF-A6D9-00AA0062CE6C
ASF_Simple_Index_Object         33000890-E5B1-11CF-89F4-00A0C90349CB

Take note of the ASF Header Object size: it indicates the size of the header and therefore gives the offset of the next object, which is the Data Object of the file.

Let’s check it…


Identifying ASF Codec Used

As explained earlier, ASF is a container and can hold any codec.

Let’s follow the Header Object GUIDs to help us determine which codec is used in our sample file.

Name                            GUID
ASF_File_Properties_Object      8CABDCA1-A947-11CF-8EE4-00C00C205365
ASF_Stream_Properties_Object    B7DC0791-A9B7-11CF-8EE6-00C00C205365
ASF_Header_Extension_Object     5FBF03B5-A92E-11CF-8EE3-00C00C205365
ASF_Codec_List_Object           86D15240-311D-11D0-A3A4-00A0C90348F6
ASF_Script_Command_Object       1EFB1A30-0B62-11D0-A39B-00A0C90348F6
ASF_Marker_Object               F487CD01-A951-11CF-8EE6-00C00C205365

Codec List Object Definition

The Codec List Object provides user-friendly information about the codecs and formats used to encode the content found in the ASF file. The Codec List Object is represented using the following structure.

Field name            Field type   Size (bits)
Object ID             GUID         128
Object Size           QWORD        64
Reserved              GUID         128
Codec Entries Count   DWORD        32
Codec Entries         See below    Varies

Codec Entries are described in the following table.

Field name                  Field type   Size (bits)
Type                        WORD         16
Codec Name Length           WORD         16
Codec Name                  WCHAR        Varies
Codec Description Length    WORD         16
Codec Description           WCHAR        Varies
Codec Information Length    WORD         16
Codec Information           BYTE         Varies

The fields are defined as follows:

Type

Specifies the type of the codec used. Use one of the values in the following table.

Value    Meaning
0x0001   Video codec
0x0002   Audio codec
0xFFFF   Unknown codec

OK, now that we understand the ASF file structure, it’s time to check some malicious ASF files.

First things first, let’s investigate the ASF header object by following the Header Object GUIDs listed earlier:


Let’s check the next object, which is the ASF Script Command Object. The Script Command Object is represented using the following structure.

Field name            Field type   Size (bits)
Object ID             GUID         128
Object Size           QWORD        64
Reserved              GUID         128
Commands Count        WORD         16
Command Types Count   WORD         16
Command Types         See below    Varies
Commands              See below    Varies

This malicious ASF file contains the following Script Command Object information:

1 – ASF Script Command Object GUID

2 – ASF Script Command Object size, which is 72 bytes

3 – ASF script commands count, which is 1

4 – ASF script command types count, which is 1

5 – ASF script command type name length, which has the value 0x0A

6 – ASF script command type name, which is URLANDEXIT 81

The structure of each Command Type entry is shown in the following table.

Field name                 Field type   Size (bits)
Command Type Name Length   WORD         16
Command Type Name          WCHAR        Varies

7 – ASF script command “h t t p : / / I s v b r . n e t ? t = 3 6 “
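To make the walk described above concrete (top-level objects located by GUID and QWORD size, the Header Object size giving the Data Object offset, then the Codec List Object and Script Command Object inside the header), here is an added Python example written for this page; it is not code from the original post, from Microsoft, or from any media library. It uses the GUID values printed in the tables above, assumes the field layouts shown on this page (string lengths counted in WCHARs, Codec Information in bytes, each command carrying a DWORD presentation time and a WORD type index before its name), and builds its own constructed ASF-like buffer with a placeholder URL so it runs offline. The `url_commands` check is the defender's view: any URLANDEXIT command in the header is worth flagging before the file is handed to a player.

```python
import struct
import uuid

# GUIDs from the page's tables (canonical string form, as printed in the ASF spec)
ASF_HEADER_OBJECT = "75B22630-668E-11CF-A6D9-00AA0062CE6C"
ASF_DATA_OBJECT = "75B22636-668E-11CF-A6D9-00AA0062CE6C"
ASF_CODEC_LIST_OBJECT = "86D15240-311D-11D0-A3A4-00A0C90348F6"
ASF_SCRIPT_COMMAND_OBJECT = "1EFB1A30-0B62-11D0-A39B-00A0C90348F6"

def guid_bytes(text):
    """Canonical GUID string -> the 16 bytes stored on disk (first three fields little-endian)."""
    return uuid.UUID(text).bytes_le

def guid_str(raw):
    """16 on-disk bytes -> canonical GUID string, so it can be compared with the spec tables."""
    return str(uuid.UUID(bytes_le=bytes(raw))).upper()

def iter_objects(buf, start, end):
    """Walk consecutive ASF objects (16-byte GUID, QWORD size, body) in buf[start:end]."""
    pos = start
    while pos + 24 <= end:
        gid = guid_str(buf[pos:pos + 16])
        size = struct.unpack_from("<Q", buf, pos + 16)[0]
        if size < 24 or pos + size > end:       # refuse sizes that run past the buffer
            raise ValueError(f"bad object size {size} at offset {pos}")
        yield gid, pos, buf[pos + 24:pos + size]
        pos += size

def read_wchars(buf, pos, count):
    """Read `count` WCHARs (UTF-16LE) at pos; return (text, new_pos)."""
    return buf[pos:pos + 2 * count].decode("utf-16-le").rstrip("\0"), pos + 2 * count

def parse_codec_list(body):
    """Codec List Object body -> [(type, name, description)]; lengths are WCHAR counts."""
    count = struct.unpack_from("<I", body, 16)[0]   # after the 16-byte Reserved GUID
    pos, entries = 20, []
    for _ in range(count):
        ctype, name_len = struct.unpack_from("<HH", body, pos)
        name, pos = read_wchars(body, pos + 4, name_len)
        desc_len = struct.unpack_from("<H", body, pos)[0]
        desc, pos = read_wchars(body, pos + 2, desc_len)
        info_len = struct.unpack_from("<H", body, pos)[0]   # Codec Information is BYTEs
        pos += 2 + info_len
        entries.append((ctype, name, desc))
    return entries

def parse_script_commands(body):
    """Script Command Object body -> [(presentation_time_ms, type_name, command_text)]."""
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)
    pos, types, cmds = 20, [], []
    for _ in range(n_types):
        tlen = struct.unpack_from("<H", body, pos)[0]
        name, pos = read_wchars(body, pos + 2, tlen)
        types.append(name)
    for _ in range(n_cmds):
        ptime, tidx, nlen = struct.unpack_from("<IHH", body, pos)
        text, pos = read_wchars(body, pos + 8, nlen)
        cmds.append((ptime, types[tidx], text))
    return cmds

def scan(buf):
    """Return (data_object_offset, codec_entries, script_commands) for an ASF buffer."""
    gid, _, body = next(iter_objects(buf, 0, len(buf)))
    if gid != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file: first object is not the Header Object")
    data_offset = 24 + len(body)   # Header Object size == offset of the Data Object
    codecs, cmds = [], []
    # Header Object body: DWORD child count, two reserved bytes, then child objects
    for cgid, _, cbody in iter_objects(body, 6, len(body)):
        if cgid == ASF_CODEC_LIST_OBJECT:
            codecs = parse_codec_list(cbody)
        elif cgid == ASF_SCRIPT_COMMAND_OBJECT:
            cmds = parse_script_commands(cbody)
    return data_offset, codecs, cmds

def url_commands(cmds):
    """Commands of type URLANDEXIT, the browser-launching type seen in the page's sample."""
    return [text for _, ctype, text in cmds if ctype.upper() == "URLANDEXIT"]

def build_sample():
    """Constructed ASF-like buffer (not a real media file and not the page's sample)."""
    def obj(gid, body):
        return guid_bytes(gid) + struct.pack("<Q", 24 + len(body)) + body
    def wstr(text):   # WORD WCHAR count followed by UTF-16LE text
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    codec_body = (b"\0" * 16 + struct.pack("<I", 1) + struct.pack("<H", 2)
                  + wstr("Windows Media Audio 9") + wstr("64 kbps, 44 kHz, stereo")
                  + struct.pack("<H", 0))
    placeholder_url = "http://example.invalid/placeholder"   # placeholder, not the page's IoC
    script_body = (b"\0" * 16 + struct.pack("<HH", 1, 1) + wstr("URLANDEXIT")
                   + struct.pack("<IHH", 0, 0, len(placeholder_url))
                   + placeholder_url.encode("utf-16-le"))
    header_body = (struct.pack("<IBB", 2, 1, 2)
                   + obj(ASF_CODEC_LIST_OBJECT, codec_body)
                   + obj(ASF_SCRIPT_COMMAND_OBJECT, script_body))
    data_body = b"\0" * 26   # File ID, packet count, reserved WORD; no packets
    return obj(ASF_HEADER_OBJECT, header_body) + obj(ASF_DATA_OBJECT, data_body)

if __name__ == "__main__":
    sample = build_sample()
    offset, codecs, cmds = scan(sample)
    print("Data Object at offset", offset, "->", guid_str(sample[offset:offset + 16]))
    print("codecs:", codecs)
    print("script commands:", cmds)
    print("URL-launching commands:", url_commands(cmds))
```

Running it on a real .wma or .wmv means replacing `build_sample()` with the file's bytes; the size check in `iter_objects` keeps a malformed object size from reading outside the buffer, which is the first thing a parser for untrusted media should guard.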

So, when an infected user opens this malicious ASF file (whether .WMA or .WMV), Windows Media Player reads the header object and consequently executes the script command, which opens a URL serving a malicious codec installer.

As Microsoft explained:

When a content owner creates an audio or a video stream, that content owner can add script commands (such as URL script commands and custom script commands) that are embedded in the stream. When the stream is played back, the script commands can trigger events in an embedded player program, or they can start your Web browser and then connect to a particular Web page. THIS BEHAVIOR IS BY DESIGN.

Unfortunately, attackers have exploited this legitimate feature of the ASF file format.