
Summary of ASF File Specification

Related to the recent threat infecting Windows Media files, this summary should help researchers understand how to dissect an ASF file.

But what is an ASF file?

ASF is the file format used by Windows Media. Audio and/or video content compressed with a wide variety of codecs can be stored in an ASF file and played back with Windows Media Player (provided the appropriate codecs are installed), streamed with Windows Media Services, or optionally packaged with Windows Media Rights Manager. [Defined by Microsoft]

Further explanation from Wikipedia as follows:

  • ASF is part of the Windows Media framework.
  • The ASF container provides the framework for digital rights management in Windows Media Audio (.WMA) and Windows Media Video (.WMV).
  • Although the ASF container format can technically include any codec, Microsoft encoding tools (including Windows Media Encoder and Windows Movie Maker) produce ASF/WMA/WMV files using the DirectX Media Objects framework.

Let’s take a closer look at the ASF top-level file structure:

[Figure: diagram of the ASF top-level file structure; not reproduced]

Identifying ASF objects using GUIDs

GUIDs are used to uniquely identify all objects and entities within ASF files.

The following table contains the names and values of top-level ASF object GUIDs.

Name                            GUID
ASF_Header_Object               75B22630-668E-11CF-A6D9-00AA0062CE6C
ASF_Data_Object                 75B22636-668E-11CF-A6D9-00AA0062CE6C
ASF_Simple_Index_Object         33000890-E5B1-11CF-89F4-00A0C90349CB
ASF_Index_Object                D6E229D3-35DA-11D1-9034-00A0C90349BE
ASF_Media_Object_Index_Object   FEB103F8-12AD-4C64-840F-2A1D2F7AD48C
ASF_Timecode_Index_Object       3CB73FD0-0C4A-4803-953D-EDF7B6228F0C

Note: All ASF objects and structures (including data packet headers) are stored in little-endian byte order (the inverse of network byte order).

ASF Object Structure

Let’s take the Windows sample music file “Beethoven’s Symphony No.9 (Scherzo).wma” (which can be found in your %Documents and Settings% folder) as an example.

[Figure: hex dump of the start of the sample .wma file; the marked objects are:]

Name                            GUID
ASF_Header_Object               75B22630-668E-11CF-A6D9-00AA0062CE6C
ASF_Data_Object                 75B22636-668E-11CF-A6D9-00AA0062CE6C
ASF_Simple_Index_Object         33000890-E5B1-11CF-89F4-00A0C90349CB

Take note of the ASF Header Object size: it gives the size of the header, and therefore the offset of the next object in the file, which is the Data Object.

Let’s check it…

[Figure: hex dump at the offset computed from the Header Object size; the legend repeats the three objects above:]

Name                            GUID
ASF_Header_Object               75B22630-668E-11CF-A6D9-00AA0062CE6C
ASF_Data_Object                 75B22636-668E-11CF-A6D9-00AA0062CE6C
ASF_Simple_Index_Object         33000890-E5B1-11CF-89F4-00A0C90349CB

Identifying ASF Codec Used

As explained earlier, ASF is a container and can hold content encoded with any codec.

Let’s follow the Header Object GUIDs to determine which codec is used in our sample file.

Name                            GUID
ASF_File_Properties_Object      8CABDCA1-A947-11CF-8EE4-00C00C205365
ASF_Stream_Properties_Object    B7DC0791-A9B7-11CF-8EE6-00C00C205365
ASF_Header_Extension_Object     5FBF03B5-A92E-11CF-8EE3-00C00C205365
ASF_Codec_List_Object           86D15240-311D-11D0-A3A4-00A0C90348F6
ASF_Script_Command_Object       1EFB1A30-0B62-11D0-A39B-00A0C90348F6
ASF_Marker_Object               F487CD01-A951-11CF-8EE6-00C00C205365

Codec List Object Definition

The Codec List Object provides user-friendly information about the codecs and formats used to encode the content found in the ASF file. The Codec List Object is represented using the following structure.

Field name            Field type   Size (bits)
Object ID             GUID         128
Object Size           QWORD        64
Reserved              GUID         128
Codec Entries Count   DWORD        32
Codec Entries         See below    Varies

Codec Entries are described in the following table.

Field name                  Field type   Size (bits)
Type                        WORD         16
Codec Name Length           WORD         16
Codec Name                  WCHAR        varies
Codec Description Length    WORD         16
Codec Description           WCHAR        varies
Codec Information Length    WORD         16
Codec Information           BYTE         varies

The fields are defined as follows:

Type

Specifies the type of the codec used. Use one of the values in the following table.

Value    Meaning
0x0001   Video codec
0x0002   Audio codec
0xFFFF   Unknown codec

OK, now that we understand the ASF file structure, it’s time to check some malicious ASF files.

First things first, let’s investigate the ASF header. We follow the Header Object GUIDs again to identify the objects inside the header:

[Figure: hex dump of the malicious file’s Header Object; the legend lists the same header-level object GUIDs as the table above (File Properties, Stream Properties, Header Extension, Codec List, Script Command and Marker objects)]

Let’s check the next object, which is the ASF Script Command Object. The Script Command Object is represented using the following structure.

Field name            Field type   Size (bits)
Object ID             GUID         128
Object Size           QWORD        64
Reserved              GUID         128
Commands Count        WORD         16
Command Types Count   WORD         16
Command Types         See below    varies
Commands              See below    varies

The Script Command Object of this malicious ASF file contains the following information (numbered as in the annotated hex dump, which is not reproduced):

1 – ASF script command object GUID

2 – ASF script command object size which is 72 bytes

3 – ASF script commands count which is 1

4 – ASF script command type count which is 1

5 – ASF script command type length which has 0x0A value

6 – ASF script command type name which is URLANDEXIT 81

The structure of each Command Type entry is shown in the following table.

Field name                  Field type   Size (bits)
Command Type Name Length    WORD         16
Command Type Name           WCHAR        varies

7 – ASF script command “h t t p : / / I s v b r . n e t ? t = 3 6” (the command name is a WCHAR string, so an ASCII dump shows a gap after every character)

So, when a user opens this malicious ASF file (whether .WMA or .WMV), Windows Media Player reads the Header Object and consequently executes the script command, which opens a URL serving a malicious “codec installer”.
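The dissection above (walking top-level objects by GUID and size, then reading the Script Command Object inside the Header Object) can be automated. The following parser is an added example, not code from the original post: it flags URL and URLANDEXIT commands so a triage script can spot files like this one. The layout of each Commands entry (presentation time, type index, name) is taken from the ASF specification rather than from this post; the sample file and its URL are constructed placeholders.

```python
import struct
import uuid
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")  # GUIDs from the tables above
ASF_DATA_OBJECT = uuid.UUID("75B22636-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")

def walk_objects(buf, off, end):
    """Yield (guid, start, size) for each object in buf[off:end]; every object starts GUID + QWORD size."""
    while off + 24 <= end:
        guid = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))  # GUIDs are stored little-endian
        (size,) = struct.unpack_from("<Q", buf, off + 16)
        if size < 24 or off + size > end:  # refuse a size that would walk past the buffer
            raise ValueError("bad object size at offset %d" % off)
        yield guid, off, size
        off += size

def parse_script_commands(buf, off):
    """Return [(presentation_time_ms, type_name, command)] from the Script Command Object at off."""
    cmd_count, type_count = struct.unpack_from("<HH", buf, off + 40)  # after GUID, size, reserved GUID
    pos, types, cmds = off + 44, [], []
    for _ in range(type_count):  # Command Type entry (table above): WORD length, WCHAR name
        (n,) = struct.unpack_from("<H", buf, pos)
        types.append(buf[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * n
    for _ in range(cmd_count):  # Command entry (ASF spec): DWORD time, WORD type index, WORD length, WCHAR name
        t, idx, n = struct.unpack_from("<IHH", buf, pos)
        cmds.append((t, types[idx], buf[pos + 8:pos + 8 + 2 * n].decode("utf-16-le")))
        pos += 8 + 2 * n
    return cmds

def find_url_commands(buf):
    """Return every URL / URLANDEXIT command in the Header Object's children (the browser-launching kinds).
    Header Object = GUID, size, DWORD child count, two reserved bytes (30 bytes), then child objects."""
    hits = []
    for guid, start, size in walk_objects(buf, 0, len(buf)):
        if guid == ASF_HEADER_OBJECT:
            for cguid, cstart, _ in walk_objects(buf, start + 30, start + size):
                if cguid == ASF_SCRIPT_COMMAND_OBJECT:
                    hits += [c for c in parse_script_commands(buf, cstart) if c[1].upper() in ("URL", "URLANDEXIT")]
    return hits

def build_sample():
    """Constructed test file: Header Object holding one URLANDEXIT command, then an empty Data Object."""
    def wstr(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = (uuid.UUID(int=0).bytes_le + struct.pack("<HH", 1, 1) + wstr("URLANDEXIT")
            + struct.pack("<IH", 0, 0) + wstr("http://example.invalid/?t=36"))  # placeholder URL, not the page's
    script = ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    header = ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 30 + len(script)) + struct.pack("<IBB", 1, 1, 2) + script
    data = ASF_DATA_OBJECT.bytes_le + struct.pack("<Q", 50) + bytes(16) + struct.pack("<QH", 0, 0x0101)
    return header + data
```

Running `find_url_commands(open(path, "rb").read())` over a real .wma/.wmv returns the embedded URL commands; an empty list means the header carries none.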

As Microsoft explained:

When a content owner creates an audio or a video stream, that content owner can add script commands (such as URL script commands and custom script commands) that are embedded in the stream. When the stream is played back, the script commands can trigger events in an embedded player program, or they can start your Web browser and then connect to a particular Web page. THIS BEHAVIOR IS BY DESIGN.

Unfortunately, attackers have exploited this legitimate feature of the ASF file format.

  1. Rajkumar Sakthibalan
    October 22, 2008 at 4:46 am

    good writing… good material… thanks…

  2. AT
    November 8, 2010 at 10:02 pm

    FWIW, there is an error in the explanation; towards the bottom on step six, it says the script command type is URLANDEXIT 81, but in fact the command length is only 10 characters, so it should be URLANDEXIT.

    Other than that, thanks. 🙂

  3. Kenneth
    May 18, 2011 at 6:38 am

    Wow. Thank you for the precious information!!! It really helps.

  4. Ratan
    September 29, 2011 at 11:45 am

    Wonderful .. your presentation skill is too professional and simple to understand… Thanks for wonderful work
