Did you know that ASF (Advanced Systems Format) by design includes a feature that can be used for drive-by downloads? No? Then this post is for you.
For the legal authorities: I sometimes download video files to check whether I want to buy them. If I still like it after 10 minutes of viewing, I order it on Amazon right away. If not, I just delete the file.
All links in this post can lead to malware, so unless you are specially trained, please do not run any of this on your own machine.
This time I used a well-known torrent portal to download another file.
The file arrived after a few hours, size ~643 MB,
File name: Moonrise Kingdom 2012 DVDRip XviD AC3-26K.avi
After a few unsuccessful attempts to view the movie under Linux, I checked it with the great tool AVIcodec, which lists the codecs a file uses and reports whether something is missing. The tool runs under Windows, and it reported the codecs as:
Video: Microsoft Windows Media 9
Audio: WMA Version 8
Well, I thought, then why don't you work?! And I just double-clicked the file...
Windows Media Player started, with a pop-up window:
Nice, so it looks like it is not an AVI file at all but ASF/WMV (consistent with the AVIcodec analysis).
If you press Yes, the video starts (Damn you, Linux!!!)
And after 8 seconds of promising video, it stops and launches Internet Explorer...
hxxp://sponsor01.info/02/ >> hxxp://free-custom.co.cc/player/get-free.html
And if you click here:
link: hxxp:/bestmpl.co.cc/jm/latestvertions/mpl.html (as you can see, the link is malformed: http:/ instead of http://, but the process still continues.)
Press "download here" and you are forwarded through a few obfuscated redirects to the actual download:
Size: 318 KB
Packed with UPX
VirusTotal result: [26/41] https://www.virustotal.com/file/0a23b816f6f5815656aa95f4facc77d72c57a28781e3c266eebc98529c0370db/analysis/1344264556/
Great. Now we unpack it with the PEiD plugin and get unpacked.exe:
Size: 756 KB
VirusTotal: [15/41] https://www.virustotal.com/file/e4a79db1f34f7ca23278739b1865f3bfa0061b9acf1c9163e1fb88b193745e5b/analysis/1344372131/
So why pack it at all? The unpacked binary (15/41) gets fewer detections than the UPX-packed one (26/41); the packer itself is what many engines flag.
So technically we are looking at a drive-by download: malware that specifically asks you to download a particular file with a particular browser. Yes, if you visit the malware download site with Chrome or Firefox instead, this is what you get:
Now, how does it work?
From the article by Methusela Cebrian Ferrer you can see that this behavior is part of ASF itself. The file header carries script commands, and a command of type URLANDEXIT makes Windows Media Player open the given URL in the browser and stop playback, which is exactly what happened after 8 seconds.
Here is how it looks in a hex editor:
Since it is a proprietary Microsoft format, I did not find an official manual on how to use this routine to implement the functionality, but I found an unofficial one:
I will finish the reverse engineering soon and update this post with additional details, if any.
Meanwhile, cheers!
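To make the mechanism concrete, here is an added example (my own code, not from the post or from Ferrer's article) that builds a minimal ASF header containing a Script Command Object, then parses it back and reports any command of type URL or URLANDEXIT. The object layout and the three GUIDs follow Microsoft's ASF specification as I know it; the sample headers and the URL inside them are constructed in memory, not taken from the torrent file in the post. Point `find_url_commands` at the first megabyte or so of a real .wmv/.asf/.avi to check it before double-clicking.

```python
"""Find ASF/WMV script commands of type URL / URLANDEXIT in a file header.

Added example, not the post's code. Object layout and GUIDs are taken from
Microsoft's public ASF specification; the samples at the bottom are
constructed here, not extracted from a real file.
"""
import struct
import uuid

# On disk an ASF GUID is stored with its first three fields little-endian,
# which is exactly what uuid.UUID(...).bytes_le produces.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
ASF_SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")

# Command types that make Windows Media Player hand a URL to the browser.
URL_TYPES = {"URL", "URLANDEXIT"}


def _utf16(s):
    return s.encode("utf-16-le")


def build_script_command_object(commands):
    """Serialize a Script Command Object from (time_ms, type_name, text) tuples.
    Layout after the 24-byte object header: reserved GUID, commands count (WORD),
    command types count (WORD), each type as (WCHAR count, UTF-16LE name), then
    each command as (time DWORD, type index WORD, WCHAR count, UTF-16LE text)."""
    type_names = []
    for _, type_name, _ in commands:
        if type_name not in type_names:
            type_names.append(type_name)
    body = struct.pack("<HH", len(commands), len(type_names))
    for type_name in type_names:
        body += struct.pack("<H", len(type_name)) + _utf16(type_name)
    for time_ms, type_name, text in commands:
        body += struct.pack("<IHH", time_ms, type_names.index(type_name), len(text))
        body += _utf16(text)
    size = 16 + 8 + 16 + len(body)
    return (ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", size)
            + ASF_SCRIPT_COMMAND_RESERVED.bytes_le + body)


def build_header_object(sub_objects):
    """Wrap sub-objects in a top-level ASF Header Object (30-byte header)."""
    payload = b"".join(sub_objects)
    return (ASF_HEADER_OBJECT.bytes_le
            + struct.pack("<QIBB", 30 + len(payload), len(sub_objects), 1, 2)
            + payload)


def _read(fmt, buf, pos):
    """struct.unpack_from with an explicit error on truncated input."""
    if pos + struct.calcsize(fmt) > len(buf):
        raise ValueError("truncated ASF object at offset %d" % pos)
    return struct.unpack_from(fmt, buf, pos)


def _read_wstr(buf, pos, nchars):
    end = pos + 2 * nchars
    if end > len(buf):
        raise ValueError("truncated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le", errors="replace"), end


def parse_script_object(body):
    """Parse a Script Command Object payload (everything after its 24-byte header)."""
    pos = 16  # skip the reserved GUID
    n_cmds, n_types = _read("<HH", body, pos)
    pos += 4
    types = []
    for _ in range(n_types):
        (length,) = _read("<H", body, pos)
        name, pos = _read_wstr(body, pos + 2, length)
        types.append(name)
    commands = []
    for _ in range(n_cmds):
        time_ms, type_idx, length = _read("<IHH", body, pos)
        text, pos = _read_wstr(body, pos + 8, length)
        if type_idx >= len(types):
            raise ValueError("command type index %d out of range" % type_idx)
        commands.append({"time_ms": time_ms, "type": types[type_idx], "command": text})
    return commands


def parse_script_commands(data):
    """Walk the top-level Header Object and collect every script command."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF header")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos, commands = 30, []
    for _ in range(count):
        guid = uuid.UUID(bytes_le=_read("<16s", data, pos)[0])
        (obj_size,) = _read("<Q", data, pos + 16)
        if obj_size < 24 or pos + obj_size > end:
            raise ValueError("bad object size %d at offset %d" % (obj_size, pos))
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            commands.extend(parse_script_object(data[pos + 24:pos + obj_size]))
        pos += obj_size
    return commands


def find_url_commands(data):
    """Return only the commands that would launch a browser."""
    return [c for c in parse_script_commands(data) if c["type"].upper() in URL_TYPES]


# Constructed samples: one header with an URLANDEXIT command firing 8 seconds in
# (as in the post), one with only a harmless custom command type.
SAMPLE_DRIVEBY = build_header_object([build_script_command_object([
    (8000, "URLANDEXIT", "http://example.invalid/02/"),
])])
SAMPLE_BENIGN = build_header_object([build_script_command_object([
    (1000, "CAPTION", "Opening titles"),
])])

if __name__ == "__main__":
    for label, sample in (("drive-by", SAMPLE_DRIVEBY), ("benign", SAMPLE_BENIGN)):
        print(label, find_url_commands(sample))
```

The parser deliberately stops at the top-level Header Object, which is where the specification places the Script Command Object, and it refuses to walk past the declared header size or the bytes you actually read, so a truncated read raises ValueError instead of silently returning "clean". Any command type other than URL/URLANDEXIT is reported by `parse_script_commands` but not flagged; look at the full list too, since a file that carries any script commands at all is already unusual for a plain movie rip.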