104

I've downloaded a .wmv file using P2P. Attempting to play it with Media Player Classic (K-Lite Codec Pack) only gave me a green square in the playback window:

enter image description here

I noticed that the video came with a readme file, however; I found the following inside:

This video has been encoded using the latest DivX+ software, if you are having trouble playing this video please try windows media player Media Player should automatically update any out dated codecs

Since the K-Lite Codec Pack is my media software of choice, I decided to visit their site to see if there was an upgrade available. Indeed, the latest version at the moment of writing was released on November 19th 2015 (the version I was using had been installed on my PC at the beginning of November because I'd bought a new hard drive and reinstalled the OS). I've downloaded and installed the update, but nothing changed, I still got the same green square.

Now, this part I am ashamed of; instead of getting suspicious, I did what the file suggested, i.e. ran it in WMP, which indeed suggested that I download some codecs. I let it do it, typed the admin password because my account is a regular one, and then a few interesting things happened.

  1. UAC has been disabled without me doing anything; Windows showed a prompt telling me that I need to reboot to disable it, and when I checked the settings, it has indeed been turned off
  2. Opera Browser has been installed and a shortcut was put on my desktop
  3. NOD32, the AV I'm using, went crazy: two HTTP requests have been blocked and two executables quarantined, logs follow:

Network:

15/11/22 3:35:29 PM http://dl.tiressea.com/download/dwn/kmo422/us/setup_ospd_us.exe Blocked by internal IP blacklist C:\Users\admin\AppData\Local\Temp\beeibedcid.exe desktop\admin 37.59.30.197
15/11/22 3:35:29 PM http://dl.tiressea.com/download/dwn/kmo422/us/setup_ospd_us.exe Blocked by internal IP blacklist C:\Users\admin\AppData\Local\Temp\beeibedcid.exe desktop\admin 37.59.30.197

Local files:

15/11/22 3:35:38 PM Real-time file system protection file C:\Users\admin\AppData\Local\Temp\81448202922\1QVdFL1BTSQ==0.exe a variant of Win32/Adware.ConvertAd.ACN application cleaned by deleting - quarantined desktop\admin Event occurred on a new file created by the application: C:\Users\admin\AppData\Local\Temp\beeibedcid.exe.

15/11/22 3:35:35 PM Real-time file system protection file C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\51L9SWGF\VOPackage1.exe a variant of Win32/Adware.ConvertAd.ACN application cleaned by deleting (after the next restart) - quarantined desktop\admin Event occurred on a new file created by the application: C:\Users\admin\AppData\Local\Temp\beeibedcid.exe.

beeibedcid.exe had been running as a process before I killed it manually using the task manager. Even though ESET didn't touch it, it's no longer in AppData\Local\Temp.

Upon closer inspection, I realized that the prompt WMP opens to allow me to "update my codecs" doesn't look like a WMP component:

enter image description here

The UI differs in certain subtle ways, and the sentence composition/syntax is poor. Undeniably though the most suspicious thing is the domain in the upper left corner, playrr.co; a simple whois lookup reveals that the domain has been registered on November 17th this year - five days ago - and the registrant is WhoisGuard, so the actual registrant clearly wanted to conceal their details.

Note that clicking both "Download Fix" and "Web Help" has the same effect; the following IE download prompt pops up:

enter image description here

I should add that the video I downloaded had been uploaded on 2015-11-22 13:29:23 GMT, roughly an hour before I downloaded it. The OS is Windows 8.1 Pro x64 and the AV is ESET Nod32 AV 7.0.302.0, with the latest signatures.

I'm annoyed at myself because this is a fairly obvious trap, but at the same time I'd never think to check Windows Media Player dialogs for obvious trojan/adware!

  • How does this thing work? It couldn't have possibly affected my Windows Media Player executable before it was played because it's a media file. Is this a recent vulnerability discovered in the software? Because I doubt Microsoft would allow media files to specify a site to download codecs from...
  • No matter what it is, it seems to be a relatively new thing. What can I do to ensure others don't fall for this? I don't think any AV vendor would allow me to submit a .wmv file a few hundred megabytes in size for analysis.

Thanks for your time.

user4520
  • 1,027
  • 2
  • 8
  • 9
  • 5
    `How does this thing work? It couldn't have possibly affected my Windows Media Player executable before it was played because it's a media file.` That's wrong. While unlike that it did something before playing in this case, it's not guaranteed in any way. `Because I doubt Microsoft would allow media files to specify a site to download codecs from` If web sites can specify binarys to run in IE... – deviantfan Nov 22 '15 at 15:51
  • Anyways, yes it's probably a problem in the used software (not necessarily the media player, could be WIndows itself, etc.etc). About the AV thing: Ask them if they want it. About your computer: Don't trust anything anymore, wipe it, and make a clean reinstall. About the future: Don't use any questionable file sources anymore... – deviantfan Nov 22 '15 at 15:53
  • 1
    Without reading other answers I can tell you: maybe. Codecs are bitches to write because they're basically (LL(1)) parsers, state machines, and it's very tempting to be lazy and just use pointers+offsets-read-from-files and such, as we cannot see the source code and anyone with an exploit (who is bad) would want it known that they've done it, all we can do is confirm if it /has/ been exploited before by finding a case for it, the absence of a case is inconclusive. – Alec Teal Nov 22 '15 at 21:27
  • 6
    Analysis of the file linked: https://www.virustotal.com/en/file/b16ace7eeb73201f65d210969656ff0bfb955a34e4ee3719634107d663c0c68d/analysis/1448244669/ –  Nov 23 '15 at 02:40

2 Answers2

111

This video file uses (well, abuses) Windows Media Player's DRM functionalities which allows content providers to embed an URL in their protected content that will be displayed in a Windows Media Player window to allow the user acquire a license to play the content. Its legitimate usage goes like this :

  • user registers on an online music store and downloads some DRM-protected files, which have their actual media content encrypted
  • user opens them in Windows Media Player, it opens a window with the URL specified in the media file, in this case a legitimate URL from the music store which asks for the user's login
  • user enters his credentials, the music store authenticates them and gives WMP the decryption key which is then cached and the file can now be played

In this case, the feature has been abused to display a fake WMP error about missing codecs (it's in reality a webpage, as the domain name in the top bar suggests, and if it was real the window would've been much smaller) to make you click a (fake) button that points to malware masquerading as codecs.

There's some more info about this DRM system on Wikipedia, and it seems to be deprecated in favour of PlayReady. Whether this new iteration will allow such abuse isn't yet known.

André Borie
  • 12,706
  • 3
  • 39
  • 76
  • 83
    So let me get this straight, WMP allows media files to open and show to its users _any_ website? If yes, well, wow, Microsoft... – user4520 Nov 22 '15 at 19:32
  • 3
    @szczurcio if I remember right, it doesn't open the website right away but displays an error saying you don't have the necessary rights to play the file, with a button to acquire the rights. That button displays the website. – André Borie Nov 22 '15 at 19:38
  • 1
    Windows Media Player DRM sounds like a good idea in theory with respect to anti piracy, any idea why it wasn't adopted more? – Celeritas Nov 22 '15 at 22:56
  • 1
    @Celeritas - Probably because most digital video distribution these days is done via streaming (Netflix, et al) rather than downloaded files. And the share that is downloaded is very probably dominated by iTunes, who aren't going to use Microsoft-made software. – Compro01 Nov 23 '15 at 01:28
  • 52
    @szczurcio: All DRM is inherently malware; why are you so surprised that someone figured out a way to piggyback their own malware on Microsoft's? – Mason Wheeler Nov 23 '15 at 12:48
  • 4
    @Compro01 Interestingly Netflix, Amazon Instant Video and almost all Silverlight-based video streaming service are using the same DRM infrasture as used in this file, so it's actually pretty widely used. – billc.cn Nov 23 '15 at 14:57
  • 4
    Celeritas - DRM completely fails to combat piracy. The only reason it is used at all is because large corporates in the music and video industry still have a lot of power. It makes them money - it does not stop piracy at all! – Rory Alsop Nov 24 '15 at 17:54
  • 1
    @RoryAlsop `It makes them money - it does not stop piracy at all!` how does it make them money then? – Sebi Apr 22 '16 at 14:51
3

The WMV file in question was probably crafted to exploit a vulnerability in Windows Media Player. The explicit request to use Windows Media Player to play it points in that direction. It was probably intended to steer victims away from other players which wouldn't be vulnerable to the exploit.

The vulnerability was then exploited to request download of a malware program disguised as a codec installation package, a popular ploy since users would expect codec installation when playing a media file.

Tilman Schmidt
  • 871
  • 4
  • 7