
Researcher disinfects multimedia Trojans

By Robert Westervelt, News Editor
20 Aug 2008 | SearchSecurity.com


A Polish security researcher who is investigating how attackers are using a multimedia Trojan to infect audio and video files on peer-to-peer networks has created a tool to cure infected files.


Marcin Noga, a security researcher with Hispasec Sistemas, said the multimedia Trojan, which was discovered by antivirus vendors in July, has the ability to dupe antivirus vendors.

The Trojan, dubbed GetCodec, is written to embed itself in Microsoft's Advanced Systems Format (ASF), infecting Windows Media Audio (WMA) and Windows Media Video (WMV) files. When an infected media file is opened, the Windows Media Player is redirected to a malicious site hosting a fake codec and malware.

According to Noga's reverse engineering analysis, the malware makers can change the URL for the coder/decoder (codec) download on the server side, delivering any type of content and updating the file as quickly as antivirus vendors update their signatures. So far, it's been successfully spreading throughout P2P networks and could be a menace in corporate environments, government agencies and schools, Noga said.
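The two paragraphs above describe the infection vector (a redirect embedded in the ASF container) and why signature-based detection lags (the URL is changed server-side). A defender's first question is therefore not "which URL?" but "does this WMA/WMV file carry a player-redirect instruction at all?". The following Python scanner is an added example written for this page; it is not Noga's disinfector or any tool mentioned in the article. It assumes that the redirect is carried in an ASF Script Command Object (the article does not name the mechanism; the GUIDs and object layout below follow the public ASF specification), and the sample files, command names and URL it parses are constructed inline for illustration.

```python
import struct
import sys
import uuid

# Top-level ASF object GUIDs from the public ASF specification.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("7BF875CE-468D-11D1-8D82-006097C9A2B2")
ASF_CONTENT_DESCRIPTION_OBJECT = uuid.UUID("75B22633-668E-11CF-A6D9-00AA0062CE6C")


def guid_from_bytes(raw):
    # ASF stores GUIDs in the Windows mixed-endian layout (first three fields little-endian).
    return uuid.UUID(bytes_le=raw)


def iter_header_objects(data):
    """Yield (guid, payload) for each child object inside the ASF Header Object."""
    if len(data) < 30 or guid_from_bytes(data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF container")
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos = 30  # 16-byte GUID + 8-byte size + 4-byte object count + 2 reserved bytes
    end = min(header_size, len(data))
    for _ in range(count):
        if pos + 24 > end:
            break  # truncated header: stop rather than read past it
        guid = guid_from_bytes(data[pos:pos + 16])
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # bogus size field: refuse to follow it
        yield guid, data[pos + 24:pos + size]
        pos += size


def parse_script_commands(payload):
    """Return [(presentation_time_ms, command_type, command_name)] from a Script Command Object."""
    commands_count, types_count = struct.unpack_from("<HH", payload, 0)
    pos = 4
    types = []
    for _ in range(types_count):
        n = struct.unpack_from("<H", payload, pos)[0]  # length in UTF-16 characters
        pos += 2
        types.append(payload[pos:pos + 2 * n].decode("utf-16-le"))
        pos += 2 * n
    commands = []
    for _ in range(commands_count):
        t_ms, type_idx, n = struct.unpack_from("<IHH", payload, pos)
        pos += 8
        name = payload[pos:pos + 2 * n].decode("utf-16-le")
        pos += 2 * n
        type_name = types[type_idx] if type_idx < len(types) else "?"
        commands.append((t_ms, type_name, name))
    return commands


def scan_asf(data):
    """Return every script command found in the header; an empty list means no redirect instruction."""
    findings = []
    for guid, payload in iter_header_objects(data):
        if guid != ASF_SCRIPT_COMMAND_OBJECT:
            continue
        try:
            findings.extend(parse_script_commands(payload))
        except (struct.error, UnicodeDecodeError):
            # A script object we cannot parse is still worth flagging for a human.
            findings.append((0, "MALFORMED", "script command object could not be parsed"))
    return findings


# --- constructed sample files (not real malware samples) ---------------------------------

def build_object(guid, payload):
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def build_script_command(commands, types):
    body = struct.pack("<HH", len(commands), len(types))
    for t in types:
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for t_ms, idx, name in commands:
        body += struct.pack("<IHH", t_ms, idx, len(name)) + name.encode("utf-16-le")
    return build_object(ASF_SCRIPT_COMMAND_OBJECT, body)


def build_asf_header(children):
    body = b"".join(children)
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(body), len(children), 1, 2) + body


# A benign file: header with only a (zeroed) Content Description Object.
CLEAN_SAMPLE = build_asf_header([build_object(ASF_CONTENT_DESCRIPTION_OBJECT, b"\x00" * 10)])
# A file carrying a URLANDEXIT command pointing at a placeholder host (constructed, not a real IoC).
SUSPECT_SAMPLE = build_asf_header([
    build_object(ASF_CONTENT_DESCRIPTION_OBJECT, b"\x00" * 10),
    build_script_command([(0, 0, "http://example.invalid/getcodec")], ["URLANDEXIT"]),
])

if __name__ == "__main__":
    # Usage: python asf_scan.py file1.wmv file2.wma ...  (with no arguments, scans the built-in samples)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("CLEAN_SAMPLE", CLEAN_SAMPLE), ("SUSPECT_SAMPLE", SUSPECT_SAMPLE)]
    for name, data in targets:
        for t_ms, ctype, cmd in scan_asf(data):
            print(f"{name}: script command at {t_ms} ms, type={ctype!r}, value={cmd!r}")
```

Because the check keys on the presence of a script command rather than on a particular URL, it does not go stale when the operators rotate the download location server-side; in a corporate setting the same walk over the header objects can be run against files arriving from file shares or P2P clients before they reach a player.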

"This is yet another example of how the combination of technique and social engineering is a nice cocktail when aiming at high propagation rates," Noga wrote in a research paper entitled "GetCodec Multimedia Trojan Analysis."

Noga released a multimedia Trojan disinfector that he says could cure infected files.

In an email exchange, Noga said the GetCodec Trojan isn't complicated and appeared to have unfinished code. Currently the Trojan is infecting files at very low levels, he said.

"The author used standard Windows APIs and appropriate COM interfaces to search and manipulate data," Noga said. "It didn't contain an anti-debug mechanism or a Virtual Machine detection technique, which I have the 'pleasure' to often see in bank Trojans."

Researchers at Secure Computing Corp. were among the first to spot the new media Trojan. A similar attack was detected in May when McAfee Inc. discovered infections on more than 360,000 machines.
