
Infected Audio files


11 replies to this topic

#1 Vmerc

  • Members
  • 7 posts

Posted 13 September 2011 - 09:48 AM

I've been helping a co-worker with her home computer (running WinXP SP3) and recently did a full clean up on the system. It had a bootkit and a cavalcade of various malware. After getting it clean and running I implemented a few anti-malware mechanisms including reduced-permission versions of IE, WMP, and Firefox using "Drop My Rights". The standard protections are covered with MSSE, SpyBot (with TeaTimer and immunizations), SuperAntiSpyware, and Malwarebytes. Unfortunately the system is continuing to get reinfected, and I suspect it's because a user is using LimeWire/FrostWire to get music files. Since it's not my place to uninstall a user's software, I need to figure out how to stop infected WMA files or imposter audio files from continuing to infect the system. I thought the reduced-rights WMP would do it, but I think the user is still clicking on the file instead of launching through the safe-mode shortcut.

Ideas I have include:

Change all audio files' Run command to point to the safe-mode command line.

Change WMA files' Run command to point to an encoder command line that would recode the WMA to an MP3. (I saw a lot of infected WMA files during the last scan.)

How feasible are these ideas? Of course the user would have some inconvenience with the recoding since they would have to open the new MP3 file after, but they would still be able to listen to the music.

Any other tips would be greatly appreciated.



#2 Didier Stevens

  • BC Advisor
  • 2,672 posts

Posted 13 September 2011 - 10:03 AM

Any other tips would be greatly appreciated.


I've developed a tool, LowerMyRights.dll, which can be used to lower the rights of WMP any way it is launched.
http://blog.didierstevens.com/2010/10/04/lowermyrights/

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Didier Stevens

  • BC Advisor
  • 2,672 posts

Posted 13 September 2011 - 10:05 AM

And another idea: you can use Software Restriction Policies to restrict execution to programs located in c:\Windows and c:\Program Files.
Any other program (including malware) which is not located in c:\Windows and c:\Program Files will not be allowed to run.

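The Software Restriction Policy suggested above is normally configured through secpol.msc, but the same policy can be delivered as a registry import, which is handy when you want to reproduce it on a machine you only see occasionally. The script below is an added example, written for this page and not part of the thread or of Didier Stevens' tools. It assumes the SRP storage layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes, and GUID-named path rules under <level>\Paths with ItemData and SaferFlags), the .reg hex(2)/hex(7) encodings for REG_EXPAND_SZ and REG_MULTI_SZ, and the Windows XP "Designated File Types" list, which is reproduced from memory and should be compared with the snap-in before relying on it. The folders in the deny list are examples of subfolders of %SystemRoot% that ordinary users can usually write to; verify the ACLs on the target before trusting that list.

```python
"""Build a .reg import that enables a Software Restriction Policy: default
level Disallowed, execution allowed only from %SystemRoot% and %ProgramFiles%,
and user-writable subfolders of %SystemRoot% denied again so they cannot be
used to sidestep the allow rule (the more specific path rule wins)."""
import uuid

# Registry layout assumed from how the SRP snap-in stores its policy.
SAFER = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
         r"\Safer\CodeIdentifiers")
DISALLOWED = 0x00000    # SAFER level id: nothing runs unless a rule allows it
UNRESTRICTED = 0x40000  # SAFER level id: runs with the user's full rights

# Windows XP "Designated File Types" (from memory; compare with secpol.msc).
EXECUTABLE_TYPES = ("ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS "
                    "ISP LNK MDB MDE MSC MSI MSP MST OCX PCD PIF REG SCR SHS "
                    "URL VB WSC").split()


def reg_hex(type_id: int, data: bytes) -> str:
    """Serialise raw value bytes the way regedit expects: hex(<type>):aa,bb,..."""
    return f"hex({type_id:x}):" + ",".join(f"{b:02x}" for b in data)


def reg_expand_sz(text: str) -> str:
    """REG_EXPAND_SZ (type 2): UTF-16LE string followed by a NUL terminator."""
    return reg_hex(2, text.encode("utf-16-le") + b"\x00\x00")


def reg_multi_sz(items) -> str:
    """REG_MULTI_SZ (type 7): each string NUL-terminated, list ends with an empty string."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in items) + b"\x00\x00"
    return reg_hex(7, data)


def path_rule(level: int, path: str, description: str, rule_id: str = None) -> str:
    """One SRP path rule: a GUID-named subkey under CodeIdentifiers\\<level>\\Paths.
    The level subkey is the decimal SAFER level id (0 = Disallowed, 262144 = Unrestricted)."""
    rule_id = rule_id or "{%s}" % str(uuid.uuid4()).upper()
    return "\n".join([
        f"[{SAFER}\\{level}\\Paths\\{rule_id}]",
        f'"Description"="{description}"',
        f'"ItemData"={reg_expand_sz(path)}',
        '"SaferFlags"=dword:00000000',
        "",
    ])


def srp_policy(allow=("%SystemRoot%", "%ProgramFiles%"),
               deny=("%SystemRoot%\\Temp", "%SystemRoot%\\Tasks"),
               check_dlls=False, exempt_admins=False) -> str:
    """Return the complete .reg text for the policy."""
    transparent = 2 if check_dlls else 1   # 1 = programs only, 2 = DLLs too
    scope = 1 if exempt_admins else 0      # 0 = everyone, 1 = skip local admins
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{SAFER}]",
        f'"DefaultLevel"=dword:{DISALLOWED:08x}',
        f'"TransparentEnabled"=dword:{transparent:08x}',
        f'"PolicyScope"=dword:{scope:08x}',
        '"AuthenticodeEnabled"=dword:00000000',
        f'"ExecutableTypes"={reg_multi_sz(EXECUTABLE_TYPES)}',
        "",
    ]
    for p in allow:
        lines.append(path_rule(UNRESTRICTED, p, f"Allow {p}"))
    for p in deny:
        # A Disallowed rule on a subfolder is more specific than the
        # Unrestricted rule on its parent, so it takes precedence.
        lines.append(path_rule(DISALLOWED, p, f"Deny user-writable {p}"))
    return "\n".join(lines)


if __name__ == "__main__":
    # regedit expects Version 5.00 files in UTF-16 with a BOM.
    with open("srp_lockdown.reg", "w", encoding="utf-16") as f:
        f.write(srp_policy())
```

Import the result with `regedit /s srp_lockdown.reg` and log off and on again for the policy to take effect. Two settings deserve attention on a machine like the one in this thread: with PolicyScope left at 0 the policy also binds local administrators, which is what you want if the everyday account is an administrator, but it means your own cleanup tools on the Desktop will refuse to run until you disable the policy; and if you raise TransparentEnabled to 2 so that DLLs are checked as well, any DLL you load into WMP through AppInit has to live under an allowed path. The policy stops dropped payloads from executing out of user-writable locations; it does nothing against code that stays inside an already-allowed player process, which is why the reduced-rights approach remains useful alongside it.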


#4 Vmerc
  • Topic Starter
  • Members
  • 7 posts

Posted 13 September 2011 - 10:34 AM

I've developed a tool, LowerMyRights.dll, which can be used to lower the rights of WMP any way it is launched.
http://blog.didierstevens.com/2010/10/04/lowermyrights/


Do I understand correctly that I need to use the import table instructions to hook the WMP process?

How do I implement this tool to run all the time when WMP is launched?

#5 Vmerc
  • Topic Starter
  • Members
  • 7 posts

Posted 13 September 2011 - 12:37 PM

And another idea: you can use Software Restriction Policies to restrict execution to programs located in c:\Windows and c:\Program Files.
Any other program (including malware) which is not located in c:\Windows and c:\Program Files will not be allowed to run.


That is a very good idea. I could also select folders to blacklist and that would be convenient and secure in this case. I would still have to deal with the apparent infection from actual audio files that contain player exploits. Based on the results of the scanners I used, I am guessing that WMA files are the most commonly infected audio files.

#6 Vmerc
  • Topic Starter
  • Members
  • 7 posts

Posted 13 September 2011 - 12:53 PM

Never mind. I found the link to the additional DLL that you posted on the article. I believe this will work nicely.

Thanks for your help.

#7 Vmerc
  • Topic Starter
  • Members
  • 7 posts

Posted 13 September 2011 - 12:55 PM

So the "edit" function here seems to elude me. I was saying never mind to my questions about loading into WMP every time.

Thanks.

#8 Didier Stevens

  • BC Advisor
  • 2,672 posts

Posted 13 September 2011 - 01:53 PM

Do I understand correctly that I need to use the import table instructions to hook the WMP process?


That is one way to do it, but most likely not the best in your situation, because an update to WMP or a new release would mean that your hook is lost and you have to do it again.
I believe in your case it's better to use the AppInit_DLL registry key, or, if you want more control, my LoadDLLViaAppInit tool, which is like a proxy for the AppInit_DLL registry key.


#9 Didier Stevens

  • BC Advisor
  • 2,672 posts

Posted 13 September 2011 - 01:55 PM

Based on the results of the scanners I used, I am guessing that WMA files are the most commonly infected audio files.


You mean that the scanners you used on that PC identified a bunch of WMA files as malware?


#10 Vmerc
  • Topic Starter
  • Members
  • 7 posts

Posted 13 September 2011 - 06:29 PM


Based on the results of the scanners I used, I am guessing that WMA files are the most commonly infected audio files.


You mean that the scanners you used on that PC identified a bunch of WMA files as malware?



Yes that's right. Among hundreds of other files and entries.

#11 Didier Stevens

  • BC Advisor
  • 2,672 posts

Posted 14 September 2011 - 01:49 AM

Yes that's right. Among hundreds of other files and entries.


Do you still have the results? Can you post the name of the AV and the name it gave to the malware infecting the WMA file?
Just out of curiosity.


#12 Vmerc
  • Topic Starter
  • Members
  • 7 posts

Posted 14 September 2011 - 09:35 PM


Yes that's right. Among hundreds of other files and entries.


Do you still have the results? Can you post the name of the AV and the name it gave to the malware infecting the WMA file?
Just out of curiosity.


Sorry, if that log was saved, I don't have access to the computer right now. If I am asked to clean it off again I'll look for that info.



