Source: http://www.integratedmar.com/flod/story.cfm?item=125

Attack of the Video Codecs
November 16, 2006
As downloading video becomes increasingly popular, so does the downloading of malicious software. TrendLabs has witnessed a spike in the number of threats downloaded through Trojan codec files since March of this year.
At issue are codec files (the files used to support the streaming or transmission of video signals) with .ASX and .ASF extensions. ASF (Advanced Streaming Format) is a media format created by Microsoft. Audio and/or video files compressed with a variety of codecs may be stored in the ASF format and then streamed for viewing. ASX (Advanced Streaming Redirector) files are textual command files that manage the streaming of ASF files.
The infection process begins when a user downloads a purported movie file with the .ASX extension. These ASX files can contain redirection links to malicious sites that host fake ASF content. One example is TROJ_ASXLOAD and its variants, such as TROJ_ASXLOAD.A. It loads a blank ASF file that displays a message saying that additional codecs must be installed before the video can be viewed.
A "helpful" link is displayed to let the user know where the additional codec can be downloaded.
The "additional codec" is really a downloader Trojan called TROJ_ADLOAD.EK.
The downloader Trojan is installed deep into the system. Its methods can include installing itself as a Browser Helper Object (BHO) that poses as a Google, Yahoo, or Earthlink toolbar. It can also use ActiveX to serve up various adware pop-ups.
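A defender-side check for the ASX redirection chain described above, added here as an example and not code from the article or from Trend Micro: it scans an ASX playlist for references that pull content from remote hosts and for clickable MoreInfo links, the two mechanisms a fake-codec lure relies on. The sample playlist, its hostnames (placeholders under the reserved .invalid TLD), and the tag and extension lists are constructed assumptions; ASX tags are case-insensitive and frequently not well-formed XML, so the scan is a tolerant regex pass rather than a strict XML parse.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: an ASX "movie" whose entry redirects to remote ASF content
# and carries a MoreInfo link of the kind a fake-codec lure presents to the
# viewer. Hostnames are placeholders under .invalid, not real indicators.
SAMPLE_ASX = """<ASX version="3.0">
  <TITLE>Season Finale - Episode 22</TITLE>
  <ENTRY>
    <REF HREF="http://media.example.invalid/episode22.asf" />
    <MOREINFO HREF="http://codec.example.invalid/get_codec.exe" />
  </ENTRY>
</ASX>
"""

# Assumed lists for this example; tune them to the environment.
MEDIA_EXTENSIONS = {".asf", ".wmv", ".wma", ".wmx", ".avi", ".mp3"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".msi"}
REMOTE_SCHEMES = {"http", "https", "mms", "mmsh", "mmst", "rtsp", "ftp"}

# Matches <REF>, <ENTRYREF> and <MOREINFO> tags and captures their HREF value,
# regardless of tag or attribute case.
_TAG_HREF = re.compile(
    r"<\s*(ref|entryref|moreinfo)\b[^>]*?\bhref\s*=\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


@dataclass
class AsxFinding:
    tag: str
    href: str
    reasons: list[str] = field(default_factory=list)


def _extension(path: str) -> str:
    """Return the lower-cased extension of the last path component, or ''."""
    last = path.rsplit("/", 1)[-1]
    return last[last.rfind("."):].lower() if "." in last else ""


def scan_asx(text: str) -> list[AsxFinding]:
    """Return one finding per reference that a reviewer should look at."""
    findings: list[AsxFinding] = []
    for match in _TAG_HREF.finditer(text):
        tag, href = match.group(1).lower(), match.group(2).strip()
        parsed = urlparse(href)
        scheme = parsed.scheme.lower()
        ext = _extension(parsed.path if scheme else href)
        reasons: list[str] = []
        if scheme in REMOTE_SCHEMES:
            reasons.append(f"remote {scheme} reference")
        if tag in ("ref", "entryref") and ext not in MEDIA_EXTENSIONS:
            reasons.append("reference does not point at a media file")
        if tag == "moreinfo":
            reasons.append("clickable MoreInfo link shown to the viewer")
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("MoreInfo target is an executable")
        if reasons:
            findings.append(AsxFinding(tag, href, reasons))
    return findings


def is_suspicious(text: str) -> bool:
    """True when any reference leaves the local machine or links to a binary."""
    return any(
        "executable" in r or r.startswith("remote")
        for f in scan_asx(text)
        for r in f.reasons
    )


if __name__ == "__main__":
    for finding in scan_asx(SAMPLE_ASX):
        print(f"<{finding.tag}> {finding.href}")
        for reason in finding.reasons:
            print(f"    - {reason}")
    print("suspicious:", is_suspicious(SAMPLE_ASX))
```

A playlist that only names a local .asf file produces no findings; the sample above yields two, because the entry fetches its content from a remote host and the MoreInfo link points at an executable rather than a codec page.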
Additional downloaders may also be installed. TrendLabs has witnessed the installation of TROJ_ZLOB.ANT, which modified the DNS entries on the host computer so that users are redirected to other malicious sites.
TROJ_ZLOB variants, in turn, download other pieces of malicious code from various websites. These can include a fake adware pop-up that shows a fake scan result. The fake result then provides users with a link to a rogue anti-spyware download site.
"We've heard about gangs that are doing spam and other illegal activities," said Jamz Yaneza, Senior Threat Analyst with Trend Micro.
"One of these gangs is stealing codec information. They've got branches in Italy, the US, and various countries. They use the actual codecs, or the site where you have to go to buy the codec, or they try to sell you rogue anti-spyware by installing spyware on your system. And the rogue anti-spyware is actually spyware, but it gives you a pop-up that says 'You've been infected and we can't clean your system until you buy this anti-spyware product. Enter your credit card and personal information now.' The user's financial information is stolen when the rogue anti-spyware is purchased."
The increase in threats from ZLOB installations is attributed to a rising number of people becoming aware of video streaming technologies, and to the corresponding rise in the number of hosting sites, such as YouTube and Rocket Boom.
A reason for the particularly large spike experienced during the period from April to August is that this is when many TV fans download missed episodes of their favorite shows. The last episode of the season is usually released after April, and the new season starts by October or November.
On the peer-to-peer (P2P) networks where most downloading takes place, there is almost no moderation of malicious content. (Please see attached graph: Single Instance indicates unique infections; Multiple Instances indicates actual repeated infections from the same user base.)
Fake codecs are another form of downloaded web threat, and another attempt at gaining illicit profit from unsuspecting users. Aside from the use of codecs, an alternative method used to entice users is phishing emails.
For example, TROJ_SMITFRAUD.A modifies a Windows Dynamic Link Library (DLL) file and downloads a spyware Trojan that monitors network traffic (as #5 above).
"Most of these attacks are codec-based," said Jamz.
"Previously, after you loaded the video you could rename the extension to .AVI or .WMV. But now when you open Windows Media Player, it recognizes it and redirects to whatever .ASF and .ASX do. It's all basically fraudulent activity. We'll continue to see these types of threats as more people and countries get online and engage in advanced activities like viewing videos."