
Codec invasion

March 31st, 2008

A codec is a program needed to play certain types of media files. You may have come across them when you downloaded a movie but couldn’t play it because a codec was required. Popular formats such as DivX require specific software for playback. The advantage of codecs is that they usually let you play high-quality media files while keeping them much smaller than Windows’ default WMV format.

Some websites use special codecs to stream video; YouTube uses Flash to stream theirs. The major players like Apple or Sony also use proprietary formats.
The problem is that we are flooded with tons of file formats, codecs, etc. To watch the latest YouTube video on your iPod, you need special tools to convert the media into something it can read.

I guess malware authors saw this as an opportunity to launch their own codecs nicely bundled with nasty Trojans. They focus on pornographic content, a good bait that works on a large scale.

Hackers trick the user into installing the codec in order to view the video. Once installed, the codec launches its payload: an explosion of pop-ups, rootkits and fake anti-spyware programs that bring the machine to a crawl.


Figure 1: after installing a fake codec

A common trick is to use YouTube-like content: logos, a YouTube-style video player… It makes the user feel more at home and gives them the impression they’re doing something familiar.


Figure 2: YouTube knock-off


Figure 3: a familiar player with a prompt for a codec download


Figure 4: the codec installer which bundles Trojans

Those codecs are created on demand, so to speak. Each time you visit the webpage, a new identifier is created (Figure 5).


Figure 5: URL changes constantly

In order to evade signature detection by AV products, the codecs are repacked so that every download has a different MD5. MD5 is a cryptographic hash function used to check the integrity of files.
An MD5 hash consists of 32 hexadecimal characters (e.g. F57E5CAE3AA7E90BD79D18720FFC6C58).


Figure 6: MD5 signatures are different for each codec

A traditional AV product will look up the file’s MD5 in its signature database; if it isn’t found, the file is allowed to execute. It’s nearly impossible to keep up with the production of new malware samples, and it doesn’t really make sense to bloat a database with millions of MD5s.

That’s where heuristic detection can come in handy. It is not based on exact identification but looks at different aspects of the binary. For example, unusual settings in the headers of a Windows executable may be a sign of malware. This technique has drawbacks though, because of the risk of false positives: it is very easy to wrongly flag legitimate files as malicious.
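As an added illustration (not code from the original post), the following Python models the two detection approaches discussed above on constructed data: a per-download repack that defeats MD5 signature matching, and an entropy heuristic that catches the repacked sample but also flags a legitimate compressed archive, showing the false-positive trade-off. The sample bytes, the 7.2-bit threshold and all function names are assumptions.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Constructed stand-ins, not real binaries: seeded pseudo-random bytes play
# the packed fake-codec payload (packed/encrypted code looks statistically
# alike), a repeated sentence plays a plain file, a zlib blob an archive.
PACKED_BODY = random.Random(2008).randbytes(4096)
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 100
LEGIT_ARCHIVE = zlib.compress(random.Random(7).randbytes(4096))

def repack(body: bytes, download_id: int) -> bytes:
    """Mimic the per-download repacking: the same payload gets a different
    trailer each time, so no two downloads share an MD5."""
    return body + download_id.to_bytes(4, "big")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()   # 32 hex characters

def signature_match(data: bytes, blocklist: set) -> bool:
    """Traditional AV check: flag the file only if its exact MD5 is known."""
    return md5_hex(data) in blocklist

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for packed/encrypted data, 4-5 for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def heuristic_match(data: bytes, threshold: float = 7.2) -> bool:
    """Heuristic check: knows nothing about this sample, judges a property."""
    return shannon_entropy(data) > threshold

def demo() -> dict:
    first = repack(PACKED_BODY, 1)     # sample the vendor got hold of
    second = repack(PACKED_BODY, 2)    # the next visitor's download
    blocklist = {md5_hex(first)}       # signature database after analysis
    return {
        "same_md5": md5_hex(first) == md5_hex(second),      # False
        "sig_first": signature_match(first, blocklist),     # True
        "sig_second": signature_match(second, blocklist),   # False: missed
        "heur_second": heuristic_match(second),             # True: caught
        "heur_plain": heuristic_match(PLAIN_TEXT),          # False
        "heur_archive": heuristic_match(LEGIT_ARCHIVE),     # True: false positive
    }
if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```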

Real-time blocking can help as well, by stopping a process from doing things that may affect the system. Once again, it requires a lot of fine tuning to avoid false positives.

The best protection against those fake codecs remains caution. Your own judgement is better than any antivirus program. If other people use your computer, you can also set them up with guest accounts. Such accounts have limited privileges and act as a shield in front of the operating system and its core components.

Apple’s Mac is now being targeted by the fake video codecs as well.
It’s not often we see a crossover to a different platform, but this clearly shows how popular the scheme has become.

Jerome Segura

This entry was posted on Monday, March 31st, 2008 at 9:13 am and is filed under Fake codecs.

Jerome Segura is a Security Analyst working at ParetoLogic.
