Why bother buying a zero-day when casual piracy and old code can p0wn thousands?
Net scum are still finding ways to take down users with a decade-old Windows Media Player attack.
The vector is a reborn social-engineering hatchet job, not seen in years, in which attackers convince users to run executable content through Windows Media Player’s Digital Rights Management (DRM) functionality.
Windows Media Player will throw a DRM warning whenever users do not have the rights to play content, opening a URL through which a licence can be acquired.
Now malware villains are packing popular movies with malicious links so that the DRM warning leads to sites where users are fooled into downloading trojans masquerading as necessary video codecs.
Malware researchers Amitay Dan of Cybermoon and Avi Turiel of Cyren (@popshark1) say the popular 2016 flick War Dogs was trojanised and served to victims over bittorrent.
“The abuse of this DRM link functionality was first reported over 10 years ago – it resurfaces every few years – but it appears that the threat is little known and is now being used once again,” Turiel says.
“User downloads infected media – in this case War-Dogs-2016-720p-BrRip-x264-SiNNERS … using BitTorrent, but it could come from any download source.”
Users are directed to click a download button which pulls a malware dropper from xvidcodecrepair.com, plus real DivX codecs to provide cover for the infection.
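The lure depends on a licence-acquisition URL embedded in the media file's own DRM header, so a defender can triage a download before it is ever opened in a player. The script below is an added example, not code from the article or from the researchers quoted in it: it walks the top-level header of an ASF-container file (WMV/WMA), pulls out any DRM Content Encryption Object and the licence URL it carries, and flags the file if that URL's host is not on a caller-supplied allowlist. The container layout (header GUID, object count, length-prefixed fields inside the Content Encryption Object) is taken from the public ASF specification as I recall it and is stated as an assumption in the comments; the newer Extended Content Encryption Object (WRMHEADER XML) is not parsed. The sample file, the hostnames and the allowlist are all constructed for the demo. A pirated rip has no business carrying DRM at all, so any such object in a torrented file is itself worth a second look.

```python
"""Triage helper (added example, not the article's code): report DRM licence URLs in ASF media.

Layout assumptions, from the public ASF specification as recalled here:
  Header Object: GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C, QWORD total size,
                 DWORD sub-object count, two reserved bytes, then the sub-objects.
  Each sub-object: 16-byte GUID, QWORD size (GUID and size included), payload.
  Content Encryption Object: GUID 2211B3FB-BD23-11D2-B4B7-00A0C955FC6E; payload is
    four DWORD-length-prefixed fields: secret data, protection type ("DRM"),
    key ID and licence URL (the strings are NUL-terminated ASCII).
"""
import struct
import uuid
from urllib.parse import urlsplit

ASF_HEADER_GUID = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION_GUID = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")


def _guid(buf, off):
    # ASF stores GUIDs with little-endian Data1..Data3, which bytes_le handles
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16]))


def _lv(buf, off):
    """Read one DWORD-length-prefixed field; return (bytes, offset after it)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return bytes(buf[off:off + n]), off + n


def find_drm_objects(data):
    """Return one dict per Content Encryption Object found in the ASF header."""
    if len(data) < 30 or _guid(data, 0) != ASF_HEADER_GUID:
        return []  # not an ASF container (or truncated): nothing to inspect
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    off = 30
    found = []
    for _ in range(count):
        if off + 24 > end:
            break  # truncated header: stop instead of reading past the data
        gid = _guid(data, off)
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            break  # malformed object size: bail out (a real scanner would flag this too)
        if gid == CONTENT_ENCRYPTION_GUID:
            p = off + 24
            _secret, p = _lv(data, p)
            prot, p = _lv(data, p)
            key_id, p = _lv(data, p)
            url, p = _lv(data, p)
            found.append({
                "protection_type": prot.rstrip(b"\x00").decode("ascii", "replace"),
                "key_id": key_id.rstrip(b"\x00").decode("ascii", "replace"),
                "licence_url": url.rstrip(b"\x00").decode("ascii", "replace"),
            })
        off += size
    return found


def assess(data, trusted_hosts):
    """Classify a file as 'clean' (no DRM object), 'drm-trusted-url' or 'suspicious'."""
    objs = find_drm_objects(data)
    if not objs:
        return "clean", []
    verdicts = []
    for o in objs:
        host = (urlsplit(o["licence_url"]).hostname or "").lower()
        verdicts.append((o["licence_url"], "trusted" if host in trusted_hosts else "untrusted"))
    status = "drm-trusted-url" if all(v == "trusted" for _, v in verdicts) else "suspicious"
    return status, verdicts


def build_sample(licence_url):
    """Constructed sample: a minimal ASF header whose only sub-object is a DRM object."""
    def lv(b):
        return struct.pack("<I", len(b)) + b
    payload = (lv(b"\x00" * 4) + lv(b"DRM\x00") + lv(b"KEY1\x00")
               + lv(licence_url.encode("ascii") + b"\x00"))
    ceo = CONTENT_ENCRYPTION_GUID.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload
    return ASF_HEADER_GUID.bytes_le + struct.pack("<QI", 30 + len(ceo), 1) + b"\x01\x02" + ceo


if __name__ == "__main__":
    trusted = {"licence.example"}  # constructed allowlist of legitimate licence servers
    for url in ("http://licence.example/acquire?id=1", "http://codec-fix.example/get"):
        print(url, "->", assess(build_sample(url), trusted))
```

In practice the allowlist would hold the licence servers your organisation actually expects to see, and a non-empty result from `find_drm_objects` on a file that arrived via a torrent is worth alerting on regardless of the host, since the warning dialogue is the whole point of the lure.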
Microsoft warned of the attack vector in 2006 and includes a warning message in the DRM section of the now-crusty Windows Media Player that internet tricksters could pull down malicious content under the guise of licences.
Redmond did not, however, remove the DRM facility, leaving it a still-effective means of popping users.
An academic study last month found 90 percent of users will ignore security warnings if they are slightly distracted, meaning developers should throw messages only when their application has the user’s undivided attention.
The attack showcases just how easy it can sometimes be to compromise users with old exploits.
Exhibit B: the six-year-old Stuxnet worm was, as of May, still the internet’s chief pwning ram, according to Microsoft.
Word macros also remain remarkably effective despite decades of security alerts about allowing the scripts and Microsoft’s efforts to stop them running by default.
Trashed-but-treasured torrent site ThePirateBay had hosted the malicious torrent but has since scrubbed it.
In its place are legitimate BluRay rips of War Dogs with thousands of seeds and likely tens of thousands of downloads. ®