It’s been a common Windows malware trick for years: you download some dubious video, it claims it won’t play unless you install a “codec”, but the file you’re offered is a Trojan or virus. Oops.
You might think you’d never be caught out by something so obvious, but it only takes a moment, you’re not paying attention, and — too late.
It pays to learn a little about how these attacks work, then, because they just might help you spot the danger signs.
The starting point is the video, which will be a fake, a dummy, and not what the name promises. Give it to most media players and they’ll just display errors.
If you’re using a good player then this should be suspicious in itself. Dragging and dropping the video onto a hex editor like HxD may give you some clues.
If the file is all zeroes or repeated text filler, like “XXXPADDINGXXXPADDINGXXX”, then that’s a very good sign that something is drastically wrong.
Some basic understanding of video file structures can help, too. AVI files start with letters “RIFF”, for instance, and you’ll normally see other recognizable words in the first few bytes (the file codec, like XVID, for example) — unless the file is fake.
While this works sometimes, you can’t rely on it, unfortunately. Smart attackers will use real headers with binary garbage for content, and the files will look just like the real thing.
The more devious trick abuses Windows Media Player’s DRM system to persuade you to download a “codec”, or some other component it claims will help you play the movie.
The first sign of trouble will be a recommendation that you play the video in Windows Media Player, because this is somehow better. Total garbage, of course, but this attack only works in Windows Media Player, so the attacker needs to persuade you to use it (assuming you’re not already).
If you fall for this, double-click a hacked WMV file, a window will open which sort-of looks like a Windows Media Player dialog (see the grab for an example). The text will try to persuade you that this will be fixed if you click a button, and download a file, which you’ll obviously think is safe to run. After all, Windows Media Player has prompted you to download it.
The first item to check here is the caption of the dialog. In our example it’s “Media Usage Rights Acquisition”, which means the video is abusing the DRM system — nothing directly to do with any codecs.
This matters because the DRM technology allows videos to contain an embedded URL, and that’s what you’re seeing in the rest of the dialog: it’s a web page, not an official Windows Media Player dialog.
The main clue here is that the web page domain should be displayed immediately below the title bar, and it won’t be microsoft.com or anything even faintly official.
If you’re curious, using HxD should give you the URL within the file (it’ll be inside a <WRMHEADER> tag). We wouldn’t recommend you visit it — too dangerous — but we checked out an example and the Download button essentially ran this.
<a href=”ht*p://www.dropbox.com/s/66buv***p4g99lr/CodecFix2.0.exe?dl=1″ target=”_self” rel=”nofollow”><img src=”down.png” id=”download” ></a>
Even if you click, there are more signs of trouble — you’ll be prompted to save or run the file, the source would be given as Dropbox, so this hardly looks like some official, automatic, Windows-sanctioned process.
Still, the fact that this attack is still being used suggests it works, so be careful, look out for fake dialogs and unexpected downloads, and best of all, don’t use Windows Media Player. Especially if a file recommends it. Try VLC or KMPlayer instead.