Last Updated: 2008-04-29 09:32:42 UTC
by Bojan Zdrnja (Version: 2)
Recently one of our readers, Doug, sent us an ASF file that does something interesting: when you open it in Windows Media Player, it will immediately launch Internet Explorer which will then prompt you to download an executable file.
As I don't see this every day, I went to investigate this a bit further. According to Microsoft, the ASF file format (and possibly other formats) allows creation of a script stream. The script stream can carry a small set of simple script commands that Windows Media Player acts on. This information is available at http://msdn2.microsoft.com/en-us/library/aa390699(VS.85).aspx
Now, the malicious ASF file we received opened Internet Explorer with the URL pointing to hxxp://www.fastmp3player.com/affiliates/772465/1/?embedded=false. This web site then issued a further 302 redirect to hxxp://www.fastmp3player.com/affiliates/772465/1/PLAY_MP3.exe (both links are still working), which is some adware and is reasonably detected by 20 out of 32 AV programs on VirusTotal.
While the payload is more or less standard, I was more interested in ways of dissecting the ASF file itself, but I didn't manage to find many tools that do this, especially not on Linux.
One way I found to view the script stream in an ASF file is Windows Media File Editor, a handy utility that ships with Windows Media Encoder.
As you can see below, it correctly identifies the script command. A big problem with this utility, however, is that it actually executes the script command before letting you see it (which starts Internet Explorer and ends up offering the executable).
While this attack is not sophisticated at all (and there is no real exploit here, just a "feature"), one thing that does keep me worried is the fact that this can be used to launch a browser on machines which are not patched, through Windows Media Player. And this, of course, works with the latest and greatest WMP on Vista.
Last thing – a call to our readers – if you know of a utility that allows nice (and safe) parsing of this, let us know.
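As an added example (not a tool from the diary or from Microsoft), here is a minimal Python walker that lists the commands in an ASF Script Command Object without ever executing them, which is what a safe triage of a sample like this needs. The object GUIDs and field layout follow the public ASF specification as I understand it; `build_sample()` constructs a header-only test file with one URLANDEXIT command pointing at a made-up URL, so the example runs offline.

```python
import struct
import uuid

# Object GUIDs from the public ASF specification; files store them little-endian.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
SCRIPT_RESERVED_GUID = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")

def parse_script_commands(data: bytes) -> list:
    """Walk the Header Object and return (time_ms, command_type, text) triples."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file (no Header Object)")
    header_size, child_count = struct.unpack_from("<QI", data, 16)
    pos, commands = 30, []   # 16 GUID + 8 size + 4 count + 2 reserved bytes
    for _ in range(child_count):
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > min(header_size, len(data)):
            raise ValueError("corrupt object size")   # never trust declared sizes
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            commands.extend(_parse_script_object(data, pos + 24, pos + size))
        pos += size   # unknown objects (stream properties etc.) are skipped
    return commands

def _parse_script_object(data, pos, end):
    pos += 16     # reserved GUID
    cmd_count, type_count = struct.unpack_from("<HH", data, pos)
    pos += 4
    names, out = [], []
    for _ in range(type_count):          # command type table, e.g. URLANDEXIT
        (n,) = struct.unpack_from("<H", data, pos)          # length in WCHARs
        names.append(data[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * n
    for _ in range(cmd_count):           # the commands themselves
        t_ms, t_idx, n = struct.unpack_from("<IHH", data, pos)
        out.append((t_ms, names[t_idx], data[pos + 8:pos + 8 + 2 * n].decode("utf-16-le")))
        pos += 8 + 2 * n
    if pos > end:
        raise ValueError("script command object overruns its declared size")
    return out

def build_sample(url: str) -> bytes:
    """Constructed header-only ASF carrying one URLANDEXIT command at t=0 (test data)."""
    def wstr(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = SCRIPT_RESERVED_GUID.bytes_le + struct.pack("<HH", 1, 1) + wstr("URLANDEXIT")
    body += struct.pack("<IH", 0, 0) + wstr(url)
    script = ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(script), 1, 1, 2) + script
```

On a real file, read the whole file into `data` and look for URLANDEXIT or URL entries; a truncated file raises `struct.error`, a tampered size raises `ValueError`.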
Steve Basford and Peter Kruse mentioned that it is possible to disable this "feature" in Windows Media Player by modifying certain registry keys:
And change values to:
- PlayerScriptCommandsEnabled: 0 (disabled) - the default is already 0 (disabled)
- WebScriptCommandsEnabled: 0 (disabled) - the default is 1 (enabled)
- URLAndExitCommandsEnabled: 0 (disabled) - the default is 1 (enabled)
A bit more information is available at http://support.microsoft.com/kb/320944 as well. The keys might not exist, and of course be very careful when changing anything in the registry, but seeing these attacks I think we would definitely recommend disabling script commands.