Geekly Articles each Day
📜 ⬆️ ⬇️

How dangerous is DRM-protection, or Video-virus part 2

image

Recollections

After I read the post about how TipTop could not watch a movie , I immediately remembered a similar incident. Once I opened a regular mp3 file, instead of starting to play, to my surprise, an unknown web page opened. The most interesting thing is that the page was opened in Internet Explorer (despite the fact that another browser was installed by default), and yet on that page, the author of the file could add some special exploit for IE.

At that moment I did not think about the page with the exploit and instead of carefully analyzing the file and understanding what the problem was, I just deleted it. The only thing I thought about when I saw the unusual behavior of the system is that someone rather original spins up his site. Several years have passed, but since then I have not seen such cases. After reading the article about the video virus, I decided that at least this time not to miss the opportunity to find out how safe are some of the most innocent and common files in the world.


')

Video File

And since dear TipTop, I left a comment indicating the link to the file, I did not waste time and quickly downloaded the torrent file. But I was not alone - at the same time with me the same video file was downloaded by about 15 more people who, I thought, also want to analyze it. But now I realized that most likely most of them had other intentions and did not know that today there will be no kin ©.

After the download was completed, knowing that other players cannot play this file, I immediately opened it in Windows Media Player, and the first thing I saw was the message: “Download media usage rights”:
image


After that, a more convincing message appeared offering to download the License-Installer file, which, by the way, was already checked by the antivirus and turned out to be 100% clean:
image


After carefully reviewing the message, I clicked on the 'Download Now' button and, in anticipation of any reaction from the antivirus, I saw a familiar window offering to download the file from license.compress.to server:


And then the first question arose, if the first window shows the server free-license.imgpop.com , then why this wonderful file offers to download the license from the license.compress.to server? To find out what the problem is, I visited both sites, hoping to find something tasty there, but, as was to be expected, I did not find anything there.


DRM protection

After that, the first thing that came to mind was to “launch a sniffer”, but abstained (and did it right) - having decided to open the file in the Hex editor. I opened a file in the Hex-editor that weighed 150 MB and, to my luck, everything was very simple, because already on the 20th line I found this piece of text:
image


It has become much more interesting. Opened the page https: //free-license.imgpop.com/venuf.php? Id = Movie_0001.wmv , which redirected (HTTP / 1.1 302) to the page: https: //free-license.imgpop.com/venuf/index .htm , and there I saw a familiar picture, just a little bigger, and even in the browser:
image


So far everything was going well and wanting to experiment a bit, I decided to change the link from the video file to my own. But, after seeing that after changing the line, even WMP cannot open the file and not knowing what to do, asked Google if it could tell what the line was, WRMHEADER version = '2.0.0.0' , which (among many others) found using a hex editor?
image


The answer was short and clear as daylight - I am dealing with DRM protection of video files. That is, I discovered how using legal and fairly convincing methods, attackers can successfully and with certainty spread malicious files, because: firstly, no antivirus will find that the video file is infected, and secondly, most users trust Microsoft and will definitely launch such files.

Moreover, WMP is not the only player that can open DRM protected files. I did not find a complete list of players, but I can say with confidence that Nero ShowTime supports DRM, only unlike WMP, it reacts more carefully ... only if you confirm license downloading, does the web page open in IE (although it is not a browser default).
image

image


And now the most interesting thing: if you change the file extension from .wmv to .asf or to .wma , nothing changes, that is, the players will still play the media file and most dangerous, in most cases, the .wma files will be opened in Windows Media Player. By the way, I forgot to say, after I opened the video file in the Hex editor, for convenience, I deleted unnecessary bytes and as a result the file size became 5.31KB.


Internet Explorer

Probably many people think that “There is no danger in this! I will not download any licenses! Anyway, where does Internet Explorer, WMP and video files come from? ” At first, I also thought so, because there is a “Cancel” button, but as it turned out, there is a danger and not a small one, and “Cancel” will not save anyone if the file is opened in WMP. And Internet Explorer is the same browser, web browsing software ...

I found information about how to crack DRM-protection, but did not. Firstly, I did not know whether it would be possible to change the link, and secondly, I chose the easier way. Added a line in the hosts file:
127.0.0.1 free-license.imgpop.com

I created the venuf.php file at the root of the local server and opened a video using WMP - after a few seconds the following message appeared:
image


Next, using alert () , I decided to try if it supports JavaScript - as a result I received an empty page. I thought that really didn’t work, but having connected my intuition, I quickly changed the alert () function to document.write () . The result caused a smile: this time the page was not empty, so Windows Media Player supports JavaScript.

Now, the thought that the media player could open web pages, but also supports JavaScript, did not give me rest. Wanting to find out what kind of player this is, he added a line in the venuf.php file:
echo $_SERVER['HTTP_USER_AGENT'];
and even though I have MSIE 8.0 installed, I received the following message:
image


Finally, I decided to test one exploit for MSIE, written in JavaScript, causing a denial of service to the browser. I added an exploit to the page, opened the video file and I did not have time to blink, as Windows states that "Windows Media Player stopped working":
image

image


As you understand, trying to play a video file, WMP forcibly disconnected, which means that it is vulnerable to an MSIE exploit. I checked only one exploit, but that was enough to change my ideas about the security of media files .


Instead of postscript

Having written the last lines of this article, suddenly one idea came to me: download, install and test one of the most popular multimedia players - Winamp . What I did ... And when I tried to play the file, the following message appeared:
image


I was almost sure that everything would be the same as with Nero ShowTime, but curiosity made me click on the 'Yes' button ... Instead of launching IE, I saw the following:
image

image


I did not immediately understand what the problem was, thinking that anything could happen, but after a few seconds, I remembered that the exploit code for MSIE remained in the file venuf.php . Next, using the $ HTTP_USER_AGENT variable, I found out that Winamp uses MSIE 7 Internet Explorer as well as WMP for its own purposes:
image


True, unlike Windows Media Player, Winamp does not warn you from where the license file will be downloaded, but allows you to use the right click and see the source code of the page ... and also for it, the alerts work:
image



Conclusion

At first glance, not everything is as scary as it seems, but I want to draw your attention to the fact that by opening such a file, the user will not be able to stop the launch of the exploit at all, and the antivirus program cannot help, because if this is a new exploit, then most likely, it is not yet added to the antivirus database.

Simply, do not forget that not all users have other audio and video players installed. And also, I do not believe that a user who waited 2 hours (at best) to download a long-awaited file, having seen that it is not playing, will simply delete it, and no “do not open files in this player!” Will not help .


UPD:

Protection

To significantly reduce the risk of possible attacks, I recommend disabling the license for DRM-protected files in WMP. To do this, open the Options (Options) and in the Privacy tab, uncheck the box “ Get licenses automatically for protected content ” (Download free usage right when I play or sync a file):
image


Now, when you open the file, WMP will ask if you really want to open a web page to get a license:
image


Despite the fact that the developers warn about the danger and know that 'web pages may contain elements that may be dangerous for the computer' - they still turned off this option by default. Strange, isn't it?

UPD 2: ( Many thanks to Dragonizer Habrayuzer for the remark )
Although the User Agent is defined as MSIE 7.0, in fact it is not. The fact is that WMP opens web pages in compatibility mode, which means that:
• In the browser version line, the web browser is denoted as MSIE 7.0, not MSIE 8.0;
• Conditional comments and version vectors recognize the web browser as IE 7, not IE 8;

Source: https://habr.com/ru/post/89676/

More articles:


All Articles