Monday, September 18, 2006

Codec bait and switch

Hi folks,

This is a nifty example of social engineering, which is really quite entertaining ... _unless_ you're the one on the receiving end. Here's how it works....

You're surfing the web, and you find a video that you really want to watch, (no, not one of "those" videos... well, not necessarily anyway), but it says you have to install a codec. Codec stands for compressor/decompressor and is used to reduce otherwise huge video files to a more manageable size. You install the codec, and maybe you see the video, and maybe you don't, but guess what? You've been rootkitted. Now, on one level, that's just the classic bait and switch/trojan horse scenario, but the _details_ are a little different.

I was looking at just such an example today and, being suspicious - as one tends to be in this business - I thought I'd check out why someone would give a codec away for free. So I went to the codec website, started looking around, and found of all things .... a EULA. Buried in the EULA, we find, in spite of all the references to needing a codec for Windows Media Player, the following paragraph....

"SOFTWARE DESCRIPTION This software grants you access to many different video files, provided by the Licensor on its sites. The software is not any kind of Media Player Add-On or plugin, it does not implement any additional compressor/decompressor or any other additional video software. "

Wait.... it's _not_ a compressor/decompressor or a Media Player plugin? That's kind of bold of them. Time to find out what it actually is.

So, I now install it on a Virtual PC, loaded with diagnostic software, to see what it does. Heck.... it doesn't do anything. It just installs. It's not working, because I can't see a video. It hasn't attached itself to Internet Explorer or Windows Explorer. None of my rootkit detectors shows any system anomaly. I see no way for it to get into the execution cycle on reboot. My sniffers don't see any traffic. I can't even find any place to run software.

All I can see is an Uninstall command.

Hmmmmm ..... that makes no sense. So I try again on a native machine .... no Virtual PC involved at all. This time, the rootkit detectors go off like roman candles ... hidden files and processes and registry keys all over the place. Dang! They're reasoning, correctly, that if they're on a virtual pc, they're being studied and won't play nicely. How very perceptive of them.

This shouldn't really be a surprise, because it's been well documented how to tell that you're inside a vpc, but one does rather marvel at their cunning.

But even on a native, non-virtual PC, the video that started all of this process _still_ won't play, so I decide to test what the uninstall does. Here's the entertaining part I was referring to earlier ... It very politely and tidily uninstalls all the extra bits _except_ the rootkit! And you _still_ don't get to see the video!

So how can you tell if a codec is safe, or if it's a rootkit? It turns out that you can't, unless your antivirus software recognizes it before it installs. Once it installs, it's invisible, so even if you get an update, it's probably too late... even the a-v probably won't see it.

Bottom line ... if you have to install a codec to watch a video ... the video probably isn't worth it.



Post a Comment

<< Home