Fake Video Downloads Leading to Virus
A malware trick that has been common on Windows for many years starts with the download of some dubious video. When you open it, a window claims that the video will only play if you download a codec. As soon as you download and run that file, the whole system is taken over by the Trojan or virus.
Often you do not realize that you have been hit by something so severe, and by the time you notice that you paid no attention to the warning signs, it is too late. It therefore pays to have at least a basic understanding of such attacks and how they work, because that is what lets you spot the danger signals.
The starting point is the video file itself, which is fake: it is not what its name promised. Most media players will display an error on such a file, and with a good player that error alone should raise suspicion. Dragging and dropping the video into a hex editor such as HxD gives further clues. If the file consists entirely of zero bytes, or is padded with repeated text fillers such as ‘XXPADINGXXPADDINGXXX’, that is a clear sign that something is badly wrong.
A basic understanding of video file structure helps here. An AVI file, for instance, starts with the letters ‘RIFF’, and other recognizable markers appear in the first few bytes unless the file is fake. This check works often enough to be worth doing, but you cannot rely on it every time: a smarter attacker can use genuine headers with binary garbage as the content, and the file will then look like the real thing. A more devious trick abuses Windows Media Player and its DRM system, which can persuade you to download the ‘codec’ or some other component that supposedly lets you play the movie.
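One way to automate the hex-editor checks from the two paragraphs above (container signature in the first bytes, then all-zero or repeated filler in the body) is the following Python script. It is an added example, not code from the original article; the sample files at the bottom are constructed test data, and the entropy threshold and the 64-byte header skip are assumptions chosen for illustration.

```python
"""
Triage a downloaded "video" the way the article describes doing it by hand in a
hex editor: check the container signature in the first bytes, then look at the
content for tell-tale filler (runs of zero bytes or a short text pattern
repeated over and over). Added example, not code from the article; the sample
files and padding strings at the bottom are constructed test data.
"""
import math
import random
import struct
from collections import Counter
from typing import Optional

# Magic bytes of common containers and the offset at which they appear.
SIGNATURES = {
    "AVI": (0, b"RIFF"),                 # RIFF; bytes 8..12 must be b"AVI "
    "MP4": (4, b"ftyp"),                 # ISO base media file: size, then 'ftyp'
    "MKV": (0, b"\x1a\x45\xdf\xa3"),     # EBML header (Matroska / WebM)
    "ASF": (0, b"\x30\x26\xb2\x75\x8e\x66\xcf\x11"),  # ASF/WMV header GUID prefix
}


def identify_container(data: bytes) -> Optional[str]:
    """Return the container name whose signature matches, or None."""
    for name, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] != magic:
            continue
        if name == "AVI" and data[8:12] != b"AVI ":
            continue  # RIFF is also used by WAV etc.; require the AVI form type
        return name
    return None


def entropy_bits(chunk: bytes) -> float:
    """Shannon entropy per byte (0 for all-same bytes, close to 8 for real video)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def smallest_period(chunk: bytes, max_period: int = 64) -> Optional[int]:
    """Shortest p such that the chunk is the same pattern repeated every p bytes."""
    for p in range(1, max_period + 1):
        if len(chunk) >= 2 * p and chunk[p:] == chunk[:-p]:
            return p
    return None


def triage(data: bytes, window: int = 512, samples: int = 8) -> dict:
    """Sample windows across the file body and report filler indicators."""
    container = identify_container(data)
    findings = []
    if container is None:
        findings.append("no recognised video container signature in the first bytes")

    body = data[64:] if len(data) > 64 + window else data  # skip a plausible header (assumed size)
    n = len(body)
    if n < window:
        findings.append("file is far too small to be a video")
        return {"container": container, "findings": findings, "suspicious": True}

    step = max((n - window) // max(samples - 1, 1), 1)
    low_entropy = periodic = 0
    for i in range(samples):
        start = min(i * step, n - window)
        chunk = body[start:start + window]
        if entropy_bits(chunk) < 5.0:        # threshold is an assumption; compressed video sits near 8
            low_entropy += 1
        if smallest_period(chunk) is not None:
            periodic += 1

    if periodic > samples // 2:
        findings.append("content is a short pattern repeated over and over (padding)")
    elif low_entropy > samples // 2:
        findings.append("content has far lower entropy than compressed video")

    return {"container": container, "findings": findings,
            "suspicious": bool(findings)}


def riff_avi(payload: bytes) -> bytes:
    """Wrap a payload in a minimal RIFF/AVI-looking header (constructed sample)."""
    return b"RIFF" + struct.pack("<I", 4 + len(payload)) + b"AVI " + payload


# Constructed samples: a genuine-looking header over zero filler, over text
# filler, and over pseudo-random bytes standing in for compressed video.
SAMPLE_ZERO = riff_avi(b"\x00" * 20_000)
SAMPLE_PAD = riff_avi(b"XXPADDING" * 2_500)
_rng = random.Random(7)
SAMPLE_REAL = riff_avi(bytes(_rng.getrandbits(8) for _ in range(20_000)))

if __name__ == "__main__":
    for name, blob in [("zeros", SAMPLE_ZERO), ("padding", SAMPLE_PAD), ("random", SAMPLE_REAL)]:
        print(name, triage(blob))
```

The first two samples show the point the article makes about genuine headers over garbage: `identify_container` is happy with all three files, and only the body checks separate the fakes from the real-looking one. A matching signature is therefore evidence of nothing on its own; the verdict has to come from the content.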
So the first sign of trouble is often the recommendation to play the video in Windows Media Player, on the grounds that it handles the file somewhat better. You may well feel the file is total garbage, but this attack only works in Windows Media Player, so the attacker needs to persuade you to use it. The first thing to check is the caption of the dialog. If it reads ‘Media Usage Rights Acquisition’, the video is abusing the DRM system, and the matter has nothing to do with codecs at all. This matters because the DRM technology allows a video to carry an embedded URL, and that URL is what you see loaded in the dialog. The main clue is the domain of that web page, which is displayed in the dialog’s title bar.