Exploit: Windows Media Player vulnerability

New research from M86 Labs adds further insight on the MIDI exploit first highlighted by Trend Micro last week.

The attack uses the methodology described by Vupen: a non-trivial exploit that works in Internet Explorer 6 to 9. Microsoft fixed this vulnerability in its January patch release.

M86 describes how an infected web page hosted in South Korea loads a malicious MIDI file. The MIDI file is used to download an executable, which is itself a downloader; this fetches the ultimate payload: a basic rootkit.

M86 notes that the malware goes to some length to avoid detection. “The author uses a common evading technique: XOR encryption, with a decrypting loop at the prologue. This technique is usually very effective against signature-based detection engines.” When tested against VirusTotal (which only tests the signature detection element of anti-virus software and not the on-access heuristic detection), only 3 out of the 43 products could detect this malware.
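To illustrate the point M86 makes about XOR encryption defeating signature matching, here is a small added example (not code from M86 Labs, Trend Micro or the article): it takes a constructed byte signature and a constructed payload containing it, XOR-encodes the payload with a single-byte key, shows that a literal signature scan no longer matches, and then shows how a scanner that accounts for single-byte XOR encoding still finds the signature and recovers the key. The signature, payload bytes and key are all invented for the demonstration and have nothing to do with the actual malware.

```python
"""
Added example (not from M86 Labs or the article): why a signature-only
scanner misses a single-byte XOR-encoded payload, and how a scanner that
accounts for the encoding can still detect it.
All byte strings below are constructed for illustration only.
"""
from typing import Optional

# Constructed "signature": the byte pattern a signature engine looks for.
SIGNATURE = b"ROOTKIT-MARKER"

# Constructed plaintext "payload" body that contains the signature.
PLAINTEXT_PAYLOAD = (
    b"\x90" * 8 + b"some code " + SIGNATURE + b" more code" + b"\xcc" * 8
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (XOR is its own inverse, so
    the same call both encodes and decodes)."""
    return bytes(b ^ key for b in data)


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive signature check: a literal substring match, which is all a
    pure signature engine does."""
    return signature in data


def xor_aware_scan(data: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Try all 256 single-byte XOR keys and return the key under which the
    signature appears, or None if no key works.

    Because XOR applies byte-by-byte with the same key, it is cheaper to
    encode the short signature than to decode the whole file:
        signature in (data XOR key)  <=>  (signature XOR key) in data
    """
    for key in range(256):
        if xor_bytes(signature, key) in data:
            return key
    return None


def build_sample(key: int) -> bytes:
    """Produce the constructed XOR-encoded sample for a given key."""
    return xor_bytes(PLAINTEXT_PAYLOAD, key)


def demo(key: int = 0x5A) -> dict:
    """Run both scanners against the plain and the encoded sample."""
    encoded = build_sample(key)  # key 0x5A is a constructed value
    recovered = xor_aware_scan(encoded)
    return {
        "plain_signature_hit": signature_scan(PLAINTEXT_PAYLOAD),
        "encoded_signature_hit": signature_scan(encoded),
        "recovered_key": recovered,
        "decoded_matches": recovered is not None
        and xor_bytes(encoded, recovered) == PLAINTEXT_PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The brute-force key search stands in for what an on-access heuristic engine does more generally: rather than matching the stored bytes, it emulates or unpacks the decrypting prologue and scans the result. That is why VirusTotal's static pass, as the article notes, understates what the same products may catch at runtime.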