Exploit: Windows Media Player vulnerability

New research from M86 Labs adds further insight on the MIDI exploit first highlighted by Trend Micro last week.

The attack uses the methodology described by Vupen: a non-trivial exploit that works in Internet Explorer 6 to 9. Microsoft fixed this vulnerability in its January patch release.

M86 describes how an infected web page hosted in South Korea loads a malicious MIDI file. The MIDI file is used to download an executable which is itself a downloader. This fetches the ultimate payload: a basic rootkit.

M86 notes that the malware goes to some length to avoid detection. “The author uses a common evading technique: XOR encryption, with a decrypting loop at the prologue. This technique is usually very effective against signature-based detection engines.” When tested against VirusTotal (which only tests the signature detection element of anti-virus software and not the on-access heuristic detection), only 3 out of the 43 products could detect this malware.
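As an added example (not from M86's analysis or from this page), the analyst's counter to the single-byte XOR evasion quoted above: brute-force all 256 candidate keys over a constructed sample and score each decoding by the known PE plaintext markers it exposes. The 4-byte stub, the marker list and the key 0x5A are assumptions made for the demonstration.

```python
"""Single-byte XOR key recovery against an XOR-encoded payload (added example).

Signature engines see only the encoded bytes behind the decoding stub, but a
fixed single-byte key leaves a key space of 256, so an analyst can try every
key and keep the decoding that exposes the most known plaintext.
"""

# Known-plaintext markers expected in a decoded Win32 executable.
PE_MARKERS = (b"MZ", b"This program cannot be run in DOS mode", b"PE\x00\x00")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def score_candidate(candidate: bytes) -> int:
    """Count marker hits; a higher score means a more plausible decoding."""
    return sum(1 for m in PE_MARKERS if m in candidate)


def recover_xor_key(blob: bytes, stub_len: int = 0):
    """Try all 256 keys on blob[stub_len:]; return (key, decoded, score).

    stub_len skips the unencoded decoder prologue when its length is known. The
    default of 0 still works because markers are searched anywhere in the
    candidate. key is None when no key exposes any marker.
    """
    body = blob[stub_len:]
    best = (None, body, 0)
    for key in range(256):
        candidate = xor_bytes(body, key)
        score = score_candidate(candidate)
        if score > best[2]:
            best = (key, candidate, score)
    return best


# Constructed sample: a fake PE-like body (not a real executable) placed behind a
# hypothetical 4-byte decoder stub and encoded with the assumed key 0x5A.
STUB = b"\xEB\x02\x90\x90"
PLAINTEXT = (b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode\r\n$"
             + b"\x00" * 16 + b"PE\x00\x00")
SAMPLE_KEY = 0x5A
ENCODED_SAMPLE = STUB + xor_bytes(PLAINTEXT, SAMPLE_KEY)


def demo() -> int:
    """Run recovery on the constructed sample and return the key found."""
    key, decoded, score = recover_xor_key(ENCODED_SAMPLE)
    print(f"recovered key=0x{key:02X} score={score} header={decoded[4:6]!r}")
    return key


if __name__ == "__main__":
    demo()
```

The recovered plaintext, not the encoded blob, is what a signature engine would need to match, which is why the encoded sample scores so poorly on VirusTotal.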


Published by:

Reza Rafati
