New research from M86 Labs adds further insight on the MIDI exploit first highlighted by Trend Micro last week.
The attack uses the methodology described by Vupen: a non-trivial exploit that works in Internet Explorer 6 to 9. Microsoft fixed this vulnerability in its January patch release.
M86 describes how a compromised web page hosted in South Korea loads a malicious MIDI file. The MIDI file is used to download an executable, which is itself a downloader; this in turn fetches the ultimate payload, a basic rootkit.
M86 notes that the malware goes to some length to avoid detection. “The author uses a common evading technique: XOR encryption, with a decrypting loop at the prologue. This technique is usually very effective against signature-based detection engines.” When tested against VirusTotal (which only exercises the signature-detection component of anti-virus products, not their on-access heuristic detection), only 3 of the 43 products detected this malware.
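As an added illustration (not code from M86 or from the page), the Python below shows why a simple XOR layer blanks out a static byte signature, and how an analyst recovers the key from the known plaintext of a PE header. It assumes a single-byte key (the article does not state the key length), and the "executable", the key 0x5A and the signature are all constructed here.

```python
"""Why a XOR wrapper defeats byte signatures, and how to undo it offline.

Constructed sample: a stand-in for a Windows executable. Real PE files start
with the 'MZ' magic and carry the DOS-stub text a few dozen bytes in, so both
serve as known plaintext for key recovery. Assumes a single-byte XOR key.
"""
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."
CONSTRUCTED_PE = b"MZ" + b"\x90" * 0x4C + DOS_STUB + b"\x00" * 16

# Constructed byte signature a scanner might hold for the *unencoded* payload.
SIGNATURE = b"cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def signature_matches(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Static check: does the raw byte pattern occur in the blob?"""
    return sig in data


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Derive the key from the 'MZ' magic, then confirm it with the DOS stub.

    Known plaintext: key = first ciphertext byte XOR ord('M'). The stub check
    rejects blobs whose first byte merely happens to decode to 'M'.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    decoded = xor_bytes(blob, key)
    if decoded[:2] == b"MZ" and DOS_STUB in decoded:
        return key
    return None


def unwrap(blob: bytes) -> Optional[bytes]:
    """Return the decoded executable if a single-byte XOR layer is found."""
    key = recover_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)
```

Key 0x5A maps 'Z' to 0x00, so the encoded blob does not even begin with printable bytes; a signature written against the clear payload sees nothing, while the decoded copy from `unwrap` matches again.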