
Malevolent MIDI Files Result in Downloading of Rootkit

Trend Micro has recently warned that web users are being lured to a malicious site that cyber-criminals are using to install malware: the site hosts a specially crafted MIDI file together with a JavaScript file.

The attack exploits CVE-2012-0003, the vulnerability addressed by Microsoft bulletin MS12-004. The flaw lies in the Windows Multimedia Library, which is used by Windows Media Player (WMP) and other applications. By supplying a tampered MIDI file, an attacker can trigger memory corruption and compromise the affected computer remotely, say security researchers at Trend Micro.

The vulnerability is triggered when the Windows Multimedia Library used by WMP fails to handle a specially crafted MIDI file correctly, which allows remote attackers to run arbitrary code.

The researchers found that the infection vector was a malicious HTML page hosted at hxxp://images.{BLOCKED}p.com/mp.html. That page, which Trend Micro detects as HTML_EXPLT.QYUA, exploited the flaw with the help of two further files hosted at the same location: a MIDI file detected as TROJ_MDIEXP.QYUA and a JavaScript file detected as JS_EXPLT.QYUA.

Successful exploitation decodes and executes shellcode. The decoded shellcode then connects to a website to download an encrypted binary, which is decrypted and run; Trend Micro detects it as TROJ_DLOAD.QYUA. Trend Micro says its researchers are still analysing the Trojan but have so far observed serious payloads, including rootkits.

For the attack to work, the attacker's web page makes the browser load an ActiveX control associated with WMP. That ActiveX control then plays "baby.mid", a MIDI file hosted on the same web server as the malicious page, which also includes a JavaScript file. The JavaScript is the component that places the attacker's code in memory so that it is reached automatically by the memory corruption triggered while the MIDI file is processed. As a result, a rootkit is downloaded and installed.
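As an added illustration, not code from Trend Micro or from this article: a structural sanity check for Standard MIDI Files that a defender could run over suspicious .mid files taken from mail or web proxies before they reach the Windows Multimedia Library. It flags chunk lengths that overrun the file and channel-message data bytes of 0x80 or above, which the MIDI specification forbids; the two sample files are constructed, and since the article does not say which field the crafted file abused, the check is generic to the format rather than a signature for this exploit.

```python
import struct

def read_vlq(buf, pos):  # decode a MIDI variable-length quantity at pos; returns (value, new_pos)
    value = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated variable-length quantity")
        byte, pos = buf[pos], pos + 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos

def check_track(track, findings):  # walk one MTrk body, recording spec violations in findings
    pos, status = 0, None
    while pos < len(track):
        _, pos = read_vlq(track, pos)                    # delta time before every event
        if track[pos] & 0x80:                            # new status byte
            status, pos = track[pos], pos + 1
        elif status is None:
            raise ValueError("data byte with no running status")
        if status in (0xFF, 0xF0, 0xF7):                 # meta (type byte first) / sysex: VLQ length + payload
            length, pos = read_vlq(track, pos + (status == 0xFF))
            pos += length
        else:                                            # channel message: 1 or 2 data bytes
            for _ in range(1 if (status & 0xF0) in (0xC0, 0xD0) else 2):
                if track[pos] & 0x80:                    # data bytes must lie in 0x00..0x7F
                    findings.append(f"data byte 0x{track[pos]:02X} out of range at track offset {pos}")
                pos += 1
    if pos > len(track):
        raise ValueError("meta/sysex length runs past end of track")

def check_midi(data):  # returns a list of findings; an empty list means the file parsed cleanly
    if len(data) < 14 or data[:4] != b"MThd":
        return ["missing or truncated MThd header"]
    findings, pos = [], 8 + struct.unpack(">I", data[4:8])[0]
    while pos + 8 <= len(data):
        ctype, clen = data[pos:pos + 4], struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 8:pos + 8 + clen]
        if len(body) < clen:
            findings.append(f"{ctype.decode('latin-1')} chunk claims {clen} bytes, only {len(body)} present")
        if ctype == b"MTrk":
            try: check_track(body, findings)
            except (ValueError, IndexError) as err: findings.append(f"track parse error: {err}")
        pos += 8 + clen
    return findings

# Constructed samples, not real malware: a valid note on/off track, then the same track with note number 0xB2, which the spec forbids.
HEADER = b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96) + b"MTrk" + struct.pack(">I", 12)
GOOD = HEADER + bytes([0x00, 0x90, 0x3C, 0x40, 0x60, 0x80, 0x3C, 0x40, 0x00, 0xFF, 0x2F, 0x00])
BAD = HEADER + bytes([0x00, 0x90, 0xB2, 0x40, 0x60, 0x80, 0xB2, 0x40, 0x00, 0xFF, 0x2F, 0x00])
```

A file that fails this check is not necessarily the exploit, but it is one that a spec-conforming player should never have to parse, which makes it a cheap triage filter.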

To protect themselves from this attack, Windows users are advised to apply the patch promptly.

Related article: Malevolent RTF Files Drop Trojan Via Abuse of Office Vulnerability

» SPAMfighter News - 2/2/2012
