W32/Realor.worm - Infecting Movies for Fun and Profit
Tuesday November 14, 2006 at 7:38 pm CST
Posted by Geok Meng Ong
After Exploit-WMF and the umpteen image file format exploits that followed, general computer users should understand that a file not bearing the *.EXE extension is not necessarily safe to view. Malware crafted out of document and media file formats is nothing new, nor is it a threat unique to Windows users. Before Word document 0-days made it into mainstream news headlines, there were text file exploits. More recently, there was Exploit-WinAmpPLS playing a spyware note, and a Microsoft security advisory for five critical Flash Player vulnerabilities today, as the music plays on.
Today, McAfee Avert Labs discovered W32/Realor.worm in the wild, actively modifying all Real Media (*.rmvb) files in its path. These “infected” media files launch a malicious webpage without prompting as they are being viewed by the user in Real media player. These files can be music or videos hosted on a network drive containing corporate presentations, a personal media server, a P2P shared folder, et cetera. When was the last time you hesitated before opening a movie file?
As much as the new world of broadband multimedia presents new channels for entertainment and business opportunities, it is an attractive breeding ground for malware, like any other popular application. Whether produced by a worm, with tools or by hand, such files are a penetration vector hard to resist for profiteering malware authors. McAfee Avert Labs recognises a rising trend in the manipulation of media files to embed or install malware. Heuristics and generic detections such as New Downloader.b and Generic Downloader.bl are only some of the proactive measures to block such attempts. Internet users are advised to be cautious about sharing media files in a publicly writable folder or viewing media files from unknown sources, as they would be with unsolicited e-mails and *.EXE files.
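For triaging media files on a writable share, the following added example (not McAfee's detection logic and not part of the original post) walks the top-level chunks of a RealMedia container and lists every URL-like string with the chunk it sits in. It assumes the usual chunk layout of a FourCC, a 32-bit big-endian size and a 16-bit version; the sample bytes and the placeholder URL are constructed, and a hit is a lead for review, since legitimate files can carry URLs in their metadata.

```python
import re
import struct

HEADER = struct.Struct(">4sIH")  # FourCC, chunk size (header included), version
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]{4,}")


def walk_chunks(data):
    """Yield (fourcc, file_offset_of_body, body) for each top-level chunk."""
    if data[:4] != b".RMF":
        raise ValueError("not a RealMedia container")
    pos = 0
    while pos < len(data):
        size = 0
        if pos + HEADER.size <= len(data):
            fourcc, size, _version = HEADER.unpack_from(data, pos)
        if size < HEADER.size or pos + size > len(data):
            # Truncated or malformed chunk: scan the remainder as one region.
            yield "????", pos, data[pos:]
            return
        body_start = pos + HEADER.size
        yield fourcc.decode("latin-1"), body_start, data[body_start:pos + size]
        pos += size


def find_urls(data):
    """Return (chunk, file_offset, url) for every URL-like string found."""
    return [(fourcc, base + m.start(), m.group().decode("latin-1"))
            for fourcc, base, body in walk_chunks(data)
            for m in URL_RE.finditer(body)]


def _chunk(fourcc, body):
    """Build one chunk for the constructed sample below."""
    return HEADER.pack(fourcc, HEADER.size + len(body), 0) + body


# Constructed sample, not a real infected file.
SAMPLE_URL = "http://placeholder.invalid/page.htm"
SAMPLE = (_chunk(b".RMF", struct.pack(">II", 0, 3))
          + _chunk(b"CONT", b"\x00\x05Title")
          + _chunk(b"DATA", b"\x00" * 16 + SAMPLE_URL.encode() + b"\x00" * 9))

if __name__ == "__main__":
    for name, offset, url in find_urls(SAMPLE):
        print(f"{name} @ {offset}: {url}")
```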

November 16th, 2006 at 8:19 am
[…] On Tuesday, antivirus firm McAfee warned Windows users that the company had discovered a worm, dubbed W32/Realor, actively infecting Real Media files. The infected video files do not contain an exploit for the RealOne or Real players, but a hyperlink that points to a malicious Web site. When infected files are opened, the victim is referred to the Web site, which attempts to compromise their computer using a previously patched flaw in Internet Explorer. […]
December 11th, 2006 at 3:06 am
[…] I previously wrote about non-executable file formats being a popular vector in recent years; this is a trend that will continue into 2007 and deserves to be given ample consideration in planning for security resources, policies and user education programs. […]
December 23rd, 2006 at 3:25 am
[…] antivirus firm McAfee warned Windows users that the company had discovered a worm actively infecting Real Media files (.rm). […]
February 13th, 2007 at 5:49 am
[…] Both W32/HLLP.Philis and W32/Fujacks are more than the usual file infectors. These are multi-vector threats, usually including an aggressive downloader that updates itself frequently, can infect both executable and non-executable files over insecure media such as open network shares and USB drives, thus slipping through the cracks of loosely managed IT policies. Once successful, trusted media files can be further infected with malicious code or hyperlinks through PE file infection, web-based exploits over HTML or media files targeted against unpatched and vulnerable applications. […]