Thursday, November 27, 2008

Codec for MP3?? or just a malware..

Last week, someone emailed me a suspicious MP3 file for research. So i decided to test the file on my "research environment".

When i try to play the MP3 file with the default media player(Windows Media Player 9), it prompted that "the file extension does not match the file format" and ask "if i want to try playing it anyway". This prompt makes the file really suspicious. This will normally happen if the MP3 file is corrupted or it was not a media file at all.

I click on "Yes", which is "to try playing it anyway" to see whether it is really a MP3 file. Instead of playing, it opens up the Internet browser and direct me to "".

In this website, it claims that a special codec is required to play the audio file and automatically prompt you to download the "Codec_setup.exe".

With the "Codec_setup.exe" file downloaded, i decided to test it with VirusTotal website. To my surprise, only 13 out of 37 anti virus detected the file as malware. Famous anti virus such as Sophos and Mcafee were not able to detect it.

Thinking that the malicious website or malware file might be removed after a week, i decided to visited the "" website and even downloaded the file again.
The downloaded file might be different from the one previously downloaded, so i compare both files and found that their hash values is different. I also run the new file with VirusTotal. This time, only 5 anti virus detected it.

Downloaded from the website:
Codec_setup.exe - 55KB
MD5: 278F6EF79C58A3F5B2AD0CC83CCA79BD

Downloaded few days later:
Codec_setup.exe - 55KB
MD5: CBAC09DCB8B8323BA3E457BE0E11B092

With these finding, i hope that people can be more careful when receiving media files such as MP3 or AVI. It is not new for malicious media file to trick users to download fake codec, which is actually a malware. This finding also shows how efficient hacker these days. They will constantly update their malware to avoid detection from the anti virus.

I will being running the downloaded malware on my "research enviroment" this few days. Watch out for my finding in my future post.

No comments: