Nifty social engineering
This is an example of nifty social engineering, which is really quite funny… _unless_ you’re the one on the receiving end. Here’s how it works….
You’re surfing the web, and you find a video that you really want to watch, (no, not one of “those” videos… well, not necessarily anyway), but it says you have to install a codec. Codec stands for coder/decoder (often explained as compressor/decompressor) and is the piece of software that packs otherwise huge video files into a manageable size and unpacks them for playback. You install the codec, and maybe you see the video, and maybe you don’t, but guess what? You’ve been rootkitted! Now, on one level, that’s just the classic bait-and-switch/trojan-horse scenario, but the _details_ are quite interesting.
I was looking at just such an example today, and I was wondering, suspiciously, why people would give a codec away for free, so I went to the codec website, started looking around, and found, of all things… a EULA. In the EULA, we find that, despite all the references to needing a codec for Windows Media Player, there’s the following paragraph….
“SOFTWARE DESCRIPTION This software grants you access to many different video files, provided by the Licensor on its sites. The software is not any kind of Media Player Add-On or plugin, it does not implement any additional compressor/ decompressor or any other additional video software. ”
Wait…. it’s _not_ a compressor/ decompressor or a Media Player plugin? That’s kind of bold of them.
So, with that in mind, I now install it on a Virtual PC loaded with diagnostic software to see what it does. Heck…. it doesn’t do anything. It just installs. It’s not working, because I can’t see the video. It hasn’t attached itself to Internet Explorer or Windows Explorer. None of my rootkit detectors show any system anomaly. I see no way for it to get into the execution cycle on reboot. My sniffers don’t see any traffic. I can’t even find anything to run. All I can see is an Uninstall command.
Hmmmmm ….. that makes no sense, so I try again on a native machine …. no VPC involved at all, and this time the rootkit detectors go off like Roman candles… hidden files and processes and registry keys all over the place. Dang! They’re reasoning, correctly, that if they’re on a Virtual PC, they’re being studied, and so they won’t play nicely. How perceptive of them. This shouldn’t really be a surprise, because it’s well documented how to tell that you’re inside a VPC, but it is a surprise if only to marvel at their cunning.
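The post doesn’t say which trick this particular installer used to recognise Virtual PC, so the following is an added illustration, not the malware’s code and not something the author ran. It shows the kind of cheap, well-documented checks that VM-aware malware performs before deciding whether to drop its payload: the CPUID “hypervisor present” flag, the hypervisor vendor string, and the MAC address prefixes (OUIs) that the big virtualisation products hand out to guests. The two machine profiles at the bottom are constructed sample data (a Virtual PC guest and a bare-metal box), and the `looks_virtualized` decision rule is my own choice of threshold, not a standard.

```python
"""Heuristics of the sort VM-aware malware uses to decide whether it is
being studied. Added example; the indicator lists are from public
documentation of each hypervisor, the sample machines are constructed."""

import re

# CPUID leaf 0x40000000 vendor strings published by each hypervisor.
HYPERVISOR_VENDORS = {
    "Microsoft Hv": "Hyper-V / Virtual PC",
    "VMwareVMware": "VMware",
    "VBoxVBoxVBox": "VirtualBox",
    "KVMKVMKVM": "KVM",
    "XenVMMXenVMM": "Xen",
}

# Registered MAC OUIs that virtual NICs are assigned from.
VM_MAC_OUIS = {
    "00:03:FF": "Microsoft Virtual PC",
    "00:15:5D": "Microsoft Hyper-V",
    "00:0C:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:16:3E": "Xen",
}


def cpuinfo_has_hypervisor_flag(proc_cpuinfo_text):
    """Parse Linux /proc/cpuinfo text and report whether the 'hypervisor'
    flag (CPUID leaf 1, ECX bit 31) is set. Offline: takes the text, not the file."""
    for line in proc_cpuinfo_text.splitlines():
        if line.lower().startswith("flags"):
            flags = line.split(":", 1)[1].split()
            return "hypervisor" in flags
    return False


def vm_indicators(hypervisor_bit, hypervisor_vendor, mac_addresses):
    """Return a list of human-readable reasons to believe we are in a VM.

    hypervisor_bit    -- bool, the CPUID 'hypervisor present' flag
    hypervisor_vendor -- str, CPUID leaf 0x40000000 vendor string ('' if none)
    mac_addresses     -- iterable of 'aa:bb:cc:dd:ee:ff' strings
    """
    reasons = []
    if hypervisor_bit:
        reasons.append("CPUID hypervisor-present bit is set")
    vendor = hypervisor_vendor.rstrip("\0")
    if vendor in HYPERVISOR_VENDORS:
        reasons.append("hypervisor vendor string is %s (%s)"
                       % (vendor, HYPERVISOR_VENDORS[vendor]))
    for mac in mac_addresses:
        if not re.fullmatch(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", mac):
            continue  # ignore malformed entries rather than crash
        oui = mac.upper()[:8]
        if oui in VM_MAC_OUIS:
            reasons.append("NIC %s has %s OUI" % (mac, VM_MAC_OUIS[oui]))
    return reasons


def looks_virtualized(hypervisor_bit, hypervisor_vendor, mac_addresses):
    """Decision rule (an assumption of this example): any single strong
    indicator is enough, which is how such malware typically errs."""
    return len(vm_indicators(hypervisor_bit, hypervisor_vendor, mac_addresses)) > 0


# Constructed sample machines.
VPC_GUEST = dict(hypervisor_bit=True, hypervisor_vendor="Microsoft Hv",
                 mac_addresses=["00:03:FF:1A:2B:3C"])
BARE_METAL = dict(hypervisor_bit=False, hypervisor_vendor="",
                  mac_addresses=["3C:52:82:AA:BB:CC"])

SAMPLE_CPUINFO_VM = "model name : Example CPU\nflags : fpu vme sse2 hypervisor\n"
SAMPLE_CPUINFO_HOST = "model name : Example CPU\nflags : fpu vme sse2\n"

if __name__ == "__main__":
    for name, box in (("Virtual PC guest", VPC_GUEST), ("bare metal", BARE_METAL)):
        verdict = "stay quiet" if looks_virtualized(**box) else "deploy"
        print(name, "->", verdict, vm_indicators(**box))
```

The defensive lesson is the mirror image: an analysis VM that leaves these fingerprints in place (the vendor string, the 00:03:FF NIC, the hypervisor flag) will be shown the clean behaviour the author saw first, so a sandbox worth trusting masks them or, as the author did, the sample gets run on real hardware.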
But even on a native, non-virtual PC, the video still won’t play, so I decide to test what the uninstall does. Here’s the funny bit I was referring to earlier … It very politely and tidily uninstalls all the extra bits _except_ the rootkit! And you _still_ don’t get to see the video!
So how can you tell if a codec is safe, or if it’s a rootkit? It turns out that you can’t, unless your antivirus software recognizes it before it installs. Once it installs, it hides its own files, processes and registry keys, so even if your antivirus gets an update afterwards, it’s probably too late… the AV probably won’t see it either.
Bottom line … if you have to install a codec to watch a video… the video is probably not worth it.