Nifty social engineering

Hi folks,

This is an example of nifty social engineering, which is really quite funny… _unless_ you’re the one on the receiving end. Here’s how it works….

You’re surfing the web, and you find a video that you really want to watch, (no, not one of “those” videos… well, not necessarily anyway), but it says you have to install a codec. Codec stands for compressor/ decompressor and is used to make otherwise huge video files into a more manageable size. You install the codec, and maybe you see the video, and maybe you don’t, but guess what? You’ve been rootkitted! Now, on one level, that’s just the classic bait and switch/ trojan horse scenario, but the _details_ are quite interesting.

I was looking at just such an example today, and I was wondering, suspiciously, why would people give a codec away for free, so I went to the codec website, started looking around, and found of all things …. a EULA. In the EULA, we find that, despite all the references to needing a codec for Windows Media Player, there’s the following paragraph….

“SOFTWARE DESCRIPTION This software grants you access to many different video files, provided by the Licensor on its sites. The software is not any kind of Media Player Add-On or plugin, it does not implement any additional compressor/ decompressor or any other additional video software. ”

Wait…. it’s _not_ a compressor/ decompressor or a Media Player plugin? That’s kind of bold of them.

So, with that in mind, I now install it on a Virtual PC, loaded with diagnostic software to see what it does. Heck…. it doesn’t do anything. It just installs. It’s not working, because I can’t see the video. It hasn’t attached itself to Internet Explorer or Windows Explorer. None of my rootkit detectors show any system anomaly. I see no way for it to get into the execution cycle on reboot. My sniffers don’t see any traffic. I can’t even find any place to run software. All I can see is an Uninstall command.

Hmmmmm ….. that makes no sense, so I try again on a native machine …. no VPC involved at all, and this time the rootkit detectors go off like roman candles… hidden files and processes and registry keys all over the place. Dang! They’re reasoning, correctly, that if they’re on a virtual pc, they’re being studied and won’t play nicely. How perceptive of them. This shouldn’t really be a surprise, because it’s well documented how to tell that you’re inside a vpc, but it is a surprise if only to marvel at their cunning.

But even on a native, non-virtual PC, the video still won’t play, so I decide to test what the uninstall does. Here’s the funny bit I was referring to earlier … It very politely and tidily uninstalls all the extra bits _except_ the rootkit! And you _still_ don’t get to see the video!

So how can you tell if a codec is safe, or if it’s a rootkit? It turns out that you can’t, unless your antivirus software recognizes it before it installs. Once it installs, it’s invisible, so even if you get an update, it’s probably too late… even the av probably won’t see it.

Bottom line … if you have to install a codec to watch a video… the video is probably not worth it.


  • Aviram

    Roger, great post!

    I loved the part about the Trojan detecting it’s in a VPC. I’m sure that’s not the first time you saw a Trojan do that – but how common is it nowadays? How soon before malware researchers dump Virtual PCs in favor of a more undetectable mechanism?

  • Moike

    This is another great argument for the average Joe to surf only from a VM. Not only is it easier to back out an infection, but now some infections won’t even activate in the first place.

  • Roger

    Hi Aviram,

    Thanks! No, it’s not the first I’ve seen… as I’m sure you know there are lots that won’t play nicely inside a virtual pc, but it was still a surprise… Mostly, they’re just buggy crap, and when you run them on the native PC, they don’t run properly there either… but this one was properly written, and there was and it was a rootkit.

    Part of what I was trying to convey was how it would have impacted an end user.

    And I _still_ didn’t see the video. :-)


  • Roger

    Moike wrote that it was a great argument for surfing from inside a vpc…. Yup, I agree, and VPCs are so convenient to blow away, but there are two problems with that…

    (1) VPCs are too slow for normal use, but the big problem is
    (2) Eventually, the rootkit writers will figure out how to break out of the VPC! They already burrow into the kernel… it’s just a matter of time.


  • Spamhuntress

    If you need a codec, first go to and see what they recommend for your need.

    It’s just way too easy to get something hinky if you use search engines to find codecs.