Learn How Fake Video Downloads Can Install Malware

For years it has been a common Windows malware trick: you download some dubious video, and you are told that you cannot play it unless you install a “codec”. That “codec” file is the Trojan or virus.

Usually you think you would never be caught out by something like this, but it only takes a moment of not paying attention. You need to understand how these attacks work, because then you can spot the danger signs easily.

If you play one of these fake or dummy videos, or one that does not carry the originally promised name, in most media players you will be shown an error message. Such videos may play only in one particular player. Dragging and dropping the video onto a hex editor such as HxD may give some clues.

If you see the file stuffed with repeated text filler such as “XXXPADDINGXXXPADDINGXXX” or with zeroes, you know something is badly wrong. To identify a video file you need to know some basics: AVI files start with the letters “RIFF”, and in the first few bytes you will normally see other recognizable words. This is useful, but only until the fake file carries a real-looking header.

Unfortunately you cannot rely on this working. Smarter attackers use real headers with binary garbage as content, and such files look like the real thing. The devious trick mostly abuses the DRM system of Windows Media Player in order to persuade you to download a “codec” or some other component that it claims you need to play the movie.
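The two checks described above (does the header really say RIFF or ASF, and is the body filler or zeroes rather than compressed frames) can be scripted for triage. The following is an added example, not code from the original article; the ASF header GUID comes from the public format specification, and the sample size and entropy threshold are my own assumptions:

```python
import math
from collections import Counter

# Container signatures from the public AVI (RIFF) and ASF/WMV specs; the
# article itself only mentions the "RIFF" prefix.
AVI_MAGIC = b"RIFF"   # bytes 0-3; bytes 8-11 are then b"AVI "
ASF_MAGIC = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # ASF header GUID

def container_type(data: bytes) -> str:
    """Classify a file by its header: 'avi', 'asf' (WMV/WMA) or 'unknown'."""
    if data[:4] == AVI_MAGIC and data[8:12] == b"AVI ":
        return "avi"
    if data[:16] == ASF_MAGIC:
        return "asf"
    return "unknown"

def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte; compressed video sits near 8.0."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def triage(data: bytes, sample: int = 4096) -> dict:
    """Look past the header at a slice from the middle of the file, where a
    real video carries compressed frames and a fake carries filler."""
    mid = len(data) // 2
    body = data[mid:mid + sample]
    zeros = body.count(b"\x00")
    findings = {
        "container": container_type(data),
        "padding_filler": b"PADDING" in body or body.count(b"XXX") > 4,
        "zero_filled": bool(body) and zeros > 0.9 * len(body),
        "body_entropy": round(entropy(body), 2),
    }
    # Thresholds are assumptions for this example, not taken from the article.
    findings["suspicious"] = (findings["padding_filler"]
                              or findings["zero_filled"]
                              or findings["body_entropy"] < 4.0)
    return findings

# Constructed samples (not real malware): a fake WMV with a genuine ASF header
# but filler content, a zero-filled AVI, and a stand-in for a real AVI body.
FAKE_WMV = ASF_MAGIC + b"\x00" * 48 + b"XXXPADDING" * 600
ZERO_AVI = b"RIFF" + (8000).to_bytes(4, "little") + b"AVI " + b"\x00" * 8000
REAL_AVI = b"RIFF" + (6000).to_bytes(4, "little") + b"AVI " + bytes(range(256)) * 24

if __name__ == "__main__":
    for name, blob in [("FAKE_WMV", FAKE_WMV), ("ZERO_AVI", ZERO_AVI), ("REAL_AVI", REAL_AVI)]:
        print(name, triage(blob))
```

The body is sampled from the middle of the file rather than right after the header, because genuine AVI files can legitimately carry zero-padded JUNK chunks near the start.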

The first sign of trouble will be a recommendation that the video be played in Windows Media Player because it is “better”. This is certainly total garbage, but the attack works only in Windows Media Player, so the attacker needs to persuade you to use it.

If you have fallen for this and double-click the hacked WMV file, a window opens that looks like a Windows Media Player dialog. Its text persuades you that the problem will be fixed if you click a button; a file is then downloaded, and you will naturally assume it is safe to run.

Check the caption of the dialog first. It reads “Media Usage Rights Acquisition”, which means the video is abusing the DRM system and has nothing to do with any codecs directly.