Hackers Resort to a Fairly Old Trick to Attack Windows Media Player
The saying goes: 'You can't teach an old dog new tricks.' More often than not, this doesn't really apply to hackers. The ever-changing security landscape means that if they are to succeed, they need to constantly improve their tactics and look for new ways of infecting innocent computer users. That said, in some cases, certain techniques can be just as effective now as they were about ten years ago, and naturally enough, the hackers don't mind re-using them. Case in point: Windows Media Player's Digital Rights Management feature.
Before we get to the ways hackers abuse Windows Media Player's DRM, a few words about the feature itself. A DRM-protected WMV file carries an embedded license acquisition URL. When such a file is opened in Windows Media Player, the DRM component pops up a prompt telling the user to visit that URL and either confirm that they have the right to watch the video or pay to obtain a license. The URL is whatever the person who produced the file put there, and the player hands the user off to it in a browser. The purpose of all this is to fight piracy.
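Because the URL lives in the file's header, it can be read out before the file is ever opened in a player. The script below is an added example written for this page, not code from Cyren, Microsoft or the original article. It walks the ASF header of a WMV file and returns the license acquisition URLs from the two DRM header objects (the Content Encryption Object's plain License URL field and the <LA_URL> elements of the WRMHEADER XML inside the Extended Content Encryption Object); the object GUIDs and field layout are those of the ASF specification. Since no real protected movie is shipped with the page, `build_sample_header` constructs a minimal header with placeholder URLs so the parser can be exercised offline.

```python
import re
import struct
import uuid

# Object GUIDs from the ASF specification; ASF stores them little-endian on disk.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")

HEADER_PREFIX = 30   # GUID(16) + size(8) + object count(4) + 2 reserved bytes
OBJECT_PREFIX = 24   # GUID(16) + size(8)


def _guid_at(buf, off):
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16]))


def _sized_field(buf, off):
    """DWORD length followed by that many bytes; returns (payload, next offset)."""
    (length,) = struct.unpack_from("<I", buf, off)
    off += 4
    payload = bytes(buf[off:off + length])
    if len(payload) != length:
        raise ValueError("truncated field in ASF header")
    return payload, off + length


def find_license_urls(data):
    """Return every license-acquisition URL embedded in an ASF/WMV header.

    Checks the Content Encryption Object (last field is a NUL-terminated ASCII
    License URL) and the Extended Content Encryption Object (payload is a
    UTF-16 WRMHEADER XML blob with <LA_URL> elements). An empty list means the
    player has nowhere to send the user.
    """
    if len(data) < HEADER_PREFIX or _guid_at(data, 0) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF container")
    (header_size,) = struct.unpack_from("<Q", data, 16)
    (object_count,) = struct.unpack_from("<I", data, 24)
    end = min(header_size, len(data))
    urls = []
    off = HEADER_PREFIX
    for _ in range(object_count):
        if off + OBJECT_PREFIX > end:
            break
        guid = _guid_at(data, off)
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < OBJECT_PREFIX or off + size > end:
            raise ValueError("corrupt header object size")
        body = off + OBJECT_PREFIX
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT:
            _secret, body = _sized_field(data, body)   # Secret Data
            _ptype, body = _sized_field(data, body)    # Protection Type, e.g. b"DRM\0"
            _key_id, body = _sized_field(data, body)   # Key ID
            url, _ = _sized_field(data, body)          # License URL
            urls.append(url.rstrip(b"\x00").decode("ascii", "replace"))
        elif guid == ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT:
            blob, _ = _sized_field(data, body)
            xml = blob.decode("utf-16-le", "ignore").lstrip("\ufeff")
            urls.extend(m.strip() for m in re.findall(r"<LA_URL>(.*?)</LA_URL>", xml, re.S))
        off += size
    return urls


def scan_file(path):
    """Read only the ASF header of a (possibly huge) file and extract its URLs."""
    with open(path, "rb") as f:
        prefix = f.read(OBJECT_PREFIX)
        if len(prefix) < OBJECT_PREFIX:
            raise ValueError("file too short to be ASF")
        (header_size,) = struct.unpack_from("<Q", prefix, 16)
        return find_license_urls(prefix + f.read(max(header_size - OBJECT_PREFIX, 0)))


def build_sample_header(license_url=None, la_url=None):
    """Constructed test input (not a real movie): a minimal ASF header carrying
    the DRM objects a protected WMV would, with attacker-chosen placeholder URLs."""
    def sized(b):
        return struct.pack("<I", len(b)) + b

    def obj(guid, body):
        return guid.bytes_le + struct.pack("<Q", OBJECT_PREFIX + len(body)) + body

    children, count = b"", 0
    if license_url is not None:
        body = (sized(b"\x00" * 4) + sized(b"DRM\x00") + sized(b"KEYID\x00")
                + sized(license_url.encode("ascii") + b"\x00"))
        children += obj(ASF_CONTENT_ENCRYPTION_OBJECT, body)
        count += 1
    if la_url is not None:
        xml = ('<WRMHEADER version="2.0.0.0"><DATA><LA_URL>%s</LA_URL>'
               '</DATA></WRMHEADER>' % la_url).encode("utf-16-le")
        children += obj(ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT, sized(xml))
        count += 1
    return (ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", HEADER_PREFIX + len(children))
            + struct.pack("<I", count) + b"\x01\x02" + children)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it as `python asf_license_urls.py movie.wmv` before double-clicking anything pulled from a file-sharing network: a "movie" whose license URL points at a site unrelated to any content provider is the 2005 trick again, and the URL is attacker-controlled data whether or not the player's warning dialog is shown.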
Back in 2005, sharing pirated movies over peer-to-peer networks like eMule and KaZaA was rather popular. People who didn't want to pay for content weren't the only ones on these networks, though. Every now and then, attackers would seed a WMV file whose authorization URL led to a Trojan. Since the prompt came from a legitimate feature of one of Windows' built-in programs, many people trusted it and got infected.
Microsoft learned about the problem and tried to lower the number of infections by adding a warning to the DRM pop-up. It reads: "Web pages can contain elements that could be harmful to your computer. It is important to be certain that the content is from a trustworthy source before continuing."
Despite this, almost eleven years after the first attacks, the feature is being abused again, and the differences between what researchers saw in 2005 and what they are seeing today are minor.
Experts from Cyren downloaded a file called War-Dogs-2016-720p-BrRip-x264-SiNNERS and tried to play it in Windows Media Player. As soon as they did, the DRM message popped up saying that they did not have the right to watch the movie and that, if they wanted to, they had to go to the content provider's website. Clicking the Yes button led them to another pop-up, which claimed that their video codecs were out of date and promised that the Download button would fetch the latest codec from DivX. That is exactly what they got: clicking the button downloaded a file called codecfix.exe, which retrieved and installed the latest DivX codecs from the developer's website.
Unfortunately, in addition to the legitimate software that let them watch the movie, codecfix.exe also downloaded a dropper. Cyren didn't include many details about the actual type of malware that threatened their system, but whatever it is, the defence is the same as in 2005: treat a DRM "authorization" prompt from a file you obtained on a file-sharing network as untrusted, and never run a "codec update" that a web page pushes at you.