Windows Media Player Vulnerability Exploited to Push Rootkit Malware

Researchers at TrendMicro have discovered that a [patched] Windows Media Player remote execution flaw is being exploited in the wild to serve a malicious Trojan, identified as TROJ_DLOAD.QYUA, with rootkit capabilities.

“The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code,” Threat Response Engineer Roland Dela Paz wrote on the TrendMicro blog.

In the attack, the victim is taken to a malicious site with an HTML file that calls upon a MIDI file to trigger the exploit and uses JavaScript in order to decode the shellcode embedded within the HTML file.

If the vulnerability is successfully exploited, the shellcode is decoded and executed, and it then connects to another site to download an encrypted binary.

“This binary is then decrypted and executed as a malware detected as TROJ_DLOAD.QYUA,” Dela Paz wrote. “We’re still conducting further analysis on TROJ_DLOAD.QYUA, but so far we’ve been seeing some serious payload, including rootkit capabilities.”

The scary thing is that the user won’t know what hit them as the only thing they’ll see is the embedded Windows Media Player streaming the MIDI file on-screen – all of the malicious activity will be quietly carrying on in the background.

Windows Media Player playing malicious MIDI file

Image Credit: TrendMicro

Thankfully, Microsoft included a fix for this vulnerability in the last Patch Tuesday release, so Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 users are strongly advised to update their systems as soon as possible.

Aside from making sure your PC is fully patched with all of the necessary security updates, it’s a good idea to add an extra layer of protection by running antivirus software that offers real-time scanning.
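For defenders who want to triage captured pages (from a proxy or a mail gateway, for example), the following added example, which is not from TrendMicro or the original post, flags HTML that combines the two traits of the delivery page described above: a reference to a MIDI file and a script carrying a long encoded blob. The tag list, the escape styles matched, the threshold of 32 encoded units and the names `PageTriage` and `triage` are assumptions, since the article does not say how the shellcode was encoded.

```python
import re
from html.parser import HTMLParser

# Assumptions (not from the article): which tags can pull in media, and that an
# embedded payload appears as a long run of escaped characters in a script.
MEDIA_TAGS = {"embed", "object", "param", "bgsound", "audio", "source"}
URL_ATTRS = {"src", "data", "value"}
MIDI_URL = re.compile(r"\.midi?(?:[?#].*)?$", re.IGNORECASE)
ENCODED_RUN = re.compile(
    r"(?:%u[0-9a-f]{4}|\\u[0-9a-f]{4}|\\x[0-9a-f]{2}|%[0-9a-f]{2}){32,}",
    re.IGNORECASE)

class PageTriage(HTMLParser):
    """Collects MIDI references and scripts holding long encoded runs."""
    def __init__(self):
        super().__init__()
        self.midi_refs, self.encoded_scripts = [], 0
        self._script = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []
        elif tag in MEDIA_TAGS:
            for name, value in attrs:
                if name in URL_ATTRS and value and MIDI_URL.search(value.strip()):
                    self.midi_refs.append(value.strip())

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if ENCODED_RUN.search("".join(self._script)):
                self.encoded_scripts += 1
            self._script = None

def triage(html):
    """Flag a page only when both traits from the article occur together."""
    p = PageTriage()
    p.feed(html)
    p.close()
    return {"midi_refs": p.midi_refs, "encoded_scripts": p.encoded_scripts,
            "suspicious": bool(p.midi_refs) and p.encoded_scripts > 0}

# Constructed sample: harmless filler ("A" repeated), no decoder, no exploit.
SAMPLE = ('<html><body><embed src="track.mid" autostart="true">'
          '<script>var blob = "' + "%u0041" * 40 + '";</script></body></html>')

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason to inspect the page further, not a verdict: legitimate pages can embed MIDI files, and obfuscated scripts are common on benign sites.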


© 2014 Hyphenet, Inc.