Researchers at TrendMicro have discovered that a [patched] Windows Media Player remote code execution flaw is being exploited in the wild in order to serve a malicious Trojan – identified as TROJ_DLOAD.QYUA – with rootkit capabilities.
“The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code,” Threat Response Engineer Roland Dela Paz wrote on the TrendMicro blog.
If the vulnerability is successfully exploited, the embedded shellcode is decoded and executed; it then connects to another site to download an encrypted binary.
“This binary is then decrypted and executed as a malware detected as TROJ_DLOAD.QYUA,” Dela Paz wrote. “We’re still conducting further analysis on TROJ_DLOAD.QYUA, but so far we’ve been seeing some serious payload, including rootkit capabilities.”
The scary thing is that the user won’t know what hit them as the only thing they’ll see is the embedded Windows Media Player streaming the MIDI file on-screen – all of the malicious activity will be quietly carrying on in the background.
Image Credit: TrendMicro
Thankfully, Microsoft included a fix for this vulnerability on the last Patch Tuesday, so Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 users are strongly advised to update their systems as soon as possible.
Aside from making sure your PC is fully patched with all of the necessary security updates, it’s a good idea to add an extra layer of protection by running antivirus software that offers real-time scanning.