Users of various file-sharing platforms looking for (illegal) free copies of recently released motion pictures, such as Inception, Robin Hood or Predators, should think twice before hitting the Download button. Chances are that these movie aficionados will receive the nefarious Trojan.Wimad instead of the pirated versions of the hot stuff they’re after.
Ranking sixth in the BitDefender half-yearly malware chart and accounting for 2.68 percent of the total infections worldwide (according to the BitDefender H1 2010 E-Threat Landscape Report), Wimad abuses a feature built into multimedia files that lets a player look up the appropriate codec when the codec is not installed.
Cybercriminals have turned this feature into a sales channel for adware, a fake video player or a rogue antivirus: the "codec search" fires as soon as an unprotected user opens the maliciously crafted ASF, WMV, (manually renamed) AVI or any other file with an extension associated with Windows® Media® Player.
The formula is quite simple: take an (alleged multimedia) file, alter it, bundle it with the exploitation that Wimad uses and rename it after a blockbuster. Then upload it to sharing platforms and wait for it to be downloaded and played.
Figure 1 – The Wimad “haunted” file is available on P2P torrent Web sites.
Figure 2 – However, the alleged .AVI requires a “special player”.
Meanwhile, set up a Web site for a player or rogue AV, wait for the automatic codec searches to do their trick and ask for money from the gullible users.
Figure 3 – The “special player” is not for free (although I guess a ticket is cheaper than the so-called player).
Figure 4 – On other sharing platforms, splitting the file into multiple archives to avoid detection serves as an interesting evasive maneuver.
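The trick relies on the media file itself carrying a URL that the player follows, so a defender can look for that URL before the file is ever played. The scanner below is an added example written for this article, not BitDefender's code or any detection logic from the report: it parses the ASF header of a Windows Media file and reports two places where such a redirection can live, a Script Command of type "URL" and the license acquisition URL of a Content Encryption (DRM) object, plus the extension mismatch of an "AVI" that is really ASF. The page does not name these objects; which ones matter is the author's assumption, the object GUIDs are the ASF specification values as the author recalls them, and both sample files (including the `.invalid` domains) are constructed inline.

```python
"""Scan an ASF/WMV file for header objects that can send the player to a remote URL.

Added example; not BitDefender code. GUIDs are ASF specification values as
recalled by the author; sample files are constructed below.
"""
import struct
import uuid

ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_FILE_PROPERTIES = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")


def _read_guid(buf, off):
    # ASF stores GUIDs in the Windows mixed-endian on-disk layout.
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16]))


def _parse_script_commands(body):
    """Return (type name, command name) pairs from a Script Command Object payload."""
    n_cmd, n_types = struct.unpack_from("<HH", body, 16)  # after 16-byte reserved GUID
    off, types, cmds = 20, [], []
    for _ in range(n_types):
        (ln,) = struct.unpack_from("<H", body, off); off += 2
        types.append(body[off:off + 2 * ln].decode("utf-16-le")); off += 2 * ln
    for _ in range(n_cmd):
        _time, idx, ln = struct.unpack_from("<IHH", body, off); off += 8
        name = body[off:off + 2 * ln].decode("utf-16-le"); off += 2 * ln
        cmds.append((types[idx] if idx < len(types) else "?", name))
    return cmds


def _parse_content_encryption(body):
    """Return (protection type, license URL) from a Content Encryption Object payload."""
    off, fields = 0, []
    for _ in range(4):  # secret data, protection type, key id, license URL
        (ln,) = struct.unpack_from("<I", body, off); off += 4
        fields.append(body[off:off + ln]); off += ln
    _secret, prot, _keyid, url = fields
    return (prot.rstrip(b"\0").decode("ascii", "replace"),
            url.rstrip(b"\0").decode("ascii", "replace"))


def scan_asf(data, filename=""):
    """Return a list of human-readable findings; empty list means nothing suspicious."""
    findings = []
    if len(data) < 30 or _read_guid(data, 0) != ASF_HEADER:
        return findings  # not an ASF container at all
    if filename.lower().endswith(".avi"):
        findings.append("extension .avi but content is ASF/WMV")
    _hdr_size, n_objs = struct.unpack_from("<QI", data, 16)
    off = 30  # header object: GUID(16) + size(8) + count(4) + 2 reserved bytes
    for _ in range(n_objs):
        if off + 24 > len(data):
            break
        guid = _read_guid(data, off)
        (size,) = struct.unpack_from("<Q", data, off + 16)
        body = data[off + 24:off + size]
        if guid == ASF_SCRIPT_COMMAND:
            for kind, name in _parse_script_commands(body):
                if kind.upper() == "URL":
                    findings.append(f"script command opens URL: {name}")
        elif guid == ASF_CONTENT_ENCRYPTION:
            prot, url = _parse_content_encryption(body)
            findings.append(f"{prot} license acquisition URL: {url}")
        off += size
    return findings


# --- constructed sample files (not real malware) ---------------------------
def _obj(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def _script_obj(commands):
    types = sorted({t for t, _ in commands})
    body = b"\0" * 16 + struct.pack("<HH", len(commands), len(types))
    for t in types:
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for t, name in commands:
        body += struct.pack("<IHH", 0, types.index(t), len(name)) + name.encode("utf-16-le")
    return _obj(ASF_SCRIPT_COMMAND, body)


def _content_enc_obj(url):
    parts = [b"\0" * 4, b"DRM\0", b"KEY\0", url.encode("ascii") + b"\0"]
    return _obj(ASF_CONTENT_ENCRYPTION, b"".join(struct.pack("<I", len(p)) + p for p in parts))


def build_asf(objects):
    body = b"".join(objects)
    return (ASF_HEADER.bytes_le + struct.pack("<Q", 30 + len(body))
            + struct.pack("<IBB", len(objects), 1, 2) + body)


CLEAN = build_asf([_obj(ASF_FILE_PROPERTIES, b"\0" * 80)])
SUSPECT = build_asf([_obj(ASF_FILE_PROPERTIES, b"\0" * 80),
                     _script_obj([("URL", "http://player-download.invalid/get-player")]),
                     _content_enc_obj("http://license.invalid/buy")])

if __name__ == "__main__":
    print("clean:", scan_asf(CLEAN, "trailer.wmv"))
    print("suspect:", scan_asf(SUSPECT, "Blockbuster.avi"))
```

On a real download the scanner is run on the file before it is opened; a non-empty result is reason enough to delete the file, since a legitimate movie rip has no business pointing the player at a web site.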
For the moment, I suggest you think twice before deciding not to buy a ticket and to download recently released movies from the underground. You never know what that file will actually bring you.
Safe surfing everybody!
The technical description referenced in this article is available courtesy of Daniel Chipiristeanu, BitDefender Threats Researcher.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.