malware analysis: free video codec

This malware analysis is amazingly interesting to read. While not too deep, technically, this is the kind of analysis that is not really beyond any typical sysadmin or desktop support person.

A few points on why this is significant.

1) The malware is downloaded via social engineering someone to download a free codec in order to play some video. This is not atypical behavior, in fact, I see this every now and then on legitimate (non-porn) movies and happily go searching for codes or just let it auto-check and install. A typical user will be fooled by this attempt, as could any user searching for the codec randomly (if you need a divx codec, you hit, you don’t randomly search for and install the myriad odd “divx” codecs from mysterious sites).

2) The malware took over the DNS queries of the system and even actively took over browsing targets in IE. It is possible this malware could return commands via DNS responses? It is definitely possible, as the analysis authors mentions (I really like when authors illustrate just how bad things could get with a piece of malware), that false DNS requests can be given. You want Windows Update? No, you want our site to download false Updates with more malware! I’d really like to see some packet captures of the results, if they are abnormal in any way.

3) Just goes to show that if malware can get you to execute a file on your system, that system is no longer your system.