On May 28, our colleagues at the Microsoft Security Response Center released advisory 971778, which describes a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. You can obtain more details on how to protect your environment from this vulnerability from the Microsoft SRD blog.

We have been closely monitoring the malware landscape for threats that leverage exploits against this new vulnerability. Based on MAPP information provided to us, we developed and released a generic detection for malformed media files, Exploit:Win32/CVE-2009-1537. We have also developed detections for the known malicious web pages, which are detected as Exploit:JS/Mult.BM or Trojan:HTML/Redirector.I. Our security products, such as Windows Live OneCare, Microsoft Security Essentials, and Forefront Client Security, can block access to these malformed media files with signature definition update version 1.59.798 or higher.

While we are aware of several distinct files containing these exploits, our telemetry shows that the number of affected customers is very low. For our fellow researchers at other security companies, here are the SHA1 and MD5 hashes of the malformed media files:

SHA1                                       MD5
2203a2e9a22f8eedb14afbf12af7ce9e70b1abd9   7334880a6ca750db02530fb66ba426ad
9b9e829eeb5215a6d6970a37d42672f5e1504846   40f56aacb823a28c2b70287692c4a338
bcd76e2c4c174b8bf5866cc0dbd2233db809b05d   599c92d7ee4f404ebe1ccf2034bee60f
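For researchers and administrators who want to sweep a file share or a browser cache for the files listed above, here is a small hash-matching scanner. It is an added example written for this post, not a tool from the Microsoft Malware Protection Center; the only page-derived data it carries are the SHA1 and MD5 values from the table, and the sample file it scans in the demo is a constructed placeholder, not a real media file.

```python
import hashlib
import os
import tempfile

# IoC hashes taken from the table above (one SHA1/MD5 pair per malformed media file).
KNOWN_BAD_SHA1 = {
    "2203a2e9a22f8eedb14afbf12af7ce9e70b1abd9",
    "9b9e829eeb5215a6d6970a37d42672f5e1504846",
    "bcd76e2c4c174b8bf5866cc0dbd2233db809b05d",
}
KNOWN_BAD_MD5 = {
    "7334880a6ca750db02530fb66ba426ad",
    "40f56aacb823a28c2b70287692c4a338",
    "599c92d7ee4f404ebe1ccf2034bee60f",
}


def hash_bytes(data):
    """Return (sha1_hex, md5_hex) for an in-memory buffer."""
    return hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Return (sha1_hex, md5_hex) for a file, streaming so large media files stay cheap."""
    sha1 = hashlib.sha1()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def verdict(sha1_hex, md5_hex):
    """Classify a digest pair against the published IoCs.

    "match"   - both digests are on the list (same file as published)
    "partial" - only one digest matched; unlikely, but worth a manual look
    "clean"   - neither digest is on the list (says nothing about unknown variants)
    """
    sha1_hit = sha1_hex.lower() in KNOWN_BAD_SHA1
    md5_hit = md5_hex.lower() in KNOWN_BAD_MD5
    if sha1_hit and md5_hit:
        return "match"
    if sha1_hit or md5_hit:
        return "partial"
    return "clean"


def scan_directory(root):
    """Walk root and return (path, sha1_hex, md5_hex, verdict) for every readable regular file.

    Files are not filtered by extension on purpose: a drive-by page can serve the
    malformed media file under any name, so every file gets hashed.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha1_hex, md5_hex = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            results.append((path, sha1_hex, md5_hex, verdict(sha1_hex, md5_hex)))
    return results


def demo():
    """Constructed sample: write a harmless placeholder file into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.mov")
        with open(sample, "wb") as fh:
            fh.write(b"constructed placeholder, not a real media file\n")
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, sha1_hex, md5_hex, result in demo():
        print(f"{result:8} {sha1_hex} {md5_hex} {path}")
```

Point `scan_directory()` at a browser cache or download folder to get a list of verdicts; a "clean" result only means the file is not one of the three published samples, so it is no substitute for an up-to-date antimalware signature set.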

The known exploits follow a typical drive-by attack scenario, as shown in the following diagram:

Users who visit a specially constructed web page that invokes the vulnerable media plug-in encounter exploit shellcode, which then executes and downloads additional malware to the infected machine. To bypass antimalware protection, the malware binaries are encrypted in the download data stream.

New dog, same old tricks. To wrap up the attack scene: under the cover of the new exploits come the same long-lived online-game password stealers:

PWS:Win32/Wowsteal.AP (drops PWS:Win32/Wowsteal.AP.dll)
TrojanDropper:Win32/Dozmot.C (drops PWS:Win32/Dozmot.C and VirTool:WinNT/Dozmot.A)
TrojanSpy:Win32/Lydra.AE

We recommend you revisit these security tips during your online and gaming adventures. As usual, be cautious when visiting web sites and opening movie files from untrusted sources, and make sure your antivirus software is up to date. Microsoft will release a security update for this issue and once that happens, install it immediately.

-- Lena Lin, Cristian Craioveanu, Josh Phillips & Patrick Nolan