New Opera v9.51 fixes couple of security issues
A new version of Opera (v9.51) has been released. It fixes couple of security vulnerabilities and some stability issues. One of the fixed issues includes arbitrary code execution but the exploit has not been published yet.
In any case, if you are an Opera user, download the latest version from http://www.opera.com/download/
Detecting scripts in ASF files (part 2)
Back in April, I wrote a diary about an interesting ASF files that had a script stream included (http://isc.sans.org/diary.html?storyid=4355). The script stream caused Windows Media Player to use Internet Explorer to retrieve content from a URL embedded in the script. As you can probably already guess, the URL lead to a web site serving some malware. Some other AV vendors picked this as well.
I asked if some of our readers know of a utility that would allow us to extract script streams from ASF files. Initially I found that there is a utility from Microsoft, Windows Media File Editor, that allows one to list script commands.
One of our readers, James Dean, did a great job and wrote a small utility that allows you to list embedded script commands from command line, without using any GUI tools. This is great for batch analysis of multiple ASF files. You just need to create a directory, put all ASF files into it and run the tool with the directory name as a parameter. Here's one such example with two malicious ASF files:
D:\Work>findasfcommands.exe test
test\weird.mp3
There is one type:
Type Number Type
----------- -------------------------------------
0 URLANDEXIT
There is one command:
Millisecond Type Number Command
----------- ----------- -------------------------------------
3000 0 http://www.fastmp3player.com/affiliates/772465/1/
James kindly sent the source file to us and I compiled it for Windows. You can download the ZIP archive here. MD5 of the ZIP archive is c9e5bba11051cfbc98dfa451442a71e8.
With some modifications this can work on Linux as well – if you have time to modify the code let us know and we'll post the code for Linux as well since a lot of researchers use it.
--
Bojan
Comments