January 27th, 2012, 12:15 GMT · By Eduard Kovacs

MIDI File Uses Windows Bug to Serve Malware

[Image caption: This is what users see while the malicious routines are being executed]
Security researchers have found a malicious MIDI file that allows an attacker to execute arbitrary code remotely by exploiting a vulnerability that Microsoft patched in the security updates released on January 10, 2012.

Counting on the fact that many users are slow to apply security patches, the cybercriminals social-engineer unsuspecting users into opening a page that loads a specially crafted MIDI file, which in turn installs several pieces of malware, some of them with rootkit capabilities.

Trend Micro experts found a domain hosting three malicious files designed to trigger the vulnerability, which is reached when the Windows Multimedia Library used by Windows Media Player (WMP) mishandles the crafted MIDI file.

The HTML file that serves the malicious components, detected as HTML_EXPLT.QYUA, loads TROJ_MDIEXP.QYUA (the MIDI file) to trigger the exploit and uses a JavaScript component, detected as JS_EXPLT.QYUA, to decode the shellcode embedded in the body of the HTML page.

Once the vulnerability is successfully exploited, the shellcode runs and connects to a site to download an encrypted binary, identified as TROJ_DLOAD.QYUA.

TROJ_DLOAD.QYUA is still being analyzed, but initial analysis shows that its payload is highly dangerous: it drops RTKT_MDIEXP.QYUA, which has rootkit capabilities, and a backdoor detected as BKDR_EAYLA.QYUA.

While all of this happens, the user sees only a Media Player window playing an innocent-looking MIDI file called baby.mid.
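As an added illustration (this is not code from Softpedia or from the Trend Micro analysis, and it is not a detector for this particular exploit, whose exact trigger the article does not describe), here is a structural sanity check for Standard MIDI Files that a responder could run over a suspicious .mid before it goes anywhere near a media player. It parses the MThd/MTrk chunk layout and each track's event stream and reports departures from the SMF specification: chunk lengths that overrun the file, data bytes with the high bit set (the specification reserves 0x80-0xFF for status bytes), SysEx or meta-event lengths that run past the track, and a track with no End-of-Track event. The three sample files (a clean one, one with an out-of-range note number, and one whose track chunk claims more bytes than exist) are constructed inline for the example.

```python
"""Structural sanity check for Standard MIDI Files (added example, constructed data)."""
import struct

# Number of data bytes that follow each channel-voice status byte (by high nibble).
_DATA_BYTES = {0x80: 2, 0x90: 2, 0xA0: 2, 0xB0: 2, 0xC0: 1, 0xD0: 1, 0xE0: 2}


def _read_vlq(data, pos):
    """Read a variable-length quantity; return (value, new_pos) or raise ValueError."""
    value = 0
    for _ in range(4):                        # the spec caps a VLQ at four bytes
        if pos >= len(data):
            raise ValueError("variable-length quantity runs past end of track")
        b, pos = data[pos], pos + 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos
    raise ValueError("variable-length quantity longer than 4 bytes")


def check_track(track):
    """Walk one MTrk payload; return a list of spec violations (empty if clean)."""
    problems, pos, running = [], 0, None
    try:
        while pos < len(track):
            _, pos = _read_vlq(track, pos)    # delta time precedes every event
            if pos >= len(track):
                raise ValueError("track ends after a delta time")
            if track[pos] & 0x80:             # explicit status byte
                status, pos = track[pos], pos + 1
            elif running is None:
                raise ValueError("data byte 0x%02X at offset %d with no running status"
                                 % (track[pos], pos))
            else:
                status = running              # running status: reuse the last channel status
            if status == 0xFF:                # meta event: type, length, payload
                if pos >= len(track):
                    raise ValueError("truncated meta event")
                meta_type, pos = track[pos], pos + 1
                length, pos = _read_vlq(track, pos)
                if pos + length > len(track):
                    raise ValueError("meta event length %d overruns track" % length)
                pos += length
                running = None
                if meta_type == 0x2F:         # End of Track must be the final event
                    if pos != len(track):
                        problems.append("%d trailing bytes after End of Track" % (len(track) - pos))
                    return problems
            elif status in (0xF0, 0xF7):      # SysEx / escape: length, payload
                length, pos = _read_vlq(track, pos)
                if pos + length > len(track):
                    raise ValueError("SysEx length %d overruns track" % length)
                pos += length
                running = None
            elif (status & 0xF0) in _DATA_BYTES:
                n = _DATA_BYTES[status & 0xF0]
                if pos + n > len(track):
                    raise ValueError("truncated channel event 0x%02X" % status)
                for d in track[pos:pos + n]:  # data bytes must be in 0x00-0x7F
                    if d & 0x80:
                        problems.append("data byte 0x%02X with high bit set after status "
                                        "0x%02X at offset %d" % (d, status, pos))
                pos += n
                running = status
            else:
                raise ValueError("unexpected status byte 0x%02X at offset %d" % (status, pos - 1))
        problems.append("track has no End of Track meta event")
    except ValueError as e:
        problems.append(str(e))
    return problems


def check_midi(data):
    """Check a whole SMF blob; return a list of problems (empty if it looks well formed)."""
    if len(data) < 14 or data[:4] != b"MThd":
        return ["missing or short MThd header"]
    problems = []
    hdr_len, fmt, ntrks, _division = struct.unpack(">IHHH", data[4:14])
    if hdr_len != 6:
        problems.append("MThd length is %d, expected 6" % hdr_len)
    if fmt not in (0, 1, 2):
        problems.append("unknown SMF format %d" % fmt)
    pos, tracks = min(8 + hdr_len, len(data)), 0
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (chunk_len,) = struct.unpack(">I", data[pos + 4:pos + 8])
        body = data[pos + 8:pos + 8 + chunk_len]
        if len(body) < chunk_len:             # declared length runs past the file
            problems.append("chunk %r length %d overruns file" % (chunk_id, chunk_len))
            pos = len(data)                   # nothing after this can be trusted
            break
        if chunk_id == b"MTrk":
            tracks += 1
            problems += ["track %d: %s" % (tracks, p) for p in check_track(body)]
        else:                                 # the spec says to skip unknown chunks
            problems.append("unknown chunk id %r skipped" % chunk_id)
        pos += 8 + chunk_len
    if pos != len(data):
        problems.append("%d trailing bytes after last chunk" % (len(data) - pos))
    if tracks != ntrks:
        problems.append("header declares %d tracks, found %d" % (ntrks, tracks))
    return problems


def _smf(track):
    """Assemble a single-track format-0 SMF around a raw MTrk payload (constructed data)."""
    return (b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96)
            + b"MTrk" + struct.pack(">I", len(track)) + track)


# Constructed samples: note-on C4, note-off 96 ticks later, End of Track.
GOOD_TRACK = bytes.fromhex("00903c40 60803c40 00ff2f00")
BAD_TRACK = bytes.fromhex("0090bc40 60803c40 00ff2f00")   # note number 0xBC is out of range
GOOD_MIDI = _smf(GOOD_TRACK)
BAD_MIDI = _smf(BAD_TRACK)
# Track chunk claims 100 bytes but only 12 follow it.
TRUNCATED_MIDI = (b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96)
                  + b"MTrk" + struct.pack(">I", 100) + GOOD_TRACK)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_MIDI), ("bad", BAD_MIDI), ("truncated", TRUNCATED_MIDI)):
        print(name, check_midi(blob) or "OK")
```

A file that fails these checks is not necessarily malicious, and a file that passes them is not necessarily safe; the point of the check is to keep a malformed file out of the parser that would otherwise be the first thing to touch it, and to give the responder something concrete to quote in a triage note. Real samples should be checked with `check_midi(open(path, "rb").read())`.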

Users who have already applied the update that addresses these weaknesses should be safe, but those who have not installed the patches from January's Security Bulletin are advised to do so immediately.

Also, if a Media Player window playing a MIDI file you did not ask for appears on the screen, disconnect the machine from the network or shut it down immediately, then run a full system scan with an up-to-date antivirus solution to make sure no traces of the malware remain.

More information is available in the Microsoft Security Bulletin, released on January 10, 2012, that patches the vulnerabilities.
