WMP DRM still susceptible to social engineering attacks

Sep 7, 2016 06:39 GMT

Ten years after this technique was first observed online and used to spread a simple trojan, malware coders are still abusing it to deliver all sorts of nasties.

More than ten years ago, Windows users were surprised and annoyed to discover that the DRM package in the Windows Media Player could be used to deliver malware to users.

Every time the user tried to play a DRM-protected file in the Windows Media Player, the app would show a popup, asking the user to access an authorization URL that would verify their license, or allow them to buy a license and view the file's content.

Crooks who were distributing pirated movies and songs via KaZaA or eMule discovered that they could lock their files with a DRM popup, but instead of an authorization URL, they would include a link to the malware.
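Because the lure lives in the file's own DRM header, a defender can read the license URL out of a WMV/WMA file before anyone opens it. The scanner below is an added example, not code from the article or from Cyren: it walks the ASF header, pulls the license-acquisition URL from the Content Encryption object (and the LA_URL of the extended, WMDRM v7+ object), and flags any URL whose host is not on an allow-list of known license servers. The sample file bytes, URLs and host names are constructed for the demonstration.

```python
import re
import struct
import uuid
from urllib.parse import urlparse

# Object GUIDs from the ASF specification.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")

def header_objects(data):
    """Yield (guid, body) for every object nested in the ASF Header Object."""
    if uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        raise ValueError("not an ASF (WMV/WMA) file")
    count = struct.unpack_from("<I", data, 24)[0]
    pos = 30  # GUID + object size + object count + two reserved bytes
    for _ in range(count):
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        yield guid, data[pos + 24:pos + size]
        pos += size

def license_urls(data):
    """Return every license-acquisition URL the DRM header would send WMP to."""
    urls = []
    for guid, body in header_objects(data):
        if guid == CONTENT_ENCRYPTION:
            # Secret data, protection type, key ID, license URL: each a 4-byte LE length + bytes.
            pos, fields = 0, []
            for _ in range(4):
                n = struct.unpack_from("<I", body, pos)[0]
                fields.append(body[pos + 4:pos + 4 + n])
                pos += 4 + n
            urls.append(fields[3].rstrip(b"\0").decode("ascii", "replace"))
        elif guid == EXT_CONTENT_ENCRYPTION:
            # WMDRM v7+ stores a UTF-16LE WRMHEADER XML blob after a 4-byte data size.
            text = body[4:].decode("utf-16-le", "ignore")
            urls.extend(re.findall(r"<LA_URL>(.*?)</LA_URL>", text))
    return urls

def untrusted_license_urls(data, trusted_hosts):
    """URLs whose host is not a known license server deserve analyst attention."""
    return [u for u in license_urls(data) if urlparse(u).hostname not in trusted_hosts]

# Constructed sample: a minimal ASF header carrying one Content Encryption Object.
asf_obj = lambda guid, body: guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body
lv = lambda b: struct.pack("<I", len(b)) + b  # length-prefixed field
_ce = asf_obj(CONTENT_ENCRYPTION, lv(b"\x01\x02") + lv(b"DRM\0") + lv(b"KEY0\0")
              + lv(b"http://drm.example.invalid/verify\0"))  # constructed URL
SAMPLE_WMV = ASF_HEADER.bytes_le + struct.pack("<QIBB", 30 + len(_ce), 1, 1, 2) + _ce
```

Running `untrusted_license_urls(open(path, "rb").read(), {"your.license.server"})` over a download folder surfaces files whose DRM prompt would open something other than a real license server.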

Same technique, same attack vector, ten years later

Fast forward ten years, and according to a report from cyber-security vendor Cyren, this technique is still in use today and was just detected as the source of a recent infection.

This time around, malware authors modified a video file for a pirated movie ("War-Dogs-2016-720p-BrRip-x264-SiNNERS") so that it asks users to verify their license.

When users clicked the "Yes" button to open the authorization URL, they would be greeted by another popup (image below) that used a very convincing message that told users they'd need a newer codec file to view the video file.

Since users today are used to installing codec upgrades to view video files, the chances are high that a large number of them will click the download link, download the "codec" (the malware) and get infected.

For its part, Microsoft addressed this attack vector by including a warning in the original DRM popup that read, "Web pages can contain elements that could be harmful to your computer. It is important to be certain that the content is from a trustworthy source before continuing."

Technically, the company couldn't have done more than this, since other modifications would have broken the DRM functionality. Microsoft had to bite the bullet on this attack vector and hope that users were smart enough to detect a social engineering scam when they saw it.

First popup, luring victims to open a malicious URL
Second popup linking to the malware