On May 28, our colleagues at the Microsoft Security Response Center released Security Advisory 971778, which describes a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. Details on how to protect your environment from this vulnerability are available on the Microsoft SRD blog.
We have been closely monitoring the malware landscape for threats that leverage exploits against this vulnerability. Based on information provided to us through MAPP, we developed and released a generic detection for the malformed media files, Exploit:Win32/CVE-2009-1537. We have also added detections for the known malicious web pages, as Exploit:JS/Mult.BM and Trojan:HTML/Redirector.I. Our security products, such as Windows Live OneCare, Microsoft Security Essentials and Forefront Client Security, block access to these malformed media files with signature definition update version 1.59.798 or higher.
While we are aware of several distinct files containing these exploits, our telemetry shows that the number of affected customers is very low. For our fellow researchers at other security companies, here are some SHA1 hashes of the malformed media files:
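As an added example that is not part of the original post: a small Python scanner that checks files on disk against a shared SHA1 indicator list of the kind referred to above. The file contents and the hash list inside it are constructed placeholders (the post's real hashes are not reproduced), and the function and file names are assumptions made for the example. Every file is hashed regardless of extension, because a drive-by page serves the malformed file under whatever name it likes.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample contents, NOT real exploit files: just bytes that stand in
# for a malformed media file and a benign one so the scanner runs offline.
SAMPLE_MALFORMED = b"moov" + b"\x00" * 64 + b"constructed sample, not a real exploit"
SAMPLE_BENIGN = b"moov" + b"\x01" * 64


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA1 so large media files need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_indicators(text):
    """Parse a shared hash list: one SHA1 per line, '#' comments allowed, any letter case.

    A line that is not a 40-character hex digest is rejected outright rather than
    skipped, since a mangled indicator would otherwise turn into a silent miss.
    """
    indicators = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) != 40 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"not a SHA1 hex digest: {raw!r}")
        indicators.add(line)
    return indicators


def scan_tree(root, indicators):
    """Hash every regular file under root and return (relative path, digest) for hits.

    No extension filter: the file name chosen by the attacker's page is not trusted.
    """
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = sha1_of_file(path)
        if digest in indicators:
            hits.append((str(path.relative_to(root)), digest))
    return hits


def demo():
    """Build a throwaway directory with the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clip.mov").write_bytes(SAMPLE_MALFORMED)
        (root / "ok.mov").write_bytes(SAMPLE_BENIGN)
        # Same malformed bytes under an unrelated name: must still be caught.
        (root / "renamed.dat").write_bytes(SAMPLE_MALFORMED)

        # Hash list as a researcher might share it. The digest is computed here from
        # the constructed sample because the post's real hashes are not reproduced.
        hash_list = (
            "# constructed indicator list\n"
            + hashlib.sha1(SAMPLE_MALFORMED).hexdigest().upper()
            + "\n"
        )
        hits = scan_tree(root, load_indicators(hash_list))
        return [name for name, _ in hits]


if __name__ == "__main__":
    for name in demo():
        print("MATCH", name)
```

Point `scan_tree` at a browser cache or temporary-files directory and feed it the real hash list to check a suspect machine; the uppercase digest in the constructed list shows that case differences in a shared list do not cause misses.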
The known exploits follow the typical drive-by attack scenario shown in the following diagram:
A user who visits a specially constructed web page that invokes the vulnerable media plug-in triggers the exploit shellcode, which then downloads and executes additional malware on the infected machine. To bypass antimalware protection, the malware binaries are encrypted in the download data stream.
New dog, same old tricks. To complete the picture, under the cover of the new exploits are the old, long-lived online-game password stealers:
We recommend revisiting these security tips during your online and gaming adventures. As usual, be cautious when visiting web sites and opening movie files from untrusted sources, and make sure your antivirus software is up to date. Microsoft will release a security update for this issue; once it is available, install it immediately.
-- Lena Lin, Cristian Craioveanu, Josh Phillips & Patrick Nolan