Ten Ways to Dodge Cyber-Bullets (Part 10)

[Part 10 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series is also available shortly at http://www.eset.com/download/whitepapers.php as a white paper.]

Don’t be a Crackhead

Don’t use cracked/pirated software. Such programs provide an easy avenue for introducing malware into (or exploiting weaknesses in) a system. The illegal P2P (peer-to-peer) distribution of copyrighted audio and video files is dangerous: some of these are counterfeited or modified so that they can be used directly in the malware distribution process.

Even if a utility seems to come from a trusted and trustworthy source rather than Mrs. Miggins’ Warez Emporium, it pays to verify as best you can that it’s genuine.

Win32/GetCodec.A, which is as common now as it was a year ago, is a type of malware that modifies media files. This Trojan converts all audio files found on a computer to the WMA format and adds a field to the header that includes a URL pointing the user to malicious content, claiming that the fake “codec” has to be downloaded so that the media file can be read. 
WMA/TrojanDownloader.GetCodec.Gen is a downloader which facilitates infection by GetCodec variants like Win32/GetCodec.A.

Passing off a malicious file as a new video codec is a long-standing social engineering technique exploited by many malware authors and distributors. The victim is tricked into running malicious code he believes will do something useful or interesting. While there’s no simple, universal test to indicate whether what appears to be a new codec is a genuine enhancement or a Trojan horse of some sort, we would encourage you to be cautious and skeptical: about any unsolicited invitation to download a new utility. Even if the utility seems to come from a trusted site (see http://www.eset.com/threat-center/blog/?p=828, for example), it pays to verify as best you can that it’s genuine.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/