Can a rogue .wmv file "hijack" Windows Media Player?

This video file uses (well, abuses) Windows Media Player's DRM functionality, which allows content providers to embed a URL in their protected content that will be displayed in a Windows Media Player window to allow the user to acquire a license to play the content. Its legitimate usage goes like this:

  • user registers on an online music store and downloads some DRM-protected files, which have their actual media content encrypted
  • user opens them in Windows Media Player, which opens a window with the URL specified in the media file, in this case a legitimate URL from the music store which asks for the user's login
  • user enters his credentials, the music store authenticates them and gives WMP the decryption key, which is then cached, and the file can now be played

In this case, the feature has been abused to display a fake WMP error about missing codecs (it's in reality a webpage, as the domain name in the top bar suggests, and if it were real the window would've been much smaller) to make you click a (fake) button that points to malware masquerading as codecs.

There's some more info about this DRM system on Wikipedia, and it seems to be deprecated in favour of PlayReady. Whether this new iteration will allow such abuse isn't yet known.
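The license-acquisition flow described in this answer can be checked on a suspect file before anyone opens it in WMP. What follows is an added example and not part of the original answer: a Python script that walks the ASF header of a WMV file and pulls the license URL out of the Content Encryption Object, which is where Windows Media DRM stores it. The object GUIDs and the four length-prefixed fields follow the public ASF specification as I read it; the sample file it builds, and the `license.example.invalid` URL inside it, are constructed for the demo.

```python
"""Triage check: does a WMV/ASF file carry a DRM license-acquisition URL?

Windows Media DRM keeps the license URL in the ASF Content Encryption
Object inside the file's Header Object.  This script walks the header,
finds that object and returns the URL, so an analyst can see where WMP
would send the user before the file is ever opened.
"""
import struct
import uuid

# Object GUIDs from the ASF specification (stored little-endian, as Windows GUIDs are)
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_FILE_PROPERTIES_OBJECT = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")

DRM_OBJECT_NAMES = {
    ASF_CONTENT_ENCRYPTION_OBJECT: "Content Encryption",
    ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT: "Extended Content Encryption",
}


def iter_header_objects(data: bytes):
    """Yield (guid, payload) for every top-level object inside the ASF Header Object."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF/WMV file (missing Header Object GUID)")
    # Header Object: 16-byte GUID, 8-byte size, 4-byte object count, 2 reserved bytes
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(header_size, len(data))
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # truncated or malformed object: stop instead of reading past the header
        yield guid, data[pos + 24:pos + size]
        pos += size


def parse_content_encryption(payload: bytes) -> dict:
    """Decode the four length-prefixed fields of a Content Encryption Object."""
    fields, pos = {}, 0
    for name in ("secret_data", "protection_type", "key_id", "license_url"):
        if pos + 4 > len(payload):
            raise ValueError(f"Content Encryption Object truncated before {name}")
        length = struct.unpack_from("<I", payload, pos)[0]
        pos += 4
        if pos + length > len(payload):
            raise ValueError(f"{name} length {length} runs past the end of the object")
        fields[name] = payload[pos:pos + length]
        pos += length
    return fields


def find_license_url(data: bytes):
    """Return the DRM license URL of an ASF file, or None if it has no Content Encryption Object."""
    for guid, payload in iter_header_objects(data):
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT:
            url = parse_content_encryption(payload)["license_url"]
            return url.rstrip(b"\x00").decode("ascii", errors="replace")
    return None


def drm_objects_present(data: bytes) -> set:
    """Names of the DRM-related header objects found, for a quick yes/no triage."""
    return {DRM_OBJECT_NAMES[g] for g, _ in iter_header_objects(data) if g in DRM_OBJECT_NAMES}


# --- constructed sample file (not a real malicious WMV) -----------------------------
def _asf_object(guid: uuid.UUID, payload: bytes) -> bytes:
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def _length_prefixed(*parts: bytes) -> bytes:
    return b"".join(struct.pack("<I", len(p)) + p for p in parts)


def build_sample(license_url=None) -> bytes:
    """Minimal ASF header; with a license_url it also carries a DRM Content Encryption Object."""
    objects = [_asf_object(ASF_FILE_PROPERTIES_OBJECT, b"\x00" * 80)]  # placeholder body
    if license_url is not None:
        objects.append(_asf_object(
            ASF_CONTENT_ENCRYPTION_OBJECT,
            _length_prefixed(b"\x00" * 8, b"DRM\x00", b"key-id\x00", license_url + b"\x00")))
    body = b"".join(objects)
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QI", 30 + len(body), len(objects)) + b"\x01\x02" + body


if __name__ == "__main__":
    sample = build_sample(b"http://license.example.invalid/acquire")  # constructed URL
    print("DRM objects:", drm_objects_present(sample))
    print("license URL:", find_license_url(sample))
```

The script only surfaces the URL; whether that URL belongs to a music store or to a page dressed up as a codec error is a judgement for the analyst. Files protected with the later Windows Media DRM 10 format put their data in the Extended Content Encryption Object as an opaque blob, which this script reports as present but does not decode.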


The WMV file in question was probably crafted to exploit a vulnerability in Windows Media Player. The explicit request to use Windows Media Player to play it points in that direction. It was probably intended to steer victims away from other players which wouldn't be vulnerable to the exploit.

The vulnerability was then exploited to request the download of a malware program disguised as a codec installation package, a popular ploy, since users would expect codec installation when playing a media file.

Tags: Windows, Virus