3 July 2007 16:25 GMT
SMIL(e), you have been exploited
Web and HTTP protocols are the most common vehicles for delivering exploits and web browsers are the most commonly targeted applications. Most of the exploits we see these days target the process space of Internet Explorer.
Today we received an interesting submission consisting of an SMIL file. SMIL, pronounced "smile", stands for Synchronized Multimedia Integration Language. It is an XML-based language for describing multimedia content, such as interactive presentations, for display in media players without requiring a scripting language. The most popular player with SMIL support is Real Player.
The SMIL sample we received clearly contained shellcode in the system-screen-size attribute of the text tag.
The shellcode is obfuscated with a simple XOR encoding that it decrypts at runtime. If it runs successfully, it uses HTTP to connect to a website in China and downloads and runs a password-stealing Trojan targeting the popular Korean online role-playing game Lineage. I have added the URL used by the shellcode to the list of URLs blocked by Sophos’s WS1000 Web Security Appliance.
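The two observations above, an oversized binary blob in an attribute that should hold something like "1024X768", and a single-byte XOR layer hiding a download URL, are both cheap to check for at scan time. The following is an added example written for this post, not SophosLabs code and not the sample described: it extracts attributes from an SMIL file with a tolerant regex (hostile files are often not well-formed XML), flags values that are oversized, binary-looking, or malformed for system-screen-size, and then brute-forces the 256 single-byte XOR keys looking for an embedded "http://" string. The benign and hostile SMIL inputs, the filler bytes standing in for a payload, the reserved placeholder domain example.invalid and the key 0x37 are all constructed for the example; the length and ratio thresholds are chosen here, not taken from the post.

```python
import re

# Tolerant attribute extraction: a hostile SMIL file is often not well-formed
# XML, so a strict parser could reject it before any inspection happens.
ATTR_RE = re.compile(rb'([A-Za-z_][\w:.-]*)\s*=\s*"([^"]*)"')

# A legitimate system-screen-size value looks like "1024X768".
SANE_SCREEN_SIZE = re.compile(rb'^\d{1,5}[xX]\d{1,5}$')

MAX_ATTR_LEN = 128   # heuristic threshold chosen for this example
BINARY_RATIO = 0.10  # share of non-printable bytes that looks like code, not text


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def suspicious_attributes(smil: bytes):
    """Return one dict per attribute whose value does not look like ordinary
    SMIL text: {"name", "length", "reasons", "value"}."""
    findings = []
    for m in ATTR_RE.finditer(smil):
        name, value = m.group(1), m.group(2)
        reasons = []
        if len(value) > MAX_ATTR_LEN:
            reasons.append("oversized")
        non_printable = sum(1 for b in value if b < 0x20 or b > 0x7E)
        if value and non_printable / len(value) > BINARY_RATIO:
            reasons.append("binary-looking")
        if name.lower() == b"system-screen-size" and not SANE_SCREEN_SIZE.match(value):
            reasons.append("malformed system-screen-size")
        if reasons:
            findings.append({"name": name.decode("ascii", "replace"),
                             "length": len(value),
                             "reasons": reasons,
                             "value": value})
    return findings


def xor_key_candidates(blob: bytes, marker: bytes = b"http://"):
    """Try all 256 single-byte XOR keys and return those under which the
    marker string appears in the decoded data."""
    return [key for key in range(256) if marker in xor_bytes(blob, key)]


def analyse(smil: bytes):
    """Combine both checks: for every suspicious attribute, also report any
    single-byte XOR key that reveals an embedded URL."""
    report = []
    for hit in suspicious_attributes(smil):
        hit["xor_keys"] = xor_key_candidates(hit["value"])
        report.append(hit)
    return report


# --- constructed samples (not the SophosLabs sample) ---
BENIGN_SMIL = (b'<smil><body><text src="caption.txt" '
               b'system-screen-size="1024X768" dur="5s"/></body></smil>')

# Filler bytes stand in for a payload (they are not shellcode); the URL uses
# the reserved placeholder domain example.invalid and is XOR-encoded with a
# constructed key to mimic the obfuscation described in the post.
FILLER = bytes(range(0x80, 0x100)) * 3
HIDDEN_URL = b"http://example.invalid/"
XOR_KEY = 0x37
HOSTILE_SMIL = (b'<smil><body><text system-screen-size="'
                + FILLER + xor_bytes(HIDDEN_URL, XOR_KEY)
                + b'"/></body></smil>')


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SMIL), ("hostile", HOSTILE_SMIL)):
        print(label, [(h["name"], h["length"], h["reasons"],
                       [hex(k) for k in h["xor_keys"]]) for h in analyse(sample)])
```

On the constructed hostile file the report names the system-screen-size attribute with all three reasons and recovers key 0x37, under which the placeholder URL becomes readable; the benign file produces no findings. Brute-forcing the XOR key is feasible only because the key is a single byte, which is exactly what makes this obfuscation "simple".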
It turns out this is an exploit for a relatively old Real Player vulnerability discovered in 2005. The fact that attackers still use it shows that it is still effective, since many users do not regularly update their programs, especially media players such as Real Player. Recently, a similar vulnerability in Real Player's SMIL parser was disclosed by iDefense, so we can expect to see more exploits for Real Player.
Every time we receive a new exploit, we try to reproduce the user environment so we can launch the exploit and see whether our buffer overflow detection technology protects against it. This time I managed to reproduce it successfully, and the exploit was detected by the buffer overflow protection in Sophos Anti-Virus version 7.
Although the exploit is caught by the buffer overflow protection, we also released detection for the SMIL file itself (Troj/DwnLdr-FVB), since it is best to stop it as early as possible, even before Sophos’s runtime protection has to prevent it.
Vanja Svajcer, SophosLabs, UK