rcmaehl

LiNkInPaRK-NuMB.wav - .WAV files found to be used to spread Monero miners


15 hours ago, imreloadin said:

Well to play the song you have to execute it right...

You don't, you could just open it with your audio player of choice... regardless, this is a little misleading - the wav file itself is harmless, it's the loader that actually does the damage.


...is there a question here?

Original Poster (OP):
11 hours ago, Ryan_Vickers said:

The title is a bit misleading.  From what I can tell, this isn't your typical song.mp3.exe trick, it appears to the user as a normal wav but when played can extract and run a hidden included exe.

Yeah. People seem confused. Was trying to make reference to people downloading malware from limewire on accident but it caused more confusion than hilarity.


7 hours ago, WereCatf said:

Incorrect. Playing the WAV-file doesn't cause any code to execute, the WAV-file is just used to hide the most-harmful component in so it's harder for antivirus to detect. You still need to run some separate malicious application, i.e. the loader, that then extracts the harmful component from the WAV-file and executes it. As I said, these WAV-files do literally nothing harmful by themselves.

Yes I understand all that quite well.  I know you don't execute files just to open them like txt or wav etc.  Perhaps I didn't explain myself well, I thought all this would be intuitive from where I left off.

 

Edit: actually I'm not sure we're on exactly the same page after all.  For the second part, as far as I know, you don't need to run a malicious player/loader, this file works by taking advantage of a flaw/vulnerability in existing clean players to deliver the payload*.  Perhaps that is a misunderstanding though and it is in fact how you explained it.  If so this seems like much less of a threat though as I don't know who would execute anything that comes along with music they've downloaded, there's just no need.

 

I noticed you also posted wondering about how people get these loaders in the first place and I agree with that uncertainty, which just leads me back to my initial theory.  It would solve that issue and explain why this is even a threat.  But, it is also strange that they haven't made that clear either if it is what's actually going on.

 

*One such way I'd imagine this working, just for the sake of completeness, is a header file containing intentionally corrupted and unexpected values causes a buffer overrun which changes a pointer, causing some of the wav file's "audio" data (actually hidden code) to be loaded into the program's memory space rather than where it would store ordinary data.  At this point, when the program goes to execute what was there, instead of doing what it thought, it will instead run the payload.  I'm not an expert in this kind of thing by any stretch but I think that's quite possible given the right flaws in the player.  I'd imagine in this case it's something rather more sophisticated if that is the case since attacks like this have been known for a long time, but still, just to give an example.

Edited by Ryan_Vickers
so many edits... haven't had my coffee yet lol

22 hours ago, VegetableStu said:

holy heck i kinda feel the pressure of screwing up the song. i can't imagine how he has to handle concerts during long tours (also he's a smoker if i remember right)

*Ahem*

was.

5 hours ago, VegetableStu said:

holy crap. i have no words to describe this

Wow, he broke that car window with his head. I wonder who decided to replace it with plate glass instead of tempered.

 

I've kind of re-discovered the Reanimation album, which has some really cool stereo field effects, and looked into getting the surround sound version, but since he's passed everyone just thinks they're worth $40-50 for a DVD. Like it was ever going to be re-released anyways.

 

To the topic at hand, I still really don't understand what crypto is or how it works.


1 hour ago, Captain Chaos said:

so ... if you convert it to .flac and then back to .wav, will the mining part still work? 

Would love to get my hands on one of these infected files just to run it through FLAC Frontend and see what happens.

Depending on how they've done it, I can imagine this either working or not.  Based on my comment above, if it works the way I suspect, it will probably not work (and may even fail to convert successfully), but if it works the way werecatf proposed then I see no reason why it wouldn't still be a viable payload since both formats are lossless and therefore you should get out in wav form bit for bit what went into the conversion.

 

With that said, I wouldn't recommend trying this yourself, particularly given how sophisticated it appears to be.  Might be hard to contain or even detect.

 

21 minutes ago, JZStudios said:

To the topic at hand, I still really don't understand what crypto is or how it works.

tbh, that's not really the topic at hand, more of a distant tangent :P  But this video is excellent imo

 


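As an added example (not code from this thread, from BlackBerry Cylance, or from the samples they analysed), the script below does in miniature what WereCatf describes: it hides a payload inside the PCM samples of a WAV and pulls it back out the way a loader would, with the WAV file itself staying a valid, playable, inert audio file. It also answers Captain Chaos's FLAC question experimentally. The specific hiding scheme (least-significant bit of each 16-bit sample, with a length prefix), the `junk` chunk, the carrier waveform and the fake `MZ` payload are all this example's own assumptions; the page does not say how the real samples embedded their payloads.

```python
"""Added example: hide bytes in the low bit of 16-bit PCM samples, pull them
back out the way a loader would, and see what a lossless re-encode keeps.
The LSB scheme, the framing and the 'junk' chunk are this example's
assumptions, not details taken from the report."""
import struct

PE_MAGIC = b"MZ"  # every Windows PE file starts with the DOS "MZ" header


def build_wav(samples, extra_chunks=()):
    """Minimal RIFF/WAVE writer: PCM, mono, 16-bit, 8000 Hz.
    extra_chunks = [(fourcc, payload), ...] are appended after the data
    chunk; a player ignores them, but a loader could read them."""
    data = struct.pack("<%dh" % len(samples), *samples)
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b"WAVEfmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", len(data)) + data
    for fourcc, payload in extra_chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:
            body += b"\0"  # RIFF chunks are word-aligned
    return b"RIFF" + struct.pack("<I", len(body)) + body


def chunks(wav):
    """Walk the chunk list and return {fourcc: payload}. Sizes are checked
    against the real file length instead of being trusted from the header."""
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    found, pos = {}, 12
    while pos + 8 <= len(wav):
        fourcc = wav[pos:pos + 4]
        size = struct.unpack_from("<I", wav, pos + 4)[0]
        if pos + 8 + size > len(wav):
            raise ValueError("chunk %r claims %d bytes past end of file"
                             % (fourcc, size))
        found[fourcc] = wav[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)
    return found


def pcm_samples(wav):
    """Signed 16-bit samples from the data chunk."""
    data = chunks(wav)[b"data"]
    return list(struct.unpack("<%dh" % (len(data) // 2), data))


def hide_lsb(samples, payload):
    """Overwrite the least significant bit of each sample with one payload
    bit. A 4-byte length prefix tells the extractor where to stop."""
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload needs %d samples, carrier has %d"
                         % (len(bits), len(samples)))
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def extract_lsb(samples):
    """Inverse of hide_lsb: read the length prefix, then that many bytes."""
    def read_bytes(start_bit, count):
        buf = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (samples[start_bit + k * 8 + i] & 1)
            buf.append(byte)
        return bytes(buf)
    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)


def lossless_roundtrip(wav):
    """Stand-in for WAV -> FLAC -> WAV: a lossless codec keeps every sample
    bit-exact but rebuilds the container, so extra chunks do not come back."""
    return build_wav(pcm_samples(wav))


def demo():
    """Constructed carrier (a quiet sawtooth) and a constructed payload (the
    MZ magic plus filler, not a real executable)."""
    carrier = [(i % 200) - 100 for i in range(4000)]
    payload = PE_MAGIC + b"\x90" * 60
    wav = build_wav(hide_lsb(carrier, payload),
                    extra_chunks=[(b"junk", payload)])
    rt = lossless_roundtrip(wav)
    return {
        "lsb_survives": extract_lsb(pcm_samples(rt)) == payload,
        "chunk_before": b"junk" in chunks(wav),
        "chunk_after": b"junk" in chunks(rt),
        "looks_like_pe": extract_lsb(pcm_samples(rt))[:2] == PE_MAGIC,
    }


if __name__ == "__main__":
    print(demo())
```

Two things to take from running it. First, nothing here executes the payload: `extract_lsb` is the part that lives in a separate loader binary, and without that binary the WAV is just audio with slightly noisier low bits. Second, on the FLAC question: a payload carried in the sample bits survives a lossless round trip bit for bit, while anything stashed in an extra RIFF chunk is dropped when the container is rebuilt (unless the converter is explicitly told to keep foreign chunks, as flac's `--keep-foreign-metadata` does). Which case applies depends on where a given sample hid its bytes, which the page does not state.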
23 hours ago, jagdtigger said:

AFAIK vinyl is as analog as you can get. There is no way they could store digital data hidden in it.....

It is analog, but you can actually still store digital data in it if you wanted to.  It would be impractical and pointless, but definitely possible.


12 minutes ago, jagdtigger said:

Nope, CD's store the music as digital data.

Digital data as in 1s and 0s. The data is still etched on to the physical CD.



> Running Cleanup.EXE

> Removing off topic

> Cleanup.EXE has finished

> All needless arguments removed

> No mining software installed <insert sinister laugh >


21 minutes ago, NumLock21 said:

Digital data as in 1s and 0s. The data is still etched on to the physical CD.

it's physical but the bumps represent 1s and 0s.  The data is digital, and by extension the format as well, as I'm not aware of any way CDs are even physically capable of holding an analog signal, at least without inventing a new type of burner and player


1 hour ago, Ryan_Vickers said:

For the second part, as far as I know, you don't need to run a malicious player/loader, this file works by taking advantage of a flaw/vulnerability in existing clean players to deliver the payload*.  Perhaps that is a misunderstanding though and it is in fact how you explained it.  If so this seems like much less of a threat though as I don't know who would execute anything that comes along with music they've downloaded, there's just no need.

No disrespect meant, but I take it you're not a programmer, or at least particularly experienced at it? In the original source, there's plenty of explanation on how these hidden payloads get extracted and it's pretty clear to someone with some programming background. Those WAV-files are, indeed, only used as a means of smuggling the actually hazardous payload to the victim, but they still need a loader to extract and execute them. The danger is in the fact that those loaders themselves are simple enough that they don't raise an antivirus's alarms; they look like pretty benign, small tools for handling some multimedia tasks.


30 minutes ago, Ryan_Vickers said:

It is analog, but you can actually still store digital data in it if you wanted to.  It would be impractical and pointless, but definitely possible.

The emphasis was on "hidden". Yes it is possible but it would be audible....

37 minutes ago, WereCatf said:

No disrespect meant, but I take it you're not a programmer, or at least particularly experienced at it? In the original source, there's plenty of explanation on how these hidden payloads get extracted and it's pretty clear to someone with some programming background. Those WAV-files are, indeed, only used as a means of smuggling the actually hazardous payload to the victim, but they still need a loader to extract and execute them. The danger is in the fact that those loaders themselves are simple enough that they don't raise an antivirus's alarms; they look like pretty benign, small tools for handling some multimedia tasks.

To be honest, I didn't even read the original technical source at first and took cues mainly from the quoted text in the OP, namely:

Quote

Cybersecurity firm BlackBerry Cylance released a research report which suggests that hackers have...conceal[ed] malware into a WAV audio file to hide its malicious code and move past conventional detection methods. The cybersecurity company revealed that each of these WAV files contains a loader component

This seems to directly conflict with what you're saying and tbh even what is in the original source.  But after reading the source, I think I have to agree with your original idea of how they work, though imo they did not go out of their way to make clear the higher level operation of the loader (how it gets executed in the first place, where it comes from, etc.).  That was the stuff which was unclear to me. Edit: still missing things... not my day lol I noticed the part about how the loader is run as a command now so that's cleared up.

 

The article seems to focus mainly on the lower level stuff you mentioned ("how these hidden payloads get extracted", that the wav files are "used as a means of smuggling the actually hazardous payload to the victim, but they still need a loader to extract and execute them function.", etc.) and I completely understood all that already.

 

Perhaps the misunderstanding comes from the wording used.  Is "loader" a technical term in the industry with a specific meaning?  If so I can understand how this got going.  That would have tipped you off instantly to how this worked, whereas to me it was unclear if this necessarily had to be a separate program or if it could be a component of the wav that was triggered in the manner I described previously which then went on to load the rest of the embedded malware.  At any rate I have to just admit that I made a lot of assumptions based off of poorly worded quotes and the sensational nature of this all making me think it was something fancier and more dangerous than it is.  I should have just carefully read the original article and the confusion would have all been avoided.  That's on me.  And just to finish off, I do consider myself something of a programmer actually, though not professionally, but no offence taken.  It would be completely reasonable for you to assume I had read the article before posting, and from that to assume that if I was still confused then there was an issue of skills, but nah I was just stupid and didn't read it lol.


7 hours ago, VegetableStu said:

holy crap. i have no words to describe this

lol. It's some very tight music. I would have loved to hear a side project between Morton and Bennington. Bennington's voice is apparently very well suited for metal, and with Morton's experience with Lamb Of God that could have been a crazy band.


19 hours ago, trag1c said:

@AntiTrust I have 24bit 96k flac rips that are like 5 minutes long that are over 100MB each.

 

19 hours ago, Ryan_Vickers said:

Somewhere in the 40s wouldn't be unexpected for an uncompressed format like that, which is not out of the question since FLAC files (losslessly compressed but not by much) are often around the same size.  The code for the malware could easily be well under 1 MB making it unnoticeable against the already large file.

Interesting, I have a bit of experience with FLAC so yeah I would have expected FLACs to be quite large. But .wav I guess I never associated it with being high quality large file sizes. Also I kind of thought it was a dead format

 

thanks for your replies



Come to think of it ... I happen to own Meteora on CD and ripped it to wav.  so I do have that file in my backups.   Oh crap ...

 


 

If they start embedding stuff in songs, that's a whole other level of scary.  I'm already seeing a future where record labels themselves upload albums and songs that ping their servers whenever played.  That way they'd be able to easily identify and extort/sue whoever downloads their music. 

1 hour ago, AntiTrust said:

Interesting, I have a bit of experience with FLAC so yeah I would have expected FLACs to be quite large. But .wav I guess I never associated it with being high quality large file sizes. Also I kind of thought it was a dead format

 

thanks for your replies

Yeah it can be as good or bad as you want.  Certainly you could encode 8 bit samples at 8000 Hz, or 192 kHz at 24 bit or more.  It is kind of a dead format in the sense that no one uses it for normal music storage the way they do with mp3 and flac, due to complete absence of compression as well as (afaik) complete absence of tag support (a pretty big deal breaker), but like FAT32, it's widely compatible and easy to work with so it may be common in some music editing workflows.



This is why I rip my own cds, so that I can inject my own malware before distributing them.


5 hours ago, Ryan_Vickers said:

Is "loader" a technical term in the industry with a specific meaning? 

I've had a look at the quoted ThreatVector article. It's an interesting read although most of it went over my head. According to Techopedia:

Quote
A loader is a major component of an operating system that ensures all necessary programs and libraries are loaded, which is essential during the startup phase of running a program. It places the libraries and programs into the main memory in order to prepare them for execution.

In these attacks they were using 3 different loaders.

  • The first category of loaders employs steganography to extract executable content from a WAV file. 
    • The WAV file loader has version information relating to Microsoft MediaPlayer
  • The second category of loader uses a rand()-based decoding algorithm to hide PE files.
    • This loader has information relating to Host Process for Windows Tasks
    • File path: d:\source\mining\wavdllplayer\x64\release\wavdllplayer.pdb
  • The third category of loader uses a rand()-based decoding algorithm to hide PE files
    • This loader also contained information relating to Host Process for Windows Task.
    • File path: D:\source\mining\wavPayloadPlayer\x64\Release\wavPayloadPlayer.pdb
    • This also contained Metasploit code for a reverse shell to a specific IP address.

So the exploit was running a Monero miner and then set up a reverse connection for Command and Control; otherwise known as a backdoor?

Scary stuff.

 

I hope this helps someone, we're all here to discuss and learn.

 

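The second and third loader categories above are described as using a "rand()-based decoding algorithm to hide PE files". The script below is an added illustration of that class of scheme and of the analyst's response to it; it is not the code of the real samples, whose exact algorithm the page does not give. The choices here are assumptions: the Microsoft C runtime `srand()`/`rand()` generator (picked because the loaders were Windows binaries), XOR with the low byte of each `rand()` output, a typical MSVC-linked DOS header as known plaintext, and the constructed `fake_pe()` payload, which holds no code. The security point it makes is general: whatever the mixing step, a `rand()` keystream is keyed by a single 32-bit seed, so an analyst with a known PE header prefix can recover the seed by search instead of reversing the loader.

```python
"""Added example of a 'rand()-based' payload decoder and how an analyst
recovers its seed. The Microsoft C runtime LCG and the XOR-with-low-byte
scheme are this example's assumptions; the page does not give the real
samples' algorithm."""
import struct

# First 16 bytes of a typical MSVC-linked PE's DOS header (assumed known
# plaintext). The e_lfanew field at offset 60 points to the "PE\0\0" signature.
KNOWN_DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


class MsvcRand:
    """Microsoft CRT srand()/rand(): a 32-bit LCG with 15-bit outputs."""
    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def keystream(seed, n):
    """n bytes: the low byte of each successive rand() value."""
    rng = MsvcRand(seed)
    return bytes(rng.rand() & 0xFF for _ in range(n))


def xor_bytes(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def encode(payload, seed):
    """What the loader undoes at runtime: XOR the PE with a rand() keystream."""
    return xor_bytes(payload, keystream(seed, len(payload)))


decode = encode  # XOR is its own inverse


def recover_seed(blob, known=KNOWN_DOS_HEADER, max_seed=1 << 20):
    """Find the seed whose keystream maps the blob's first bytes onto the
    known plaintext. srand() takes a 32-bit seed, so the full space is 2**32
    tries (minutes in a compiled tool); max_seed bounds this Python demo."""
    target = xor_bytes(blob[:len(known)], known)  # keystream bytes to match
    for seed in range(max_seed):
        rng = MsvcRand(seed)
        if all((rng.rand() & 0xFF) == t for t in target):
            return seed
    return None


def looks_like_pe(data):
    """Cheap PE check: MZ magic and a PE\\0\\0 signature at e_lfanew."""
    if data[:2] != b"MZ" or len(data) < 64:
        return False
    off = struct.unpack_from("<I", data, 60)[0]
    return data[off:off + 4] == b"PE\x00\x00"


def fake_pe():
    """Constructed stand-in for a PE payload: DOS header, e_lfanew, PE
    signature and zero filler; contains no code."""
    dos = bytearray(64)
    dos[:16] = KNOWN_DOS_HEADER
    struct.pack_into("<I", dos, 60, 64)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


def demo(seed=77777):
    """Obfuscate the fake PE, then recover the seed from the blob alone."""
    blob = encode(fake_pe(), seed)
    found = recover_seed(blob)
    return found, looks_like_pe(blob), looks_like_pe(decode(blob, found))


if __name__ == "__main__":
    print(demo())  # (77777, False, True)
```

The obfuscated blob has no `MZ` header and no `PE\0\0` signature, which is exactly what keeps signature-based antivirus from matching it; the recovered seed turns it back into something `looks_like_pe` accepts. In practice you would take `KNOWN_DOS_HEADER` from the loader's own binary or from any MSVC-built executable, and you would run the seed search in C rather than Python if the seed might be anywhere in the 32-bit range.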
On 10/18/2019 at 2:36 PM, VegetableStu said:

so for kicks i did Given Up

You don't do Given Up "for kicks", lol. That is a pretty tough one to sing, lots of tone and pitch changes.

 

On 10/18/2019 at 2:36 PM, VegetableStu said:

holy heck i kinda feel the pressure of screwing up the song.

Yup, I would too.

On 10/19/2019 at 2:28 PM, Ryan_Vickers said:

It is analog, but you can actually still store digital data in it if you wanted to.  It would be impractical and pointless, but definitely possible.

Yep which is what we did sorta with cassette tapes for computers in the 80s - and it is technically how dialup worked since it was just analog audio

 

Actually, thinking about it, I recall reading that in the UK there were sometimes ZX Spectrum games being broadcast on FM radio.

And I seem to remember in a similar vein there was a "Retro Computer Album" in vinyl that had a game encoded in it.

 

Completely impractical, but still kinda cool.


Not that original.  I remember getting a macy gray virus back in 2003 on XP. WAV files are still used in professional audio recording.  There's a joke about the difference between an artist and a content creator hiding in there.....
