
LiNkInPaRK-NuMB.wav - .WAV files found to be used to spread Monero miners

rcmaehl
22 hours ago, VegetableStu said:

holy heck i kinda feel the pressure of screwing up the song. i can't imagine how he has to handle concerts during long tours (also he's a smoker if i remember right)

*Ahem*

was.

5 hours ago, VegetableStu said:

holy crap. i have no words to describe this

Wow, he broke that car window with his head. I wonder who decided to replace it with plate glass instead of tempered.

 

I've kind of re-discovered the Reanimation album, which has some really cool stereo field effects, and looked into getting the surround sound version, but since he's passed everyone just thinks they're worth $40-50 for a DVD. Like it was ever going to be re-released anyways.

 

To the topic at hand, I still really don't understand what crypto is or how it works.


1 hour ago, Captain Chaos said:

so ... if you convert it to .flac and then back to .wav, will the mining part still work? 

Would love to get my hands on one of these infected files just to run it through FLAC Frontend and see what happens.

Depending on how they've done it, I can imagine this either working or not.  Based on my comment above, if it works the way I suspect, it will probably not work (and may even fail to convert successfully), but if it works the way werecatf proposed then I see no reason why it wouldn't still be a viable payload since both formats are lossless and therefore you should get out in wav form bit for bit what went into the conversion.

 

With that said, I wouldn't recommend trying this yourself, particularly given how sophisticated it appears to be.  Might be hard to contain or even detect.

 

21 minutes ago, JZStudios said:

To the topic at hand, I still really don't understand what crypto is or how it works.

tbh, that's not really the topic at hand, more of a distant tangent :P  But this video is excellent imo

 


23 hours ago, jagdtigger said:

AFAIK vinyl is as analog as you can get. There is no way they could store digital data hidden in it.....

It is analog, but you can actually still store digital data in it if you wanted to.  It would be impractical and pointless, but definitely possible.


12 minutes ago, jagdtigger said:

Nope, CDs store the music as digital data.

Digital data as in 1s and 0s. The data is still etched onto the physical CD.


21 minutes ago, NumLock21 said:

Digital data as in 1s and 0s. The data is still etched onto the physical CD.

It's physical, but the bumps represent 1s and 0s. The data is digital, and by extension the format as well, as I'm not aware of any way CDs are even physically capable of holding an analog signal, at least without inventing a new type of burner and player.


1 hour ago, Ryan_Vickers said:

For the second part, as far as I know, you don't need to run a malicious player/loader, this file works by taking advantage of a flaw/vulnerability in existing clean players to deliver the payload*.  Perhaps that is a misunderstanding though and it is in fact how you explained it.  If so this seems like much less of a threat though as I don't know who would execute anything that comes along with music they've downloaded, there's just no need.

No disrespect meant, but I take it you're not a programmer, or at least not particularly experienced at it? In the original source, there's plenty of explanation on how these hidden payloads get extracted and it's pretty clear to someone with some programming background. Those WAV files are, indeed, only used as a means of smuggling the actually hazardous payload to the victim, but they still need a loader to extract and execute them. The danger is in the fact that those loaders themselves are simple enough that they don't raise an antivirus's alarms; they look like pretty benign, small tools for handling some multimedia tasks.


30 minutes ago, Ryan_Vickers said:

It is analog, but you can actually still store digital data in it if you wanted to.  It would be impractical and pointless, but definitely possible.

The emphasis was on "hidden". Yes it is possible but it would be audible....


37 minutes ago, WereCatf said:

No disrespect meant, but I take it you're not a programmer, or at least not particularly experienced at it? In the original source, there's plenty of explanation on how these hidden payloads get extracted and it's pretty clear to someone with some programming background. Those WAV files are, indeed, only used as a means of smuggling the actually hazardous payload to the victim, but they still need a loader to extract and execute them. The danger is in the fact that those loaders themselves are simple enough that they don't raise an antivirus's alarms; they look like pretty benign, small tools for handling some multimedia tasks.

To be honest, I didn't even read the original technical source at first and took cues mainly from the quoted text in the OP, namely:

Quote

Cybersecurity firm BlackBerry Cylance released a research report which suggests that hackers have...conceal[ed] malware into a WAV audio file to hide its malicious code and move past conventional detection methods. The cybersecurity company revealed that each of these WAV files contains a loader component

This seems to directly conflict with what you're saying and tbh even with what is in the original source. But after reading the source, I think I have to agree with your original idea of how they work, though imo they did not go out of their way to make clear the higher level operation of the loader (how it gets executed in the first place, where it comes from, etc.). That was the stuff which was unclear to me. Edit: still missing things... not my day, lol. I noticed the part about how the loader is run as a command now, so that's cleared up.

 

The article seems to focus mainly on the lower level stuff you mentioned ("how these hidden payloads get extracted", that the wav files are "used as a means of smuggling the actually hazardous payload to the victim, but they still need a loader to extract and execute them", etc.) and I completely understood all that already.

 

Perhaps the misunderstanding comes from the wording used. Is "loader" a technical term in the industry with a specific meaning? If so I can understand how this got going. That would have tipped you off instantly to how this worked, whereas to me it was unclear if this necessarily had to be a separate program or if it could be a component of the wav that was triggered in the manner I described previously, which then went on to load the rest of the embedded malware. At any rate I have to just admit that I made a lot of assumptions based off of poorly worded quotes and the sensational nature of this all making me think it was something fancier and more dangerous than it is. I should have just carefully read the original article and the confusion would have all been avoided. That's on me. And just to finish off, I do consider myself something of a programmer actually, though not professionally, but no offence taken. It would be completely reasonable for you to assume I had read the article before posting, and from that to assume that if I was still confused then there was an issue of skills, but nah, I was just stupid and didn't read it lol.


7 hours ago, VegetableStu said:

holy crap. i have no words to describe this

lol. It's some very tight music. I would have loved to hear a side project between Morton and Bennington. Bennington's voice is apparently very well suited for metal, then with Morton's experience with Lamb Of God that could have been a crazy band.


If you willingly & voluntarily download a file with a crooked name like that "LiNkInPaRK-NuMB.wav", let alone pirate it, you deserve something even worse than a miner.


19 hours ago, trag1c said:

@AntiTrust I have 24bit 96k flac rips that are like 5 minutes long that are over 100MB each.

 

19 hours ago, Ryan_Vickers said:

Somewhere in the 40s wouldn't be unexpected for an uncompressed format like that, which is not out of the question since FLAC files (losslessly compressed but not by much) are often around the same size.  The code for the malware could easily be well under 1 MB making it unnoticeable against the already large file.

Interesting, I have a bit of experience with FLAC so yeah I would have expected FLACs to be quite large. But .wav, I guess I never associated it with high quality, large file sizes. Also I kind of thought it was a dead format.

 

Thanks for your replies.


Come to think of it ... I happen to own Meteora on CD and ripped it to wav, so I do have that file in my backups. Oh crap ...


If they start embedding stuff in songs, that's a whole other level of scary.  I'm already seeing a future where record labels themselves upload albums and songs that ping their servers whenever played.  That way they'd be able to easily identify and extort/sue whoever downloads their music. 


1 hour ago, AntiTrust said:

Interesting, I have a bit of experience with FLAC so yeah I would have expected FLACs to be quite large. But .wav, I guess I never associated it with high quality, large file sizes. Also I kind of thought it was a dead format.

 

Thanks for your replies.

Yeah it can be as good or bad as you want.  Certainly you could encode 8 bit samples at 8000 Hz, or 192 kHz at 24 bit or more.  It is kind of a dead format in the sense that no one uses it for normal music storage the way they do with mp3 and flac, due to complete absence of compression as well as (afaik) complete absence of tag support (a pretty big deal breaker), but like FAT32, it's widely compatible and easy to work with so it may be common in some music editing workflows.


This is why I rip my own cds, so that I can inject my own malware before distributing them.


5 hours ago, Ryan_Vickers said:

Is "loader" a technical term in the industry with a specific meaning? 

I've had a look at the quoted ThreatVector article. It's an interesting read although most of it went over my head. According to Techopedia:

Quote
A loader is a major component of an operating system that ensures all necessary programs and libraries are loaded, which is essential during the startup phase of running a program. It places the libraries and programs into the main memory in order to prepare them for execution.

In these attacks they were using 3 different loaders.

  • The first category of loaders employs steganography to extract executable content from a WAV file. 
    • The WAV file loader has version information relating to Microsoft MediaPlayer
  • The second category of loader uses a rand()-based decoding algorithm to hide PE files.
    • This loader has information relating to Host Process for Windows Tasks
    • File path: d:\source\mining\wavdllplayer\x64\release\wavdllplayer.pdb
  • The third category of loader uses a rand()-based decoding algorithm to hide PE files
    • This loader also contained information relating to Host Process for Windows Task.
    • File path: D:\source\mining\wavPayloadPlayer\x64\Release\wavPayloadPlayer.pdb
    • This also contained Metasploit code for a reverse shell to a specific IP address.

So the exploit was running a Monero miner and then set up a reverse connection for Command and Control; otherwise known as a backdoor?

Scary stuff.

 

I hope this helps someone, we're all here to discuss and learn.
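A defender-side triage check for the WAV handling discussed in this thread: the sample-rate/bit-depth point made earlier (8-bit 8000 Hz up to 24-bit 192 kHz) and the loader categories listed above, which pull an executable out of a WAV's audio data. This is an added example, not code from the thread or from the ThreatVector report; the "expected" chunk ids and the heuristics are my assumptions about what a RIFF parser should flag, and the sample files it checks are constructed inline.

```python
import struct

# Constructed sample inputs (not real malware): a clean 8-bit 8000 Hz mono WAV,
# and the same container with PE markers or trailing bytes added for the checks.

def build_wav(samples: bytes, rate: int = 8000, channels: int = 1, bits: int = 8) -> bytes:
    """Assemble a minimal PCM RIFF/WAVE file around the given raw samples."""
    block_align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * block_align, block_align, bits)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", len(samples)) + samples
    body += b"\x00" * (len(samples) & 1)          # chunks are padded to an even length
    return b"RIFF" + struct.pack("<I", len(body)) + body

def parse_chunks(blob: bytes):
    """Walk the RIFF chunk list; return (fmt info, [(id, payload)], bytes after RIFF body)."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    end = min(8 + struct.unpack_from("<I", blob, 4)[0], len(blob))
    pos, chunks, fmt = 12, [], None
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        clen = struct.unpack_from("<I", blob, pos + 4)[0]
        payload = blob[pos + 8:pos + 8 + clen]
        if cid == b"fmt " and len(payload) >= 16:
            tag, ch, rate, _, _, bits = struct.unpack_from("<HHIIHH", payload)
            fmt = {"format": tag, "channels": ch, "rate": rate, "bits": bits}
        chunks.append((cid, payload))
        pos += 8 + clen + (clen & 1)              # skip the pad byte on odd-length chunks
    return fmt, chunks, blob[end:]

# Chunk ids a plain PCM rip normally carries; anything else is worth a look (assumption).
EXPECTED_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact"}

def suspicious_indicators(blob: bytes) -> list:
    """Heuristic triage: reasons a WAV deserves closer inspection (not proof of malice)."""
    fmt, chunks, trailing = parse_chunks(blob)
    reasons = []
    if fmt is None or fmt["format"] != 1:
        reasons.append("missing fmt chunk or non-PCM format tag")
    for cid, payload in chunks:
        if cid not in EXPECTED_CHUNKS:
            reasons.append(f"unexpected chunk {cid!r} ({len(payload)} bytes)")
        if cid == b"data" and (payload[:2] == b"MZ" or b"PE\x00\x00" in payload):
            reasons.append("PE executable markers inside the audio data")
    if trailing:
        reasons.append(f"{len(trailing)} bytes appended after the RIFF body")
    return reasons
```

A payload spread across the low bits of the samples (the first loader category above) will not trip these structural checks, which is exactly why the thread's point stands that the loader, not the audio file, is the component worth detecting.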

 


On 10/18/2019 at 2:36 PM, VegetableStu said:

so for kicks i did Given Up

You don't do Given Up "for kicks", lol. That is a pretty tough one to sing, lots of tone and pitch changes.

 

On 10/18/2019 at 2:36 PM, VegetableStu said:

holy heck i kinda feel the pressure of screwing up the song.

Yup, I would too.


On 10/19/2019 at 2:28 PM, Ryan_Vickers said:

It is analog, but you can actually still store digital data in it if you wanted to.  It would be impractical and pointless, but definitely possible.

Yep, which is sorta what we did with cassette tapes for computers in the 80s - and it is technically how dialup worked, since it was just analog audio.

 

Actually, thinking about it, I recall reading that in the UK there were sometimes ZX Spectrum games being broadcast on FM radio.

And I seem to remember in a similar vein there was a "Retro Computer Album" on vinyl that had a game encoded in it.

 

Completely impractical, but still kinda cool.


Not that original. I remember getting a Macy Gray virus back in 2003 on XP. WAV files are still used in professional audio recording. There's a joke about the difference between an artist and a content creator hiding in there.....


On 10/18/2019 at 4:37 PM, NumLock21 said:

And so are CDs, they're pretty secure too

CDs are in fact digital and they're only as secure as the company that makes them.... looking at you, Sony!
