Researchers at Symantec, a division of Broadcom, found that after gaining access to the target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player.
Brigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player's export functions.
The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity.
...
Several other utilities have been observed in this campaign, including:
RAR archiving tool - helps compress, encrypt, or archive files, likely for exfiltration
System/Network discovery - a way for attackers to learn about the systems or services connected to an infected machine
WMIExec - Microsoft command-line tool that can be used to execute commands on remote computers
NBTScan - an open-source tool that has been observed being used by APT groups for reconnaissance in a compromised network
Nothing has to be corrected but the security of your PC. Because the exploit needs access to the target computer, nothing comes with VLC itself.
That is not the correct analogy. If I sabotage your car, are you going to complain to the car maker, explaining it allows many people to touch it?
Again - it is an incorrect analogy - either it is deliberate or erroneous. Let me assume an error of judgement and try and explain. (If it is deliberate burying of the head in sand, then obviously, all logical points are moot.)
More like if somebody planted a bomb under your wife or husband's car, and you'd blame it on the car manufacturer.
Or you bought a car from a drug dealer instead of a brand store of the car manufacturer, and complained that the car was not what you expected.
While I have a feeling that you are trying hard to avoid responsibility - your car bomb example is incorrect as it actually modifies the car by attaching the bomb to the ignition. Something akin to a patched or modified VLC. And FWIW, the metaphorical car bomb is triggered by the car ignition, so the car is very much involved.
Also the official VLC releases don't pick up DLLs from random places (that bug was fixed almost two decades ago), nor do they come with trojan DLL builtins.
If you have a problem with unofficial portable VLC versions, don't install them. We can't prevent third parties making and installing unofficial portable versions.
How does the loading of modules happen
The first time you load VLC, it will scan the default plugins directories that should contain VLC modules and generate a cache (named the plugins cache) so that the modules can be loaded quickly the next time VLC launches. Modules can be organized into directories (up to 5 layers deep) beneath the plugins directory.
Recent versions of VLC require that the modules follow a specific naming convention or they will not be loaded. Modules must be named in the following format: libmodule_name_plugin.ext where module_name should be the name of your module in lower case, and ext is the system's shared library extension. For example, the http access module is named libaccess_http_plugin.dll on a Windows machine.
When VLC needs a module, it tries to open the module with the highest score that has the required capability and accepts the request.
Currently, a user does not have a mechanism to confirm if a malicious DLL has been introduced into his VLC installation which can potentially be disastrous if the safe looking VLC app is executed.
And you are going to ask VLC to fingerprint the possibly shipped system libraries as well?
Also - `If you thought about it for 10 seconds` : You would guess that maintaining a central database of file hashes/signatures/checksums is as trivial as maintaining the names of known VLC plugins. I mean, SHA2 is not exactly rocket science in this day and age. Installing legitimate third party plugins (which, judging from this very forum, a lot of Windows users actually want) would not be an issue in such a scenario.
Nah, users don't care. They want a "Free as a beer" software, not an "Open source" one.
Finally, of course users have a choice, they may fork VLC or they may choose to go with an app which does not entail the same trust issues of side loading, as well as inability to confirm if a non state actor has compromised the installation.
That was some scope creep - Starting from "No they used a patched VLC" to "They used an unmodified executable but it side loaded malicious DLLs - nothing needs to be fixed" to "it is too difficult to fix" to "go fix it yourself" to "why did you not fix it for the world"!!! Big talk and nothing to show for it.
All your technical arguments were destroyed. Show us the code and the performance metrics, or this is just political support for the Indian government.
If you thought about it 10 seconds, you'd realise that only loading known plugins would simply call for malicious attackers to name their DLL after a known VLC plugin.
One query - just a thought experiment: If you did that, how 'trivial' will it be for third parties to work around that without modifying the VLC app itself (in which case the signatures of the app might change and it might be possible to flag it as compromised)?
> That was some scope creep - Starting from "No they used a patched VLC"
Do you understand English? I wonder because I never said that this was a patched VLC. The original CIA hack that I already mentioned in my very first answer over months ago was already using additional DLLs rather than modified code.
> ...to "it is too difficult to fix"
Nobody wrote that. 3 different people pointed out that it is easy to fix, but that the fix lies in the system, not in the application: write-protected directories (as done on BSD or Linux) or read-only filesystem images (as done on macOS).
> to "go fix it yourself"
That's only fair game when somebody claims to have an easy solution in spite of all evidences.
> Do you understand English? I wonder because I never said that this was a patched VLC.
That was for your metaphorical car modified by linking its ignition to the bomb. I think you find your own analogies quite difficult to follow. Maybe you should not do analogies going forward if your own end up confusing you.
> Nobody wrote that....to "it is too difficult to fix"
Looks like someone did write that, wonder who this was:
> what you ask would require considerable engineering that nobody wants to pay for
What else is difficult to fix in software, if not something that takes considerable engineering and costs a bunch? Time to retake your comprehension tests?
> but that the fix lies in the system, not in the application: write-protected directories
From the very beginning, this has been about state actors surreptitiously placing a malicious DLL in the victim's folder and the victim having no way of knowing something like this has happened, as for all that the user can tell, the VLC app is the same unmodified binary as on the official site. Yet, when this safe-looking app runs, it runs the malware without any information or alert, or as much as a by-your-leave.
> That's only fair game when somebody claims to have an easy solution in spite of all evidences.
Did I not just give you the examples of NSRL databases and manifest files with DLL hash values? Did I also not ask if it would be trivial for third parties to create a workaround for that without modifying the core VLC code? You did not answer any of that, probably for risk of contradicting yourself. Or, if you did not understand what these were, you could have asked and not leave us questioning your comprehension skills. A trivial solution like maintaining a central whitelist of plugin hashes need not be an easy solution - specifically why I gave the example of the Intel fix. It was a huge cost and effort for the company, but they valued their reputation and their users' trust at a level significantly higher than what you and your organisation are displaying.
So, again, show us the code or we'll have to continue to assume that you're wrong.
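The plugin hash manifest argued over in this thread, as an added example that is not code from VLC or from any poster: it walks a plugins tree the way the quoted documentation describes (lib<module_name>_plugin.<ext> naming, at most 5 layers below the plugins directory) and reports files VLC would not load, loadable files no manifest entry vouches for, known plugin names whose bytes changed, and manifest entries with no file. The manifest format, the `audit_plugins` and `demo` names, and the on-disk contents are assumptions constructed for the example; it checks the plugins tree only, not DLLs dropped beside the executable.

```python
import hashlib
import os
import re
import tempfile

PLUGIN_NAME_RE = re.compile(r"^lib[a-z0-9_]+_plugin\.(dll|so|dylib)$")  # lib<module_name>_plugin.<ext>
MAX_DEPTH = 5  # the quoted docs: modules may sit up to 5 directory layers below plugins/

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_plugins(plugins_dir, manifest):
    """Walk the plugins tree the way VLC would and compare it with a hash manifest
    (relative path -> expected SHA-256, a hypothetical format). Returns sorted (finding, path)."""
    findings, seen = [], set()
    base_depth = plugins_dir.rstrip(os.sep).count(os.sep)
    for root, dirs, files in os.walk(plugins_dir):
        if root.count(os.sep) - base_depth >= MAX_DEPTH:
            dirs[:] = []  # VLC stops descending here, so the audit does too
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), plugins_dir)
            seen.add(rel)
            if not PLUGIN_NAME_RE.match(name):
                findings.append(("bad-name", rel))       # VLC would skip it, but why is it there?
            elif rel not in manifest:
                findings.append(("unlisted", rel))       # loadable, yet no manifest entry vouches for it
            elif sha256_of(os.path.join(root, name)) != manifest[rel]:
                findings.append(("hash-mismatch", rel))  # known plugin name, different bytes
    findings += [("missing", rel) for rel in manifest if rel not in seen]
    return sorted(findings)

def demo():
    """Constructed tree: matching plugin, known-named plugin with replaced bytes, stray DLL, absent file."""
    plugins = os.path.join(tempfile.mkdtemp(), "plugins")
    os.makedirs(os.path.join(plugins, "access"))
    on_disk = {  # constructed contents, not real plugin binaries
        os.path.join("access", "libaccess_http_plugin.dll"): b"MZ-constructed-legit",
        "libavcodec_plugin.dll": b"MZ-constructed-replaced-bytes",
        "helper.dll": b"MZ-constructed-stray",
    }
    for rel, data in on_disk.items():
        with open(os.path.join(plugins, rel), "wb") as f:
            f.write(data)
    manifest = {  # constructed manifest: what each listed plugin should hash to
        os.path.join("access", "libaccess_http_plugin.dll"): hashlib.sha256(b"MZ-constructed-legit").hexdigest(),
        "libavcodec_plugin.dll": hashlib.sha256(b"MZ-constructed-original").hexdigest(),
        "libexample_plugin.dll": hashlib.sha256(b"MZ-constructed-absent").hexdigest(),
    }
    return audit_plugins(plugins, manifest)
```

The "hash-mismatch" case is the one raised above: a DLL named after a known plugin passes a name-only check but not a hash comparison.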