Back in April, I wrote a diary about an interesting ASF files that had a script stream included (http://isc.sans.org/diary.html?storyid=4355). The script stream caused Windows Media Player to use Internet Explorer to retrieve content from a URL embedded in the script. As you can probably already guess, the URL lead to a web site serving some malware. Some other AV vendors picked this as well.

I asked if some of our readers know of a utility that would allow us to extract script streams from ASF files. Initially I found that there is a utility from Microsoft, Windows Media File Editor, that allows one to list script commands.

One of our readers, James Dean, did a great job and wrote a small utility that allows you to list embedded script commands from command line, without using any GUI tools. This is great for batch analysis of multiple ASF files. You just need to create a directory, put all ASF files into it and run the tool with the directory name as a parameter. Here's one such example with two malicious ASF files:

D:\Work>findasfcommands.exe test
test\weird.mp3

     There is one type:

     Type Number  Type
     -----------  -------------------------------------
               0  URLANDEXIT

     There is one command:

     Millisecond  Type Number  Command
     -----------  -----------  -------------------------------------
            3000            0  http://www.fastmp3player.com/affiliates/772465/1/

James kindly sent the source file to us and I compiled it for Windows. You can download the ZIP archive here. MD5 of the ZIP archive is c9e5bba11051cfbc98dfa451442a71e8.

With some modifications this can work on Linux as well – if you have time to modify the code let us know and we'll post the code for Linux as well since a lot of researchers use it.

--
Bojan