
Analysis of a multistage attack embedded in a video file


In the 1990s, burglars used to break into houses while the residents were watching interesting television shows. Attacks of this type happened mainly in the physical world, and the cyber world was expected to be free from such crimes. Unfortunately, this is not true. A skilled hacker could compromise a system while the user is viewing an (interesting) video file. Computer users quite often use their machines for viewing (interesting) videos. Such users may be naive users or could even be those who work on mission-critical systems, such as banking, defence, nuclear power plants, space agencies etc. So playing a video file can lead to a high security risk. In this paper, we have analysed video files to detect multistage attacks. We found that some video files contain a malicious link through which an exploit gets downloaded onto the host machine. The contribution of this paper is the discovery of novel attacks that are hidden (by the perpetrator) in innocuous video files with the objective of staging a targeted attack in multiple stages. Finally, we propose a new method for detecting such attacks (carried through video files) using API calls.




Author information


Correspondence to Hiran V. Nath.

Cite this article

Nath, H.V., Mehtre, B.M. Analysis of a multistage attack embedded in a video file. Inf Syst Front 17, 1029–1037 (2015).

  • Multi-stage attacks
  • Malicious video file
  • Drive-by-download attack
  • APTs
  • Targeted attacks
  • Novel attacks