Worm Transcodes MP3s To Infect PCs
snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."
I don't think this is anything new... I've been caught out by it before. There was a site that claimed to provide mp3 downloads, made you install a codec that just redirected all your internet requests to their proxy. I wiped the system after that.
For those of you who think this is just a troll, or are just unfamiliar with ASF:
It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.
The buggy format is not MP3. The MP3 files are perfectly safe.
This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.
Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).
But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.
--
make install -not war
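The thread above boils down to one check a defender can automate: an "MP3" is only safe if the bytes are actually MPEG audio, not an ASF container carrying URLs. The following is an added example, not code from the article or from Kaspersky/Secure Computing; it identifies a file by its leading bytes rather than its extension and pulls out any URL-shaped UTF-16LE strings from an ASF payload. The sample inputs are constructed, the GUID and frame-sync values come from the public ASF and MPEG specs, and the URL regex is a heuristic assumed here rather than a full parse of the ASF Script Command Object.

```python
import re
from pathlib import Path

# ASF_Header_Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C in its on-disk
# little-endian byte order: every ASF/WMA/WMV file starts with these 16 bytes.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
ID3_TAG = b"ID3"
URL_RE = re.compile(r"https?://[^\s\x00\"'<>]+")

def is_asf(data: bytes) -> bool:
    return data.startswith(ASF_HEADER_GUID)

def is_mp3(data: bytes) -> bool:
    """An MP3 starts with an ID3v2 tag or an MPEG frame sync (11 set bits)."""
    if data.startswith(ID3_TAG):
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0

def embedded_urls(data: bytes) -> list:
    """ASF stores metadata and script commands as UTF-16LE; try both byte
    alignments so a string at an odd offset is not missed."""
    found = []
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        found.extend(URL_RE.findall(text))
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def classify(name: str, data: bytes) -> dict:
    """Compare what the extension promises with what the bytes really are.
    A .mp3 that is an ASF container is exactly the disguise the worm uses."""
    ext = Path(name).suffix.lower()
    asf = is_asf(data)
    return {
        "name": name,
        "ext": ext,
        "asf": asf,
        "mp3": is_mp3(data),
        "urls": embedded_urls(data) if asf else [],
        "suspicious": ext == ".mp3" and asf,
    }

# Constructed samples (not real malware): a genuine MP3 start, and an ASF
# header with a UTF-16LE URL in it, saved under a .mp3 name.
REAL_MP3 = ID3_TAG + b"\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 64
FAKE_MP3 = (ASF_HEADER_GUID + b"\x00" * 16
            + "http://codec.example.invalid/get".encode("utf-16-le") + b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in (("song.mp3", REAL_MP3), ("song.mp3", FAKE_MP3)):
        print(classify(name, blob))
```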
Geez, take a pill. The Trojan appears to have a very complex activation, and I asked for clarification and more detail. The article seemed to state that IE, ASF (Windows Media Player), and Windows were required. What if I'm using FF, WMP, and Windows? How about FF, iTunes, and Windows? How about Safari, iTunes, and Windows? Nowhere in my post did I mention Linux, OS X, or Unix.
Well, there's spam egg sausage and spam, that's not got much spam in it.
WMA, WMV and ASF are the very same container format. The only difference is the filename extension.
My other account has a 3-digit UID.
Not really, name the file mymusicfile.mp3.asf, Windows does the rest for you.
I am not so sure it is a MS issue, they are developing "by popular demand". Computer users (yourself included, me too!) have demanded more automation, they want less user interaction, thus MS and everybody else will develop for these wants. I remember when email was just that, data! You had to uuencode/uudecode anything binary, Gopher was the WWW back then, automation has removed that need, but it has also left us all open to attack. If it were not for our need and desires for this automation, we would all still be using MS-DOS or Unix....
I don't agree with your evaluation. As I understand it, the ASF contains a download link for the codec. The player program for the file (most likely Windows Media Player components) initiates the "please download this missing codec" action using the information within the ASF container (link to the trojan/worm).
This is the problem right here: Using corruptible information for a system-sensitive operation. WMP should only initiate such a download from a secure and authenticated source on the internet or use its own pre-defined sources, like windows update.
This is a "good" user-friendliness feature for users who don't like to be put in front of a simple "missing codec" cryptic error. But so many user-friendliness features tend to lead, if badly implemented, to major vulnerabilities through common user-behavior attacks.
It's all "data". The problem is how this data is handled by the system components. More important is how unverified (and unverifiable, and potentially corrupted) data can be used for system-sensitive operations. Worse, how this can be done while fooling the user into thinking it's a normal and appropriate measure. This is a FAIL in user psychology and end user system design.
ASF is the container, WMA is the codec.
WMA can be used to refer to the container, but it's actually an ASF container with a WMA track inside.
That's confusing, and basically the file extension refers to the codec, not the container. The WMA or WMV files you download are actually ASF files. It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Technically WMA and WMV are a family of codecs and they use the ASF container format for metadata and DRM.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Open webpage to display cover art, link to the band's tour page, etc. The problem is that it uses IE to open the page no matter what you have your default browser set to, and we all know how secure IE is. It can also have an embedded link to a download for a new codec; if you don't have the codec then it will ask you if you want to install it. In this case the codec is a trojan.
yes you did... here right in the first line of your OP
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
They hid file extensions by default in Windows 2000 as well, which is one of the things I would always turn off as ritual when building out a new machine. I always felt there should be an OS install or user account setup option of "User is not an idiot".
Momentarily, the need for the construction of new light will no longer exist.
Task manager... if you can kill the viral process... (maybe take a look at the Sysinternals suite; particularly I'm thinking AutoRuns, Process Explorer and RootkitRevealer might be useful. I haven't actually had to use them yet.)
Also Regedit... you might be able to remove the viral startup entries... but after you've killed the process, or it might just add itself back.
After you've killed the process and removed its startup entries, rebooting might get you a clean environment and you can hopefully delete the infected files. It worked for me when I got infected from a P2P virus (dumbassed thing to do, I know...)
Anyway, hope you don't have to format, that would suck. Maybe my tricks weren't already up your sleeve. If they help, great. If those fail, I'd probably have to fall back to something drastic like booting from a safe disk and running antivirus, or taking out the hard disk and virus scanning it... that's a hassle, though, and I'd be worried about breaking the OS.
It's ludicrous to think that, should copyright disappear, the music industry would immediately collapse. The most likely thing that would happen is that instead of signing new artists, they would just cruise the bars of Nashville or Austin, look for new songs, and get a cover band to play it before sending it to all the radio stations. Of course, since record companies have access to better facilities and have a lot more money they can devote to marketing, there is no way an unknown artist would be able to compete against them, internet or not.
If there truly was no need for a music industry, it wouldn't exist in the first place. I'm afraid that, like so many on Slashdot, you're suffering from the delusion that everyone behaves in exactly the same way as you do. You might enjoy browsing a website in search for a new sound that you like, but most people don't. What they want is quality music available anytime they want. They want to be able to turn on the radio and hear good music, not spend an hour separating the wheat from the chaff.
Right now, artists can already operate along the guidelines you suggest. Nobody is forcing them to sign with a major, they can release their songs on the internet and make money playing concerts.
I launched up a VPC session with XP and WMP 9 installed, and verified the same behavior:
Warning that the extension doesn't match the content
Script command execution off by default.
Since WMP 9 is installed with XP SP 2, this suggests that SP 2-3 and Vista should be unaffected in stock state.
My video compression blog
Yes, same file format. It was originally called just .asf, but changed by default in the late 90's, IIRC, to different extensions for video and audio.
This enabled different icons for video and audio files, and easily filter between them so you didn't accidentally try to sync video to an audio-only player.
This is pretty standard practice. .m4a, for example, is a MPEG-4 file with just audio. .f4v is a MPEG-4 file known to be compatible with Flash.
I hate to say "I told you so" but... Ok, I don't hate telling you that, but I hate that I was right. Damn it, I'm not a security professional, why could I see this coming but the professionals couldn't?
I've been warning people about using WMA files and Windows Media Player for years, the first I said of it was back when I had my old Quake site, the Springfield Fragfest. A security researcher who played Quake II saw the post, realised that I was right, and we had a rather scary email conversation. I've been preaching about it ever since.
The first time I listened to a WMA file and my browser opened I knew this was coming.
The wrapper isn't even necessary! If you use Windows Media player (WiMP) an MP3 or OGG file can infect you. Here's how.
Say you have a DRMed music file named VIRUS.WMA. You take your DRMed WMA file and have the "drm key" or whatever you call it send the victim to your malicious web site. You simply rename the file to "Outkast_Tribute.MP3" (or other popular tune) and put it in your "share" folder. For bonus points have the file be a recording of you saying "you've been pwned, n00b!" (or better, Madonna saying "WTF are you doing?") with the same length as the Outkast song.
People running any other player except WiMP that I tested (and let's hope that Winamp et al haven't "upgraded" the players to allow this infection) will not be vulnerable; I tested several different players (this was several years ago, Winamp was one) and none would open the file renamed like that except WiMP. You get an error message saying it is an unknown format.
WiMP will recognise the renamed file, however, and happily run the trojan. Note to Microsoft developers: PLEASE FIX THIS HORRIBLE DESIGN FLAW. Users: DON'T USE WINDOWS MEDIA PLAYER! There are dozens out there.
Mac and Linux users aren't immune to wrapped WMA files unless DRMed files or WMA files won't play. Getting your files legally won't protect you, either, as Sony's rootkit proved. However, you CAN protect yourself.
One way is to put on your tinfoil hat and never play a music file you didn't rip yourself. A better way is, when you get a new music file, simply disable networking temporarily by unplugging the ethernet or shutting off your router, and play the file. If your browser doesn't start, the file is clean. If it starts, delete the file, empty the trash and thank yourself for remembering to do it.
DRM is what allows this exploit to work! This is one more example of why DRM itself is pure evil. All DRM does is inconvenience your honest customers without hampering commercial copyright infringers at all, and gives your customers another way to get infected.
If your company in any way, shape, or form has anything to do with DRM, it's evil. If you personally develop DRM, you know damned well DRM won't work and you are a thief who is conning the stupid evil companies who buy your evil garbage.
Sorry for the rant but I hate seeing evil disguised as good. DRM is evil pure and simple. PLEASE STOP USING DRM!
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
The bands still make far more money from touring than albums sold. To quote Maynard Keenan from Tool:
Seen here.
I included that last bit for the sake of honesty. But the fact is they, and other big bands make more from touring than albums. I believe he also once said that they could simply tour and not do albums at all, and get along fine. But I couldn't find that quote.
Question everything
That's not how it works. When you go to a concert, a promoter has paid for the venue. The promoter basically pays all of the expenses for the venue and promotion and what not, then contracts with the artist to appear at the concert that they've set up.
The artist more often than not will get a fixed fee for this performance with the promoter then pocketing all of the money they've collected from ticket sales minus the expenses of paying the venue, paying the artist the fixed fee, paying the promotional costs, etc.
Another common arrangement is where the artist and promoter negotiate a percentage of ticket sales backed up by a fixed guarantee for the artist in case ticket sales aren't all that. But, for a lot of smaller artists, it's way more common for them to be appearing in that rock club for $1000 and that case of beer left in the dressing room.
That's why if you really want to support the artist, you'll buy a shirt or CD or some other merchandise at the concert. That money's usually all theirs, and is the sweetest plum.