Slashdot Mirror


Worm Transcodes MP3s To Infect PCs

snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."


  1. Nothing New... by mariofreak · · Score: 4, Informative

    I don't think this is anything new... I've been caught out by it before. There was a site that claimed to provide mp3 downloads, made you install a codec that just redirected all your internet requests to their proxy. I wiped the system after that.

    1. Re:Nothing New... by omeomi · · Score: 4, Informative

      It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

      That's actually not true. It's less of an issue with audio file formats, but video file formats can contain video compressed with any number of codecs, and you need the correct codec to play them. For instance, if I can play raw .avi files, but don't have the DivX codec, I can't play DivX encoded .avi files at all. I need the DivX codec.

      Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE,

      You are correct that many malware websites use fake codecs to install their malware, but it's just not true that any codec will work for any given file format. Just because you can open the file doesn't mean you have the right codec to view the content. It has nothing to do with the "fastest" or "best" codec. If you don't have the right codec, the video won't play back at all.

  2. Re:Nice by pxc · · Score: 5, Informative

    For those of you who think this is just a troll, or are just unfamiliar with ASF:

    Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

    If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

    It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.

  3. They're ASF, Not MP3, Files by Doc+Ruby · · Score: 5, Informative

    The buggy format is not MP3. The MP3 files are perfectly safe.

    This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.

    Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).

    But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.

    --
    make install -not war
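
The mismatch described in the post above (ASF content behind an .mp3 name) can be checked from the file's leading bytes. This is an added example, not part of the thread or of any commenter's post; the GUID values come from the ASF specification, and the function names and finding labels are made up for illustration.

```python
import struct
import sys
import uuid
from pathlib import Path

# GUIDs as published in the ASF specification; stored on disk in mixed-endian form.
ASF_HEADER = uuid.UUID("75b22630-668e-11cf-a6d9-00aa0062ce6c").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1efb1a30-0b62-11d0-a39b-00a0c90348f6").bytes_le

def sniff(data):
    """Classify a file by its leading bytes, ignoring its name."""
    if data[:16] == ASF_HEADER:
        return "asf"
    # ID3v2 tag, or an MPEG audio frame sync (11 set bits)
    if data[:3] == b"ID3" or (len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0):
        return "mp3"
    return "unknown"

def asf_header_objects(data):
    """Yield the GUID of each object nested in the ASF Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return
    size, count = struct.unpack_from("<QI", data, 16)
    end, pos = min(size, len(data)), 30  # 30 = GUID + size + count + 2 reserved
    for _ in range(count):
        if pos + 24 > end:
            break  # truncated or lying header: stop rather than read past it
        (obj_size,) = struct.unpack_from("<Q", data, pos + 16)
        if obj_size < 24:
            break  # malformed: an object cannot be smaller than its own header
        yield data[pos:pos + 16]
        pos += obj_size

def check_file(name, data):
    """Return triage findings for one file (name plus its first bytes)."""
    kind, findings = sniff(data), []
    if Path(name).suffix.lower() == ".mp3" and kind == "asf":
        findings.append("asf-content-in-mp3-name")
    # Script commands can be legitimate (captions, URLs), so this is a flag, not a verdict.
    if kind == "asf" and ASF_SCRIPT_COMMAND in asf_header_objects(data):
        findings.append("script-command-object")
    return findings

if __name__ == "__main__":
    for p in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                hits = check_file(p.name, fh.read(1 << 20))
            if hits:
                print(p, ",".join(hits))
```

Run it with a music directory as the only argument; it prints each flagged path with its findings.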

  4. Re:Microsoft only threat? by UnknowingFool · · Score: 4, Informative

    Geez, take a pill. The Trojan appears to have a very complex activation, and I asked for clarification and more detail. The article seemed to state that IE, ASF (Windows Media Player), and Windows were required. What if I'm using FF, WMP, and Windows? How about FF, iTunes, and Windows? How about Safari, iTunes, and Windows? Nowhere in my post did I mention Linux, OS X, or Unix.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.

  5. Re:wow, that's evil by Per+Wigren · · Score: 3, Informative

    WMA, WMV and ASF are the very same container format. The only difference is the filename extension.

    --
    My other account has a 3-digit UID.

  6. Re:wow, that's evil by clone53421 · · Score: 5, Informative

    ASF is the container, WMA is the codec.

    WMA can be used to refer to the container, but it's actually an ASF container with a WMA track inside.

    That's confusing, and basically the file extension refers to the codec, not the container. The WMA or WMV files you download are actually ASF files. It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

  7. Re:hidden extensions by QRDeNameland · · Score: 4, Informative

    They hid file extensions by default in Windows 2000 as well, which is one of the things I would always turn off as ritual when building out a new machine. I always felt there should be an OS install or user account setup option of "User is not an idiot".

    --
    Momentarily, the need for the construction of new light will no longer exist.