Slashdot Mirror
Worm Transcodes MP3s To Infect PCs
snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."
Way to go Microsoft!
Is there anything these morons can't fuck up?
Maybe it's the RIAA that wants us to get rid of all our MP3:s downloaded from various sources?
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Microsoft has a SERIOUS design pathology. They too often confused "data" with "program." Every G.D. thing in Windows can, in some way, initiate an action. This is a problem.
A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.
Don't enable any audio program you use to automatically download codecs. Use third-party trusted codec packs, or better yet, use VLC! As for Joe Schmo internet user, he is just fsked anyway, and probably already has more trojans on his PC than I've ever had on my... um.... usb dongle?
"It's ok, I'm completely secure as long as my iron is off"
You should turn in your geek card for falling for that one! Any site you don't 100% trust that asks you to install a codec for a file format you can play already screams 'malware' in a loud shrill voice.
This is why you separate the executable code from the data.
I want to delete my account but Slashdot doesn't allow it.
My question is how the hell that works? Why is it even possible to do that!?
Data comes in, gets split into an audio stream and a video stream. You look at the magical tags and figure out which decoder to fire up. Feed compressed data into the decoder, get decompressed data out. Pass the video data to the display pipeline, and the audio data to the audio pipeline.
There should be no way to execute anything from those pipelines.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Next up ... how DRM protects you from virus laden mp3s
...apart from the ActiveX and the email program which auto-runs attachements and the music files which can launch the browser and the RPC daemon which can't be firewalled and the universal plug and play daemon which allows "drivers" to travel around networks and....
Defective by design.
No sig today...
Yes, I too remember the days when there was little if any monetary gain to be had from writing a virus or hacking in general.
But those days are gone, there is money to be made... now that it pays to hack, the onslaught will only get worse.
I hate how Windows has hidden file extensions in every version since XP. It's supposed to make the machine more Mac-like and friendlier, but it is a serious security concern.
I try to turn it off on every machine that I'm asked to setup or fix, but occasionally I get someone who deletes the "unfamiliar" file extensions from their files and ends up not being able to open them.
Does it make you happy you're so strange?
>Just run your antivirus over your downloads before playing.
Do you really believe this would be effective?
Wouldn't it be more important to run your antivirus on your codecs before installing?
I'll see your senator, and I'll raise you two judges.
Or you could, y'know, stop being a thieving scumbag and support music by buying from the artists.
How do you buy music from artists that are represented by the RIAA? Seems to me that most of the money you spend when buying most of the music the RIAA cares about isn't going to the artist in the first place.
ChuckSchwab here. Okay, good questions, and I've got some good answers. I have to post anon, and won't be able to respond much beyond this post (because some jerks set me to Terrible karma) so I'll try to give the most complete answer I can. Here goes:
You're equating "marketing" with "all the negative connotations I associate with the term 'marketing'". By "marketing" I simply mean being able to present a case to the average person -- THAT HE SEES -- why he should switch, and how he should do it.
Here, corporate financial interest is an issue. It's like this:
Reaching the layman takes MONEY. But if you spend that money and create a complete, self-contained, easy-as-pie package ... so can someone else. They will COPY. They will take your work and undercut you. In the store, they will see "Hey ultra-cool linux conversion kit, which you have been persuaded of the merit of, only $49.99" (actually, $50 because they're ethical). And also, "Hey, exact same thing, that you were convinced of, only $9.99 because we copied those other guys."
And so we see, copyright is criticial to generating the funds necessary to get folks to come over. And those very folks are valuable TO YOU. More Linux folks = more justification to write software for Linux.
This is where I dispute your claim that Linux is useful TO YOU. Where is your Linux photoshop equivalent? Your games?
Yeah, you got the programs that someone got around to. But for other stuff, the newest stuff, the folks with the CASH to hire people WITH A GODDAMN CLUE about interface design, ain't gonna write for Linux -- no people there.
Now, maybe I'm wrong. Maybe every conceivable thing you will ever want to do, you can do right now (or at least have the software to on Linux). But then look at the broader perspective: what about average people, who can't do the stuff, the hacks, the kludges, the troubleshooting, that you find so easy? That you don't even *notice* as being hard to others? Why would *they* switch?
I tried to switch to Linux myself. I'm pretty technically inclined (ignore my troll posts). I ran into inexcusable problems. Not just any problems -- problems that could have been avoided early on with a teensy pinch of care to making it accessible for the masses.
Marketing, in other words.
The Linux community *could* take over the home desktop market. But they refuse. They refuse to recognize the value of each additional person, and get on their knees for anyone who wants to join on. They refuse to write idiot-proof conversion packages and pay to get the knowledge of their existence into people's minds. Because, fundamentally, they don't *want* people to join. It's *their* system. (I can even see in your tone how you'd hate for myspace kiddies to be using Linux, even if it didn't involve that evil corporate marketing.)
All I ask is that you stop being schizophrenic. Either:
-Accept that Linux is 1337, and accept the low marketshare and developer interest.
-TRY to get people to join, and ponder why no one does.
Don't do these half-assed efforts while confounded as to why people aren't joining.
Hope that answers your question. :-)
Not to mention that it was Microsoft's brilliant idea to embed non-audio functionality into an audio file format to begin with. "Hey, let's make it so this audio file can automatically initiate a connection to the Internet! Yeah! That'll be cool!"
That's probably even dumber than putting VBscript in Word documents or Javascript in PDFs.
You would rarely find this kind of stupidity in the open source world because most open source software is driven by sensible engineering and functionality considerations, not by a marketing mentality of adding ever more flashy "features" (i.e. bloated anti-features).
Dear Micosoft (and Adobe): Integration of extraneous functionality is at the root of a lot of your complexity and security problems. Keep separate things separate. Keep it simple.
Wouldn't it be more important to run your antivirus on your codecs before installing?
Even better idea, Install VLC and CCCP and if it wont play with either of those then you probably don't want to watch it anyways.
I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
Where did concerts come into this?
GGGP wrote "support music by buying from the artists" which then led to a comparison of alternate methods of supporting the artists, ergo concerts. A legitimate (OT) point, and not a straw man. However, between the venues, concert promoters and TicketBastard, the concert business is ripping off artist almost as badly as the recording labels.
When voting with your dollars, deciding where *not* to spend is every bit as important as where to spend. There is no substitute for doing your homework.
I am not your blowing wind, I am the lightning.
To user mplayer to play your files.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
(Blah, blah blah blah, blah) codec (blah blah, blah. Blah.)
[Allow] or [Cancel]
Have gnu, will travel.