Slashdot Mirror


Worm Transcodes MP3s To Infect PCs

snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."

9 of 385 comments

  1. Re:Richard Stallman Says... by Z00L00K · · Score: 4, Interesting
    The basic format wouldn't make any difference. The problem is with formats that are incorporating extra features and functionality. If it's MP3 or OGG that's encapsulated is really not an issue.

    We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers into zombies.

    How to remember the good old days when we could get the "Your computer is now stoned" or an East German ambulance with sound passing over the screen. Pretty annoying but relatively harmless.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. What player? by Blice · · Score: 5, Interesting

    TFA doesn't say what media player is vulnerable to this...

    I have a feeling this exploit doesn't work in VLC.

    A few days ago I played a movie in VLC on a Windows machine and half way through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.

    So it wasn't able to do those things, but I can't help shake the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc.

    Disclaimer: I'm not associated with VLC, although I do really like it.

  3. Re:Nice by UnknowingFool · · Score: 3, Interesting

    That explains a lot. A few years ago before youtube was popular, a friend linked a website with a funny clip and as soon as the clip opened, it launched IE. Now I had my firewall set to prompt on IE so nothing happened unless I allowed it. I wondered how it was able to do that. Maybe I'm too set in my old school thinking but I think a media file should not have arbitrary content. Or at least limit what could be used.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  4. Re:Nice by hairyfeet · · Score: 3, Interesting

    This may be a new variation, but believe me, this is a VERY old problem. I have worked in PC repair more years than I can count and I don't know how many times I have gone into a clueless user's "MP3" folder to back up before a wipe only to find after turning on "show file extensions" MP3.EXE, MP3.ASF, MP3.WMA, etc. If someone downloads strictly by name and opens anything they get without doing any kind of virus checks they ARE going to get bit. What we need is the guy from the actors studio in the Geico commercials to go "Stupid users behaving stupidly.....Brilliant!". But as always this is my 02c, YMMV. Oh, and the worst infected were always either on Kazaa, Limewire, or Bearshare. Don't know why, but those three always attracted the really clueless.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  5. Re:They're ASF, Not MP3, Files by qoncept · · Score: 4, Interesting
    The original post seems to be pretty carefully worded so as to not imply that mp3s are the problem. Where is anyone blaming mp3s?

    I had to reread because after a once through it seemed there was no risk to me, as I don't download wma/asf. Then I realized it said the extension remains the same. Which makes sense -- I know Windows Media Player will open any supported media type by reading the headers, and double clicking on a file with a media extension will open WMP. So there's your problem -- WMP, not Windows.

    Then I also remembered that I'm not using Windows anymore, so I'm safe after all.

    --
    Whale
  6. Re:wow, that's evil by clone53421 · · Score: 3, Interesting

    If the OP goes to a concert, the artist doesn't get "/no/" money. Assuming the OP has a limited budget, which would benefit the artist more, buying 5 cds or going to their concert?

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  7. Re:hidden extensions by thePowerOfGrayskull · · Score: 4, Interesting

    If the file handling were based on its actual content instead of a friggin file extension, then this would be a much less serious problem. What bugs me is that after years of infections that can be directly tied to this 'feature', they still haven't changed it.

  8. Details on actual Windows Media behavior by benwaggoner · · Score: 4, Interesting

    The original article is rather overblown by the real-world behavior here. I just whipped out a WMA file with a URL marker, renamed it to .mp3, and tried it to see what would happen.

    With Windows Media Player 11 installed (out as an optional update for two years for XP, and default in Vista):

    Trying to open up an ASF file with a .mp3 extension prompts a dialog reading:

    "The file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior."

    So, if a user opened one of these files, they'd have an immediate warning something was up.

    However, if they play the file, nothing will happen if the player is in the stock state. Script commands don't run unless the user has gone into Tools > Options > Security and checked the "Run script commands if present" (which is off by default).

    And if a user somehow got one of these modified files AND has ignored the first dialog AND changed the default security option, all they're going to get is a new web page opening up in the default browser, which would then be subject to other security on the machine.

    So, current Windows installs appear to be secure by default against this exploit.
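
The content-versus-extension check raised in comments 7 and 8, as an added example that is not part of the thread or of any player's code: it classifies a file by its leading bytes, flags a `.mp3` name on ASF content, and reports whether the ASF header carries a Script Command Object. The function names are illustrative, the GUIDs are taken from the ASF specification, and the sample byte strings are constructed.

```python
import struct
import uuid
from pathlib import PurePath

# Added example; names are illustrative. Object GUIDs per the ASF specification.
ASF_HEADER = uuid.UUID("75b22630-668e-11cf-a6d9-00aa0062ce6c")
ASF_SCRIPT_COMMAND = uuid.UUID("1efb1a30-0b62-11d0-a39b-00a0c90348f6")

def sniff(data: bytes) -> str:
    """Classify by leading bytes, ignoring the file name."""
    if data[:16] == ASF_HEADER.bytes_le:
        return "asf"
    if data[:3] == b"ID3":                      # ID3v2 tag before the audio
        return "mp3"
    if len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0:
        return "mp3"                            # MPEG audio frame sync (heuristic)
    return "unknown"

def header_objects(data: bytes) -> list:
    """List the GUIDs of the objects inside the ASF Header Object."""
    if sniff(data) != "asf" or len(data) < 30:
        return []
    size, count = struct.unpack_from("<QI", data, 16)
    end, pos, found = min(size, len(data)), 30, []
    while len(found) < count and pos + 24 <= end:
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (obj_size,) = struct.unpack_from("<Q", data, pos + 16)
        if obj_size < 24:                       # malformed size: stop walking
            break
        found.append(guid)
        pos += obj_size
    return found

def audit(name: str, data: bytes) -> list:
    """Return findings for one file: type mismatch, script commands."""
    findings, kind = [], sniff(data)
    ext = PurePath(name).suffix.lower()
    if ext == ".mp3" and kind != "mp3":
        findings.append(f"extension {ext} but content is {kind}")
    if ASF_SCRIPT_COMMAND in header_objects(data):
        findings.append("ASF Script Command Object present")
    return findings

# Constructed samples: a bare ASF header holding one empty script object,
# and the first bytes of an ID3-tagged MP3.
_subs = ASF_SCRIPT_COMMAND.bytes_le + struct.pack("<Q", 24)
FAKE_MP3 = (ASF_HEADER.bytes_le + struct.pack("<QI", 30 + len(_subs), 1)
            + b"\x01\x02" + _subs)
REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00"
```

Only the top-level header objects are walked, which is enough to separate the two constructed samples; a scanner for a real music folder would read just the first few kilobytes of each file and pass them to `audit`.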

  9. Re:wow, that's evil by clone53421 · · Score: 3, Interesting

    Also, beware of any MPEG, AVI, or MP3 that is under a meg. And don't be stupid enough to download .zip, .rar, .exe, .scr, .wmv, .wma, .asv, or .asf files off of P2P networks.

    Fairly good advice, but I'd modify it slightly...

    First, use VLC; if you drag-drop a file into VLC you'll remain pretty safe even if the file is malicious. MPEG/AVI/MP3 files that are under a meg are still likely adverts, but they can't hurt you if you open them with VLC. WMV, WMA, and ASF are also likely adverts, but they can't launch their slew of popup windows if you open them with VLC. Also, VLC won't do anything bad if you drop "awsums0ng.mp3.exe" into it, it'll just say it can't play that. Double-clicking on that file would have been bad.

    As you know, running EXE, COM, SCR, or JS/VBS (Limewire blocks VBS files by default I think) that you download from P2P is dumb. I haven't seen HTA files on P2P, but they're executable so if you happen across one, don't risk those either. In short, Just Don't. (If you have a really kickin' antivirus, you might risk an unverified executable after it's passed the scan, but you're still playing with fire.)

    ZIP/RAR files aren't dangerous themselves, it's the files that may be inside them. If you don't know what that meant, just avoid them altogether. What is inside them should be treated the same as anything else you download: see the previous 2 paragraphs.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.