Slashdot Mirror
Worm Transcodes MP3s To Infect PCs
snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."
We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers to zombies.
How to remember the good old days when we could get the "Your computer is now stoned" or an east german ambulance with sound passing over the screen. Pretty annoying but relatively harmless.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
TFA doesn't say what media player is vulnerable to this...
I have a feeling this exploit doesn't work in VLC.
A few days ago I played a movie in VLC on a Windows machine and half way through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.
So it wasn't able to do those things, but I can't help shake the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc..
Disclaimer: I'm not associated with VLC, although I do really like it.
I had to reread because after a once through it seemed there was no risk to me, as I don't download wma/asf. Then I realized it said the extension remains the same. Which makes sense -- I know Windows Media Player will open any supported media type by reading the headers, and double clicking on a file with a media extension will open WMP. So there's your problem -- WMP, not Windows.
Then I also remembered that I'm not using Windows anymore, so I'm safe after all.
Whale
If the file handling were based on its actual content instead of a friggin file extension, then this would be a much less serious problem. What bugs me is that after years of infections that can be directly tied to this 'feature', they still haven't changed it.
The original article is rather overblown by the real-world behavior here. I just whipped out a WMA file with a URL marker, renamed it to .mp3, and tried it to see what would happen.
With Windows Media Player 11 installed (out as an optional update for two years for XP, and default in Vista):
Trying to open up an ASF file with a .mp3 extension prompts a dialog reading:
"The file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior."
So, if a user opened one of these files, they'd have an immediate warning something was up.
However, if they play the file, nothing will happen if the player is in the stock state. Script commands don't run unless the user has gone into Tools > Options > Security and checked the "Run script commands if present" (which is off by default).
And if a user somehow got one of these modified files AND has ignored the first dialog AND changed the default security option, all they're going to get is a new web page opening up in the default browser, which would then be subject to other security on the machine.
So, current Windows installs appaer to be secure by default against this exploit.
My video compression blog