Slashdot Mirror


Worm Transcodes MP3s To Infect PCs

snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."

80 of 385 comments

  1. wow, that's evil by brunascle · · Score: 5, Funny

    > It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

    Wow, that's evil, even for malware authors.

    1. Re:wow, that's evil by Z00L00K · · Score: 4, Insightful

      Maybe it's the RIAA that wants us to get rid of all our MP3s downloaded from various sources?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:wow, that's evil by morgan_greywolf · · Score: 5, Funny

      > Wow, that's evil, even for malware authors.

      That's nothing. I heard the next version will automatically go out the Web, sign up for an e-Trade account, and then proceed to buy stocks like GOOG, AAPL, RHAT, etc., and automatically sell them short.

    3. Re:wow, that's evil by oahazmatt · · Score: 5, Funny

      > It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

      > Wow, that's evil, even for malware authors.

      That's nothing. You should see the fix. Your anti-virus program will update its definitions, and if it identifies any of these files prior to download, it makes them appear in a Real Audio format so you're never tempted to download them to begin with.

      --
      Those who believe the Internet is private,
      find their privates are on the Internet.
    4. Re:wow, that's evil by hyperz69 · · Score: 5, Funny

      No, Evil is if it transcodes them to Real Media. Though I don't even think Satan himself could do that to anyone!

    5. Re:wow, that's evil by Per+Wigren · · Score: 3, Informative

      WMA, WMV and ASF are the very same container format. The only difference is the filename extension.

      --
      My other account has a 3-digit UID.
    6. Re:wow, that's evil by flyneye · · Score: 3, Funny

      I want the RIAA to be DEEPLY investigated, prosecuted with a fair trial and a decent hangin'.
      The music industry is terminal. It's lashing out in its dying breath.
      Just run your antivirus over your downloads before playing.
      Let's just go ahead and keep killing the industry so musicians can have a level playing field and we can do away with the corruption and misdirection to mediocre talent it provides.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    7. Re:wow, that's evil by DickBreath · · Score: 2, Insightful

      > Just run your antivirus over your downloads before playing.

      Do you really believe this would be effective?

      Wouldn't it be more important to run your antivirus on your codecs before installing?

      --
      I'll see your senator, and I'll raise you two judges.
    8. Re:wow, that's evil by clone53421 · · Score: 5, Informative

      ASF is the container, WMA is the codec.

      WMA can be used to refer to the container, but it's actually an ASF container with a WMA track inside.

      That's confusing, and basically the file extension refers to the codec, not the container. The WMA or WMV files you download are actually ASF files. It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    9. Re:wow, that's evil by razorh · · Score: 3, Insightful

      Or you could, y'know, stop being a thieving scumbag and support music by buying from the artists.

      How do you buy music from artists that are represented by the RIAA? Seems to me that most of the money you spend when buying most of the music the RIAA cares about isn't going to the artist in the first place.

    10. Re:wow, that's evil by afidel · · Score: 2, Informative

      Technically WMA and WMV are a family of codecs and they use the ASF container format for metadata and DRM.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    11. Re:wow, that's evil by sempernoctis · · Score: 2, Funny

      Worms I can deal with. Defiling my MP3 collection with WMA/ASF? That's harsh.

    12. Re:wow, that's evil by clone53421 · · Score: 3, Interesting

      If the OP goes to a concert, the artist doesn't get *no* money. Assuming the OP has a limited budget, which would benefit the artist more, buying 5 cds or going to their concert?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    13. Re:wow, that's evil by flyneye · · Score: 2, Interesting

      Or we could, you know, take music back from the evil empire. Music is sound, sound is free. Performance is work, work is rewarded monetarily. There is no use for a music "industry" except to rip off everyone from the artist all the way to you.
      Stealing implies ownership. Music exists as energy independent of ownership. Music uses humans as a gateway to this dimension. Humans may be rewarded for acting as gateways, not as owners of intangibles. Copyright is such a joke due to its distortion through legislation that this also counts as an act of revolution permissible constitutionally.
      Get over yourself and quit regurgitating buzz-phrases about "supporting the artists" which has nothing to do with the RIAA as they would have you believe. You are a sucker and not a very good one.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    14. Re:wow, that's evil by pdusen · · Score: 2, Interesting

      Ooh, here's an idea: Pirate music until the industry dies (supporting the artists through concert attendance in the meantime), then when artists go independent, buy their music THEN! That way they make even MORE money! What a novel idea! See: Nine Inch Nails.

    15. Re:wow, that's evil by damienl451 · · Score: 2, Informative

      Copyright is there because, believe it or not, people respond to incentives. Copyright provides just such a monetary incentive to write or perform new songs. Although as a songwriter or performer you're very likely never to make any real money, in the off-chance that you do make it big, copyright law ensures that part of the revenue that your song generates will go to you and, for instance, help you support your family.

      It's ludicrous to think that, should copyright disappear, the music industry would immediately collapse. The most likely thing that would happen is that instead of signing new artists, they would just cruise the bars of Nashville or Austin, look for new songs, and get a cover band to play it before sending it to all the radio stations. Of course, since record companies have access to better facilities and have a lot more money they can devote to marketing, there is no way an unknown artist would be able to compete against them, internet or not.

      If there truly was no need for a music industry, it wouldn't exist in the first place. I'm afraid that, like so many on Slashdot, you're suffering from the delusion that everyone behaves in exactly the same way as you do. You might enjoy browsing a website in search for a new sound that you like, but most people don't. What they want is quality music available anytime they want. They want to be able to turn on the radio and hear good music, not spend an hour separating the wheat from the chaff.

      Right now, artists can already operate along the guidelines you suggest. Nobody is forcing them to sign with a major; they can release their songs on the internet and make money playing concerts.

    16. Re:wow, that's evil by MadnessASAP · · Score: 2, Insightful

      > Wouldn't it be more important to run your antivirus on your codecs before installing?

      Even better idea: install VLC and CCCP, and if it won't play with either of those then you probably don't want to watch it anyway.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    17. Re:wow, that's evil by Anonymous Coward · · Score: 3, Funny

      > but hey... who's going to try to change it?

      I will, in 10 years after I become batman.

    18. Re:wow, that's evil by Kiaser+Zohsay · · Score: 2, Insightful

      Where did concerts come into this?

      GGGP wrote "support music by buying from the artists" which then led to a comparison of alternate methods of supporting the artists, ergo concerts. A legitimate (OT) point, and not a straw man. However, between the venues, concert promoters and TicketBastard, the concert business is ripping off artists almost as badly as the recording labels.

      When voting with your dollars, deciding where *not* to spend is every bit as important as where to spend. There is no substitute for doing your homework.

      --
      I am not your blowing wind, I am the lightning.
    19. Re:wow, that's evil by Kiaser+Zohsay · · Score: 2, Interesting

      At the very least, don't play your MP3s with Windows Media Player.

      Word does the same thing, opening files that are named with the wrong type, and not complaining about the mismatch. Rename a .DOC file with a .RTF extension, and double-click it. If RTF is associated with Word, then Word will open your file like a trooper, but won't say a word about the format not matching the name. Now, try opening it with something that supports .RTF but not .DOC (there are a few out there) and hilarity ensues.

      For a long time I have told people "Don't use Internet Explorer unless you absolutely have to, and don't use Outlook under any circumstances." It looks like I need to include WMP in that advice as well.

      --
      I am not your blowing wind, I am the lightning.
    20. Re:wow, that's evil by dna_(c)(tm)(r) · · Score: 5, Funny

      Why would Microsoft transcode mp3's to Real Media?

      Because "WOOSH" sounds better in that format?

    21. Re:wow, that's evil by mr_mischief · · Score: 2, Interesting

      Well, that trojan has a bug. When you sell short, you sell a stock then buy it. Yes, really.

      That's what "short" means -- you don't have all the shares you need to cover the sale, so you're short. A "naked short" means you also don't have the funds set aside to buy and deliver the shares you sold or enough shares of the company in your portfolio to make up the difference.

      The idea is that you sell at or just below the current price, expecting the stock to tank. Then you buy the shares before the agreed-upon transfer time for less than you're getting. Basically you're selling borrowed shares for more money than you're paying the guy you borrowed them from, if it works out as planned. If the stock goes up, you end up paying more for the shares than what you sold them for.

      Theoretically there's a limit on what you can make and no limit on what you can lose. It's a useful tool in the market, though, if it's used correctly.

      I know the explanation is overkill in response to your joke, but it seems many people do get confused with what the term means. I figured now was a teachable moment for people reading your post.

    22. Re:wow, that's evil by sm62704 · · Score: 2, Informative

      I hate to say "I told you so" but... Ok, I don't hate telling you that, but I hate that I was right. Damn it, I'm not a security professional, why could I see this coming but the professionals couldn't?

      I've been warning people about using WMA files and Windows Media Player for years, the first I said of it was back when I had my old Quake site, the Springfield Fragfest. A security researcher who played Quake II saw the post, realised that I was right, and we had a rather scary email conversation. I've been preaching about it ever since.

      The first time I listened to a WMA file and my browser opened I knew this was coming.

      The wrapper isn't even necessary! If you use Windows Media player (WiMP) an MP3 or OGG file can infect you. Here's how.

      Say you have a DRMed music file named VIRUS.WMA. You take your DRMed WMA file and have the "drm key" or whatever you call it send the victim to your malicious web site. You simply rename the file to "Outkast_Tribute.MP3" (or other popular tune) and put it in your "share" folder. For bonus points have the file be a recording of you saying "you've been pwned, n00b!" (or better, Madonna saying "WTF are you doing?") with the same length as the Outkast song.

      People running any other player except WiMP that I tested (and let's hope that Winamp et al haven't "upgraded" the players to allow this infection) will not be vulnerable; I tested several different players (this was several years ago, Winamp was one) and none would open the file renamed like that except WiMP. You get an error message saying it is an unknown format.

      WiMP will recognise the renamed file, however, and happily run the trojan. Note to Microsoft developers: PLEASE FIX THIS HORRIBLE DESIGN FLAW. Users: DON'T USE WINDOWS MEDIA PLAYER! There are dozens out there.

      Mac and Linux users aren't immune to wrapped WMA files unless DRMed files or WMA files won't play. Getting your files legally won't protect you, either, as Sony's rootkit proved. However, you CAN protect yourself.

      One way is to put on your tinfoil hat and never play a music file you didn't rip yourself. A better way is, when you get a new music file, simply disable networking temporarily by unplugging the ethernet or shutting off your router, and play the file. If your browser doesn't start, the file is clean. If it starts, delete the file, empty the trash and thank yourself for remembering to do it.

      DRM is what allows this exploit to work! This is one more example of why DRM itself is pure evil. All DRM does is inconvenience your honest customers without hampering commercial copyright infringers at all, and gives your customers another way to get infected.

      If your company in any way, shape, or form has anything to do with DRM, it's evil. If you personally develop DRM, you know damned well DRM won't work and you are a thief who is conning the stupid evil companies who buy your evil garbage.

      Sorry for the rant but I hate seeing evil disguised as good. DRM is evil pure and simple. PLEASE STOP USING DRM!

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    23. Re:wow, that's evil by clone53421 · · Score: 3, Interesting

      Also, beware of any MPEG, AVI, or MP3 that is under a meg. And don't be stupid enough to download .zip, .rar, .exe, .scr, .wmv, .wma, .asv, or .asf files off of P2P networks.

      Fairly good advice, but I'd modify it slightly...

      First, use VLC; if you drag-drop a file into VLC you'll remain pretty safe even if the file is malicious. MPEG/AVI/MP3 files that are under a meg are still likely adverts, but they can't hurt you if you open them with VLC. WMV, WMA, and ASF are also likely adverts, but they can't launch their slew of popup windows if you open them with VLC. Also, VLC won't do anything bad if you drop "awsums0ng.mp3.exe" into it, it'll just say it can't play that. Double-clicking on that file would have been bad.

      As you know, running EXE, COM, SCR, or JS/VBS (Limewire blocks VBS files by default I think) that you download from P2P is dumb. I haven't seen HTA files on P2P, but they're executable so if you happen across one, don't risk those either. In short, Just Don't. (If you have a really kickin' antivirus, you might risk an unverified executable after it's passed the scan, but you're still playing with fire.)

      ZIP/RAR files aren't dangerous themselves, it's the files that may be inside them. If you don't know what that meant, just avoid them altogether. What is inside them should be treated the same as anything else you download: see the previous 2 paragraphs.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    24. Re:wow, that's evil by Thaelon · · Score: 2, Informative

      The bands still make far more money from touring than albums sold. To quote Maynard Keenan from Tool:

      > You make a lot more money touring or selling shirts, yeah, but that's when you get to a certain level. That in-between spot is tough.

      Seen here.

      I included that last bit for the sake of honesty. But the fact is they, and other big bands make more from touring than albums. I believe he also once said that they could simply tour and not do albums at all, and get along fine. But I couldn't find that quote.

      --
      Question everything

    25. Re:wow, that's evil by Flambergius · · Score: 2, Interesting

      > He wasn't planning to sell it, or he wouldn't have let you borrow it.

      I think this is the main part of it. Our Farmer Jones, whether he had apples or stock to borrow, is sitting tight on something valuable. He benefits in two ways.

      1) You pay him. He's not going to borrow his stuff for free. The exact amount and conditions of the payment can vary greatly, but it'll be there.

      2) What you are doing will result in a more accurate price for the stuff the Farmer has. Markets are in large part about setting the correct price for each item. This is often called generating a price signal and it is the main tool for making economic decisions in free-market economies.

      --
      Computers are useless. They can only give you answers - Pablo Picasso
    26. Re:wow, that's evil by adavidw · · Score: 2, Informative

      That's not how it works. When you go to a concert, a promoter has paid for the venue. The promoter basically pays all of the expenses for the venue and promotion and what not, then contracts with the artist to appear at the concert that they've set up.

      The artist more often than not will get a fixed fee for this performance with the promoter then pocketing all of the money they've collected from ticket sales minus the expenses of paying the venue, paying the artist the fixed fee, paying the promotional costs, etc.

      Another common arrangement is where the artist and promoter negotiate a percentage of ticket sales backed up by a fixed guarantee for the artist in case ticket sales aren't all that. But, for a lot of smaller artists, it's way more common for them to be appearing in that rock club for $1000 and that case of beer left in the dressing room.

      That's why if you really want to support the artist, you'll buy a shirt or cd or some other merchandise at the concert. That money's usually all theirs, and is the sweetest plum.

  2. Richard Stallman Says... by Anonymous Coward · · Score: 4, Funny

    If you'd just used OGG, this never would have happened! ;-)

    1. Re:Richard Stallman Says... by Z00L00K · · Score: 4, Interesting

      The basic format wouldn't make any difference. The problem is with formats that incorporate extra features and functionality. Whether it's MP3 or OGG that's encapsulated is really not an issue.

      We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers into zombies.

      How to remember the good old days when we could get the "Your computer is now stoned" or an East German ambulance with sound passing over the screen. Pretty annoying but relatively harmless.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Richard Stallman Says... by paradxum · · Score: 2, Insightful

      Yes, I too remember the days when there was little if any monetary gain to be had from writing a virus or hacking in general.

      But those days are gone, there is money to be made... now that it pays to hack, the onslaught will only get worse.

    3. Re:Richard Stallman Says... by clone53421 · · Score: 2, Informative

      Task manager... if you can kill the viral process... (maybe take a look at the sysinternals suite; particularly I'm thinking AutoRuns, ProcessExplorer and RootkitRevealer might be useful (haven't actually had to use them yet)).

      Also Regedit... you might be able to remove the viral startup entries... but only after you've killed the process, or it might just add itself back.

      After you've killed the process and removed its startup entries, rebooting might get you a clean environment and you can hopefully delete the infected files. It worked for me when I got infected from a P2P virus (dumbassed thing to do, I know...)

      Anyway, hope you don't have to format, that would suck. Maybe my tricks weren't already up your sleeve. If they help, great. If those fail, I'd probably have to fall back to something drastic like booting from a safe disk and running antivirus, or taking out the hard disk and virus scanning it... that's a hassle, though, and I'd be worried about breaking the OS.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  3. Gentlemen, by Anonymous Coward · · Score: 5, Funny

    I must applaud the RIAA on this occasion. I may have mocked their efforts in the past, but this is truly an impressive piece of work, worthy to be called a hack.

    1. Re:Gentlemen, by thrillseeker · · Score: 4, Insightful

      Next up ... how DRM protects you from virus laden mp3s

  4. Nice by Anonymous Coward · · Score: 5, Insightful

    Way to go Microsoft!

    Is there anything these morons can't fuck up?

    1. Re:Nice by pxc · · Score: 5, Informative

      For those of you who think this is just a troll, or are just unfamiliar with ASF:

      Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

      If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

      It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.

    2. Re:Nice by UnknowingFool · · Score: 3, Interesting

      That explains a lot. A few years ago before youtube was popular, a friend linked a website with a funny clip and as soon as the clip opened, it launched IE. Now I had my firewall set to prompt on IE so nothing happened unless I allowed it. I wondered how it was able to do that. Maybe I'm too set in my old school thinking but I think a media file should not have arbitrary content. Or at least limit what could be used.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:Nice by hairyfeet · · Score: 3, Interesting

      This may be a new variation, but believe me, this is a VERY old problem. I have worked in PC repair more years than I can count and I don't know how many times I have gone into a clueless user's "MP3" folder to back up before a wipe only to find after turning on "show file extensions" MP3.EXE, MP3.ASF, MP3.WMA, etc. If someone downloads strictly by name and opens anything they get without doing any kind of virus checks they ARE going to get bit. What we need is the guy from the actors studio in the Geico commercials to go "Stupid users behaving stupidly..... Brilliant!". But as always this is my 02c, YMMV. Oh, and the worst infected were always either on Kazaa, Limewire, or Bearshare. Don't know why, but those three always attracted the really clueless.

      --
      ACs don't waste your time replying, your posts are never seen by me.
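The thread keeps returning to the same weakness: the player trusts the file's name, not its contents (Kiaser Zohsay's .DOC-renamed-to-.RTF analogy, sm62704's VIRUS.WMA renamed to an .MP3, and the MP3.EXE / MP3.ASF / MP3.WMA files hairyfeet finds in "MP3" folders). A defender's check is the opposite: read the first bytes and compare them with the extension. The script below is an added example written for this page, not code from Kaspersky, Secure Computing or anyone in the thread. It relies on the documented ASF Header Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C (stored with its first three fields little-endian), the "ID3" tag and MPEG frame-sync markers for MP3, and the "MZ" signature for Windows executables; the file names and byte strings in SAMPLES are constructed for the demonstration.

```python
"""Flag media files whose real container does not match their file name.

Added example for this page; constructed samples, not files from the article.
"""
import os
from typing import Iterable, List, Optional, Tuple

# ASF Header Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C. The first three
# fields are little-endian on disk, so the bytes a file actually starts with are:
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")


def sniff_container(data: bytes) -> str:
    """Return the container implied by the leading bytes, ignoring the name."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"            # WMA, WMV and ASF all share this container
    if data.startswith(b"MZ"):
        return "pe"             # Windows executable, whatever it is called
    if data.startswith(b"ID3"):
        return "mp3"            # ID3v2 tag in front of the MPEG audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"            # raw MPEG audio frame sync: eleven set bits
    return "unknown"


# Containers that are acceptable behind each media extension.
EXPECTED = {
    ".mp3": {"mp3"},
    ".wma": {"asf"},
    ".wmv": {"asf"},
    ".asf": {"asf"},
}

# Extensions Windows will execute on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def check_media_file(name: str, data: bytes) -> Optional[str]:
    """Return a finding for `name`, or None if name and content agree.

    `name` must be the on-disk name with its full extension; Explorer hides
    the final extension by default, which is what makes song.mp3.exe work.
    """
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()
    kind = sniff_container(data)
    if inner_ext in EXPECTED and ext in EXECUTABLE_EXTS:
        return f"{name}: executable disguised with a media double extension"
    if kind == "pe":
        return f"{name}: contains a Windows executable (MZ header)"
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        return f"{name}: extension says {ext} but content is {kind}"
    return None


def scan(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Run check_media_file over (name, leading bytes) pairs; keep the findings."""
    return [f for f in (check_media_file(n, d) for n, d in files) if f]


# Constructed samples: only the first bytes matter to the sniffer.
SAMPLES = [
    ("good_song.mp3", b"ID3\x04\x00\x00" + b"\x00" * 10),        # genuine MP3
    ("raw_frame.mp3", b"\xff\xfb\x90\x00" + b"\x00" * 8),        # MP3 without ID3 tag
    ("renamed.mp3", ASF_HEADER_GUID + b"\x00" * 14),             # WMA/ASF called .mp3
    ("awsums0ng.mp3.exe", b"MZ\x90\x00" + b"\x00" * 8),          # double extension
    ("codec_setup.mp3", b"MZ\x90\x00" + b"\x00" * 8),            # executable called .mp3
    ("legit.wma", ASF_HEADER_GUID + b"\x00" * 14),               # consistent
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

To run it over a real download folder, read the first 16 bytes of each file and pass `(os.listdir` name, bytes)` pairs into `scan()`; the sniffer never needs more than that, so scanning a large share stays cheap.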
    4. Re:Nice by Trigun · · Score: 2, Insightful

      If there is one thing that is guaranteed in life, it is stupidity. Count on that, and remove the other vectors.

    5. Re:Nice by geogob · · Score: 2, Insightful

      This is really clever. That way of using the file container to get the user to download false codecs.

      I wonder if it could work with other wrappers, like AVI, Quicktime, etc. Maybe not in their original state, but with slight modifications that could fool the player.

      I wasn't aware of all the capabilities of the ASF wrapper, but that sure was a ticking time bomb.

  5. Nothing New... by mariofreak · · Score: 4, Informative

    I don't think this is anything new... I've been caught out by it before. There was a site that claimed to provide mp3 downloads, made you install a codec that just redirected all your internet requests to their proxy. I wiped the system after that.

    1. Re:Nothing New... by dreamchaser · · Score: 4, Insightful

      You should turn in your geek card for falling for that one! Any site you don't 100% trust that asks you to install a codec for a file format you can play already screams 'malware' in a loud shrill voice.

    2. Re:Nothing New... by Obfuscant · · Score: 2, Informative

      That's good advice, but just because you can play the file format doesn't mean you have the right codec...

      It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

      Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE, whether or not you want to get into an argument about which is the BEST codec or the fastest or the "right" one. "Right" is an opinion and irrelevant.

    3. Re:Nothing New... by omeomi · · Score: 4, Informative

      > It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

      That's actually not true. It's less of an issue with audio file formats, but video file formats can contain video compressed with any number of codecs, and you need the correct codec to play them. For instance, if I can play raw .avi files, but don't have the DivX codec, I can't play DivX encoded .avi files at all. I need the DivX codec.

      > Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE,

      You are correct that many malware websites use fake codecs to install their malware, but it's just not true that any codec will work for any given file format. Just because you can open the file doesn't mean you have the right codec to view the content. It has nothing to do with the "fastest" or "best" codec. If you don't have the right codec, the video won't play back at all.

  6. Microsoft only threat? by UnknowingFool · · Score: 2, Interesting

    Can anyone comment about the possible risk to non Windows machines? Well it appears that IE is affected as well as the ASF format. The Trojans itself appears to be Windows only. Does anyone know if FF or other browsers can be used? Also I don't know much about the ASF container but if you run it in another player like iTunes will it still activate?

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Microsoft only threat? by UnknowingFool · · Score: 4, Informative

      Geez, take a pill. The Trojan appears to have a very complex activation, and I asked for clarification and more detail. The article seemed to state that IE, ASF (Windows Media Player), and Windows were required. What if I'm using FF, WMP, and Windows? How about FF, iTunes, and Windows? How about Safari, iTunes, and Windows? Nowhere in my post did I mention Linux, OS X, or Unix.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:Microsoft only threat? by advocate_one · · Score: 2, Informative

      > Nowhere in my post did I mention Linux, OS X, or Unix.

      yes you did... here right in the first line of your OP

      > Can anyone comment about the possible risk to non Windows machines?

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  7. Data vs Program by mlwmohawk · · Score: 5, Insightful

    Microsoft has a SERIOUS design pathology. They too often confuse "data" with "program." Every G.D. thing in Windows can, in some way, initiate an action. This is a problem.

    A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.

    1. Re:Data vs Program by Anonymous Coward · · Score: 2, Funny

      You mean just have it read X bytes of data and stop!? But how would they have supercyberhyperwebbrowsing? I want gimmicks not reliability.

    2. Re:Data vs Program by Zoltair · · Score: 2, Informative

      I am not so sure it is a MS issue, they are developing "by popular demand". Computer users (yourself included, me too!) have demanded more automation, they want less user interaction, thus MS and everybody else will develop for these wants. I remember when email was just that, data!, had to uuencode/uudecode anything binary, Gopher was the WWW back then; automation has removed that need, but it has also left us all open to attack. If it were not for our need and desires for this automation, we would all still be using MS-DOS or Unix....

    3. Re:Data vs Program by geogob · · Score: 2, Informative

      I don't agree with your evaluation. As I understand it, the asf contains a download link for the codec. The player program for the file (most likely windows media player components) initiates the "please download this missing codec" action using the information within the ASF container (link to the trojan/worm).

      This is the problem right here: Using corruptible information for a system-sensitive operation. WMP should only initiate such a download from a secure and authenticated source on the internet or use its own pre-defined sources, like windows update.

      This is a "good" user-friendliness feature for users who don't like to be put in front of a simple "missing codec" cryptic error. But so many user-friendliness features tend to lead, if badly implemented, to major vulnerabilities through common user-behavior attacks.

      It's all "data". The problem is how this data is handled by the system components. More important is how unverified (and unverifiable, and potentially corrupted) data can be used for system-sensitive operations. Worse, how this can be done fooling the user to think it's a normal and appropriate measure. This is a FAIL in user psychology and end user system design.

    4. Re:Data vs Program by mlwmohawk · · Score: 2, Insightful

      > Computer users (yourself included, me too!) have demanded more automation,

      Speak for yourself. I don't want "automation" and most of my family and friends get confused by it, "Hey, why is it doing that?" is the typical response.

      > they want less user interaction, thus MS and everybody else will develop for these wants.

      You are confusing "wanting it to work" and "automation." Clicking, or double clicking, on an icon in a window and having the correct player pop up and play the file correctly is what people want. That is, in fact, *all* they want. No one asked for media files that would "automate" anything.

      Users don't even understand computers at the level where they could ask for such a thing. If they did, they wouldn't even ask. I submit that much of the push for programmatic content within media is from the *IAA types looking to extend control.

      I remember when email was just that, data! You had to uuencode/uudecode anything binary

      There is no reason why an email message has to contain programmatic content for an email program to be able to properly decode an attachment. That's what MIME types are all about.

  8. What player? by Blice · · Score: 5, Interesting

    TFA doesn't say what media player is vulnerable to this...

    I have a feeling this exploit doesn't work in VLC.

    A few days ago I played a movie in VLC on a Windows machine and halfway through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.

    So it wasn't able to do those things, but I can't help shaking the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc..

    Disclaimer: I'm not associated with VLC, although I do really like it.

    1. Re:What player? by X0563511 · · Score: 2, Insightful

      My question is how the hell that works? Why is it even possible to do that!?

      Data comes in, gets split into an audio stream and a video stream. You look at the magical tags and figure out which decoder to fire up. Feed compressed data into the decoder, get decompressed data out. Pass the video data to the display pipeline, and the audio data to the audio pipeline.

      There should be no way to execute anything from those pipelines.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:What player? by afidel · · Score: 2, Informative

      Open a webpage to display cover art, link to the band's tour page, etc. The problem is that it uses IE to open the page no matter what you have your default browser set to, and we all know how secure IE is. It can also have an embedded link to a download for a new codec; if you don't have the codec then it will ask you if you want to install it. In this case the codec is a trojan.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  9. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  10. von Neuman rolls in his grave by Gothmolly · · Score: 5, Insightful

    This is why you separate the executable code from the data.

    --
    I want to delete my account but Slashdot doesn't allow it.
  11. For lack of a name, call it the RIAA worm. by suck_burners_rice · · Score: 2, Interesting

    Hmmm, it sounds like this kind of worm really benefits the RIAA. It works like this: If all your mp3 files are encoded from your own CDs for legitimate purposes, then nothing will happen to you. But if you download a single song, or if you copy a single song from a friend, then BOOM! All of your music becomes totally jacked up. It seems a pretty sophisticated worm/virus concept and the transcoding of mp3s is kind of like an additional "fsck you" from the RIAA.

    --
    McCain/Palin '08. Now THAT's hope and change!
  12. hmm... by Taibhsear · · Score: 4, Funny

    Good thing I only download FLAC and transcode it myself to mp3... I mean, I buy cds straight from the RIAA for $50 a pop so I can bypass those greedy artists... yeah, that's the ticket...

  13. They're ASF, Not MP3, Files by Doc+Ruby · · Score: 5, Informative

    The buggy format is not MP3. The MP3 files are perfectly safe.

    This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.

    Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).

    But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.

    --
    make install -not war

    1. Re:They're ASF, Not MP3, Files by Doc+Ruby · · Score: 2, Informative

      Windows lets the unsafe ASF files appear to the operator to be safe MP3.

      The last time I opened a file in Windows Media Player that had an incorrect extension it warned me of the fact, giving me the option of not playing it.

      This report says that safeguard fails.

      But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3.

      I don't see anything in the summary or article that blames mp3s, so I'm really not sure what you mean by that.

      The title of this story is "Worm Transcodes MP3s To Infect PCs", not "Worm Infects PCs with ASFs". How much more clear could that be?

      --
      make install -not war

    2. Re:They're ASF, Not MP3, Files by qoncept · · Score: 4, Interesting
      The original post seems to be pretty carefully worded so as to not imply that mp3s are the problem. Where is anyone blaming mp3s?

      I had to reread because after a once through it seemed there was no risk to me, as I don't download wma/asf. Then I realized it said the extension remains the same. Which makes sense -- I know Windows Media Player will open any supported media type by reading the headers, and double clicking on a file with a media extension will open WMP. So there's your problem -- WMP, not Windows.

      Then I also remembered that I'm not using Windows anymore, so I'm safe after all.

      --
      Whale
  14. No the ultimate evil is if... by Fallen+Andy · · Score: 5, Funny

    it *downloads* real player

    1. Re:No the ultimate evil is if... by saboola · · Score: 3, Funny

      No, the real evil is buffering.. buffering..

  15. "Windows XP is our most secure OS ever" by Joce640k · · Score: 2, Insightful

    ...apart from the ActiveX and the email program which auto-runs attachments and the music files which can launch the browser and the RPC daemon which can't be firewalled and the universal plug and play daemon which allows "drivers" to travel around networks and....

    Defective by design.

    --
    No sig today...
  16. Re:ASF? by BlueParrot · · Score: 2, Informative

    Being able to make an asf look like an MP3 is...weird

    Not really, name the file: mymusicfile.mp3.asf, Windows does the rest for you.

  17. a) ASF is patented, b) by Microsoft. by Joce640k · · Score: 4, Funny

    So ... I think we can deduce which players are vulnerable to this.

    --
    No sig today...
  18. hidden extensions by Kenshin · · Score: 4, Insightful

    I hate how Windows has hidden file extensions in every version since XP. It's supposed to make the machine more Mac-like and friendlier, but it is a serious security concern.

    I try to turn it off on every machine that I'm asked to setup or fix, but occasionally I get someone who deletes the "unfamiliar" file extensions from their files and ends up not being able to open them.

    --
    Does it make you happy you're so strange?

    1. Re:hidden extensions by thePowerOfGrayskull · · Score: 4, Interesting

      If the file handling were based on its actual content instead of a friggin file extension, then this would be a much less serious problem. What bugs me is that after years of infections that can be directly tied to this 'feature', they still haven't changed it.

    2. Re:hidden extensions by QRDeNameland · · Score: 4, Informative

      They hid file extensions by default in Windows 2000 as well, which is one of the things I would always turn off as ritual when building out a new machine. I always felt there should be an OS install or user account setup option of "User is not an idiot".

      --
      Momentarily, the need for the construction of new light will no longer exist.
    3. Re:hidden extensions by madmac63 · · Score: 2, Interesting

      This has been a peeve of mine for years. The name of a file and the application which should open it by default are two different things. And stupid frikkin' MS filesystems and OS's can't get that through their heads . . . . why they didn't move the "extension" into a directory field (the way the Mac does) associated with the file . . . then you could name it whatever you wanted, and put periods in the filename, and not have to worry . . . madmac

    4. Re:hidden extensions by clone53421 · · Score: 2

      I don't see how that would prevent this exploit. Even if handling was based on content, the system would still say "yup, it's an ASF, I'll just go ahead and launch up Windows Media Player and play it"...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  19. A bit of clarification? by sootman · · Score: 2, Interesting

    It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension. [emphasis mine]

    So if this is correct, I figure one of two things is happening:
    1) It renames the file blah.mp3.asf, but if you have extensions hidden, it will hide the 'asf' and show the 'mp3'
    or
    2) it is an asf named blah.mp3 but when WMP opens the file, WMP says "Who cares what it's named, I can see that this is an ASF so I will go ahead and play it."

    Anyone know which it is?

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
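    The two possibilities sootman lists (a hidden double extension like the mymusicfile.mp3.asf trick from comment 16, or a plain .mp3 name whose bytes are really an ASF container that a header-sniffing player plays anyway) can both be checked for from the defender's side. The script below is an added example, not code from the article or from any commenter; it assumes only the published ASF header GUID and the ID3/MPEG frame-sync bytes, and the sample headers it audits are constructed.

    ```python
    """Flag .mp3 files whose name or contents suggest a disguised ASF container."""
    import os
    import sys
    from pathlib import Path

    # ASF "Header Object" GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C, stored as the
    # 16 little-endian bytes that begin every ASF/WMA/WMV file.
    ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


    def sniff_container(head: bytes) -> str:
        """Classify the first bytes of a media file as 'asf', 'mp3' or 'unknown'."""
        if head.startswith(ASF_HEADER_GUID):
            return "asf"
        if head.startswith(b"ID3"):  # ID3v2 tag ahead of the MPEG audio frames
            return "mp3"
        # Raw MPEG audio frame: 11-bit sync word (all ones) at the very start
        if len(head) >= 2 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0:
            return "mp3"
        return "unknown"


    def audit(name: str, head: bytes) -> list[str]:
        """Return findings for a file name plus its first bytes (empty if clean)."""
        findings = []
        suffixes = [s.lower() for s in Path(name).suffixes]
        # Case 1: 'song.mp3.asf' is shown as 'song.mp3' when extensions are hidden
        if len(suffixes) >= 2 and ".mp3" in suffixes[:-1] and suffixes[-1] != ".mp3":
            findings.append(f"double extension {''.join(suffixes)}")
        # Case 2: name says .mp3 but the header says ASF, so a sniffing player plays it as ASF
        kind = sniff_container(head)
        if suffixes and suffixes[-1] == ".mp3" and kind == "asf":
            findings.append("ASF header inside .mp3 file")
        elif suffixes and suffixes[-1] == ".mp3" and kind == "unknown":
            findings.append("unrecognised content for .mp3")
        return findings


    # Constructed sample inputs (name -> first 16 bytes), not real files from the thread
    SAMPLES = {
        "clean.mp3": b"ID3\x04\x00\x00" + b"\x00" * 10,
        "hidden.mp3.asf": ASF_HEADER_GUID,
        "sniffed.mp3": ASF_HEADER_GUID,
    }


    def scan_tree(root: str) -> dict[str, list[str]]:
        """Walk a directory and collect findings for every file named like an MP3."""
        results = {}
        for dirpath, _, files in os.walk(root):
            for fname in files:
                if ".mp3" not in fname.lower():
                    continue
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    head = fh.read(16)
                if hits := audit(fname, head):
                    results[path] = hits
        return results


    if __name__ == "__main__":
        target = {n: audit(n, h) for n, h in SAMPLES.items()}
        if len(sys.argv) > 1:
            target = scan_tree(sys.argv[1])
        for path, hits in target.items():
            print(path, "->", "; ".join(hits) or "ok")
    ```

    Run with a directory argument to audit a real music folder; without one it reports on the constructed samples.
    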
  20. Re:Dont use untrusted codecs! by ConceptJunkie · · Score: 4, Insightful

    The irony is that in all these years, I don't think I've ever seen WMP successfully find and install a codec it was missing. I just end up with a message saying it couldn't find the codec that doesn't even tell me which codec it was looking for. Then it turns out this is all just another malware attack vector.

    In 2000, this problem would have been "more of the same", but the fact that this still exists in 2008 is insane. I mean Microsoft publicly admitted their security is awful in 2000, took four years to make a decent attempt to correct things, and yet here we are four years after that...

    Thanks, Microsoft. Thanks a lot. You give new meaning to the word FAIL on a daily basis.

    --
    You are in a maze of twisty little passages, all alike.
  21. The ASF container is patented by tepples · · Score: 2, Interesting

    Also I don't know much about the ASF container but if you run it in another player like iTunes will it still activate?

    The ASF container is patented in the United States, home of Microsoft Corporation, Apple Inc., and Slashdot. Microsoft wants to be the only vendor of ASF tools; to this end, it has cease-and-desisted VirtualDub's author from including ASF support. And Microsoft's ASF parser is, predictably, the exploitable one.

  22. Details on actual Windows Media behavior by benwaggoner · · Score: 4, Interesting

    The original article is rather overblown by the real-world behavior here. I just whipped out a WMA file with a URL marker, renamed it to .mp3, and tried it to see what would happen.

    With Windows Media Player 11 installed (out as an optional update for two years for XP, and default in Vista):

    Trying to open up an ASF file with a .mp3 extension prompts a dialog reading:

    "The file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior."

    So, if a user opened one of these files, they'd have an immediate warning something was up.

    However, if they play the file, nothing will happen if the player is in the stock state. Script commands don't run unless the user has gone into Tools > Options > Security and checked the "Run script commands if present" (which is off by default).

    And if a user somehow got one of these modified files AND has ignored the first dialog AND changed the default security option, all they're going to get is a new web page opening up in the default browser, which would then be subject to other security on the machine.

    So, current Windows installs appear to be secure by default against this exploit.

  23. WMP 9 is good too by benwaggoner · · Score: 2, Informative

    I launched up a VPC session with XP and WMP 9 installed, and verified the same behavior:

    Warning that the extension doesn't match the content

    Script command execution off by default.

    Since WMP 9 is installed with XP SP 2, this suggests that SP 2-3 and Vista should be unaffected in stock state.

  24. ASF=WMA=WMV by benwaggoner · · Score: 2, Informative

    Yes, same file format. It was originally called just .asf, but changed by default in the late 90's, IIRC, to different extensions for video and audio.

    This enabled different icons for video and audio files, and let you easily filter between them so you didn't accidentally try to sync video to an audio-only player.

    This is pretty standard practice. .m4a, for example, is an MPEG-4 file with just audio. .f4v is an MPEG-4 file known to be compatible with Flash.

  25. Odd that it's taken so long. by argent · · Score: 2, Interesting

    This kind of thing is why I eventually included WMP among the software I banned back in the late '90s. When I realized the danger of Microsoft's HTML control I banned everything that I could find that used the HTML control on untrusted content. This wasn't really an issue for early versions, but most later versions of Windows Media Player were tied into the HTML virus distribution ecosystem. Well, Outlook and Internet Explorer soon proved me right in doing so, but up to now Windows Media seemed to have pretty much dodged the bullet.

  26. Another good reason by Snaller · · Score: 2, Insightful

    To use mplayer to play your files.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  27. To the non-technically savvy .... by PPH · · Score: 2, Insightful
    ... this goes like:

    (Blah, blah blah blah, blah) codec (blah blah, blah. Blah.)

    [Allow] or [Cancel]

    --
    Have gnu, will travel.