Slashdot Mirror


Worm Transcodes MP3s To Infect PCs

snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."

14 of 385 comments

  1. wow, that's evil by brunascle · · Score: 5, Funny

    It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

    Wow, that's evil, even for malware authors.

    1. Re:wow, that's evil by morgan_greywolf · · Score: 5, Funny

      Wow, that's evil, even for malware authors.

      That's nothing. I heard the next version will automatically go out to the Web, sign up for an e-Trade account, and then proceed to buy stocks like GOOG, AAPL, RHAT, etc., and automatically sell them short.

    2. Re:wow, that's evil by oahazmatt · · Score: 5, Funny

      It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

      Wow, that's evil, even for malware authors.

      That's nothing. You should see the fix. Your anti-virus program will update its definitions, and if it identifies any of these files prior to download, it makes them appear in a Real Audio format so you're never tempted to download them to begin with.

      --
      Those who believe the Internet is private,
      find their privates are on the Internet.
    3. Re:wow, that's evil by hyperz69 · · Score: 5, Funny

      No, Evil is if it transcodes them to Real Media. Though I don't even think Satan himself could do that to anyone!

    4. Re:wow, that's evil by clone53421 · · Score: 5, Informative

      ASF is the container, WMA is the codec.

      WMA can be used to refer to the container, but it's actually an ASF container with a WMA track inside.

      That's confusing, and basically the file extension refers to the codec, not the container. The WMA or WMV files you download are actually ASF files. It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    5. Re:wow, that's evil by dna_(c)(tm)(r) · · Score: 5, Funny

      Why would Microsoft transcode mp3's to Real Media?

      Because "WOOSH" sounds better in that format?

  2. Gentlemen, by Anonymous Coward · · Score: 5, Funny

    I must applaud the RIAA on this occasion. I may have mocked their efforts in the past, but this is truly an impressive piece of work, worthy to be called a hack.

  3. Nice by Anonymous Coward · · Score: 5, Insightful

    Way to go Microsoft!

    Is there anything these morons can't fuck up?

    1. Re:Nice by pxc · · Score: 5, Informative

      For those of you who think this is just a troll, or are just unfamiliar with ASF:

      Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

      If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

      It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.

  4. Data vs Program by mlwmohawk · · Score: 5, Insightful

    Microsoft has a SERIOUS design pathology. They too often confused "data" with "program." Every G.D. thing in Windows can, in some way, initiate an action. This is a problem.

    A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.

  5. What player? by Blice · · Score: 5, Interesting

    TFA doesn't say what media player is vulnerable to this...

    I have a feeling this exploit doesn't work in VLC.

    A few days ago I played a movie in VLC on a Windows machine and half way through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.

    So it wasn't able to do those things, but I can't help shake the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc.

    Disclaimer: I'm not associated with VLC, although I do really like it.

  6. von Neumann rolls in his grave by Gothmolly · · Score: 5, Insightful

    This is why you separate the executable code from the data.

    --
    I want to delete my account but Slashdot doesn't allow it.
  7. They're ASF, Not MP3, Files by Doc+Ruby · · Score: 5, Informative

    The buggy format is not MP3. The MP3 files are perfectly safe.

    This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.

    Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).

    But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.

    --
    make install -not war
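A defender's check for the mismatch described in the comment above, added here as an example and not part of the thread: it classifies a file by its leading bytes instead of its extension and flags ASF content carrying an .mp3 name. The GUIDs are the Header Object and Script Command Object identifiers from the ASF specification; that the worm's links live in a Script Command Object is an assumption (the story only says it "adds links"), and `inspect_media` and `build_sample_asf` are hypothetical names with constructed sample data.

```python
import struct
import uuid

# Object GUIDs from the ASF specification; GUIDs are stored little-endian on disk.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le


def inspect_media(name: str, data: bytes) -> dict:
    """Classify a file by content, not by extension."""
    result = {"is_asf": False, "disguised": False, "has_script_commands": False}
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return result  # not ASF (a real MP3 starts with "ID3" or a frame sync)
    result["is_asf"] = True
    result["disguised"] = name.lower().endswith(".mp3")
    # Header Object layout: GUID(16) size(8) object count(4) reserved(2), then sub-objects.
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30
    for _ in range(count):
        if pos + 24 > end:
            break  # truncated or malformed header: stop instead of reading past it
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24:
            break  # an object cannot be smaller than its own GUID+size prefix
        if guid == ASF_SCRIPT_COMMAND:
            result["has_script_commands"] = True
        pos += size
    return result


def _obj(guid: bytes, payload: bytes) -> bytes:
    """Serialize one ASF object: GUID, total size, payload."""
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def build_sample_asf(with_script: bool) -> bytes:
    """Constructed test input: a minimal ASF header, not a playable file."""
    filler = _obj(uuid.UUID(int=1).bytes_le, b"\x00" * 8)  # made-up GUID
    subs = [filler] + ([_obj(ASF_SCRIPT_COMMAND, b"\x00" * 20)] if with_script else [])
    body = b"".join(subs)
    return ASF_HEADER + struct.pack("<QIH", 30 + len(body), len(subs), 0x0201) + body
```

A file that comes back with `disguised` set is worth quarantining regardless of the script-command result, since no legitimate tool writes ASF data under an .mp3 name.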

  8. No the ultimate evil is if... by Fallen+Andy · · Score: 5, Funny

    it *downloads* real player