Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Worm Transcodes MP3s To Infect PCs

Posted by kdawson on Fri Jul 18, 2008 10:34 AM
from the just-don't-click dept.
Security Media Music
snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."
+ -
story

Related Stories

Firehose:Worm Transcodes MP3s to Infect PCs by snydeq (1272828)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Worm Transcodes MP3s To Infect PCs 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • wow, that's evil (Score:5, Funny)

    by brunascle (994197) * on Friday July 18 2008, @10:37AM (#24242155)

    It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

    Wow, that's evil, even for malware authors.

  • Gentlemen, (Score:5, Funny)

    by Anonymous Coward on Friday July 18 2008, @10:37AM (#24242171)

    I must applaud the RIAA on this occasion. I may have mocked their efforts in the past, but this is truly an impressive piece of work, worthy to be called a hack.

  • Nice (Score:5, Insightful)

    by Anonymous Coward on Friday July 18 2008, @10:38AM (#24242177)

    Way to go Microsoft!

    Is there anything these morons can't fuck up?

    • Re:Nice (Score:5, Informative)

      by pxc (938367) on Friday July 18 2008, @10:43AM (#24242285)

      For those of you who think this is just a troll, or are just unfamiliar with ASF:

      Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

      If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

      It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.

        • I hate how Windows has hidden file extensions in every version since XP. It's supposed to make the machine more Mac-like and friendlier, but it is a serious security concern.

          I try to turn it off on every machine that I'm asked to setup or fix, but occasionally I get someone who deletes the "unfamiliar" file extensions from their files and ends up not being able to open them.

          • Re:hidden extensions (Score:5, Informative)

            by QRDeNameland (873957) on Friday July 18 2008, @12:19PM (#24243845)
            They hid file extensions by default in Windows 2000 as well, which is one of the things I would always turn off as ritual when building out a new machine. I always felt there should be an OS install or user account setup option of "User is not an idiot".

  • Data vs Program (Score:5, Insightful)

    by mlwmohawk (801821) on Friday July 18 2008, @10:46AM (#24242311)

    Microsoft has a SERIOUS design pathology. They too often confused "data" with "program." Every G.D. thing in Windows can, in some way, initiate an action. This is a problem.

    A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.

  • What player? (Score:5, Interesting)

    by Blice (1208832) <Lifes@Alrig.ht> on Friday July 18 2008, @10:48AM (#24242351)
    TFA doesn't say what media player is vulnerable to this...

    I have a feeling this exploit doesn't work in VLC.

    A few days ago I played a movie in VLC on a Windows machine and half way through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.

    So it wasn't able to do those things, but I can't help shake the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc..

    Disclaimer: I'm not associated with VLC, although I do really like it.

  • von Neuman rolls in his grave (Score:5, Insightful)

    by Gothmolly (148874) on Friday July 18 2008, @10:54AM (#24242433)

    This is why you separate the executable code from the data.

  • They're ASF, Not MP3, Files (Score:5, Informative)

    by Doc Ruby (173196) on Friday July 18 2008, @10:57AM (#24242495) Homepage Journal

    The buggy format is not MP3. The MP3 files are perfectly safe.

    This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.

    Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).

    But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.

    • Re:They're ASF, Not MP3, Files (Score:5, Interesting)

      by qoncept (599709) on Friday July 18 2008, @11:18AM (#24242871) Homepage
      The original post seems to be pretty carefully worded so as to not imply that mp3s are the problem. Where is anyone blaming mp3s?

      I had to reread because after a once through it seemed there was no risk to me, as I don't download wma/asf. Then I realized it said the extension remains the same. Which makes sense -- I know Windows Media Player will open any supported media type by reading the headers, and double clicking on a file with a media extension will open WMP. So there's your problem -- WMP, not Windows.

      Then I also remembered that I'm not using Windows anymore, so I'm safe after all.

  • The original article is rather overblown by the real-world behavior here. I just whipped out a WMA file with a URL marker, renamed it to .mp3, and tried it to see what would happen.

    With Windows Media Player 11 installed (out as an optional update for two years for XP, and default in Vista):

    Trying to open up an ASF file with a .mp3 extension prompts a dialog reading:

    "The file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior."

    So, if a user opened one of these files, they'd have an immediate warning something was up.

    However, if they play the file, nothing will happen if the player is in the stock state. Script commands don't run unless the user has gone into Tools > Options > Security and checked the "Run script commands if present" (which is off by default).

    And if a user somehow got one of these modified files AND has ignored the first dialog AND changed the default security option, all they're going to get is a new web page opening up in the default browser, which would then be subject to other security on the machine.

    So, current Windows installs appaer to be secure by default against this exploit.

    • Re:Richard Stallman Says... (Score:5, Interesting)

      by Z00L00K (682162) on Friday July 18 2008, @10:48AM (#24242337) Homepage
      The basic format wouldn't make any difference. The problem is with formats that are incorporating extra features and functionality. If it's MP3 or OGG that's encapsulated is really not an issue.

      We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers to zombies.

      How to remember the good old days when we could get the "Your computer is now stoned" or an east german ambulance with sound passing over the screen. Pretty annoying but relatively harmless.

    • Re:Nothing New... (Score:5, Insightful)

      by dreamchaser (49529) on Friday July 18 2008, @10:48AM (#24242345) Homepage Journal

      You should turn in your geek card for falling for that one! Any site you don't 100% trust that asks you to install a codec for a file format you can play already screams 'malware' in a loud shrill voice.

          • Re:Nothing New... (Score:5, Informative)

            by omeomi (675045) on Friday July 18 2008, @11:52AM (#24243445) Homepage
            It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

            That's actually not true. It's less of an issue with audio file formats, but video file formats can contain video compressed with any number of codecs, and you need the correct codec to play them. For instance, if I can play raw .avi files, but don't have the DivX codec, I can't play DivX encoded .avi files at all. I need the DivX codec.

            Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE,

            You are correct that many malware websites use fake codecs to install their malware, but it's just not true that any codec will work for any given file format. Just because you can open the file doesn't mean you have the right codec to view the content. It has nothing to do with the "fastest" or "best" codec. If you don't have the right codec, the video won't play back at all.

      • Re:Microsoft only threat? (Score:5, Informative)

        by UnknowingFool (672806) on Friday July 18 2008, @10:58AM (#24242505)
        Geez, take a pill. The Trojan appears to have a very complex activation, and I asked for clarification and more detail. The article seemed to state that IE, ASF (Windows Media Player), and Windows were required. What if I'm using FF, WMP, and Windows? How about FF, iTunes, and Windows? How about Safari, iTunes, and Windows? Nowhere in my post did I mention Linux, OS X, or Unix.

      • Re:Dont use untrusted codecs! (Score:5, Insightful)

        by ConceptJunkie (24823) on Friday July 18 2008, @12:24PM (#24243931) Homepage Journal

        The irony is that in all these years, I don't think I've ever seen WMP successfully find and install a codec it was missing. I just end up with a message saying it couldn't find the codec that doesn't even tell me which codec it was looking for. Then it turns out this all just another malware attack vector.

        In 2000, this problem would have "more of the same" but the fact that this still exists in 2008 is insane. I mean Microsoft publicly admitted their security is awful in 2000, took four years to make a decent attempt to correct things, and yet here we are four years after that...

        Thanks, Microsoft. Thanks a lot. You give new meaning to word FAIL on a daily basis.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.