Worm Transcodes MP3s To Infect PCs
snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."
Nothing New... (Score:4, Informative)
Re:Nice (Score:5, Informative)
For those of you who think this is just a troll, or are just unfamiliar with ASF:
It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.
They're ASF, Not MP3, Files (Score:5, Informative)
The buggy format is not MP3. The MP3 files are perfectly safe.
This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.
Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).
But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.
Re:Microsoft only threat? (Score:5, Informative)
Re:wow, that's evil (Score:4, Informative)
WMA, WMV and ASF are the very same container format. The only difference is the filename extension.
Re:ASF? (Score:3, Informative)
Not really, name the file mymusicfile.mp3.asf, Windows does the rest for you.
Re:Data vs Program (Score:2, Informative)
Re:They're ASF, Not MP3, Files (Score:3, Informative)
This report says that safeguard fails.
The title of this story is "Worm Transcodes MP3s To Infect PCs", not "Worm Infects PCs with ASFs". How much more clear could that be?
Re:Nothing New... (Score:3, Informative)
It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.
Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE, whether or not you want to get into an argument about which is the BEST codec or the fastest or the "right" one. "Right" is an opinion and irrelevant.
Re:Data vs Program (Score:2, Informative)
This is the problem right here: Using corruptible information for a system-sensitive operation. WMP should only initiate such a download from a secure and authenticated source on the internet or use its own pre-defined sources, like windows update.
This is a "good" user-friendliness feature for users who don't like to be put in front of a simple "missing codec" cryptic error. But so many user-friendliness features tend to lead, if badly implemented, to major vulnerabilities through common user-behavior attacks.
It's all "data". The problem is how this data is handled by the system components. More important is how unverified (and unverifiable, and potentially corrupted) data can be used for system-sensitive operations. Worse, how this can be done while fooling the user into thinking it's a normal and appropriate measure. This is a FAIL in user psychology and end-user system design.
Re:wow, that's evil (Score:5, Informative)
ASF is the container, WMA is the codec.
WMA can be used to refer to the container [wikipedia.org], but it's actually an ASF container with a WMA track inside.
That's confusing, and basically the file extension refers to the codec, not the container. The WMA or WMV files you download are actually ASF files. It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?
Re:wow, that's evil (Score:3, Informative)
Re:What player? (Score:3, Informative)
Re:Nothing New... (Score:5, Informative)
That's actually not true. It's less of an issue with audio file formats, but video file formats can contain video compressed with any number of codecs, and you need the correct codec to play them. For instance, if I can play raw
Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE,
You are correct that many malware websites use fake codecs to install their malware, but it's just not true that any codec will work for any given file format. Just because you can open the file doesn't mean you have the right codec to view the content. It has nothing to do with the "fastest" or "best" codec. If you don't have the right codec, the video won't play back at all.
Re:Microsoft only threat? (Score:3, Informative)
yes you did... here right in the first line of your OP
Re:hidden extensions (Score:5, Informative)
Re:Richard Stallman Says... (Score:2, Informative)
Task manager... if you can kill the viral process... (maybe take a look at the sysinternals suite [microsoft.com], particularly I'm thinking AutoRuns, ProcessExplorer and RootkitRevealer might be useful (haven't actually had to use them yet)).
Also Regedit... you might be able to remove the viral startup entries... but after you've killed the process or it might just add itself back.
After you've killed the process and removed its startup entries, rebooting might get you a clean environment and you can hopefully delete the infected files. It worked for me when I got infected from a P2P virus (dumbassed thing to do, I know...)
Anyway, hope you don't have to format, that would suck. Maybe my tricks weren't already up your sleeve. If they help, great. If those fail, I'd probably have to fall back to something drastic like booting from a safe disk and running antivirus, or taking out the hard disk and virus scanning it... that's a hassle, though, and I'd be worried about breaking the OS.
Re:wow, that's evil (Score:3, Informative)
It's ludicrous to think that, should copyright disappear, the music industry would immediately collapse. The most likely thing that would happen is that instead of signing new artists, they would just cruise the bars of Nashville or Austin, look for new songs, and get a cover band to play it before sending it to all the radio stations. Of course, since record companies have access to better facilities and have a lot more money they can devote to marketing, there is no way an unknown artist would be able to compete against them, internet or not.
If there truly was no need for a music industry, it wouldn't exist in the first place. I'm afraid that, like so many on Slashdot, you're suffering from the delusion that everyone behaves in exactly the same way as you do. You might enjoy browsing a website in search for a new sound that you like, but most people don't. What they want is quality music available anytime they want. They want to be able to turn on the radio and hear good music, not spend an hour separating the wheat from the chaff.
Right now, artists can already operate along the guidelines you suggest. Nobody is forcing them to sign with a major, they can release their songs on the internet and make money playing concerts.
WMP 9 is good too (Score:3, Informative)
I launched up a VPC session with XP and WMP 9 installed, and verified the same behavior:
Warning that the extension doesn't match the content
Script command execution off by default.
Since WMP 9 is installed with XP SP 2, this suggests that SP 2-3 and Vista should be unaffected in stock state.
ASF=WMA=WMV (Score:3, Informative)
Yes, same file format. It was originally called just .asf, but changed by default in the late '90s, IIRC, to different extensions for video and audio.
This enabled different icons for video and audio files, and let you easily filter between them so you didn't accidentally try to sync video to an audio-only player.
This is pretty standard practice. .m4a, for example, is an MPEG-4 file with just audio. .f4v is an MPEG-4 file known to be compatible with Flash.
Re:wow, that's evil (Score:3, Informative)
I hate to say "I told you so" but... Ok, I don't hate telling you that, but I hate that I was right. Damn it, I'm not a security professional, why could I see this coming but the professionals couldn't?
I've been warning people about using WMA files and Windows Media Player for years, the first I said of it was back when I had my old Quake site, the Springfield Fragfest. A security researcher who played Quake II saw the post, realised that I was right, and we had a rather scary email conversation. I've been preaching about it ever since.
The first time I listened to a WMA file and my browser opened I knew this was coming.
The wrapper isn't even necessary! If you use Windows Media player (WiMP) an MP3 or OGG file can infect you. Here's how.
Say you have a DRMed music file named VIRUS.WMA. You take your DRMed WMA file and have the "drm key" or whatever you call it send the victim to your malicious web site. You simply rename the file to "Outkast_Tribute.MP3" (or other popular tune) and put it in your "share" folder. For bonus points have the file be a recording of you saying "you've been pwned, n00b!" (or better, Madonna saying "WTF are you doing?") with the same length as the Outkast song.
People running any other player except WiMP that I tested (and let's hope that Winamp et al haven't "upgraded" the players to allow this infection) will not be vulnerable; I tested several different players (this was several years ago, Winamp was one) and none would open the file renamed like that except WiMP. You get an error message saying it is an unknown format.
WiMP will recognise the renamed file, however, and happily run the trojan. Note to Microsoft developers: PLEASE FIX THIS HORRIBLE DESIGN FLAW. Users: DON'T USE WINDOWS MEDIA PLAYER! There are dozens out there.
Mac and Linux users aren't immune to wrapped WMA files unless DRMed files or WMA files won't play. Getting your files legally won't protect you, either, as Sony's rootkit [wikipedia.org] proved. However, you CAN protect yourself.
One way is to put on your tinfoil hat and never play a music file you didn't rip yourself. A better way is, when you get a new music file, simply disable networking temporarily by unplugging the ethernet or shutting off your router, and play the file. If your browser doesn't start, the file is clean. If it starts, delete the file, empty the trash and thank yourself for remembering to do it.
DRM is what allows this exploit to work! This is one more example of why DRM itself is pure evil. All DRM does is inconvenience your honest customers without hampering commercial copyright infringers at all, and gives your customers another way to get infected.
If your company in any way, shape, or form has anything to do with DRM, it's evil. If you personally develop DRM, you know damned well DRM won't work and you are a thief who is conning the stupid evil companies who buy your evil garbage.
Sorry for the rant but I hate seeing evil disguised as good. DRM is evil pure and simple. PLEASE STOP USING DRM!
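The recurring defensive point in this thread (the "They're ASF, Not MP3, Files" comment, the "Data vs Program" comment, and the unplug-the-network test above) is that the extension is untrusted data and the container's own bytes are what matter. The following is an added example, not code from the Slashdot posters, Kaspersky or Secure Computing: a small Python scanner that classifies a file by magic bytes, compares that against what the extension claims, and walks the ASF Header Object to report whether a Script Command Object (the object type that carries the URL commands the thread describes) is present. The two ASF object GUIDs are taken from the ASF specification as the example's author remembers them and are an assumption; the sample files are constructed inline and deliberately minimal.

```python
import os
import struct
import uuid

# ASF object GUIDs as stored on disk (mixed-endian layout, which uuid.bytes_le produces).
# Values are from the ASF specification as remembered by this example's author (assumption).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

# What each extension claims the container is; .wma/.wmv are ASF under another name.
EXT_TO_CONTAINER = {"mp3": "mp3", "asf": "asf", "wma": "asf", "wmv": "asf"}


def sniff(data: bytes) -> str:
    """Classify the container from its leading bytes, ignoring the filename entirely."""
    if data.startswith(ASF_HEADER_OBJECT):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"  # ID3v2 tag ahead of the first MPEG audio frame
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # bare MPEG audio frame sync word
    return "unknown"


def asf_header_object_guids(data: bytes):
    """Yield the GUID of each child object inside the top-level ASF Header Object.
    Layout: GUID(16) + size(8, LE) + child count(4, LE) + 2 reserved bytes, then children,
    each GUID(16) + size(8, LE) + payload."""
    if len(data) < 30 or not data.startswith(ASF_HEADER_OBJECT):
        return
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30
    for _ in range(count):
        if pos + 24 > end:
            break  # truncated header: stop instead of reading past the buffer
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24:
            break  # a malformed size smaller than its own header would never advance
        yield guid
        pos += size


def has_script_commands(data: bytes) -> bool:
    """True if the ASF header carries a Script Command Object."""
    return any(g == ASF_SCRIPT_COMMAND_OBJECT for g in asf_header_object_guids(data))


def assess(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the sniffed container and rate the file."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = EXT_TO_CONTAINER.get(ext, "unknown")
    actual = sniff(data)
    script = actual == "asf" and has_script_commands(data)
    mismatch = claimed != actual
    if mismatch and script:
        verdict = "quarantine"   # ASF posing as something else, with URL commands inside
    elif mismatch:
        verdict = "suspicious"   # container does not match the extension
    elif script:
        verdict = "review"       # honestly named ASF, but it carries script commands
    else:
        verdict = "clean"
    return {"claimed": claimed, "actual": actual, "mismatch": mismatch,
            "script_commands": script, "verdict": verdict}


def build_asf(with_script_commands: bool) -> bytes:
    """Constructed minimal ASF header for testing; real files carry many more objects."""
    children = b""
    if with_script_commands:
        # Script Command Object with its payload omitted: presence is all this check needs.
        children += ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24)
    count = 1 if with_script_commands else 0
    header = ASF_HEADER_OBJECT + struct.pack("<QI", 30 + len(children), count) + b"\x01\x02"
    return header + children


def build_mp3() -> bytes:
    """Constructed MP3 stub: an empty ID3v2.3 tag followed by one frame-sync word."""
    return b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00"


if __name__ == "__main__":
    # A renamed ASF with script commands, as described in the thread, versus honest files.
    for name, blob in [("Outkast_Tribute.MP3", build_asf(True)),
                       ("song.mp3", build_mp3()),
                       ("clip.wma", build_asf(False))]:
        print(name, assess(name, blob))
```

Scanning a real share folder would call `assess(path, open(path, "rb").read(64 * 1024))` per file; only the header needs to be read. The verdicts map onto the thread's advice: "suspicious" is the extension mismatch WMP 9 warns about, and "quarantine" is the case where the mismatch is combined with the very object type that would send a player to a URL.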
Re:wow, that's evil (Score:3, Informative)
The bands still make far more money from touring than albums sold. To quote Maynard Keenan from Tool:
Seen here [theredalert.com].
I included that last bit for the sake of honesty. But the fact is they, and other big bands make more from touring than albums. I believe he also once said that they could simply tour and not do albums at all, and get along fine. But I couldn't find that quote.
Re:wow, that's evil (Score:3, Informative)
That's not how it works. When you go to a concert, a promoter has paid for the venue. The promoter basically pays all of the expenses for the venue and promotion and what not, then contracts with the artist to appear at the concert that they've set up.
The artist more often than not will get a fixed fee for this performance with the promoter then pocketing all of the money they've collected from ticket sales minus the expenses of paying the venue, paying the artist the fixed fee, paying the promotional costs, etc.
Another common arrangement is where the artist and promoter negotiate a percentage of ticket sales backed up by a fixed guarantee for the artist in case ticket sales aren't all that. But, for a lot of smaller artists, it's way more common for them to be appearing in that rock club for $1000 and that case of beer left in the dressing room.
That's why if you really want to support the artist, you'll buy a shirt or CD or some other merchandise at the concert. That money's usually all theirs, and is the sweetest plum.