Worm Transcodes MP3s To Infect PCs

snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."
  • Nothing New... (Score:4, Informative)

    by mariofreak ( 1328373 ) on Friday July 18, 2008 @10:41AM (#24242239)
    I don't think this is anything new... I've been caught out by it before. There was a site that claimed to provide mp3 downloads, made you install a codec that just redirected all your internet requests to their proxy. I wiped the system after that.
  • Re:Nice (Score:5, Informative)

    by pxc ( 938367 ) on Friday July 18, 2008 @10:43AM (#24242285)

    For those of you who think this is just a troll, or are just unfamiliar with ASF:

    Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

    If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

    It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Friday July 18, 2008 @10:51AM (#24242387)
    Comment removed based on user account deletion
  • by Doc Ruby ( 173196 ) on Friday July 18, 2008 @10:57AM (#24242495) Homepage Journal

    The buggy format is not MP3. The MP3 files are perfectly safe.

    This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.

    Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).

    But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.

  • by UnknowingFool ( 672806 ) on Friday July 18, 2008 @10:58AM (#24242505)
    Geez, take a pill. The Trojan appears to have a very complex activation, and I asked for clarification and more detail. The article seemed to state that IE, ASF (Windows Media Player), and Windows were required. What if I'm using FF, WMP, and Windows? How about FF, iTunes, and Windows? How about Safari, iTunes, and Windows? Nowhere in my post did I mention Linux, OS X, or Unix.
  • Re:wow, that's evil (Score:4, Informative)

    by Per Wigren ( 5315 ) on Friday July 18, 2008 @11:07AM (#24242671) Homepage

    WMA, WMV and ASF are the very same container format. The only difference is the filename extension.

  • Re:ASF? (Score:3, Informative)

    by BlueParrot ( 965239 ) on Friday July 18, 2008 @11:12AM (#24242769)

    Being able to make an asf look like an MP3 is...weird

    Not really, name the file mymusicfile.mp3.asf; Windows does the rest for you.
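    A defender-side check for the two disguises discussed above (an ASF container carrying an .mp3 name, and the hidden double extension). This is an added example, not code from the story or from any commenter; it assumes the ASF_Header_Object GUID from Microsoft's ASF specification and uses constructed sample bytes, not real files.

```python
import re

# First 16 bytes of every ASF-family file (.asf/.wma/.wmv): the ASF_Header_Object
# GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C in its on-disk (mixed-endian) byte order.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# ASF stores strings as UTF-16LE, so a URL inside the container looks like
# "h\x00t\x00t\x00p\x00..." rather than plain ASCII; match that encoding directly.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def is_asf(data: bytes) -> bool:
    return data[:16] == ASF_HEADER_GUID


def is_mp3(data: bytes) -> bool:
    # ID3v2 tag, or an MPEG audio frame header (11-bit frame sync)
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def embedded_urls(data: bytes) -> list:
    return [m.group(0).decode("utf-16-le") for m in UTF16_URL.finditer(data)]


def hidden_double_extension(name: str) -> bool:
    # "song.mp3.asf" is displayed as "song.mp3" when Windows hides known extensions
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] == "mp3" and parts[-1] in ("asf", "wma", "wmv")


def assess(name: str, data: bytes) -> list:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1]
    if hidden_double_extension(name):
        findings.append("double extension hides container type")
    if ext == "mp3" and is_asf(data):
        findings.append("extension says MP3 but content is an ASF container")
    elif ext == "mp3" and not is_mp3(data):
        findings.append("extension says MP3 but no MP3 signature found")
    if is_asf(data):
        for url in embedded_urls(data):
            findings.append("ASF container embeds URL " + url)
    return findings


# Constructed samples (not real malware): a plain MP3, and an ASF container that
# carries a URL, of the kind a player might open in a browser.
SAMPLE_MP3 = b"ID3\x03\x00" + b"\x00" * 64
SAMPLE_ASF = (ASF_HEADER_GUID + b"\x00" * 8
              + "http://example.invalid/codec.exe".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for fname, blob in [("song.mp3", SAMPLE_MP3), ("song.mp3", SAMPLE_ASF),
                        ("song.mp3.asf", SAMPLE_ASF)]:
        print(fname, assess(fname, blob) or ["clean"])
```

    Running it over a share folder is a quick way to spot renamed ASF files before a player ever opens them.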

  • Re:Data vs Program (Score:2, Informative)

    by Zoltair ( 721973 ) on Friday July 18, 2008 @11:17AM (#24242863)
    I am not so sure it is a MS issue, they are developing "by popular demand". Computer users (yourself included, me too!) have demanded more automation, they want less user interaction, thus MS and everybody else will develop for these wants. I remember when email was just that, data!, had to uuencode/uudecode anything binary, Gopher was the WWW back then, automation has removed that need, but it has also left us all open to attack. If it were not for our need and desires for this automation, we would all still be using MS-DOS or Unix....
  • by Doc Ruby ( 173196 ) on Friday July 18, 2008 @11:17AM (#24242869) Homepage Journal

    Windows lets the unsafe ASF files appear to the operator to be safe MP3.

    The last time I opened a file in Windows Media Player that had an incorrect extension it warned me of the fact, giving me the option of not playing it.

    This report says that safeguard fails.

    But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3.

    I don't see anything in the summary or article that blames mp3s, so I'm really not sure what you mean by that.

    The title of this story is "Worm Transcodes MP3s To Infect PCs", not "Worm Infects PCs with ASFs". How much more clear could that be?

  • Re:Nothing New... (Score:3, Informative)

    by Obfuscant ( 592200 ) on Friday July 18, 2008 @11:20AM (#24242929)
    That's good advice, but just because you can play the file format doesn't mean you have the right codec...

    It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

    Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE, whether or not you want to get into an argument about which is the BEST codec or the fastest or the "right" one. "Right" is an opinion and irrelevant.

  • Re:Data vs Program (Score:2, Informative)

    by geogob ( 569250 ) on Friday July 18, 2008 @11:25AM (#24243001)
    I don't agree with your evaluation. As I understand it, the asf contains a download link for the codec. The player program for the file (most likely Windows Media Player components) initiates the "please download this missing codec" action using the information within the ASF container (link to the trojan/worm).

    This is the problem right here: Using corruptible information for a system-sensitive operation. WMP should only initiate such a download from a secure and authenticated source on the internet or use its own pre-defined sources, like windows update.

    This is a "good" user-friendliness feature for users who don't like to be put in front of a simple "missing codec" cryptic error. But so many user-friendliness features tend to lead, if badly implemented, to major vulnerabilities through common user-behavior attacks.

    It's all "data". The problem is how this data is handled by the system components. More important is how unverified (and unverifiable, and potentially corrupted) data can be used for system-sensitive operations. Worse, how this can be done while fooling the user into thinking it's a normal and appropriate measure. This is a FAIL in user psychology and end user system design.
  • Re:wow, that's evil (Score:5, Informative)

    by clone53421 ( 1310749 ) on Friday July 18, 2008 @11:28AM (#24243053) Journal

    ASF is the container, WMA is the codec.

    WMA can be used to refer to the container [wikipedia.org], but it's actually an ASF container with a WMA track inside.

    That's confusing, and basically the file extension refers to the codec, not the container. The WMA or WMV files you download are actually ASF files. It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?

  • Re:wow, that's evil (Score:3, Informative)

    by afidel ( 530433 ) on Friday July 18, 2008 @11:37AM (#24243205)
    Technically WMA and WMV are a family of codecs and they use the ASF container format for metadata and DRM.
  • Re:What player? (Score:3, Informative)

    by afidel ( 530433 ) on Friday July 18, 2008 @11:47AM (#24243379)
    Open webpage to display cover art, link to the band's tour page, etc. The problem is that it uses IE to open the page no matter what you have your default browser set to, and we all know how secure IE is. It can also have an embedded link to a download for a new codec; if you don't have the codec then it will ask you if you want to install it. In this case the codec is a trojan.
  • Re:Nothing New... (Score:5, Informative)

    by omeomi ( 675045 ) on Friday July 18, 2008 @11:52AM (#24243445) Homepage
    It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

    That's actually not true. It's less of an issue with audio file formats, but video file formats can contain video compressed with any number of codecs, and you need the correct codec to play them. For instance, if I can play raw .avi files, but don't have the DivX codec, I can't play DivX encoded .avi files at all. I need the DivX codec.

    Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE,

    You are correct that many malware websites use fake codecs to install their malware, but it's just not true that any codec will work for any given file format. Just because you can open the file doesn't mean you have the right codec to view the content. It has nothing to do with the "fastest" or "best" codec. If you don't have the right codec, the video won't play back at all.
  • by advocate_one ( 662832 ) on Friday July 18, 2008 @12:04PM (#24243633)

    Nowhere in my post did I mention Linux, OS X, or Unix.

    yes you did... here right in the first line of your OP

    Can anyone comment about the possible risk to non Windows machines?

  • Re:hidden extensions (Score:5, Informative)

    by QRDeNameland ( 873957 ) on Friday July 18, 2008 @12:19PM (#24243845)
    They hid file extensions by default in Windows 2000 as well, which is one of the things I would always turn off as ritual when building out a new machine. I always felt there should be an OS install or user account setup option of "User is not an idiot".
  • by clone53421 ( 1310749 ) on Friday July 18, 2008 @12:23PM (#24243917) Journal

    Task manager... if you can kill the viral process... (maybe take a look at the sysinternals suite [microsoft.com], particularly I'm thinking AutoRuns, ProcessExplorer and RootkitRevealer might be useful (haven't actually had to use them yet)).

    Also Regedit... you might be able to remove the viral startup entries... but only after you've killed the process, or it might just add itself back.

    After you've killed the process and removed its startup entries, rebooting might get you a clean environment and you can hopefully delete the infected files. It worked for me when I got infected from a P2P virus (dumbassed thing to do, I know...)

    Anyway, hope you don't have to format, that would suck. Maybe my tricks weren't already up your sleeve. If they help, great. If those fail, I'd probably have to fall back to something drastic like booting from a safe disk and running antivirus, or taking out the hard disk and virus scanning it... that's a hassle, though, and I'd be worried about breaking the OS.

  • Re:wow, that's evil (Score:3, Informative)

    by damienl451 ( 841528 ) on Friday July 18, 2008 @01:05PM (#24244519)
    Copyright is there because, believe it or not, people respond to incentives. Copyright provides just such a monetary incentive to write or perform new songs. Although as a songwriter or performer you're very likely never to make any real money, in the off-chance that you do make it big, copyright law ensures that part of the revenue that your song generates will go to you and, for instance, help you support your family.

    It's ludicrous to think that, should copyright disappear, the music industry would immediately collapse. The most likely thing that would happen is that instead of signing new artists, they would just cruise the bars of Nashville or Austin, look for new songs, and get a cover band to play it before sending it to all the radio stations. Of course, since record companies have access to better facilities and have a lot more money they can devote to marketing, there is no way an unknown artist would be able to compete against them, internet or not.

    If there truly was no need for a music industry, it wouldn't exist in the first place. I'm afraid that, like so many on Slashdot, you're suffering from the delusion that everyone behaves in exactly the same way as you do. You might enjoy browsing a website in search for a new sound that you like, but most people don't. What they want is quality music available anytime they want. They want to be able to turn on the radio and hear good music, not spend an hour separating the wheat from the chaff.

    Right now, artists can already operate along the guidelines you suggest. Nobody is forcing them to sign with a major; they can release their songs on the internet and make money playing concerts.

  • WMP 9 is good too (Score:3, Informative)

    by benwaggoner ( 513209 ) <ben.waggoner@mic ... t.com minus poet> on Friday July 18, 2008 @01:37PM (#24244955) Homepage

    I launched up a VPC session with XP and WMP 9 installed, and verified the same behavior:

    Warning that the extension doesn't match the content.

    Script command execution off by default.

    Since WMP 9 is installed with XP SP 2, this suggests that SP 2-3 and Vista should be unaffected in stock state.

  • ASF=WMA=WMV (Score:3, Informative)

    by benwaggoner ( 513209 ) <ben.waggoner@mic ... t.com minus poet> on Friday July 18, 2008 @01:41PM (#24244999) Homepage

    Yes, same file format. It was originally called just .asf, but changed by default in the late 90's, IIRC, to different extensions for video and audio.

    This enabled different icons for video and audio files, and easily filter between them so you didn't accidentally try to sync video to an audio-only player.

    This is pretty standard practice. .m4a, for example, is a MPEG-4 file with just audio. .f4v is a MPEG-4 file known to be compatible with Flash.

  • Re:wow, that's evil (Score:3, Informative)

    by sm62704 ( 957197 ) on Friday July 18, 2008 @02:19PM (#24245525) Journal

    I hate to say "I told you so" but... Ok, I don't hate telling you that, but I hate that I was right. Damn it, I'm not a security professional, why could I see this coming but the professionals couldn't?

    I've been warning people about using WMA files and Windows Media Player for years, the first I said of it was back when I had my old Quake site, the Springfield Fragfest. A security researcher who played Quake II saw the post, realised that I was right, and we had a rather scary email conversation. I've been preaching about it ever since.

    The first time I listened to a WMA file and my browser opened I knew this was coming.

    The wrapper isn't even necessary! If you use Windows Media player (WiMP) an MP3 or OGG file can infect you. Here's how.

    Say you have a DRMed music file named VIRUS.WMA. You take your DRMed WMA file and have the "drm key" or whatever you call it send the victim to your malicious web site. You simply rename the file to "Outkast_Tribute.MP3" (or other popular tune) and put it in your "share" folder. For bonus points have the file be a recording of you saying "you've been pwned, n00b!" (or better, Madonna saying "WTF are you doing?") with the same length as the Outkast song.

    People running any other player except WiMP that I tested (and let's hope that Winamp et al haven't "upgraded" the players to allow this infection) will not be vulnerable; I tested several different players (this was several years ago, Winamp was one) and none would open the file renamed like that except WiMP. You get an error message saying it is an unknown format.

    WiMP will recognise the renamed file, however, and happily run the trojan. Note to Microsoft developers: PLEASE FIX THIS HORRIBLE DESIGN FLAW. Users: DON'T USE WINDOWS MEDIA PLAYER! There are dozens out there.

    Mac and Linux users aren't immune to wrapped WMA files unless DRMed files or WMA files won't play. Getting your files legally won't protect you, either, as Sony's rootkit [wikipedia.org] proved. However, you CAN protect yourself.

    One way is to put on your tinfoil hat and never play a music file you didn't rip yourself. A better way is, when you get a new music file, simply disable networking temporarily by unplugging the ethernet or shutting off your router, and play the file. If your browser doesn't start, the file is clean. If it starts, delete the file, empty the trash and thank yourself for remembering to do it.

    DRM is what allows this exploit to work! This is one more example of why DRM itself is pure evil. All DRM does is inconvenience your honest customers without hampering commercial copyright infringers at all, and gives your customers another way to get infected.

    If your company in any way, shape, or form has anything to do with DRM, it's evil. If you personally develop DRM, you know damned well DRM won't work and you are a thief who is conning the stupid evil companies who buy your evil garbage.

    Sorry for the rant but I hate seeing evil disguised as good. DRM is evil pure and simple. PLEASE STOP USING DRM!

  • Re:wow, that's evil (Score:3, Informative)

    by Thaelon ( 250687 ) on Friday July 18, 2008 @03:32PM (#24246445)

    The bands still make far more money from touring than albums sold. To quote Maynard Keenan from Tool:

    You make a lot more money touring or selling shirts, yeah, but that's when you get to a certain level. That in-between spot is tough.

    Seen here [theredalert.com].

    I included that last bit for the sake of honesty. But the fact is they, and other big bands, make more from touring than albums. I believe he also once said that they could simply tour and not do albums at all, and get along fine. But I couldn't find that quote.

  • Re:wow, that's evil (Score:3, Informative)

    by adavidw ( 31941 ) on Saturday July 19, 2008 @02:04PM (#24254987)

    That's not how it works. When you go to a concert, a promoter has paid for the venue. The promoter basically pays all of the expenses for the venue and promotion and what not, then contracts with the artist to appear at the concert that they've set up.

    The artist more often than not will get a fixed fee for this performance with the promoter then pocketing all of the money they've collected from ticket sales minus the expenses of paying the venue, paying the artist the fixed fee, paying the promotional costs, etc.

    Another common arrangement is where the artist and promoter negotiate a percentage of ticket sales backed up by a fixed guarantee for the artist in case ticket sales aren't all that. But, for a lot of smaller artists, it's way more common for them to be appearing in that rock club for $1000 and that case of beer left in the dressing room.

    That's why if you really want to support the artist, you'll buy a shirt or CD or some other merchandise at the concert. That money's usually all theirs, and is the sweetest plum.
