Worm Transcodes MP3s To Infect PCs

snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."
This discussion has been archived. No new comments can be posted.

  • by UnknowingFool ( 672806 ) on Friday July 18, 2008 @10:44AM (#24242287)
    Can anyone comment about the possible risk to non-Windows machines? Well it appears that IE is affected as well as the ASF format. The Trojan itself appears to be Windows only. Does anyone know if FF or other browsers can be used? Also I don't know much about the ASF container but if you run it in another player like iTunes will it still activate?
  • by Z00L00K ( 682162 ) on Friday July 18, 2008 @10:48AM (#24242337) Homepage Journal
    The basic format wouldn't make any difference. The problem is with formats that are incorporating extra features and functionality. If it's MP3 or OGG that's encapsulated is really not an issue.

    We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers into zombies.

    How to remember the good old days when we could get the "Your computer is now stoned" or an East German ambulance with sound passing over the screen. Pretty annoying but relatively harmless.

  • What player? (Score:5, Interesting)

    by Blice ( 1208832 ) <Lifes@Alrig.ht> on Friday July 18, 2008 @10:48AM (#24242351)
    TFA doesn't say what media player is vulnerable to this...

    I have a feeling this exploit doesn't work in VLC.

    A few days ago I played a movie in VLC on a Windows machine and half way through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.

    So it wasn't able to do those things, but I can't help shake the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc..

    Disclaimer: I'm not associated with VLC, although I do really like it.
  • Re:Nice (Score:4, Interesting)

    by UnknowingFool ( 672806 ) on Friday July 18, 2008 @10:52AM (#24242393)
    That explains a lot. A few years ago before youtube was popular, a friend linked a website with a funny clip and as soon as the clip opened, it launched IE. Now I had my firewall set to prompt on IE so nothing happened unless I allowed it. I wondered how it was able to do that. Maybe I'm too set in my old school thinking but I think a media file should not have arbitrary content. Or at least limit what could be used.
  • by suck_burners_rice ( 1258684 ) on Friday July 18, 2008 @10:55AM (#24242459)

    Hmmm, it sounds like this kind of worm really benefits the RIAA. It works like this: If all your mp3 files are encoded from your own CDs for legitimate purposes, then nothing will happen to you. But if you download a single song, or if you copy a single song from a friend, then BOOM! All of your music becomes totally jacked up. It seems a pretty sophisticated worm/virus concept and the transcoding of mp3s is kind of like an additional "fsck you" from the RIAA.

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Friday July 18, 2008 @10:56AM (#24242471)
    Comment removed based on user account deletion
  • by qoncept ( 599709 ) on Friday July 18, 2008 @11:18AM (#24242871) Homepage
    The original post seems to be pretty carefully worded so as to not imply that mp3s are the problem. Where is anyone blaming mp3s?

    I had to reread because after a once through it seemed there was no risk to me, as I don't download wma/asf. Then I realized it said the extension remains the same. Which makes sense -- I know Windows Media Player will open any supported media type by reading the headers, and double clicking on a file with a media extension will open WMP. So there's your problem -- WMP, not Windows.

    Then I also remembered that I'm not using Windows anymore, so I'm safe after all.

  • by Anonymous Coward on Friday July 18, 2008 @11:18AM (#24242893)

    I don't know, viruses haven't been so kind for a while now. As an example, ten years ago there was this [mcafee.com] virus from '98 that intended nothing but harm to the infected computer. It would trash the hard drive and attempt to flash the BIOS to make your computer unbootable. Nowadays the viruses seem to be more about making money than inflicting damage.

  • by sootman ( 158191 ) on Friday July 18, 2008 @12:06PM (#24243673) Homepage Journal

    It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension. [emphasis mine]

    So if this is correct, I figure one of two things is happening:
    1) It renames the file blah.mp3.asf, but if you have extensions hidden, it will hide the 'asf' and show the 'mp3'
    or
    2) it is an asf named blah.mp3 but when WMP opens the file, WMP says "Who cares what it's named, I can see that this is an ASF so I will go ahead and play it."

    Anyone know which it is?

  • Re:wow, that's evil (Score:3, Interesting)

    by clone53421 ( 1310749 ) on Friday July 18, 2008 @12:09PM (#24243711) Journal
    If the OP goes to a concert, the artist doesn't get "/no/" money. Assuming the OP has a limited budget, which would benefit the artist more, buying 5 cds or going to their concert?
  • If the file handling were based on its actual content [wikipedia.org] instead of a friggin file extension, then this would be a much less serious problem. What bugs me is that after years of infections that can be directly tied to this 'feature', they still haven't changed it.
  • Re:wow, that's evil (Score:3, Interesting)

    by flyneye ( 84093 ) on Friday July 18, 2008 @12:24PM (#24243929) Homepage

    Or we could, you know, take music back from the evil empire. Music is sound, sound is free. Performance is work, work is rewarded monetarily. There is no use for a music "industry" except to rip off everyone from the artist all the way to you.
    Stealing implies ownership. Music exists as energy independent of ownership. Music uses humans as a gateway to this dimension. Humans may be rewarded for acting as gateways, not as owners of intangibles. Copyright is such a joke due to its distortion through legislation that this also counts as an act of revolution permissible constitutionally.
    Get over yourself and quit regurgitating buzz-phrases about "supporting the artists" which has nothing to do with the RIAA as they would have you believe. You are a sucker and not a very good one.

     

  • Re:hidden extensions (Score:2, Interesting)

    by madmac63 ( 1148839 ) on Friday July 18, 2008 @12:45PM (#24244245)
    This has been a peeve of mine for years. The name of a file and the application which should open it by default are two different things. And stupid frikkin' MS filesystems and OS's can't get that through their heads . . . . why they didn't move the "extension" into a directory field (the way the Mac does) associated with the file . . . then you could name it whatever you wanted, and put periods in the filename, and not have to worry . . . madmac
  • Re:wow, that's evil (Score:2, Interesting)

    by pdusen ( 1146399 ) on Friday July 18, 2008 @12:54PM (#24244361) Journal
    Ooh, here's an idea: Pirate music until the industry dies (supporting the artists through concert attendance in the meantime), then when artists go independent, buy their music THEN! That way they make even MORE money! What a novel idea! See: Nine Inch Nails.
  • by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Friday July 18, 2008 @12:59PM (#24244441) Homepage Journal

    Also I don't know much about the ASF container but if you run it in another player like iTunes will it still activate?

    The ASF container is patented in the United States, home of Microsoft Corporation, Apple Inc., and Slashdot. Microsoft wants to be the only vendor of ASF tools; to this end, it has cease-and-desisted VirtualDub's author from including ASF support. And Microsoft's ASF parser is, predictably, the exploitable one.

  • The original article is rather overblown by the real-world behavior here. I just whipped out a WMA file with a URL marker, renamed it to .mp3, and tried it to see what would happen.

    With Windows Media Player 11 installed (out as an optional update for two years for XP, and default in Vista):

    Trying to open up an ASF file with a .mp3 extension prompts a dialog reading:

    "The file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior."

    So, if a user opened one of these files, they'd have an immediate warning something was up.

    However, if they play the file, nothing will happen if the player is in the stock state. Script commands don't run unless the user has gone into Tools > Options > Security and checked the "Run script commands if present" (which is off by default).

    And if a user somehow got one of these modified files AND has ignored the first dialog AND changed the default security option, all they're going to get is a new web page opening up in the default browser, which would then be subject to other security on the machine.

    So, current Windows installs appear to be secure by default against this exploit.
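
Added example, not part of the original thread: a Python check for the name/content mismatch discussed in the comments above. It flags files named .mp3 whose leading bytes are an ASF Header Object and reports whether that header carries a Script Command Object. The function names and the constructed sample are assumptions for illustration; the two GUIDs are taken from the ASF specification.

```python
import struct
import uuid
from pathlib import Path

# ASF object GUIDs from the ASF specification; GUIDs are little-endian on disk.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

def classify(data: bytes) -> str:
    """Identify by leading bytes, not name (MP3 = ID3v2 tag or MPEG frame sync)."""
    if data[:16] == ASF_HEADER:
        return "asf"
    if data[:3] == b"ID3" or (len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"
    return "unknown"

def asf_has_script_commands(data: bytes) -> bool:
    """Walk the objects nested in the ASF Header Object for a Script Command Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return False
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(header_size, len(data))  # 30 = GUID + size + count + 2 reserved
    for _ in range(count):
        if pos + 24 > end:
            break
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if data[pos:pos + 16] == ASF_SCRIPT_COMMAND:
            return True
        if size < 24:  # malformed object size: stop instead of looping in place
            break
        pos += size
    return False

def scan(root: str) -> list:
    """Return (file name, has_script_commands) for each .mp3 that is really ASF."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".mp3":
            continue
        with path.open("rb") as fh:
            data = fh.read(1 << 20)  # header objects sit at the start of the file
        if classify(data) == "asf":
            findings.append((path.name, asf_has_script_commands(data)))
    return findings

def sample_asf(with_script: bool) -> bytes:
    """Constructed sample: minimal ASF header, optionally with an empty script object."""
    body = ASF_SCRIPT_COMMAND + struct.pack("<Q", 24) if with_script else b""
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(body), int(with_script), 1, 2) + body
```

Calling `scan()` on a music folder lists the mismatched files; a `True` in the second field means the header contains script commands and deserves a closer look before the file is opened in any player.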

  • Re:wow, that's evil (Score:3, Interesting)

    by Kiaser Zohsay ( 20134 ) on Friday July 18, 2008 @01:38PM (#24244967)

    At the very least, don't play your MP3's with Windows Media Player.

    Word does the same thing, opening files that are named with the wrong type, and not complaining about the mismatch. Rename a .DOC file with a .RTF extension, and double-click it. If RTF is associated with Word, then Word will open your file like a trooper, but won't say a word about the format not matching the name. Now, try opening it with something that supports .RTF but not .DOC (there are a few out there) and hilarity ensues.

    For a long time I have told people "Don't use Internet Explorer unless you absolutely have to, and don't use Outlook under any circumstances." It looks like I need to include WMP in that advice as well.

  • This kind of thing is why I eventually included WMP among the software I banned back in the late '90s. When I realized the danger of Microsoft's HTML control I banned everything that I could find that used the HTML control on untrusted content. This wasn't really an issue for early versions, but most later versions of Windows Media Player were tied into the HTML virus distribution ecosystem. Well, Outlook and Internet Explorer soon proved me right in doing so, but up to now Windows Media seemed to have pretty much dodged the bullet.

  • Re:wow, that's evil (Score:3, Interesting)

    by mr_mischief ( 456295 ) on Friday July 18, 2008 @02:08PM (#24245405) Journal

    Well, that trojan has a bug. When you sell short, you sell a stock then buy it. Yes, really. [investorwords.com]

    That's what "short" means -- you don't have all the shares you need to cover the sale, so you're short. A "naked short" means you also don't have the funds set aside to buy and deliver the shares you sold or enough shares of the company in your portfolio to make up the difference.

    The idea is that you sell at or just below the current price, expecting the stock to tank. Then you buy the shares before the agreed-upon transfer time for less than you're getting. Basically you're selling borrowed shares for more money than you're paying the guy you borrowed them from, if it works out as planned. If the stock goes up, you end up paying more for the shares than what you sold them for.

    Theoretically there's a limit on what you can make and no limit on what you can lose. It's a useful tool in the market, though, if it's used correctly.

    I know the explanation is overkill in response to your joke, but it seems many people do get confused with what the term means. I figured now was a teachable moment for people reading your post.

  • Re:wow, that's evil (Score:3, Interesting)

    by clone53421 ( 1310749 ) on Friday July 18, 2008 @03:03PM (#24246043) Journal

    Also, beware of any MPEG, AVI, or MP3 that is under a meg. And don't be stupid enough to download .zip, .rar, .exe, .scr, .wmv, .wma, .asv, or .asf files off of P2P networks.

    Fairly good advice, but I'd modify it slightly...

    First, use VLC; if you drag-drop a file into VLC you'll remain pretty safe even if the file is malicious. MPEG/AVI/MP3 files that are under a meg are still likely adverts, but they can't hurt you if you open them with VLC. WMV, WMA, and ASF are also likely adverts, but they can't launch their slew of popup windows if you open them with VLC. Also, VLC won't do anything bad if you drop "awsums0ng.mp3.exe" into it, it'll just say it can't play that. Double-clicking on that file would have been bad.

    As you know, running EXE, COM, SCR, or JS/VBS (Limewire blocks VBS files by default I think) that you download from P2P is dumb. I haven't seen HTA files on P2P, but they're executable so if you happen across one, don't risk those either. In short, Just Don't. (If you have a really kickin' antivirus, you might risk an unverified executable after it's passed the scan, but you're still playing with fire.)

    ZIP/RAR files aren't dangerous themselves, it's the files that may be inside them. If you don't know what that meant, just avoid them altogether. What is inside them should be treated the same as anything else you download: see the previous 2 paragraphs.

  • Re:wow, that's evil (Score:3, Interesting)

    by Flambergius ( 55153 ) on Saturday July 19, 2008 @12:57AM (#24251379)

    He wasn't planning to sell it, or he wouldn't have let you borrow it.

    I think this is the main part of it. Our Farmer Jones, whether he had apples or stock to borrow, is sitting tight on something valuable. He benefits in two ways.

    1) You pay him. He's not going to borrow his stuff for free. The exact amount and conditions of the payment can vary greatly, but it'll be there.

    2) What you are doing will result in a more accurate price for the stuff the Farmer has. Markets are in large part about setting the correct price for each item. This is often called generating a price signal and it is the main tool for making economic decisions in free-market economies.
