Worm Transcodes MP3s To Infect PCs
snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."
Microsoft only threat? (Score:3, Interesting)
Re:Richard Stallman Says... (Score:5, Interesting)
We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to turn us and our computers into zombies.
How to remember the good old days when we could get the "Your computer is now stoned" or an East German ambulance with sound passing over the screen. Pretty annoying but relatively harmless.
What player? (Score:5, Interesting)
I have a feeling this exploit doesn't work in VLC.
A few days ago I played a movie in VLC on a Windows machine and half way through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.
So it wasn't able to do those things, but I can't help shake the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc.
Disclaimer: I'm not associated with VLC, although I do really like it.
Re:Nice (Score:4, Interesting)
For lack of a name, call it the RIAA worm. (Score:2, Interesting)
Hmmm, it sounds like this kind of worm really benefits the RIAA. It works like this: If all your mp3 files are encoded from your own CDs for legitimate purposes, then nothing will happen to you. But if you download a single song, or if you copy a single song from a friend, then BOOM! All of your music becomes totally jacked up. It seems a pretty sophisticated worm/virus concept and the transcoding of mp3s is kind of like an additional "fsck you" from the RIAA.
Re:They're ASF, Not MP3, Files (Score:5, Interesting)
I had to reread because after a once through it seemed there was no risk to me, as I don't download wma/asf. Then I realized it said the extension remains the same. Which makes sense -- I know Windows Media Player will open any supported media type by reading the headers, and double clicking on a file with a media extension will open WMP. So there's your problem -- WMP, not Windows.
Then I also remembered that I'm not using Windows anymore, so I'm safe after all.
Re:Richard Stallman Says... (Score:1, Interesting)
I don't know, viruses haven't been so kind for a while now. As an example, ten years ago there was this [mcafee.com] virus from '98 that intended nothing but harm to the infected computer. It would trash the hard drive and attempt to flash the BIOS to make your computer unbootable. Nowadays the viruses seem to be more about making money than inflicting damage.
A bit of clarification? (Score:3, Interesting)
It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension. [emphasis mine]
So if this is correct, I figure one of two things is happening:
1) It renames the file blah.mp3.asf, but if you have extensions hidden, it will hide the 'asf' and show the 'mp3'
or
2) it is an asf named blah.mp3 but when WMP opens the file, WMP says "Who cares what it's named, I can see that this is an ASF so I will go ahead and play it."
Anyone know which it is?
Re:wow, that's evil (Score:3, Interesting)
Re:hidden extensions (Score:4, Interesting)
Re:wow, that's evil (Score:3, Interesting)
Or we could, you know, take music back from the evil empire. Music is sound, sound is free. Performance is work, work is rewarded monetarily. There is no use for a music "industry" except to rip off everyone from the artist all the way to you.
Stealing implies ownership. Music exists as energy independent of ownership. Music uses humans as a gateway to this dimension. Humans may be rewarded for acting as gateways, not as owners of intangibles. Copyright is such a joke due to its distortion through legislation that this also counts as an act of revolution permissible constitutionally.
Get over yourself and quit regurgitating buzz-phrases about "supporting the artists", which has nothing to do with the RIAA as they would have you believe. You are a sucker and not a very good one.
Re:hidden extensions (Score:2, Interesting)
Re:wow, that's evil (Score:2, Interesting)
The ASF container is patented (Score:3, Interesting)
Also I don't know much about the ASF container but if you run it in another player like iTunes will it still activate?
The ASF container is patented in the United States, home of Microsoft Corporation, Apple Inc., and Slashdot. Microsoft wants to be the only vendor of ASF tools; to this end, it has cease-and-desisted VirtualDub's author from including ASF support. And Microsoft's ASF parser is, predictably, the exploitable one.
Details on actual Windows Media behavior (Score:5, Interesting)
The original article is rather overblown by the real-world behavior here. I just whipped out a WMA file with a URL marker, renamed it to .mp3, and tried it to see what would happen.
With Windows Media Player 11 installed (out as an optional update for two years for XP, and default in Vista):
Trying to open up an ASF file with a .mp3 extension prompts a dialog reading:
"The file you are attempting to play has an extension (.mp3) that does not match the file format. Playing the file may result in unexpected behavior."
So, if a user opened one of these files, they'd have an immediate warning something was up.
However, if they play the file, nothing will happen if the player is in the stock state. Script commands don't run unless the user has gone into Tools > Options > Security and checked the "Run script commands if present" (which is off by default).
And if a user somehow got one of these modified files AND has ignored the first dialog AND changed the default security option, all they're going to get is a new web page opening up in the default browser, which would then be subject to other security on the machine.
So, current Windows installs appear to be secure by default against this exploit.
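The check discussed in the comments above (an ASF file carrying a .mp3 name, plus the script commands a player may act on), as an added example that is not part of the original thread. The two GUIDs are from the ASF specification; the function names and the sample URL are constructed for illustration.

```python
import struct, uuid

# Object GUIDs from the ASF specification (little-endian field layout on disk).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

def sniff(data):
    """Classify by content, as a player does, ignoring the file name."""
    if data[:16] == ASF_HEADER:
        return "asf"
    mpeg_sync = len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0
    return "mp3" if data[:3] == b"ID3" or mpeg_sync else "unknown"

def parse_script(body):
    """Decode a Script Command Object body into (type, text) pairs."""
    out, types, pos = [], [], 20
    try:
        n_cmd, n_type = struct.unpack_from("<HH", body, 16)  # follows a 16-byte reserved GUID
        for _ in range(n_type):
            (n,) = struct.unpack_from("<H", body, pos)  # name length in UTF-16 units
            types.append(body[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
            pos += 2 + 2 * n
        for _ in range(n_cmd):
            _time, idx, n = struct.unpack_from("<IHH", body, pos)
            out.append((types[idx], body[pos + 8:pos + 8 + 2 * n].decode("utf-16-le")))
            pos += 8 + 2 * n
    except (struct.error, IndexError, UnicodeDecodeError):
        pass  # truncated or malformed object: keep what parsed cleanly
    return out

def audit(name, data):
    """Flag a .mp3 name on ASF content and list script commands in its header."""
    kind, found, pos = sniff(data), [], 30  # header objects start at byte 30
    end = min(struct.unpack_from("<Q", data, 16)[0], len(data)) if kind == "asf" and len(data) >= 30 else 0
    while pos + 24 <= end:
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break  # bad object size: stop instead of reading out of bounds
        if data[pos:pos + 16] == ASF_SCRIPT:
            found += parse_script(data[pos + 24:pos + size])
        pos += size
    return {"kind": kind, "mismatch": kind == "asf" and name.lower().endswith(".mp3"), "commands": found}

def sample_asf(url):
    """Constructed input: a minimal ASF header holding one URL script command."""
    body = bytes(16) + struct.pack("<HHH", 1, 1, 3) + "URL".encode("utf-16-le")
    body += struct.pack("<IHH", 0, 0, len(url)) + url.encode("utf-16-le")
    obj = ASF_SCRIPT + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Run `audit(path, open(path, "rb").read(1 << 20))` over a music folder; any result with `mismatch` set or a non-empty `commands` list deserves a closer look before it is opened in a player.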
Re:wow, that's evil (Score:3, Interesting)
At the very least, don't play your MP3's with Windows Media Player.
Word does the same thing, opening files that are named with the wrong type, and not complaining about the mismatch. Rename a .DOC file with a .RTF extension, and double-click it. If RTF is associated with Word, then Word will open your file like a trooper, but won't say a word about the format not matching the name. Now, try opening it with something that supports .RTF but not .DOC (there are a few out there) and hilarity ensues.
For a long time I have told people "Don't use Internet Explorer unless you absolutely have to, and don't use Outlook under any circumstances." It looks like I need to include WMP in that advice as well.
Odd that it's taken so long. (Score:3, Interesting)
This kind of thing is why I eventually included WMP among the software I banned back in the late '90s. When I realized the danger of Microsoft's HTML control I banned everything that I could find that used the HTML control on untrusted content. This wasn't really an issue for early versions, but most later versions of Windows Media Player were tied into the HTML virus distribution ecosystem. Well, Outlook and Internet Explorer soon proved me right in doing so, but up to now Windows Media seemed to have pretty much dodged the bullet.
Re:wow, that's evil (Score:3, Interesting)
Well, that trojan has a bug. When you sell short, you sell a stock then buy it. Yes, really. [investorwords.com]
That's what "short" means -- you don't have all the shares you need to cover the sale, so you're short. A "naked short" means you also don't have the funds set aside to buy and deliver the shares you sold or enough shares of the company in your portfolio to make up the difference.
The idea is that you sell at or just below the current price, expecting the stock to tank. Then you buy the shares before the agreed-upon transfer time for less than you're getting. Basically you're selling borrowed shares for more money than you're paying the guy you borrowed them from, if it works out as planned. If the stock goes up, you end up paying more for the shares than what you sold them for.
Theoretically there's a limit on what you can make and no limit on what you can lose. It's a useful tool in the market, though, if it's used correctly.
I know the explanation is overkill in response to your joke, but it seems many people do get confused with what the term means. I figured now was a teachable moment for people reading your post.
Re:wow, that's evil (Score:3, Interesting)
Also, beware of any MPEG, AVI, or MP3 that is under a meg. And don't be stupid enough to download .zip, .rar, .exe, .scr, .wmv, .wma, .asv, or .asf files off of P2P networks.
Fairly good advice, but I'd modify it slightly...
First, use VLC; if you drag-drop a file into VLC you'll remain pretty safe even if the file is malicious. MPEG/AVI/MP3 files that are under a meg are still likely adverts, but they can't hurt you if you open them with VLC. WMV, WMA, and ASF are also likely adverts, but they can't launch their slew of popup windows if you open them with VLC. Also, VLC won't do anything bad if you drop "awsums0ng.mp3.exe" into it, it'll just say it can't play that. Double-clicking on that file would have been bad.
As you know, running EXE, COM, SCR, or JS/VBS (Limewire blocks VBS files by default I think) that you download from P2P is dumb. I haven't seen HTA files on P2P, but they're executable so if you happen across one, don't risk those either. In short, Just Don't. (If you have a really kickin' antivirus, you might risk an unverified executable after it's passed the scan, but you're still playing with fire.)
ZIP/RAR files aren't dangerous themselves, it's the files that may be inside them. If you don't know what that meant, just avoid them altogether. What is inside them should be treated the same as anything else you download: see the previous 2 paragraphs.
Re:wow, that's evil (Score:3, Interesting)
He wasn't planning to sell it, or he wouldn't have let you borrow it.
I think this is the main part of it. Our Farmer Jones, whether he had apples or stock to borrow, is sitting tight on something valuable. He benefits in two ways.
1) You pay him. He's not going to borrow his stuff for free. The exact amount and conditions of the payment can vary greatly, but it'll be there.
2) What you are doing will result in a more accurate price for the stuff the Farmer has. Markets are in large part about setting the correct price for each item. This is often called generating a price signal and it is the main tool for making economic decisions in free-market economies.