
Worm Transcodes MP3s To Infect PCs

kdawson posted about 6 years ago | from the just-don't-click dept.

Security 385

snydeq writes "Kaspersky Labs has discovered malware that inserts links to malicious Web pages within ASF media files, posing a danger to Windows users who download music files from P2P networks. Infected files launch IE and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC. The malware also has worm-like qualities, according to Secure Computing. It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container, and adds links to further copies of the malware, all without modifying the .MP3 extension."


385 comments


wow, that's evil (5, Funny)

brunascle (994197) | about 6 years ago | (#24242155)

It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

Wow, that's evil, even for malware authors.

Re:wow, that's evil (4, Insightful)

Z00L00K (682162) | about 6 years ago | (#24242217)

Maybe it's the RIAA that wants us to get rid of all our MP3:s downloaded from various sources?

Re:wow, that's evil (3, Funny)

flyneye (84093) | about 6 years ago | (#24242831)

I want the RIAA to be DEEPLY investigated, prosecuted with a fair trial and a decent hangin'.
The music industry is terminal. It's lashing out in its dying breath.
Just run your antivirus over your downloads before playing.
Let's just go ahead and keep killing the industry so musicians can have a level playing field and we can do away with the corruption and misdirection to mediocre talent it provides.

Re:wow, that's evil (-1, Troll)

Anonymous Coward | about 6 years ago | (#24242973)

Or you could, y'know, stop being a thieving scumbag and support music by buying from the artists. Instead of downloading music from "mediocre talent", getting your computer hax0r3d and blaming it on the RIAA.

Just a thought.

Re:wow, that's evil (1, Funny)

Anonymous Coward | about 6 years ago | (#24243069)

Just a thought.

Here's one just for you [kovach.co.yu] .

Re:wow, that's evil (3, Insightful)

razorh (853659) | about 6 years ago | (#24243137)

Or you could, y'know, stop being a thieving scumbag and support music by buying from the artists.

How do you buy music from artists that are represented by the RIAA? Seems to me that most of the money you spend when buying most of the music the RIAA cares about isn't going to the artist in the first place.

Re:wow, that's evil (2, Insightful)

DickBreath (207180) | about 6 years ago | (#24242983)

>Just run your antivirus over your downloads before playing.

Do you really believe this would be effective?

Wouldn't it be more important to run your antivirus on your codecs before installing?

Re:wow, that's evil (-1, Flamebait)

Anonymous Coward | about 6 years ago | (#24242273)

you must be a nigger. only a nigger would say something so stupid. now the whole world knows what a nigger you are.

Re:wow, that's evil (5, Funny)

morgan_greywolf (835522) | about 6 years ago | (#24242335)

Wow, that's evil, even for malware authors.

That's nothing. I heard the next version will automatically go out to the Web, sign up for an e-Trade account, and then proceed to buy stocks like GOOG, AAPL, RHAT, etc., and automatically sell them short.

Re:wow, that's evil (1)

szelus (580884) | about 6 years ago | (#24242767)

That's nothing. I heard the next version will automatically go out to the Web, sign up for an e-Trade account, and then proceed to buy stocks like GOOG, AAPL, RHAT, etc., and automatically sell them short.

Well, I wish you were kidding...

Re:wow, that's evil (5, Funny)

oahazmatt (868057) | about 6 years ago | (#24242407)

It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

Wow, that's evil, even for malware authors.

That's nothing. You should see the fix. Your anti-virus program will update its definitions, and if it identifies any of these files prior to download, it makes them appear in a Real Audio format so you're never tempted to download them to begin with.

Re:wow, that's evil (0)

Anonymous Coward | about 6 years ago | (#24242655)

That's nothing. You should see the fix. Your anti-virus program will update its definitions, and if it identifies any of these files prior to download, it makes them appear in a Real Audio format so you're never tempted to download them to begin with.

As if the transcode to wma wasn't enough quality degradation. Hell, even if it just encoded lossless to wma, people would clasp their hands tightly over their ears and run for the hills shrieking "Help me! My ears are burning!!"

Re:wow, that's evil (0)

Anonymous Coward | about 6 years ago | (#24242931)

haha! wow. great stuff.

Re:wow, that's evil (5, Funny)

hyperz69 (1226464) | about 6 years ago | (#24242435)

No, Evil is if it transcodes them to Real Media. Though I don't even think Satan himself could do that to anyone!

No the ultimate evil is if... (5, Funny)

Fallen Andy (795676) | about 6 years ago | (#24242729)

it *downloads* real player

Re:wow, that's evil (1)

FlyingBishop (1293238) | about 6 years ago | (#24243057)

Why would Microsoft transcode mp3's to Real Media?

Re:wow, that's evil (1)

millwall (622730) | about 6 years ago | (#24242475)

Well, Kaspersky Labs tells us that the MP3 files are in fact turned into WMA format and not ASF format [kaspersky.com]:

The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension)

Re:wow, that's evil (1)

omeomi (675045) | about 6 years ago | (#24242625)

Well, Kaspersky Labs tells us that the MP3 files are in fact turned into WMA format and not ASF format

The summary already says that: "It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container"

Re:wow, that's evil (3, Informative)

Per Wigren (5315) | about 6 years ago | (#24242671)

WMA, WMV and ASF are the very same container format. The only difference is the filename extension.

Re:wow, that's evil (5, Informative)

clone53421 (1310749) | about 6 years ago | (#24243053)

ASF is the container, WMA is the codec.

WMA can be used to refer to the container [wikipedia.org] , but it's actually an ASF container with a WMA track inside.

That's confusing, and basically the file extension refers to the codec, not the container. The WMA or WMV files you download are actually ASF files. It's about as logical as having the DIVX extension for AVIs with DIVX encoding, but hey... who's going to try to change it?

Re:wow, that's evil (1)

colmore (56499) | about 6 years ago | (#24242605)

It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

Dammit. That sounds more interesting than any programming job I've gotten in the last 5 years.

Re:wow, that's evil (1)

Spy der Mann (805235) | about 6 years ago | (#24243091)

It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container

Wow, that's evil, even for malware authors.

I think the summary missed a paragraph.

It searches for MP3s, transcodes them to WMA format, wraps them in an ASF container and holds them hostage for One Million Dollars!

Scary Thought (1)

filesiteguy (695431) | about 6 years ago | (#24242159)

Ouch!

Next thing you know the infected MP3 files will be loaded onto and playing on cell phones everywhere and we'll be running from crazed people who are addicted to You Light Up My Life....

and (-1, Troll)

Anonymous Coward | about 6 years ago | (#24242165)

and?

Shall I be amazed?

What's next?
Virus deletes all =.txt files on HD! ........ Wohhhhhh!

No news today?

Richard Stallman Says... (4, Funny)

Anonymous Coward | about 6 years ago | (#24242167)

If you'd just used OGG, this never would have happened! ;-)

Re:Richard Stallman Says... (4, Interesting)

Z00L00K (682162) | about 6 years ago | (#24242337)

The basic format wouldn't make any difference. The problem is with formats that are incorporating extra features and functionality. If it's MP3 or OGG that's encapsulated is really not an issue.

We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers to zombies.

How to remember the good old days when we could get the "Your computer is now stoned" or an East German ambulance with sound passing over the screen. Pretty annoying but relatively harmless.

Re:Richard Stallman Says... (0)

Anonymous Coward | about 6 years ago | (#24242441)

Yeah, pretty harmless. Like Jerusalem and its variants. Harmless.

Like the virus which could actually physically destroy certain hard drives. Harmless.

The damage potential is still very much the same, it's just that we store so much more information on computers now, and viruses have the capability of spreading further.

Re:Richard Stallman Says... (2, Insightful)

paradxum (67051) | about 6 years ago | (#24242821)

Yes, I too remember the days when there was little if any monetary gain to be had from writing a virus or hacking in general.

But those days are gone, there is money to be made... now that it pays to hack, the onslaught will only get worse.

Re:Richard Stallman Says... (1, Interesting)

Anonymous Coward | about 6 years ago | (#24242893)

I don't know, viruses haven't been so kind for a while now. As an example, ten years ago there was this [mcafee.com] virus from '98 that intended nothing but harm to the infected computer. It would trash the hard drive and attempt to flash the bios to make your computer unbootable. Nowadays the viruses seem to be more about making money than inflicting damage.

Re:Richard Stallman Says... (0)

Anonymous Coward | about 6 years ago | (#24242989)

The basic format wouldn't make any difference. The problem is with formats that are incorporating extra features and functionality. If it's MP3 or OGG that's encapsulated is really not an issue.

We are moving into darker and darker times when it comes to malware. It seems to me that they are trying every evil alternative to make us and our computers to zombies.

How to remember the good old days when we could get the "Your computer is now stoned" or an East German ambulance with sound passing over the screen. Pretty annoying but relatively harmless.

This is exactly how I got infected. It's been a nightmare. My wife got it downloading stuff from Kazaa.

Having so much trouble trying to get it off. Trying every trick in the hot possible cuz I'm NOT trying to format.

Re:Richard Stallman Says... (0)

Anonymous Coward | about 6 years ago | (#24242395)

Unfortunately, Ogg Frog [oggfrog.com] hasn't been released yet :(

Re:Richard Stallman Says... (1)

Sfing_ter (99478) | about 6 years ago | (#24243055)

CDEX [sourceforge.net] works beautifully for Winders users. Nice and fast and ogg is one of the default formats.

Re:Richard Stallman Says... (0)

Anonymous Coward | about 6 years ago | (#24242987)

yeah but... stallman is a smelly git. :(

Gentlemen, (5, Funny)

Anonymous Coward | about 6 years ago | (#24242171)

I must applaud the RIAA on this occasion. I may have mocked their efforts in the past, but this is truly an impressive piece of work, worthy to be called a hack.

Re:Gentlemen, (1)

Pvt_Ryan (1102363) | about 6 years ago | (#24242305)

Indeed.

The question that does remain is were they smart enough to protect their personal collections???
*Imagines face of RIAA Admin when he realises that the RIAA network is infected with its own creation*

See what happens if you download illegal songs....

Re:Gentlemen, (1)

HolyCrapSCOsux (700114) | about 6 years ago | (#24242425)

Even if they aren't behind it, some liability should lie with them. They want teenagers (aka internet idiots) to be rabid (insert today's hot band here) fans. Their impressionable and largely uninformed minds will then succumb to peer pressure to have all the "cool" stuff their friends have. They blew all their allowance on an iphone, now can't afford to buy CDs. Kazaa to the rescue! Add another PC to the botnet, all because the RIAA wanted to sell another pop act.

Re:Gentlemen, (4, Insightful)

thrillseeker (518224) | about 6 years ago | (#24242645)

Next up ... how DRM protects you from virus laden mp3s

Nice (5, Insightful)

Anonymous Coward | about 6 years ago | (#24242177)

Way to go Microsoft!

Is there anything these morons can't fuck up?

Re:Nice (5, Informative)

pxc (938367) | about 6 years ago | (#24242285)

For those of you who think this is just a troll, or are just unfamiliar with ASF:

Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.

If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.

Re:Nice (3, Interesting)

UnknowingFool (672806) | about 6 years ago | (#24242393)

That explains a lot. A few years ago before youtube was popular, a friend linked a website with a funny clip and as soon as the clip opened, it launched IE. Now I had my firewall set to prompt on IE so nothing happened unless I allowed it. I wondered how it was able to do that. Maybe I'm too set in my old school thinking but I think a media file should not have arbitrary content. Or at least limit what could be used.

Re:Nice (1)

KlaymenDK (713149) | about 6 years ago | (#24242749)

I think it's fine that a file has arbitrary content.

That the data is able to surreptitiously start network connections? Not so much. At least, the application should have the decency to inform the user before acting on its own.

This is a good example of why I don't at all mind not-so-integrated applications, as it means I'm less exposed to this kind of "multimedia experience".

Re:Nice (3, Interesting)

hairyfeet (841228) | about 6 years ago | (#24242471)

This may be a new variation, but believe me, this is a VERY old problem. I have worked in PC repair more years than I can count and I don't know how many times I have gone into a clueless user's "MP3" folder to back up before a wipe only to find after turning on "show file extensions" MP3.EXE, MP3.ASF, MP3.WMA, etc. If someone downloads strictly by name and opens anything they get without doing any kind of virus checks they ARE going to get bit. What we need is the guy from the actors studio in the Geico commercials to go "Stupid users behaving stupidly.....Brilliant!". But as always this is my 02c, YMMV. Oh, and the worst infected were always either on Kazaa, Limewire, or Bearshare. Don't know why, but those three always attracted the really clueless.

hidden extensions (4, Insightful)

Kenshin (43036) | about 6 years ago | (#24242843)

I hate how Windows has hidden file extensions in every version since XP. It's supposed to make the machine more Mac-like and friendlier, but it is a serious security concern.

I try to turn it off on every machine that I'm asked to set up or fix, but occasionally I get someone who deletes the "unfamiliar" file extensions from their files and ends up not being able to open them.

Re:Nice (2, Insightful)

Trigun (685027) | about 6 years ago | (#24242477)

If there is one thing that is guaranteed in life, it is stupidity. Count on that, and remove the other vectors.
 

Re:Nice (-1, Troll)

Anonymous Coward | about 6 years ago | (#24242659)

It's like the ActiveX of multimedia wrapper files. A security nightmare? You bet. Does it still depend on user stupidity? Well, yes.

Unlike oil, user stupidity has nearly infinite supply for the foreseeable future. Ah well, that's Windows for you too. Using Windows is like having sex with a crack whore; even if you use a rubber (AV program) you can still get all sorts of nasty viruses and diseases. And you're still the douchebag who would do a crack whore who's known to be such in the first place.

Re:Nice (2, Insightful)

geogob (569250) | about 6 years ago | (#24242817)

This is really clever. That way of using the file container to get the user to download false codecs.

I wonder if it could work with other wrappers, like AVI, Quicktime, etc. Maybe not in their original state, but with slight modifications that could fool the player.

I wasn't aware of all the capabilities of the ASF wrapper, but that sure was a ticking time bomb.

Re:Nice (0)

Anonymous Coward | about 6 years ago | (#24242977)

Wouldn't the music play while this website is launching? It would be intuitive that a plugin or codec is not necessary to play the audio, as the ASF wrapper would just launch this at the beginning, no?

It's not like DRM in WMP where a user has a dialog box that must receive a DRM response in order to open it..

Nothing New... (4, Informative)

mariofreak (1328373) | about 6 years ago | (#24242239)

I don't think this is anything new... I've been caught out by it before. There was a site that claimed to provide mp3 downloads, made you install a codec that just redirected all your internet requests to their proxy. I wiped the system after that.

Re:Nothing New... (4, Insightful)

dreamchaser (49529) | about 6 years ago | (#24242345)

You should turn in your geek card for falling for that one! Any site you don't 100% trust that asks you to install a codec for a file format you can play already screams 'malware' in a loud shrill voice.

Re:Nothing New... (1)

omeomi (675045) | about 6 years ago | (#24242713)

Any site you don't 100% trust that asks you to install a codec for a file format you can play already screams 'malware' in a loud shrill voice.

That's good advice, but just because you can play the file format doesn't mean you have the right codec...

Re:Nothing New... (2, Informative)

Obfuscant (592200) | about 6 years ago | (#24242929)

That's good advice, but just because you can play the file format doesn't mean you have the right codec...

It means you have A codec that works, and all the player cares is that you have A codec that claims to work. If you can play the file format, you have both a working codec and a codec that the player knows about, so the player isn't going to tell you that you need to download another one.

Any WEBSITE that tells you that you need to download a codec when you already have one for that format is screaming MALWARE, whether or not you want to get into an argument about which is the BEST codec or the fastest or the "right" one. "Right" is an opinion and irrelevant.

Re:Nothing New... (1)

Anonymous Monkey (795756) | about 6 years ago | (#24243041)

I thought that was "Exterminate!" that it shouted. You know, those pepper pot guys... Joking aside, I did my share of stupid stuff long long ago. I remember installing snood because someone said it was the best game ever, and then needing to purge my system to get rid of gator and all of its related slop. Yes, it was extremely stupid and I should have known better (I think I was 17 at the time) but I never made that mistake again. Quite frankly I think you should not get your Geek Card until after you make a few mistakes like that. It's not about making the stupid mistake, but about how you handle it that makes you a geek. End of rant (and btw, I do get that the above post is part humor and sarcasm)

Microsoft only threat? (2, Interesting)

UnknowingFool (672806) | about 6 years ago | (#24242287)

Can anyone comment about the possible risk to non Windows machines? Well it appears that IE is affected as well as the ASF format. The Trojan itself appears to be Windows only. Does anyone know if FF or other browsers can be used? Also I don't know much about the ASF container but if you run it in another player like iTunes will it still activate?

Re:Microsoft only threat? (0, Flamebait)

ChuckSchwab (813568) | about 6 years ago | (#24242397)

Yeah, sure bro, let's all smugly pat ourselves on the back for dodging the bullet by not using Windows.

Hey, wanna know the SECRET as to why your non-Windows OS is so SUPER secure? You ready for it?

Because no one uses it!

*When* people start using Linux en masse (which will NEVER happen because the Linux community doesn't know the first thing about marketing itself or user interface design or making the transition easy), THEN there will be an incentive to actually write viri for Linux.

And then, do you know what'll happen? They WILL find a jagged shard of glass in the Linux kernel, and they WILL fuck you with it.

I guarantee it. (Like that Men's Warehouse guy.)

Re:Microsoft only threat? (4, Informative)

UnknowingFool (672806) | about 6 years ago | (#24242505)

Geez, take a pill. The Trojan appears to have a very complex activation, and I asked for clarification and more detail. The article seemed to state that IE, ASF (Windows Media Player), and Windows were required. What if I'm using FF, WMP, and Windows? How about FF, iTunes, and Windows? How about Safari, iTunes, and Windows? Nowhere in my post did I mention Linux, OS X, or Unix.

Re:Microsoft only threat? (1)

causality (777677) | about 6 years ago | (#24242961)

Jealous much?

*When* people start using Linux en masse (which will NEVER happen because the Linux community doesn't know the first thing about marketing itself or user interface design or making the transition easy), THEN there will be an incentive to actually write viri for Linux.

That the Linux community is not a marketing machine is 100% a Good Thing to me. I would probably end up enjoying Linux less if there were a corporate financial interest that competed with the community's current interest in producing useful software (of course if you WANT corporate support you can do that too via Redhat and others, it just isn't necessary with Linux). In a nutshell, that's Windows' biggest problem; the company is run by marketing and not by software engineering. You do realize that the primary purpose of Windows is to make money for Microsoft and its shareholders and that any benefit or usefulness to you is entirely secondary to that primary purpose, right? At fulfilling its primary purpose, Windows has been phenomenally successful. At being useful to me (keywords: "to me"), Windows has been substandard and I am glad to use a better alternative. Linux satisfies my computing needs and it does so whether most other people use Windows or not, so why would I care about marketing? This is a real question, I'd like to see your answer.

Re:Microsoft only threat? (1)

sesshomaru (173381) | about 6 years ago | (#24242611)

Well, I haven't actually looked at one of these yet, but I'm suspecting that the infection vector is Windows Media Player and P2P downloaders that preview things using Windows Media Player.

The rule is that if you are downloading files from a suspect place, it will have malware in it. I once downloaded something that had an impact both in Windows and Linux, it was a somewhat sophisticated design. (Basically, a payload of useless files that were treated as read only both by Windows and my Linux install.)

For MP3s? Well, you could always make MP3 CDs and DVDs out of them and play them on a CD/DVD player with MP3 capability. It won't be able to do anything to them, but it probably won't tell you if it is infected or not. You could also try something like a GeeXBox [geexbox.org] boot disk. Of course, caveat emptor on suspicious MP3 files, here translated "let the downloader beware."

Re:Microsoft only threat? (1)

UnknowingFool (672806) | about 6 years ago | (#24242771)

The rule is that if you are downloading files from a suspect place, it will have malware in it.

True, but I've read some reports where ordinary websites are being unwittingly hijacked to spread malware. This makes it harder for ordinary users to know what to click on and what not to click on. It used to be you could play a sound file and be assured it was okay. Also hackers were able to inject malware without the visitor downloading anything. Personally, I visited some forums about gaming recently and got a worm even though I didn't download anything. The file format disguised itself as PDF but like I said, I didn't download anything from that site.

Re:Microsoft only threat? (1)

Fishbulb (32296) | about 6 years ago | (#24242737)

I second that. I admit, I have downloaded an mp3 or two from the net (mostly stuff I just can't find in print still since my music tastes are...eccentric). I don't use Windows much, but I do use iTunes on it, and share the mp3s from a server [fireflymediaserver.org] .

But aside from that, I like to know that the files on my systems are clean.

So, yeah, I'd be specifically interested in any utility that could scour a directory of mp3s and tell me if any have such trappings.
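
Added example, not part of the original thread or any poster's code: one way to do the check asked for above, in Python. It walks a directory, reads the leading bytes of each file named *.mp3, and reports those that start with the ASF header GUID (the container the summary says the transcoded files are wrapped in), together with any URLs found in an ASF Script Command Object. The two GUIDs are from the ASF specification; the URL extraction is a heuristic, and the sample file, its zeroed reserved field and the example.invalid URL are constructed for the demo.

```python
"""Flag files named *.mp3 whose bytes are really an ASF (WMA/WMV) container."""
import os
import re
import struct
import tempfile
import uuid

# On-disk GUIDs from the ASF specification (first three fields little-endian).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
URL_RE = re.compile(r"https?://[\x21-\x7e]+")
READ_LIMIT = 1 << 20  # the header objects sit at the start of the file


def classify(data):
    """Return 'asf', 'mp3' or 'unknown' from the leading bytes, ignoring the name."""
    if data[:16] == ASF_HEADER:
        return "asf"
    if data[:3] == b"ID3":  # ID3v2 tag in front of the audio frames
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # 11-bit MPEG audio frame sync
    return "unknown"


def header_objects(data):
    """Yield (guid, payload) for each object inside the ASF Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30  # GUID(16) + size(8) + object count(4) + two reserved bytes
    for _ in range(count):
        if pos + 24 > end:
            break
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break  # malformed or truncated object: stop rather than guess
        yield data[pos:pos + 16], data[pos + 24:pos + size]
        pos += size


def embedded_urls(data):
    """Heuristic: pull http(s) URLs out of any Script Command Object."""
    urls = []
    for guid, payload in header_objects(data):
        if guid == ASF_SCRIPT_COMMAND:
            text = payload.decode("utf-16-le", errors="ignore")
            urls.extend(URL_RE.findall(text))
    return urls


def scan_tree(root):
    """Return sorted (relative path, urls) for every *.mp3 that is really ASF."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".mp3"):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                data = handle.read(READ_LIMIT)
            if classify(data) == "asf":
                findings.append((os.path.relpath(path, root), embedded_urls(data)))
    return sorted(findings)


def build_sample_asf(url):
    """Constructed fixture: header-only ASF with one script command (not playable)."""
    def utf16(text):
        return text.encode("utf-16-le")
    payload = bytes(16)                       # reserved GUID, zeroed placeholder
    payload += struct.pack("<HH", 1, 1)       # one command, one command type
    payload += struct.pack("<H", 3) + utf16("URL")
    payload += struct.pack("<IHH", 0, 0, len(url)) + utf16(url)
    body = ASF_SCRIPT_COMMAND + struct.pack("<Q", 24 + len(payload)) + payload
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(body), 1, 1, 2) + body


def demo():
    """Scan a temporary folder holding one genuine-looking MP3 and one disguised ASF."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "genuine.mp3"), "wb") as handle:
            handle.write(b"ID3\x03\x00" + bytes(64))
        with open(os.path.join(root, "disguised.mp3"), "wb") as handle:
            handle.write(build_sample_asf("http://example.invalid/codec"))
        return scan_tree(root)


if __name__ == "__main__":
    for path, urls in demo():
        print(f"{path}: ASF container behind .mp3 name, URLs: {urls}")
```

An MP3 with leading padding or junk before its first frame classifies as "unknown" here, not as ASF, so only files that positively match the ASF header are reported.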

Data vs Program (5, Insightful)

mlwmohawk (801821) | about 6 years ago | (#24242311)

Microsoft has a SERIOUS design pathology. They too often confused "data" with "program." Every G.D. thing in Windows can, in some way, initiate an action. This is a problem.

A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.

Re:Data vs Program (2, Funny)

Anonymous Coward | about 6 years ago | (#24242675)

You mean just have it read X bytes of data and stop!? But how would they have supercyberhyperwebbrowsing? I want gimmicks not reliability.

Re:Data vs Program (2, Informative)

Zoltair (721973) | about 6 years ago | (#24242863)

I am not so sure it is a MS issue, they are developing "by popular demand". Computer users (yourself included, me too!) have demanded more automation, they want less user interaction, thus MS and everybody else will develop for these wants. I remember when email was just that data!, had to uuencode/uudecode anything binary, Gopher was the WWW back then, automation has removed that need, but it has also left us all open to attack. If it were not for our need and desires for this automation, we would all still be using MS-DOS or Unix....

Re:Data vs Program (2, Insightful)

mlwmohawk (801821) | about 6 years ago | (#24243027)

Computer users (yourself included, me too!) have demanded more automation,

Speak for yourself. I don't want "automation" and most of my family and friends get confused by it, "Hey, why is it doing that?" is the typical response.

they want less user interaction, thus MS and everybody else will develop for these wants.

You are confusing "wanting it to work" and "automation." Clicking, or double clicking, on an icon in a window and having the correct player pop up and play the file correctly is what people want. That is, in fact, *all* they want. No one asked for media files that would "automate" anything.

Users don't even understand computers at the level where they could ask for such a thing. If they did, they wouldn't even ask. I submit that much of the push for programmatic content within media is from the *IAA types looking to extend control.

I remember when email was just that data!, had to uuencode/uudecode anything binary

There is no reason why an email message has to contain programmatic content for an email program to be able to properly decode an attachment. That's what MIME types are all about.

Re:Data vs Program (1)

1u3hr (530656) | about 6 years ago | (#24243075)

I am not so sure it is a MS issue, they are developing "by popular demand". Computer users (yourself included, me too!) have demanded more automation

Perhaps you can substantiate how this "popular demand" was determined? By who? When? Where?

Application writers, advertisers and other assholes have wanted to make it easier, and preferably, automatic, for users to install their software. I don't know of any surveys of users on this subject.

Re:Data vs Program (0)

Anonymous Coward | about 6 years ago | (#24242895)

Coming from Windows to a Linux distro, this was actually very confusing to me, but I get what you're saying.

Re:Data vs Program (2, Informative)

geogob (569250) | about 6 years ago | (#24243001)

I don't agree with your evaluation. As I understand it, the asf contains a download link for the codec. The player Program for the file (most likely windows media player components) initiates the "please download this missing codec" action using the information within the ASF container (link to the trojan/worm).

This is the problem right here: Using corruptible information for a system-sensitive operation. WMP should only initiate such a download from a secure and authenticated source on the internet or use its own pre-defined sources, like windows update.

This is a "good" user-friendliness feature for users who don't like to be put in front of a simple "missing codec" cryptic error. But so many user-friendliness features tend to lead, if badly implemented, to major vulnerabilities through common user-behavior attacks.

It's all "data". The problem is how this data is handled by the system components. More importantly is how unverified (and unverifiable - and potentially corrupted) data can be used for system sensitive operations. Worse, how this can be done fooling the user to think it's a normal and appropriate measure. This is a FAIL in user psychology and end user system design.

Re:Data vs Program (1)

Applekid (993327) | about 6 years ago | (#24243067)

A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.

I'm not going to dispute that, I fully agree. In a sense, though, the infected "mp3" file is still just data... it's the codec library that's malicious. It's no different than files wrapped in that damned Zango codec that's basically just malware on top of an existing mpeg-4 decoder.

The splitting of codec versus player I think was a great development that's been pretty much made obsolete by huge storage space, GHz range processors, and codec packs like K-Lite and DefilerPak. My personal (and admittedly antiquated) view is that a player shouldn't automatically know how to decompress every random, trivial, academic, color-of-the-week compression format and should defer to some kind of library with a plug-in system so you have only the codecs you need.

The problem here is really two-fold:
1) Downloading untrusted, unsigned codecs. It's usually agreed that an open environment is great, but, in an open environment you can't demand codecs be signed by a central, possibly competing, authority. Damned if you do, damned if you don't. The alternative would be not letting the player/library download codecs at all, in which case you'd just have another step to trick users into running malicious code.

2) Playing ".mp3" files that aren't mp3 files. If it doesn't follow the format the extension suggests, should a good player make a reasonable attempt to find out what formats it DOES fit and play it (the "it should just work" philosophy) or should it crash and call the user an idiot? If a player is going to interpret a file with an mp3 extension as a generic file it has to discover its format to play, why bother having extensions at all?

I don't think it's a "leave it to Microsoft to blahblahblah" thing. It's just a thing that came out of having a world where you CAN download code AND data, and that hasn't ever been limited to the Windows world.

Don't use untrusted codecs! (1, Insightful)

carp3_noct3m (1185697) | about 6 years ago | (#24242341)

Don't enable any audio program you use to automatically download codecs. Use third-party trusted codec packs, or better yet, use VLC! As for Joe Schmo internet user, he is just fsked anyway, and probably already has more trojans on his PC than I've ever had on my... um.... usb dongle?

ASF? (0)

ruiner13 (527499) | about 6 years ago | (#24242343)

I've been using/creating websites since 1994, and I don't think I've ever even seen an ASF file for download. I assume it is a windows media format?

Re:ASF? (2, Informative)

MikeURL (890801) | about 6 years ago | (#24242387)

You'll see asf files if you use p2p search engines. They tend to be tricky in that they usually open websites of questionable value. That isn't news.

Being able to make an asf look like an MP3 is...weird. If true then that is going to spread very quickly.

Re:ASF? (2, Informative)

BlueParrot (965239) | about 6 years ago | (#24242769)

Being able to make an asf look like an MP3 is...weird

Not really, name the file: mymusicfile.mp3.asf, Windows does the rest for you.

Re:ASF? (1)

Thelasko (1196535) | about 6 years ago | (#24243121)

Being able to make an asf look like an MP3 is...weird. If true then that is going to spread very quickly.

I suspect, as a "feature" built into Windows Media Player to make things "just work", if a .asf file has the extension .mp3, WMP will detect that the file is a .asf file and play it anyway.

What player? (5, Interesting)

Blice (1208832) | about 6 years ago | (#24242351)

TFA doesn't say what media player is vulnerable to this...

I have a feeling this exploit doesn't work in VLC.

A few days ago I played a movie in VLC on a Windows machine and half way through the VLC error log opened and had some interesting things in it. It was trying to place some files into some directories, and then lastly was trying to open a website.

So it wasn't able to do those things, but I can't help shake the feeling that if I had played it in Windows Media Player it would have done some damage. Though it could have also been an exploit for a specific player like Realtime, Xvid, etc.

Disclaimer: I'm not associated with VLC, although I do really like it.

Re:What player? (2, Insightful)

X0563511 (793323) | about 6 years ago | (#24242621)

My question is how the hell that works? Why is it even possible to do that!?

Data comes in, gets split into an audio stream and a video stream. You look at the magical tags and figure out which decoder to fire up. Feed compressed data into the decoder, get decompressed data out. Pass the video data to the display pipeline, and the audio data to the audio pipeline.

There should be no way to execute anything from those pipelines.

a) ASF is patented, b) by Microsoft. (4, Funny)

Joce640k (829181) | about 6 years ago | (#24242787)

So ... I think we can deduce which players are vulnerable to this.

What do you really expect? (-1, Flamebait)

DaveV1.0 (203135) | about 6 years ago | (#24242413)

Really, this should not surprise anyone. When one uses a service to do what is, basically, illegal, one should not be surprised if others use the same service to do something illegal.

One should not be downloading things, especially things that are copyrighted and executables, from P2P networks.

Re:What do you really expect? (1)

HolyCrapSCOsux (700114) | about 6 years ago | (#24242613)

so copyrighted OR executables is good then?
So, kids, it's okay to download cox}s}wivme from p2p but not epabad``dd!

Re:What do you really expect? (1)

DaveV1.0 (203135) | about 6 years ago | (#24242789)

Excuse me, I guess I should have put:

One should not be downloading things, especially things that are copyrighted and/or executable, from P2P networks.

Is that better?

Re:What do you really expect? (0)

Anonymous Coward | about 6 years ago | (#24242649)

One should not be downloading things, especially things that are copyrighted and executables, from P2P networks.

Unless those P2P networks are under the full control of corporations, that is [slashdot.org] . You see, if you use the full bandwidth you're paying for all the time, you're a nuisance and should be cut off. But if they can take some of your bandwidth and use it to give vapid teenagers more episodes of The Hills, it's just good business!

Re:What do you really expect? (-1, Flamebait)

DaveV1.0 (203135) | about 6 years ago | (#24242759)

It is not flamebait, you fucking dumbasses. It is the truth.

Re:What do you really expect? (1)

sammyF70 (1154563) | about 6 years ago | (#24242949)

The problem with your logic is that you forget why ASF/WMV/WMA files are so vulnerable.

From wikipedia [wikipedia.org] : "The ASF container provides the framework for digital rights management in Windows Media Audio and Windows Media Video."

So, the problem is not people who download (illegally or not .. think NIN) music/video via P2P or newsgroups, it's the companies pushing for harsher copyrights and stronger DRM. I'll agree that they wouldn't have to, if nobody pirated anything, but their answer is more akin to an atom bomb to get rid of a nest of cockroaches. It will probably NOT kill the roaches, but everybody else will feel the aftermath.

von Neumann rolls in his grave (5, Insightful)

Gothmolly (148874) | about 6 years ago | (#24242433)

This is why you separate the executable code from the data.

Re:von Neumann rolls in his grave (1)

zappepcs (820751) | about 6 years ago | (#24242797)

I'm glad you were modded up. Running everything in a sandbox that disappears on reboot, and other methods to keep real data away from what you're doing online is what will make it safe(r). In the case of simply separating user data and system data, such malware still has a chance to truly fsck with you. The need is to keep online malware 'away' from your user data AND system data. To do that, you need to do the equivalent of putting on rubber gloves, mask, protective goggles and going over to your neighbor's house to surf the web.

In general principle, and probably in practice, this is one thing that virtualization can do to improve the average user's environment.

Not as bad as WMVs (0)

Anonymous Coward | about 6 years ago | (#24242449)

I think five years ago, my PC was infected from playing a WMV.

Yes, it was pr0n, yes the file was very tiny and of bad quality.

Basically turned my machine into a bot after I played a file from IRC or eDonkey in Windows Media Player. Even after I cleansed it, it had put itself into all of the WMVs and duped/renamed them funny so I could never pin it down. Basically if I tried playing any Windows Media file on my machine, I was just re-infecting it. On top of that, it hashed the names together to make it hard to pin down where my files were or what was in them ... solution? Complete wipe and reinstall. Lesson learned: never use a media player that is married to the kernel with super user rights.

For lack of a name, call it the RIAA worm. (2, Interesting)

suck_burners_rice (1258684) | about 6 years ago | (#24242459)

Hmmm, it sounds like this kind of worm really benefits the RIAA. It works like this: If all your mp3 files are encoded from your own CDs for legitimate purposes, then nothing will happen to you. But if you download a single song, or if you copy a single song from a friend, then BOOM! All of your music becomes totally jacked up. It seems a pretty sophisticated worm/virus concept and the transcoding of mp3s is kind of like an additional "fsck you" from the RIAA.

hmm... (4, Funny)

Taibhsear (1286214) | about 6 years ago | (#24242481)

Good thing I only download FLAC and transcode it myself to mp3... I mean, I buy cds straight from the RIAA for $50 a pop so I can bypass those greedy artists... yeah, that's the ticket...

They're ASF, Not MP3, Files (5, Informative)

Doc Ruby (173196) | about 6 years ago | (#24242495)

The buggy format is not MP3. The MP3 files are perfectly safe.

This worm transcodes them into ASF files. The ASF files are the threat. The ASF files pretend to be safe MP3s, but they include links that Windows automatically opens. MP3 files don't do that.

Of course, it's really Windows that's buggy (duh). Windows allows the worm to enter and run. Windows lets the unsafe ASF files appear to the operator to be safe MP3. Windows opens the ASF links to the bad sites. Windows then runs whatever the bad sites deliver to the browser (which the user could have just clicked to from another page, without the MP3/ASF worm at all, and just blown their system by Web surfing).

But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3. Even though this exploit requires converting the file into something that's not MP3 before it can get started attacking you.

Re:They're ASF, Not MP3, Files (1)

Tim C (15259) | about 6 years ago | (#24242743)

Windows lets the unsafe ASF files appear to the operator to be safe MP3.

The last time I opened a file in Windows Media Player that had an incorrect extension it warned me of the fact, giving me the option of not playing it.

But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3.

I don't see anything in the summary or article that blames mp3s, so I'm really not sure what you mean by that.

Re:They're ASF, Not MP3, Files (2, Informative)

Doc Ruby (173196) | about 6 years ago | (#24242869)

Windows lets the unsafe ASF files appear to the operator to be safe MP3.

The last time I opened a file in Windows Media Player that had an incorrect extension it warned me of the fact, giving me the option of not playing it.

This report says that safeguard fails.

But of course, we can't say that Windows and ASF and IE are the security monsters. We have to blame MP3.

I don't see anything in the summary or article that blames mp3s, so I'm really not sure what you mean by that.

The title of this story is "Worm Transcodes MP3s To Infect PCs", not "Worm Infects PCs with ASFs". How much more clear could that be?

Re:They're ASF, Not MP3, Files (1)

geminidomino (614729) | about 6 years ago | (#24242799)

I'm glad someone else mentioned this. Seriously, how braindead do you have to be to actually think that a file extension means anything as to the format of a file?

Worse, even FOSS is going in this direction (Just tested with Gnome. It doesn't update the icon until you've already tried to click-execute it and it attempts to open a text file named foo.jpg as an image) :(

I'd expect this kind of braindead stupidity from MS, but geez.

Re:They're ASF, Not MP3, Files (4, Interesting)

qoncept (599709) | about 6 years ago | (#24242871)

The original post seems to be pretty carefully worded so as to not imply that mp3s are the problem. Where is anyone blaming mp3s?

I had to reread because after a once through it seemed there was no risk to me, as I don't download wma/asf. Then I realized it said the extension remains the same. Which makes sense -- I know Windows Media Player will open any supported media type by reading the headers, and double clicking on a file with a media extension will open WMP. So there's your problem -- WMP, not Windows.

Then I also remembered that I'm not using Windows anymore, so I'm safe after all.

Re:They're ASF, Not MP3, Files (1)

Thelasko (1196535) | about 6 years ago | (#24242889)

To quote Wikipedia: [wikipedia.org]

Advanced Systems Format (formerly Advanced Streaming Format, Active Streaming Format) is Microsoft's proprietary digital audio/digital video container format, especially meant for streaming media. ASF is part of the Windows Media framework.

Well there's your problem!

Wow... (1)

hyperz69 (1226464) | about 6 years ago | (#24242501)

That has to be one of the most nasty viruses I've ever seen. Poor Windows users. Though remember, if you're ever asked to download a codec AFTER you installed a codec pack... likely it's malware. Even TV Shows are getting nasty DOWNLOAD THIS CODEC treatments. Pirating used to be such honest work too ;\

User intervention (0)

Anonymous Coward | about 6 years ago | (#24242509)

load a page that asks the user to download a codec

While certainly sneaky, it looks like this still requires the user to do something.

"Windows XP is our most secure OS ever" (2, Insightful)

Joce640k (829181) | about 6 years ago | (#24242753)

...apart from the ActiveX and the email program which auto-runs attachments and the music files which can launch the browser and the RPC daemon which can't be firewalled and the universal plug and play daemon which allows "drivers" to travel around networks and....

Defective by design.

Re:"Windows XP is our most secure OS ever" (1)

Spy der Mann (805235) | about 6 years ago | (#24243147)

Wrong. "Defective by design" means crippled by design (DRM). This is "Defectively Designed", which is a very different thing altogether.

GoatWorship Channel On YouTube - ALF sodomy clowns (0)

Anonymous Coward | about 6 years ago | (#24242841)

Check out the goatworship channel on YouTube and you'll see stuffed ALF dolls sodomized by tampon holding laughing clowns and musings about Jesus with chaos like you never imagined.. I kid you not! You don't believe me you go see for yourself! It's the craziest thing on YouTube!

mod4 dOwn (-1, Redundant)

Anonymous Coward | about 6 years ago | (#24242969)

sh0rty of a miracle

Education (1)

gx5000 (863863) | about 6 years ago | (#24243135)

"loads a page that asks the user to download a codec"
"While certainly sneaky, it looks like this still requires the user to do something."

User education is the culprit....
A computer is one of those hitech devices that you can use without almost
any education about it...

I mean, are we really reaching for a goof proof system where the user can
be completely in the dark about the inner workings? LOGO anyone? typewriter?

Just use a player that won't download codecs. (1)

base3 (539820) | about 6 years ago | (#24243153)

Media Player Classic or VLC FTW. And as a bonus, they don't call home to the mothership about the MP3s you're playing.