Skip to main content

Topic: New trojan infects audio files and spreads if they're shared (Read 117013 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.
  • j7n
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #50
What does downloading of music and the speed of your network have to do with Windows Media Player?
  • Last Edit: 20 July, 2008, 08:07:07 AM by j7n

  • Gabriel
  • [*][*][*][*][*]
  • Developer
New trojan infects audio files and spreads if they're shared
Reply #51

I am sorry, but I think this is really related to user permissions. A limited user can not install any codec on a Windows box, the process just fails and the shell (explorer) tells the user that he doesnt' have enough privileges to do this.
At which point the user will type in the admin password and nothing of substance will have been secured.

Of course, if it happens this way, there is an obvious security issue. Installations should always be manual, and not run from another piece of software. A dialog box asking for admin login/password information from within another software seems highly suspicious (well, at least to me).


You're not getting it. Reducing user permissions on a single-user system solves nothing. It's meaningless. It may keep badly written malware out, but it is of no benefit to the state of the art that exists today or in the future.

Then why is it the default setup of OSX and several Unixes? To me this reduces risk a lot, as the computer can then still be cured/inspected from the administrative account. Any other proposition about how to handle that? (for any piece of software, not specifically WMP)

(btw there are not that many computer that should really be "single user", even in homes there are often several people using a single computer)

  • Lyx
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #52
(btw there are not that many computer that should really be "single user", even in homes there are often several people using a single computer)

"User Accounts" are a half-assed approach to multiuser environments though, because the idea comes back from times, where HD-space was an issue. They try to seperate apps, from settings and media and do not employ any actual external security (all the security is only OS-internal - as soon as you access the storage from another software, you have full unlimited access). It is this half-assed approach plus stupid stuff like "centralized setting-storages" like registry, which to a large extend is responsible for all the complexity, problems and buerocracy in nowadays OSes.

The truth is that interface-level, app-level and media-level security and multiuser-support doesn't even need hardwired OS support! Check this out:

- All data except of OS and driver stuff is stored in encrypted filesystem images (truecrypt anyone?)
- This includes the user-environment which is just a "portable" application stored in that image (partially possible already).
- It also includes the applications, which are stored in that image, including their settings (portable apps do that already)
- And of course the users media
- multiple of such filesystem images can be mounted at the same time. Thus you can for example also mount an encrypted USB-stick or external HDD and then access it - if you know the PW.
- Thus, the OS doesn't even need to know "who" is currently using the PC. Users manage their privacy and security themselves simply by mounting/unmounting their encrypted images.
- User runs with very low access rights to the OS. Thus, he can do whatever he wants inside his images, but cannot damage the OS..... unless he knows the pass to elevate his rights. Interestingly, although he runs at such low privileges, he isn't constantly bothered with access-limitations, because he only needs to elevate his rights if he wants to do something to the OS.
- The OS automatically forbids any modification of unmounted images, unless one elevates ones access rights (thus, any app-level security breach can only affect the currently mounted images).
- add some mechanism to shield password entering during mounting from app-level keyloggers.

What you get:
- all the security of nowadays systems, and significantly more, without all the hassle
- no setups, package-managers, installations or deinstallations (except of just more comfortable "extractors"). Thus, also none of the downsides associated with those.
- easy backups of your data (just copy the image-file(s) and done!)
- full portability of apps, settings and data - from anywhere to anywhere.
- true privacy.... no centrally logged usage-data, own apps and media are internally and externally unaccessable. No worries about recovery of deleted data (as long as your image-encryption isn't broken)
- various niceties for corporate environments
I am arrogant and I can afford it because I deliver.

  • caligae
  • [*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #53
The truth is that interface-level, app-level and media-level security and multiuser-support doesn't even need hardwired OS support! Check this out:


Some interesting points although I don't agree with all your ideas.

To stay on-topic: Your concept would not have helped very much with the described trojan. Except for affecting only a single user on the system.

  • Lyx
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #54
To stay on-topic: Your concept would not have helped very much with the described trojan. Except for affecting only a single user on the system.

Which is impossible to solve without simply not installing software which behaves like WMP. Not even per-application access-restrictions would help here, because the player MUST have access to your audio-media - else it couldn't play it. The only sane solution is to simply not trust untrustworthy applications. The environment may restrict the damage, but there is no way around the simple logic, that if you give an app write-access to certain files, then it can write to them however it likes - if the app is malware-happy, then you shouldn't have given it that access in the first place.
I am arrogant and I can afford it because I deliver.

  • shadowking
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #55
Like gabriel said,  windows illness is because of everyone is admin. Drop access rights of browsers media players etc and 85 % of problems will go away even without an antivirus. The other thing is that there is no package management so you are never really secure.

Vista tries to remedy the issue to an extent. With XP pro try LUA accounts + sudowin and dropmyrights for XP home.
wavpack -b4x4s1c

  • prankstare
  • [*][*]
New trojan infects audio files and spreads if they're shared
Reply #56
Sweet Jesus! That's why I never trust any automated downloading instructions coming from any programs (in this case the missing codec tip). Except those "new version/upgrade" messages, perhaps not even that.


PS: Good point, 2Bdecided. I too agree with you it's not the average user who takes the blame here, or anywhere or anything. The problem really lies under those "demented" minds that think they know something and go make other lives miserable. Well, sometimes they really are brilliant minds in terms of intelligence, knowledge but look at what they use their brains for. It's totally devastating to see how there's so many remarkable minds but taking their knowledge for granted when they could very well be using it for real good things (and am not just talking about softwares, computers, etc). One don't need to know it all but only what they find it's important to them (if I decided to spend my money on a computer just as a 'pastime' hobby - you know, after stressed out from work - is there anything wrong with that? As long as I properly paid for the bloody machine).


Quote
I love the naive geek mentality in this thread that people deserve to be punished for using WMP. I know some true nerds find it impossible to grasp, but some "normal" people actually buy computers to do things beyond maintaining the computer itself!

  • Ojay
  • [*][*]
New trojan infects audio files and spreads if they're shared
Reply #57
This trojan transcodes files? Truly the work of an evil, evil mind...


Yes, and not just one file but the whole audio collection on your hard disk.

Maybe a software tool will be released later that will remove the malicious code ... and will offer the users the opportunity to change the extension of affected files from .mp2/.mp3 to .wma ... and so WMA will be the upcoming standard audio format on the web in one year or two - just let the Trojan spread and spread and spread....  ... and as we all know (also from all the discussions in this thread) - it will do so...

That - finally - will be the boost the WindowsMediaAudio format urgently needs....
  • Last Edit: 21 July, 2008, 08:37:52 AM by Ojay

  • smok3
  • [*][*][*][*][*]
  • Moderator
New trojan infects audio files and spreads if they're shared
Reply #58
i agree about UA in win (xp at least), but i don't get this:

Quote
At which point the user will type in the admin password and nothing of substance will have been secured.


so a user will press play and then for some reason type in an admin pass - yes, i have to be admin to listen to the music?
PANIC: CPU 1: Cache Error (unrecoverable - dcache data) Eframe = 0x90000000208cf3b8
NOTICE - cpu 0 didn't dump TLB, may be hung

  • PatchWorKs
  • [*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #59
Oh how much simpler my life has become since I switched to Linux. Will never look back...  Tra-la-la-la-la... I sing every day...!


I'll never switch my workstation into a server.

I'm just waiting for the upcoming Haiku and the future ReactOS.

  • smok3
  • [*][*][*][*][*]
  • Moderator
New trojan infects audio files and spreads if they're shared
Reply #60
i wonder when it will be possible to install say adobe video bundle onto react-os, or all this devs expect silly users that are just happy with open-office & firefox in their lives?
PANIC: CPU 1: Cache Error (unrecoverable - dcache data) Eframe = 0x90000000208cf3b8
NOTICE - cpu 0 didn't dump TLB, may be hung

  • Lyx
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #61
i wonder when it will be possible to install say adobe video bundle onto react-os, or all this devs expect silly users that are just happy with open-office & firefox in their lives?

I dont understand your question. ROS aims for full binary compatibility. It also clearly states, that it is currently far from that, architecturally incomplete and in alpha-state. So no, ROS-Devs do not expect development to stop in the near future.

As for BeOS.... i find the architecture VERY interesting... but i'm not sure if haiku will be efficient in practice.... at least in the near future...... mostly because of lack of software.
  • Last Edit: 22 July, 2008, 04:39:15 AM by Lyx
I am arrogant and I can afford it because I deliver.

  • shadowking
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #62

Oh how much simpler my life has become since I switched to Linux. Will never look back...  Tra-la-la-la-la... I sing every day...!


I'll never switch my workstation into a server.

I'm just waiting for the upcoming Haiku and the future ReactOS.


The NT codebase is a server OS and home / pro / server editions are the same beast. Win 9x could be considered the real home edition.
wavpack -b4x4s1c

  • Northpack
  • [*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #63
And no, i have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness - they want to use something without understanding it - permanently.... exactly the target audience, which created this kind of "market". And with this noobness, i do not just mean indepth tech knowledge, but more specifically a mindset which is investigative and self-determined - simple observations, asking questions like "is this trustworthy?" and taking consequences. It doesn't take years to get that microsoft products are not trustworthy.... if one does already - for practical reasons - use an MS OS, then at least keep the amount of additional MS apps down. Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a marked of slaves-by-choice... and where there are slaves, there will be abuse.


I get you point, Lyx, but do you really think that's any new? Regarding computer technology it's just another consequent step in a long determined development. We talk about a mentality which is rooted in the very fundament of western-scientific culture. Remember the greek myth about Prometheus stealing the fire from the Gods and Zeus' revenge in shape of Pandora's box. As man began to utilitize fire instead of just staring at it in awe, he was still sensible enough to cultivate a sense of his outrage. But this sensiblity vanished, at the latest, with the rise of modern scientific self-confidence.
Nowadays, we are proud to know about the nature of fire, but plug our lamps and computers into the socket without generally thinking about how the energy is brought to the wire (now we got Castor to take care of Pandora's box, but he's but a mortal...). And honestly - we can't. The very mode of scientific progress is utilization. Our world is a world of utility and the intrinsic complexity of these utilities, which we inescapably depend on, is ever growing. Alienation is the price to pay for any progress. Now geek's like us gladly pay that price. But not everyone can afford such a privation - and why should they? It's knowledge without any vital importance for them. No one has the capacity to be investigative in all the techniques he daily utilitizes. You can't be an expert on everything. Most people ain't experts on computer technology - yet they are culturally impelled to utilitize it. Technology creates necessity, but people create technology. Thus taking part in the development of technology is a matter of highest responsibility. Great scientist always knew about that. Companys like Microsoft obviously do not. So either you have blame them or, to be fundamental, you have to blame the overall modern scientific mind - but when you do so, you can't point at anyone other, because you are into that mind yourself (well, I don't suppose you're an Indian Yogi, are you? ).
  • Last Edit: 22 July, 2008, 08:23:10 AM by Northpack

  • Lyx
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #64
No one has the capacity to be investigative in all the techniques he daily utilitizes. You can't be an expert on everything. Most people ain't experts on computer technology - yet they are culturally impelled to utilitize it.

This is a popular misunderstanding, caused by a typical western tendency to think in one-dimensional extremes (Boolean XOR). With well designed tools, it is not necessary to be an "expert" to use them powerfully and responsible. In the case of applications, i don't need exactly know HOW it works... i just need to understand the overall underlying meanings and relationships associated with them. I.e. knowing the difference between executable code and media. Knowing that whatever i can do, an application can do as well. Understanding basic stuff about trust. Almost no average user understands ANY of those things! I am not saying that only "geeks" should use computers. I am saying that only people who understand the basic overall principles in computing should use computers. Todays average PC users isn't just "not an expert" - he has no fucking clue about anything... he doesn't even know the difference between data stored on the internet, and data stored on his computer! He is simply a slave which obeys commands which the software gives him. He doesn't observe, doesn't think, doesn't understand, doesn't decide... he is a robot executing commands - an application which will do anything which it is told by anyone and anything.... he is literarily the most insecure application ever developed!

- Lyx

P.S.: From a wider POV, this isn't just an issue with western scientific mentality. It's related to the mentality of the entire society: People do not want to make decisions - they just want to function by letting others decide for them. In this case, the application - ANY application - decides for the user. Have you ever seen such a user getting into a conflict, by multiple apps giving the user contradictory commands? They do not investigate which is right... they don't even ask themselves "whom can i trust?".... they just panic and ask "what am i supposed to do?".
  • Last Edit: 22 July, 2008, 09:01:23 AM by Lyx
I am arrogant and I can afford it because I deliver.

  • GeSomeone
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #65
And no, i have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness ...

So how should N00bs educate themselves if the word is not spread about what is dangerous and what not? Your remark have a distict "Elite" smell.
In theory, there is no difference between theory and practice. In practice there is.

  • 2Bdecided
  • [*][*][*][*][*]
  • Developer
New trojan infects audio files and spreads if they're shared
Reply #66
I'm hardly a "clueless n00b", but until discovering this, I've always let Windows Media Player grab whatever codecs it wants. As something "integrated" into Windows,  I assumed it was going to a trusted Microsoft service (just like I assume Windows Update does), and assumed it was more safe than (hypothetically) downloading an unknown obscure media player, which, IME, have often been buggy, bundled with spyware, and sometimes conflicted with other codecs on my system.

Still, the point of this thread is to inform. I'm now informed that this is a threat, and will warn everyone I know.

It's another plus point to archiving to optical media - the trojan could attack back-up mp3 files on a spare HDD when it was connected to sync; it would struggle to attack those burnt to DVD-R. Shame - I've more or less given up on DVD-R for backup, and will now have to consider it again.

Cheers,
David.

  • washu
  • [*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #67
I'm hardly a "clueless n00b", but until discovering this, I've always let Windows Media Player grab whatever codecs it wants. As something "integrated" into Windows,  I assumed it was going to a trusted Microsoft service (just like I assume Windows Update does), and assumed it was more safe than (hypothetically) downloading an unknown obscure media player, which, IME, have often been buggy, bundled with spyware, and sometimes conflicted with other codecs on my system.


As far as I'm aware, Windows Media Player can only grab codecs from an approved Microsoft site.  It cannot get codecs from any site directly.  What this trojan does is instruct WMP to open a web browser to the download site.  One more step, but an important distinction.

  • Lyx
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #68

And no, i have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness ...

So how should N00bs educate themselves if the word is not spread about what is dangerous and what not? Your remark have a distict "Elite" smell.

"Not spreading a specific kind of info on THIS platform" != "Not spreading a specific kind of info on ANY platform"

I dont care how sentences "smell" to you. You are responsible for your interpretations.
I am arrogant and I can afford it because I deliver.

  • Lyx
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #69
Quote
I'm hardly a "clueless n00b", but until discovering this, I've always let Windows Media Player grab whatever codecs it wants. As something "integrated" into Windows, I assumed it was going to a trusted Microsoft service (just like I assume Windows Update does), and assumed it was more safe than (hypothetically) downloading an unknown obscure media player, which, IME, have often been buggy, bundled with spyware, and sometimes conflicted with other codecs on my system.

Ignoring the validity of those statements, there's a useful implied question in this: What to do about this - what are the alternatives?

For videos, i'd say there are at least two app, which are significantly more trustworthy than WMP and which aren't too complicated to use. Both however are not "eye-candy" (no skinned interface).

The first most obvious choice is "Media Player Classic". It uses the codecs on the system and from my experience does not execute active scriptcode in mediafiles. It's interface is also quite easy to use (more easy than WMP i'd say) - but it does not automatically download codecs, nor does it do that manually. It by the way is also capable of playing quicktime and real mediafiles, if you have "quicktime alternative" and "real alternative" installed - though, in my experience the support for those two mediatypes doesn't feel stable (feels like lots of wrapper-hacks).

The second - and in my opinion most interesting alternative, is SMplayer. This is a rather clean and simple frontend to mplayer. The interface is also quite similiar to media player classic. Most settings are also easily accessible. And the best part: It is not dependent on system codecs! It uses its own codecs which - if you add the full package - can play almost everything, INCLUDING quicktime and real stuff! Because of this, there also are no codec conflicts, and you will never need to download codecs (at least not for trustworthy mediafiles). This is a simple and clean mediaplayer which can truely completely replace all other video-mediaplayers on your system. It's two most obvious flaws currently are: If a video crashes, then only the frontend will terminate, leaving a zombie mplayer-process running which needs to be killed via taskmanager. The second main downside is that if you want widescreen stretching of videos (thus, ignoring aspect ratio) then this cannot be done comfortably - you need to add certain switches to the "mplayer commandline options" in the preferences.
I am arrogant and I can afford it because I deliver.

  • 2Bdecided
  • [*][*][*][*][*]
  • Developer
New trojan infects audio files and spreads if they're shared
Reply #70
I use VLC. I'm not a fan of it, it's just the least bad thing I've found.

FWIW I just tried SMPlayer - it can't deinterlace HDV in real time on my PC (VLC, not known for being fast, can do this easily). It can't play back DV AVI files at all - it just crashes (this must be some obscure bug/interaction because I can't imagine them releasing it with broken DV AVI support knowingly, but everything else on my system can play them!). SMplayer is fine with WMV though - better than VLC (on my system).

I'm not saying Window Media Player is "better" than what you've suggested - by my experience illustrates (and confirms!) finding something "better" can turn into a wild goose chase.

(I already have MediaPlayerClassic and use it for DV at home - it respects DV AVI aspect ratios, which not many other programs do).

Cheers,
David.
  • Last Edit: 22 July, 2008, 11:33:06 AM by 2Bdecided

  • j7n
  • [*][*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #71
Actually Media Player Classic also has own codecs for most formats. Each decoder can be enabled independently.

However, MPlayer is the only program that will play Windows Media formats satisfactory (apart from Windows itself).

  • JunkieXL
  • [*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #72
Windows Media Classic works well.  I would recommend you install ffdshow if you plan on using it though... You can use this one simple application to decode just about any media type; both audio and A/V as well as many other very useful features.  I'd recommend everyone check it out.

Sourceforge: ffdshow
JXL

edit: corrected some typos
  • Last Edit: 22 July, 2008, 12:52:17 PM by JunkieXL

  • 2Bdecided
  • [*][*][*][*][*]
  • Developer
New trojan infects audio files and spreads if they're shared
Reply #73
IME relying on ffdshow for "decoding just about any media type" is hardly a crash-free experience. Maybe I'm unlucky!

Cheers,
David.
  • Last Edit: 22 July, 2008, 01:25:14 PM by 2Bdecided

  • JunkieXL
  • [*][*][*][*]
New trojan infects audio files and spreads if they're shared
Reply #74
I use it primarily for h.264 A/V media in conjunction with the modified windows media classic player and it has always worked well for me.
JXL