HydrogenAudio

Hydrogenaudio Forum => Validated News => Topic started by: CiTay on 2008-07-17 22:18:34

Title: New trojan infects audio files and spreads if they're shared
Post by: CiTay on 2008-07-17 22:18:34
A new trojan horse malware is being reported in the wild that infects MP3, WMA and WMV files. It secretly converts MP3 files to the WMA format while keeping the MP3 file extension and adding a special WMA tag that asks the user to install a supposedly missing audio codec. When the user downloads and installs the fake missing codec, the trojan horse sets a registry key that disables the "missing codec" popup, making it seem as if the installation was successful. Meanwhile, it's silently infecting all those media files it can find on that PC, including converting all MP3s to WMA and adding that special tag. Windows Media Player does not mind the wrong extension and plays them back normally.

When those files are shared, they will display the "missing codec" notice again on other PCs, and if that codec is installed, the infection is spreading once again. If Winamp is installed (which can't play the fake MP3 files which really are WMA), its configuration is changed so that all media files will be played by Windows Media Player again instead.

More info:
http://blog.trendmicro.com/infectious-music-malware-style/
http://www.trustedsource.org/blog/132/Trojan-infecting-multimedia-files
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-17 22:27:46
What's so special about that, that it justifies a news entry?

- Microsoft software has long been known to support "media" to behave like "applications".
- Microsoft media formats have long been used for hijacking WMP for malicious purposes. It's one of the reasons why i would NEVER use WMP.

The only thing which to me appears to be different here, is that the active code is capable of spreading. But that was just a matter of time to happen. Still, i don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP. WMP on the other hand gets more bad press. I like those news - though, it would be nice if it were more emphasized that ONLY MICROSOFT MEDIA PLAYER is affected by this..... just like almost all email-worms only affect outlook.... and so on..... and so on. It's just the same old story again.
Title: New trojan infects audio files and spreads if they're shared
Post by: CiTay on 2008-07-17 22:35:58
Quote
I like those news - though, it would be nice if it were more emphasized that ONLY MICROSOFT MEDIA PLAYER is affected by this.....


Which most likely has the biggest market share, just like Internet Explorer still has. Despite all the advancements in other players and browsers, the majority of people still don't seem to change the default app from when the OS was installed.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-17 22:43:33
Well, you know the myth about lemmings
Title: New trojan infects audio files and spreads if they're shared
Post by: JunkieXL on 2008-07-17 22:55:40
Based on the behaviour you reported for this malware, I can only see this affecting people that are very computer illiterate or just plain stupid.

WMP aside...anyone that downloads and installs codecs without at least knowing what they are downloading first and from where is a total idiot.  I never allow programs to choose which codecs I use to play back media.  I research it and get the codec bundles off of sites I know to be trustworthy and even then I still scan them and check to make sure they are what they are.

I honestly don't feel that this malware has a very good chance of spreading fast.
JXL
Title: New trojan infects audio files and spreads if they're shared
Post by: CiTay on 2008-07-17 23:02:39
Well, so i thought myself. Until a friend of mine, whom i set up his PC for personally - including installing Antivirus software, Firefox and so forth - installed a different fake codec a while ago, infecting himself with some trojan. He is your average PC user, far from being PC illiterate or stupid. He was just not aware of the dangers when he installed that. I think that outside a minority of users who really know about all the dangers implied with internet use, the vast majority of people have no idea that such a codec download could lead to a trojan infection. They probably think it's just another notice, like a new Java version, flash player, or whatever else pops up these days.
Title: New trojan infects audio files and spreads if they're shared
Post by: ExUser on 2008-07-17 23:09:28
This trojan transcodes files? Truly the work of an evil, evil mind...
Title: New trojan infects audio files and spreads if they're shared
Post by: Gow on 2008-07-18 00:51:50
Quote
This trojan transcodes files? Truly the work of an evil, evil mind...


I wholeheartedly agree with this statement and could not have put it better myself.
Title: New trojan infects audio files and spreads if they're shared
Post by: Synthetic Soul on 2008-07-18 06:40:18
Quote
They probably think it's just another notice, like a new Java version, flash player, or whatever else pops up these days.

If it pops up when you go to play the file in the trusted Windows Media Player I think users could be forgiven for assuming that WMP was the originator, and would be installing a trusted WMP codec.

Quote
This trojan transcodes files? Truly the work of an evil, evil mind...

Yes, those articles failed to mention the main issue here.
Title: New trojan infects audio files and spreads if they're shared
Post by: Martel on 2008-07-18 10:22:51
Quote
A new trojan horse malware is being reported in the wild that infects MP3, WMA and WMV files. It secretly converts MP3 files to the WMA format while keeping the MP3 file extension and adding a special WMA tag that asks the user to install a supposedly missing audio codec. When the user downloads and installs the fake missing codec, the trojan horse sets a registry key that disables the "missing codec" popup, making it seem as if the installation was successful. Meanwhile, it's silently infecting all those media files it can find on that PC, including converting all MP3s to WMA and adding that special tag. Windows Media Player does not mind the wrong extension and plays them back normally.

When those files are shared, they will display the "missing codec" notice again on other PCs, and if that codec is installed, the infection is spreading once again. If Winamp is installed (which can't play the fake MP3 files which really are WMA), its configuration is changed so that all media files will be played by Windows Media Player again instead.

More info:
http://blog.trendmicro.com/infectious-music-malware-style/
http://www.trustedsource.org/blog/132/Trojan-infecting-multimedia-files

I don't understand the mention about changing default player from Winamp to WMP. You would have to launch the file in WMP for the first time to get the infection (which you probably will not as you have Winamp as default player). So anyone using an alternative media player is immune, unless they tried to play the file back in WMP after their regular player fails.
Title: New trojan infects audio files and spreads if they're shared
Post by: CiTay on 2008-07-18 11:39:31
Some more info on this: http://www.kaspersky.com/news?id=207575664

So with the help of Trojan-Proxy.Win32.Agent, the infected PC is potentially under full external control, or at least they can eavesdrop on your online banking and other important information.


And here's some infection reports of what could become a true epidemic in popular P2P places. Let's analyze some of these to enter the minds of some unsuspecting users, shall we?

1) http://www.techsupportforum.com/microsoft-support/internet-explorer-forum/267191-flash-codec.html

This user has an up-to-date AV program that warns him of a trojan horse. He questions whether his Antivirus program is to be trusted and ponders ignoring the warning to get rid of the popups.


2) http://www.technologyquestions.com/technology/windows-media/234743-need-help-removing-virus.html

Here some users might have only downloaded infected MP3s, but have not yet installed the fake codec themselves (later however, some users report infection of all their MP3 files). One user suggests a solution that gets rid of the popup messages, advertising it as "deleting the problem" (in fact, it leaves all files and the PC infected). Another user further down recommends running an "fmpeg.exe" from an unknown website to clean the MP3s.


3) http://forums.winamp.com/showthread.php?threadid=292924

Winamp users complain about the effects of the trojan, at first not knowing the cause. After some deliberation, the same fmpeg.exe is suggested to clean the MP3s, leaving the PC still infected by Trojan-Proxy.Win32.Agent.


I think you can draw your own conclusions from this. For the average user, this issue is pretty complicated to grasp, and most just want to get rid of the popups. The easiest way of which appears for them to be the installation of the "codec". If they become aware of an infection, they use insufficient means to get rid of it.
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-18 13:20:15
Quote
Still, i don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP.

It's problematic to leave out Windows Media when configuring a computer for the average user. There are plenty of websites with streaming in WM format, working only with Explorer and Media Player. I of course would go around these sites myself. But the user doesn't understand why my secure computer does not play his online TV, radio, or social networking site.
Title: New trojan infects audio files and spreads if they're shared
Post by: eofor on 2008-07-18 13:30:00
Quote
Still, i don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP


Both Quicktime and Winamp have had their share of metadata exploits, so I wouldn't be too harsh on WMP users.
Title: New trojan infects audio files and spreads if they're shared
Post by: 2Bdecided on 2008-07-18 14:55:04
Quote
What's so special about that, that it justifies a news entry?

That's a very silly thing to say Lyx. For most normal users, this could be the biggest digital audio news story since they bought an mp3 player.

I love the naive geek mentality in this thread that people deserve to be punished for using WMP. I know some true nerds find it impossible to grasp, but some "normal" people actually buy computers to do things beyond maintaining the computer itself!


As an example, I would say one of the biggest new uses of PC in the UK recently is the BBC iPlayer. Its success is phenomenal, and threatens to bring ISPs to their knees - try using the high quality version without WMP!

This is what people buy PCs for - to play their music, email friends, watch video etc etc etc. If it crashes around their ears, it's not their fault.

Imagine if we were talking about cars. What if you popped a CD from a friend into the factory fitted stereo, and it spontaneously wrecked every subsequent CD you put in, and made the car crash! Would any sane person be saying "well, it serves these idiots right who rely on the factory fitted stereo - what do they expect?".

It's not a reasonable attitude. I know where the fault lies, and it's not with the users.

Mind you, that nice codec download functionality in WMP (from at least 6.4 onwards) is very useful for "normal" users. It's how my Mum-in-law managed to watch the first videos of our son on the same day he was born. I can't imagine her downloading and installing VLC quite as easily as simply opening the attachment I sent her and clicking OK to everything that followed.

Cheers,
David.
Title: New trojan infects audio files and spreads if they're shared
Post by: /mnt on 2008-07-18 15:09:52
OMFG a trojan that transcodes audio files, and set WMP as the default player. That is a really nasty evil pos virus.

Looks like its main target is for the average and computer n00b user, who have that awful something for nothing attitude.
Title: New trojan infects audio files and spreads if they're shared
Post by: noorotic on 2008-07-18 15:27:54
So, how can you tell an mp3 from a wma, say in a hex editor?  There are tag areas and headers, but I can change an .mp3 to .wma and many utilities take the 'word' of the file extension, and go ahead and report bitrate, etc.

I had an incident around the time of Vista SPI, where as I recall, I 'caught' WMP (which I try to keep from launching in spite of its determination to do so), resizing my cover art in album mp3 folders, and embedding it in the mp3s.  I have mp3s (of cds I own) which are encoded by such as fhg, at 96kbps, and I've never been able to figure this out.  I have used LAME as long as I can remember.  Dylan is a big target.

Is this the trojan?  I always thought it was MS being helpful.  It really has infuriated me.

I use Foobar2000, and it plays them fine.  There is also a folder full of some sort of copies of the album art?  Is this just part of Vista?  It scares me how helpful they can be.  If you want to use WMP, it is probably very nice, but if it cranks, it is going to index every file on your computer and is nearly impossible to shut off. 

AVG reports no problems here.  I cannot find anything with google about actually detecting the thing.  Could it be a hoax?
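
For the question above about telling an MP3 from a WMA by content, an added example (not part of the thread or any poster's code): ASF, the container behind WMA/WMV, begins with a fixed 16-byte GUID, while an MP3 begins with an `ID3` tag or an MPEG frame sync, so an `.mp3` whose content is ASF can be flagged without trusting the extension. Treating the ASF Script Command Object as the place to look for the trojan's "special tag" is an assumption (the thread never names the object), and the sample bytes are constructed.

```python
"""Tell ASF (WMA/WMV) from MPEG audio by content and flag extension mismatches."""
import struct
import sys
import uuid
from pathlib import Path

# ASF GUIDs are stored with their first three fields little-endian, so in a hex
# editor an ASF file starts: 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
ASF_EXTENSIONS = {".wma", ".wmv", ".asf"}
READ_LIMIT = 1 << 20  # header objects sit at the start of the file


def is_mpeg_frame_header(h: bytes) -> bool:
    """True if h starts with a plausible MPEG audio frame header (FF Ex/Fx ...)."""
    return (len(h) >= 3 and h[0] == 0xFF and (h[1] & 0xE0) == 0xE0
            and ((h[1] >> 3) & 3) != 1    # reserved MPEG version
            and ((h[1] >> 1) & 3) != 0    # reserved layer
            and (h[2] >> 4) != 0xF        # invalid bitrate index
            and ((h[2] >> 2) & 3) != 3)   # reserved sample rate


def sniff(data: bytes) -> str:
    """Classify by content, ignoring the file name: 'asf', 'mpeg-audio' or 'unknown'."""
    if data[:16] == ASF_HEADER.bytes_le:
        return "asf"
    pos = 0
    if data[:3] == b"ID3" and len(data) >= 10:
        size = 0
        for b in data[6:10]:              # ID3v2 size: 4 bytes, 7 bits each
            size = (size << 7) | (b & 0x7F)
        pos = 10 + size + (10 if data[5] & 0x10 else 0)  # optional footer
    # Heuristic: accept a frame header within 4 KiB of where audio should start.
    for i in range(pos, min(pos + 4096, len(data) - 2)):
        if is_mpeg_frame_header(data[i:i + 3]):
            return "mpeg-audio"
    return "unknown"


def asf_header_objects(data: bytes) -> list:
    """Return the GUIDs of the objects nested in the ASF Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER.bytes_le:
        return []
    header_size, count = struct.unpack_from("<QI", data, 16)
    end, pos, found = min(header_size, len(data)), 30, []
    for _ in range(count):
        if pos + 24 > end:
            break                          # truncated or lying header
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24:
            break                          # malformed object, stop walking
        found.append(uuid.UUID(bytes_le=data[pos:pos + 16]))
        pos += size
    return found


def inspect_file(path: Path) -> dict:
    with open(path, "rb") as fh:
        data = fh.read(READ_LIMIT)
    kind = sniff(data)
    objects = asf_header_objects(data) if kind == "asf" else []
    return {
        "path": str(path),
        "content": kind,
        "disguised_asf": kind == "asf" and path.suffix.lower() not in ASF_EXTENSIONS,
        # Legitimate files can carry script commands too: a lead, not a verdict.
        "has_script_commands": ASF_SCRIPT_COMMAND in objects,
    }


def scan(root: Path, extensions=(".mp3", ".wma", ".wmv")) -> list:
    """Inspect media files under root; return only those worth a closer look."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in extensions:
            result = inspect_file(p)
            if result["disguised_asf"] or result["has_script_commands"]:
                findings.append(result)
    return findings


def constructed_asf(with_script: bool) -> bytes:
    """Minimal ASF header for testing (constructed, not a real media file)."""
    payload = b""
    if with_script:
        body = b"\x00" * 20                # placeholder; only GUID and size are parsed
        payload = ASF_SCRIPT_COMMAND.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    count = 1 if with_script else 0
    return ASF_HEADER.bytes_le + struct.pack("<QIBB", 30 + len(payload), count, 1, 2) + payload


# Constructed: empty ID3v2.3 tag followed by one MPEG-1 Layer III frame header.
CONSTRUCTED_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 32

if __name__ == "__main__":
    for finding in scan(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(finding)
```

Run it with a music folder as the only argument; it reads files and never modifies them.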
Title: New trojan infects audio files and spreads if they're shared
Post by: drbeachboy on 2008-07-18 16:20:20
In this Yahoo press release (http://news.yahoo.com/s/pcworld/20080718/tc_pcworld/148603), HA is mentioned as discussing this new trojan horse virus. JXL (JunkieXL) and CiTay are quoted in the article.

Edit: Spelling
Title: New trojan infects audio files and spreads if they're shared
Post by: ExUser on 2008-07-18 16:42:20
Quote
In this Yahoo press release (http://news.yahoo.com/s/pcworld/20080718/tc_pcworld/148603), HA is mentioned as discussing this new trojan horse virus. JXL (JunkieXL) and CiTay are quoted in the article.

Edit: Spelling


It really makes me smile to see Hydrogenaudio cited by mainstream press. It's been a long journey, but now it feels like we're getting some recognition, even if the name is misspelled in the article.

I wonder if that's enough to make Hydrogenaudio a credible site by Wikipedia standards? Puts a bit of a different spin on the foobar2000 Votes for Deletion page that was up a while back.

I know this is quite off-topic, but there's really nowhere else I'd trust for information about something like this.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-18 17:19:09
Quote
What's so special about that, that it justifies a news entry?
That's a very silly thing to say Lyx. For most normal users, this could be the biggest digital audio news story since they bought an mp3 player.

Still doesn't make sense. Are we now going to report on every WMP exploit out there? You know, in that case, this website really would frequently have "news" :-)

And no, i have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness - they want to use something without understanding it - permanently.... exactly the target audience, which created this kind of "market". And with this noobness, i do not just mean in-depth tech knowledge, but more specifically a mindset which is investigative and self-determined - simple observations, asking questions like "is this trustworthy?" and taking consequences. It doesn't take years to get that microsoft products are not trustworthy.... if one does already - for practical reasons - use an MS OS, then at least keep the amount of additional MS apps down. Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice... and where there are slaves, there will be abuse.

All i see here, is something coming full circle.... again.
Title: New trojan infects audio files and spreads if they're shared
Post by: PatchWorKs on 2008-07-18 17:36:15
Hope this will boost up the adoption of OGG/Vorbis... dhehe !
Title: New trojan infects audio files and spreads if they're shared
Post by: JunkieXL on 2008-07-18 17:37:05
Quote
In this Yahoo press release (http://news.yahoo.com/s/pcworld/20080718/tc_pcworld/148603), HA is mentioned as discussing this new trojan horse virus. JXL (JunkieXL) and CiTay are quoted in the article.

I'm famous biotches! 

Just kidding... 
JXL
Title: New trojan infects audio files and spreads if they're shared
Post by: Gabriel on 2008-07-18 17:54:48
And that is why a computer should never be operated with Administrator/root privileges, but only as a regular/limited user. Unfortunately, the default setup of most Microsoft operating systems is still to always use the computer with full rights, and I can predict that such a trojan will fool many people.
Title: New trojan infects audio files and spreads if they're shared
Post by: Axon on 2008-07-18 18:08:09
Quote
And that is why a computer should never be operated with Administrator/root privileges, but only as a regular/limited user. Unfortunately, the default setup of most Microsoft operating systems is still to always use the computer with full rights, and I can predict that such a trojan will fool many people.


This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.
Title: New trojan infects audio files and spreads if they're shared
Post by: greynol on 2008-07-18 18:29:07
Quote
The fundamental issue is that the user is compelled to download something from an unreputable source

Not exactly.  No one compelled the user to download an infected media file from a disreputable source.
Title: New trojan infects audio files and spreads if they're shared
Post by: JunkieXL on 2008-07-18 18:45:52
I've used WMP for video playback and I can understand how this would happen to the average user.  People typically "trust" Microsoft  applications and follow the suggestions they provide.  Not really the smartest thing to do, but I can see how it happens.

Microsoft needs to make the codecs available in a safer environment instead of pointing their users to outside 3rd party sources.  For instance...any time there is a codec update with iTunes you are provided with the new codec through a secure source from Apple usually included within the program itself.  WMP player just provides a bunch of links and tries to sell you the codec bundles off of their website or have you upgrade WMP to the pro versions...
JXL

edit: grammar
Title: New trojan infects audio files and spreads if they're shared
Post by: [JAZ] on 2008-07-18 19:06:03
Quote
Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could affect easily in a few years most portable players? (since everything is evolving into small computers).  Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

Quote
If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.


"slightly"? For one, this attack could *at most* affect a single user account (and his data). On Windows, usually guarantees that the whole pc is infected.

Also, disabling MS's codec autodownload wouldn't help a bit for this virus, since it doesn't really download a codec (precisely because codecs are downloaded from microsoft!), but instead run a script (which is executed by Media Player, which indeed can be disabled in configuration, and actually something i've always done), which does the download and installs it.


About those that say what has this to do with Hydrogenaudio? well...

A) It's about audio files ( i.e. one gets a media file, goes to play with the standard OS media's player and hi-ho, it has a trojan)
B) It not only installs itself in the computer, but also modifies all other media files on that computer with the trojan, transcoding them if necessary to .wma so that the script can be installed, effectively spreading itself.
C) a consequence of C: all the user's audio files get damaged for life. No way to go back (except if they were .wma to begin with, but that's another story).
D) Several P2P download programs include their own player (which in turn is just media player ). This makes it an incredibly ideal target for easy contamination and spreading.

E) Even if you're safe, you don't download things from untrusted sites, and keep control over every aspect of your computer... thousands of zombie PC's may be spamming you E-mails due to this trojan (or worse).

Definitely, i find an audio related forum a pretty good place to talk about this, so that the info is spread.

[Edit:typos]
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-18 19:22:02
Quote
Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could affect easily in a few years most portable players? (since everything is evolving into small computers).  Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

Yes, i am aware about this, but do not think that something insane becomes sane, just because it is widespread.... more like the opposite.

P.S.: To get an idea how important the mindset, experience and understanding of "trust" is:

1. I have no resident virus protection. Though, webdownloads get scanned on-demand by my virus scanner - but it never finds anything.
2. I have no resident spyware protection. I just run spybot and co about one time per month - but it never finds anything.
3. I have no firewall
4. I do not use automatic updates. I instead patch every 3-6 months and do a system backup before.

Yet, my PC hasn't been infected a single time for over 5 YEARS! How is this possible, since i completely ignore all the safety measures, which according to those magazines are so important? Well, overall, i just do three things:

1. I avoid non-trustworthy and bloated apps.
2. Whenever a download is offered to me, i check if it's trustworthy - very often, this can even be determined just by its presentation and "attitude".
3. I disabled all windows components and services which i do not need, and practically gagged IE in addition to not using it. What isn't there, cannot have exploits.
Title: New trojan infects audio files and spreads if they're shared
Post by: drbeachboy on 2008-07-18 19:42:40
Quote
Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could affect easily in a few years most portable players? (since everything is evolving into small computers). Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

Yes, i am aware about this, but do not think that something insane becomes sane, just because it is widespread.... more like the opposite.
In the beginning Bill Gates wanted computers in the hands of every human being and that has damn near come to fruition. Computer users are not elitist anymore. OS's have become so automatic that you don't even have to think anymore; just click and run. People are conditioned to this way of using computers. Innovation and ease of use has made these types of trojans or worms all the more dangerous.
Title: New trojan infects audio files and spreads if they're shared
Post by: Axon on 2008-07-18 19:42:52
Quote
"slightly"? For one, this attack could *at most* affect a single user account (and his data). On Windows, usually guarantees that the whole pc is infected.
I disagree. On a single-user Linux/MacOSX system, normal users are still going to need to jump to superuser on a regular basis for all kinds of reasons. The enterprising malware creator should have no problem breaking out of luser jail if said luser has sudo access or a root password. Also "merely" getting user access still allows the use of the computer for zombie applications, and possibly even keystroke logging too. Long story short, any security violation of userspace, whether in a restricted security environment or root, is pretty catastrophic.

Quote
Also, disabling MS's codec autodownload wouldn't help a bit for this virus, since it doesn't really download a codec (precisely because codecs are downloaded from microsoft!), but instead run a script (which is executed by Media Player, which indeed can be disabled in configuration, and actually something i've always done), which does the download and installs it.
Oh? OK, I wasn't aware of that. I just figured it was a codec download prompt.
Title: New trojan infects audio files and spreads if they're shared
Post by: dissociative on 2008-07-18 20:02:08
just another reason more for not to use MP3. if you are smart enough Windows Media speaks by itself, well, shame that there's no Windows XP N edition in America lol!
it seems there's no way to completely remove Windows Media player from windows xp by normal means
Title: New trojan infects audio files and spreads if they're shared
Post by: ExUser on 2008-07-18 20:03:18
Quote
just another reason more for not to use MP3.


Musepack forever!
Title: New trojan infects audio files and spreads if they're shared
Post by: Axon on 2008-07-18 20:07:45
Isn't this worth posting on the front page?
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-18 22:52:16
Quote
it seems there's no way to completely remove Windows Media player from windows xp by normal means

It depends on what you see as "normal". Try nLite (http://nliteos.com). Nobody can create an N edition or every removed feature. A lite system can be made much faster and more secure, as M$ itself admitted by creating the NT6 "server core" edition.

Quote
To get an idea how important the mindset, experience and understanding of "trust" is:

My situation exactly!

Quote
As an example, I would say one of the biggest new uses of PC in the UK recently is the BBC iPlayer. Its success is phenomenal, and threatens to bring ISPs to their knees - try using the high quality version without WMP!

I am very sorry to hear that. It effectively makes the possible high quality of the BBC streaming completely irrelevant, as you can't get to it. Seriously, tying oneself with the Media Player is comparable to DRM. What's the matter with people today, when a simple file download can't be accomplished without bothering you to install this or that toolbar.

Quote
Mind you, that nice codec download functionality in WMP (from at least 6.4 onwards) is very useful for "normal" users. It's how my Mum-in-law managed to watch the first videos of our son on the same day he was born.

Does it install good codecs? Ffdshow, Haali Media Splitter, etc? I doubt it. It is unfortunate that today in order to ensure "interoperability" one has to use Windows Media.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-18 23:26:37
Why even have all those codecs? There are so many container formats, container-subformats, videocodecs, audiocodecs, transport-protocols..... if it were drinkable, it would be a barkeepers dream. How did all those weird formats become popular? By exactly those users who want to use something without understanding it.... determined to get what they are commanded to get, without even the option of saying "no, thanks.". This codec-hell only was able to establish itself, by people being "uncritical consumers". Same for various other developments..... so what's the problem if their laziness now bites them in the ass? I don't see any - it feels entirely justified and fair. The only thing which bothers me, is that those developments in some circumstances also hurt responsible users (i.e. outlook worms spamming my inbox) and that it makes the "market" much more difficult to search efficiently (you have to filter out truckloads of crap offers, just to get to the efficient stuff).
Title: New trojan infects audio files and spreads if they're shared
Post by: /mnt on 2008-07-19 00:35:15
Looks like we will be better using AAC or Vorbis 

And christ does Microsoft have a lot of property codecs and container formats (AVI + ASF). Their container formats are that infamous for containing malicious code, that Linux with GNOME would even sometimes warn you before opening it up with a media player, such as Totem or MPlayer.
Title: New trojan infects audio files and spreads if they're shared
Post by: Gabriel on 2008-07-19 08:18:03
Quote
This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.

I am sorry, but I think this is really related to user permissions. A limited user can not install any codec on a Windows box, the process just fails and the shell (explorer) tells the user that he doesn't have enough privileges to do this.
If the thing is a script exploit, then only the user account could be infected, and not the whole computer.
So to me this is really related to users permission, and the way the operating system is set up as default. It seems that OSX got it right, but Microsoft home/desktop OS have it wrong by default until Vista (in which it seems that Microsoft is trying to move to a more correct default setup regarding basic security).
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-19 11:02:34
Quote
It seems that OSX got it right, but Microsoft home/desktop OS have it wrong by default until Vista (in which it seems that Microsoft is trying to move to a more correct default setup regarding basic security).

Unfortunately, the way how MS implemented that pisses anyone off, who does not like windows to manage one's software and who does not like "user-profiles". In other words, anyone who wants to stay in control over his harddrive, instead of MS taking over almost the entire PC, except of one little profile folder in which you still have a voice. Don't understand me wrong, i realize that it is dangerous to have the entire system accessible all the time. But i'd rather solve that with access rights, instead of that UAC-crap.
Title: New trojan infects audio files and spreads if they're shared
Post by: valnar on 2008-07-19 14:39:41
I can only see this affecting people that are very computer illiterate or just plain stupid.

Quote
I research it and get the codec bundles


Uh, okay. 
Title: New trojan infects audio files and spreads if they're shared
Post by: Kitsuned on 2008-07-19 16:09:26
I scanned and updated my sister's computer and Kaspersky had caught this trojan when she tried to grab infected files.  She uses WMP.  I'm not sure she even knew it happened.
Title: New trojan infects audio files and spreads if they're shared
Post by: JeffStickney on 2008-07-19 19:19:49
By default WMP automatically installs codecs.  Under tools-options, pick the "player" tab and clear the checkbox that says "download codecs automatically".
Title: New trojan infects audio files and spreads if they're shared
Post by: Axon on 2008-07-19 19:28:06

This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.

I am sorry, but I think this is really related to user permissions. A limited user can not install any codec on a Windows box, the process just fails and the shell (explorer) tells the user that he doesn't have enough privileges to do this.
At which point the user will type in the admin password and nothing of substance will have been secured.

Quote
If the thing is a script exploit, then only the user account could be infected, and not the whole computer.
At which point the installed malware will happily take credit card numbers at its leisure and employ any number of man-in-the-middle attacks to obtain the Admin password, and nothing of substance will have been secured.

You're not getting it. Reducing user permissions on a single-user system solves nothing. It's meaningless. It may keep badly written malware out, but it is of no benefit to the state of the art that exists today or in the future.
Title: New trojan infects audio files and spreads if they're shared
Post by: slks on 2008-07-19 20:37:07
I don't think this is new, I remember reading about it a couple of years ago. Maybe the transcoding MP3s to WMA part is new. But whatever the case, I don't have to worry since I don't use Windows Media Player.
Title: New trojan infects audio files and spreads if they're shared
Post by: Mr_Rabid_Teddybear on 2008-07-19 23:46:39
Oh how much simpler my life has become since I switched to Linux. Will never look back...  Tra-la-la-la-la... I sing every day...!



(Maybe a cheap shot, just couldn't resist... Have a nice day all!)
Title: New trojan infects audio files and spreads if they're shared
Post by: JeffStickney on 2008-07-20 00:32:02
I don't think this is new, I remember reading about it a couple of years ago. Maybe the transcoding MP3s to WMA part is new. But whatever the case, I don't have to worry since I don't use Windows Media Player.


Even if you don't use it DIRECTLY, many programs will automatically call WMP to open certain files. I just checked my browser (firefox) settings and saw that it is set to open MP3 files with windows media player. That coupled with the default setting to automatically download codecs and all you have to do is visit one page with an infected sound embedded. I hope I'm wrong, but I feel most of us are not quite as safe as we think.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-20 00:40:57
This only affects the "modern" version of WMP.... not that other old one (v6 i think), right? Else i maybe should go dirty and just rename it or something.
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-20 01:00:37
The old mplayer2.exe (version 6.4) is also trying to download codecs all the time. But due to my security settings it never succeeds. The program is actually very stupid. It never finds any codec for OGG, and also comes up every time if 24-bit, 32-bit and float files are unplayable. Every sane program would present me an error box instead of accessing the Internet.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-20 01:04:17
Renamed. Thanks for the info!
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-20 01:49:19
But mplayer2 is just a small program loading msdxm.ocx. Renaming or deleting this program does not remove Windows Media Player from the system.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-20 11:04:14
I know. I just want to break the chain, since assume, that stuff like browsers will call mplayer2.exe. I am currently not concerned about apps embedding mplayer, because of my system setup.
Title: New trojan infects audio files and spreads if they're shared
Post by: noorotic on 2008-07-20 11:38:08
Ok, as someone who was using shorten before FLAC existed, or at the very least was a viable codec, and as someone who enjoys very much following the progress of HA, I ask, why ignore a very real question?  Perhaps because the questioner does not have a comment on every topic raised, each time it is raised?

I truly enjoy HA immensely, but primarily as reader.  I do worry, perhaps too much, due to having spent perhaps too much time and effort (and love) collecting music which is largely unavailable, or was at the time I collected it, to the masses.  I find codecs and the social need for a 'personal favorite' very interesting, and metadata fascinating, the embedding of data within data.

Most others here download their collection, I see it in nearly every thread.  I am connected at 24k due to living in a very rural area, where DSL will be arriving Wednesday!  But, I have met countless others in so many places, and made so many friends, doing it this way.

I bow to the more experienced, the more deserving, the more involved.  I was happy to see the report of the forums gaining some visibility, but so many will come with the questions for which no one here seems to have the answers.  It seems to be very philosophically interesting though.

Bob
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-20 13:06:55
What does downloading of music and the speed of your network have to do with Windows Media Player?
Title: New trojan infects audio files and spreads if they're shared
Post by: Gabriel on 2008-07-20 17:57:09

I am sorry, but I think this is really related to user permissions. A limited user can not install any codec on a Windows box, the process just fails and the shell (explorer) tells the user that he doesn't have enough privileges to do this.
At which point the user will type in the admin password and nothing of substance will have been secured.

Of course, if it happens this way, there is an obvious security issue. Installations should always be manual, and not run from another piece of software. A dialog box asking for admin login/password information from within another software seems highly suspicious (well, at least to me).


You're not getting it. Reducing user permissions on a single-user system solves nothing. It's meaningless. It may keep badly written malware out, but it is of no benefit to the state of the art that exists today or in the future.

Then why is it the default setup of OSX and several Unixes? To me this reduces risk a lot, as the computer can then still be cured/inspected from the administrative account. Any other proposition about how to handle that? (for any piece of software, not specifically WMP)

(btw there are not that many computers that should really be "single user", even in homes there are often several people using a single computer)
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-20 19:39:22
(btw there are not that many computers that should really be "single user", even in homes there are often several people using a single computer)

"User Accounts" are a half-assed approach to multiuser environments though, because the idea comes back from times, where HD-space was an issue. They try to separate apps, from settings and media and do not employ any actual external security (all the security is only OS-internal - as soon as you access the storage from another software, you have full unlimited access). It is this half-assed approach plus stupid stuff like "centralized setting-storages" like registry, which to a large extent is responsible for all the complexity, problems and bureaucracy in nowadays OSes.

The truth is that interface-level, app-level and media-level security and multiuser-support doesn't even need hardwired OS support! Check this out:

- All data except of OS and driver stuff is stored in encrypted filesystem images (truecrypt anyone?)
- This includes the user-environment which is just a "portable" application stored in that image (partially possible already).
- It also includes the applications, which are stored in that image, including their settings (portable apps do that already)
- And of course the user's media
- multiple of such filesystem images can be mounted at the same time. Thus you can for example also mount an encrypted USB-stick or external HDD and then access it - if you know the PW.
- Thus, the OS doesn't even need to know "who" is currently using the PC. Users manage their privacy and security themselves simply by mounting/unmounting their encrypted images.
- User runs with very low access rights to the OS. Thus, he can do whatever he wants inside his images, but cannot damage the OS..... unless he knows the pass to elevate his rights. Interestingly, although he runs at such low privileges, he isn't constantly bothered with access-limitations, because he only needs to elevate his rights if he wants to do something to the OS.
- The OS automatically forbids any modification of unmounted images, unless one elevates ones access rights (thus, any app-level security breach can only affect the currently mounted images).
- add some mechanism to shield password entering during mounting from app-level keyloggers.

What you get:
- all the security of nowadays systems, and significantly more, without all the hassle
- no setups, package-managers, installations or deinstallations (except of just more comfortable "extractors"). Thus, also none of the downsides associated with those.
- easy backups of your data (just copy the image-file(s) and done!)
- full portability of apps, settings and data - from anywhere to anywhere.
- true privacy.... no centrally logged usage-data, own apps and media are internally and externally inaccessible. No worries about recovery of deleted data (as long as your image-encryption isn't broken)
- various niceties for corporate environments
Title: New trojan infects audio files and spreads if they're shared
Post by: caligae on 2008-07-20 20:07:29
The truth is that interface-level, app-level and media-level security and multiuser-support doesn't even need hardwired OS support! Check this out:


Some interesting points although I don't agree with all your ideas.

To stay on-topic: Your concept would not have helped very much with the described trojan. Except for affecting only a single user on the system.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-20 20:24:02
To stay on-topic: Your concept would not have helped very much with the described trojan. Except for affecting only a single user on the system.

Which is impossible to solve without simply not installing software which behaves like WMP. Not even per-application access-restrictions would help here, because the player MUST have access to your audio-media - else it couldn't play it. The only sane solution is to simply not trust untrustworthy applications. The environment may restrict the damage, but there is no way around the simple logic, that if you give an app write-access to certain files, then it can write to them however it likes - if the app is malware-happy, then you shouldn't have given it that access in the first place.
Title: New trojan infects audio files and spreads if they're shared
Post by: shadowking on 2008-07-21 01:46:42
Like gabriel said,  windows illness is because of everyone is admin. Drop access rights of browsers media players etc and 85 % of problems will go away even without an antivirus. The other thing is that there is no package management so you are never really secure.

Vista tries to remedy the issue to an extent. With XP pro try LUA accounts + sudowin and dropmyrights for XP home.
Title: New trojan infects audio files and spreads if they're shared
Post by: prankstare on 2008-07-21 05:29:41
Sweet Jesus! That's why I never trust any automated downloading instructions coming from any programs (in this case the missing codec tip). Except those "new version/upgrade" messages, perhaps not even that.


PS: Good point, 2Bdecided. I too agree with you it's not the average user who takes the blame here, or anywhere or anything. The problem really lies under those "demented" minds that think they know something and go make other lives miserable. Well, sometimes they really are brilliant minds in terms of intelligence, knowledge but look at what they use their brains for. It's totally devastating to see how there's so many remarkable minds but taking their knowledge for granted when they could very well be using it for real good things (and am not just talking about softwares, computers, etc). One doesn't need to know it all but only what they find it's important to them (if I decided to spend my money on a computer just as a 'pastime' hobby - you know, after stressed out from work - is there anything wrong with that? As long as I properly paid for the bloody machine).


Quote
I love the naive geek mentality in this thread that people deserve to be punished for using WMP. I know some true nerds find it impossible to grasp, but some "normal" people actually buy computers to do things beyond maintaining the computer itself!
Title: New trojan infects audio files and spreads if they're shared
Post by: Ojay on 2008-07-21 13:34:06
This trojan transcodes files? Truly the work of an evil, evil mind...


Yes, and not just one file but the whole audio collection on your hard disk.

Maybe a software tool will be released later that will remove the malicious code ... and will offer the users the opportunity to change the extension of affected files from .mp2/.mp3 to .wma ... and so WMA will be the upcoming standard audio format on the web in one year or two - just let the Trojan spread and spread and spread....  ... and as we all know (also from all the discussions in this thread) - it will do so...

That - finally - will be the boost the WindowsMediaAudio format urgently needs....
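
An added illustration, not part of the thread and not written by any poster: the first post says infected files keep their .mp3 extension while the content is really WMA, so a cleanup tool like the one imagined above has to identify files by content rather than by name. This Python sketch flags .mp3/.mp2 files whose leading bytes are the ASF header GUID (the container used by WMA/WMV); the function names and the sample files are constructed for the example.

```python
"""Flag .mp3/.mp2 files whose bytes are really an ASF (WMA/WMV) container."""
import os
import tempfile

# Every ASF file begins with the 16-byte ASF Header Object GUID.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
MPEG_AUDIO_EXTS = {".mp3", ".mp2"}


def id3v2_length(header):
    """Full length of an ID3v2 tag given its 10-byte header, or 0 if none."""
    if len(header) < 10 or header[:3] != b"ID3":
        return 0
    size = 0
    for byte in header[6:10]:
        if byte & 0x80:              # syncsafe size bytes never set the top bit
            return 0
        size = (size << 7) | byte
    footer = 10 if header[5] & 0x10 else 0   # ID3v2.4 footer flag
    return 10 + size + footer


def sniff(path):
    """Classify a file by content: 'asf', 'mpeg-audio' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(16)
        skip = id3v2_length(head)
        if skip:                     # look past a leading ID3v2 tag
            fh.seek(skip)
            head = fh.read(16)
    if head == ASF_HEADER_GUID:
        return "asf"
    # MPEG audio frame sync: 11 set bits at the start of the frame header.
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mpeg-audio"
    return "unknown"


def find_mismatches(root):
    """Return sorted (relative path, detected kind) for every .mp3/.mp2 file
    under root whose content is not MPEG audio."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in MPEG_AUDIO_EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                kind = sniff(full)
            except OSError:
                continue             # unreadable file: skip, do not guess
            if kind != "mpeg-audio":
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)


def demo():
    """Build a throwaway folder of constructed sample files and scan it."""
    id3_empty = b"ID3\x03\x00\x00" + bytes([0, 0, 0, 0])
    id3_4 = b"ID3\x03\x00\x00" + bytes([0, 0, 0, 4]) + b"\x00" * 4
    mpeg = b"\xff\xfb\x90\x00" + b"\x00" * 32
    asf = ASF_HEADER_GUID + b"\x00" * 32
    samples = {                      # all contents are constructed, not real media
        "genuine.mp3": id3_empty + mpeg,
        "bare_frames.mp2": b"\xff\xfd\x80\x00" + b"\x00" * 32,
        "fake.mp3": asf,             # ASF content behind an .mp3 name
        "tagged_fake.MP3": id3_4 + asf,
        "real.wma": asf,             # honest extension, not reported
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_mismatches(root)


if __name__ == "__main__":
    for rel_path, kind in demo():
        print(f"{rel_path}: extension says MPEG audio, content is {kind}")
```

A hit only means the content does not match the extension; it says nothing about whether the file carries the codec prompt, so flagged files still need an antivirus scan.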
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-21 17:03:47
i agree about UA in win (xp at least), but i don't get this:

Quote
At which point the user will type in the admin password and nothing of substance will have been secured.


so a user will press play and then for some reason type in an admin pass - yes, i have to be admin to listen to the music?
Title: New trojan infects audio files and spreads if they're shared
Post by: PatchWorKs on 2008-07-22 09:00:43
Oh how much simpler my life has become since I switched to Linux. Will never look back...  Tra-la-la-la-la... I sing every day...!


I'll never switch my workstation into a server.

I'm just waiting for the upcoming Haiku (http://www.haiku-os.org/) and the future ReactOS (http://www.reactos.org/).
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-22 09:21:05
i wonder when it will be possible to install say adobe video bundle onto react-os, or all this devs expect silly users that are just happy with open-office & firefox in their lives?
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-22 09:38:42
i wonder when it will be possible to install say adobe video bundle onto react-os, or all this devs expect silly users that are just happy with open-office & firefox in their lives?

I don't understand your question. ROS aims for full binary compatibility. It also clearly states, that it is currently far from that, architecturally incomplete and in alpha-state. So no, ROS-Devs do not expect development to stop in the near future.

As for BeOS.... i find the architecture VERY interesting... but i'm not sure if haiku will be efficient in practice.... at least in the near future...... mostly because of lack of software.
Title: New trojan infects audio files and spreads if they're shared
Post by: shadowking on 2008-07-22 10:08:11

Oh how much simpler my life has become since I switched to Linux. Will never look back...  Tra-la-la-la-la... I sing every day...!


I'll never switch my workstation into a server.

I'm just waiting for the upcoming Haiku (http://www.haiku-os.org/) and the future ReactOS (http://www.reactos.org/).


The NT codebase is a server OS and home / pro / server editions are the same beast. Win 9x could be considered the real home edition.
Title: New trojan infects audio files and spreads if they're shared
Post by: Northpack on 2008-07-22 12:59:22
And no, i have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness - they want to use something without understanding it - permanently.... exactly the target audience, which created this kind of "market". And with this noobness, i do not just mean indepth tech knowledge, but more specifically a mindset which is investigative and self-determined - simple observations, asking questions like "is this trustworthy?" and taking consequences. It doesn't take years to get that microsoft products are not trustworthy.... if one does already - for practical reasons - use an MS OS, then at least keep the amount of additional MS apps down. Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice... and where there are slaves, there will be abuse.


I get your point, Lyx, but do you really think that's anything new? Regarding computer technology it's just another consequent step in a long determined development. We talk about a mentality which is rooted in the very fundament of western-scientific culture. Remember the greek myth about Prometheus stealing the fire from the Gods and Zeus' revenge in shape of Pandora's box. As man began to utilize fire instead of just staring at it in awe, he was still sensible enough to cultivate a sense of his outrage. But this sensibility vanished, at the latest, with the rise of modern scientific self-confidence.
Nowadays, we are proud to know about the nature of fire, but plug our lamps and computers into the socket without generally thinking about how the energy is brought to the wire (now we got Castor to take care of Pandora's box, but he's but a mortal...). And honestly - we can't. The very mode of scientific progress is utilization. Our world is a world of utility and the intrinsic complexity of these utilities, which we inescapably depend on, is ever growing. Alienation is the price to pay for any progress. Now geeks like us gladly pay that price. But not everyone can afford such a privation - and why should they? It's knowledge without any vital importance for them. No one has the capacity to be investigative in all the techniques he daily utilizes. You can't be an expert on everything. Most people ain't experts on computer technology - yet they are culturally impelled to utilize it. Technology creates necessity, but people create technology. Thus taking part in the development of technology is a matter of highest responsibility. Great scientists always knew about that. Companies like Microsoft obviously do not. So either you have to blame them or, to be fundamental, you have to blame the overall modern scientific mind - but when you do so, you can't point at anyone other, because you are into that mind yourself (well, I don't suppose you're an Indian Yogi, are you? ).
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-22 13:46:56
No one has the capacity to be investigative in all the techniques he daily utilizes. You can't be an expert on everything. Most people ain't experts on computer technology - yet they are culturally impelled to utilize it.

This is a popular misunderstanding, caused by a typical western tendency to think in one-dimensional extremes (Boolean XOR). With well designed tools, it is not necessary to be an "expert" to use them powerfully and responsibly. In the case of applications, i don't need exactly know HOW it works... i just need to understand the overall underlying meanings and relationships associated with them. I.e. knowing the difference between executable code and media. Knowing that whatever i can do, an application can do as well. Understanding basic stuff about trust. Almost no average user understands ANY of those things! I am not saying that only "geeks" should use computers. I am saying that only people who understand the basic overall principles in computing should use computers. Today's average PC user isn't just "not an expert" - he has no fucking clue about anything... he doesn't even know the difference between data stored on the internet, and data stored on his computer! He is simply a slave which obeys commands which the software gives him. He doesn't observe, doesn't think, doesn't understand, doesn't decide... he is a robot executing commands - an application which will do anything which it is told by anyone and anything.... he is literally the most insecure application ever developed!

- Lyx

P.S.: From a wider POV, this isn't just an issue with western scientific mentality. It's related to the mentality of the entire society: People do not want to make decisions - they just want to function by letting others decide for them. In this case, the application - ANY application - decides for the user. Have you ever seen such a user getting into a conflict, by multiple apps giving the user contradictory commands? They do not investigate which is right... they don't even ask themselves "whom can i trust?".... they just panic and ask "what am i supposed to do?".
Title: New trojan infects audio files and spreads if they're shared
Post by: GeSomeone on 2008-07-22 14:39:26
And no, i have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness ...

So how should N00bs educate themselves if the word is not spread about what is dangerous and what not? Your remark has a distinct "Elite" smell.
Title: New trojan infects audio files and spreads if they're shared
Post by: 2Bdecided on 2008-07-22 14:47:38
I'm hardly a "clueless n00b", but until discovering this, I've always let Windows Media Player grab whatever codecs it wants. As something "integrated" into Windows,  I assumed it was going to a trusted Microsoft service (just like I assume Windows Update does), and assumed it was more safe than (hypothetically) downloading an unknown obscure media player, which, IME, have often been buggy, bundled with spyware, and sometimes conflicted with other codecs on my system.

Still, the point of this thread is to inform. I'm now informed that this is a threat, and will warn everyone I know.

It's another plus point to archiving to optical media - the trojan could attack back-up mp3 files on a spare HDD when it was connected to sync; it would struggle to attack those burnt to DVD-R. Shame - I've more or less given up on DVD-R for backup, and will now have to consider it again.

Cheers,
David.
Title: New trojan infects audio files and spreads if they're shared
Post by: washu on 2008-07-22 14:56:55
I'm hardly a "clueless n00b", but until discovering this, I've always let Windows Media Player grab whatever codecs it wants. As something "integrated" into Windows,  I assumed it was going to a trusted Microsoft service (just like I assume Windows Update does), and assumed it was more safe than (hypothetically) downloading an unknown obscure media player, which, IME, have often been buggy, bundled with spyware, and sometimes conflicted with other codecs on my system.


As far as I'm aware, Windows Media Player can only grab codecs from an approved Microsoft site.  It cannot get codecs from any site directly.  What this trojan does is instruct WMP to open a web browser to the download site.  One more step, but an important distinction.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-22 15:39:34

And no, i have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness ...

So how should N00bs educate themselves if the word is not spread about what is dangerous and what not? Your remark has a distinct "Elite" smell.

"Not spreading a specific kind of info on THIS platform" != "Not spreading a specific kind of info on ANY platform"

I don't care how sentences "smell" to you. You are responsible for your interpretations.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-22 16:10:11
Quote
I'm hardly a "clueless n00b", but until discovering this, I've always let Windows Media Player grab whatever codecs it wants. As something "integrated" into Windows, I assumed it was going to a trusted Microsoft service (just like I assume Windows Update does), and assumed it was more safe than (hypothetically) downloading an unknown obscure media player, which, IME, have often been buggy, bundled with spyware, and sometimes conflicted with other codecs on my system.

Ignoring the validity of those statements, there's a useful implied question in this: What to do about this - what are the alternatives?

For videos, i'd say there are at least two apps, which are significantly more trustworthy than WMP and which aren't too complicated to use. Both however are not "eye-candy" (no skinned interface).

The first most obvious choice is "Media Player Classic". It uses the codecs on the system and from my experience does not execute active scriptcode in mediafiles. Its interface is also quite easy to use (more easy than WMP i'd say) - but it does not automatically download codecs, nor does it do that manually. It by the way is also capable of playing quicktime and real mediafiles, if you have "quicktime alternative" and "real alternative" installed - though, in my experience the support for those two mediatypes doesn't feel stable (feels like lots of wrapper-hacks).

The second - and in my opinion most interesting alternative, is SMplayer. This is a rather clean and simple frontend to mplayer. The interface is also quite similar to media player classic. Most settings are also easily accessible. And the best part: It is not dependent on system codecs! It uses its own codecs which - if you add the full package - can play almost everything, INCLUDING quicktime and real stuff! Because of this, there also are no codec conflicts, and you will never need to download codecs (at least not for trustworthy mediafiles). This is a simple and clean mediaplayer which can truly completely replace all other video-mediaplayers on your system. Its two most obvious flaws currently are: If a video crashes, then only the frontend will terminate, leaving a zombie mplayer-process running which needs to be killed via taskmanager. The second main downside is that if you want widescreen stretching of videos (thus, ignoring aspect ratio) then this cannot be done comfortably - you need to add certain switches to the "mplayer commandline options" in the preferences.
Title: New trojan infects audio files and spreads if they're shared
Post by: 2Bdecided on 2008-07-22 16:30:43
I use VLC. I'm not a fan of it, it's just the least bad thing I've found.

FWIW I just tried SMPlayer - it can't deinterlace HDV in real time on my PC (VLC, not known for being fast, can do this easily). It can't play back DV AVI files at all - it just crashes (this must be some obscure bug/interaction because I can't imagine them releasing it with broken DV AVI support knowingly, but everything else on my system can play them!). SMplayer is fine with WMV though - better than VLC (on my system).

I'm not saying Windows Media Player is "better" than what you've suggested - but my experience illustrates (and confirms!) finding something "better" can turn into a wild goose chase.

(I already have MediaPlayerClassic and use it for DV at home - it respects DV AVI aspect ratios, which not many other programs do).

Cheers,
David.
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-22 16:36:18
Actually Media Player Classic also has own codecs for most formats. Each decoder can be enabled independently.

However, MPlayer is the only program that will play Windows Media formats satisfactorily (apart from Windows itself).
Title: New trojan infects audio files and spreads if they're shared
Post by: JunkieXL on 2008-07-22 17:50:19
Windows Media Classic works well.  I would recommend you install ffdshow if you plan on using it though... You can use this one simple application to decode just about any media type; both audio and A/V as well as many other very useful features.  I'd recommend everyone check it out.

Sourceforge: ffdshow (http://sourceforge.net/projects/ffdshow)
JXL

edit: corrected some typos
Title: New trojan infects audio files and spreads if they're shared
Post by: 2Bdecided on 2008-07-22 18:24:11
IME relying on ffdshow for "decoding just about any media type" is hardly a crash-free experience. Maybe I'm unlucky!

Cheers,
David.
Title: New trojan infects audio files and spreads if they're shared
Post by: JunkieXL on 2008-07-22 19:25:34
I use it primarily for h.264 A/V media in conjunction with the modified windows media classic player and it has always worked well for me.
JXL
Title: New trojan infects audio files and spreads if they're shared
Post by: simonh on 2008-07-22 21:50:59
Sorry, but this is a bit funny. Reminds me of an email I got a few months back, warning me not to open an 'exe' attachment about an undeliverable email.

As Lyx has rightly said, users should be aware of what codecs they are using. If in doubt, thought is needed (i.e. turn brain on temporarily).
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-23 04:03:09
Ffdshow can indeed be used for just about every format. And ffmpeg is the only decoder for certain formats (WM/, Sorenson). But the package has no media splitters (demultiplexers). These must be installed separately.

The updated version: http://ffdshow-tryout.sourceforge.net/ (http://ffdshow-tryout.sourceforge.net/)
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-24 11:01:41
about the windows noobiness, not entirely the users' fault, there is absolutely no good documentation about the OS.

Chapter one should be:
1. how to secure your OS
Title: New trojan infects audio files and spreads if they're shared
Post by: LaserSokrates on 2008-07-24 19:23:14
Chapter one should be:
1. how to secure your OS


Step 1:  Download a real operating system.
Step 2: Install it over your Windows partition.
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-24 19:32:36
Step 3: No, i don't need open office and i don't really care about apache and why is my wi-fi not working? Oh yeah somebody will soon compile another kernel that will make that happen..., common (when i really need to play with some 'real oses' i have putty and remote shell account..., but i need to feel a bit masochistic as well.)
edit: some good reading imho http://www.reactos.org/en/about.html (http://www.reactos.org/en/about.html)
Step 4: Back to unreal os,  where some real tools can be run

---

the real error from some real os:
PANIC: CPU 1: Cache Error (unrecoverable - dcache data) Eframe = 0x90000000208cf3b8
NOTICE - cpu 0 didn't dump TLB, may be hung

yeah, that kind of info really makes me happy...
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-24 19:37:04
Windows can be made lean, fast and secure (maybe not NT6, yet). But it indeed involves replacing most parts of what the user perceives as "Windows". The media player is just one of them. There is also the graphic viewer (WMF bug anyone?), Exploder, Outlook, SMB/NetBIOS, MovieMaker/Sndrec32.

However if you give up Windows completely you're gonna miss some great software. Foobar, Total Commander, IrfanView, EAC... There were complaints about Vista, where buttons were in the wrong places and a couple applications didn't run. Imagine a completely different system, where nothing you are used to works. What's an operating system without programs, programs that you can operate quickly and efficiently?

Windows help is indeed pretty much useless, I agree.
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-24 19:40:15
j7n: now somebody will start with 'wine' 
Title: New trojan infects audio files and spreads if they're shared
Post by: LaserSokrates on 2008-07-24 21:38:52
Well, I claim I too am able to make Windows XP secure, as it involves creating a non-privileged account and installing an anti-virus-scanner. However, this is not default. This and things like this trojan that infects audio files (via WMA) indicate that Windows is flawed by design. Why make a chapter about securing your OS? Why not ship it secure? I don't get it.
What I was just trying to say is: This (trojan) does only work because Windows has a big flaw.
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-24 21:57:58
Quote
Why make a chapter about securing your OS? Why not ship it secure?

both are obviously needed.
Title: New trojan infects audio files and spreads if they're shared
Post by: greynol on 2008-07-24 22:05:31
If some other OS was king, I suppose more efforts would be made to undermine its security instead of Windows.
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-24 22:14:52
M$' target market is people who don't think. When these people insert a CD-ROM they expect a program launching. And as was said earlier, they trust this program. In NT5 Windows went a step further and offered to play music and videos from that CD-ROM (wasting time to scan it first).

In my opinion a secure OS can't have autoplay enabled. But the user would realize that his CD-ROM suddenly doesn't work! I've heard complaints from users whose computers I set up this way. Of course later USB-stick malware spread, but the computers were immune...

By releasing a secure OS, M$ would have to undo what they worked so carefully to build so far. Software that makes decisions for you.
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-24 23:06:57
1. i think that the problem is that there is a large gap between 'chmod 664 oses' and 'my cd won't start oses', that gap OS would nicely cover intermediate user (say a user that wants to write a script or two per month besides clicking around the icons), amiga os comes to my mind....

2. or maybe from a videoguy perspective, say i am buying a more single-task oriented machine, what do i have;

a. win with adobe (+ gazillion small or big OS tools, say avisynth which can save my ass)
b. mac 'that just works'
c. redHat based (overpriced) autodesk smoke* (Why did they pick Red hat, why not opensuse? or ubuntu?)
d. i am sure there is more
e. non-existent combo of a. b. and c.

3. about silly users, say a user needs to make a decision:

a. i will start gimp and do some really nice photo manipulation, but first i need to spend 3 hours googling to make my graphics card work properly
b. oh, ok, there is gimp for unreal os as well, and drivers there seem to work just fine
c. i really like iphone, so the only obvious solution is to be coolish in whole, mac is only logical choice for a real artist.

decisions, decisions...

edit: Darwin would say that the ones with more food will survive, where food is software, what makes things moot is that you have to be sexy as well.
Title: New trojan infects audio files and spreads if they're shared
Post by: Gabriel on 2008-07-25 08:08:29
Well, I claim I too am able to make Windows XP secure, as it involves creating a non-privileged account and installing an anti-virus-scanner. However, this is not default. This and things like this trojan that infects audio files (via WMA) indicate that Windows is flawed by design. Why make a chapter about securing your OS? Why not ship it secure? I don't get it.
What I was just trying to say is: This (trojan) does only work because Windows has a big flaw.

Actually, Microsoft knows pretty well how to ship a secured-by-default OS, but they decided to not ship the consumer OS this way. On the other hand, server versions like win2k3 are way more secured by default. (but note that the win2k3 default config would be totally inappropriate for the casual user)

(and I fully agree that NT5 can be both secured and useable with the proper configuration, which strangely is not the default config)
Title: New trojan infects audio files and spreads if they're shared
Post by: itisljar on 2008-07-25 10:47:27
As I see it, the problem is the users who think that they know "all" about Windows, but it turns out that they know how to install OS and drivers and run keygens and copy cracks for games. Once you start learning about that thingie you work on, you see that there are many things under the hood. A guy I know lost all his important documents because he encrypted them to be green, therefore important, backed them up to external HDD, and reinstalled windows. You know what happened next. And reading about encrypting wasn't the priority, so he never backed up his encryption keys.

A lot of users use pirated windows which they don't update regularly - leaving unpatched security holes. Combine that with "if you are smart and don't run every file you get in the mail, you don't really need firewall and AV" attitude, the disaster is just waiting to happen. You really don't have to run the file - unpatched IE will do that for you.

Windows can be as secure as you make them - and it is up to user to inform him or herself how to be more secure. You can't know nothing and expect things to work for you, it just doesn't happen that way.

As for this nastiness - well, that happens when you are running OS with Administrative rights. Don't do that. Inform others that it isn't really needed, except for installing drivers, and then you have secondary logon feature (sudo  ) for administering system.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-25 11:10:47
A lot of users use pirated windows which they don't update regularly - leaving unpatched security holes. Combine that with "if you are smart and don't run every file you get in the mail, you don't really need firewall and AV" attitude, the disaster is just waiting to happen. You really don't have to run the file - unpatched IE will do that for you.

Interesting. Please explain to me how IE will run something without me doing anything. (BTW: Since i am "smart", i of course don't have outlook, nor do i use a mail client which uses its engine - same for scripting host, scheduler, addressbook, etc.).
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-25 11:44:20
Quote
it is up to user to inform him or herself how to be more secure.

calling users stupid won't really help the situation...., it is helpful as much as this sign:

(http://blog.somestuff.org/images/warning.jpg)
Title: New trojan infects audio files and spreads if they're shared
Post by: LaserSokrates on 2008-07-25 13:26:33
Quote
it is up to user to inform him or herself how to be more secure.

calling users stupid won't really help the situation...., it is helpful as much as this sign:

(http://blog.somestuff.org/images/warning.jpg)


IMHO, this is getting ridiculous. You don't go skiing without training. You mustn't drive a car without a license. But most people who buy a PC, a device so powerful and so advanced, and they think they could just use it. Everyone is "stupid" when he/she does something for the first time. But most PC users don't try to change that. The results are topics like this one or the W32.Blaster story. If the first version of that worm hadn't been coded so badly, consequences would have been much worse. Most users didn't even know that this behaviour was caused by a virus, that it could be aborted with shutdown -a, and that a patch from MS, that had been out for quite some time when Blaster was recent, existed.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-25 14:16:02
Probably depends on how one defines "stupidity/intelligence". I wouldn't call "non-experience" stupidity, nor would i call "experience" intelligence. Stupidity/intelligence IMO is the mindset how one approaches issues, how one deals with information, etc....... in this context, i wouldn't call the lack of experience, knowledge and understanding of most users "stupid" but instead the unwillingness to gain enough of those properties to use computers efficiently and self-responsible. Not having the required understanding to use computers, and consequently not using computers, isn't stupid - it's reasonable. But not having that understanding, yet still using them, is.
Title: New trojan infects audio files and spreads if they're shared
Post by: PatchWorKs on 2008-07-27 10:00:39
Step 1:  Download a real operating system.
Step 2: Install it over your Windows partition.


Haiku (http://www.haiku-os.org/), for example.

An open clone of BeOS (http://en.wikipedia.org/wiki/Beos), the OS optimized for digital media work and was written to take advantage of modern hardware facilities such as symmetric multiprocessing by utilizing modular I/O bandwidth, pervasive multithreading, preemptive multitasking and a custom 64-bit journaling file system known as BFS
Title: New trojan infects audio files and spreads if they're shared
Post by: shadowking on 2008-07-27 11:57:11
j7n: now somebody will start with 'wine' 


Well yes. Why miss out ? because EAC, Burrnnn, irfan and Foobar work near flawless under wine. Even if an app doesn't play nice then some VM solution will do it - running windows vm inside your OS of choice. You could even setup some terminal server and have any OS run the apps as a thin client.
Title: New trojan infects audio files and spreads if they're shared
Post by: ggf31416 on 2008-07-27 14:36:10
IMHO, this is getting ridiculous. You don't go skiing without training. You mustn't drive a car without a license. But most people who buy a PC, a device so powerful and so advanced, and they think they could just use it.


There is a difference between cars and computers. If you make mistakes while driving a car you can kill yourself or kill others but nobody will die if you make a mistake while using a computer.
Title: New trojan infects audio files and spreads if they're shared
Post by: Martel on 2008-07-27 14:37:34
Well yes. Why miss out ? because EAC, Burrnnn, irfan and Foobar work near flawless under wine. Even if an app doesn't play nice then some VM solution will do it - running windows vm inside your OS of choice. You could even setup some terminal server and have any OS run the apps as a thin client.
Well, Foobar 2k might work under Wine but the audio stack the data needs to pass is not as clear as under Windows. If I set 192kHz/24bit resampling to output I don't have much confidence that it reaches the soundcard's DAC without conversion.
There is a difference between cars and computers. If you make mistakes while driving a car you can kill yourself or kill others but nobody will die if you make a mistake while using a computer.
Well, it probably won't cost someone's life but letting your computer be zombified in the hands of a hacker might cause considerable damage (thousands+ of $$). And the fact that court probably won't make you liable for the damage (it is that nasty virus' fault, right?) doesn't help it either. If you were responsible for what your computer does, it will force people to more responsibility and more caring about their own computer's safety.
The car analogy is not a nonsense.
Title: New trojan infects audio files and spreads if they're shared
Post by: shadowking on 2008-07-27 14:51:03


IMHO, this is getting ridiculous. You don't go skiing without training. You mustn't drive a car without a license. But most people who buy a PC, a device so powerful and so advanced, and they think they could just use it.


There is a difference between cars and computers. If you make mistakes while driving a car you can kill yourself or kill others but nobody will die if you make a mistake while using a computer.


Actually yes, That myspace mommy who created a fake profile which led to a teen girl's death.
Title: New trojan infects audio files and spreads if they're shared
Post by: Nick.C on 2008-07-27 15:00:03
Actually yes, That myspace mommy who created a fake profile which led to a teen girl's death.
Arguably that was done with malicious intent rather than a user error affecting only their PC.
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-27 18:16:30
Quote
most people who buy a PC, a device so powerful and so advanced, and they think they could just use it

a. you are saying that 'advanced' equals 'good'?
b. you are saying that 'advanced' equals 'powerful'?

p.s. And yes, i know that kind of thinking is quite modern/politically correct, but how about your own opinion?
Title: New trojan infects audio files and spreads if they're shared
Post by: Slipstreem on 2008-07-27 22:10:13
I would say that "good" is "easily and safely accessible by the masses" personally. Neither any flavour of Linux nor Windows can satisfy both criteria yet, IMHO.

Cheers, Slipstreem. 
Title: New trojan infects audio files and spreads if they're shared
Post by: Martin F. on 2008-07-29 04:38:13
It's another plus point to archiving to optical media - the trojan could attack back-up mp3 files on a spare HDD when it was connected to sync

One could mount HDDs as read-only, too …

To topic: I always thought codecs would only be downloaded from Microsoft. Does the installation procedure for this trojan differ from regular codec installations? I wouldn’t expect to see a confirmation window like the one displayed here: http://www.trustedsource.org/dynamic/blog_...MediaPlayer.png (http://www.trustedsource.org/dynamic/blog_images/48_20080709-ASFHijacker-MediaPlayer.png)
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-07-29 09:14:11
If the read only status depends only on software, one cannot be completely sure.

The problem with these confirmations is that when there are too many of them, the user would no longer pay attention to what's asked there. Also if the trojan horse was called "Windows critical security update.exe", some users could choose to execute it, because they trust Windows.
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-29 09:36:03
i think it is about:

a. aha, apps are stealing extensions again, nothing unusual for windows
b. extensions are (mostly) very important - they define file-type
Title: New trojan infects audio files and spreads if they're shared
Post by: Martel on 2008-07-29 17:07:24
I think that explicit chmod +x would be too much for a normal Windows user. After all those years of double-clicking the .exe files, you could hardly persuade them that this is an improvement.
Title: New trojan infects audio files and spreads if they're shared
Post by: Squeller on 2008-07-29 18:36:11
I think that explicit chmod +x would be too much for a normal Windows user. After all those years of double-clicking the .exe files, you could hardly persuade them that this is an improvement.
You want to express Windows has a very wide user base and Linux does not play a role when it comes to audio? ACK.
Smok3: The extension stealing problem has been much worse in the past IMO. Today, applications generally behave friendlier I think.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-07-29 19:56:13
Technology does not solve human problems - it can only support an already existing human will to change oneself. In other words: Without users being willing to change their mindset, all your tools will be pointless and at worst, just hide problems.
Title: New trojan infects audio files and spreads if they're shared
Post by: smok3 on 2008-07-29 20:40:32
Quote
The extension stealing problem has been much worse in the past IMO. Today, applications generally behave friendlier I think.

I was simulating an 'average user' tinkering.
Title: New trojan infects audio files and spreads if they're shared
Post by: Compact Dick on 2008-08-01 11:56:19
If the read only status depends only on software, one cannot be completely sure.

Even hardware-based write-protection is not foolproof. For example, CHDK [custom Canon firmware] can write to an SD/SDHC card even with the write-protect switch enabled.
Title: New trojan infects audio files and spreads if they're shared
Post by: Lyx on 2008-08-01 17:35:06

If the read only status depends only on software, one cannot be completely sure.

Even hardware-based write-protection is not foolproof. For example, CHDK [custom Canon firmware] can write to an SD/SDHC card even with the write-protect switch enabled.

I think you misunderstood him. With hardware-dependent writeprotection, he probably did NOT mean "there is some hardware part in the chain" but instead that the hardware itself (or more specifically the media itself), can directly block access, instead of just saying "please don't do this and that, okay?". If a hardware writeprotection depends on "the software accepting conventions" then it isn't worth its name. Obviously, this can only be achieved if the MEDIA does already manage itself to some degree, so that the media itself can block access, instead of being dependent on the hardware which uses the media.

An example of true media writeprotection, would be physically blocking access to the media.
Title: New trojan infects audio files and spreads if they're shared
Post by: MedO on 2008-08-01 18:18:47

If the read only status depends only on software, one cannot be completely sure.

Even hardware-based write-protection is not foolproof. For example, CHDK [custom Canon firmware] can write to an SD/SDHC card even with the write-protect switch enabled.

The "write protect"-switch on SD/SDHC cards is just the equivalent of the write protection on compact cassettes or floppy disks. The card doesn't know anything about it, the state has to be sensed and respected by the host (I think the host is violating the specs if it doesn't). This is not a hardware protection. If the write protect switch actually cut the "W/R"-Line of the flashrom chip, that would be pretty much foolproof.
Title: New trojan infects audio files and spreads if they're shared
Post by: LaserSokrates on 2008-08-02 16:32:46
About the write-protection issue: on usb-flash-devices, the controller that actually writes the data is in the stick itself. So, a write-protection should be possible.
Title: New trojan infects audio files and spreads if they're shared
Post by: j7n on 2008-08-03 02:25:34
I unsuccessfully tried to hunt down a USB stick with a R/O switch to safely use on other ppl's potentially infected computers. But apparently this type of modification is much less popular than encryption and frontends for portable applications.
Title: New trojan infects audio files and spreads if they're shared
Post by: Light-Fire on 2008-08-03 04:28:59

If the read only status depends only on software, one cannot be completely sure.

Even hardware-based write-protection is not foolproof. For example, CHDK [custom Canon firmware] can write to an SD/SDHC card even with the write-protect switch enabled.


Because of bad hardware design.
Title: New trojan infects audio files and spreads if they're shared
Post by: dissociative on 2008-08-03 13:39:52
Based on the behaviour you reported for this malware, I can only see this affecting people that are very computer illiterate or just plain stupid.


In those times I sometimes ask myself if there's difference between both categories.
Title: New trojan infects audio files and spreads if they're shared
Post by: Martel on 2008-08-04 15:30:56

Based on the behaviour you reported for this malware, I can only see this affecting people that are very computer illiterate or just plain stupid.


In those times I sometimes ask myself if there's difference between both categories.

Knowledge is a complement to intelligence, not its substitute.
Title: New trojan infects audio files and spreads if they're shared
Post by: jido on 2008-08-13 12:31:19
IMHO, this is getting ridiculous. You don't go skiing without training. You mustn't drive a car without a license. But most people who buy a PC, a device so powerful and so advanced, and they think they could just use it. Everyone is "stupid" when he/she does something for the first time. But most PC users don't try to change that. The results are topics like this one or the W32.Blaster story. If the first version of that worm hadn't been coded so badly, consequences would have been much worse. Most users didn't even know that this behaviour was caused by a virus, that it could be aborted with shutdown -a, and that a patch from MS, that had been out for quite some time when Blaster was recent, existed.

This is silly. People don't buy a computer to have one more worry at home, they just want to use it for stuff computers can do. Like going on Internet, playing music....

Why should they have to learn anything beyond operating the thing?

Answer: because the operation is deficient. It does things that the user did not really ask for, and does not really understand, like running a script when you try to play a music file.

So there is a paradox: we want machines that do more things than we need, because it gets frustrating otherwise, but we need machines that do only what we want, which is very unlikely in this age of automatic updates and other niceties.
Title: New trojan infects audio files and spreads if they're shared
Post by: Paul Sanders on 2008-09-18 18:37:57
Well, so i thought myself. Until a friend of mine, whom i set up his PC for personally - including installing Antivirus software, Firefox and so forth - installed a different fake codec a while ago, infecting himself with some trojan. He is your average PC user, far from being PC illiterate or stupid. He was just not aware of the dangers when he installed that. I think that outside a minority of users who really know about all the dangers implied with internet use, the vast majority of people have no idea that such a codec download could lead to a trojan infection. They probably think it's just another notice, like a new Java version, flash player, or whatever else pops up these days.

Hear hear!  I think this is one of the more insidious ways of spreading a virus, trojan or whatever it is that I have heard of recently, although I did hear tell of one embedded in an (electronic!) photo frame.  Most people think that MP3 files are totally safe.  Indeed I did, until 5 minutes ago.  You've got me worried now... 

Of course people shouldn't download codecs, active X controls (bletch) or any other form of executable that they don't trust.  But how do they know what to trust?  If WINDOWS Media Player says go for it, most people will do so.  *Everything* (executable) should be digitally signed, but whether this applies to codecs I don't actually know.

Paul Sanders
http://www.alpinesoft.co.uk (http://www.alpinesoft.co.uk)
Title: New trojan infects audio files and spreads if they're shared
Post by: d_headshot on 2009-02-01 07:54:28
How can you tell if you have this worm? I'm sure AVG has it in the virus database but I've scanned my computer and thankfully no obvious trojans exist in my laptop. But in case it isn't recognized by AVG, is there a way to tell if you have this worm?
Title: New trojan infects audio files and spreads if they're shared
Post by: pdq on 2009-02-01 13:08:18
The way that you are infected is when you attempt to play a "mp3" file in WMP and it tells you that you need to install software to play it. If this has never happened to you, or if you did not install software when prompted, then your computer is not infected.

The other clue is that these files actually contain WMA data, and most players will refuse to play them because of the mp3 extension.
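
The second clue in the post above can be checked mechanically. This is an added example, not part of the original thread: it reads the start of every `.mp3` file under a folder and reports those that open with the ASF header GUID used by WMA/WMV files instead of MPEG audio. The function names and the sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# GUID of the ASF Header Object that opens every WMA/WMV/ASF file.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


def id3v2_length(head):
    """Byte length of a leading ID3v2 tag, or 0 if the file has none."""
    if len(head) < 10 or head[:3] != b"ID3":
        return 0
    size = head[6:10]
    if any(b & 0x80 for b in size):      # sync-safe integers keep bit 7 clear
        return 0
    body = (size[0] << 21) | (size[1] << 14) | (size[2] << 7) | size[3]
    footer = 10 if head[5] & 0x10 else 0  # optional 10-byte footer flag
    return 10 + body + footer


def is_mpeg_frame_header(h):
    """True if h starts with a plausible MPEG audio frame header."""
    if len(h) < 4 or h[0] != 0xFF or (h[1] & 0xE0) != 0xE0:
        return False
    version = (h[1] >> 3) & 0x03
    layer = (h[1] >> 1) & 0x03
    bitrate = (h[2] >> 4) & 0x0F
    sample_rate = (h[2] >> 2) & 0x03
    # Reject the reserved/invalid values of each field.
    return version != 1 and layer != 0 and bitrate != 15 and sample_rate != 3


def classify(body):
    """Name the container from its first bytes: asf, mpeg-audio or unknown."""
    body = body.lstrip(b"\x00")          # tolerate zero padding after a tag
    if body[:16] == ASF_HEADER_GUID:
        return "asf"
    if is_mpeg_frame_header(body[:4]):
        return "mpeg-audio"
    return "unknown"


def sniff_file(path):
    """Classify a file by content, skipping any ID3v2 tag at the front."""
    with open(path, "rb") as f:
        skip = id3v2_length(f.read(10))
        f.seek(skip)
        return classify(f.read(4096))


def find_disguised(root):
    """Return .mp3 files under root whose content is really ASF (WMA/WMV)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".mp3":
            if sniff_file(path) == "asf":
                hits.append(path)
    return hits


def build_demo_tree(root):
    """Write constructed sample files (not real media) for the demo."""
    root = Path(root)
    asf = ASF_HEADER_GUID + bytes(64)
    # ID3v2.3 tag with a 16-byte body, then an MPEG-1 Layer III frame header.
    mp3 = b"ID3\x03\x00\x00\x00\x00\x00\x10" + bytes(16) + b"\xff\xfb\x90\x00" + bytes(64)
    (root / "shared_track.mp3").write_bytes(asf)   # WMA data, .mp3 name
    (root / "real_track.mp3").write_bytes(mp3)     # genuine MP3 layout
    (root / "album.wma").write_bytes(asf)          # honest WMA, not flagged


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        for hit in find_disguised(demo):
            print("ASF content behind .mp3 extension:", hit.name)
```

A hit only shows that the extension and the container disagree; a file renamed by hand would be reported the same way.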
Title: New trojan infects audio files and spreads if they're shared
Post by: itisljar on 2009-02-02 00:35:23
Interesting. Please explain to me how IE will run something without me doing anything. (BTW: Since i am "smart", i of course don't have outlook, nor do i use a mail client which uses its engine - same for scripting host, scheduler, addressbook, etc.).


Sorry to answer this so late, forgot about this thread.

Buffer overrun. Many applications use the IE engine to display its contents, not just Microsoft's. And it doesn't have to be IE to do that, unpatched Firefox, Opera, or just any software that uses internet connection could possibly be vulnerable to some exploit. All you will see is that window informing that software has crashed, send/don't send. When you next start your computer, the whole windows will run in "virtual machine", and you won't know anything about it.
Or do you think that companies update their software only to add new gadgets? They are (mostly) patching security holes. Some are benign, some are very dangerous. Windows itself isn't the only source of bad software holes.