New trojan infects audio files and spreads if they're shared

Reply #25
Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a marked of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could affect easily in a few years most portable players? (since everything is evolving into small computers). Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.


"slightly"? For one, this attack could *at most* affect a single user account (and his data). On Windows, it usually guarantees that the whole PC is infected.

Also, disabling MS's codec autodownload wouldn't help a bit for this virus, since it doesn't really download a codec (precisely because codecs are downloaded from Microsoft!), but instead runs a script (which is executed by Media Player, which indeed can be disabled in configuration, and actually something I've always done), which does the download and installs it.


About those that say what has this to do with Hydrogenaudio? well...

A) It's about audio files ( i.e. one gets a media file, goes to play with the standard OS media's player and hi-ho, it has a trojan)
B) It not only installs itself in the computer, but also modifies all other media files on that computer with the trojan, transcoding them if necessary to .wma so that the script can be installed, effectively spreading itself.
C) a consequence of C: all the user's audio files get damaged for life. No way to go back (except if they were .wma to begin with, but that's another story).
D) Several P2P download programs include their own player (which in turn is just Media Player). This makes it an incredibly ideal target for easy contamination and spreading.

E) Even if you're safe, you don't download things from untrusted sites, and keep control over every aspect of your computer... thousands of zombie PCs may be spamming you E-mails due to this trojan (or worse).

Definitely, I find an audio related forum a pretty good place to talk about this, so that the info is spread.

[Edit:typos]
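
An added example, not part of the original thread: a defensive check for whether a Windows Media file carries embedded script commands, the mechanism Reply #25 describes. It assumes the script is stored as an ASF Script Command Object (the GUIDs are from the ASF container specification); the function names and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Object GUIDs from the ASF specification; on disk they use the
# mixed-endian layout that uuid.UUID.bytes_le produces.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_FILE_PROPS = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
OBJ_HDR = 24  # every ASF object starts with a 16-byte GUID and a 64-bit size


def asf_header_objects(data):
    """Yield (guid_bytes, payload) for each object inside the ASF Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        raise ValueError("not an ASF (.wma/.wmv/.asf) file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30  # 24-byte object header + 4-byte object count + 2 reserved bytes
    for _ in range(count):
        if pos + OBJ_HDR > end:
            break  # header is truncated; stop instead of reading past it
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < OBJ_HDR or pos + size > end:
            raise ValueError("malformed object size at offset %d" % pos)
        yield guid, data[pos + OBJ_HDR:pos + size]
        pos += size


def has_script_commands(data):
    """True if the file header carries a Script Command Object."""
    return any(guid == ASF_SCRIPT_COMMAND for guid, _ in asf_header_objects(data))


def _obj(guid, payload=b""):
    # Helper for the constructed sample: GUID + total size + payload.
    return guid + struct.pack("<Q", OBJ_HDR + len(payload)) + payload


def build_sample(with_script):
    """Constructed test input: a minimal ASF header, not a playable file."""
    children = [_obj(ASF_FILE_PROPS, b"\x00" * 80)]
    if with_script:
        children.append(_obj(ASF_SCRIPT_COMMAND, b"\x00" * 20))
    body = b"".join(children)
    top = struct.pack("<QI", 30 + len(body), len(children)) + b"\x01\x02"
    return ASF_HEADER + top + body


if __name__ == "__main__":
    for label, flag in (("clean sample", False), ("scripted sample", True)):
        print(label, "->", has_script_commands(build_sample(flag)))
```

A Script Command Object is also used legitimately for captions and URL markers, so a hit marks a file for closer inspection rather than proving infection.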

Reply #26
Quote
Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a marked of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could affect easily in a few years most portable players? (since everything is evolving into small computers). Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

Yes, I am aware of this, but do not think that something insane becomes sane, just because it is widespread.... more like the opposite.

P.S.: To get an idea how important the mindset, experience and understanding of "trust" is:

1. I have no resident virus protection. Though, web downloads get scanned on-demand by my virus scanner - but it never finds anything.
2. I have no resident spyware protection. I just run Spybot and co about one time per month - but it never finds anything.
3. I have no firewall.
4. I do not use automatic updates. I instead patch every 3-6 months and do a system backup before.

Yet, my PC hasn't been infected a single time for over 5 YEARS! How is this possible, since I completely ignore all the safety measures, which according to those magazines are so important? Well, overall, I just do three things:

1. I avoid non-trustworthy and bloated apps.
2. Whenever a download is offered to me, I check if it's trustworthy - very often, this can even be determined just by its presentation and "attitude".
3. I disabled all Windows components and services which I do not need, and practically gagged IE in addition to not using it. What isn't there, cannot have exploits.
I am arrogant and I can afford it because I deliver.

Reply #27
Quote
Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a marked of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could affect easily in a few years most portable players? (since everything is evolving into small computers). Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

Yes, I am aware of this, but do not think that something insane becomes sane, just because it is widespread.... more like the opposite.
In the beginning Bill Gates wanted computers in the hands of every human being and that has damn near come to fruition. Computer users are not elitist anymore. OSes have become so automatic that you don't even have to think anymore; just click and run. People are conditioned to this way of using computers. Innovation and ease of use have made these types of trojans or worms all the more dangerous.
Surf's Up!
"Columnated Ruins Domino"

Reply #28
Quote
"slightly"? For one, this attack could *at most* affect a single user account (and his data). On Windows, it usually guarantees that the whole PC is infected.
I disagree. On a single-user Linux/MacOSX system, normal users are still going to need to jump to superuser on a regular basis for all kinds of reasons. The enterprising malware creator should have no problem breaking out of luser jail if said luser has sudo access or a root password. Also "merely" getting user access still allows the use of the computer for zombie applications, and possibly even keystroke logging too. Long story short, any security violation of userspace, whether in a restricted security environment or root, is pretty catastrophic.

Quote
Also, disabling MS's codec autodownload wouldn't help a bit for this virus, since it doesn't really download a codec (precisely because codecs are downloaded from Microsoft!), but instead runs a script (which is executed by Media Player, which indeed can be disabled in configuration, and actually something I've always done), which does the download and installs it.
Oh? OK, I wasn't aware of that. I just figured it was a codec download prompt.

Reply #29
Just one more reason not to use MP3. If you are smart enough, Windows Media speaks for itself. Well, shame that there's no Windows XP N edition in America lol!
It seems there's no way to completely remove Windows Media Player from Windows XP by normal means.


Reply #31
Isn't this worth posting on the front page?

Reply #32
It seems there's no way to completely remove Windows Media Player from Windows XP by normal means.

It depends on what you see as "normal". Try nLite. Nobody can create an N edition for every removed feature. A lite system can be made much faster and more secure, as M$ itself admitted by creating the NT6 "server core" edition.

Quote
To get an idea how important the mindset, experience and understanding of "trust" is:

My situation exactly!

Quote
As an example, I would say one of the biggest new uses of PC in the UK recently is the BBC iPlayer. Its success is phenomenal, and threatens to bring ISPs to their knees - try using the high quality version without WMP!

I am very sorry to hear that. It effectively makes the possible high quality of the BBC streaming completely irrelevant, as you can't get to it. Seriously, tying oneself to the Media Player is comparable to DRM. What's the matter with people today, when a simple file download can't be accomplished without bothering you to install this or that toolbar?

Quote
Mind you, that nice codec download functionality in WMP (from at least 6.4 onwards) is very useful for "normal" users. It's how my Mum-in-law managed to watch the first videos of our son on the same day he was born.

Does it install good codecs? Ffdshow, Haali Media Splitter, etc? I doubt it. It is unfortunate that today in order to ensure "interoperability" one has to use Windows Media.

Reply #33
Why even have all those codecs? There are so many container formats, container subformats, video codecs, audio codecs, transport protocols..... if it were drinkable, it would be a barkeeper's dream. How did all those weird formats become popular? By exactly those users who want to use something without understanding it.... determined to get what they are commanded to get, without even the option of saying "no, thanks.". This codec-hell only was able to establish itself by people being "uncritical consumers". Same for various other developments..... so what's the problem if their laziness now bites them in the ass? I don't see any - it feels entirely justified and fair. The only thing which bothers me is that those developments in some circumstances also hurt responsible users (i.e. Outlook worms spamming my inbox) and that it makes the "market" much more difficult to search efficiently (you have to filter out truckloads of crap offers, just to get to the efficient stuff).
I am arrogant and I can afford it because I deliver.

Reply #34
Looks like we will be better using AAC or Vorbis

And Christ, does Microsoft have a lot of proprietary codecs and container formats (AVI + ASF). Their container formats are that infamous for containing malicious code, that Linux with GNOME would even sometimes warn you before opening it up with a media player, such as Totem or MPlayer.
"I never thought I'd see this much candy in one mission!"

Reply #35
This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.

I am sorry, but I think this is really related to user permissions. A limited user cannot install any codec on a Windows box, the process just fails and the shell (explorer) tells the user that he doesn't have enough privileges to do this.
If the thing is a script exploit, then only the user account could be infected, and not the whole computer.
So to me this is really related to user permissions, and the way the operating system is set up as default. It seems that OSX got it right, but Microsoft home/desktop OSes have it wrong by default until Vista (in which it seems that Microsoft is trying to move to a more correct default setup regarding basic security).

Reply #36
It seems that OSX got it right, but Microsoft home/desktop OSes have it wrong by default until Vista (in which it seems that Microsoft is trying to move to a more correct default setup regarding basic security).

Unfortunately, the way MS implemented that pisses off anyone who does not like Windows managing one's software and who does not like "user-profiles". In other words, anyone who wants to stay in control over his harddrive, instead of MS taking over almost the entire PC, except for one little profile folder in which you still have a voice. Don't get me wrong, I realize that it is dangerous to have the entire system accessible all the time. But I'd rather solve that with access rights, instead of that UAC-crap.
I am arrogant and I can afford it because I deliver.

Reply #37
I can only see this affecting people that are very computer illiterate or just plain stupid.

Quote
I research it and get the codec bundles


Uh, okay. 

Reply #38
I scanned and updated my sister's computer and Kaspersky had caught this trojan when she tried to grab infected files.  She uses WMP.  I'm not sure she even knew it happened.
foobar 0.9.6.8
FLAC -5
LAME 3.98 -V3

Reply #39
By default WMP automatically installs codecs.  Under tools-options, pick the "player" tab and clear the checkbox that says "download codecs automatically".

Reply #40

This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.

I am sorry, but I think this is really related to user permissions. A limited user cannot install any codec on a Windows box, the process just fails and the shell (explorer) tells the user that he doesn't have enough privileges to do this.
At which point the user will type in the admin password and nothing of substance will have been secured.

Quote
If the thing is a script exploit, then only the user account could be infected, and not the whole computer.
At which point the installed malware will happily take credit card numbers at its leisure and employ any number of man-in-the-middle attacks to obtain the Admin password, and nothing of substance will have been secured.

You're not getting it. Reducing user permissions on a single-user system solves nothing. It's meaningless. It may keep badly written malware out, but it is of no benefit to the state of the art that exists today or in the future.

Reply #41
I don't think this is new, I remember reading about it a couple of years ago. Maybe the transcoding MP3s to WMA part is new. But whatever the case, I don't have to worry since I don't use Windows Media Player.

Reply #42
Oh how much simpler my life has become since I switched to Linux. Will never look back...  Tra-la-la-la-la... I sing every day...!



(Maybe a cheap shot, just couldn't resist... Have a nice day all!)
"ONLY THOSE WHO ATTEMPT THE IMPOSSIBLE WILL ACHIEVE THE ABSURD"
        - Oceania Association of Autonomous Astronauts

Reply #43
I don't think this is new, I remember reading about it a couple of years ago. Maybe the transcoding MP3s to WMA part is new. But whatever the case, I don't have to worry since I don't use Windows Media Player.


Even if you don't use it DIRECTLY, many programs will automatically call WMP to open certain files. I just checked my browser (Firefox) settings and saw that it is set to open MP3 files with Windows Media Player. That coupled with the default setting to automatically download codecs and all you have to do is visit one page with an infected sound embedded. I hope I'm wrong, but I feel most of us are not quite as safe as we think.

Reply #44
This only affects the "modern" version of WMP.... not that other old one (v6 I think), right? Else I maybe should go dirty and just rename it or something.
I am arrogant and I can afford it because I deliver.

Reply #45
The old mplayer2.exe (version 6.4) is also trying to download codecs all the time. But due to my security settings it never succeeds. The program is actually very stupid. It never finds any codec for OGG, and also comes up every time if 24-bit, 32-bit and float files are unplayable. Every sane program would present me an error box instead of accessing the Internet.

Reply #46
Renamed. Thanks for the info!
I am arrogant and I can afford it because I deliver.

Reply #47
But mplayer2 is just a small program loading msdxm.ocx. Renaming or deleting this program does not remove Windows Media Player from the system.

Reply #48
I know. I just want to break the chain, since I assume that stuff like browsers will call mplayer2.exe. I am currently not concerned about apps embedding mplayer, because of my system setup.
I am arrogant and I can afford it because I deliver.

Reply #49
Ok, as someone who was using shorten before FLAC existed, or at the very least was a viable codec, and as someone who enjoys very much following the progress of HA, I ask, why ignore a very real question?  Perhaps because the questioner does not have a comment on every topic raised, each time it is raised?

I truly enjoy HA immensely, but primarily as reader.  I do worry, perhaps too much, due to having spent perhaps too much time and effort (and love) collecting music which is largely unavailable, or was at the time I collected it, to the masses.  I find codecs and the social need for a 'personal favorite' very interesting, and metadata fascinating, the embedding of data within data.

Most others here download their collection, I see it in nearly every thread.  I am connected at 24k due to living in a very rural area, where DSL will be arriving Wednesday!  But, I have met countless others in so many places, and made so many friends, doing it this way.

I bow to the more experienced, the more deserving, the more involved. I was happy to see the report of the forums gaining some visibility, but so many will come with the questions for which no one here seems to have the answers. It seems to be very philosophically interesting though.

Bob