New trojan infects audio files and spreads if they're shared, Worm.Win32.GetCodec.a / TROJ_MEDPINCH.A / Trojan.ASF.Hijacker.gen
CiTay
post Jul 17 2008, 22:18
Post #1

Administrator
A new trojan horse malware is being reported in the wild that infects MP3, WMA and WMV files. It secretly converts MP3 files to the WMA format while keeping the MP3 file extension and adding a special WMA tag that asks the user to install a supposedly missing audio codec. When the user downloads and installs the fake missing codec, the trojan horse sets a registry key that disables the "missing codec" popup, making it seem as if the installation was successful. Meanwhile, it's silently infecting all those media files it can find on that PC, including converting all MP3s to WMA and adding that special tag. Windows Media Player does not mind the wrong extension and plays them back normally.

When those files are shared, they will display the "missing codec" notice again on other PCs, and if that codec is installed, the infection is spreading once again. If Winamp is installed (which can't play the fake MP3 files which really are WMA), its configuration is changed so that all media files will be played by Windows Media Player again instead.

More info:
http://blog.trendmicro.com/infectious-music-malware-style/
http://www.trustedsource.org/blog/132/Troj...ultimedia-files
Lyx
post Jul 17 2008, 22:27
Post #2
What's so special about that, that it justifies a news entry?

- Microsoft software has long been known to support "media" that behaves like "applications".
- Microsoft media formats have long been used for hijacking WMP for malicious purposes. It's one of the reasons why I would NEVER use WMP.

The only thing which to me appears to be different here is that the active code is capable of spreading. But that was just a matter of time to happen. Still, I don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP. WMP on the other hand gets more bad press. I like those news - though, it would be nice if it were more emphasized that ONLY MICROSOFT MEDIA PLAYER is affected by this..... just like almost all email worms only affect Outlook.... and so on..... and so on. It's just the same old story again.
CiTay
post Jul 17 2008, 22:35
Post #3

Administrator
QUOTE (Lyx @ Jul 17 2008, 22:27)
I like those news - though, it would be nice if it were more emphasized that ONLY MICROSOFT MEDIA PLAYER is affected by this.....


Which most likely has the biggest market share, just like Internet Explorer still has. Despite all the advancements in other players and browsers, the majority of people still don't seem to change the default app from when the OS was installed.
Lyx
post Jul 17 2008, 22:43
Post #4
Well, you know the myth about lemmings.
JunkieXL
post Jul 17 2008, 22:55
Post #5
Based on the behaviour you reported for this malware, I can only see this affecting people that are very computer illiterate or just plain stupid.

WMP aside...anyone that downloads and installs codecs without at least knowing what they are downloading first and from where is a total idiot. I never allow programs to choose which codecs I use to play back media. I research it and get the codec bundles off of sites I know to be trustworthy and even then I still scan them and check to make sure they are what they are.

I honestly don't feel that this malware has a very good chance of spreading fast.
JXL
CiTay
post Jul 17 2008, 23:02
Post #6

Administrator
Well, so I thought myself. Until a friend of mine, whose PC I set up personally - including installing antivirus software, Firefox and so forth - installed a different fake codec a while ago, infecting himself with some trojan. He is your average PC user, far from being PC illiterate or stupid. He was just not aware of the dangers when he installed that. I think that outside a minority of users who really know about all the dangers implied by internet use, the vast majority of people have no idea that such a codec download could lead to a trojan infection. They probably think it's just another notice, like a new Java version, Flash Player, or whatever else pops up these days.
Canar
post Jul 17 2008, 23:09
Post #7
This trojan transcodes files? Truly the work of an evil, evil mind...
Gow
post Jul 18 2008, 00:51
Post #8
QUOTE (Canar @ Jul 17 2008, 18:09)
This trojan transcodes files? Truly the work of an evil, evil mind...


I wholeheartedly agree with this statement and could not have put it better myself.
Synthetic Soul
post Jul 18 2008, 06:40
Post #9
QUOTE (CiTay @ Jul 17 2008, 23:02)
They probably think it's just another notice, like a new Java version, flash player, or whatever else pops up these days.
If it pops up when you go to play the file in the trusted Windows Media Player I think users could be forgiven for assuming that WMP was the originator, and would be installing a trusted WMP codec.

QUOTE (Canar @ Jul 17 2008, 23:09)
This trojan transcodes files? Truly the work of an evil, evil mind...
Yes, those articles failed to mention the main issue here.
Martel
post Jul 18 2008, 10:22
Post #10
QUOTE (CiTay @ Jul 17 2008, 13:18)
A new trojan horse malware is being reported in the wild that infects MP3, WMA and WMV files. It secretly converts MP3 files to the WMA format while keeping the MP3 file extension and adding a special WMA tag that asks the user to install a supposedly missing audio codec. When the user downloads and installs the fake missing codec, the trojan horse sets a registry key that disables the "missing codec" popup, making it seem as if the installation was successful. Meanwhile, it's silently infecting all those media files it can find on that PC, including converting all MP3s to WMA and adding that special tag. Windows Media Player does not mind the wrong extension and plays them back normally.

When those files are shared, they will display the "missing codec" notice again on other PCs, and if that codec is installed, the infection is spreading once again. If Winamp is installed (which can't play the fake MP3 files which really are WMA), its configuration is changed so that all media files will be played by Windows Media Player again instead.

More info:
http://blog.trendmicro.com/infectious-music-malware-style/
http://www.trustedsource.org/blog/132/Troj...ultimedia-files

I don't understand the mention about changing the default player from Winamp to WMP. You would have to launch the file in WMP for the first time to get the infection (which you probably will not, as you have Winamp as the default player). So anyone using an alternative media player is immune, unless they tried to play the file back in WMP after their regular player fails.
CiTay
post Jul 18 2008, 11:39
Post #11

Administrator
Some more info on this: http://www.kaspersky.com/news?id=207575664

So with the help of Trojan-Proxy.Win32.Agent, the infected PC is potentially under full external control, or at least they can eavesdrop on your online banking and other important information.


And here's some infection reports of what could become a true epidemic in popular P2P places. Let's analyze some of these to enter the minds of some unsuspecting users, shall we?

1) http://www.techsupportforum.com/microsoft-...lash-codec.html

This user has an up-to-date AV program that warns him of a trojan horse. He questions whether his antivirus program is to be trusted and ponders ignoring the warning to get rid of the popups.


2) http://www.technologyquestions.com/technol...ving-virus.html

Here some users might have only downloaded infected MP3s, but have not yet installed the fake codec themselves (later however, some users report infection of all their MP3 files). One user suggests a solution that gets rid of the popup messages, advertising it as "deleting the problem" (in fact, it leaves all files and the PC infected). Another user further down recommends running an "fmpeg.exe" from an unknown website to clean the MP3s.


3) http://forums.winamp.com/showthread.php?threadid=292924

Winamp users complain about the effects of the trojan, at first not knowing the cause. After some deliberation, the same fmpeg.exe is suggested to clean the MP3s, leaving the PC still infected by Trojan-Proxy.Win32.Agent.


I think you can draw your own conclusions from this. For the average user, this issue is pretty complicated to grasp, and most just want to get rid of the popups. The easiest way of which appears for them to be the installation of the "codec". If they become aware of an infection, they use insufficient means to get rid of it.
j7n
post Jul 18 2008, 13:20
Post #12
QUOTE (Lyx @ Jul 18 2008, 00:27)
Still, I don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP.

It's problematic to leave out Windows Media when configuring a computer for the average user. There are plenty of websites with streaming in WM format, working only with Explorer and Media Player. I of course would go around these sites myself. But the user doesn't understand why my secure computer does not play his online TV, radio, or social networking site.
eofor
post Jul 18 2008, 13:30
Post #13
QUOTE
Still, I don't see the problem: WMP users get a justified rude wakeup call for sleeping when they chose WMP


Both Quicktime and Winamp have had their share of metadata exploits, so I wouldn't be too harsh on WMP users.
2Bdecided
post Jul 18 2008, 14:55
Post #14

ReplayGain developer
QUOTE (Lyx @ Jul 17 2008, 22:27)
What's so special about that, that it justifies a news entry?
That's a very silly thing to say Lyx. For most normal users, this could be the biggest digital audio news story since they bought an mp3 player.

I love the naive geek mentality in this thread that people deserve to be punished for using WMP. I know some true nerds find it impossible to grasp, but some "normal" people actually buy computers to do things beyond maintaining the computer itself!


As an example, I would say one of the biggest new uses of a PC in the UK recently is the BBC iPlayer. Its success is phenomenal, and threatens to bring ISPs to their knees - try using the high quality version without WMP!

This is what people buy PCs for - to play their music, email friends, watch video etc etc etc. If it crashes around their ears, it's not their fault.

Imagine if we were talking about cars. What if you popped a CD from a friend into the factory fitted stereo, and it spontaneously wrecked every subsequent CD you put in, and made the car crash! Would any sane person be saying "well, it serves these idiots right who rely on the factory fitted stereo - what do they expect?".

It's not a reasonable attitude. I know where the fault lies, and it's not with the users.

Mind you, that nice codec download functionality in WMP (from at least 6.4 onwards) is very useful for "normal" users. It's how my Mum-in-law managed to watch the first videos of our son on the same day he was born. I can't imagine her downloading and installing VLC quite as easily as simply opening the attachment I sent her and clicking OK to everything that followed.

Cheers,
David.

This post has been edited by 2Bdecided: Jul 18 2008, 14:56
/mnt
post Jul 18 2008, 15:09
Post #15
OMFG, a trojan that transcodes audio files and sets WMP as the default player. That is a really nasty evil pos virus.

Looks like its main target is for the average and computer n00b user, who have that awful something for nothing attitude.

This post has been edited by /mnt: Jul 18 2008, 15:10
noorotic
post Jul 18 2008, 15:27
Post #16
So, how can you tell an mp3 from a wma, say in a hex editor? There are tag areas and headers, but I can change an .mp3 to .wma and many utilities take the 'word' of the file extension, and go ahead and report bitrate, etc.

I had an incident around the time of Vista SP1, where as I recall, I 'caught' WMP (which I try to keep from launching in spite of its determination to do so) resizing my cover art in album mp3 folders, and embedding it in the mp3s. I have mp3s (of CDs I own) which are encoded by such as FhG, at 96kbps, and I've never been able to figure this out. I have used LAME as long as I can remember. Dylan is a big target.

Is this the trojan? I always thought it was MS being helpful. It really has infuriated me.

I use Foobar2000, and it plays them fine. There is also a folder full of some sort of copies of the album art? Is this just part of Vista? It scares me how helpful they can be. If you want to use WMP, it is probably very nice, but if it cranks, it is going to index every file on your computer and is nearly impossible to shut off.

AVG reports no problems here. I cannot find anything with google about actually detecting the thing. Could it be a hoax?
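Both the disguised files CiTay describes in the opening post (WMA content behind an .mp3 extension) and noorotic's question about telling an MP3 from a WMA in a hex editor come down to looking at the container header instead of the extension. The following Python script is an added example written for this thread, not code from any poster or from any vendor's scanner: it classifies a file by its leading bytes (the ASF Header Object GUID versus an MPEG audio frame sync, skipping any ID3v2 tag) and lists .mp3 files whose content is really ASF. All sample bytes are constructed inside the script.

```python
import tempfile
from pathlib import Path

# ASF (the WMA/WMV container) Header Object GUID as it is stored on disk:
# 75B22630-668E-11CF-A6D9-00AA0062CE6C in ASF's mixed-endian byte layout.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Constructed sample inputs (not real files): a minimal ASF head, a bare
# MPEG audio frame header, the same behind an ID3v2 tag, and a RIFF/WAV head.
SAMPLE_ASF = ASF_HEADER_GUID + bytes(16)
SAMPLE_MP3 = b"\xff\xfb\x90\x00" + bytes(100)
SAMPLE_ID3_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x05" + bytes(5) + SAMPLE_MP3
SAMPLE_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt " + bytes(16)


def id3v2_tag_length(head: bytes) -> int:
    """Total length of a leading ID3v2 tag (10-byte header + body), or 0."""
    if len(head) < 10 or head[:3] != b"ID3":
        return 0
    size = 0
    for b in head[6:10]:  # four syncsafe bytes, 7 bits each
        size = (size << 7) | (b & 0x7F)
    return 10 + size


def is_mpeg_frame_sync(two: bytes) -> bool:
    """An MPEG audio frame header starts with 11 sync bits set."""
    return len(two) == 2 and two[0] == 0xFF and (two[1] & 0xE0) == 0xE0


def sniff_audio_container(data: bytes) -> str:
    """Classify leading bytes as 'asf', 'mp3' or 'unknown'; the extension is ignored."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    off = id3v2_tag_length(data)
    return "mp3" if is_mpeg_frame_sync(data[off:off + 2]) else "unknown"


def sniff_file(path: Path) -> str:
    """Same check on a file, seeking past an ID3v2 tag of any size (cover art can make it huge)."""
    with path.open("rb") as f:
        head = f.read(16)
        if head.startswith(ASF_HEADER_GUID):
            return "asf"
        f.seek(id3v2_tag_length(head))
        return "mp3" if is_mpeg_frame_sync(f.read(2)) else "unknown"


def find_disguised_wma(root: Path) -> list:
    """Relative paths of .mp3 files under root whose content is really ASF,
    which is how the trojan's re-encoded 'MP3' files look on disk."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.mp3")
                  if p.is_file() and sniff_file(p) == "asf")


def demo_scan() -> list:
    """Write the constructed samples into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, blob in [("fake.mp3", SAMPLE_ASF), ("real.mp3", SAMPLE_MP3),
                           ("tagged.mp3", SAMPLE_ID3_MP3), ("song.wma", SAMPLE_ASF)]:
            (root / name).write_bytes(blob)
        return find_disguised_wma(root)


if __name__ == "__main__":
    print(demo_scan())  # ['fake.mp3']
```

Only the first 16 bytes decide the ASF case, so the same check can be applied to a suspicious download before it is ever opened in a player. Point find_disguised_wma at a music folder to list files that carry the wrong extension.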
drbeachboy
post Jul 18 2008, 16:20
Post #17
In this Yahoo press release, HA is mentioned as discussing this new trojan horse virus. JXL (JunkieXL) and CiTay are quoted in the article.

Edit: Spelling

This post has been edited by drbeachboy: Jul 18 2008, 16:21
Canar
post Jul 18 2008, 16:42
Post #18
QUOTE (drbeachboy @ Jul 18 2008, 08:20)
In this Yahoo press release, HA is mentioned as discussing this new trojan horse virus. JXL (JunkieXL) and CiTay are quoted in the article.

Edit: Spelling


It really makes me smile to see Hydrogenaudio cited by mainstream press. It's been a long journey, but now it feels like we're getting some recognition, even if the name is misspelled in the article.

I wonder if that's enough to make Hydrogenaudio a credible site by Wikipedia standards? Puts a bit of a different spin on the foobar2000 Votes for Deletion page that was up a while back.

I know this is quite off-topic, but there's really nowhere else I'd trust for information about something like this.
Lyx
post Jul 18 2008, 17:19
Post #19
QUOTE (2Bdecided @ Jul 18 2008, 15:55)
QUOTE (Lyx @ Jul 17 2008, 22:27)
What's so special about that, that it justifies a news entry?
That's a very silly thing to say Lyx. For most normal users, this could be the biggest digital audio news story since they bought an mp3 player.

Still doesn't make sense. Are we now going to report on every WMP exploit out there? You know, in that case, this website really would frequently have "news" :-)

And no, I have no pity for those "poor noobs".... not because they are noobs, but because they are unwilling to do something about their noobness - they want to use something without understanding it - permanently.... exactly the target audience which created this kind of "market". And with this noobness, I do not just mean in-depth tech knowledge, but more specifically a mindset which is investigative and self-determined - simple observations, asking questions like "is this trustworthy?" and taking consequences. It doesn't take years to get that Microsoft products are not trustworthy.... if one does already - for practical reasons - use an MS OS, then at least keep the amount of additional MS apps down. Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice... and where there are slaves, there will be abuse.

All i see here, is something coming full circle.... again.

This post has been edited by Lyx: Jul 18 2008, 17:31
PatchWorKs
post Jul 18 2008, 17:36
Post #20
Hope this will boost the adoption of OGG/Vorbis... dhehe!

This post has been edited by PatchWorKs: Jul 18 2008, 17:37
JunkieXL
post Jul 18 2008, 17:37
Post #21
QUOTE (drbeachboy @ Jul 18 2008, 07:20)
In this Yahoo press release, HA is mentioned as discussing this new trojan horse virus. JXL (JunkieXL) and CiTay are quoted in the article.

I'm famous biotches!

Just kidding...
JXL
Gabriel
post Jul 18 2008, 17:54
Post #22

LAME developer
And that is why a computer should never be operated with Administrator/root privileges, but only as a regular/limited user. Unfortunately, the default setup of most Microsoft operating systems is still to always use the computer with full rights, and I can predict that such a trojan will fool many people.
Axon
post Jul 18 2008, 18:08
Post #23
QUOTE (Gabriel @ Jul 18 2008, 11:54)
And that is why a computer should never be operated with Administrator/root privileges, but only as a regular/limited user. Unfortunately, the default setup of most Microsoft operating systems is still to always use the computer with full rights, and I can predict that such a trojan will fool many people.


This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.
greynol
post Jul 18 2008, 18:29
Post #24
QUOTE (Axon @ Jul 18 2008, 10:08)
The fundamental issue is that the user is compelled to download something from an unreputable source

Not exactly. No one compelled the user to download an infected media file from a disreputable source.
JunkieXL
post Jul 18 2008, 18:45
Post #25
I've used WMP for video playback and I can understand how this would happen to the average user. People typically "trust" Microsoft applications and follow the suggestions they provide. Not really the smartest thing to do, but I can see how it happens.

Microsoft needs to make the codecs available in a safer environment instead of pointing their users to outside 3rd-party sources. For instance... any time there is a codec update with iTunes you are provided with the new codec through a secure source from Apple, usually included within the program itself. WMP just provides a bunch of links and tries to sell you the codec bundles off of their website or have you upgrade WMP to the pro versions...
JXL

edit: grammar

This post has been edited by JunkieXL: Jul 18 2008, 18:47