JAN 12: Malicious Trojan infects Windows Media Player - BX's Silicon Valley (Computers, Technology) - Boxden Articles







EASTLondon
01-12-2005, 06:56 AM
Robert Jaques, vnunet.com, 11 Jan 2005

Security experts have intercepted two malicious Trojans hidden in video files that download and install spyware, diallers and computer viruses when played in Microsoft Windows Media Player.

PandaLabs warned that Trj/WmvDownloader.A and Trj/WmvDownloader.B are spreading through P2P networks hidden in video files. These Trojans take advantage of technology incorporated in Microsoft Windows Media Player called Windows Media Digital Rights Management (DRM), designed to protect the intellectual property rights of multimedia content.

When a user tries to play a protected Windows media file, this technology demands a valid licence. If the license is not stored on the computer, the application will look for it on the internet, so that the user can acquire it directly or buy it. This technology is incorporated through the Windows XP Service Pack 2 + Windows Media Player 10 update.

The video files infected by these Trojans have a .wmv extension and are protected by licences, supposedly issued by the companies overpeer (for Trj/WmvDownloader.A), or protectedmedia (for Trj/WmvDownloader.B).

If the user runs a video file that is infected by one of these Trojans, the files pretend to download the corresponding licence. However, what they actually do is redirect the user to other internet addresses from which they download adware, spyware, diallers (applications that dial-up high rate toll numbers) and viruses, security experts at PandaLabs said.

Below are some examples of the malicious programs and viruses these Trojans download:

Adware/Funweb
Adware/MydailyHoroscope
Adware/MyWay
Adware/MyWebSearch
Adware/Nsupdate
Adware/PowerScan
Adware/Twain-Tech
Dialler Generic
Dialer.NO
Spyware.AdClicker
Spyware/BetterInet
Spyware/ISTbar
Trj/Downloader.GK

"Even though these Trojans have been detected in video files with extremely variable names which can be downloaded through P2P networks like KaZaA or eMule, bear in mind that they can also be distributed through other means, such as files attached to email messages, FTP or Internet downloads, floppy disks, CD-ROM, etc," PandaLabs warned.

For further information about Trj/WmvDownloader.A, Trj/WmvDownloader.B or the malicious programs and viruses these Trojans try to download, click here (http://www.pandasoftware.com/virus_info/encyclopedia/)

News article link (http://www.vnunet.com/news/1160436)

EASTLondon
01-12-2005, 07:03 AM
From benedelman.org

Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there's yet another problem to add to the list: Will a media file try to install spyware?

When Windows Media Player encounters a file with certain "rights management" features enabled, it opens the web page specified by the file's creator. This page is intended to help a content provider promote its products -- perhaps other music by the same artist or label. However, the specified web page can show deceptive messages, including pop-ups that try to install software on users' PCs. Users with all the latest updates (Windows XP Service Pack 2 plus Windows Media Player 10) won't get these popups. But with older software, confusing and misleading messages can trick users into installing software they don't want and don't need -- potentially so many programs that otherwise-satisfactory computers become slow and unreliable.

I recently tested a WindowsMedia video file, reportedly circulating through P2P networks, that displays a misleading pop-up which in turn attempts to install unwanted software onto users' computers. I consider the installation misleading for at least three reasons.

http://www.benedelman.org/spyware/images/video-010105-small.png

(1) The pop-up fails to name the software to be installed or the company providing the software, and it fails to give even a general description of the function of the software.

(2) The pop-up claims "You must agree to our terms and conditions" -- falsely suggesting that accepting the installation is necessary to view the requested WindowsMedia video. (It's not.)

(3) Even when a user specifically requests more information about the program to be installed, the pop-up does not provide the requested information -- not even in euphemisms or in provisions hidden mid-way through a long license. Clicking the pop-up's hyperlink opens SpiderSearch's Terms and Conditions -- a page that mentions "receiving ads of adult nature" and that disclaims warranty over any third-party software "accessed in conjunction with or through" SpiderSearch, but that does not disclose installation of any third-party software.

On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs: 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, Winpup32, and VX2 (DirectRevenue).

http://www.benedelman.org/spyware/images/video-programfiles-010105.png

(Most product names are as detected by Lavasoft Ad-Aware.) All told, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer.


Full article link (http://www.benedelman.org/news/010205-1.html)

Kreuz
01-12-2005, 07:54 AM
^^Damn infected by 31 spyware progz. It's a good thing I don't use Windows media player. These spyware creators are on a next level with this crap.

EASTLondon
01-14-2005, 05:15 AM
By Ryan Naraine eweek.com
January 13, 2005

Microsoft Corp. says it has no plans to change the way its Windows Media Player handles the download of DRM licenses.

Amid reports that malicious hackers are using the anti-piracy mechanism to infect computers with spyware, adware, dialers and computer viruses, Microsoft officials stressed that the latest attack scenario does not exploit a vulnerability in the software.

"Not every problem comes with an automatic technology solution. In this case, the priority is to educate users and get them to understand the importance of not downloading files from untrusted sources," said Mike Coleman, lead product manager with Microsoft's Windows division.

"If strangers are trying to entice you to open a file, chances are they're setting you up for a bad experience. We need to continue our work on getting people to understand what's going on and get them to develop better download habits," Coleman told eWEEK.com.

Security experts warn that crackers are rigging .wmv files to use the DRM (digital rights management) features of Windows Media Player to browse sites infested with malware.

The WMP software includes an option to "acquire licenses automatically for protected content." When a user tries to play a DRM-protected file, the software triggers an Internet Explorer browser session and walks the user through the installation process.

Ben Edelman, a Harvard University student who tracks the spyware scourge, has published a demonstration of the exploits and warned that users with older versions of Windows will receive "confusing and misleading messages" regarding the DRM licenses.

After attempting to download the DRM license, Edelman said his test computer became infected with 58 folders, 786 files and a whopping 11,915 registry entries. "Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer," he said.

Tom Liston, a researcher who tracks malicious Internet activity for the SANS Internet Storm Center, said the attack scenario puts users at risk even if they use an alternative browser. "You're only as safe as the version of IE installed on your system."

Panda Software said the rigged video files are being distributed on peer-to-peer networks to dump two Trojans—Trj/WmvDownloader.A and Trj/WmvDownloader.B—on PCs.

Microsoft's Coleman said the company takes all security risks seriously and urged Windows users to take advantage of the protections built into Windows XP Service Pack 2.

"Computers with SP2 would block those pop-ups and block the installation of ActiveX controls. So, in addition to increasing risk awareness and promoting best practices, we have built protections into SP2."

Coleman also recommended the use of Microsoft's new anti-spyware software, which is capable of detecting and deleting unwanted programs.

News Article Link (http://www.eweek.com/article2/0,1759,1751248,00.asp)

PŏisonXL
01-15-2005, 02:10 PM
fu*k this..