Re: Adware Installed through WMA Files in Security

Re: Adware Installed through WMA Files in Security http://www.dslreports.com/forum/r12248644 en Thu, 03 Dec 2009 06:04:13 EDT Thu, 03 Dec 2009 06:04:13 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12306418 suzi : I believe we've seen plenty of evidence that seems to contradict Claria's claims.

»www.pcpitstop.com/gator/Survey.asp

»www.pcpitstop.com/gator/Confused.asp

The same for 180Solutions.

»www.benedelman.org/spyware/180-a···ion.html
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,12306418 Thu, 06 Jan 2005 04:21:36 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12304011 eburger68 : Justin:

These adware companies are full of amazing claims and statements. From a MediaPost article today reporting that McAfee has named adware among the "top nuisances of 2004" ( »www.mediapost.com/dtls_dsp_news.···D=285202 ):

said by MediaPost:
McAfee found that most people with adware on their computers downloaded the programs themselves, the company said it uncovered some instances where adware companies exploited holes in people's browsers to install the programs without their knowledge.

Claria spokesman Scott Eagle said that Claria Corp. does not install any ad-serving software without a user's permission, and that the company has safeguards in place to make sure that software is not surreptitiously installed. A spokesman for 180solutions also said the company's policy is to install software only to users who have consented.

After what we've seen installing through this WMP adware, these kinds of statements are nothing short of enraging.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,12304011 Wed, 05 Jan 2005 21:38:35 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12302805 justin : isn't that EULA amazing? proof right there that they don't expect anyone to read it. Proof that the whole show-accept EULA thing is due to be dragged into the 21st century by a smart class-action lawyer.]]> http://www.dslreports.com/forum/remark,12302805 Wed, 05 Jan 2005 19:33:56 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12302457 eburger68 : Ed:

You wrote:

said by edbott

:

wbpdp.balance.gator.com (gee, what a surprise!)

Yup. So much for Claria's "privacy friendly" installation practices. For more info see Ben's latest:

»www.benedelman.org/news/010405-1.html

But Claria has a long history of this consumer-unfriendly nonsense:

»www.benedelman.org/news/112904-1.html

On a related note: the iSearch.com/iDownload.com EULA contained the following clause:

said by iDownload.com:
In addition, you further understand and agree, by installing the Software, that iSearch and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer, which, in turn, may disable or render inoperative, other software resident on your computer, including software bundled with such adware, or have other adverse impacts on your computer.

This is the same license language that Ben wrote about here:

»www.benedelman.org/news/120704-1.html

I'd normally be pleased as punch to allow these jerks to feast on each other. The problem is that hapless consumers happen to be caught in the middle.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,12302457 Wed, 05 Jan 2005 18:56:19 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12302383 FoMoCo : I'm not suggesting people do this but I deleted the DRM folder a month back for another reason and have had no issues and I use it all the time.
--
When life becomes a drag - floor it - Galaxie 500 ]]> http://www.dslreports.com/forum/remark,12302383 Wed, 05 Jan 2005 18:47:32 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12302210 edbott : On the file I tested, the initial connections were to:

hotsearchbar.com
www.protectedmedia.com
wbpdp.balance.gator.com (gee, what a surprise!)]]> http://www.dslreports.com/forum/remark,12302210 Wed, 05 Jan 2005 18:28:47 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12301335 Transmaster : I like db Poweramp »www.dbpoweramp.com/ it plays everything, you can load what codex's you want MP1 to Ogg Vorbis to MP4 and everything in between. What I really like about is is it comes in sections so you only load what you want. If you just want the player cool, just the converter great, the burner only if you want it. It has the best music file converter I have ever used.

I wonder the above addresses should I enter these into my DSL router in the section the blocks them? or just add them to the blocked list on Spyware Blaster?
--
Real Men use Vacuum tubes, 25 pound filament transformers, and plate voltages no less then 2400 volts...BPL I'm coming to get you ]]> http://www.dslreports.com/forum/remark,12301335 Wed, 05 Jan 2005 17:02:42 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12300881 PatientGuy :

said by WFO

:

LOL..Windows Media Player doesn't even get internet access on my laptop.:D

Same here plus I have Zone Alarm set so IE has to "Always ask for permission" I use Mozilla. ]]> http://www.dslreports.com/forum/remark,12300881 Wed, 05 Jan 2005 16:18:30 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12300612 Doctor Four : I noticed quite a few new entries in the latest MVPS hosts
file when I went to update it before imaging my HDD
last night. I think some of them may be related to the
adware in qauestion as the URLs in the new groups included
xxxtoolbar.com and kanoodle.com, both of which have been
reported to be associated with this threat. (Though
Kanoodle seems to have pulled its ads.)
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.]]> http://www.dslreports.com/forum/remark,12300612 Wed, 05 Jan 2005 15:49:50 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12298842 anon : I'm using the oringinal wmp 6.4.07.1121 that came with internet explorer 6sp1 for 98se.
Am I affected ? And the options dont show the licence thing.]]> http://www.dslreports.com/forum/remark,12298842 Wed, 05 Jan 2005 12:17:47 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12298796 justin : This is a bit offtopic - but on the general subject of explorer being tied into media streams:

I unsubscribed from Real the day I was tricked into subscribing. I wanted to get BBC streams over the web. Real farms out their subscription service so it can entirely be branded by a 3rd party, in this case, BBC. I was tired and didn't realize the only giveaway - real.com - at the end of the subscription sign up form).

I unsubscribed because I realized it was real, and confirmed that in order to use any of the content you have this nightmare integration of real.com web pages, cookies, windows explorer and windows media player. It was a total garbage dump of redirected clicks, cookies, and pop-up windows full of crap trying to get you to extend your subscription. I felt like I'd wandered into a medieval dungeon and got caught in an iron lady. Spent the in total about 2 hours extricating myself.

Even the unsubscribe page makes you THINK you're going to have to speak to someone on the phone, but in the end, gives you a button and a reason field.

And all I wanted was a decent quality BBC news feed :(

Real made their bed with microsoft and explorer and now they are going down with the same ship. Bad luck to them.]]> http://www.dslreports.com/forum/remark,12298796 Wed, 05 Jan 2005 12:12:55 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12298187 anon : Ok, I am an average internet user who got sucked in and I now have all of the files attached to my computer. How can I get rid of them? They are write-protected. Is there one program (ex. Media player) that I can uninstall that will get rid of them all? My computer is not working properly and AOL is useless now. Thanks.]]> http://www.dslreports.com/forum/remark,12298187 Wed, 05 Jan 2005 10:58:51 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12286565 suzi : I see that Ben has updated his write up to include a screenshot of the icon shortcuts placed on his desktop by the malware from the infected file:

»www.benedelman.org/news/010205-1.html

If I'm not mistaken, that icon, which looks like the same one that was left on my desktop, contains an affiliate ID that passes through LinkShare.

www1. us. dell.com/content/topics/segtopic.aspx/odg_special49?c=us&cs=19&l=en&s=dhs&redirect=1

I've disabled the link to prevent giving any accidental clicks or business to that affiliate.

As Ben said:

quote:
Of course, these merchants may not have intended to support spyware developers. For example, merchants may have approved the affiliates without taking time to investigate the affiliates' practices, or the affiliates' actions may be unauthorized by the merchants.

Nevertheless, the affiliate networks like LinkShare and Commission Junction, as well at the companies like Dell, are making profits from these installations.

It's totally outrageous, IMO, and I have a difficult time believing that the affiliate networks and companies could not stop these practices if they chose to.

:mad:
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,12286565 Tue, 04 Jan 2005 01:28:08 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12275327 Doctor Four :

said by eburger68

:

I don't think it will be too long before we start seeing these WMA files outside of P2P networks -- on porn sites offering free "sneak previews," for example, but also on apparently legitimate music sites offering free and legal samples of music available for legitimate download and purchase. Indeed, one can easily spin out a whole raft of potential uses for this particular "feature" of WMA files.

What this does is open a whole new adware channel for web sites and companies looking for new sources of advertising revenue. If you're running a music site, for example, no longer do you have to mar your main web site with sleazy drive-by-downloads -- now you can bundle adware more discretely through the media files offered by the web site. And think how remarkable it is that Overpeer has decided to turn to adware to improve its financial base! Will others start to follow that example? Let's hope not.

That sure as hell sounds like a vector for a Cool Web
Search infection if I ever heard it. I wonder how long
it will be before they start exploiting this particular
loophole?

said by eburger68

:

The real story here is Microsoft's poor implementation of DRM. Indeed, the truly cynical could now point out that the standard, illegal MP3 files that populate P2P networks are in some ways more secure than Microsoft's DRM-enabled WMA files. And that's a sad commentary on the industry's efforts to persuade consumers to accept DRM-enabled content.

What Microsoft needs to do is release a critical update
that closes that loophole. Another adware possibility
for this would be WMA files from a copy protected CD -
when you play them, ads are launched by IE for related
content.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.]]> http://www.dslreports.com/forum/remark,12275327 Sun, 02 Jan 2005 18:22:52 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12275224 suzi :

quote:
anyone who is aware of current security practices shouldn't fall for this stuff.

I can agree with that statement, but I think everyone who is concerned about adware and spyware's implications knows that's not the real point. The truth is that there are thousands of uneducated web surfers who *will* fall for this stuff, either because they don't know any better or they just want to click through in a hurry to get to the "goodies". The adware/spyware pushers will use any method to exploit these uneducated web surfers. And the companies, including Dell, profit from this crap.

I installed the same WMA file on an old Win ME box with no protection except AVG free and the free version of Zone Alarm. I ended up with 11 desktop shortcuts for everything from "Get This Weeks Deals from Dell" to "Get Sex Toys Direct", "Hot Facial xxx Shots", and so on. Not to mention all the other crapware. None of them had EULA's except for the GAIN dash bar. That machine was infected faster than you could take a couple of deep breaths.

It took me nearly 2 hours to clean it up and I know what I'm doing. Image the "normal" user who doesn't have a clue. The computer becomes essentially useless until it's cleaned up.

These practices are just plain wrong, no matter how you look at it, huge security risk or not.

Edited to add: The entire process happened very quickly and I wasn't taking notes. I think I got a warning asking if I wanted to download and install the GAIN dask toolbar and one for the iSeek toolbar. Those are the only 2 I recall out of all the malware I ended up with.

Suzi
aka Spyware Warrior]]> http://www.dslreports.com/forum/remark,12275224 Sun, 02 Jan 2005 18:05:40 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12275073 eburger68 : Ed:

Thanks for posting this summary and for your detailed write-up at your blog site. As will become apparent, I happen to disagree with some of your specific assessments and conclusions, esp. regarding the seriousness of this problem.

You wrote:

said by edbott

:

I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.

Yes, but there are plenty of users out there who will not be running the "latest and greatest." We still need more information about the effect of these files on earlier versions of Internet Explorer and other versions of Windows besides XP SP2. Moreover, even if a properly patched version of Internet Explorer currently prevents complete stealth installations, I have to wonder long will it be before we see IE security exploits that can be combined with the WMA DRM features to bypass the XP SP2 warnings. Past experience with IE suggests not very long, and indeed there is already an unpatched exploit that works on XP SP2 -- see:

»news.com.com/Trojan+horse+threat···709.html
»securityresponse.symantec.com/av···l.a.html

said by edbott

:

The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.

Here I think you draw the wrong conclusions. The fact that the programs in question are digitally signed is absolutely no guarantee of their safety. In fact, the proper conclusion is just the opposite. 95 percent (if not more) of the spyware and adware that we see on the Net is digitally signed, and that fact is damning. As has become blindingly apparent, Versign will issue digital certs to just about anyone, including the worst of the worst who force-install porn dialers on unsuspecting users' computers.

All that digital cert really guarantees is that program was signed by the holder of the cert (whoever that is) and that the program was not altered in transit. It cannot provide users assurances as to the trustworthiness of the holder of the cert, the vendor's privacy practices, or the safety of the program itself.

Finally, as Ben noted in his comment on your blog (see »www.edbott.com/weblog/archives/000340.html ), the installation practices used here hardly "make it clear what you're getting."

said by edbott

:

The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.

This part needs to be emphasized. What we have here is yet another channel for spyware and adware vendors to spring unwanted software on unsuspecting users in completely confusing circumstances. Even though the software is not installed automatically on a properly patched version of Internet Explorer at present, many users will be justifiably confused and think that they must install the program. We already know this happens at web sites that initiate the installation of third-party ActiveX controls. When users encounter this sort of installation prompt in the context of playing what looks to be a DRM-protected media file, it is even more likely that users will come to the erroneous conclusion that the installation is required.

said by edbott

:

You are most likely to acquire one of these "poisoned" WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.

Given that we only just recently discovered this technique for installing adware and spyware, I think it is far too early to declare this problem to be limited primarily to P2P networks. Certainly the first examples of rogue WMA files have been encountered on a P2P network, but as I emphasized in my first post in this thread, I regard the P2P angle to be a red herring.

I don't think it will be too long before we start seeing these WMA files outside of P2P networks -- on porn sites offering free "sneak previews," for example, but also on apparently legitimate music sites offering free and legal samples of music available for legitimate download and purchase. Indeed, one can easily spin out a whole raft of potential uses for this particular "feature" of WMA files.

What this does is open a whole new adware channel for web sites and companies looking for new sources of advertising revenue. If you're running a music site, for example, no longer do you have to mar your main web site with sleazy drive-by-downloads -- now you can bundle adware more discretely through the media files offered by the web site. And think how remarkable it is that Overpeer has decided to turn to adware to improve its financial base! Will others start to follow that example? Let's hope not.

said by edbott

:

If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.

Yes, and that's good to hear. But the majority of the world is not running XP SP2. And as your own testing revealed, even XP SP2 users may encounter the ActiveX Security Warning box if they're running WMP 9 because, as you noted, "it appears that the instance of IE that is being hosted in the WMP9 License Acquisition dialog box is not interacting properly with the security restrictions in SP2" (see »www.edbott.com/weblog/archives/000340.html ). And the minute users encounter that warning box -- which we already know most users find inherently confusing and disorienting even in the context of web pages -- they are at risk for mistakenly installing software they don't want or need, as Ben properly emphasized.

said by edbott

:

If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn't test this scenario.

All of this is good advice, but again many users will not have restricted ActiveX controls in the Internet zone -- they will have accepted the defaults assigned by Microsoft. Moreover, many users will find it too inconvenient to disable ActiveX controls, as doing so can lead to a raft of broken web sites -- a confusing and frustrating experience for non-techies.

said by edbott

:

Clearing the option to acquire software licenses automatically seems to have no effect on this exploit.

Here you raise something else I'm not clear on: PC World recommended unchecking the "Acquire licenses automatically for protected content" box. That's great. But then what? Presumably users then get a prompt to acquire license information when they attempt to play the WMA files. And, of course, most users are simply going to click through the prompt box to get the license information, at which point we're right back where we were with an adware installation being launched. How would users know to do any differently?

Edit: I now understand that on your blog you've essentially confirmed that unchecking "Acquire licenses" doesn't substantially address the problem.

said by edbott

:

I don't see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX "push" installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn't fall for this stuff.

I'm sorry, but I'm going to have to disagree with you here. I think the potential for abuses with this new method for pushing adware and spyware on users is very serious and shouldn't be pooh-poohed. And we shouldn't in any way be suggesting or hinting that the users are themselves the problem here -- they are not. As Ben emphasized, the problem is the media files.

It is absolutely inexcusable that media files should have ever become a vehicle for pushing spyware and adware on unsuspecting users. Media files should simply not be a vehicle for adware installations. Period. That there are preventative measures for this unwelcome behavior and functionality is no excuse for the problem itself. It should have never existed in the first place.

The real story here is Microsoft's poor implementation of DRM. Indeed, the truly cynical could now point out that the standard, illegal MP3 files that populate P2P networks are in some ways more secure than Microsoft's DRM-enabled WMA files. And that's a sad commentary on the industry's efforts to persuade consumers to accept DRM-enabled content.

Eric L. Howes]]> http://www.dslreports.com/forum/remark,12275073 Sun, 02 Jan 2005 17:43:25 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12274368 edbott : I've been following this story for a couple of days. At Eric's request, I'm posting a summary of what I found here. You can get all the details of my tests, including some screen shots, at my blog, where comments are welcome:

»www.edbott.com/weblog/archives/000340.html

The PC World story contained several errors and some misleading statements.

I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.

The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.

The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.

You are most likely to acquire one of these "poisoned" WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.

If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.

If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn't test this scenario.

Clearing the option to acquire software licenses automatically seems to have no effect on this exploit.

I don't see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX "push" installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn't fall for this stuff. ]]> http://www.dslreports.com/forum/remark,12274368 Sun, 02 Jan 2005 15:46:01 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12272038 Schouw :

said by eburger68

:

The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.

I've seen similar cases in 2003, so this isn't exactly a new approach. :)
--
Not speaking for Kaspersky Lab]]> http://www.dslreports.com/forum/remark,12272038 Sun, 02 Jan 2005 08:02:41 EDT Re: which programs get installed http://www.dslreports.com/forum/remark,12271896 GercekSeytan : Great link. Thanks much.]]> http://www.dslreports.com/forum/remark,12271896 Sun, 02 Jan 2005 06:43:18 EDT which programs get installed http://www.dslreports.com/forum/remark,12270980 bedelman : Andrew:

That's another great find, as usual.

I took a look at one of these WindowsMedia files, let it install on a test PC, and made a list of what programs I got. 31 programs, 11000+ registry entries. Not a pretty sight.

Write-up and selected screen-shots »www.benedelman.org/news/010205-1.html .

Ben]]> http://www.dslreports.com/forum/remark,12270980 Sun, 02 Jan 2005 01:10:16 EDT RIAA/MPAA Contractor Deploys Malicious Trojans!! http://www.dslreports.com/forum/remark,12260134 antdude : »it.slashdot.org/article.pl?sid=0···2&tid=17

"Overpeer, the organization responsible for seeding many peer to peer networks with damaged, corrupt and fake files has now found a way of hiding spyware and adware inside Windows Media files by using a DRM loophole and is using this technique to further pollute P2P networks."
--
Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check almost daily)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.]]> http://www.dslreports.com/forum/remark,12260134 Fri, 31 Dec 2004 15:37:18 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12259883 anon : Hi , we have been tracking Overpeers network poison at Bluetack for a while , long before they were bought out by Loudeye corp last year.

Their garbage files are quite easy to find once you know what to look for , and most people will find them as fake file sources on the larger p2p networks such as fasttrack and emule.

I posted a current list of Overpeer IPs in this thread at spyware warrior, »www.spywarewarrior.com/viewtopic.php?t=8920 , but I'll post them here too for those that are interested in avoiding them. :D

OVERPEER Inc:64.14.37.128-64.14.37.159
OVERPEER Inc:64.14.40.160-64.14.40.191
Overpeer Inc:64.14.50.224-64.14.50.255
OVERPEER Inc:64.14.61.64-64.14.61.95
Overpeer Inc:64.14.63.64-64.14.63.95
Overpeer Inc:64.15.164.128-64.15.164.159
Overpeer Inc:64.15.165.0-64.15.165.255
overpeer:64.15.202.0-64.15.202.255
OVERPEER Inc:64.15.226.96-64.15.226.191
OVERPEER Inc:64.15.227.224-64.15.227.255
OVERPEER:64.15.228.16-64.15.228.191
OVERPEER Inc:64.15.228.224-64.15.228.255
overpeer:64.15.229.32-64.15.229.63
Overpeer Inc:64.15.231.64-64.15.231.95
overpeer:64.15.234.128-64.15.234.159
OVERPEER Inc:64.15.234.224-64.15.234.255
Overpeer Inc:64.15.237.128-64.15.237.159
Overpeer Inc:64.15.238.64-64.15.238.95
Overpeer Inc:64.15.239.96-64.15.239.127
overpeer:64.15.245.0-64.15.245.32
Overpeer Inc:64.15.248.0-64.15.248.255
Overpeer Inc:64.15.250.0-64.15.250.31
Overpeer Inc:64.15.254.192-64.15.254.223
Overpeer Inc:64.37.197.0-64.37.197.255
Overpeer Inc:64.39.36.0-64.39.36.31
Overpeer Inc:64.39.51.0-64.39.51.255
Overpeer Inc:64.41.133.160-64.41.133.191
overpeer:64.58.66.192-64.58.66.223
Overpeer Inc:64.70.90.0-64.70.90.255
overpeer:64.75.4.192-64.75.4.223
overpeer:64.85.76.0-64.85.76.255
overpeer:64.92.128.0-64.92.159.255
overpeer:64.209.193.0-64.209.193.255
Overpeer Inc:64.209.230.200-64.209.230.223
Overpeer Inc:64.209.230.244-64.209.230.247
Overpeer Inc:64.211.224.192-64.211.224.223
Overpeer Inc:66.37.217.0-66.37.217.255
Overpeer Inc:66.119.42.160-66.119.42.191
Overpeer Inc:66.128.66.0-66.128.66.255
Overpeer Inc:66.128.225.128-66.128.225.191
Overpeer Inc:66.128.226.0-66.128.226.255
Overpeer Inc:68.167.223.144-68.167.223.159
protectedmedia.com:69.42.75.213-69.42.75.213
Overpeer Inc:206.132.28.0-206.132.28.255
Overpeer Inc:206.132.30.192-206.132.30.223
Overpeer Inc:208.48.64.0-208.48.64.255
OverpeerInc:208.48.65.64-208.48.65.95
OverpeerInc:208.50.134.0-208.50.134.31
OverpeerInc:208.50.162.0-208.50.162.255
OverpeerInc:208.50.172.0-208.50.172.255
OverpeerInc[Network-Poisoning]:209.67.69.160-209.67.69.191
OverpeerInc-Overpeer Inc.:209.67.79.0-209.67.79.255
OverpeerInc-Overpeer Inc.:209.67.193.160-209.67.193.191
OverpeerInc-Overpeer Inc.:209.67.197.0-209.67.197.255
OverpeerInc:209.143.192.0-209.143.192.255
OverpeerInc:209.143.193.192-209.143.193.223
Overpeer Inc:209.143.226.0-209.143.226.255
Overpeer Inc:209.143.249.0-209.143.249.255
Overpeer Inc:209.185.173.0-209.185.173.255
Overpeer Inc:209.202.129.0-209.202.129.255
Overpeer Inc:209.225.29.128-209.225.29.159
Overpeer Inc:209.225.44.0-209.225.44.255
Overpeer Inc:216.19.128.0-216.19.128.255
Overpeer Inc:216.19.160.0-216.19.175.255
Overpeer Inc:216.33.34.0-216.33.34.255
Overpeer Inc:216.33.203.0-216.33.203.255
Overpeer Inc:216.34.36.32-216.34.36.63
Overpeer Inc:216.34.37.0-216.34.37.255
Overpeer Inc:216.34.42.0-216.34.42.255
Overpeer Inc:216.34.78.0-216.34.78.255
Overpeer Inc:216.34.95.0-216.34.95.255
Overpeer-scum-Network-Poisoning:216.34.106.0-216.34.106.255
Overpeer:216.34.160.0-216.34.162.255
Overpeer:216.34.164.0-216.34.175.255
Overpeer Inc:216.34.222.0-216.34.222.255
Overpeer Inc:216.35.64.160-216.35.64.191
Overpeer Inc:216.35.67.32-216.35.67.63
Overpeer Inc:216.35.70.192-216.35.70.223
Overpeer, Overpeer Inc:216.35.71.0-216.35.71.255
Overpeer:216.35.73.128-216.35.73.159
Overpeer:216.35.74.224-216.35.74.255
Overpeer Inc:216.35.77.64-216.35.77.95
Overpeer Inc:216.35.79.64-216.35.79.96
Overpeer Inc:216.35.83.0-216.35.83.255
Overpeer Inc:216.35.172.0-216.35.172.255
Overpeer Inc:216.35.212.96-216.35.212.127
Overpeer Inc:216.35.217.0-216.35.217.255
Overpeer Inc:216.39.34.0-216.39.34.255
Overpeer Inc:216.39.89.0-216.39.89.255
Overpeer Inc:216.48.66.0-216.48.67.31
Overpeer Inc:216.64.212.0-216.64.212.255
overpeer:216.74.130.0-216.74.131.31
overpeer:216.74.134.128-216.74.134.159
overpeer:216.74.135.160-216.74.135.191
overpeer:216.74.143.64-216.74.143.95
Overpeer Inc:216.74.146.160-216.74.146.191
Overpeer Inc:216.74.150.0-216.74.150.15
Overpeer Inc:216.74.159.64-216.74.159.95
Overpeer Inc:216.74.164.192-216.74.164.223
Overpeer Inc:216.74.169.96-216.74.169.127
Overpeer Inc:216.74.172.0-216.74.172.255
overpeer:216.144.70.0-216.144.70.255
Overpeer Inc:216.144.71.0-216.144.71.255
Overpeer Inc:216.177.72.96-216.177.72.127
Overpeer Inc:216.182.162.64-216.182.162.95
Overpeer Inc:216.182.196.160-216.182.196.191

Attempting to load a Overpeer protected file on your system will also leave one of these in your temp folders:
C:\Documents and Settings\*\Local Settings\Temp\drmtemp1.htm
hxxp://licenses.overpeer.com/simple_license.aspx

Also see www.ondemanddistribution.com :
»www.whois.sc/ondemanddistribution.com

Moore
»www.bluetack.co.uk]]> http://www.dslreports.com/forum/remark,12259883 Fri, 31 Dec 2004 15:02:08 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12259447 eburger68 : Andrew:

Thanks for confirming the substance of this story. Would it be possible to a copy of the WMA file you have? If so, please email me at eburger68@myrealbox.com.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,12259447 Fri, 31 Dec 2004 13:59:31 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12258802 bobince : I can confirm PC World's story. I was recently sent one of these files.

The way it works as far as I can tell is that protectedmedia.com runs clients on the FastTrack network (Kazaa/Grokster/iMesh) offering what look like porn movies. Actually in the examples I've seen they *are* porn movies, but they're generic, not matching what the various filenames it is offered under might imply. It is likely they are also doing this with audio files too, but I haven't found any searches that will bring them up.

The files are rights-protected WMV. The licence-acquiring features in Windows Media Player involve opening up a window with some sort of licensing agreement; this is obtained by fetching the page from the URL embedded in the file, and then displaying it in an IE-engine subwindow. The trick is simply that the pages in this case contain a number of ActiveX drive-by downloaders, with wording that implies that you have to accept the downloads for the licence-acquisition process to work (in reality, the video plays anyway even if you say no). I don't know if this works on XP SP2... I suspect it does, because I believe the new yellow info bar thingy only applies to IE itself, not WMP.

These install a load of usual-suspects parasites that I'm going through at the moment, including ILookup/HotSearchBar and iSearch (Eric: who are also behind the rogue anti-spyware SpywareAvenger, you might want to note).

I just wonder how long this has been going on. As spyware researchers we've got used to tracking down web-based installers and software bundling, but porn on the P2P networks is something we've not been keeping an eye on until now.

In the meantime, I can only recommend Media Player Classic (which is a whole lot nicer than WMP even without the security considerations), and advise avoiding Windows Media files where possible.]]> http://www.dslreports.com/forum/remark,12258802 Fri, 31 Dec 2004 12:37:39 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12254771 jack b : Great info.
Another method to "safely" open these files is with Irfanview.
It'll open just about anything, with the associated plugins.
»www.irfanview.com/
Free.
--
~Help find a cure for cancer~ Proud Member Team Discovery]]> http://www.dslreports.com/forum/remark,12254771 Thu, 30 Dec 2004 22:09:35 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12254461 GercekSeytan : Same thing happening here (WinXP Pro SP2 with all updates).]]> http://www.dslreports.com/forum/remark,12254461 Thu, 30 Dec 2004 21:33:39 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12254266 antdude :
said by Wai_Wai :

Use these music players instead.
Windows Media Player + QuickTime Player + RealPlayer may add too many unnecessary features, add a lot of things to your system, and make them bulky, and so on...

Or if you hate intalling a lot of media player just for the sake of opening their related file associations...

Use the much lighter ones all-in-one media player (for free! :P):
The music player (light and simple), it can replace Windows Media Player:
»www.free-codecs.com/download/Med···ssic.htm

To replace QuickTime, add this plug-in:
»www.free-codecs.com/download/Qui···tive.htm

To replace RealPlayer, add this plug-in:
»www.free-codecs.com/download/Rea···tive.htm

Note: You may experience some minor problems when opening some of RealPayer or QuickTime files. If it was the case, close and re-open the music player and open the files should work again.
I agree with these non-bloated players. They are awesome.

However, I am having problems playing back some QuickTime MOV files that just lock up Media Player Classic v6.4.8.2 (QT Alternative v1.3.9)? It happens on my old P3 1 Ghz system with Windows 2000 SP4 (all updates) and Athlon 64 3200+ machine with Windows XP Professional SP2 (all updates).

Example file: »mp3content03.bcst.yahoo.com/bmfr···48407.mo

VideoLan Client had no problems. I use this one as a backup media player and it works on many OS': »www.videolan.org/
--
Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check almost daily)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.]]> http://www.dslreports.com/forum/remark,12254266 Thu, 30 Dec 2004 21:15:15 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12253777 WFO : LOL..Windows Media Player doesn't even get internet access on my laptop.:D]]> http://www.dslreports.com/forum/remark,12253777 Thu, 30 Dec 2004 20:18:48 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12253713 GercekSeytan : At last my paranoia paid off. DRM in off in both IE and in my GP settings.
--
Lord, aint it a shame...in all this comfort...can't take the strain...]]> http://www.dslreports.com/forum/remark,12253713 Thu, 30 Dec 2004 20:11:23 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12253679 Wai_Wai : Use these music players instead.
Windows Media Player + QuickTime Player + RealPlayer may add too many unnecessary features, add a lot of things to your system, and make them bulky, and so on...

Or if you hate intalling a lot of media player just for the sake of opening their related file associations...

Use the much lighter ones all-in-one media player (for free! :P):
The music player (light and simple), it can replace Windows Media Player:
»www.free-codecs.com/download/Med···ssic.htm

To replace QuickTime, add this plug-in:
»www.free-codecs.com/download/Qui···tive.htm

To replace RealPlayer, add this plug-in:
»www.free-codecs.com/download/Rea···tive.htm

Note: You may experience some minor problems when opening some of RealPayer or QuickTime files. If it was the case, close and re-open the music player and open the files should work again.]]> http://www.dslreports.com/forum/remark,12253679 Thu, 30 Dec 2004 20:06:53 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12249311 Doctor Four : I've been tempted to upgrade to WMP10, but after reading
this, I'll pass on it. Thanks a lot, Microsoft. If there's
one annoyance I can't stand (other than spyware/adware),
its applications hijacking file associations. It sounds as
if Microsoft is getting as bad in this area as Real
Networks.

As for the booby-trapped WMA files, how long before legal
downloan (yes, the files should be called that, because
you are in effect only renting them) services start
pulling this crap?
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.]]> http://www.dslreports.com/forum/remark,12249311 Thu, 30 Dec 2004 11:13:07 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12249166 starfish8 :
said by kpatz :

In Media Player 9, turn on the menu bar if it's off (by clicking the double arrow near the top of the screen). Then click Tools, Options. Go to Privacy tab. Turn off "acquire licenses automatically" here. Heck, uncheck everything on this page while you're there.

I'm still using WMP 9. Is there any reason to think that WMP 10 is more (or less) secure?]]> http://www.dslreports.com/forum/remark,12249166 Thu, 30 Dec 2004 10:56:52 EDT Re: WMA -- Base install http://www.dslreports.com/forum/remark,12248841 mastervirus : I know when I installed WM 10 it asked me and before I even came onto this article I turned it off. Dont ask me why but if microsoft says its a default then I change it immediately.]]> http://www.dslreports.com/forum/remark,12248841 Thu, 30 Dec 2004 10:00:58 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12248671 kpatz : In Media Player 9, turn on the menu bar if it's off (by clicking the double arrow near the top of the screen). Then click Tools, Options. Go to Privacy tab. Turn off "acquire licenses automatically" here. Heck, uncheck everything on this page while you're there.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,12248671 Thu, 30 Dec 2004 09:32:55 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12248644 vic102482 :
said by Portmonkey :

Thanks for the info. I just turned off the "Acquire licenses automatically for protected content".

Lol that should have been done even without this development;).
--
I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!!]]> http://www.dslreports.com/forum/remark,12248644 Thu, 30 Dec 2004 09:29:19 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12248617 kpatz : Yet another reason why DRM = evil. How long before malware writers exploit this vulnerability?]]> http://www.dslreports.com/forum/remark,12248617 Thu, 30 Dec 2004 09:24:16 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12246581 Steely : I had no problem finding that option and there are other ways to access it.]]> http://www.dslreports.com/forum/remark,12246581 Wed, 29 Dec 2004 23:36:15 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12246368 suzi : Thanks for this disturbing information, Eric.

The newest version, Windows Media Player 10, does *not* make it easy to locate the options for the player. It took me a while to find the location. With the player open, click the "now playing" tab, then click the small button below. You won't see options yet - you have to mouseover Plug-ins, then move over to the options tab. There you can essentially neuter the darn thing. It will also attempt to hijack your file associations. After installing this new version, I was temped to uninstall it, go to oldversion.com and download an older, less annoying version.

Edit to correct grammar.
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,12246368 Wed, 29 Dec 2004 23:06:08 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12246297 Dustyn : Wow! :o

Excellent article edburger68... good find! :)

I rarely play WMA's but, it is worth looking into the WMP settings and turning off "acquire licences automatically for protected content".

Scary man.. :p]]> http://www.dslreports.com/forum/remark,12246297 Wed, 29 Dec 2004 22:58:47 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12246043 mers2 : This could be a nightmare if this loophole becomes widely exploited. Even users who know better than to click on links or "yes" on dialog boxes might not think twice about clicking to view a WMA file. Another avenue of education to put forth. Thanks again, Eric for some valuable information.
--
"Think for yourself and let others enjoy the privilege of doing so too." - Voltaire ]]> http://www.dslreports.com/forum/remark,12246043 Wed, 29 Dec 2004 22:30:58 EDT Re: Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12245959 Portmonkey : Thanks for the info. I just turned off the "Acquire licenses automatically for protected content".]]> http://www.dslreports.com/forum/remark,12245959 Wed, 29 Dec 2004 22:20:16 EDT Adware Installed through WMA Files http://www.dslreports.com/forum/remark,12245912 eburger68 : Hi All:

PC World has a pair of articles about a potentially dangerous new development on the spyware/adware front: WMA (Windows Media) files being used to install adware and spyware. See:

Risk Your PC's Health for a Song?
»www.pcworld.com/news/article/0,a···6,00.asp

Protect Yourself From Audio Adware
»www.pcworld.com/news/article/0,a···3,00.asp

In short, the well-known copyright management/protection firm Overpeer has figured out how to install adware through Windows Media files. The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.

Some might be tempted to dismiss this new method for distributing adware and spyware as a risk only for those using P2P networks. That snap judgement would be a mistaken and misguided one, though. The P2P file sharing angle on this story is a red herring.

The problem here involves the DRM features of Windows Media, and those features create a new and potentially very effective means for adware vendors to push unwanted software on unsuspecting users who have no interest whatsoever in using P2P networks to trade unauthorized music files.

I should caution readers that the PC World article, while detailed, is still short on specifics and that we still need more information. That said, users should be advised to take the usual steps to protect themselves against adware and spyware. At a minimum that involves:

* locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting);
* installing spyware prevention utilities such as SpywareBlaster and SpywareGuard;
* installing at least two reputable anti-spyware scanners and keeping them updated;
* keeping your system updated through Windows Update.

In addition to the above, PC World recommends tweaking the settings for Windows Media Player:

said by PC World:
* Change windows Media Player setting to give you more warning. Select Tool, Options, Privacy and turn off 'Acquire licenses automatically for protected content'. A dialog box then will warn you each time a protected file attempts to get a license, and it will display the URL from which the file intends to request the license. If you have any doubts about the site, choose 'No.' Changing this setting in Windows Media Player will affect any other players you use that support Microsoft's DRM scheme.

Also, it *appears* that merely switching your default browser to something other than Internet Explorer will not be sufficient to eliminate the threat, as Windows Media Player uses the Internet Explorer engine to open browser windows that function as dialog boxes. Even if you're not actively using Internet Explorer, you should lock it down to prevent its being exploited by rogue WMA files.

If and when more information becomes available, I'll post it to this thread.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,12245912 Wed, 29 Dec 2004 22:14:21 EDT