
bobince

join:2002-04-19
DE

reply to eburger68

Re: Adware Installed through WMA Files

I can confirm PC World's story. I was recently sent one of these files.

The way it works as far as I can tell is that protectedmedia.com runs clients on the FastTrack network (Kazaa/Grokster/iMesh) offering what look like porn movies. Actually in the examples I've seen they *are* porn movies, but they're generic, not matching what the various filenames it is offered under might imply. It is likely they are also doing this with audio files too, but I haven't found any searches that will bring them up.

The files are rights-protected WMV. The licence-acquiring features in Windows Media Player involve opening up a window with some sort of licensing agreement; this is obtained by fetching the page from the URL embedded in the file, and then displaying it in an IE-engine subwindow. The trick is simply that the pages in this case contain a number of ActiveX drive-by downloaders, with wording that implies that you have to accept the downloads for the licence-acquisition process to work (in reality, the video plays anyway even if you say no). I don't know if this works on XP SP2... I suspect it does, because I believe the new yellow info bar thingy only applies to IE itself, not WMP.

These install a load of usual-suspects parasites that I'm going through at the moment, including ILookup/HotSearchBar and iSearch (Eric: who are also behind the rogue anti-spyware SpywareAvenger, you might want to note).

I just wonder how long this has been going on. As spyware researchers we've got used to tracking down web-based installers and software bundling, but porn on the P2P networks is something we've not been keeping an eye on until now.

In the meantime, I can only recommend Media Player Classic (which is a whole lot nicer than WMP even without the security considerations), and advise avoiding Windows Media files where possible.
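To see which licence page a protected file would make the player fetch, without opening the file in a player, the URL can be read straight from the file header. This is an added example, not part of the original posts: the object GUIDs and the Content Encryption Object field order follow the published ASF specification as I understand it, files carrying only the newer Extended Content Encryption Object are not handled, and `build_sample` with its `license.example` URL is constructed test input.

```python
import struct
import uuid

# ASF object GUIDs; on disk the first three fields are little-endian (bytes_le).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le


def _read_blob(buf, pos):
    """Read a 32-bit little-endian length, then that many bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    n = struct.unpack_from("<I", buf, pos)[0]
    if pos + 4 + n > len(buf):
        raise ValueError("length field runs past end of object")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def license_url(data):
    """Return the licence-acquisition URL of a protected ASF file, or None."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        raise ValueError("not an ASF (WMA/WMV) file")
    end = min(struct.unpack_from("<Q", data, 16)[0], len(data))
    pos = 30  # GUID(16) + size(8) + object count(4) + 2 reserved bytes
    while pos + 24 <= end:
        guid = data[pos:pos + 16]
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            raise ValueError("corrupt object size at offset %d" % pos)
        if guid == ASF_CONTENT_ENCRYPTION:
            body, off = data[pos + 24:pos + size], 0
            for _ in range(3):  # skip secret data, protection type, key ID
                _, off = _read_blob(body, off)
            url, _ = _read_blob(body, off)
            return url.rstrip(b"\x00").decode("ascii", "replace")
        pos += size
    return None  # no Content Encryption Object found in the header


def build_sample(url):
    """Constructed input: minimal ASF header holding one encryption object."""
    blob = lambda b: struct.pack("<I", len(b)) + b
    body = (blob(b"\x00" * 4) + blob(b"DRM\x00") + blob(b"keyid\x00")
            + blob(url.encode("ascii") + b"\x00"))
    enc = ASF_CONTENT_ENCRYPTION + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(enc), 1, 1, 2) + enc
```

On a real file, pass the first few hundred kilobytes read in binary mode; a returned URL means the player will load that page when it tries to acquire a licence.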

eburger68
Premium,MVM
join:2001-04-28


Andrew:

Thanks for confirming the substance of this story. Would it be possible to get a copy of the WMA file you have? If so, please email me at eburger68@myrealbox.com.

Best,

Eric L. Howes


bedelman
Premium
join:2004-06-20
Cambridge, MA

reply to bobince

which programs get installed

Andrew:

That's another great find, as usual.

I took a look at one of these WindowsMedia files, let it install on a test PC, and made a list of what programs I got. 31 programs, 11000+ registry entries. Not a pretty sight.

Write-up and selected screen-shots: www.benedelman.org/news/010205-1.html

Ben


GercekSeytan
Absinthe makes the heart grow fonder.
Premium
join:2001-10-19

Great link. Thanks much.


over 12.5 years online © 1999-2012 dslreports.com.