
Schouw
Premium
join:2003-05-29
Netherlands

reply to eburger68

Re: Adware Installed through WMA Files

said by eburger68:

The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.
I've seen similar cases in 2003, so this isn't exactly a new approach.
--
Not speaking for Kaspersky Lab

edbott

join:2005-01-02
Scottsdale, AZ

I've been following this story for a couple of days. At Eric's request, I'm posting a summary of what I found here. You can get all the details of my tests, including some screen shots, at my blog, where comments are welcome:

»www.edbott.com/weblog/archives/000340.html

The PC World story contained several errors and some misleading statements.

I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.

The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.

The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.

You are most likely to acquire one of these "poisoned" WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.

If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.

If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn't test this scenario.

Clearing the option to acquire software licenses automatically seems to have no effect on this exploit.

I don't see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX "push" installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn't fall for this stuff.


eburger68
Premium,MVM
join:2001-04-28

4 edits

Ed:

Thanks for posting this summary and for your detailed write-up at your blog site. As will become apparent, I happen to disagree with some of your specific assessments and conclusions, esp. regarding the seriousness of this problem.

You wrote:

said by edbott:

I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.

Yes, but there are plenty of users out there who will not be running the "latest and greatest." We still need more information about the effect of these files on earlier versions of Internet Explorer and other versions of Windows besides XP SP2. Moreover, even if a properly patched version of Internet Explorer currently prevents complete stealth installations, I have to wonder how long it will be before we see IE security exploits that can be combined with the WMA DRM features to bypass the XP SP2 warnings. Past experience with IE suggests not very long, and indeed there is already an unpatched exploit that works on XP SP2 -- see:

»news.com.com/Trojan+horse+threat···709.html
»securityresponse.symantec.com/av···l.a.html

said by edbott:

The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.

Here I think you draw the wrong conclusions. The fact that the programs in question are digitally signed is absolutely no guarantee of their safety. In fact, the proper conclusion is just the opposite. 95 percent (if not more) of the spyware and adware that we see on the Net is digitally signed, and that fact is damning. As has become blindingly apparent, VeriSign will issue digital certs to just about anyone, including the worst of the worst who force-install porn dialers on unsuspecting users' computers.

All that digital cert really guarantees is that the program was signed by the holder of the cert (whoever that is) and that the program was not altered in transit. It cannot provide users assurances as to the trustworthiness of the holder of the cert, the vendor's privacy practices, or the safety of the program itself.

Finally, as Ben noted in his comment on your blog (see »www.edbott.com/weblog/archives/000340.html ), the installation practices used here hardly "make it clear what you're getting."

said by edbott:

The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.

This part needs to be emphasized. What we have here is yet another channel for spyware and adware vendors to spring unwanted software on unsuspecting users in completely confusing circumstances. Even though the software is not installed automatically on a properly patched version of Internet Explorer at present, many users will be justifiably confused and think that they must install the program. We already know this happens at web sites that initiate the installation of third-party ActiveX controls. When users encounter this sort of installation prompt in the context of playing what looks to be a DRM-protected media file, it is even more likely that users will come to the erroneous conclusion that the installation is required.

said by edbott:

You are most likely to acquire one of these "poisoned" WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.

Given that we only just recently discovered this technique for installing adware and spyware, I think it is far too early to declare this problem to be limited primarily to P2P networks. Certainly the first examples of rogue WMA files have been encountered on a P2P network, but as I emphasized in my first post in this thread, I regard the P2P angle to be a red herring.

I don't think it will be too long before we start seeing these WMA files outside of P2P networks -- on porn sites offering free "sneak previews," for example, but also on apparently legitimate music sites offering free and legal samples of music available for legitimate download and purchase. Indeed, one can easily spin out a whole raft of potential uses for this particular "feature" of WMA files.

What this does is open a whole new adware channel for web sites and companies looking for new sources of advertising revenue. If you're running a music site, for example, no longer do you have to mar your main web site with sleazy drive-by-downloads -- now you can bundle adware more discreetly through the media files offered by the web site. And think how remarkable it is that Overpeer has decided to turn to adware to improve its financial base! Will others start to follow that example? Let's hope not.

said by edbott:

If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.

Yes, and that's good to hear. But the majority of the world is not running XP SP2. And as your own testing revealed, even XP SP2 users may encounter the ActiveX Security Warning box if they're running WMP 9 because, as you noted, "it appears that the instance of IE that is being hosted in the WMP9 License Acquisition dialog box is not interacting properly with the security restrictions in SP2" (see »www.edbott.com/weblog/archives/000340.html ). And the minute users encounter that warning box -- which we already know most users find inherently confusing and disorienting even in the context of web pages -- they are at risk for mistakenly installing software they don't want or need, as Ben properly emphasized.

said by edbott:

If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn't test this scenario.

All of this is good advice, but again many users will not have restricted ActiveX controls in the Internet zone -- they will have accepted the defaults assigned by Microsoft. Moreover, many users will find it too inconvenient to disable ActiveX controls, as doing so can lead to a raft of broken web sites -- a confusing and frustrating experience for non-techies.

said by edbott:

Clearing the option to acquire software licenses automatically seems to have no effect on this exploit.

Here you raise something else I'm not clear on: PC World recommended unchecking the "Acquire licenses automatically for protected content" box. That's great. But then what? Presumably users then get a prompt to acquire license information when they attempt to play the WMA files. And, of course, most users are simply going to click through the prompt box to get the license information, at which point we're right back where we were with an adware installation being launched. How would users know to do any differently?

Edit: I now understand that on your blog you've essentially confirmed that unchecking "Acquire licenses" doesn't substantially address the problem.

said by edbott:

I don't see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX "push" installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn't fall for this stuff.

I'm sorry, but I'm going to have to disagree with you here. I think the potential for abuses with this new method for pushing adware and spyware on users is very serious and shouldn't be pooh-poohed. And we shouldn't in any way be suggesting or hinting that the users are themselves the problem here -- they are not. As Ben emphasized, the problem is the media files.

It is absolutely inexcusable that media files should have ever become a vehicle for pushing spyware and adware on unsuspecting users. Media files should simply not be a vehicle for adware installations. Period. That there are preventative measures for this unwelcome behavior and functionality is no excuse for the problem itself. It should have never existed in the first place.

The real story here is Microsoft's poor implementation of DRM. Indeed, the truly cynical could now point out that the standard, illegal MP3 files that populate P2P networks are in some ways more secure than Microsoft's DRM-enabled WMA files. And that's a sad commentary on the industry's efforts to persuade consumers to accept DRM-enabled content.

Eric L. Howes
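The thread turns on the fact that playing a DRM-protected WMA file makes Windows Media Player contact the license URL stored in the file, and that the hosted IE window can then present ActiveX install prompts. As an added illustration (not code from this thread or from any of the posters), here is a small Python triage script that parses the ASF header of a .wma file and reports the DRM license URL the player would contact, so a file can be reviewed before anyone plays it. It assumes the file carries a plain license URL in the ASF Content Encryption Object; files that store license information only in the newer XML-based Extended Content Encryption Object are not covered, and the sample file, key ID and host names are constructed.

```python
import struct
import uuid
from urllib.parse import urlparse

# ASF object GUIDs from the ASF specification; the file stores them little-endian.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le

def _cstr(buf):  # NUL-terminated ASCII field -> str
    return buf.split(b"\x00", 1)[0].decode("ascii", "replace")

def scan_wma(data):
    """Return the DRM protection type and license URL from a WMA/ASF header, or None if no DRM object."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF/WMA file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos = 30  # 16-byte GUID + 8-byte size + 4-byte object count + 2 reserved bytes
    for _ in range(count):
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > header_size:
            raise ValueError("corrupt header object")
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT:
            body, off, fields = data[pos + 24:pos + size], 0, []
            for _ in range(4):  # secret data, protection type, key ID, license URL
                (n,) = struct.unpack_from("<I", body, off)
                fields.append(body[off + 4:off + 4 + n])
                off += 4 + n
            return {"protection_type": _cstr(fields[1]), "license_url": _cstr(fields[3])}
        pos += size
    return None

def triage(data, trusted_license_hosts):
    """'clean' (no DRM), 'trusted-drm' (license host on the allow list) or 'review' (unknown license host)."""
    info = scan_wma(data)
    if info is None:
        return "clean"
    host = (urlparse(info["license_url"]).hostname or "").lower()
    return "trusted-drm" if host in trusted_license_hosts else "review"

def build_sample_wma(license_url=None):
    """Constructed minimal ASF header for testing (not a real recording); None means no DRM object."""
    def field(value):  # DWORD length prefix, NUL-terminated payload
        return struct.pack("<I", len(value) + 1) + value + b"\x00"
    objects = b""
    if license_url is not None:
        body = field(b"") + field(b"DRM") + field(b"CONSTRUCTED-KEY-ID") + field(license_url.encode("ascii"))
        objects = ASF_CONTENT_ENCRYPTION_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_OBJECT + struct.pack("<QIBB", 30 + len(objects), 1 if objects else 0, 1, 2) + objects
```

A file whose license URL points at an unfamiliar host is exactly the case the thread describes, and "review" means look at it before playing it, not that the file is known to be bad.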

suzi
Premium
join:2004-05-01

2 edits

reply to edbott

quote:
anyone who is aware of current security practices shouldn't fall for this stuff.

I can agree with that statement, but I think everyone who is concerned about adware and spyware's implications knows that's not the real point. The truth is that there are thousands of uneducated web surfers who *will* fall for this stuff, either because they don't know any better or they just want to click through in a hurry to get to the "goodies". The adware/spyware pushers will use any method to exploit these uneducated web surfers. And the companies, including Dell, profit from this crap.

I installed the same WMA file on an old Win ME box with no protection except AVG free and the free version of Zone Alarm. I ended up with 11 desktop shortcuts for everything from "Get This Weeks Deals from Dell" to "Get Sex Toys Direct", "Hot Facial xxx Shots", and so on. Not to mention all the other crapware. None of them had EULAs except for the GAIN dash bar. That machine was infected faster than you could take a couple of deep breaths.

It took me nearly 2 hours to clean it up and I know what I'm doing. Imagine the "normal" user who doesn't have a clue. The computer becomes essentially useless until it's cleaned up.

These practices are just plain wrong, no matter how you look at it, huge security risk or not.

Edited to add: The entire process happened very quickly and I wasn't taking notes. I think I got a warning asking if I wanted to download and install the GAIN dash toolbar and one for the iSeek toolbar. Those are the only 2 I recall out of all the malware I ended up with.

Suzi
aka Spyware Warrior


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

reply to eburger68

said by eburger68:

I don't think it will be too long before we start seeing these WMA files outside of P2P networks -- on porn sites offering free "sneak previews," for example, but also on apparently legitimate music sites offering free and legal samples of music available for legitimate download and purchase. Indeed, one can easily spin out a whole raft of potential uses for this particular "feature" of WMA files.

What this does is open a whole new adware channel for web sites and companies looking for new sources of advertising revenue. If you're running a music site, for example, no longer do you have to mar your main web site with sleazy drive-by-downloads -- now you can bundle adware more discretely through the media files offered by the web site. And think how remarkable it is that Overpeer has decided to turn to adware to improve its financial base! Will others start to follow that example? Let's hope not.

That sure as hell sounds like a vector for a Cool Web Search infection if I ever heard it. I wonder how long it will be before they start exploiting this particular loophole?

said by eburger68:

The real story here is Microsoft's poor implementation of DRM. Indeed, the truly cynical could now point out that the standard, illegal MP3 files that populate P2P networks are in some ways more secure than Microsoft's DRM-enabled WMA files. And that's a sad commentary on the industry's efforts to persuade consumers to accept DRM-enabled content.

What Microsoft needs to do is release a critical update that closes that loophole. Another adware possibility for this would be WMA files from a copy protected CD - when you play them, ads are launched by IE for related content.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.

© 1999-2012 dslreports.com