 suzi Premium join:2004-05-01
| reply to eburger68 Re: Adware Installed through WMA Files
I believe we've seen plenty of evidence that seems to contradict Claria's claims.
»www.pcpitstop.com/gator/Survey.asp
»www.pcpitstop.com/gator/Confused.asp
The same for 180Solutions.
»www.benedelman.org/spyware/180-a···ion.html -- aka Suzi, Spyware Warrior |
|
 eburger68 Premium,MVM join:2001-04-28
| reply to eburger68 Justin:
These adware companies are full of amazing claims and statements. From a MediaPost article today reporting that McAfee has named adware among the "top nuisances of 2004" ( »www.mediapost.com/dtls_dsp_news.···D=285202 ):
said by MediaPost: McAfee found that most people with adware on their computers downloaded the programs themselves; the company said it uncovered some instances where adware companies exploited holes in people's browsers to install the programs without their knowledge.
Claria spokesman Scott Eagle said that Claria Corp. does not install any ad-serving software without a user's permission, and that the company has safeguards in place to make sure that software is not surreptitiously installed. A spokesman for 180solutions also said the company's policy is to install software only to users who have consented.
After what we've seen installing through this WMP adware, these kinds of statements are nothing short of enraging.
Eric L. Howes |
|
  justin Australian join:1999-05-28 Brooklyn, NY | reply to eburger68 Isn't that EULA amazing? Proof right there that they don't expect anyone to read it. Proof that the whole show-accept EULA thing is due to be dragged into the 21st century by a smart class-action lawyer. |
|
 eburger68 Premium,MVM join:2001-04-28
| reply to edbott Ed:
You wrote:
said by edbott: wbpdp.balance.gator.com (gee, what a surprise!)
Yup. So much for Claria's "privacy friendly" installation practices. For more info see Ben's latest:
»www.benedelman.org/news/010405-1.html
But Claria has a long history of this consumer-unfriendly nonsense:
»www.benedelman.org/news/112904-1.html
On a related note: the iSearch.com/iDownload.com EULA contained the following clause:
said by iDownload.com: In addition, you further understand and agree, by installing the Software, that iSearch and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer, which, in turn, may disable or render inoperative, other software resident on your computer, including software bundled with such adware, or have other adverse impacts on your computer.
This is the same license language that Ben wrote about here:
»www.benedelman.org/news/120704-1.html
I'd normally be pleased as punch to allow these jerks to feast on each other. The problem is that hapless consumers happen to be caught in the middle.
Best,
Eric L. Howes |
|
  FoMoCo 466 C.I.D.
join:2001-01-10 Grand Rapids, MI
| reply to eburger68 I'm not suggesting people do this, but I deleted the DRM folder a month back for another reason and have had no issues, and I use it all the time. -- When life becomes a drag - floor it - Galaxie 500 |
|
 edbott
join:2005-01-02 Scottsdale, AZ | reply to Transmaster On the file I tested, the initial connections were to:
hotsearchbar.com
www.protectedmedia.com
wbpdp.balance.gator.com (gee, what a surprise!) |
|
  Transmaster Don't Blame Me I Voted For Bill and Opus
join:2001-06-20 Cheyenne, WY
·Qwest.net
| reply to PatientGuy I like db Poweramp »www.dbpoweramp.com/ . It plays everything; you can load whatever codecs you want, MP1 to Ogg Vorbis to MP4 and everything in between. What I really like about it is that it comes in sections, so you only load what you want. If you just want the player, cool; just the converter, great; the burner only if you want it. It has the best music file converter I have ever used.
I wonder about the above addresses: should I enter them into my DSL router in the section that blocks them, or just add them to the blocked list on SpywareBlaster? -- Real Men use Vacuum tubes, 25 pound filament transformers, and plate voltages no less than 2400 volts...BPL I'm coming to get you |
|
  PatientGuy I'M Way Deep Into Nothing Special Premium join:2000-12-11 Arlington, VA clubs:
| reply to WFO said by WFO: LOL.. Windows Media Player doesn't even get internet access on my laptop. :D
Same here, plus I have Zone Alarm set so IE has to "Always ask for permission". I use Mozilla. |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
| reply to eburger68 I noticed quite a few new entries in the latest MVPS hosts file when I went to update it before imaging my HDD last night. I think some of them may be related to the adware in question, as the URLs in the new groups included xxxtoolbar.com and kanoodle.com, both of which have been reported to be associated with this threat. (Though Kanoodle seems to have pulled its ads.) -- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. |
|
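Transmaster asks above whether the hostnames Ed listed (hotsearchbar.com, www.protectedmedia.com, wbpdp.balance.gator.com) belong in the router's block list or in SpywareBlaster, and Doctor Four mentions the MVPS hosts file. As an added example that is not part of any post in this thread or of the MVPS list, the Python below merges such names into a hosts file without duplicating entries already there, and checks whether a given URL's host would be null-routed. SAMPLE_HOSTS is constructed here; ADWARE_HOSTS is the three hosts from Ed's test plus the kanoodle.com name Doctor Four mentions; HOSTS_PATH is the standard Windows location.

```python
"""Merge adware hostnames into a Windows hosts file and check what it blocks.
Added illustration; the sample hosts content below is constructed, not real."""
from urllib.parse import urlsplit

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # standard Windows location
BLOCK_ADDR = "0.0.0.0"             # unroutable; older lists used 127.0.0.1
NULL_ADDRS = {"0.0.0.0", "127.0.0.1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}   # legitimately loopback

# Constructed sample hosts file, with one adware host already present.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0 kanoodle.com   # added last month
"""
ADWARE_HOSTS = ["hotsearchbar.com", "www.protectedmedia.com",
                "wbpdp.balance.gator.com", "kanoodle.com"]


def parse_hosts(text: str) -> dict:
    """Map each hostname (lower-cased) to its address. The first entry for a
    name wins, which mirrors the top-down lookup the resolver performs."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            table.setdefault(name.lower(), parts[0])
    return table


def blocked_names(text: str) -> set:
    """Names the file null-routes, ignoring the loopback aliases."""
    return {n for n, addr in parse_hosts(text).items()
            if addr in NULL_ADDRS and n not in LOOPBACK_NAMES}


def merge_blocklist(text: str, hostnames, tag: str = "# adware-block") -> str:
    """Return text with a 0.0.0.0 line for each hostname not already present.
    Running it twice yields the same result."""
    present = parse_hosts(text)
    to_add, seen = [], set()
    for h in hostnames:
        h = h.strip().lower().rstrip(".")
        if h and h not in present and h not in seen:
            seen.add(h)
            to_add.append(h)
    if not to_add:
        return text
    sep = "" if text.endswith("\n") or not text else "\n"
    return text + sep + "".join(f"{BLOCK_ADDR} {h} {tag}\n" for h in to_add)


def is_blocked(url: str, text: str) -> bool:
    """True if the URL's host would resolve to a null address via this file.
    Exact-name match only: hosts files have no wildcards."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host in blocked_names(text)


def update_hosts_file(hostnames, path: str = HOSTS_PATH) -> int:
    """Merge into the real file (run from an elevated prompt); keeps a .bak copy
    and returns the number of names newly blocked."""
    with open(path, encoding="utf-8") as f:
        before = f.read()
    after = merge_blocklist(before, hostnames)
    if after != before:
        with open(path + ".bak", "w", encoding="utf-8") as f:
            f.write(before)
        with open(path, "w", encoding="utf-8") as f:
            f.write(after)
    return len(blocked_names(after)) - len(blocked_names(before))


if __name__ == "__main__":
    merged = merge_blocklist(SAMPLE_HOSTS, ADWARE_HOSTS)
    print(merged)
    for u in ("http://wbpdp.balance.gator.com/ad", "http://protectedmedia.com/"):
        print(u, "blocked" if is_blocked(u, merged) else "NOT blocked")
```

A hosts entry matches the exact name only, so blocking www.protectedmedia.com does nothing for protectedmedia.com or any other subdomain, and the file has no effect on a connection made straight to an IP address; that is what a router-side block adds on top. Either keep the list yourself with update_hosts_file, or let a maintained list such as MVPS do it.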
  @telus.net | reply to eburger68 I'm using the original WMP 6.4.07.1121 that came with Internet Explorer 6 SP1 for 98SE. Am I affected? And the options don't show the licence thing. |
|
  justin Australian join:1999-05-28 Brooklyn, NY
1 edit | reply to eburger68 This is a bit off-topic, but on the general subject of Explorer being tied into media streams:
I unsubscribed from Real the day I was tricked into subscribing. I wanted to get BBC streams over the web. Real farms out their subscription service so it can be entirely branded by a 3rd party, in this case the BBC. I was tired and didn't realize the only giveaway (real.com at the end of the subscription sign-up form).
I unsubscribed because I realized it was Real, and confirmed that in order to use any of the content you have this nightmare integration of real.com web pages, cookies, Windows Explorer and Windows Media Player. It was a total garbage dump of redirected clicks, cookies, and pop-up windows full of crap trying to get you to extend your subscription. I felt like I'd wandered into a medieval dungeon and got caught in an iron lady. Spent in total about 2 hours extricating myself.
Even the unsubscribe page makes you THINK you're going to have to speak to someone on the phone, but in the end, gives you a button and a reason field.
And all I wanted was a decent quality BBC news feed 
Real made their bed with microsoft and explorer and now they are going down with the same ship. Bad luck to them. |
|
  Laurav
@aol.com
| reply to suzi Ok, I am an average internet user who got sucked in and I now have all of the files attached to my computer. How can I get rid of them? They are write-protected. Is there one program (ex. Media player) that I can uninstall that will get rid of them all? My computer is not working properly and AOL is useless now. Thanks. |
|
 suzi Premium join:2004-05-01
2 edits | reply to eburger68 I see that Ben has updated his write-up to include a screenshot of the icon shortcuts placed on his desktop by the malware from the infected file:
»www.benedelman.org/news/010205-1.html
If I'm not mistaken, that icon, which looks like the same one that was left on my desktop, contains an affiliate ID that passes through LinkShare.
www1. us. dell.com/content/topics/segtopic.aspx/odg_special49?c=us&cs=19&l=en&s=dhs&redirect=1
I've disabled the link to prevent giving any accidental clicks or business to that affiliate.
As Ben said:
quote: Of course, these merchants may not have intended to support spyware developers. For example, merchants may have approved the affiliates without taking time to investigate the affiliates' practices, or the affiliates' actions may be unauthorized by the merchants.
Nevertheless, the affiliate networks like LinkShare and Commission Junction, as well as the companies like Dell, are making profits from these installations.
It's totally outrageous, IMO, and I have a difficult time believing that the affiliate networks and companies could not stop these practices if they chose to.
 -- aka Suzi, Spyware Warrior |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
| reply to eburger68 said by eburger68: I don't think it will be too long before we start seeing these WMA files outside of P2P networks -- on porn sites offering free "sneak previews," for example, but also on apparently legitimate music sites offering free and legal samples of music available for legitimate download and purchase. Indeed, one can easily spin out a whole raft of potential uses for this particular "feature" of WMA files. What this does is open a whole new adware channel for web sites and companies looking for new sources of advertising revenue. If you're running a music site, for example, no longer do you have to mar your main web site with sleazy drive-by-downloads -- now you can bundle adware more discretely through the media files offered by the web site. And think how remarkable it is that Overpeer has decided to turn to adware to improve its financial base! Will others start to follow that example? Let's hope not.
That sure as hell sounds like a vector for a CoolWebSearch infection if I ever heard it. I wonder how long it will be before they start exploiting this particular loophole?
said by eburger68: The real story here is Microsoft's poor implementation of DRM. Indeed, the truly cynical could now point out that the standard, illegal MP3 files that populate P2P networks are in some ways more secure than Microsoft's DRM-enabled WMA files. And that's a sad commentary on the industry's efforts to persuade consumers to accept DRM-enabled content. What Microsoft needs to do is release a critical update that closes that loophole.
Another adware possibility for this would be WMA files from a copy protected CD - when you play them, ads are launched by IE for related content. -- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. |
|
 suzi Premium join:2004-05-01
2 edits | reply to edbott quote: anyone who is aware of current security practices shouldn't fall for this stuff.
I can agree with that statement, but I think everyone who is concerned about adware and spyware's implications knows that's not the real point. The truth is that there are thousands of uneducated web surfers who *will* fall for this stuff, either because they don't know any better or they just want to click through in a hurry to get to the "goodies". The adware/spyware pushers will use any method to exploit these uneducated web surfers. And the companies, including Dell, profit from this crap.
I installed the same WMA file on an old Win ME box with no protection except AVG free and the free version of Zone Alarm. I ended up with 11 desktop shortcuts for everything from "Get This Weeks Deals from Dell" to "Get Sex Toys Direct", "Hot Facial xxx Shots", and so on. Not to mention all the other crapware. None of them had EULAs except for the GAIN dash bar. That machine was infected faster than you could take a couple of deep breaths.
It took me nearly 2 hours to clean it up, and I know what I'm doing. Imagine the "normal" user who doesn't have a clue. The computer becomes essentially useless until it's cleaned up.
These practices are just plain wrong, no matter how you look at it, huge security risk or not.
Edited to add: The entire process happened very quickly and I wasn't taking notes. I think I got a warning asking if I wanted to download and install the GAIN dash toolbar and one for the iSeek toolbar. Those are the only 2 I recall out of all the malware I ended up with.
Suzi aka Spyware Warrior |
|
 eburger68 Premium,MVM join:2001-04-28
4 edits | reply to edbott Ed:
Thanks for posting this summary and for your detailed write-up at your blog site. As will become apparent, I happen to disagree with some of your specific assessments and conclusions, esp. regarding the seriousness of this problem.
You wrote:
said by edbott: I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.
Yes, but there are plenty of users out there who will not be running the "latest and greatest." We still need more information about the effect of these files on earlier versions of Internet Explorer and other versions of Windows besides XP SP2. Moreover, even if a properly patched version of Internet Explorer currently prevents complete stealth installations, I have to wonder how long it will be before we see IE security exploits that can be combined with the WMA DRM features to bypass the XP SP2 warnings. Past experience with IE suggests not very long, and indeed there is already an unpatched exploit that works on XP SP2 -- see:
»news.com.com/Trojan+horse+threat···709.html »securityresponse.symantec.com/av···l.a.html
said by edbott: The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.
Here I think you draw the wrong conclusions. The fact that the programs in question are digitally signed is absolutely no guarantee of their safety. In fact, the proper conclusion is just the opposite. 95 percent (if not more) of the spyware and adware that we see on the Net is digitally signed, and that fact is damning. As has become blindingly apparent, VeriSign will issue digital certs to just about anyone, including the worst of the worst who force-install porn dialers on unsuspecting users' computers.
All that digital cert really guarantees is that program was signed by the holder of the cert (whoever that is) and that the program was not altered in transit. It cannot provide users assurances as to the trustworthiness of the holder of the cert, the vendor's privacy practices, or the safety of the program itself.
Finally, as Ben noted in his comment on your blog (see »www.edbott.com/weblog/archives/000340.html ), the installation practices used here hardly "make it clear what you're getting."
said by edbott: The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.
This part needs to be emphasized. What we have here is yet another channel for spyware and adware vendors to spring unwanted software on unsuspecting users in completely confusing circumstances. Even though the software is not installed automatically on a properly patched version of Internet Explorer at present, many users will be justifiably confused and think that they must install the program. We already know this happens at web sites that initiate the installation of third-party ActiveX controls. When users encounter this sort of installation prompt in the context of playing what looks to be a DRM-protected media file, it is even more likely that users will come to the erroneous conclusion that the installation is required.
said by edbott: You are most likely to acquire one of these "poisoned" WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.
Given that we only just recently discovered this technique for installing adware and spyware, I think it is far too early to declare this problem to be limited primarily to P2P networks. Certainly the first examples of rogue WMA files have been encountered on a P2P network, but as I emphasized in my first post in this thread, I regard the P2P angle to be a red herring.
I don't think it will be too long before we start seeing these WMA files outside of P2P networks -- on porn sites offering free "sneak previews," for example, but also on apparently legitimate music sites offering free and legal samples of music available for legitimate download and purchase. Indeed, one can easily spin out a whole raft of potential uses for this particular "feature" of WMA files.
What this does is open a whole new adware channel for web sites and companies looking for new sources of advertising revenue. If you're running a music site, for example, no longer do you have to mar your main web site with sleazy drive-by-downloads -- now you can bundle adware more discretely through the media files offered by the web site. And think how remarkable it is that Overpeer has decided to turn to adware to improve its financial base! Will others start to follow that example? Let's hope not.
said by edbott: If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.
Yes, and that's good to hear. But the majority of the world is not running XP SP2. And as your own testing revealed, even XP SP2 users may encounter the ActiveX Security Warning box if they're running WMP 9 because, as you noted, "it appears that the instance of IE that is being hosted in the WMP9 License Acquisition dialog box is not interacting properly with the security restrictions in SP2" (see »www.edbott.com/weblog/archives/000340.html ). And the minute users encounter that warning box -- which we already know most users find inherently confusing and disorienting even in the context of web pages -- they are at risk for mistakenly installing software they don't want or need, as Ben properly emphasized.
said by edbott: If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn't test this scenario.
All of this is good advice, but again many users will not have restricted ActiveX controls in the Internet zone -- they will have accepted the defaults assigned by Microsoft. Moreover, many users will find it too inconvenient to disable ActiveX controls, as doing so can lead to a raft of broken web sites -- a confusing and frustrating experience for non-techies.
said by edbott: Clearing the option to acquire software licenses automatically seems to have no effect on this exploit.
Here you raise something else I'm not clear on: PC World recommended unchecking the "Acquire licenses automatically for protected content" box. That's great. But then what? Presumably users then get a prompt to acquire license information when they attempt to play the WMA files. And, of course, most users are simply going to click through the prompt box to get the license information, at which point we're right back where we were with an adware installation being launched. How would users know to do any differently?
Edit: I now understand that on your blog you've essentially confirmed that unchecking "Acquire licenses" doesn't substantially address the problem.
said by edbott: I don't see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX "push" installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn't fall for this stuff.
I'm sorry, but I'm going to have to disagree with you here. I think the potential for abuses with this new method for pushing adware and spyware on users is very serious and shouldn't be pooh-poohed. And we shouldn't in any way be suggesting or hinting that the users are themselves the problem here -- they are not. As Ben emphasized, the problem is the media files.
It is absolutely inexcusable that media files should have ever become a vehicle for pushing spyware and adware on unsuspecting users. Media files should simply not be a vehicle for adware installations. Period. That there are preventative measures for this unwelcome behavior and functionality is no excuse for the problem itself. It should have never existed in the first place.
The real story here is Microsoft's poor implementation of DRM. Indeed, the truly cynical could now point out that the standard, illegal MP3 files that populate P2P networks are in some ways more secure than Microsoft's DRM-enabled WMA files. And that's a sad commentary on the industry's efforts to persuade consumers to accept DRM-enabled content.
Eric L. Howes |
|
 edbott
join:2005-01-02 Scottsdale, AZ
| reply to Schouw I've been following this story for a couple of days. At Eric's request, I'm posting a summary of what I found here. You can get all the details of my tests, including some screen shots, at my blog, where comments are welcome:
»www.edbott.com/weblog/archives/000340.html
The PC World story contained several errors and some misleading statements.
I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.
The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.
The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.
You are most likely to acquire one of these "poisoned" WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.
If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.
If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn't test this scenario.
Clearing the option to acquire software licenses automatically seems to have no effect on this exploit.
I don't see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX "push" installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn't fall for this stuff. |
|
 Schouw Premium join:2003-05-29 Netherlands
| reply to eburger68 said by eburger68: The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.
I've seen similar cases in 2003, so this isn't exactly a new approach. -- Not speaking for Kaspersky Lab |
|
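Both Ed's summary and the eburger68 description that Schouw quotes turn on one mechanism: the DRM header of the .wma carries a license-acquisition URL, and the player hands that URL to an embedded Internet Explorer when the file is opened. A practitioner's first check is therefore to read that URL out of the file without playing it. The Python below is an added example, not code from anyone in this thread. It walks the ASF header objects using the object GUIDs and field layouts published in the ASF specification (the DRM v1 Content Encryption Object, which stores a plain license URL string, and the Extended Content Encryption Object, whose WRMHEADER XML carries an LA_URL element). The sample file it parses is constructed inside the block and is not one of the poisoned files discussed here; the allow-list passed to unexpected_license_hosts is a hypothetical parameter.

```python
"""Read the DRM license-acquisition URL(s) out of a Windows Media (ASF) file
without playing it.  Added illustration; GUIDs and layouts follow the public
ASF specification, and the sample file below is constructed, not real."""
import struct
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
# DRM v1: Content Encryption Object holds a plain license URL string.
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
# DRM v7 and later: Extended Content Encryption Object holds WRMHEADER XML.
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def iter_header_objects(data: bytes):
    """Yield (guid, payload) for each object nested inside the ASF Header Object."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF header")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30                       # 16 GUID + 8 size + 4 count + 2 reserved bytes
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:      # never trust sizes in a hostile file
            raise ValueError("corrupt object size")
        yield guid, data[pos + 24:pos + size]
        pos += size


def _read_lv(buf: bytes, pos: int):
    """Read one DWORD-length-prefixed field; return (bytes, next_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("field overruns its object")
    return buf[pos:pos + n], pos + n


def license_urls(data: bytes) -> list:
    """Every license-acquisition URL the header declares, in file order."""
    urls = []
    for guid, payload in iter_header_objects(data):
        if guid == ASF_CONTENT_ENCRYPTION:
            pos = 0
            for _ in range(3):             # Secret Data, Protection Type, Key ID
                _, pos = _read_lv(payload, pos)
            url, _ = _read_lv(payload, pos)
            urls.append(url.rstrip(b"\x00").decode("ascii", "replace"))
        elif guid == ASF_EXT_CONTENT_ENCRYPTION:
            xml_bytes, _ = _read_lv(payload, 0)        # UTF-16LE WRMHEADER XML
            text = xml_bytes.decode("utf-16-le", "replace").lstrip("\ufeff").rstrip("\x00")
            for el in ET.fromstring(text).iter("LA_URL"):
                if el.text:
                    urls.append(el.text.strip())
    return urls


def unexpected_license_hosts(data: bytes, expected_hosts) -> list:
    """Hosts the player would contact for a license that are not on the allow-list."""
    expected = {h.lower() for h in expected_hosts}
    return sorted({urlsplit(u).hostname or "" for u in license_urls(data)} - expected)


# ---- constructed sample (assumed layout of a minimal DRM-flagged header) ----
def _lv(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def _obj(guid: uuid.UUID, payload: bytes) -> bytes:
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def build_sample(la_url: str, v1_url: str = None) -> bytes:
    """Build a minimal ASF header carrying the given license URL(s)."""
    root = ET.Element("WRMHEADER", version="2.0.0.0")
    body = ET.SubElement(root, "DATA")
    ET.SubElement(body, "KID").text = "AAAAAAAAAAAAAAAAAAAAAA=="   # dummy key id
    ET.SubElement(body, "LA_URL").text = la_url
    wrm = ("\ufeff" + ET.tostring(root, encoding="unicode")).encode("utf-16-le")
    objs = [_obj(ASF_EXT_CONTENT_ENCRYPTION, _lv(wrm))]
    if v1_url:
        objs.append(_obj(ASF_CONTENT_ENCRYPTION,
                         _lv(b"\x00" * 16) + _lv(b"DRM\x00") + _lv(b"KID\x00")
                         + _lv(v1_url.encode("ascii") + b"\x00")))
    blob = b"".join(objs)
    return (ASF_HEADER_OBJECT.bytes_le
            + struct.pack("<QIBB", 30 + len(blob), len(objs), 1, 2) + blob)


if __name__ == "__main__":
    sample = build_sample("http://drm.example.invalid/getlicense.asp?cid=1")
    print(license_urls(sample))
    print(unexpected_license_hosts(sample, ["drm.legit-store.example"]))
```

Declared sizes are checked against the header before any bytes are read, so a file with a bogus object length is rejected rather than parsed. Run over a download before opening it, this tells you which hosts the license prompt will contact; a license URL pointing somewhere other than the store the file supposedly came from is the tell, and nothing about it requires the player, ActiveX, or a click.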
  GercekSeytan Rockin' with Raki Premium join:2001-10-19 Turkey | reply to bedelman Re: which programs get installed
Great link. Thanks much. |
|
 bedelman Premium join:2004-06-20 Cambridge, MA
| reply to bobince Andrew:
That's another great find, as usual.
I took a look at one of these WindowsMedia files, let it install on a test PC, and made a list of what programs I got. 31 programs, 11000+ registry entries. Not a pretty sight.
Write-up and selected screen-shots »www.benedelman.org/news/010205-1.html .
Ben |
|