How does it work?
I haven't seen anyone mention how the redirect to download PLAY_MP3.exe is performed. The post you link to as well as the mcafee write up doesn't explain the mechanics. Anyone have any clues?
Hundreds of thousands of examples of a new Trojan that poses as a media file have flooded onto P2P networks. Since Friday 2 May more than half a million instances of the Trojan have been detected on consumer PCs, according to net security firm McAfee. The anti-virus firm reports the spread of the Downloader-UA.h Trojan as the …
So just check where the cash is going and arrest them. I think it cannot be easier...
Or just let it be. If somebody's stupid enough to install that crap - let them watch adverts as punishment. As long of course it doesn't download any more crap onto infected box. That would be a good punishment for all stupid people. Also nice money earner for all Win support people ;)
Listen to me AV makers!!!
Actually, I expected this attack to come from the studios themselves. Not in the form of a virus, but in the form of tagged or watermarked files that would instantly identify themselves as stolen on a simple scan.
Keep in mind, when you're stealing files through these services, you have NO IDEA what you're getting. I used a service many many years ago to download MP3s of files I had CDs for, but that were too scratched up to rip properly. I dowloaded a few hundred files, and in the end deleted nearly all of them. Many were cracked files that beeped loudly in the middle, many were live cuts of poor quality, some even the wrong songs, others had lead-in and lead-out issues. It was a MESS!
I invested in a CD refinishing system, cleaned all my disks, and ripped them.
I have NO illegal files on my machine. I do rip music from some digital music stations for songs I don't justify paying for, but that's not (currently) illegal. I have over 12,000 songs according to itunes, and every one was legally purchased on physical media and ripped, paid for online, or streamed from a free music source.
To all you kiddies out there that por through torrents to get all the free stuff you can, first of all sooner or later you're going to get nailed by a virus like this or worse, second, you'll ned up starting all over from scratch regularly since likely you have no backup for your hundreds of GBs of data...
are you not prompted by windows that play_mp3.exe is attempting to execute and given the option to cancel it? If you're stupid enough to think "Ooh yes - I'll run this unrequested software to play a file that I've just downloaded from an unknown source" then no amount of security/anti virus solutions will ever save you.
Actually I think you're wrong there. although you haven't exactly stolen the music, you didn't buy it in its digital format, you purchased the right to listen to it in cd format. I believe you're allowed to burn a copy on another cd, but the whole crux across mp3 players is the fact that the original rights (And current if I'm not mistaken) do not allow you to convert the format with which you originally purchased your music (in your case, cd). see http://www.telegraph.co.uk/news/uknews/1532681/Why-you-are-breaking-the-law-every-time-you-copy-a-CD-to-your-iPod.html
of course they won't prosecute you for doing that, but it remains that alas you cannot state you have no illegal files on your machine, since if you purchased the cd's and not a digital copy, all your music is still by law illegal.....
or maybe i got the wrong end of the stick. Of course you're still above freetards, or you have way too much money from their point of view, either is arguable. I buy a lot of music, but it comes down to I like hearing music before I pay money for it, since i don't want to buy something that sounds rubbish. If I like it, I pay for it. If I don't, I bin it. Only do this for a couple of albums a year but since there's no way to hear a full album through and through without paying for it I guess I have a problem.
How can an MP3 file redirect the user to download an EXE? An MP3 file is just a bundle of data, and the OS will start a separate program to play the file when it is launched. This stuff isn't rocket science. Are we talking about a Windows Media Player vulnerability? Or a misleadingly labeled file, which users are too lazy to check?
The McAfee blog post neglects to make any explanation, and thus makes the company seem rather clueless. Parroting their nonsense verbatim, without even questioning their competence, makes the Reg seem like just another news outlet without a clue about tech. Come on guys, surely you can do better than this!
Near the end of the linked article (after the list of file names) it says:
"If users agree to download and run PLAY_MP3.exe "
If that is really how it works, then it is hardly a new vulnerability - and the users would have to be *really* stupid - so that growth that rapid would seem unlikely.
So I would guess it's something else. But as you say it's not explained.
Good question, Ben Shurey. It turns out that this is the usual case of misreporting. The downloaded media files in question are not actually MP3 or MPEG files, they are actually disguised Windows Media files containing a script, and they have to be played by our old insecure friend Windows Media Player in order to be activated. They they prompt the user to download the application PLAY_MP3.EXE, which they will do only if they are an idiot.
Sounds like you should have found a better source for your MP3s. "I found this newspaper in the street and its total crap, I can hardly read it! I'm not going to get another newspaper again!" seems to me :)
Most of the "kiddies" I know use a strict off site backup procedure (giving files to friends) :)
I guess you must not live in the US or Canada as taping music off any radio station is a violation of the law, as is recording tv shows, movies, or games onto a set-top dvd-recorder or vcr.
If someone downloads music, movies or whatever software they want then get hit with a virus fair enough, but don't get on your high horst talking about how holier than though you are when you admit to copying songs off digital radio.
Linux is still the best.
Well Michael C aren't you the perfect person?
You now have no illegal files on your PC but think you have the right to preach to others about tihngs you illegally did a "While" ago.
Why don't you crawl away and preach to others who give a phuck about your little sermons. Why do you think anyone is interested in what you have/don't have on your PC?
If I was the RIAA I would track you down and sue the be-jesus outta you.
I have downloaded hunderds of tracks on P2P and have never had the problems you mention. Maybe you are better suited to playing Solitaire rather than attempting big boys stuff as you clearly are inadequate.
Let's face it, if it was called ClickOnMeAndGetAVirus.mp3.exe they would still click on it.
Ways need to be found to prevent the clueless gullibles from having to deal with this kind of stuff. Seriously. We don't put our grannies in lions cages, do we?
I use Apple Macs (as I can't be arsed with all this security jive) and tell all the clueless gullibles I come into contact with to do the same but often they are guided by other clueless gullibles and end up as members of the BotNet army, or worse.
There should be clear guidelines for this. If you have no technical interest or capability, don't keep up with the latest in Windows security news, can't be bothered to keep updating and scanning and paying subscriptions and yet are gullible and curious about porn, gossip, celebs, music, etc. then do NOT buy a Windows PC. The same is especially true for all the poor clueless gullibles that are running ripped-off Windows and so don't even have access to the Windows Updates.
Unfortunately it seems that the do NOT is usually a DO...
Shouldn't there be a government warning on Windows boxes?
WARNING! USE OF THIS SOFTWARE WILL LEAVE YOU VULNERABLE TO INTERNET CRIMINALS AND DODGY FIRMS. USE AT YOUR OWN RISK.
In most modern nations it is considered to be part of the role of the state to ensure that a minimum level of health is maintained in the general population. This is not just a human right, but also ensures that the workforce is fit for their jobs and minimises the wider social burden of ill health. At the moment, computer health and safety is in the same position as human health and safety two hundred years ago. It's the role of the individual to take care of themselves. However, with electronic fraud on the increase, and with costly attacks on websites etc, I wonder if a case can be made that the provision of PC healthcare should be partially the responsibility of the state.
The issue of P2P is similar to that of STDs or hard drugs. As P2P becomes increasingly criminalised, the ability of the AV companies to deal with viruses that originate on P2P networks will be reduced, and the harm done by the nasties will increase. As businesses find their networks devestated and data security compromised by new viruses brought in from home by users on their mp3 players or downloaded through the Tor system, the social burden of P2P prohibition will balloon. It may even reach the point where the cost to society of free downloads through an open and legal P2P network is LESS than the cost to society of a smaller but much more widely trojan and virus ridden underground P2P network.
In the long term, the more we become dependent on personal computing as a society, the more important proper home PC healthcare is. Just as in real life, we have to weigh up the good health and security of the global IT infrastructue with the costs this will entail and the immorality some people may feel liberalisation encourages. There are many examples of industry-harming and/or unpopular social changes that were brought either directly or indirectly for H&S reasons; eg, child labour laws, Unionisation, the compensation culture, seatbelts, public smoking bans, free condoms from the NHS, etc etc. Will the IT world follow suit?
Try not to break your arm when you fall a great distance off your horse ;-)
The comparison of the benefits of saving music from streams as opposed to torrents etc is ridiculous and unfounded.
You get those streamed songs for free. The artist doesn't benefit, the wider sharing community don't benefit - if anything you're wasting valuable bandwidth!
As a mad torrent seeder and leecher, I think it's worth noting I buy 5 times the number of DVDs, CDs and vinyls than any of my non-sharing friends would purchase. Seagate also profit greatly from my purchase of NAS stations and external backup systems!
What a daft argument - sharing is caring - vast difference between pirates and sharers!
Mine's the one with built-in earphones and mp3 flash drives...
"To all you kiddies out there that por through torrents to get all the free stuff you can, first of all sooner or later you're going to get nailed by a virus like this or worse, second, you'll ned up starting all over from scratch regularly since likely you have no backup for your hundreds of GBs of data..."
Point 1: Loads of rubbish - easy to avoid the crap if you have half a clue
Point 2: Rubbish. HDDs can be easily backed up, as many times as wanted, and have as good as/better shelflife than physical CDs.
However I am so glad you're perfect.
All references to this virus seem to end up back at McAfee and their description of the virus outbreak leaves something to be desired.
They say once you attempt to load one of the dodgy mp3 files you are 'directed to download' a bit of malware.
'Directed' how?
Is this exploiting an OS or application flaw to execute code from the mp3 file and show a popup or something?, is it just a case of filenames with executeable suffixes hidden by Windoze (FFS who at M$ came up with that idea?) or is it simply a voice on the mp3 saying "please download our malware dumbass"?
An exe file is not an mp3. Even the jaded hacks at El Reg should agree with that. It's like claiming a file titled "Free Porn.txt" has pictures in it. Only my grandmother might fall for that. Actually, no, she wouldn't fall for it. Mcafee is carefully positioning itself as the security tool for idiots. I wonder what they'd do if a real virus came along. Probably wet their nickers.
"I guess you must not live in the US or Canada as taping music off any radio station is a violation of the law"
Um... as far as I remember, it isn't. VCR taping and radio taping is perfectly covered by fair-use rights law, which was fought back in the 80's when VCRs became popular.
Trouble is when you try to rip CD to mp3, or copy your legally-owned DVD. Thats where DMCA steps in.
"They are actually disguised Windows Media files containing a script."
Hm... this is a recurring theme in so-called data file exploits, isn't it? Started with Word templates posing as documents, continued as Windows Metafiles posing as JPEG images, and now Windows Media scripts posing as MP3s.
Need I go into how to prevent getting exploited before the fact again? No? Good.
Back when the WMF fiasco happened, a certain site I hang out on banned all images from their forum. I suppose next they'll ban all MP3 links. Go on, tell your webmaster to ban MP3 links... I have my laugh track (in MP3 format of course) standing by.
It is not strictly lawful to read someone's newspaper over their shoulder. But you wouldn't expect the newspaper to take peeps to court to make them buy their own copy.
Really, since the issue lately has been copyright fair use, we should talk fairness. I think it's fair to make backups of any media I have bought. Wikipedia claim fair use of hundreds of thousands of images, and everyone keeps quiet. Just like a university would claim fair use over their banks of photocopiers next to the library.
You know, I should really be in charge.
"To those who claim that duplication is the line at which the law comes into play... I thought it was actually *technically* illegal to play a radio in a work / public place, no?"
Well, no. If you are using music in a retail establishment like a store, restaurant, or bar, you are required to pay a royalty and be licenced by the appropriate music licencing agencies. (ASCAP etc in the U.S.; SOCAN in Canada)
If you use someone's music without permission, and without paying the appropriate royalties, then yes, I guess you could call it "illegal", but then again it's also illegal to operate a business without a Business licence, to build your restaurant without a building permit, and to hire staff without paying minimum wage.
(Paris, who sheds a tear for musicians who go unpaid and unloved)
Nick,
With statements like "I use Apple Macs (as I can't be arsed with all this security jive) and tell all the clueless gullibles I come into contact with to do the same" and "If you have no technical interest or capability, don't keep up with the latest in Windows security news, can't be bothered to keep updating and scanning and paying subscriptions and yet are gullible and curious about porn, gossip, celebs, music, etc. then do NOT buy a Windows PC", how are we supposed to interpret your comment?
It really seems that you believe the Mac is the best computer for an idiot.
I don't think that was the intent of your comment, but it came off as such to at least me and A.C.
Just my $0.02
AJames is pretty much correct.
It's a little known fact that WMV files can contain 3 types of data stream: audio, video, script. The script stream can contain captions and URLs. Scripting adds bookmarks to the media file at specified timecodes, and when the player "runs over" the bookmarks when the movie plays, it triggers the action.
The virus writer has probably created a WMV with a script stream containing a URL to the virus executable, which Media Player will happily offer to download and execute. IIRC Windows Media Player is also happy to play WMV files that have MP3 extensions, without reporting this anomaly to the user. Thanks, BillG!
I never thought that you would post Politicaly Correct stuff, but would just tell it like it is :)
Windows looks at the file and if it can not play it then looks at file info, if the file is fake and says that it needs a codec to play it then windows media player asks the user if downloading it is ok :(
Windows also hides the file extentions of cretain file types as its default setting, such as .exe and .scr :(
Paris because even blonds where a condom when needed
I imagine that loads of people don't even have the chance to see the virus at all, since Operating Systems are all to eager to hide file extensions for us. In some situations the dialog box might have just said something to the effect of "PLAY_MP3? Yes/No" That isn't helpful to anyone at all.
And I highly doubt that this trojan /just/ displays ads. Trojan writers realized a long time ago that it was fun to download 400 friends as soon as they have a foothold on a machine. That more or less renders a computer useless, and provided me with a nice stream of income to fix them for a few years.
But yeah if you pay just a tiny bit of attention when stealing your files, it isn't exactly hard to pull off. I personally do all of my downloading on my Slackware file server, then automatically scan completed downloads with ClamAV. That combined with a little common sense allows me to safely avoid wasting the resources to run a virus scanner on my last Windows computer.
And to whomever said hard drives couldn't be backed up... Magnetic storage is quite cheap, and they make these things called Redundant Arrays... If you're just worried about the quoted 'Hundreds of GB' then you really have no problems at all. I believe that my ~4.5 TB (after raid5 losses) is rather trustworthy. Probably more so than the equivalent stored on fragile and low-density optical media. I'd have to keep an entire room just to store the stuff, and then I wouldn't have a chance in hell of keeping it organized or finding things that I wanted.
Honestly even if I liked recent music and had money to buy CDs, getting out to a music store, dealing with their employees and other customers, and then ripping the CD is far too much of a pain in the ass. It takes me all of about 90 seconds to find and download a decently high quality mp3 version of an album, so anything else just isn't worth the effort.
And I don't know how new this is... I've seen wmv/wma files on sketchy P2P years ago that tried to open a link to download an executable when it finished playing. It might not have been a trojan, because I didn't check, but I highly doubt that it was something good. I figured that MS would have taken some steps to prevent abuse of that particular 'feature' by now.
In the early parts of the 20th century, America saw a decline in morals and blamed alcohol for it. Virtually overnight, the sale and consumption of alcohol was made illegal and the Government (and the Moral Minority) patted itself on the back and closed the books on alcohol. But making something non-legal does not abolish it - people started trading alcohol "under the table" and it wasn't long before dedicated distribution methods (the "speakeasy") popped up and catered to the demanding market. Eventually, the criminal element saw that a lot of money could be made through manipulating these "speakeasy"s and took them over, helping finance their other activities (such as gambling, etc). The Government, aghast at having offered such a playground to the criminal element, tried unsuccessfully to stop people from buying and drinking alcohol by making more laws and making the sentences harder. It didn't work. Eventually, pressured by both its inability to stem the tide of underground boozing and the backlash of the general public, the Government repealed the Prohibition Act. Unfortunately, it was too late - Organised Crime was here to stay in the "civilised" world.
Nice little history lesson, innit?
Tell you what - let's change a few words and see what we get:
In the later parts of the 20th century, MPAA/RIAA saw a decline in sales and blamed file-sharing for it. Virtually overnight, the creation and distribution of media files was made illegal and the Government (and the MPAA/RIAA) patted itself on the back and closed the books on file-sharing. But making something non-legal does not abolish it - people started trading media-files "under the table" and it wasn't long before dedicated distribution methods (P2P networks) popped up and catered to the demanding market. Eventually, the criminal element saw that a lot of money could be made through manipulating these P2P networks and took them over, helping finance their other activities (such as drugs, etc). The Government, aghast at having offered such a playground to the criminal element, tried unsuccessfully to stop people from creating and spreading media-files by making more laws and making the sentences harder. It didn't work. Eventually, pressured by both its inability to stem the tide of underground sharing and the backlash of the general public, the Government repealed the DRM Act. Unfortunately, it was too late - Organised Crime was here to stay in the "virtual" world.
Yeah, yeah, I know - there's no such thing as the DRM Act. Replace it with your local equivalent.
The point is: alcohol was made illegal and that didn't work. Eventually, a better set of *distribution and consumption* rules and methods were created and those worked much better thankyouverymuch. Unfortunately, by then it was too late to get the criminal element out of the equation.
It seems the same mistakes are now being made with regards to media-files - instead of working out a better "distribution and consumption" set of rules and methods, we have the MP3 version of the Prohibition. Care to take bets on how this one will run its course?
Especially when you have no clue. Downloaded files unusable? Most of them are only good for preview purpose. Most of them end up in the bin. Right. But most "freetards" you seem to dislike so much use them as such, so what's your point? You're ripping radio casts. ILLEGAL. Plain, genuine, illegality. You see the bad sound quality as a proof that the filesharing crowd is stupid because it doesn't prevent you from buying the CD. You infringe copyright from other, better sources that allows you not to buy the CD. You're a freetard, Michael C. and the worst kind. Sorry to break your self-proudness an silly dreams.
Bad day for the freetards, some of you seem to think. I think more like "yet another warning about Micro$haft vulnerabilities". So it's actually a very, very good day for everyone, freetards and non-freetards, MS users or not -those with at least half a brain, that is.
I have a vague feeling that DRM is to blame to the success of this outbreak. DRM sometimes requires an application to run alongside that mp3 to authorize the computer and/or decode the mp3, people have come accustomed to running said applications to play the mp3s. Most of these people who run this 'exe' file are not technically inclined and don't know when to draw the line between DRM and a virus nowadays.
We now have a situation where people no longer CAN know the difference if an MP3 will play without this exe because of what the studios and corporates with their own DRM have caused.
Soon enough if DRM is allowed to continue going out of control like this, we will get situations where nobody, not even the IT people will know when some "DRM player", "DRM system authorizer", etc is really a virus. Refer to the Sony rootkit incident for example, people didn't know that sony was installing something akin or worse(?) than a virus with this system until it was months into the situation.
Do we really know what Windows Media player does behind the scenes nowadays? Do we really know what iTunes/Quicktime does behind the scenes nowadays? Do we really know what ANY DRM-enabled player does behind the scenes nowadays? I wager not, and of course, the source code cannot be released for review due to the fact corporates forbid it as it would release their "trade secrets", which there are laws protecting.
Until DRM is totally eliminated, this problem will just escalate.
and yet I carry on and don't give a crap. While I'll never have time to go through all the 150gb of MP3s that I've downloaded, I've never come across one infected with a virus or spoiled in some other way.
@Michael C - it's good for a man to know his limitations, and obviously coping with the technicalities of bittorrent downloading is one of yours. I'd like to thank you for sponsoring the music industry so that I can carry on enjoying unlimited music and software for free.
Paris because she probably knows a thing or two about nasty viruses.
hey mike, just had to throw in my tuppence worth on that crock you wrote. most points have already been addressed, but the last paragraph is something i have to come back on...
"To all you kiddies out there that por through torrents to get all the free stuff you can"
well i download a fair bit of stuff from torrents but i ain't a kiddie, either from the perspective of age or technical knowledge...
"first of all sooner or later you're going to get nailed by a virus like this or worse"
as a professional reverse engineer and malware researcher i doubt this is gonna happen... but thanks for your concern
"second, you'll ned up starting all over from scratch regularly since likely you have no backup for your hundreds of GBs of data..."
again cheers for the kind thoughts, but you'll be relieved to know that i have a very thorough system of backups across my machines that ensure that i have at least two and even sometimes three copies of all my data! including all my music and films:o)
Re: And to whomever said hard drives couldn't be backed up... Magnetic storage is quite cheap, and they make these things called Redundant Arrays...
No, you don't use redundant arrays for backups!
RAID arrays are used for fault tolerance. Backups should be held on a different storage devices, not the RAID array.
The issue is if the RAID array becomes infected, or somebody deletes files, then all hard drives in the array will be affected.
funny thing this guilt.
no matter what one does some politically correct anal representitive will say that it is illigal or amoral and will try to pass some screwy law to screw the majority that does not like them in first place... so by this defenition alone we are all guilty. the entertainment industry gestapo screams at us and prosecutes us for listening to music or for watching movies that they produce. goverment screams threatens us for not paying taxes for which they spent like there is no tomorow on worthless crap that no one really needs except for neccesary basics. churches or religious zelots threaten cajole along with screaming at us for not being moral enough by their so called standards(i wonder if goat/sheep sacrifice at midnight counts as an amoral while praying to l ron hubbard ?). i know i missed a few add more if you want.but unfortunetly i have no guilt complex whatsover when it comes to ripping music watching what i want annoy government when possible and piss off any and all religious nutters for my personal enjoyment( some of them have very funny looks when you go against them my fav is when they start ot twitch and foam at the mouth). i do all that so i can annoy these so called politicaly correct anal cavaties with small brains and big multiple orafices that spew crap over everything in range with ever higher efficiency. any how that is my two cents...
i read the blog it seems to be a pre eliminary evaluation as to what it does.we will know soon enough all the details as with everything it will take time and some skull work( some of us seem to forget that part). so critisizing it for being in lacking info is just saying i am a rotten kid and cannot wait for that candy gimmie gimmie gimme or i will throw a tantrum.(if you cannot wait do the work yourself)
as for comment about registered p2p usually kill infected uploads its load of rubbish. i personally had seen files that had been infested with malware, trojans, viruses sit there on trackers for months or longer even after they had been flagged.
as for the comments from both macs linux windows users keep this in mind no matter what os or kit you are using it will be exploited at some point no matter what you say or do even if you follow strict or very strict use policies you are not invincible you are not god/s.
You see I think that it wold be fairer to say that the retards are having a bad day. The Free bit has little to do with it in this case, IMO.
If you can't tell an executable from an MP3 then what do you expect? If you fall for that then you'd probably open a dodgy file if it was emailed to you, or whatever.