
eburger68
Premium,MVM
join:2001-04-28


edit:
December 29th, @10:33PM

Adware Installed through WMA Files

Hi All:

PC World has a pair of articles about a potentially dangerous new development on the spyware/adware front: WMA (Windows Media) files being used to install adware and spyware. See:

Risk Your PC's Health for a Song?
»www.pcworld.com/news/article/0,a···6,00.asp

Protect Yourself From Audio Adware
»www.pcworld.com/news/article/0,a···3,00.asp

In short, the well-known copyright management/protection firm Overpeer has figured out how to install adware through Windows Media files. The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.

Some might be tempted to dismiss this new method for distributing adware and spyware as a risk only for those using P2P networks. That snap judgement would be a mistaken and misguided one, though. The P2P file sharing angle on this story is a red herring.

The problem here involves the DRM features of Windows Media, and those features create a new and potentially very effective means for adware vendors to push unwanted software on unsuspecting users who have no interest whatsoever in using P2P networks to trade unauthorized music files.

I should caution readers that the PC World article, while detailed, is still short on specifics and that we still need more information. That said, users should be advised to take the usual steps to protect themselves against adware and spyware. At a minimum that involves:

* locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting);
* installing spyware prevention utilities such as SpywareBlaster and SpywareGuard;
* installing at least two reputable anti-spyware scanners and keeping them updated;
* keeping your system updated through Windows Update.

In addition to the above, PC World recommends tweaking the settings for Windows Media Player:

said by PC World:
* Change Windows Media Player setting to give you more warning. Select Tool, Options, Privacy and turn off 'Acquire licenses automatically for protected content'. A dialog box then will warn you each time a protected file attempts to get a license, and it will display the URL from which the file intends to request the license. If you have any doubts about the site, choose 'No.' Changing this setting in Windows Media Player will affect any other players you use that support Microsoft's DRM scheme.

Also, it *appears* that merely switching your default browser to something other than Internet Explorer will not be sufficient to eliminate the threat, as Windows Media Player uses the Internet Explorer engine to open browser windows that function as dialog boxes. Even if you're not actively using Internet Explorer, you should lock it down to prevent its being exploited by rogue WMA files.

If and when more information becomes available, I'll post it to this thread.

Best,

Eric L. Howes


Portmonkey
I'm Your Boogie Man
Premium
join:2004-04-09
Southern IL
  Thanks for the info. I just turned off the "Acquire licenses automatically for protected content".


mers2
Premium,MVM
join:2004-03-20
USA
clubs:
·AT&T DSL Service

reply to eburger68
This could be a nightmare if this loophole becomes widely exploited. Even users who know better than to click on links or "yes" on dialog boxes might not think twice about clicking to view a WMA file. Another avenue of education to put forth. Thanks again, Eric, for some valuable information.
--
"Think for yourself and let others enjoy the privilege of doing so too." - Voltaire


Dustyn
Premium
join:2003-02-26
Ontario, CAN


edit:
December 29th, @10:59PM

 reply to eburger68
Wow!

Excellent article eburger68... good find!

I rarely play WMA's but, it is worth looking into the WMP settings and turning off "acquire licences automatically for protected content".

Scary man..

suzi
Premium
join:2004-05-01


edit:
December 29th, @11:07PM

reply to eburger68
Thanks for this disturbing information, Eric.

The newest version, Windows Media Player 10, does *not* make it easy to locate the options for the player. It took me a while to find the location. With the player open, click the "now playing" tab, then click the small button below. You won't see options yet - you have to mouseover Plug-ins, then move over to the options tab. There you can essentially neuter the darn thing. It will also attempt to hijack your file associations. After installing this new version, I was tempted to uninstall it, go to oldversion.com and download an older, less annoying version.

Edit to correct grammar.
--
aka Suzi, Spyware Warrior


Steely
I used to have OOL
Premium
join:2000-10-15
Princeton Junction, NJ

edit:
December 29th, @11:36PM

I had no problem finding that option and there are other ways to access it.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
reply to eburger68
Yet another reason why DRM = evil. How long before malware writers exploit this vulnerability?

vic102482
Premium
join:2002-04-30
Upper Marlboro, MD
·Verizon FIOS

reply to Portmonkey
said by Portmonkey:

Thanks for the info. I just turned off the "Acquire licenses automatically for protected content".
Lol that should have been done even without this development;).
--
I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!!

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

In Media Player 9, turn on the menu bar if it's off (by clicking the double arrow near the top of the screen). Then click Tools, Options. Go to Privacy tab. Turn off "acquire licenses automatically" here. Heck, uncheck everything on this page while you're there.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.


mastervirus5
Premium
join:2004-07-05
North Charleston, SC
clubs:
Re: WMA -- Base install

I know when I installed WM 10 it asked me and before I even came onto this article I turned it off. Don't ask me why, but if Microsoft says it's a default then I change it immediately.

starfish8

join:2004-06-30

reply to kpatz
Re: Adware Installed through WMA Files

said by kpatz:

In Media Player 9, turn on the menu bar if it's off (by clicking the double arrow near the top of the screen). Then click Tools, Options. Go to Privacy tab. Turn off "acquire licenses automatically" here. Heck, uncheck everything on this page while you're there.
I'm still using WMP 9. Is there any reason to think that WMP 10 is more (or less) secure?


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
·AT&T U-Verse
·RoadRunner Cable
·AT&T Yahoo

reply to suzi
I've been tempted to upgrade to WMP10, but after reading
this, I'll pass on it. Thanks a lot, Microsoft. If there's
one annoyance I can't stand (other than spyware/adware),
it's applications hijacking file associations. It sounds as
if Microsoft is getting as bad in this area as Real
Networks.

As for the booby-trapped WMA files, how long before legal
downloan (yes, the files should be called that, because
you are in effect only renting them) services start
pulling this crap?
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.

Wai_Wai
A Guy Who Enjoys Thumb-Up

join:2004-07-30


edit:
December 30th, @08:09PM

Use these music players instead.
Windows Media Player + QuickTime Player + RealPlayer may add too many unnecessary features, add a lot of things to your system, and make them bulky, and so on...

Or if you hate installing a lot of media players just for the sake of opening their related file associations...

Use the much lighter ones all-in-one media player (for free! :P):
The music player (light and simple), it can replace Windows Media Player:
»www.free-codecs.com/download/Med···ssic.htm

To replace QuickTime, add this plug-in:
»www.free-codecs.com/download/Qui···tive.htm

To replace RealPlayer, add this plug-in:
»www.free-codecs.com/download/Rea···tive.htm

Note: You may experience some minor problems when opening some RealPlayer or QuickTime files. If that is the case, close and re-open the music player, and opening the files should work again.


GercekSeytan
Rockin' with Raki

join:2001-10-19
Turkey
reply to eburger68
At last my paranoia paid off. DRM is off in both IE and in my GP settings.
--
Lord, aint it a shame...in all this comfort...can't take the strain...


WFO
Premium
join:2001-08-27
San Ramon, CA
reply to eburger68
LOL..Windows Media Player doesn't even get internet access on my laptop.:D


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25

reply to Wai_Wai
said by Wai_Wai:

Use these music players instead.
Windows Media Player + QuickTime Player + RealPlayer may add too many unnecessary features, add a lot of things to your system, and make them bulky, and so on...

Or if you hate installing a lot of media players just for the sake of opening their related file associations...

Use the much lighter ones all-in-one media player (for free! :P):
The music player (light and simple), it can replace Windows Media Player:
»www.free-codecs.com/download/Med···ssic.htm

To replace QuickTime, add this plug-in:
»www.free-codecs.com/download/Qui···tive.htm

To replace RealPlayer, add this plug-in:
»www.free-codecs.com/download/Rea···tive.htm

Note: You may experience some minor problems when opening some RealPlayer or QuickTime files. If that is the case, close and re-open the music player, and opening the files should work again.
I agree with these non-bloated players. They are awesome.

However, I am having problems playing back some QuickTime MOV files that just lock up Media Player Classic v6.4.8.2 (QT Alternative v1.3.9). It happens on my old P3 1 GHz system with Windows 2000 SP4 (all updates) and Athlon 64 3200+ machine with Windows XP Professional SP2 (all updates).

Example file: »mp3content03.bcst.yahoo.com/bmfr···48407.mo

VideoLan Client had no problems. I use this one as a backup media player and it works on many OS': »www.videolan.org/
--
Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check almost daily)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


GercekSeytan
Rockin' with Raki

join:2001-10-19
Turkey
Same thing happening here (WinXP Pro SP2 with all updates).


jack b
Big House
Premium,MVM
join:2000-09-08
Up the River
clubs:
·Optimum Online
·Verizon FIOS

reply to eburger68
Great info.
Another method to "safely" open these files is with Irfanview.
It'll open just about anything, with the associated plugins.
»www.irfanview.com/
Free.
--
~Help find a cure for cancer~Proud Member Team Discovery

bobince

join:2002-04-19
DE

reply to eburger68
I can confirm PC World's story. I was recently sent one of these files.

The way it works as far as I can tell is that protectedmedia.com runs clients on the FastTrack network (Kazaa/Grokster/iMesh) offering what look like porn movies. Actually in the examples I've seen they *are* porn movies, but they're generic, not matching what the various filenames it is offered under might imply. It is likely they are also doing this with audio files too, but I haven't found any searches that will bring them up.

The files are rights-protected WMV. The licence-acquiring features in Windows Media Player involve opening up a window with some sort of licensing agreement; this is obtained by fetching the page from the URL embedded in the file, and then displaying it in an IE-engine subwindow. The trick is simply that the pages in this case contain a number of ActiveX drive-by downloaders, with wording that implies that you have to accept the downloads for the licence-acquisition process to work (in reality, the video plays anyway even if you say no). I don't know if this works on XP SP2... I suspect it does, because I believe the new yellow info bar thingy only applies to IE itself, not WMP.

These install a load of usual-suspects parasites that I'm going through at the moment, including ILookup/HotSearchBar and iSearch (Eric: who are also behind the rogue anti-spyware SpywareAvenger, you might want to note).

I just wonder how long this has been going on. As spyware researchers we've got used to tracking down web-based installers and software bundling, but porn on the P2P networks is something we've not been keeping an eye on until now.

In the meantime, I can only recommend Media Player Classic (which is a whole lot nicer than WMP even without the security considerations), and advise avoiding Windows Media files where possible.

eburger68
Premium,MVM
join:2001-04-28

edit:
December 31st, @01:59PM

Andrew:

Thanks for confirming the substance of this story. Would it be possible to get a copy of the WMA file you have? If so, please email me at eburger68@myrealbox.com.

Best,

Eric L. Howes