Broadband Tech > Security > Security > WMP Adware: A Case Study in Deception

WMP Adware: A Case Study in Deception

WMP "Security Upgrade"

"License Acquisition"

"Ultra Web Host LLC"

"Required Media Player Version 9 Browser Update"

said by Microsoft:

---

Security Upgrade
Owners of secure content may also require you to upgrade some of the DRM components on your computer before accessing their content. When you attempt to play such content, Windows Media Player will notify you that a DRM Upgrade is required and then ask for your consent before the DRM Upgrade is downloaded (third party playback software may do the same). If you decline the upgrade, you will not be able to access content that requires the DRM Upgrade; however, you will still be able to access unprotected content and secure content that does not require the upgrade. If you accept the upgrade, Windows Media Player will connect to an Internet site operated by Microsoft and will send a unique identifier along with a Windows Media Player security file. This unique identifier does not contain any personal identifiable information. Microsoft will then replace the security file with a customized version of the file that contains your unique identifier. This increases the level of protection provided by DRM.

---

said by SpiderSearch.com:

---

By downloading our Free Porn Software you agree to receive ads of adult nature.

---

said by iDownload.com/iSearch.com:

---

2. Functionality - Software delivers advertising and various information and promotional messages to your computer screen while you view Internet web pages. iSearch is able to provide you with Software free of charge as a result of your agreement to download and use Software, and accept the advertising and promotional messages it delivers.

By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to iSearch and/or it's partners, in the form of pop-up ads, pop-under ads, interstitials ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from iSearch affiliates; and install Third Party Software.

In addition, you further understand and agree, by installing the Software, that iSearch and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer, which, in turn, may disable or render inoperative, other software resident on your computer, including software bundled with such adware, or have other adverse impacts on your computer.

---

said by Suzi:

---

I installed the same WMA file on an old Win ME box with no protection except AVG free and the free version of Zone Alarm. I ended up with 11 desktop shortcuts for everything from "Get This Weeks Deals from Dell" to "Get Sex Toys Direct", "Hot Facial xxx Shots", and so on. Not to mention all the other crapware. None of them had EULA's except for the GAIN dash bar. That machine was infected faster than you could take a couple of deep breaths.

It took me nearly 2 hours to clean it up and I know what I'm doing. Image the "normal" user who doesn't have a clue. The computer becomes essentially useless until it's cleaned up.

---

Hi All:

I thought I'd provide a handy run-down of links to information on the WMP Adware story elsewhere on the web:

PC World stories:
»www.pcworld.com/news/article/0,a···6,00.asp
»www.pcworld.com/news/article/0,a···3,00.asp

DSLR discussion threads:
»Adware Installed through WMA Files
»WMP Adware: A Case Study in Deception

DSLR news topic:
»Spyware Hidden in WMA Files

Write-up by Ben Edelman:
»www.benedelman.org/news/010205-1.html

Write-ups by Ed Bott:
»www.edbott.com/weblog/archives/000334.html
»www.edbott.com/weblog/archives/000340.html
»www.edbott.com/weblog/archives/000341.html
»www.edbott.com/weblog/archives/000342.html

Spyware Warrior blog entries:
»netrn.net/spywareblog/archives/2···a-files/
»netrn.net/spywareblog/archives/2···a-files/
»netrn.net/spywareblog/archives/2···edelman/

Spyware Warrior discussion:
»spywarewarrior.com/viewtopic.php?t=8920

Other blog entries:
»techdirt.com/articles/20041230/0···_F.shtml
»www.boingboing.net/2004/12/30/wi···ici.html
»p2pnet.net/story/3421

Slashdot discussion:
»it.slashdot.org/article.pl?sid=0···2&tid=17

Best,

Eric L. Howes

reply to eburger68
Thank you for this fine fine report. It is as interesting as it would be scary for an ordinary user if faced with deluge of requests and popups (and most would succumb long before you did).
Add the desire to view the file, mix that with bona fide file from MS and user will think that anything after it is kosher.

Cudni
--
Whether you think that you can, or that you can't, you are usually right.
Help yourself so God can help you..it does exactly what it says on the sig

Excellent work, Eric.

Just for the record, I am not trying to minimize this. My statement that this is not "new and horrifying" simply reflects the reality that these are the exact same techniques that purveyors of crapware have been using from Web sites for years. The ActiveX dialog boxes you show here are identical in every respect to those that users see when they visit Web pages that push the same software. This is merely a new variation on an old theme.

The reason that spyware and viruses are epidemic is that older versions of Windows make it easy for people to push this crap, and as you correctly note, the confusing interfaces make it easy for naive users to be fooled by basic social engineering.

The bigger problem is finding a way to protect users of older Windows versions from agreeing to this stuff, regardless of where it comes from. If you fix the ActiveX problem in IE, you fix it here. It worked in Windows XP SP2, and there needs to be an equally effective way to make that protection work for users of older operating systems.

Ed Bott
»www.edbott.com/weblog

Eric, have you reported your findings to Microsoft?

I have sent a report to security@microsoft.com. If you actually want a patch to get written, that's an important step. I'll let you know if I hear back. You might want to send your findings as well.

As I've said since Day One, I believe that this is a security flaw and that Microsoft needs to issue a patch to Windows Media Player 9 and release it as a Critical Update. That's a far cry from an "attempt to minimize and pooh-pooh the risk or to subtly suggest that users are the problem for not upgrading to XP SP2 and for clicking through installation prompts."

reply to eburger68
Scary stuff, to be sure.

I've flat-out refused to install any of that DRM junk from the beginning. Looks like I have even more reason to do so now.

reply to edbott
Ed:

You wrote:

said by Ed Bott:

---

The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.

---

said by Ed Bott:

---

But really, isn't that the real problem here? People running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything? ... But how likely is it that the type of user Suzi is describing will download and install that patch?

---

I have a detailed response here:

»www.edbott.com/weblog/archives/000351.html

Quick summary:

My initial response was skeptical, and accurately so. The PC World article said, "PC World has learned that some Windows Media files on peer-to-peer networks such as Kazaa contain code that can spawn a string of pop-up ads and install adware." [emphasis added]. The clear implication was that simply playing a music or video file will install a program on your machine. That turned out not to be true, as you and I have both shown.

My remarks about digital signatures were not intended to justify the purveyors of this garbage or to imply that signed programs are somehow safe. My remarks were aimed at the readers of this forum and my Web site, who are already well informed about spyware and viruses and would be deeply suspicious of these dialog boxes. I was shocked at how honest the license agreements were in describing the crappy things these programs would do. I don't expect a sophisticated, suspicious user to be fooled by this stuff. I also don't expect a naive user to read license agreements ever.

As for "blaming the user," I stand by the remark I made. You are demanding that Microsoft patch this vulnerability. I agree that that should be done. But the reason that viruses and spyware spread is because no matter how hard we try to educate the masses, many people simply don't install patches after they're released. I get virus-infected e-mail messages every day, and my mail server blocks many more. In most cases those viruses can be prevented by a patch that were released three or four years ago. If someone hasn't installed a Critical Update from 2001, why would they install a new one to fix this vulnerability when it's available?

Ed:

I'm happy to let readers peruse your several comments on this issue and make up their own minds as to whether they were appropriate or not.

There are, however, two minor points that you make that I want to repond to:

I should have put "honest" in quotes. How many more ways do I have to say these people are sleazy scumbags?

The one license agreement says it will pop up porn ads on my computer. The other says it will do a whole paragraph's worth of awful things, including installing more spyware. I'm not sure which program is doing the installation of the 31 extras, because I didn't actually allow my test machine to be taken over.

And the fact that it was in the license agreement doesn't make it right or acceptable or "honest." My point is that someone who is suspicious will find plenty of reasons not to click Install; someone who is naive may well be fooled by the social engineering techniques.

reply to eburger68
Quit looking at pr0n

reply to edbott
Ed:

You wrote:

reply to SimpleOne
Wow 10 out of 10!!!! this is the kind of info' which keeps me coming back for all of these years.

reply to eburger68
Nice info Thanks;)

reply to eburger68
I'm not the only one who interpreted the PC World story as meaning that the Windows Media files in question actually contained spyware code.

Techdirt wrote:

Overpeer, a subsidiary of Loudeye, has been caught hiding adware and spyware within Windows Media files. [emphasis in original]

According to PCWorld and TechDirt, Windows DRM contains a flaw that allows for attakcers [sic] to create music files that contain trojans that attack your computer when you play them. [emphasis added]

reply to eburger68
Thanks for the detailed analysis. Scary stuff.

Hopefully, the new California Spyware law can slow them a bit.

said by suzi:

---

I ended up with 11 desktop shortcuts for everything from "Get This Weeks Deals from Dell" to ...

---

reply to edbott
Ed:

You wrote:

>> In retrospect, it all looks like a high-tech game of "telephone."

reply to eburger68
Maybe you all have seen something similar from WMP. I posted the following to grc.spyware on 12/4/2004 and repost for the purposes of reiteration and experience sharing. And as one who has noticed some strange activity from WMP even when playing files I created with my own video camera I wanted to see who else experienced this. This is getting so that even one with fifteen years in the “industry” can’t tell what the hell is going on. I sometimes want to move to an isolated island with only Margarita serving me Margaritas!

#[include]
What is Microsoft Windows Media Player (v.10) doing pinging all
of these sites every time I open a local video file? All I did
was open a local file and then I noticed that the Firewall log
would burst with the lines seen below.

Why is WMP pinging these sites every time I open a local video
file (even if it is one I shot myself not that it matters)?

What exactly is being transmitted and received?

Why is the details of this not in the help files?

Behavior seems the same every time: I open the .WMV or .AVI
file which auto launches Microsoft Windows Media Player.

I could not make out what was in the data traffic I reviewed in the capture file from the packet sniffer (netmon)

I am not a spring-chicken here either. I’ve been a computer
tech and network admin for many years, and I remember when there
was just UUCP. I also currently perform basic network and system
security at my day job, so my curiosity is doubled. I saw this on
my home system can only fret what is going on in the corporate
network.

Enquiring minds just want to know.

Firewall Log Sample for the few seconds in which I started one local .WMV or .AVI file....

2004/12/04 20:46:02 TCP from 192.168.1.10:2321 to www.go.microsoft.akadns.net (207.46.248.122):80
2004/12/04 20:46:02 TCP from 192.168.1.10:2322 to entimg-origin.msn.com (207.68.181.118):80
2004/12/04 20:46:02 TCP from 192.168.1.10:2324 to locator.metadata.windowsmedia.com.akadns.net(207.46.196.121):80
2004/12/04 20:46:02 TCP from 192.168.1.10:2325 to www.go.microsoft.akadns.net (207.46.248.122):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2326 to sms.napster.com (63.241.55.113):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2327 to cinemanow.com (147.208.188.228):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2328 to 63.236.14.35 (63.236.14.35):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2329 to downloads.walmart.com (161.170.254.27):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2330 to www.xmradio.com (216.251.231.128):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2331 to courttv.com (209.73.26.183):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2332 to 209.133.113.22 (209.133.113.22):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2333 to moontax.vo.llnwd.net (69.28.159.7):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2334 to 63.240.84.86 (63.240.84.86):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2335 to a1321.cb.akamai.net (66.93.87.72):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2336 to music.msn.com (207.68.180.245):80
2004/12/04 20:46:03 TCP from 192.168.1.10:2337 to downloads.walmart.com (161.170.254.27):80

Those are the online stores available with WMP 10, music and video and radio. If you choose View, Online Stores you will see virtually all of the companies on that list.