Hundreds of thousands of examples of a new Trojan that poses as a media file have flooded onto P2P networks. Since Friday 2 May more than half a million instances of the Trojan have been detected on consumer PCs, according to net security firm McAfee. The anti-virus firm reports the spread of the Downloader-UA.h Trojan as the …
How does it work?
I haven't seen anyone mention how the redirect to download PLAY_MP3.exe is performed. The post you link to as well as the mcafee write up doesn't explain the mechanics. Anyone have any clues?
dear, oh dear, oh dear!
Are the poor little 'Freetards' having a bad day?
Hard to resist a little snigger.
So I won't!
Hyuk hyuk hyuk hyuk hyuk hyuk hyuk!
Maybe it was planted by one of the music companies? Who knows?
So just check where the cash is going and arrest them. I think it cannot be easier...
Or just let it be. If somebody's stupid enough to install that crap - let them watch adverts as punishment. As long of course it doesn't download any more crap onto infected box. That would be a good punishment for all stupid people. Also nice money earner for all Win support people ;)
Listen to me AV makers!!!
It was only a matter of time
Actually, I expected this attack to come from the studios themselves. Not in the form of a virus, but in the form of tagged or watermarked files that would instantly identify themselves as stolen on a simple scan.
Keep in mind, when you're stealing files through these services, you have NO IDEA what you're getting. I used a service many many years ago to download MP3s of files I had CDs for, but that were too scratched up to rip properly. I dowloaded a few hundred files, and in the end deleted nearly all of them. Many were cracked files that beeped loudly in the middle, many were live cuts of poor quality, some even the wrong songs, others had lead-in and lead-out issues. It was a MESS!
I invested in a CD refinishing system, cleaned all my disks, and ripped them.
I have NO illegal files on my machine. I do rip music from some digital music stations for songs I don't justify paying for, but that's not (currently) illegal. I have over 12,000 songs according to itunes, and every one was legally purchased on physical media and ripped, paid for online, or streamed from a free music source.
To all you kiddies out there that por through torrents to get all the free stuff you can, first of all sooner or later you're going to get nailed by a virus like this or worse, second, you'll ned up starting all over from scratch regularly since likely you have no backup for your hundreds of GBs of data...
The eternal /. question - does it run Linux?
Correct me if I'm wrong but..
are you not prompted by windows that play_mp3.exe is attempting to execute and given the option to cancel it? If you're stupid enough to think "Ooh yes - I'll run this unrequested software to play a file that I've just downloaded from an unknown source" then no amount of security/anti virus solutions will ever save you.
I thought Phorm Inc had been a tad quiet :D
@ Michael C
Actually I think you're wrong there. although you haven't exactly stolen the music, you didn't buy it in its digital format, you purchased the right to listen to it in cd format. I believe you're allowed to burn a copy on another cd, but the whole crux across mp3 players is the fact that the original rights (And current if I'm not mistaken) do not allow you to convert the format with which you originally purchased your music (in your case, cd). see http://www.telegraph.co.uk/news/uknews/1532681/Why-you-are-breaking-the-law-every-time-you-copy-a-CD-to-your-iPod.html
of course they won't prosecute you for doing that, but it remains that alas you cannot state you have no illegal files on your machine, since if you purchased the cd's and not a digital copy, all your music is still by law illegal.....
or maybe i got the wrong end of the stick. Of course you're still above freetards, or you have way too much money from their point of view, either is arguable. I buy a lot of music, but it comes down to I like hearing music before I pay money for it, since i don't want to buy something that sounds rubbish. If I like it, I pay for it. If I don't, I bin it. Only do this for a couple of albums a year but since there's no way to hear a full album through and through without paying for it I guess I have a problem.
The extension is .exe
Whoever thinks it's an .mp3 deserves all the spam they get.
Half an article?
How can an MP3 file redirect the user to download an EXE? An MP3 file is just a bundle of data, and the OS will start a separate program to play the file when it is launched. This stuff isn't rocket science. Are we talking about a Windows Media Player vulnerability? Or a misleadingly labeled file, which users are too lazy to check?
The McAfee blog post neglects to make any explanation, and thus makes the company seem rather clueless. Parroting their nonsense verbatim, without even questioning their competence, makes the Reg seem like just another news outlet without a clue about tech. Come on guys, surely you can do better than this!
>> I do rip music from some digital music stations for songs I don't justify paying for,
>> but that's not (currently) illegal
If it is done without copyright holder's permission then it is illegal in UK
@ Ben Shurey
Near the end of the linked article (after the list of file names) it says:
"If users agree to download and run PLAY_MP3.exe "
If that is really how it works, then it is hardly a new vulnerability - and the users would have to be *really* stupid - so that growth that rapid would seem unlikely.
So I would guess it's something else. But as you say it's not explained.
is this about files that are named
Re: it was only a matter of time
Michael is right, if you use Limewire or e-Donkey who knows what you'll get.
That's why everyone should download via registration-only bittorrent sites or newsgroups, where bogus files will be quickly flagged and deleted!
"I invested in a CD refinishing system, cleaned all my disks, and ripped them"
What cd polisher did you use? never seen/used any that are of any use.
How it works
Good question, Ben Shurey. It turns out that this is the usual case of misreporting. The downloaded media files in question are not actually MP3 or MPEG files, they are actually disguised Windows Media files containing a script, and they have to be played by our old insecure friend Windows Media Player in order to be activated. They they prompt the user to download the application PLAY_MP3.EXE, which they will do only if they are an idiot.
Sounds like you should have found a better source for your MP3s. "I found this newspaper in the street and its total crap, I can hardly read it! I'm not going to get another newspaper again!" seems to me :)
Most of the "kiddies" I know use a strict off site backup procedure (giving files to friends) :)
I don't think that "user stupidity" constitutes as a new vulnerability.
And @ Andrew: I guess you're right. This .exe can be added to the list of things that don't run on Linux.
I guess you must not live in the US or Canada as taping music off any radio station is a violation of the law, as is recording tv shows, movies, or games onto a set-top dvd-recorder or vcr.
If someone downloads music, movies or whatever software they want then get hit with a virus fair enough, but don't get on your high horst talking about how holier than though you are when you admit to copying songs off digital radio.
Linux is still the best.
> download the application PLAY_MP3.EXE, which they will do
> only if they are an idiot.
And your point is? There is, after all no shortage of those, otherwise I wouldn't be getting all this spam in my inbox advertising things that would only be bought from such people by an i.....
Michael C....The Perfect Person
Well Michael C aren't you the perfect person?
You now have no illegal files on your PC but think you have the right to preach to others about tihngs you illegally did a "While" ago.
Why don't you crawl away and preach to others who give a phuck about your little sermons. Why do you think anyone is interested in what you have/don't have on your PC?
If I was the RIAA I would track you down and sue the be-jesus outta you.
I have downloaded hunderds of tracks on P2P and have never had the problems you mention. Maybe you are better suited to playing Solitaire rather than attempting big boys stuff as you clearly are inadequate.
Sad Windows Users
Let's face it, if it was called ClickOnMeAndGetAVirus.mp3.exe they would still click on it.
Ways need to be found to prevent the clueless gullibles from having to deal with this kind of stuff. Seriously. We don't put our grannies in lions cages, do we?
I use Apple Macs (as I can't be arsed with all this security jive) and tell all the clueless gullibles I come into contact with to do the same but often they are guided by other clueless gullibles and end up as members of the BotNet army, or worse.
There should be clear guidelines for this. If you have no technical interest or capability, don't keep up with the latest in Windows security news, can't be bothered to keep updating and scanning and paying subscriptions and yet are gullible and curious about porn, gossip, celebs, music, etc. then do NOT buy a Windows PC. The same is especially true for all the poor clueless gullibles that are running ripped-off Windows and so don't even have access to the Windows Updates.
Unfortunately it seems that the do NOT is usually a DO...
Shouldn't there be a government warning on Windows boxes?
WARNING! USE OF THIS SOFTWARE WILL LEAVE YOU VULNERABLE TO INTERNET CRIMINALS AND DODGY FIRMS. USE AT YOUR OWN RISK.
In most modern nations it is considered to be part of the role of the state to ensure that a minimum level of health is maintained in the general population. This is not just a human right, but also ensures that the workforce is fit for their jobs and minimises the wider social burden of ill health. At the moment, computer health and safety is in the same position as human health and safety two hundred years ago. It's the role of the individual to take care of themselves. However, with electronic fraud on the increase, and with costly attacks on websites etc, I wonder if a case can be made that the provision of PC healthcare should be partially the responsibility of the state.
The issue of P2P is similar to that of STDs or hard drugs. As P2P becomes increasingly criminalised, the ability of the AV companies to deal with viruses that originate on P2P networks will be reduced, and the harm done by the nasties will increase. As businesses find their networks devestated and data security compromised by new viruses brought in from home by users on their mp3 players or downloaded through the Tor system, the social burden of P2P prohibition will balloon. It may even reach the point where the cost to society of free downloads through an open and legal P2P network is LESS than the cost to society of a smaller but much more widely trojan and virus ridden underground P2P network.
In the long term, the more we become dependent on personal computing as a society, the more important proper home PC healthcare is. Just as in real life, we have to weigh up the good health and security of the global IT infrastructue with the costs this will entail and the immorality some people may feel liberalisation encourages. There are many examples of industry-harming and/or unpopular social changes that were brought either directly or indirectly for H&S reasons; eg, child labour laws, Unionisation, the compensation culture, seatbelts, public smoking bans, free condoms from the NHS, etc etc. Will the IT world follow suit?
@ Michael C
Try not to break your arm when you fall a great distance off your horse ;-)
The comparison of the benefits of saving music from streams as opposed to torrents etc is ridiculous and unfounded.
You get those streamed songs for free. The artist doesn't benefit, the wider sharing community don't benefit - if anything you're wasting valuable bandwidth!
As a mad torrent seeder and leecher, I think it's worth noting I buy 5 times the number of DVDs, CDs and vinyls than any of my non-sharing friends would purchase. Seagate also profit greatly from my purchase of NAS stations and external backup systems!
What a daft argument - sharing is caring - vast difference between pirates and sharers!
Mine's the one with built-in earphones and mp3 flash drives...
"To all you kiddies out there that por through torrents to get all the free stuff you can, first of all sooner or later you're going to get nailed by a virus like this or worse, second, you'll ned up starting all over from scratch regularly since likely you have no backup for your hundreds of GBs of data..."
Point 1: Loads of rubbish - easy to avoid the crap if you have half a clue
Point 2: Rubbish. HDDs can be easily backed up, as many times as wanted, and have as good as/better shelflife than physical CDs.
However I am so glad you're perfect.
All references to this virus seem to end up back at McAfee and their description of the virus outbreak leaves something to be desired.
They say once you attempt to load one of the dodgy mp3 files you are 'directed to download' a bit of malware.
Is this exploiting an OS or application flaw to execute code from the mp3 file and show a popup or something?, is it just a case of filenames with executeable suffixes hidden by Windoze (FFS who at M$ came up with that idea?) or is it simply a voice on the mp3 saying "please download our malware dumbass"?
@dervheid and Michael C
Your mothers must be really proud! You good 'law-BITING' citizens you!
The AV companies are funding virus writers so that they can continue to justify their outragious fees.
Paris, 'cos she's the role model for integrity in the US.
Acording to Nick Pettefar, if you are a clueless idiot, you belong on a Mac. Hum... Dear Nick, you just make my day!
so its an mp3 that uses a vulnerability in WMP to run a script instead of play music and the script fetches PLAY_MP3.EXE?
Security for idiots.
An exe file is not an mp3. Even the jaded hacks at El Reg should agree with that. It's like claiming a file titled "Free Porn.txt" has pictures in it. Only my grandmother might fall for that. Actually, no, she wouldn't fall for it. Mcafee is carefully positioning itself as the security tool for idiots. I wonder what they'd do if a real virus came along. Probably wet their nickers.
@ Michael C
Well done mate! thats apprx 10k you spent on music, bet you've got a certificate from Simon Cowell to go with with your smuggy hue.
Your reading skills leave something to be desired, dear Anonymous Coward.
Fair rights use
"I guess you must not live in the US or Canada as taping music off any radio station is a violation of the law"
Um... as far as I remember, it isn't. VCR taping and radio taping is perfectly covered by fair-use rights law, which was fought back in the 80's when VCRs became popular.
Trouble is when you try to rip CD to mp3, or copy your legally-owned DVD. Thats where DMCA steps in.
@the dark lord
that's what Crossover Office is useful for:
Linux: Even compatible with Windows malware!
mine is the one with the kernel image...
To those who claim that duplication is the line at which the law comes into play... I thought it was actually *technically* illegal to play a radio in a work / public place, no?
And to Michael C:
"To all you kiddies out there"
Sounds like JPG / WMF all over again
"They are actually disguised Windows Media files containing a script."
Hm... this is a recurring theme in so-called data file exploits, isn't it? Started with Word templates posing as documents, continued as Windows Metafiles posing as JPEG images, and now Windows Media scripts posing as MP3s.
Need I go into how to prevent getting exploited before the fact again? No? Good.
Back when the WMF fiasco happened, a certain site I hang out on banned all images from their forum. I suppose next they'll ban all MP3 links. Go on, tell your webmaster to ban MP3 links... I have my laugh track (in MP3 format of course) standing by.
@Michael C and dervheid
The freetards are a sensitive bunch aren't they? Keep up the good work :-)
Since we are now talking legality..
It is not strictly lawful to read someone's newspaper over their shoulder. But you wouldn't expect the newspaper to take peeps to court to make them buy their own copy.
Really, since the issue lately has been copyright fair use, we should talk fairness. I think it's fair to make backups of any media I have bought. Wikipedia claim fair use of hundreds of thousands of images, and everyone keeps quiet. Just like a university would claim fair use over their banks of photocopiers next to the library.
You know, I should really be in charge.
"To those who claim that duplication is the line at which the law comes into play... I thought it was actually *technically* illegal to play a radio in a work / public place, no?"
Well, no. If you are using music in a retail establishment like a store, restaurant, or bar, you are required to pay a royalty and be licenced by the appropriate music licencing agencies. (ASCAP etc in the U.S.; SOCAN in Canada)
If you use someone's music without permission, and without paying the appropriate royalties, then yes, I guess you could call it "illegal", but then again it's also illegal to operate a business without a Business licence, to build your restaurant without a building permit, and to hire staff without paying minimum wage.
(Paris, who sheds a tear for musicians who go unpaid and unloved)
I read it the same way
With statements like "I use Apple Macs (as I can't be arsed with all this security jive) and tell all the clueless gullibles I come into contact with to do the same" and "If you have no technical interest or capability, don't keep up with the latest in Windows security news, can't be bothered to keep updating and scanning and paying subscriptions and yet are gullible and curious about porn, gossip, celebs, music, etc. then do NOT buy a Windows PC", how are we supposed to interpret your comment?
It really seems that you believe the Mac is the best computer for an idiot.
I don't think that was the intent of your comment, but it came off as such to at least me and A.C.
Just my $0.02
Re: How it works
AJames is pretty much correct.
It's a little known fact that WMV files can contain 3 types of data stream: audio, video, script. The script stream can contain captions and URLs. Scripting adds bookmarks to the media file at specified timecodes, and when the player "runs over" the bookmarks when the movie plays, it triggers the action.
The virus writer has probably created a WMV with a script stream containing a URL to the virus executable, which Media Player will happily offer to download and execute. IIRC Windows Media Player is also happy to play WMV files that have MP3 extensions, without reporting this anomaly to the user. Thanks, BillG!
I never thought that you would post Politicaly Correct stuff, but would just tell it like it is :)
Windows looks at the file and if it can not play it then looks at file info, if the file is fake and says that it needs a codec to play it then windows media player asks the user if downloading it is ok :(
Windows also hides the file extentions of cretain file types as its default setting, such as .exe and .scr :(
Paris because even blonds where a condom when needed
I imagine that loads of people don't even have the chance to see the virus at all, since Operating Systems are all to eager to hide file extensions for us. In some situations the dialog box might have just said something to the effect of "PLAY_MP3? Yes/No" That isn't helpful to anyone at all.
And I highly doubt that this trojan /just/ displays ads. Trojan writers realized a long time ago that it was fun to download 400 friends as soon as they have a foothold on a machine. That more or less renders a computer useless, and provided me with a nice stream of income to fix them for a few years.
But yeah if you pay just a tiny bit of attention when stealing your files, it isn't exactly hard to pull off. I personally do all of my downloading on my Slackware file server, then automatically scan completed downloads with ClamAV. That combined with a little common sense allows me to safely avoid wasting the resources to run a virus scanner on my last Windows computer.
And to whomever said hard drives couldn't be backed up... Magnetic storage is quite cheap, and they make these things called Redundant Arrays... If you're just worried about the quoted 'Hundreds of GB' then you really have no problems at all. I believe that my ~4.5 TB (after raid5 losses) is rather trustworthy. Probably more so than the equivalent stored on fragile and low-density optical media. I'd have to keep an entire room just to store the stuff, and then I wouldn't have a chance in hell of keeping it organized or finding things that I wanted.
Honestly even if I liked recent music and had money to buy CDs, getting out to a music store, dealing with their employees and other customers, and then ripping the CD is far too much of a pain in the ass. It takes me all of about 90 seconds to find and download a decently high quality mp3 version of an album, so anything else just isn't worth the effort.
And I don't know how new this is... I've seen wmv/wma files on sketchy P2P years ago that tried to open a link to download an executable when it finished playing. It might not have been a trojan, because I didn't check, but I highly doubt that it was something good. I figured that MS would have taken some steps to prevent abuse of that particular 'feature' by now.
Re: The extension is .exe
Extension? What extension? What do extensions have to do with computers??
"The issue of P2P is similar to that of STDs or hard drugs."
No it fucking isn't. Don't be stupid.
WMV can contain scripts?
I had no clue about that. Does not sound very wise, but then again...
I hate Microsoft when I learn such things...
In the early parts of the 20th century, America saw a decline in morals and blamed alcohol for it. Virtually overnight, the sale and consumption of alcohol was made illegal and the Government (and the Moral Minority) patted itself on the back and closed the books on alcohol. But making something non-legal does not abolish it - people started trading alcohol "under the table" and it wasn't long before dedicated distribution methods (the "speakeasy") popped up and catered to the demanding market. Eventually, the criminal element saw that a lot of money could be made through manipulating these "speakeasy"s and took them over, helping finance their other activities (such as gambling, etc). The Government, aghast at having offered such a playground to the criminal element, tried unsuccessfully to stop people from buying and drinking alcohol by making more laws and making the sentences harder. It didn't work. Eventually, pressured by both its inability to stem the tide of underground boozing and the backlash of the general public, the Government repealed the Prohibition Act. Unfortunately, it was too late - Organised Crime was here to stay in the "civilised" world.
Nice little history lesson, innit?
Tell you what - let's change a few words and see what we get:
In the later parts of the 20th century, MPAA/RIAA saw a decline in sales and blamed file-sharing for it. Virtually overnight, the creation and distribution of media files was made illegal and the Government (and the MPAA/RIAA) patted itself on the back and closed the books on file-sharing. But making something non-legal does not abolish it - people started trading media-files "under the table" and it wasn't long before dedicated distribution methods (P2P networks) popped up and catered to the demanding market. Eventually, the criminal element saw that a lot of money could be made through manipulating these P2P networks and took them over, helping finance their other activities (such as drugs, etc). The Government, aghast at having offered such a playground to the criminal element, tried unsuccessfully to stop people from creating and spreading media-files by making more laws and making the sentences harder. It didn't work. Eventually, pressured by both its inability to stem the tide of underground sharing and the backlash of the general public, the Government repealed the DRM Act. Unfortunately, it was too late - Organised Crime was here to stay in the "virtual" world.
Yeah, yeah, I know - there's no such thing as the DRM Act. Replace it with your local equivalent.
The point is: alcohol was made illegal and that didn't work. Eventually, a better set of *distribution and consumption* rules and methods were created and those worked much better thankyouverymuch. Unfortunately, by then it was too late to get the criminal element out of the equation.
It seems the same mistakes are now being made with regards to media-files - instead of working out a better "distribution and consumption" set of rules and methods, we have the MP3 version of the Prohibition. Care to take bets on how this one will run its course?
Maul the freetards! (Michael C and others)
Especially when you have no clue. Downloaded files unusable? Most of them are only good for preview purpose. Most of them end up in the bin. Right. But most "freetards" you seem to dislike so much use them as such, so what's your point? You're ripping radio casts. ILLEGAL. Plain, genuine, illegality. You see the bad sound quality as a proof that the filesharing crowd is stupid because it doesn't prevent you from buying the CD. You infringe copyright from other, better sources that allows you not to buy the CD. You're a freetard, Michael C. and the worst kind. Sorry to break your self-proudness an silly dreams.
Bad day for the freetards, some of you seem to think. I think more like "yet another warning about Micro$haft vulnerabilities". So it's actually a very, very good day for everyone, freetards and non-freetards, MS users or not -those with at least half a brain, that is.
- Analysis iPhone 6: The final straw for Android makers eaten alive by the data parasite?
- First Crack Man buys iPHONE 6 and DROPS IT to SMASH on PURPOSE
- First Fondle Reg journo battles Sydney iPHONE queue, FONDLES BIG 'UN
- TOR users become FBI's No.1 hacking target after legal power grab
- Analysis Why Oracle CEO Larry Ellison had to go ... Except he hasn't