New trojan infects audio files and spreads if they're shared, Worm.Win32.GetCodec.a / TROJ_MEDPINCH.A / Trojan.ASF.Hijacker.gen
[JAZ]
post Jul 18 2008, 19:06
Post #26





Group: Members
Posts: 1559
Joined: 24-June 02
From: Catalunya(Spain)
Member No.: 2383



QUOTE (Lyx @ Jul 18 2008, 18:19) *
Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could easily affect most portable players in a few years? (since everything is evolving into small computers). Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

QUOTE (Axon @ Jul 18 2008, 19:08) *
If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.


"slightly"? For one, this attack could *at most* affect a single user account (and his data). On Windows, it usually guarantees that the whole PC is infected.

Also, disabling MS's codec autodownload wouldn't help a bit for this virus, since it doesn't really download a codec (precisely because codecs are downloaded from Microsoft!), but instead runs a script (which is executed by Media Player, which indeed can be disabled in configuration, and actually something I've always done), which does the download and installs it.


About those who ask what this has to do with Hydrogenaudio: well...

A) It's about audio files (i.e. one gets a media file, goes to play it with the standard OS media player and hi-ho, it has a trojan).
B) It not only installs itself on the computer, but also modifies all other media files on that computer with the trojan, transcoding them if necessary to .wma so that the script can be installed, effectively spreading itself.
C) A consequence of C: all the user's audio files get damaged for life. No way to go back (except if they were .wma to begin with, but that's another story).
D) Several P2P download programs include their own player (which in turn is just Media Player). This makes it an incredibly ideal target for easy contamination and spreading.

E) Even if you're safe, you don't download things from untrusted sites, and keep control over every aspect of your computer... thousands of zombie PCs may be spamming you e-mails due to this trojan (or worse).

Definitely, I find an audio-related forum a pretty good place to talk about this, so that the info is spread.

[Edit:typos]

This post has been edited by [JAZ]: Jul 18 2008, 19:14
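
The mechanism described in the post above, a script carried inside the media file and run by the player, can be checked for before a file is opened. This is an added example, not part of the original thread: it lists the script commands stored in an ASF (.wma/.wmv/.asf) header and flags those that open a URL. The GUIDs, object layout and the `URL`/`URLANDEXIT` type names are taken from Microsoft's ASF and Windows Media Player documentation, not from the thread; the function names and the sample file are constructed for the illustration.

```python
import struct
import uuid

# On-disk (little-endian) GUIDs as given in Microsoft's ASF specification.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
URL_TYPES = {"URL", "URLANDEXIT"}  # command types that make the player open a URL

def _wstr(buf, pos):
    """Read a WORD character count followed by that many UTF-16LE characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    end = pos + 2 + 2 * count
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 2:end].decode("utf-16-le", "replace").rstrip("\x00"), end

def parse_script_object(body):
    """Parse a Script Command Object payload into (time_ms, type, text) tuples."""
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)  # skip reserved GUID
    pos, types, cmds = 20, [], []
    for _ in range(n_types):
        name, pos = _wstr(body, pos)
        types.append(name)
    for _ in range(n_cmds):
        time_ms, idx = struct.unpack_from("<IH", body, pos)
        text, pos = _wstr(body, pos + 6)
        cmds.append((time_ms, types[idx] if idx < len(types) else "?", text))
    return cmds

def script_commands(data):
    """Return every script command found in the header of an ASF byte string."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return []  # not an ASF container
    (hdr_size,) = struct.unpack_from("<Q", data, 16)
    end, pos, found = min(hdr_size, len(data)), 30, []
    while pos + 24 <= end:
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break  # malformed object size: stop instead of looping forever
        if guid == ASF_SCRIPT_COMMAND:
            try:
                found += parse_script_object(data[pos + 24:pos + size])
            except (struct.error, ValueError):
                found.append((0, "?", "<malformed script object>"))
        pos += size
    return found

def suspicious(data):
    """Script commands whose type makes the player navigate to a URL."""
    return [c for c in script_commands(data) if c[1].upper() in URL_TYPES]

def build_sample(commands):
    """Constructed test input: a minimal ASF header holding one script object."""
    types = sorted({t for _, t, _ in commands})
    w = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = bytes(16) + struct.pack("<HH", len(commands), len(types))
    body += b"".join(w(t) for t in types)
    for ms, t, text in commands:
        body += struct.pack("<IH", ms, types.index(t)) + w(text)
    obj = ASF_SCRIPT_COMMAND + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj

# Constructed sample, not taken from any real infected file.
SAMPLE = build_sample([(0, "TEXT", "lyrics line"),
                       (1000, "URLANDEXIT", "http://codec.example.invalid/get")])
```

Running `suspicious(open(path, "rb").read())` over a music folder gives a quick list of files that would send the player to a web address during playback.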
Lyx
post Jul 18 2008, 19:22
Post #27





Group: Members
Posts: 3353
Joined: 6-July 03
From: Sachsen (DE)
Member No.: 7609



QUOTE ([JAZ] @ Jul 18 2008, 20:06) *
QUOTE (Lyx @ Jul 18 2008, 18:19) *

Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could easily affect most portable players in a few years? (since everything is evolving into small computers). Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

Yes, I am aware of this, but do not think that something insane becomes sane, just because it is widespread.... more like the opposite.

P.S.: To get an idea how important the mindset, experience and understanding of "trust" is:

1. I have no resident virus protection. Though, web downloads get scanned on-demand by my virus scanner - but it never finds anything.
2. I have no resident spyware protection. I just run Spybot and co about one time per month - but it never finds anything.
3. I have no firewall.
4. I do not use automatic updates. I instead patch every 3-6 months and do a system backup before.

Yet, my PC hasn't been infected a single time for over 5 YEARS! How is this possible, since I completely ignore all the safety measures, which according to those magazines are so important? Well, overall, I just do three things:

1. I avoid non-trustworthy and bloated apps.
2. Whenever a download is offered to me, I check if it's trustworthy - very often, this can even be determined just by its presentation and "attitude".
3. I disabled all Windows components and services which I do not need, and practically gagged IE in addition to not using it. What isn't there, cannot have exploits.

This post has been edited by Lyx: Jul 18 2008, 19:42
drbeachboy
post Jul 18 2008, 19:42
Post #28





Group: Members
Posts: 496
Joined: 22-October 04
From: Southern NJ
Member No.: 17776



QUOTE (Lyx @ Jul 18 2008, 14:22) *
QUOTE ([JAZ] @ Jul 18 2008, 20:06) *
QUOTE (Lyx @ Jul 18 2008, 18:19) *

Computers are not for everyone, because they are powerful and networked.... without the required responsibility, you get a market of slaves-by-choice...


Do you realize that a computer is no longer "a box with a screen and a keyboard that runs applications"? Do you see how this could easily affect most portable players in a few years? (since everything is evolving into small computers). Computers may not be for everyone due to the extensive things that they can do, but undoubtedly, computers will be everywhere if they aren't there already.

Yes, I am aware of this, but do not think that something insane becomes sane, just because it is widespread.... more like the opposite.

In the beginning Bill Gates wanted computers in the hands of every human being and that has damn near come to fruition. Computer users are not elitist anymore. OS's have become so automatic that you don't even have to think anymore; just click and run. People are conditioned to this way of using computers. Innovation and ease of use have made these types of trojans or worms all the more dangerous.


--------------------
Surf's Up!
"Columnated Ruins Domino"
Axon
post Jul 18 2008, 19:42
Post #29





Group: Members (Donating)
Posts: 1983
Joined: 4-January 04
From: Austin, TX
Member No.: 10933



QUOTE ([JAZ] @ Jul 18 2008, 13:06) *
"slightly"? For one, this attack could *at most* affect a single user account (and his data). On Windows, it usually guarantees that the whole PC is infected.

I disagree. On a single-user Linux/MacOSX system, normal users are still going to need to jump to superuser on a regular basis for all kinds of reasons. The enterprising malware creator should have no problem breaking out of luser jail if said luser has sudo access or a root password. Also "merely" getting user access still allows the use of the computer for zombie applications, and possibly even keystroke logging too. Long story short, any security violation of userspace, whether in a restricted security environment or root, is pretty catastrophic.

QUOTE
Also, disabling MS's codec autodownload wouldn't help a bit for this virus, since it doesn't really download a codec (precisely because codecs are downloaded from Microsoft!), but instead runs a script (which is executed by Media Player, which indeed can be disabled in configuration, and actually something I've always done), which does the download and installs it.

Oh? OK, I wasn't aware of that. I just figured it was a codec download prompt.
dissociative
post Jul 18 2008, 20:02
Post #30





Group: Members
Posts: 30
Joined: 5-January 07
Member No.: 39316



Just one more reason not to use MP3. If you are smart enough, Windows Media speaks for itself; well, shame that there's no Windows XP N edition in America lol!
It seems there's no way to completely remove Windows Media Player from Windows XP by normal means.

This post has been edited by dissociative: Jul 18 2008, 20:09
Canar
post Jul 18 2008, 20:03
Post #31





Group: Super Moderator
Posts: 3267
Joined: 26-July 02
From: princegeorge.ca
Member No.: 2796



QUOTE (dissociative @ Jul 18 2008, 12:02) *
Just one more reason not to use MP3.


Musepack forever! ;)


--------------------
(atrix|(fb2k->e-mu 0404 usb|audio 8 dj))->hd280|jvc ha-fx35-b
Axon
post Jul 18 2008, 20:07
Post #32





Group: Members (Donating)
Posts: 1983
Joined: 4-January 04
From: Austin, TX
Member No.: 10933



Isn't this worth posting on the front page?
j7n
post Jul 18 2008, 22:52
Post #33





Group: Members
Posts: 809
Joined: 26-April 04
Member No.: 13720



QUOTE (dissociative @ Jul 18 2008, 22:02) *
It seems there's no way to completely remove Windows Media Player from Windows XP by normal means.

It depends on what you see as "normal". Try nLite. Nobody can create an N edition for every removed feature. A lite system can be made much faster and more secure, as M$ itself admitted by creating the NT6 "server core" edition.

QUOTE
To get an idea how important the mindset, experience and understanding of "trust" is:

My situation exactly!

QUOTE
As an example, I would say one of the biggest new uses of PC in the UK recently is the BBC iPlayer. Its success is phenomenal, and threatens to bring ISPs to their knees - try using the high quality version without WMP!

I am very sorry to hear that. It effectively makes the possible high quality of the BBC streaming completely irrelevant, as you can't get to it. Seriously, tying oneself to the Media Player is comparable to DRM. What's the matter with people today, when a simple file download can't be accomplished without bothering you to install this or that toolbar?

QUOTE
Mind you, that nice codec download functionality in WMP (from at least 6.4 onwards) is very useful for "normal" users. It's how my Mum-in-law managed to watch the first videos of our son on the same day he was born.

Does it install good codecs? Ffdshow, Haali Media Splitter, etc? I doubt it. It is unfortunate that today in order to ensure "interoperability" one has to use Windows Media.

This post has been edited by j7n: Jul 18 2008, 23:15
Lyx
post Jul 18 2008, 23:26
Post #34





Group: Members
Posts: 3353
Joined: 6-July 03
From: Sachsen (DE)
Member No.: 7609



Why even have all those codecs? There are so many container formats, container subformats, video codecs, audio codecs, transport protocols..... if it were drinkable, it would be a barkeeper's dream. How did all those weird formats become popular? By exactly those users who want to use something without understanding it.... determined to get what they are commanded to get, without even the option of saying "no, thanks.". This codec-hell was only able to establish itself by people being "uncritical consumers". Same for various other developments..... so what's the problem if their laziness now bites them in the ass? I don't see any - it feels entirely justified and fair. The only thing which bothers me is that those developments in some circumstances also hurt responsible users (i.e. Outlook worms spamming my inbox) and that it makes the "market" much more difficult to search efficiently (you have to filter out truckloads of crap offers, just to get to the efficient stuff).
/mnt
post Jul 19 2008, 00:35
Post #35





Group: Members
Posts: 690
Joined: 22-April 06
Member No.: 29877



Looks like we will be better off using AAC or Vorbis :lol:

And christ does Microsoft have a lot of proprietary codecs and container formats (AVI + ASF). Their container formats are so infamous for containing malicious code that Linux with GNOME would even sometimes warn you before opening one up with a media player, such as Totem or MPlayer.

This post has been edited by /mnt: Jul 19 2008, 00:36


--------------------
"I never thought I'd see this much candy in one mission!"
Gabriel
post Jul 19 2008, 08:18
Post #36


LAME developer


Group: Developer
Posts: 2950
Joined: 1-October 01
From: Nanterre, France
Member No.: 138



QUOTE (Axon @ Jul 18 2008, 19:08) *
This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.

I am sorry, but I think this is really related to user permissions. A limited user cannot install any codec on a Windows box, the process just fails and the shell (explorer) tells the user that he doesn't have enough privileges to do this.
If the thing is a script exploit, then only the user account could be infected, and not the whole computer.
So to me this is really related to user permissions, and the way the operating system is set up by default. It seems that OSX got it right, but Microsoft home/desktop OSes have it wrong by default until Vista (in which it seems that Microsoft is trying to move to a more correct default setup regarding basic security).
Lyx
post Jul 19 2008, 11:02
Post #37





Group: Members
Posts: 3353
Joined: 6-July 03
From: Sachsen (DE)
Member No.: 7609



QUOTE (Gabriel @ Jul 19 2008, 09:18) *
It seems that OSX got it right, but Microsoft home/desktop OSes have it wrong by default until Vista (in which it seems that Microsoft is trying to move to a more correct default setup regarding basic security).

Unfortunately, the way MS implemented that pisses off anyone who does not like Windows to manage one's software and who does not like "user-profiles". In other words, anyone who wants to stay in control over his harddrive, instead of MS taking over almost the entire PC, except for one little profile folder in which you still have a voice. Don't understand me wrong, I realize that it is dangerous to have the entire system accessible all the time. But I'd rather solve that with access rights, instead of that UAC-crap.
valnar
post Jul 19 2008, 14:39
Post #38





Group: Members
Posts: 100
Joined: 31-December 02
Member No.: 4330



QUOTE (JunkieXL @ Jul 17 2008, 13:55) *
I can only see this affecting people that are very computer illiterate or just plain stupid.

QUOTE
I research it and get the codec bundles


Uh, okay. ;)
Kitsuned
post Jul 19 2008, 16:09
Post #39





Group: Members
Posts: 103
Joined: 18-July 08
From: New York
Member No.: 55969



I scanned and updated my sister's computer and Kaspersky had caught this trojan when she tried to grab infected files. She uses WMP. I'm not sure she even knew it happened.


--------------------
foobar 0.9.6.8
FLAC -5
LAME 3.98 -V3
JeffStickney
post Jul 19 2008, 19:19
Post #40





Group: Members
Posts: 16
Joined: 26-June 07
Member No.: 44766



By default WMP automatically installs codecs. Under tools-options, pick the "player" tab and clear the checkbox that says "download codecs automatically".
Axon
post Jul 19 2008, 19:28
Post #41





Group: Members (Donating)
Posts: 1983
Joined: 4-January 04
From: Austin, TX
Member No.: 10933



QUOTE (Gabriel @ Jul 19 2008, 02:18) *
QUOTE (Axon @ Jul 18 2008, 19:08) *

This has nothing to do with user permissions or even the OS. The fundamental issue is that the user is compelled to download something from an unreputable source, and the installation process is made absolutely trivial. If WMP were ported to Linux and run by non-root the exact same issues would pop up, except that perhaps gaining root access becomes slightly harder for the malware.

Disabling MS's codec autodownload is the obvious and straightforward solution, and/or making all codec downloads occur from a centralized location.

I am sorry, but I think this is really related to user permissions. A limited user cannot install any codec on a Windows box, the process just fails and the shell (explorer) tells the user that he doesn't have enough privileges to do this.

At which point the user will type in the admin password and nothing of substance will have been secured.

QUOTE
If the thing is a script exploit, then only the user account could be infected, and not the whole computer.

At which point the installed malware will happily take credit card numbers at its leisure and employ any number of man-in-the-middle attacks to obtain the Admin password, and nothing of substance will have been secured.

You're not getting it. Reducing user permissions on a single-user system solves nothing. It's meaningless. It may keep badly written malware out, but it is of no benefit to the state of the art that exists today or in the future.
slks
post Jul 19 2008, 20:37
Post #42





Group: Members
Posts: 349
Joined: 31-March 06
From: Houston, Texas
Member No.: 29046



I don't think this is new, I remember reading about it a couple of years ago. Maybe the transcoding MP3s to WMA part is new. But whatever the case, I don't have to worry since I don't use Windows Media Player.


--------------------
http://www.last.fm/user/sls/
Mr_Rabid_Teddybe...
post Jul 19 2008, 23:46
Post #43





Group: Members
Posts: 1193
Joined: 3-September 03
From: Bergen, Norway
Member No.: 8667



Oh how much simpler my life has become since I switched to Linux. Will never look back... :D Tra-la-la-la-la... I sing every day...!



(Maybe a cheap shot, just couldn't resist... Have a nice day all!)


--------------------
"ONLY THOSE WHO ATTEMPT THE IMPOSSIBLE WILL ACHIEVE THE ABSURD"
- Oceania Association of Autonomous Astronauts
JeffStickney
post Jul 20 2008, 00:32
Post #44





Group: Members
Posts: 16
Joined: 26-June 07
Member No.: 44766



QUOTE (slks @ Jul 19 2008, 15:37) *
I don't think this is new, I remember reading about it a couple of years ago. Maybe the transcoding MP3s to WMA part is new. But whatever the case, I don't have to worry since I don't use Windows Media Player.


Even if you don't use it DIRECTLY, many programs will automatically call WMP to open certain files. I just checked my browser (firefox) settings and saw that it is set to open MP3 files with windows media player. That coupled with the default setting to automatically download codecs and all you have to do is visit one page with an infected sound embedded. I hope I'm wrong, but I feel most of us are not quite as safe as we think.
Lyx
post Jul 20 2008, 00:40
Post #45





Group: Members
Posts: 3353
Joined: 6-July 03
From: Sachsen (DE)
Member No.: 7609



This only affects the "modern" version of WMP.... not that other old one (v6 I think), right? Else I maybe should go dirty and just rename it or something.

This post has been edited by Lyx: Jul 20 2008, 00:41
Go to the top of the page
+Quote Post
j7n
post Jul 20 2008, 01:00
Post #46





Group: Members
Posts: 809
Joined: 26-April 04
Member No.: 13720



The old mplayer2.exe (version 6.4) is also trying to download codecs all the time. But due to my security settings it never succeeds. The program is actually very stupid. It never finds any codec for OGG, and also comes up every time if 24-bit, 32-bit and float files are unplayable. Every sane program would present me an error box instead of accessing the Internet.
Lyx
post Jul 20 2008, 01:04
Post #47





Group: Members
Posts: 3353
Joined: 6-July 03
From: Sachsen (DE)
Member No.: 7609



Renamed. Thanks for the info!
j7n
post Jul 20 2008, 01:49
Post #48





Group: Members
Posts: 809
Joined: 26-April 04
Member No.: 13720



But mplayer2 is just a small program loading msdxm.ocx. Renaming or deleting this program does not remove Windows Media Player from the system.
Lyx
post Jul 20 2008, 11:04
Post #49





Group: Members
Posts: 3353
Joined: 6-July 03
From: Sachsen (DE)
Member No.: 7609



I know. I just want to break the chain, since I assume that stuff like browsers will call mplayer2.exe. I am currently not concerned about apps embedding mplayer, because of my system setup.
noorotic
post Jul 20 2008, 11:38
Post #50





Group: Members
Posts: 40
Joined: 22-January 07
From: usa
Member No.: 39911



Ok, as someone who was using shorten before FLAC existed, or at the very least was a viable codec, and as someone who enjoys very much following the progress of HA, I ask, why ignore a very real question? Perhaps because the questioner does not have a comment on every topic raised, each time it is raised?

I truly enjoy HA immensely, but primarily as a reader. I do worry, perhaps too much, due to having spent perhaps too much time and effort (and love) collecting music which is largely unavailable, or was at the time I collected it, to the masses. I find codecs and the social need for a 'personal favorite' very interesting, and metadata fascinating, the embedding of data within data.

Most others here download their collection, I see it in nearly every thread. I am connected at 24k due to living in a very rural area, where DSL will be arriving Wednesday! But, I have met countless others in so many places, and made so many friends, doing it this way.

I bow to the more experienced, the more deserving, the more involved. I was happy to see the report of the forums gaining some visibility, but so many will come with the questions for which no one here seems to have the answers. It seems to be very philosophically interesting though.

Bob