New trojan infects audio files and spreads if they're shared, Worm.Win32.GetCodec.a / TROJ_MEDPINCH.A / Trojan.ASF.Hijacker.gen |
Post #101 (Jul 27 2008, 22:10)
Group: Members, Posts: 966, Joined: 7-July 06, Member No.: 32660
I would say that "good" is "easily and safely accessible by the masses" personally. Neither any flavour of Linux nor Windows can satisfy both criteria yet, IMHO.
Cheers, Slipstreem.
Post #102 (Jul 29 2008, 04:38)
Group: Members, Posts: 125, Joined: 15-July 06, From: Germany, Member No.: 32930
It's another plus point for archiving to optical media: the trojan could attack backed-up mp3 files on a spare HDD when it was connected to sync. One could mount HDDs as read-only, too …

To the topic: I always thought codecs would only be downloaded from Microsoft. Does the installation procedure for this trojan differ from regular codec installations? I wouldn't expect to see a confirmation window like the one displayed here: http://www.trustedsource.org/dynamic/blog_...MediaPlayer.png

--------------------
FLAC.
Post #103 (Jul 29 2008, 09:14)
Group: Members, Posts: 809, Joined: 26-April 04, Member No.: 13720
If the read only status depends only on software, one cannot be completely sure.
The problem with these confirmations is that when there are too many of them, the user no longer pays attention to what's asked there. Also, if the trojan horse was called "Windows critical security update.exe", some users could choose to execute it, because they trust Windows.
Post #104 (Jul 29 2008, 09:36)
A/V Moderator, Group: Moderator, Posts: 1666, Joined: 30-April 02, From: Slovenia, Member No.: 1922
I think it is about:
a. aha, apps are stealing extensions again, nothing unusual for Windows
b. extensions are (mostly) very important: they define the file type

--------------------
PANIC: CPU 1: Cache Error (unrecoverable - dcache data) Eframe = 0x90000000208cf3b8
NOTICE - cpu 0 didn't dump TLB, may be hung
Post #105 (Jul 29 2008, 17:07)
Group: Members, Posts: 452, Joined: 31-May 04, From: Czech Rep., Member No.: 14430
I think that explicit chmod +x would be too much for a normal Windows user. After all those years of double-clicking the .exe files, you could hardly persuade them that this is an improvement.
--------------------
HD 238 Sansa Clip+ Vorbis q6; HD 380 Xonar DX FB2k FLAC
Post #106 (Jul 29 2008, 18:36)
Group: Members, Posts: 2340, Joined: 28-August 02, Member No.: 3218
QUOTE
I think that explicit chmod +x would be too much for a normal Windows user. After all those years of double-clicking the .exe files, you could hardly persuade them that this is an improvement.

You want to express that Windows has a very wide user base and Linux does not play a role when it comes to audio? ACK.

Smok3: The extension stealing problem has been much worse in the past IMO. Today, applications generally behave friendlier, I think.

This post has been edited by Squeller: Jul 29 2008, 18:37
Post #107 (Jul 29 2008, 19:56)
Group: Members, Posts: 3353, Joined: 6-July 03, From: Sachsen (DE), Member No.: 7609
Technology does not solve human problems - it can only support an already existing human will to change oneself. In other words: Without users being willing to change their mindset, all your tools will be pointless and at worst, just hide problems.
Post #108 (Jul 29 2008, 20:40)
A/V Moderator, Group: Moderator, Posts: 1666, Joined: 30-April 02, From: Slovenia, Member No.: 1922
QUOTE
The extension stealing problem has been much worse in the past IMO. Today, applications generally behave friendlier I think.

I was simulating an 'average user' tinkering.

--------------------
PANIC: CPU 1: Cache Error (unrecoverable - dcache data) Eframe = 0x90000000208cf3b8
NOTICE - cpu 0 didn't dump TLB, may be hung
Post #109 (Aug 1 2008, 11:56)
Group: Members, Posts: 153, Joined: 6-April 02, Member No.: 1707
Post #110 (Aug 1 2008, 17:35)
Group: Members, Posts: 3353, Joined: 6-July 03, From: Sachsen (DE), Member No.: 7609
QUOTE
If the read only status depends only on software, one cannot be completely sure.

QUOTE
Even hardware-based write-protection is not foolproof. For example, CHDK [custom Canon firmware] can write to an SD/SDHC card even with the write-protect switch enabled.

I think you misunderstood him. With hardware-dependent write protection, he probably did NOT mean "there is some hardware part in the chain" but instead that the hardware itself (or more specifically the media itself) can directly block access, instead of just saying "please don't do this and that, okay?". If a hardware write protection depends on "the software accepting conventions" then it isn't worth its name. Obviously, this can only be achieved if the MEDIA does already manage itself to some degree, so that the media itself can block access, instead of being dependent on the hardware which uses the media. An example of true media write protection would be physically blocking access to the media.

This post has been edited by Lyx: Aug 1 2008, 17:37
Post #111 (Aug 1 2008, 18:18)
Group: Members, Posts: 341, Joined: 24-August 05, Member No.: 24095
QUOTE
If the read only status depends only on software, one cannot be completely sure.

QUOTE
Even hardware-based write-protection is not foolproof. For example, CHDK [custom Canon firmware] can write to an SD/SDHC card even with the write-protect switch enabled.

The "write protect" switch on SD/SDHC cards is just the equivalent of the write protection on compact cassettes or floppy disks. The card doesn't know anything about it; the state has to be sensed and respected by the host (I think the host is violating the specs if it doesn't). This is not a hardware protection. If the write protect switch actually cut the "W/R" line of the flash ROM chip, that would be pretty much foolproof.

This post has been edited by MedO: Aug 1 2008, 18:19
Post #112 (Aug 2 2008, 16:32)
Group: Members, Posts: 126, Joined: 9-March 06, From: NRW, Germany, Member No.: 28371
About the write-protection issue: on USB flash devices, the controller that actually writes the data is in the stick itself. So, a write protection should be possible.
Post #113 (Aug 3 2008, 02:25)
Group: Members, Posts: 809, Joined: 26-April 04, Member No.: 13720
I unsuccessfully tried to hunt down a USB stick with an R/O switch to safely use on other people's potentially infected computers. But apparently this type of modification is much less popular than encryption and frontends for portable applications.
Post #114 (Aug 3 2008, 04:28)
Group: Members, Posts: 418, Joined: 5-August 06, From: Canada, Member No.: 33645
QUOTE
If the read only status depends only on software, one cannot be completely sure.

QUOTE
Even hardware-based write-protection is not foolproof. For example, CHDK [custom Canon firmware] can write to an SD/SDHC card even with the write-protect switch enabled.

Because of bad hardware design.
Post #115 (Aug 3 2008, 13:39)
Group: Members, Posts: 30, Joined: 5-January 07, Member No.: 39316
Post #116 (Aug 4 2008, 15:30)
Group: Members, Posts: 452, Joined: 31-May 04, From: Czech Rep., Member No.: 14430
QUOTE
Based on the behaviour you reported for this malware, I can only see this affecting people that are very computer illiterate or just plain stupid.

In those times I sometimes ask myself if there's a difference between the two categories. Knowledge is a complement to intelligence, not its substitute.

--------------------
HD 238 Sansa Clip+ Vorbis q6; HD 380 Xonar DX FB2k FLAC
Post #117 (Aug 13 2008, 12:31)
Group: Members, Posts: 245, Joined: 10-February 04, From: London, Member No.: 11923
QUOTE
IMHO, this is getting ridiculous. You don't go skiing without training. You mustn't drive a car without a license. But most people who buy a PC, a device so powerful and so advanced, think they can just use it. Everyone is "stupid" when he/she does something for the first time. But most PC users don't try to change that. The results are topics like this one or the W32.Blaster story. If the first version of that worm hadn't been coded so badly, the consequences would have been much worse. Most users didn't even know that this behaviour was caused by a virus, that it could be aborted with shutdown -a, and that a patch from MS, which had been out for quite some time when Blaster was recent, existed.

This is silly. People don't buy a computer to have one more worry at home; they just want to use it for stuff computers can do, like going on the Internet, playing music.... Why should they have to learn anything beyond operating the thing? Answer: because the operation is deficient. It does things that the user did not really ask for and does not really understand, like running a script when you try to play a music file. So there is a paradox: we want machines that do more things than we need, because it gets frustrating otherwise, but we need machines that do only what we want, which is very unlikely in this age of automatic updates and other niceties.
Post #118 (Sep 18 2008, 18:37)
Group: Members, Posts: 103, Joined: 19-May 08, From: UK (London-ish), Member No.: 53626
QUOTE
Well, so I thought myself. Until a friend of mine, whose PC I set up personally, including installing antivirus software, Firefox and so forth, installed a different fake codec a while ago, infecting himself with some trojan. He is your average PC user, far from being PC illiterate or stupid. He was just not aware of the dangers when he installed that. I think that outside a minority of users who really know about all the dangers implied with internet use, the vast majority of people have no idea that such a codec download could lead to a trojan infection. They probably think it's just another notice, like a new Java version, Flash player, or whatever else pops up these days.

Hear hear! I think this is one of the more insidious ways of spreading a virus, trojan or whatever it is that I have heard of recently, although I did hear tell of one embedded in an (electronic!) photo frame. Most people think that MP3 files are totally safe. Indeed I did, until 5 minutes ago. You've got me worried now... Of course people shouldn't download codecs, ActiveX controls (bletch) or any other form of executable that they don't trust. But how do they know what to trust? If WINDOWS Media Player says go for it, most people will do so. *Everything* (executable) should be digitally signed, but whether this applies to codecs I don't actually know.

Paul Sanders
http://www.alpinesoft.co.uk

This post has been edited by Paul Sanders (AlpineSoft): Sep 18 2008, 18:41

--------------------
I am an independent software developer (VinylStudio) based in UK
Post #119 (Feb 1 2009, 08:54)
Group: Members, Posts: 193, Joined: 28-September 08, Member No.: 58729
How can you tell if you have this worm? I'm sure AVG has it in the virus database, and I've scanned my computer and thankfully no obvious trojans exist on my laptop. But in case it isn't recognized by AVG, is there a way to tell if you have this worm?
Post #120 (Feb 1 2009, 14:08)
Group: Members, Posts: 3081, Joined: 1-September 05, From: SE Pennsylvania, Member No.: 24233
The way that you are infected is when you attempt to play a "mp3" file in WMP and it tells you that you need to install software to play it. If this has never happened to you, or if you did not install software when prompted, then your computer is not infected.
The other clue is that these files actually contain WMA data, and most players will refuse to play them because of the mp3 extension.
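The second clue in the post above (WMA data behind an .mp3 extension) can be checked without playing the file: WMA lives in an ASF container, which starts with a fixed 16-byte header GUID, whereas a real MP3 starts with an ID3 tag or an MPEG frame sync. The script below is an added example written for this thread, not code from any poster or vendor; the sample headers are constructed, and the ASF GUID and MPEG sync pattern are taken from the public ASF and MPEG audio formats.

```python
import os

# ASF Header Object GUID as stored on disk (little-endian byte order).
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")


def classify_audio_header(data: bytes) -> str:
    """Classify the leading bytes of a file as 'asf', 'mp3' or 'unknown'."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):            # ID3v2 tag precedes MPEG frames
        return "mp3"
    # Raw MPEG audio frame sync: 11 set bits (0xFF then 0xE0..0xFF).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def is_disguised_asf(filename: str, data: bytes) -> bool:
    """True when the name says .mp3 but the content is an ASF container."""
    ext = os.path.splitext(filename)[1].lower()
    return ext == ".mp3" and classify_audio_header(data) == "asf"


# Constructed sample headers (first 16 bytes only; no real malware involved).
SAMPLES = {
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 6,
    "track.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 12,
    "hit.mp3": ASF_HEADER_GUID,    # ASF data hiding behind an .mp3 name
    "clip.wma": ASF_HEADER_GUID,   # ASF data with a matching extension
}


def scan_samples(samples=SAMPLES) -> list:
    """Return the sample names whose extension and content disagree."""
    return sorted(n for n, head in samples.items() if is_disguised_asf(n, head))


def scan_directory(path: str) -> list:
    """Walk a real directory tree and list .mp3 files that are really ASF."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.lower().endswith(".mp3"):
                full = os.path.join(root, name)
                with open(full, "rb") as fh:
                    head = fh.read(16)
                if is_disguised_asf(name, head):
                    hits.append(full)
    return hits


if __name__ == "__main__":
    print(scan_samples())
```

A hit only means the container and the extension disagree; the file still has to be examined (or simply not played in a player that fetches "codecs") before deciding it is malicious.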
Post #121 (Feb 2 2009, 01:35)
Group: Members, Posts: 648, Joined: 10-January 06, From: Zagreb, Member No.: 27018
QUOTE
Interesting. Please explain to me how IE will run something without me doing anything. (BTW: Since I am "smart", I of course don't have Outlook, nor do I use a mail client which uses its engine; same for scripting host, scheduler, address book, etc.)

Sorry to answer this so late, I forgot about this thread. Buffer overrun. Many applications use the IE engine to display their contents, not just Microsoft's. And it doesn't have to be IE to do that; unpatched Firefox, Opera, or just any software that uses an internet connection could possibly be vulnerable to some exploit. All you will see is that window informing you that the software has crashed, send/don't send. When you next start your computer, the whole of Windows will run in a "virtual machine", and you won't know anything about it. Or do you think that companies update their software only to add new gadgets? They are (mostly) patching security holes. Some are benign, some are very dangerous. Windows itself isn't the only source of bad software holes.