TeMerc Warrior VIP
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 9360 Location: Phx. AZ.
Posted: Fri Dec 31, 2004 8:55 am Post subject: Adware Installed Via WMA Files
From DSLR, by Eric Howes:
Quote:
> Hi All:
> PC World has a pair of articles about a potentially dangerous new development on the spyware/adware front: WMA (Windows Media) files being used to install adware and spyware. See:
> Risk Your PC's Health for a Song?
> http://www.pcworld.com/news/article/0,aid,119016,00.asp
> Protect Yourself From Audio Adware
> http://www.pcworld.com/news/article/0,aid,119063,00.asp
> In short, the well-known copyright management/protection firm Overpeer has figured out how to install adware through Windows Media files. The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.
> Some might be tempted to dismiss this new method for distributing adware and spyware as a risk only for those using P2P networks. That snap judgement would be a mistaken and misguided one, though. The P2P file sharing angle on this story is a red herring.
> The problem here involves the DRM features of Windows Media, and those features create a new and potentially very effective means for adware vendors to push unwanted software on unsuspecting users who have no interest whatsoever in using P2P networks to trade unauthorized music files.
> I should caution readers that the PC World article, while detailed, is still short on specifics and that we still need more information. That said, users should be advised to take the usual steps to protect themselves against adware and spyware. At a minimum that involves:
> * locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting);
> * installing spyware prevention utilities such as SpywareBlaster and SpywareGuard;
> * installing at least two reputable anti-spyware scanners and keeping them updated;
> * keeping your system updated through Windows Update.
> In addition to the above, PC World recommends tweaking the settings for Windows Media Player:
> said by PC World:
> * Change the Windows Media Player setting to give you more warning. Select Tools, Options, Privacy and turn off 'Acquire licenses automatically for protected content'. A dialog box then will warn you each time a protected file attempts to get a license, and it will display the URL from which the file intends to request the license. If you have any doubts about the site, choose 'No.' Changing this setting in Windows Media Player will affect any other players you use that support Microsoft's DRM scheme.
Full read:
http://www.dslreports.com/forum/remark,12245912~mode=flat
From Suzi's Blog:
http://netrn.net/spywareblog/archives/2004/12/29/adware-installed-through-windows-media-files/
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Moore Moderator
Joined: 31 May 2004 Last Visit: 14 Mar 2009 Posts: 795 Location: °°.Right.Here.°°
Posted: Fri Dec 31, 2004 11:24 am Post subject:
Yeah, this is one company that needs to be avoided. Bought out by Loudeye Corporation in 2004, used by ondemanddistribution.com and protectedmedia.com it seems.
http://www.overpeer.com/news.asp
I like to call what they do network poisoning. Now it seems they have broadened their schemes.
We have a growing blocklist of Overpeer IPs at Bluetack, which can be found in the anti-p2p list here, to be used in blocking with a firewall.
To give you an idea of just how widespread they are, here's a look at their current IPs we have so far:
OVERPEER Inc:64.14.37.128-64.14.37.159
OVERPEER Inc:64.14.40.160-64.14.40.191
Overpeer Inc:64.14.50.224-64.14.50.255
OVERPEER Inc:64.14.61.64-64.14.61.95
Overpeer Inc:64.14.63.64-64.14.63.95
Overpeer Inc:64.15.164.128-64.15.164.159
Overpeer Inc:64.15.165.0-64.15.165.255
overpeer:64.15.202.0-64.15.202.255
OVERPEER Inc:64.15.226.96-64.15.226.191
OVERPEER Inc:64.15.227.224-64.15.227.255
OVERPEER:64.15.228.16-64.15.228.191
OVERPEER Inc:64.15.228.224-64.15.228.255
overpeer:64.15.229.32-64.15.229.63
Overpeer Inc:64.15.231.64-64.15.231.95
overpeer:64.15.234.128-64.15.234.159
OVERPEER Inc:64.15.234.224-64.15.234.255
Overpeer Inc:64.15.237.128-64.15.237.159
Overpeer Inc:64.15.238.64-64.15.238.95
Overpeer Inc:64.15.239.96-64.15.239.127
overpeer:64.15.245.0-64.15.245.32
Overpeer Inc:64.15.248.0-64.15.248.255
Overpeer Inc:64.15.250.0-64.15.250.31
Overpeer Inc:64.15.254.192-64.15.254.223
Overpeer Inc:64.37.197.0-64.37.197.255
Overpeer Inc:64.39.36.0-64.39.36.31
Overpeer Inc:64.39.51.0-64.39.51.255
Overpeer Inc:64.41.133.160-64.41.133.191
overpeer:64.58.66.192-64.58.66.223
Overpeer Inc:64.70.90.0-64.70.90.255
overpeer:64.75.4.192-64.75.4.223
overpeer:64.85.76.0-64.85.76.255
overpeer:64.92.128.0-64.92.159.255
overpeer:64.209.193.0-64.209.193.255
Overpeer Inc:64.209.230.200-64.209.230.223
Overpeer Inc:64.209.230.244-64.209.230.247
Overpeer Inc:64.211.224.192-64.211.224.223
Overpeer Inc:66.37.217.0-66.37.217.255
Overpeer Inc:66.119.42.160-66.119.42.191
Overpeer Inc:66.128.66.0-66.128.66.255
Overpeer Inc:66.128.225.128-66.128.225.191
Overpeer Inc:66.128.226.0-66.128.226.255
Overpeer Inc:68.167.223.144-68.167.223.159
Overpeer Inc:206.132.28.0-206.132.28.255
Overpeer Inc:206.132.30.192-206.132.30.223
Overpeer Inc:208.48.64.0-208.48.64.255
OverpeerInc:208.48.65.64-208.48.65.95
OverpeerInc:208.50.134.0-208.50.134.31
OverpeerInc:208.50.162.0-208.50.162.255
OverpeerInc:208.50.172.0-208.50.172.255
OverpeerInc[Network-Poisoning]:209.67.69.160-209.67.69.191
OverpeerInc-Overpeer Inc.:209.67.79.0-209.67.79.255
OverpeerInc-Overpeer Inc.:209.67.193.160-209.67.193.191
OverpeerInc-Overpeer Inc.:209.67.197.0-209.67.197.255
OverpeerInc:209.143.192.0-209.143.192.255
OverpeerInc:209.143.193.192-209.143.193.223
Overpeer Inc:209.143.226.0-209.143.226.255
Overpeer Inc:209.143.249.0-209.143.249.255
Overpeer Inc:209.185.173.0-209.185.173.255
Overpeer Inc:209.202.129.0-209.202.129.255
Overpeer Inc:209.225.29.128-209.225.29.159
Overpeer Inc:209.225.44.0-209.225.44.255
Overpeer Inc:216.19.128.0-216.19.128.255
Overpeer Inc:216.19.160.0-216.19.175.255
Overpeer Inc:216.33.34.0-216.33.34.255
Overpeer Inc:216.33.203.0-216.33.203.255
Overpeer Inc:216.34.36.32-216.34.36.63
Overpeer Inc:216.34.37.0-216.34.37.255
Overpeer Inc:216.34.42.0-216.34.42.255
Overpeer Inc:216.34.78.0-216.34.78.255
Overpeer Inc:216.34.95.0-216.34.95.255
Overpeer-scum-Network-Poisoning:216.34.106.0-216.34.106.255
Overpeer:216.34.160.0-216.34.162.255
Overpeer:216.34.164.0-216.34.175.255
Overpeer Inc:216.34.222.0-216.34.222.255
Overpeer Inc:216.35.64.160-216.35.64.191
Overpeer Inc:216.35.67.32-216.35.67.63
Overpeer Inc:216.35.70.192-216.35.70.223
Overpeer, Overpeer Inc:216.35.71.0-216.35.71.255
Overpeer:216.35.73.128-216.35.73.159
Overpeer:216.35.74.224-216.35.74.255
Overpeer Inc:216.35.77.64-216.35.77.95
Overpeer Inc:216.35.79.64-216.35.79.96
Overpeer Inc:216.35.83.0-216.35.83.255
Overpeer Inc:216.35.172.0-216.35.172.255
Overpeer Inc:216.35.212.96-216.35.212.127
Overpeer Inc:216.35.217.0-216.35.217.255
Overpeer Inc:216.39.34.0-216.39.34.255
Overpeer Inc:216.39.89.0-216.39.89.255
Overpeer Inc:216.48.66.0-216.48.67.31
Overpeer Inc:216.64.212.0-216.64.212.255
overpeer:216.74.130.0-216.74.131.31
overpeer:216.74.134.128-216.74.134.159
overpeer:216.74.135.160-216.74.135.191
overpeer:216.74.143.64-216.74.143.95
Overpeer Inc:216.74.146.160-216.74.146.191
Overpeer Inc:216.74.150.0-216.74.150.15
Overpeer Inc:216.74.159.64-216.74.159.95
Overpeer Inc:216.74.164.192-216.74.164.223
Overpeer Inc:216.74.169.96-216.74.169.127
Overpeer Inc:216.74.172.0-216.74.172.255
overpeer:216.144.70.0-216.144.70.255
Overpeer Inc:216.144.71.0-216.144.71.255
Overpeer Inc:216.177.72.96-216.177.72.127
Overpeer Inc:216.182.162.64-216.182.162.95
Overpeer Inc:216.182.196.160-216.182.196.191
_________________
| Blockpost | Blocklist Pro Internet Security | BLM | Hosts |
suzi Site Admin
Joined: 27 Jul 2003 Last Visit: 08 Feb 2010 Posts: 10682 Location: sunny California
Posted: Fri Dec 31, 2004 11:42 am Post subject:
Whoa - Moore, that's interesting. I'd like to know exactly what adware companies are using this method of distributing their unwanted goodies.
_________________
Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
Last edited by suzi on Sat Jan 01, 2005 11:46 pm; edited 1 time in total
Moore Moderator
Joined: 31 May 2004 Last Visit: 14 Mar 2009 Posts: 795 Location: °°.Right.Here.°°
Posted: Fri Dec 31, 2004 12:34 pm Post subject:
This is the first I've heard of them being used to hit people with malware, but if it's true, it's not much of a surprise to me.
If I can find anything I'll be sure to post it.
http://p2pnet.net/story/3421
Quote:
> PC World says a reader alerted it to an ad-laden Windows Media Audio file, titled 'Alicia Keys Fallin' Songs In A Minor 4.wma'.
> "We then found two other WMA files and two Windows Media Video files that had been similarly modified," it says, going on that it figured out that each media file loaded a page served by Overpeer and that each of those pages led to the creation of several Internet Explorer windows, "each containing a different ad or adware".
_________________
| Blockpost | Blocklist Pro Internet Security | BLM | Hosts |
Chao284 Warrior
Joined: 06 Sep 2004 Last Visit: 08 Feb 2010 Posts: 218
Posted: Fri Dec 31, 2004 6:04 pm Post subject:
Well, it is a good thing they still have not targeted MP3s yet, given that adware has become a problem more than anything. I just hope it does not become a new threat in all of this.
bobince SWW Distinguished Expert
Joined: 24 Nov 2004 Last Visit: 31 Aug 2009 Posts: 320
Posted: Sat Jan 01, 2005 7:03 am Post subject:
Chao: they can't target MP3s. It's only Windows Media (WMA/WMV/ASX/etc) that has the ability to launch potentially-malicious web sites as a licensing procedure.
> I'd like to know exactly what adware companies are using this method of distributing their unwanted goodies.
On the ideafoundry.net side of things (protectedmedia.com - instantdrm.com - tagteamdrm.com - dncstudios.com) I've seen ILookup/WinHot (HotSearchBar), Pugi/ISearch and ISTbar/YourSearchBar. [edit: and InternetOptimizer] [edit 2: and WinUpdates]
I'm not sure whether there actually is a link between these sites and Overpeer though. I can't see it so far; they may just be two parties doing the same trick for different reasons. I'll have to wander the seedy streets of FastTrack a bit longer I guess...
MadameX Site Admin
Joined: 12 Jul 2004 Last Visit: 27 Apr 2008 Posts: 1489
Posted: Sat Jan 01, 2005 10:04 am Post subject:
bobince wrote:
> Chao: they can't target MP3s. It's only Windows Media (WMA/WMV/ASX/etc) that has the ability to launch potentially-malicious web sites as a licensing procedure.
Don't underestimate their desire or ability to do so.
If there is a way, they'll find it for sure!
Deb
_________________
CARMA
bobince SWW Distinguished Expert
Joined: 24 Nov 2004 Last Visit: 31 Aug 2009 Posts: 320
Posted: Sat Jan 01, 2005 1:55 pm Post subject:
X: I can think of one way they could probably do it that they haven't tried yet: simply taking a .wma file and renaming it to .mp3! WMP would happily load it as a WMA without telling the user it wasn't the filetype they expected.
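An added example (my code, not from this thread and not Microsoft's) of the content-based check that the rename trick above defeats when you go by extension alone, and of where the "license" page that Eric Howes' post describes actually lives inside the file: read the ASF container magic at offset 0, walk the top-level header objects, flag the two Windows Media DRM object kinds, and pull out the license URL the player would open, so a scanner can list it before any player does. The object GUIDs and field layouts are as I recall them from Microsoft's ASF specification and should be treated as assumptions to verify against it; the sample file is constructed by `build_sample` and is not a real media file.

```python
import re
import struct
import uuid
from pathlib import Path

# Object GUIDs as given in the ASF specification (from memory; verify against the spec).
# The Header Object GUID is the "0&\xb2u" magic at offset 0 of every WMA/WMV/ASF file.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")      # WM DRM v1
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE0F1FC0E4D")  # WM DRM v7+
ASF_EXTENSIONS = {".wma", ".wmv", ".asf"}


def _guid(raw: bytes) -> uuid.UUID:
    # ASF stores GUIDs in the Windows mixed-endian layout that bytes_le understands.
    return uuid.UUID(bytes_le=raw)


def _license_url_v1(payload: bytes):
    """Content Encryption Object: four length-prefixed fields (secret data, protection
    type, key id, license URL); the last one is what the player will open."""
    pos, fields = 0, []
    for _ in range(4):
        if pos + 4 > len(payload):
            return None
        (n,) = struct.unpack_from("<I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            return None
        fields.append(payload[pos:pos + n])
        pos += n
    return fields[3].rstrip(b"\0").decode("ascii", "replace") or None


def _license_url_v7(payload: bytes):
    """Extended Content Encryption Object: DWORD size then a UTF-16LE WRMHEADER XML blob
    whose LA_URL element (if any) names the license acquisition page."""
    if len(payload) < 4:
        return None
    (n,) = struct.unpack_from("<I", payload, 0)
    xml = payload[4:4 + n].decode("utf-16-le", "replace")
    m = re.search(r"<LA_URL>(.*?)</LA_URL>", xml, re.S)
    return m.group(1).strip() if m else None


def inspect_asf(data: bytes) -> dict:
    """Decide from content alone whether data is an ASF container and whether it carries
    DRM objects; the file name is deliberately not consulted."""
    report = {"is_asf": False, "drm": False, "license_urls": [], "objects": 0}
    if len(data) < 30 or _guid(data[:16]) != ASF_HEADER_OBJECT:
        return report
    report["is_asf"] = True
    header_size, n_objects = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30  # 16-byte GUID + 8-byte size + 4-byte count + 2 reserved bytes
    for _ in range(n_objects):
        if pos + 24 > end:
            break
        oid = _guid(data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break  # malformed size: stop rather than loop forever or read past the buffer
        payload = data[pos + 24:pos + size]
        report["objects"] += 1
        url = None
        if oid == ASF_CONTENT_ENCRYPTION:
            report["drm"] = True
            url = _license_url_v1(payload)
        elif oid == ASF_EXT_CONTENT_ENCRYPTION:
            report["drm"] = True
            url = _license_url_v7(payload)
        if url:
            report["license_urls"].append(url)
        pos += size
    return report


def check_media(name: str, data: bytes) -> dict:
    """Combine the content check with the extension the user believes they have."""
    r = inspect_asf(data[:1 << 20])  # the header sits at the start; 1 MiB is ample
    r["extension_mismatch"] = r["is_asf"] and Path(name).suffix.lower() not in ASF_EXTENSIONS
    return r


def _obj(oid: uuid.UUID, payload: bytes) -> bytes:
    return oid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def build_sample(url_v1: str, url_v7: str) -> bytes:
    """Constructed ASF header carrying both DRM object kinds; not a real media file."""
    fields = [b"\x01\x02\x03\x04", b"DRM\0", b"KEYID-PLACEHOLDER\0", url_v1.encode() + b"\0"]
    v1 = b"".join(struct.pack("<I", len(f)) + f for f in fields)
    xml = f'<WRMHEADER version="2.0.0.0"><DATA><LA_URL>{url_v7}</LA_URL></DATA></WRMHEADER>'
    xml_bytes = xml.encode("utf-16-le")
    v7 = struct.pack("<I", len(xml_bytes)) + xml_bytes
    filler = _obj(uuid.UUID(int=0), b"\0" * 8)  # dummy object the walker must skip over
    body = filler + _obj(ASF_CONTENT_ENCRYPTION, v1) + _obj(ASF_EXT_CONTENT_ENCRYPTION, v7)
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(body), 3, 1, 2) + body


if __name__ == "__main__":
    sample = build_sample("http://license.example.invalid/v1", "http://license.example.invalid/v7")
    print(check_media("track.mp3", sample))  # ASF content behind an .mp3 name
    print(check_media("track.mp3", b"ID3\x04\x00\x00" + b"\0" * 64))  # real MP3 tag: not ASF
```

The point of `check_media` is that the verdict comes from the first 16 bytes and the header walk, so "track.mp3" containing an ASF header is reported as a mismatch with its DRM objects and license URLs listed, while a genuine MP3 is left alone.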
3162 Honorary Site Admin
Joined: 31 Mar 2004 Last Visit: 04 May 2009 Posts: 6540
Posted: Sat Jan 01, 2005 2:51 pm Post subject:
bobince,
shhhhhh!
I swear the barstewards read Forums like SWW, see how we hack out the fixes and then rewrite the infections to add more nastiness to them.
_________________
Proud member of the Chest Zipper Club!
Moore Moderator
Joined: 31 May 2004 Last Visit: 14 Mar 2009 Posts: 795 Location: °°.Right.Here.°°
Posted: Sat Jan 01, 2005 10:27 pm Post subject:
Looks like they want to pack everything and the kitchen sink into these files:
http://www.benedelman.org/news/010205-1.html
Quote:
> On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs: 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, Winpup32, and VX2 (DirectRevenue). (Most product names are as detected by Lavasoft Ad-Aware.) All in all, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer.
_________________
| Blockpost | Blocklist Pro Internet Security | BLM | Hosts |
wawadave Warrior Obsessed
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 4080 Location: Illegitimus non carborundum
Posted: Sat Jan 01, 2005 11:08 pm Post subject:
3162 wrote:
> bobince,
> shhhhhh!
> I swear the barstewards read Forums like SWW, see how we hack out the fixes and then rewrite the infections to add more nastiness to them.
Yes, they do exactly that!
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
TeMerc Warrior VIP
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 9360 Location: Phx. AZ.
Posted: Sat Jan 01, 2005 11:24 pm Post subject: FROM BEN EDELMAN
OK, well it seems Ben Edelman has been busy installing these things; have a look and see how it works.
Quote:
> Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there's yet another problem to add to the list: Will a media file try to install spyware?
> When Windows Media Player encounters a file with certain "rights management" features enabled, it opens the web page specified by the file's creator. This page is intended to help a content provider promote its products -- perhaps other music by the same artist or label. But the specified web page can show deceptive messages, including pop-ups that try to install software on users' PCs. Users with all the latest software -- Windows XP Service Pack 2 plus Windows Media Player 10 -- won't get these popups. But on older versions of Windows, the net effect can be confusing and misleading messages that trick users into installing software they don't want and don't need -- potentially so many programs that otherwise-satisfactory computers become slow and unreliable.
> I recently tested a Windows Media video file, reportedly circulating through P2P networks, that displays a misleading pop-up which in turn attempts to install unwanted software onto users' computers. I consider the installation misleading for at least three reasons.
Full read:
http://www.benedelman.org/news/010205-1.html
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
nl255 Newbie
Joined: 02 Jan 2005 Last Visit: 02 Jan 2005 Posts: 1
Posted: Sun Jan 02, 2005 1:33 pm Post subject:
Is there a full analysis of the attempted spyware installation, including what security holes, if any, are used? It would be interesting to see if they try to use any exploits, or if they just nag you to install the spyware. If anyone has the hashes (md4 for edonkey, not sure about the other networks) of an Overpeer infected file, I would be willing to test it in VMware (with non-persistent disks, of course) to see exactly what happens.
Moore Moderator
Joined: 31 May 2004 Last Visit: 14 Mar 2009 Posts: 795 Location: °°.Right.Here.°°
Posted: Tue Jan 04, 2005 9:30 am Post subject:
nl255 wrote:
> Is there a full analysis of the attempted spyware installation, including what security holes, if any, are used?
Did you see the link above your post?
_________________
| Blockpost | Blocklist Pro Internet Security | BLM | Hosts |
eburger68 SWW Distinguished Expert
Joined: 23 Jun 2004 Last Visit: 18 Nov 2008 Posts: 589 Location: Clearwater, FL
Nick Site Admin
Joined: 27 Feb 2004 Last Visit: 08 Feb 2010 Posts: 4720 Location: California
wawadave Warrior Obsessed
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 4080 Location: Illegitimus non carborundum
Posted: Tue Jan 11, 2005 11:33 pm Post subject:
Well put, but did you see how Windows Mediocre Player is pinging home to all the major mp3 sellers with what you're playing, and most likely whether it's legal or not?
That EULA on the Microsucks update today gives them the right to delete any files or programs on your computer, and not whether they're spyware or not, but if they're MS's or affiliate partners' programs.
Essence of Longhorn is already here!!!!
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
wawadave Warrior Obsessed
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 4080 Location: Illegitimus non carborundum
Posted: Wed Jan 12, 2005 9:02 am Post subject:
New one: MS started sending home data from my PC at 15 KB/s
to 207.46.248.248 through port 5492.
I have blocked those, but most Microsucks call-homes just switch IP addys and ports till the next call home.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd