New worm transcodes MP3s to try to infect PCs
A new kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks.
The new malware inserts links to dangerous Web pages within ASF (Advanced Systems Format) media files.
"The possibility of this has been known for a little while but this is the first time we've seen it done," said David Emm, senior technology consultant for security vendor Kaspersky Lab.
Advanced Systems Format is a Microsoft-defined container format for audio and video streams that can also hold arbitrary content such as images or links to Web resources.
If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.
The actual download is not a codec but a Trojan horse, which installs a proxy program on the PC, Emm said. The proxy program allows hackers to route other traffic through the compromised PC, helping the hacker essentially cover their tracks for other malicious activity, Emm said.
The malware has worm-like qualities. Once on a PC, it looks for MP3 or MP2 audio files, transcodes them to Microsoft's Windows Media Audio format, wraps them in an ASF container and adds links to further copies of the malware, in the guise of a codec, according to another security analyst, Secure Computing.
The ".mp3" extension of the files is not modified, however, so victims may not immediately notice the change, according to Kaspersky Lab.
Most savvy PC users are aware of the codec ruse, but the style of attack is still effective since many media players do need to receive updated codecs occasionally in order to play files.
"Users downloading from P2P networks need to exercise caution anyway, but should also be sensitive to pop-ups appearing upon playing a downloaded video or audio stream," Secure Computing said.
Users on a digital audio enthusiast site differed over the danger level of the malware.
"I never allow programs to choose which codecs I use to play back media," wrote JXL on the Hydrogen Audio forum "I research it and get the codec bundles off of sites I know to be trustworthy and even then I still scan them and check to make sure they are what they are. I honestly don't feel that this malware has a very good chance of spreading fast."
But most users will probably think the prompt to download a codec is just routine business, wrote a user by the nickname of Citay on the same forum.
"I think that outside a minority of users who really know about all the dangers implied with Internet use, the vast majority of people have no idea that such a codec download could lead to a Trojan infection," Citay wrote.
Trend Micro calls the malware "Troj_Medpinch.a," Secure Computing named it " "Trojan.ASF.Hijacker.gen" and Kaspersky calls it "Worm.Win32.GetCodec.a."
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
malware
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
