funsec mailing list archives

Previous By Date Next
Previous By Thread Next

Speaking of the risks of mixing code and data in data files

From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 18 Jul 2008 13:16:56 -0400
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/0
7/18/New_worm_transcodes_MP3s_to_try_to_infect_PCs_1.html


New worm transcodes MP3s to try to infect PCs 


July 18, 2008 


A new kind of malicious software could pose a danger to Windows users who
download music files on peer-to-peer networks.

        

The new malware inserts links to dangerous Web pages within ASF (Advanced
Systems Format) media files.

"The possibility of this has been known for a little while but this is the
first time we've seen it done," said David Emm, senior technology consultant
for security vendor Kaspersky Lab.

Advanced Systems Format is a Microsoft-defined container format for audio
and video streams that can also hold arbitrary content such as images or
links to Web resources.

If a user plays an infected music file, it will launch Internet Explorer and
load a malicious Web page which asks the user to download a codec, a
well-known trick to get someone to download malware.

The actual download is not a codec but a Trojan horse, which installs a
proxy program on the PC, Emm said. The proxy program allows hackers to route
other traffic through the compromised PC, helping the hacker essentially
cover their tracks for other malicious activity, Emm said.

The malware has worm-like qualities. Once on a PC, it looks for MP3 or MP2
audio files, transcodes them to Microsoft's Windows Media Audio format,
wraps them in an ASF container and adds links to further copies of the
malware, in the guise of a codec, according to another security analyst,
Secure Computing
<http://www.trustedsource.org/blog/132/Trojan-infecting-multimedia-files> .

The ".mp3" extension of the files is not modified, however, so victims may
not immediately notice the change, according to Kaspersky Lab.

.

 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: