Adware Installed via WMA files by Eric Howes

Discussion in 'privacy general' started by the mul, Dec 31, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    From DSLR, by Eric Howes:


    QUOTE
    Hi All:

    PC World has a pair of articles about a potentially dangerous new development on the spyware/adware front: WMA (Windows Media) files being used to install adware and spyware. See:

    Risk Your PC's Health for a Song?
    http://www.pcworld.com/news/article/0,aid,119016,00.asp

    Protect Yourself From Audio Adware
    http://www.pcworld.com/news/article/0,aid,119063,00.asp

    In short, the well-known copyright management/protection firm Overpeer has figured out how to install adware through Windows Media files. The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.

    Some might be tempted to dismiss this new method for distributing adware and spyware as a risk only for those using P2P networks. That snap judgement would be a mistaken and misguided one, though. The P2P file sharing angle on this story is a red herring.

    The problem here involves the DRM features of Windows Media, and those features create a new and potentially very effective means for adware vendors to push unwanted software on unsuspecting users who have no interest whatsoever in using P2P networks to trade unauthorized music files.

    I should caution readers that the PC World article, while detailed, is still short on specifics and that we still need more information. That said, users should be advised to take the usual steps to protect themselves against adware and spyware. At a minimum that involves:

    * locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting);
    * installing spyware prevention utilities such as SpywareBlaster and SpywareGuard;
    * installing at least two reputable anti-spyware scanners and keeping them updated;
    * keeping your system updated through Windows Update.

    In addition to the above, PC World recommends tweaking the settings for Windows Media Player:


    said by PC World:

    * Change Windows Media Player setting to give you more warning. Select Tool, Options, Privacy and turn off 'Acquire licenses automatically for protected content'. A dialog box then will warn you each time a protected file attempts to get a license, and it will display the URL from which the file intends to request the license. If you have any doubts about the site, choose 'No.' Changing this setting in Windows Media Player will affect any other players you use that support Microsoft's DRM scheme.


    Full read:
    http://www.dslreports.com/forum/remark,12245912~mode=flat

    The mul
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Scary! :eek: WMP is not as safe as it seems...
     
  3. the mul

    the mul Registered Member

    WMA adware install update

    OK, well, it seems Ben Edelman has been busy installing these things. Have a look and see how it works.


    QUOTE
    Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there's yet another problem to add to the list: Will a media file try to install spyware?

    When Windows Media Player encounters a file with certain "rights management" features enabled, it opens the web page specified by the file's creator. This page is intended to help a content provider promote its products -- perhaps other music by the same artist or label. But the specified web page can show deceptive messages, including pop-ups that try to install software on users' PCs. Users with all the latest software -- Windows XP Service Pack 2 plus Windows Media Player 10 -- won't get these popups. But on older versions of Windows, the net effect can be confusing and misleading messages that trick users into installing software they don't want and don't need -- potentially so many programs that otherwise-satisfactory computers become slow and unreliable.

    I recently tested a WindowsMedia video file, reportedly circulating through P2P networks, that displays a misleading pop-up which in turn attempts to install unwanted software onto users' computers. I consider the installation misleading for at least three reasons.


    Full read:

    http://www.benedelman.org/news/010205-1.html
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Mull....I have merged your WMA adware install update thread into this one since it relates right nicely with Eric's topic and would help with the ongoing discussion.
     
  5. the mul

    the mul Registered Member

    Thanks Bubba, I could not decide if I should have posted it with Eric Howes' discussion or started a new thread, but I will know the next time, my friend.

    Your friend

    THE MUL
     
  6. the mul

    the mul Registered Member

    From Eric Howes:
    Hi All:

    As you all know, it was recently discovered that Windows Media Player (WMP) files can serve as the vehicle for spyware and adware installations (see Adware Installed through WMA Files). Ben Edelman and Ed Bott have documented the installation process on Windows XP, including Windows XP SP2 -- see:

    Ben Edelman: Media Files that Spread Spyware
    http://www.benedelman.org/news/010205-1.html

    Ed Bott: "Poisoned" Windows Media files: more details
    http://www.edbott.com/weblog/archives/000340.html


    For those who have not followed this story, researchers have discovered specially designed Windows Media Player files that will initiate the installation of spyware and adware when users attempt to play those files. These specially designed media files exploit the DRM (Digital Rights Management) functionality that Microsoft built into Windows Media Player by opening web pages in hosted instances of Internet Explorer. The ostensible purpose for opening these special Internet Explorer windows (which resemble dialog boxes) is to acquire license information needed to play the media files. Once open, though, these hosted instances of Internet Explorer can be used to initiate the download and installation of spyware and adware, just as happens in drive-by-downloads at regular web sites.

    Windows XP SP2 vs. Earlier Versions of Windows

    As Ed Bott has noted, Windows XP SP2 does offer some protection against this exploit, provided users are also running Windows Media Player 10. On Windows XP SP2 w/ Windows Media Player 10 the special Internet Explorer window that opens when Windows Media Player attempts to acquire license information for the media will behave just like any other instance of Internet Explorer when web sites initiate the installation of ActiveX controls. That means SP2's Internet Explorer will automatically block the installation of those ActiveX controls and display summary information in the SP2 Information Bar, thus lessening the possibility that users will be bamboozled into consenting to the installation of unwanted spyware and adware.

    If users are running Windows Media Player 9, however, those XP SP2 security enhancements will not protect users because, as Ed Bott observes, the "instance of IE that is being hosted in the WMP9 License Acquisition dialog box is not interacting properly with the security restrictions in SP2." Instead of seeing the XP SP2 Information Bar, users will see the standard ActiveX Security Warning box -- common to earlier versions of Internet Explorer -- prompting them to install software.

    These installation prompts, we already know, are inherently confusing for most users, especially when users encounter them in unexpected circumstances (see my submission to the FTC last April for an extended discussion of this issue: http://www.spywarewarrior.com/uiuc/dbd-anatomy.htm). Indeed, the whole purpose of the XP SP2 security enhancements was to improve Internet Explorer's handling of ActiveX installations and thus make the automated installation of software online less confusing for regular users. If users misunderstand what they are being asked to install, they could wind up consenting to the installation of unwanted spyware and adware.

    As others have observed, many users will not be running Windows XP SP2 and thus will not enjoy the enhanced protections offered in that service pack. They may be running Windows XP without SP2, or they may even be running earlier versions of Windows. In such cases, users will also encounter standard ActiveX installation prompts, making these Windows Media Player adware installations as confusing and deceptive as the automated installations of spyware and adware that users already encounter at third-party web sites, as Ben Edelman stressed in his write-up.

    Who's At Fault?

    Some commentators have attempted to minimize the risks posed by this new method for installing spyware and adware, pointing out that with a fully patched version of Internet Explorer no software will be installed without users first being given notice in some form. Thus, these skeptics insist, users who consent to the installation of unwanted software through this process are themselves at fault for clicking through the installation prompts.

    But just how clear are the installation prompts presented to users? How easy would it be for users to unwittingly consent to the installation of spyware and adware while attempting to play Windows Media Player files they had encountered on the Net or on a P2P file sharing network?

    The answers to these key questions, I discovered, are quite disturbing. Taken in its entirety, the installation process that users will encounter when attempting to play these rogue Windows Media Player files is extremely baffling.

    For starters, the installation prompts are presented in confusing circumstances, as most users would never expect that they could acquire spyware and adware simply by playing media files. Still worse, though, the several spyware and adware installation prompts are specifically designed to exploit this initial confusion and coerce users into falsely believing that the spyware and adware programs are license files or even security upgrades to Windows Media Player required to view the media files.

    In sum, the installation process used by these Windows Media Player files is among the most deceptive installation processes I have ever encountered, and it is entirely understandable that users could unwittingly consent to the installation of an unbelievable load of spyware and adware.

    To illustrate what many users will encounter on versions of Windows other than Windows XP SP2 and with versions of Windows Media Player prior to version 10, I tested the same Windows Media Player file used by Ben Edelman and Ed Bott on a PC with Windows 2000 SP4, Internet Explorer w/ SP1, and Windows Media Player 9. Attached to this post are four screenshots that are critical to understanding the confusion deliberately created by adware vendors through this Windows Media Player license acquisition and software installation process.
    Full read, w/ screenshots:
    http://www.dslreports.com/forum/remark,12298989~mode=flat

    THE MUL
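
Added example, not part of the thread or of any article it quotes: a Python triage script that reads the license-acquisition URL out of a Windows Media (ASF) file header before the file is opened in a player, which is the URL the PC World tip above says the warning dialog will display. It assumes the ASF header layout (a Header Object whose Content Encryption Object ends with a length-prefixed License URL); the function names, the trusted-host list and the sample bytes are constructed for illustration.

```python
import struct
import uuid
from urllib.parse import urlparse

# Object GUIDs of the ASF container format (stored mixed-endian on disk).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")

def sized_field(buf, pos):
    """Read a DWORD length plus that many bytes; return (data, next_pos)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("<I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("field runs past end of object")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def license_url(data):
    """Return the DRM license URL from an ASF header, or None if unprotected."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        raise ValueError("not an ASF file")
    (hdr_size,) = struct.unpack_from("<Q", data, 16)
    end = min(hdr_size, len(data))
    pos = 30  # GUID(16) + size(8) + object count(4) + 2 reserved bytes
    while pos + 24 <= end:
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            raise ValueError("corrupt header object size")
        if guid == ASF_CONTENT_ENCRYPTION:
            body, p = data[pos + 24:pos + size], 0
            for _ in range(3):  # skip secret data, protection type, key ID
                _, p = sized_field(body, p)
            url, _ = sized_field(body, p)
            return url.rstrip(b"\x00").decode("ascii", "replace")
        pos += size
    return None

def needs_review(data, trusted_hosts=frozenset()):
    """True when the file names a license host that is not on the trusted list."""
    url = license_url(data)
    return url is not None and (urlparse(url).hostname or "") not in trusted_hosts

def constructed_sample(url):
    """Constructed header-only test input (not a playable media file)."""
    f = lambda b: struct.pack("<I", len(b)) + b
    body = f(b"\x00" * 4) + f(b"DRM\x00") + f(b"KEYID\x00") + f(url.encode() + b"\x00")
    obj = ASF_CONTENT_ENCRYPTION.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Run `license_url(open(path, "rb").read(65536))` over downloaded `.wma`/`.wmv` files; any file for which `needs_review` is true deserves a look at the host before it is played.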
     