Exploit in Windows Media Player

[iago]

If you're downloading movies from P2P, watch out for this.  Or use another movie player.

from http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=5818
===
Video files appear that download malicious application when they are run

01/10/2005. These files are .wmv files infected by Trj/WmvDownloader.A and Trj/WmvDownloader.B, two Trojans that take advantage of a new technology incorporated in Microsoft Windows Media player to install spyware, adware and dialers, as well as computer viruses

PandaLabs has detected the appearance of two new Trojans, Trj/WmvDownloader.A and Trj/WmvDownloader.B, which are spreading through P2P networks in video files. These Trojans take advantage of the new technology incorporated in Microsoft Windows Media player called Windows Media Digital Rights Management (DRM), designed to protect the intellectual property rights of multimedia content. When a user tries to play a protected Windows media file, this technology demands a valid license. If the license is not stored on the computer, the application will look for it on the Internet, so that the user can acquire it directly or buy it. This new technology is incorporated through the Windows XP Service Pack 2 + Windows Media Player 10 update.

The video files infected by these Trojans have a .wmv extension and are protected by licenses, supposedly issued by the companies overpeer (for Trj/WmvDownloader.A), or protectedmedia (for Trj/WmvDownloader.B). If the user runs a video file that is infected by one of these Trojans, they pretend to download the corresponding license from certain web pages. However, what they actually do is redirect the user to other Internet addresses from which they download a large number adware (programs that display advertisements on screen), spyware, dialers (applications that dial-up high rate toll numbers) and other viruses. Below are some examples of the malicious programs and viruses these Trojans download:

Adware/Funweb

Adware/MydailyHoroscope

Adware/MyWay

Adware/MyWebSearch

Adware/Nsupdate

Adware/PowerScan

Adware/Twain-Tech

Dialer Generic

Dialer.NO

Spyware.AdClicker

Spyware/BetterInet

Spyware/ISTbar

Trj/Downloader.GK

Even though these Trojans have been detected in video files with extremely variable names which can be downloaded through P2P networks like KaZaA or eMule, bear in mind that they can also be distributed through other means, such as files attached to email messages, FTP or Internet downloads, floppy disks, CD-ROM, etc.   Panda Software has made the corresponding updates to its anti-malware solutions available to its clients to detect and disinfect any video file protected by the licenses used by Trj/WmvDownloader.A and Trj/WmvDownloader.B to carry out their malicious actions. Similarly, the Panda Software solutions protect users against the malware that these Trojans try to install on computers.

For further information about Trj/WmvDownloader.A, Trj/WmvDownloader.B or the malicious programs and viruses these Trojans try to download, visit Panda Software's Virus Encyclopedia
===

marc

[rabbit]

I read about this in PCWorld.  The files spawn IE windows to get the licenses, but changing the URL is easy, and lots of them now point to adware and spyware download sites.  On top of that, since it's an IE window (unchangeable), and not just the default browser, there's no way to avoid the ADO loophole besides just not playing the wmvs.

[iago]

ooh, it turns out it's a "Feature", not a "Bug"!

Microsoft: DRM Trojan hole is not a vulnerability
Dan Ilett
ZDNet UK
January 14, 2005, 13:15 GMT
   
Talkback
Tell us your opinion
Microsoft has responded to security warnings about its Media Player by saying that Windows XP SP2 will protect its customers from malware

   
   
Microsoft has denied that an anti-piracy "feature" in its Windows Media Player that allows a Trojan horse to run on a user's PC is a vulnerability.

Panda Software warned earlier this week that hackers are using the player's DRM tool to fool people into downloading spyware and viruses.

The Spanish security company said that virus writers had released licence-protected multimedia files containing Trojan horses (WmvDownloader.A and WmvDownloader.B) that can exploit the anti-piracy features in version 10 of the Media Player and Windows XP SP2.

Despite Panda's warning that the Trojan can download a cocktail of malware, Microsoft denies there is a flaw in its software.

"This Trojan appears to utilise a function of the Windows Media DRM designed to enable licence delivery scenarios as part of a social engineering attack," said Microsoft in an emailed statement.

"There is no way to automatically force the user to run the malicious software. This function is not a security vulnerability in Windows Media Player or DRM."

But Microsoft didn't say whether Windows XP SP2 fully protected users from unwanted downloads.

"Internet Explorer for Windows XP SP2 helps prevent downloads from automatically launching. Users who have installed Windows XP SP2 and turned on the pop-up blocker have an added layer of defence from this Trojan's attempt to deliver malicious software," said Microsoft.

The Redmond giant also said that people should go to the police if they think they have been attacked by such Trojans.

Microsoft also added that "customers in the United States who believe they have been attacked should contact their local FBI office or post their complaint on www.ifccfbi.gov. Customers outside the US should contact the national law enforcement agency in their country."

[rabbit]

It's a "feature" if it gets a license.  It's a "bug" if it gets anything else.

[Quik]

The Redmond giant also said that people should go to the police if they think they have been attacked by such Trojans.

I'll keep that in mind, I'm sure it'd be useful.