[FoRK] One rule for the hackers (criminals), another for the RIAA (establishment)

Owen Byrne owen at permafrost.net
Tue Jan 4 20:32:48 PST 2005

Lets call this Justice (American Style).

> Risk Your PC's Health for a Song?
> Ads and adware have a new way to get on your computer--through files 
> that appear to be music and video.
> Andrew Brandt and Eric Dahl, PCWorld.com
> Wednesday, December 29, 2004
> Think you're downloading a new song or video? Watch out--that file may 
> be stuffed with pop-ups and adware.
> 	Advertisement 	
> /PC World/ has learned that some Windows Media files on peer-to-peer 
> networks such as Kazaa contain code that can spawn a string of pop-up 
> ads and install adware. They look just like regular songs or short 
> videos in Windows Media format, but launch ads instead of media clips.
> When we ran the files, we noted over half a dozen pop-ups, some 
> attempts to download adware onto our test PC, and an attempt to hijack 
> our browser's home page. However, you can take steps to guard your PC 
> <http://www.pcworld.com/news/article/0,aid,119063,00.asp> against this 
> ad invasion.
> Off-Key Experience
> A reader initially alerted /PC World/ to an ad-laden Windows Media 
> Audio file, titled "Alicia Keys Fallin' Songs In A Minor 4.wma." We 
> then found two other WMA files and two Windows Media Video files that 
> had been similarly modified.
> Click here for larger image. <javascript:imgClickHandler( 
> '/news/graphics/119016-n_122904_ads3b.jpg','Playing one of the 
> Overpeer video files launched this nest of pop-up ads.','')>Using a 
> packet analysis tool called Etherpeek, we determined that each media 
> file loaded a page served by a company called Overpeer (owned by 
> Loudeye <http://www.overpeer.com/news.asp>). That page set off a chain 
> of events that led to the creation of several Internet Explorer 
> windows, each containing a different ad or adware.
> Overpeer first made news 
> <http://www.pcworld.com/news/article/0,aid,109816,00.asp> in mid-2002 
> by offering its services to record companies looking to stop P-to-P 
> pirates. It creates fake audio files that purport to be popular songs 
> but play only a short loop of the track or an antipiracy message; the 
> file then pops up a window offering the downloader a chance to buy the 
> song. By flooding file-sharing services with spoofed files, Overpeer 
> makes finding real music files more difficult.
> Marc Morgenstern, Loudeye vice president and general manager of 
> digital media asset protection, says the files we found come from a 
> different division of the company--one that targets users with 
> promotions or ads based on the keywords those users search for on 
> P-to-P networks or in other venues.
> Though the two businesses differ, the result is likely the same--a 
> further reduction in the effectiveness of popular P-to-P networks. 
> Morgenstern characterized Overpeer's actions as just deserts for 
> people who illegally trade copyrighted works for free. "Remember, the 
> people who receive something like (the ad-laden media files), in some 
> cases, were on P-to-P, and they were trying to get illicit files," he 
> says.
> Firms Surprised
> PC World contacted Microsoft and the seven ad-serving companies whose 
> ads popped up when we ran the Keys audio file. "We're looking into 
> exactly what's going on with this file and checking to see if this 
> particular model is in keeping with the licensing terms for Windows 
> Media [Digital Rights Management]," says David Caulton, group product 
> manager for Microsoft's Windows Digital Media Division. "We wouldn't 
> want to endorse anything that involved delivery of content that 
> appears to be one thing, and then something else is delivered."
> Only one of the advertising firms, Kanoodle 
> <http://www.kanoodle.com/>, responded to us. "Kanoodle stringently 
> vets all prospective partners to determine in advance how they will 
> distribute our sponsored links," Lance Podell, the company's president 
> emailed PC World. "As in this case, upon detecting or discovering any 
> prohibited distribution activity, we eliminate it immediately." 
> Indeed, Kanoodle's ads no longer appear when we relaunch the file.
> DRM Loophole
> A loophole in the Windows Media DRM process allows companies to create 
> ersatz media files and link them to adware. Normally, when you 
> download a protected Windows Media file, you also receive a license 
> that lets you play it. According to Caulton, if Windows Media Player 
> can't find a valid license on your PC, it checks in with a remote 
> system running Microsoft's Windows Media DRM Server.
> You'll rarely see that happen. Some files, though, are set up to ask 
> you for information before playing. They do this by displaying a URL 
> in a dialog box labeled License Acquisition. Normally that dialog box 
> is used to check for a user name or offer a chance to purchase the 
> file that's being played.
> For example, a legitimate DRM-encrypted file might let you play it 
> three times, then bring up a window asking if you want to buy it. Or a 
> band might offer a song to you for free if you agreed to sign up for 
> its mailing list or view a 15-second commercial. At least, that's the 
> way it's supposed to work.
> But since the license dialog box acts just like an Internet Explorer 
> window, it can display whatever is on the page it points to--whether a 
> legitimate call for license information or a series of pop-up ads.
> When we played the modified files, the License Acquisition dialog box 
> showed a page containing ads and quickly spawned more IE windows, each 
> containing a different ad.
> Not only did we get bombarded with unwanted ads, but one of the ad 
> windows in a video file tried to install adware onto our test PC 
> surreptitiously, while another added items to our browser's Favorites 
> list and attempted to change our home page. And a window from the 
> original music file asked to download a file called lyrics.zip, which 
> contained the installer for 180search Assistant, commonly categorized 
> as an adware program.
> The media files appear to run once the ads load, but they were devoid 
> of video or music.
> First Wave?
> The ads in Overpeer's disguised media files may annoy some users. But 
> malicious agents such as hackers and thieves could exploit the DRM 
> loophole to do far worse. Security experts fear that, for example, 
> criminals could load their own modified media files with keystroke 
> loggers or other software for taking over your PC, and thus steal your 
> passwords or other sensitive information.
> According to Microsoft's Caulton, "It's possible that someone could 
> modify [an existing audio] file after it's created to point back to 
> their http server." If that's the case, virus and malware writers 
> would gain a powerful platform for launching their attacks.
> Writing the code to infect computers is the easy part, according to 
> Johannes B. Ullrich, the chief technical officer for the SANS 
> Institute's Internet Storm Center, a computer security watchdog group. 
> "With a lot of these Internet Explorer exploits, the big question is 
> how to get people to visit [the site that executes that code]," he says.
> Hacked audio files could provide the perfect incentive. The songs we 
> found gave no warning before launching their string of pop-ups, and 
> before being played they gave little or no indication that they were 
> anything but normal WMA files.
> /Senior Reporter Tom Spring contributed to this report./

More information about the FoRK mailing list