[FoRK] One rule for the hackers (criminals),
another for the RIAA (establishment)
owen at permafrost.net
Tue Jan 4 20:32:48 PST 2005
Lets call this Justice (American Style).
> Risk Your PC's Health for a Song?
> Ads and adware have a new way to get on your computer--through files
> that appear to be music and video.
> Andrew Brandt and Eric Dahl, PCWorld.com
> Wednesday, December 29, 2004
> Think you're downloading a new song or video? Watch out--that file may
> be stuffed with pop-ups and adware.
> /PC World/ has learned that some Windows Media files on peer-to-peer
> networks such as Kazaa contain code that can spawn a string of pop-up
> ads and install adware. They look just like regular songs or short
> videos in Windows Media format, but launch ads instead of media clips.
> When we ran the files, we noted over half a dozen pop-ups, some
> attempts to download adware onto our test PC, and an attempt to hijack
> our browser's home page. However, you can take steps to guard your PC
> <http://www.pcworld.com/news/article/0,aid,119063,00.asp> against this
> ad invasion.
> Off-Key Experience
> A reader initially alerted /PC World/ to an ad-laden Windows Media
> Audio file, titled "Alicia Keys Fallin' Songs In A Minor 4.wma." We
> then found two other WMA files and two Windows Media Video files that
> had been similarly modified.
> '/news/graphics/119016-n_122904_ads3b.jpg','Playing one of the
> Overpeer video files launched this nest of pop-up ads.','')>Using a
> packet analysis tool called Etherpeek, we determined that each media
> file loaded a page served by a company called Overpeer (owned by
> Loudeye <http://www.overpeer.com/news.asp>). That page set off a chain
> of events that led to the creation of several Internet Explorer
> windows, each containing a different ad or adware.
> Overpeer first made news
> <http://www.pcworld.com/news/article/0,aid,109816,00.asp> in mid-2002
> by offering its services to record companies looking to stop P-to-P
> pirates. It creates fake audio files that purport to be popular songs
> but play only a short loop of the track or an antipiracy message; the
> file then pops up a window offering the downloader a chance to buy the
> song. By flooding file-sharing services with spoofed files, Overpeer
> makes finding real music files more difficult.
> Marc Morgenstern, Loudeye vice president and general manager of
> digital media asset protection, says the files we found come from a
> different division of the company--one that targets users with
> promotions or ads based on the keywords those users search for on
> P-to-P networks or in other venues.
> Though the two businesses differ, the result is likely the same--a
> further reduction in the effectiveness of popular P-to-P networks.
> Morgenstern characterized Overpeer's actions as just deserts for
> people who illegally trade copyrighted works for free. "Remember, the
> people who receive something like (the ad-laden media files), in some
> cases, were on P-to-P, and they were trying to get illicit files," he
> Firms Surprised
> PC World contacted Microsoft and the seven ad-serving companies whose
> ads popped up when we ran the Keys audio file. "We're looking into
> exactly what's going on with this file and checking to see if this
> particular model is in keeping with the licensing terms for Windows
> Media [Digital Rights Management]," says David Caulton, group product
> manager for Microsoft's Windows Digital Media Division. "We wouldn't
> want to endorse anything that involved delivery of content that
> appears to be one thing, and then something else is delivered."
> Only one of the advertising firms, Kanoodle
> <http://www.kanoodle.com/>, responded to us. "Kanoodle stringently
> vets all prospective partners to determine in advance how they will
> distribute our sponsored links," Lance Podell, the company's president
> emailed PC World. "As in this case, upon detecting or discovering any
> prohibited distribution activity, we eliminate it immediately."
> Indeed, Kanoodle's ads no longer appear when we relaunch the file.
> DRM Loophole
> A loophole in the Windows Media DRM process allows companies to create
> ersatz media files and link them to adware. Normally, when you
> download a protected Windows Media file, you also receive a license
> that lets you play it. According to Caulton, if Windows Media Player
> can't find a valid license on your PC, it checks in with a remote
> system running Microsoft's Windows Media DRM Server.
> You'll rarely see that happen. Some files, though, are set up to ask
> you for information before playing. They do this by displaying a URL
> in a dialog box labeled License Acquisition. Normally that dialog box
> is used to check for a user name or offer a chance to purchase the
> file that's being played.
> For example, a legitimate DRM-encrypted file might let you play it
> three times, then bring up a window asking if you want to buy it. Or a
> band might offer a song to you for free if you agreed to sign up for
> its mailing list or view a 15-second commercial. At least, that's the
> way it's supposed to work.
> But since the license dialog box acts just like an Internet Explorer
> window, it can display whatever is on the page it points to--whether a
> legitimate call for license information or a series of pop-up ads.
> When we played the modified files, the License Acquisition dialog box
> showed a page containing ads and quickly spawned more IE windows, each
> containing a different ad.
> Not only did we get bombarded with unwanted ads, but one of the ad
> windows in a video file tried to install adware onto our test PC
> surreptitiously, while another added items to our browser's Favorites
> list and attempted to change our home page. And a window from the
> original music file asked to download a file called lyrics.zip, which
> contained the installer for 180search Assistant, commonly categorized
> as an adware program.
> The media files appear to run once the ads load, but they were devoid
> of video or music.
> First Wave?
> The ads in Overpeer's disguised media files may annoy some users. But
> malicious agents such as hackers and thieves could exploit the DRM
> loophole to do far worse. Security experts fear that, for example,
> criminals could load their own modified media files with keystroke
> loggers or other software for taking over your PC, and thus steal your
> passwords or other sensitive information.
> According to Microsoft's Caulton, "It's possible that someone could
> modify [an existing audio] file after it's created to point back to
> their http server." If that's the case, virus and malware writers
> would gain a powerful platform for launching their attacks.
> Writing the code to infect computers is the easy part, according to
> Johannes B. Ullrich, the chief technical officer for the SANS
> Institute's Internet Storm Center, a computer security watchdog group.
> "With a lot of these Internet Explorer exploits, the big question is
> how to get people to visit [the site that executes that code]," he says.
> Hacked audio files could provide the perfect incentive. The songs we
> found gave no warning before launching their string of pop-ups, and
> before being played they gave little or no indication that they were
> anything but normal WMA files.
> /Senior Reporter Tom Spring contributed to this report./
More information about the FoRK