[FoRK] One rule for the hackers (criminals), another for the
Stephen D. Williams
sdw at lig.net
Tue Jan 4 20:50:37 PST 2005
This just seems like another example of hopelessly broken and poorly
designed security from Microsoft. MS "Digital Rights Management" does
not include safeguarding any rights of the user apparently.
Owen Byrne wrote:
> Lets call this Justice (American Style).
>> Risk Your PC's Health for a Song?
>> Ads and adware have a new way to get on your computer--through files
>> that appear to be music and video.
>> Andrew Brandt and Eric Dahl, PCWorld.com
>> Wednesday, December 29, 2004
>> Think you're downloading a new song or video? Watch out--that file
>> may be stuffed with pop-ups and adware.
>> /PC World/ has learned that some Windows Media files on peer-to-peer
>> networks such as Kazaa contain code that can spawn a string of pop-up
>> ads and install adware. They look just like regular songs or short
>> videos in Windows Media format, but launch ads instead of media clips.
>> When we ran the files, we noted over half a dozen pop-ups, some
>> attempts to download adware onto our test PC, and an attempt to
>> hijack our browser's home page. However, you can take steps to guard
>> your PC <http://www.pcworld.com/news/article/0,aid,119063,00.asp>
>> against this ad invasion.
>> Off-Key Experience
>> A reader initially alerted /PC World/ to an ad-laden Windows Media
>> Audio file, titled "Alicia Keys Fallin' Songs In A Minor 4.wma." We
>> then found two other WMA files and two Windows Media Video files that
>> had been similarly modified.
>> '/news/graphics/119016-n_122904_ads3b.jpg','Playing one of the
>> Overpeer video files launched this nest of pop-up ads.','')>Using a
>> packet analysis tool called Etherpeek, we determined that each media
>> file loaded a page served by a company called Overpeer (owned by
>> Loudeye <http://www.overpeer.com/news.asp>). That page set off a
>> chain of events that led to the creation of several Internet Explorer
>> windows, each containing a different ad or adware.
>> Overpeer first made news
>> <http://www.pcworld.com/news/article/0,aid,109816,00.asp> in mid-2002
>> by offering its services to record companies looking to stop P-to-P
>> pirates. It creates fake audio files that purport to be popular songs
>> but play only a short loop of the track or an antipiracy message; the
>> file then pops up a window offering the downloader a chance to buy
>> the song. By flooding file-sharing services with spoofed files,
>> Overpeer makes finding real music files more difficult.
>> Marc Morgenstern, Loudeye vice president and general manager of
>> digital media asset protection, says the files we found come from a
>> different division of the company--one that targets users with
>> promotions or ads based on the keywords those users search for on
>> P-to-P networks or in other venues.
>> Though the two businesses differ, the result is likely the same--a
>> further reduction in the effectiveness of popular P-to-P networks.
>> Morgenstern characterized Overpeer's actions as just deserts for
>> people who illegally trade copyrighted works for free. "Remember, the
>> people who receive something like (the ad-laden media files), in some
>> cases, were on P-to-P, and they were trying to get illicit files," he
>> Firms Surprised
>> PC World contacted Microsoft and the seven ad-serving companies whose
>> ads popped up when we ran the Keys audio file. "We're looking into
>> exactly what's going on with this file and checking to see if this
>> particular model is in keeping with the licensing terms for Windows
>> Media [Digital Rights Management]," says David Caulton, group product
>> manager for Microsoft's Windows Digital Media Division. "We wouldn't
>> want to endorse anything that involved delivery of content that
>> appears to be one thing, and then something else is delivered."
>> Only one of the advertising firms, Kanoodle
>> <http://www.kanoodle.com/>, responded to us. "Kanoodle stringently
>> vets all prospective partners to determine in advance how they will
>> distribute our sponsored links," Lance Podell, the company's
>> president emailed PC World. "As in this case, upon detecting or
>> discovering any prohibited distribution activity, we eliminate it
>> immediately." Indeed, Kanoodle's ads no longer appear when we
>> relaunch the file.
>> DRM Loophole
>> A loophole in the Windows Media DRM process allows companies to
>> create ersatz media files and link them to adware. Normally, when you
>> download a protected Windows Media file, you also receive a license
>> that lets you play it. According to Caulton, if Windows Media Player
>> can't find a valid license on your PC, it checks in with a remote
>> system running Microsoft's Windows Media DRM Server.
>> You'll rarely see that happen. Some files, though, are set up to ask
>> you for information before playing. They do this by displaying a URL
>> in a dialog box labeled License Acquisition. Normally that dialog box
>> is used to check for a user name or offer a chance to purchase the
>> file that's being played.
>> For example, a legitimate DRM-encrypted file might let you play it
>> three times, then bring up a window asking if you want to buy it. Or
>> a band might offer a song to you for free if you agreed to sign up
>> for its mailing list or view a 15-second commercial. At least, that's
>> the way it's supposed to work.
>> But since the license dialog box acts just like an Internet Explorer
>> window, it can display whatever is on the page it points to--whether
>> a legitimate call for license information or a series of pop-up ads.
>> When we played the modified files, the License Acquisition dialog box
>> showed a page containing ads and quickly spawned more IE windows,
>> each containing a different ad.
>> Not only did we get bombarded with unwanted ads, but one of the ad
>> windows in a video file tried to install adware onto our test PC
>> surreptitiously, while another added items to our browser's Favorites
>> list and attempted to change our home page. And a window from the
>> original music file asked to download a file called lyrics.zip, which
>> contained the installer for 180search Assistant, commonly categorized
>> as an adware program.
>> The media files appear to run once the ads load, but they were devoid
>> of video or music.
>> First Wave?
>> The ads in Overpeer's disguised media files may annoy some users. But
>> malicious agents such as hackers and thieves could exploit the DRM
>> loophole to do far worse. Security experts fear that, for example,
>> criminals could load their own modified media files with keystroke
>> loggers or other software for taking over your PC, and thus steal
>> your passwords or other sensitive information.
>> According to Microsoft's Caulton, "It's possible that someone could
>> modify [an existing audio] file after it's created to point back to
>> their http server." If that's the case, virus and malware writers
>> would gain a powerful platform for launching their attacks.
>> Writing the code to infect computers is the easy part, according to
>> Johannes B. Ullrich, the chief technical officer for the SANS
>> Institute's Internet Storm Center, a computer security watchdog
>> group. "With a lot of these Internet Explorer exploits, the big
>> question is how to get people to visit [the site that executes that
>> code]," he says.
>> Hacked audio files could provide the perfect incentive. The songs we
>> found gave no warning before launching their string of pop-ups, and
>> before being played they gave little or no indication that they were
>> anything but normal WMA files.
>> /Senior Reporter Tom Spring contributed to this report./
> FoRK mailing list
swilliams at hpti.com http://www.hpti.com Per: sdw at lig.net http://sdw.st
Stephen D. Williams 703-724-0118W 703-995-0407Fax 20147-4622 AIM: sdw
More information about the FoRK