Yet Even More Fake Media Files
Wednesday May 7, 2008 at 3:25 am CST
Posted by Craig Schmugar
Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks such as Gnutella (used by Limewire). I took some time to create a video clip showing what the infection process looks like. In doing so, hundreds of additional media files were uncovered. Most lead to the aforementioned site, freemp3player.com, but others lead to different sites distributing adware, and still others pose as codec installers that, when run, display fake error messages and silently download and install large numbers of files, including many different adware packages, such as:
Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno
Domains linked to from the media files include:
mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net
While the demo below shows that users must accept a EULA before proceeding, others contain no EULA.
– Update May 7 –
Adding some answers to questions that we’ve received.
These “MP3” files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler, i.e. the default browser). Not all media players support this functionality.
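As an added example (not McAfee’s code, and not a tool from the original post), here is a small Python checker that does what an analyst would do with one of these downloads: compare the file’s extension with its magic bytes, walk the child objects of the ASF Header Object, and pull out any URL commands from the ASF Script Command Object. The ASF object layout used here follows the ASF specification as I recall it; the sample file built at the bottom and its URL are constructed for the demo and are not samples from this campaign.

```python
"""Spot ASF files posing as MP3s and extract their URL script commands.

Added example for this post, not McAfee's code. The ASF layout below is the
published ASF object layout as I recall it (assumption); the sample at the
bottom is constructed here, not a file from the campaign described above.
"""
import struct
import uuid

# Top-level Header Object, the Script Command Object and its reserved GUID.
ASF_HEADER_GUID = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_GUID = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
ASF_SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")


def guid_bytes(g):
    """ASF stores GUIDs in Microsoft little-endian byte order."""
    return g.bytes_le


def magic_type(data):
    """Classify the first bytes: 'asf', 'mp3' (ID3 tag or MPEG frame sync) or 'unknown'."""
    if data[:16] == guid_bytes(ASF_HEADER_GUID):
        return "asf"
    if data[:3] == b"ID3":
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def iter_header_objects(data):
    """Yield (guid, payload) for each child object of the ASF Header Object."""
    if magic_type(data) != "asf":
        return
    header_size, count = struct.unpack_from("<QI", data, 16)
    # 30-byte header: GUID(16) + size(8) + object count(4) + reserved1(1) + reserved2(1)
    off, end = 30, min(header_size, len(data))
    for _ in range(count):
        if off + 24 > end:
            break
        guid = uuid.UUID(bytes_le=data[off:off + 16])
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            break  # truncated or bogus object size: stop rather than read garbage
        yield guid, data[off + 24:off + size]
        off += size


def _read_wstr(buf, off):
    """Read a WORD length (in UTF-16 code units) followed by that many code units."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    return buf[off:off + 2 * n].decode("utf-16-le", errors="replace"), off + 2 * n


def parse_script_commands(payload):
    """Return [(presentation_time_ms, type_name, command), ...] from a Script Command Object."""
    if payload[:16] != guid_bytes(ASF_SCRIPT_COMMAND_RESERVED):
        return []
    n_cmd, n_types = struct.unpack_from("<HH", payload, 16)
    off, types, cmds = 20, [], []
    for _ in range(n_types):
        name, off = _read_wstr(payload, off)
        types.append(name)
    for _ in range(n_cmd):
        when, idx = struct.unpack_from("<IH", payload, off)
        off += 6
        name, off = _read_wstr(payload, off)
        cmds.append((when, types[idx] if idx < len(types) else "?", name))
    return cmds


def analyze(filename, data):
    """Extension-vs-magic check plus any URL commands the player would be told to open."""
    kind = magic_type(data)
    urls = [c for guid, payload in iter_header_objects(data) if guid == ASF_SCRIPT_COMMAND_GUID
            for _, t, c in parse_script_commands(payload) if t.upper() == "URL"]
    mismatch = filename.lower().endswith(".mp3") and kind == "asf"
    return {"magic": kind, "extension_mismatch": mismatch, "urls": urls}


def build_sample_asf(url):
    """Construct a minimal ASF header with one URL script command (test input, not a real sample)."""
    def wstr(s):
        enc = s.encode("utf-16-le")
        return struct.pack("<H", len(enc) // 2) + enc
    body = guid_bytes(ASF_SCRIPT_COMMAND_RESERVED) + struct.pack("<HH", 1, 1)
    body += wstr("URL") + struct.pack("<IH", 0, 0) + wstr(url)
    script = guid_bytes(ASF_SCRIPT_COMMAND_GUID) + struct.pack("<Q", 24 + len(body)) + body
    return guid_bytes(ASF_HEADER_GUID) + struct.pack("<QIBB", 30 + len(script), 1, 1, 2) + script


SAMPLE_URL = "http://example.invalid/player/install.php"  # placeholder, not a real campaign URL
FAKE_MP3 = build_sample_asf(SAMPLE_URL)
REAL_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 16  # constructed

if __name__ == "__main__":
    for name, blob in (("song.mp3", FAKE_MP3), ("song2.mp3", REAL_MP3)):
        print(name, analyze(name, blob))
```

Run `analyze` over a downloads folder and flag any .mp3 whose magic is ASF: a legitimate MP3 starts with an ID3 tag or an MPEG frame sync, never with the ASF Header Object GUID, and the extracted URL commands tell you where the player would have sent the victim without running the file.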
Our detection rates are based on a segment of VirusScan consumers who have opted-in to reporting their detections to McAfee. Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days. However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).

May 7th, 2008 at 6:01 am
[…] attacks http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/ http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-more-fake-media-files/ […]
May 7th, 2008 at 9:25 am
Limewire is NOT a network. Limewire is a client program for the Gnutella peer-to-peer network. I wish people were more educated to know the difference between the two …
May 7th, 2008 at 11:17 am
Re: Limewire is NOT a network.
I know, I know. I don’t usually perpetuate such ignorance, but in this case I did as people still tend to think of “networks” based on the clients (servents).
I updated the blog text to address your point.
May 8th, 2008 at 4:08 am
Can you please clarify as to why or how 10% of McAfee-protected computers could actually still proceed to download the malware?!
To the casual observer it appears that McAfee security software is not as secure as it needs to be, especially since the article refers to other vendors not having such a major issue with this malware.
May 8th, 2008 at 7:03 am
Yes, but how do you get rid of it once infected?
May 8th, 2008 at 10:44 am
[…] an update post, also on the Avert Labs Blog, McAfee reported having identified hundreds of other fake media files, mostly […]
May 9th, 2008 at 12:35 am
I think it would have been helpful if McAfee added to its initial trojan report (that got out to all the hundreds of news sites on the net) a list of the most widespread media player software (with version numbers) that is susceptible to these malicious mp3 files. After reading about this trojan invasion most people ask themselves: is my PC at threat? How can they know?
Since Windows is the most widespread desktop OS on the market and probably the integrated Windows Media Player is the most widespread media player, it’d help a lot if the news on this Trojan would contain a version number of the player that is immune to these mp3 files.
Or is this a feature of WMP? I mean you pointed out that these are actually ASF files masquerading as MP3. I doubt that the specification of the MP3 format allows ASF content. And as such, these MP3 files are “invalid” and should be rejected by a properly implemented player. Of course I’m just guessing around … I do not know the ins and outs of MP3s that well.