Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks, such as Gnutella used by Limewire.  I took some time to create a video clip showing what the infection process looks like.  In doing so, hundreds of additional media files were uncovered.  Most leading to the aforementioned site, freemp3player.com, but others leads to different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files, including many different adware packages, such as:

Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno

Domains linked to from the media files include:

mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net

While this demo below shows that user’s must accept a EULA before proceeding, others contain no EULA.

– Update May 7 –
Adding some answers for questions that we’ve received.

These “MP3″ files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler - ie. default browser).  Not all media players support this functionality.

Our detection rates are based on a segment of VirusScan consumers who have opted-in to reporting their detections to McAfee.  Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days.  However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).

Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago.  Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone.  Now Downloader-UA.h is not your everyday trojan, this detection covers fake music and video files associated with fastmp3player.com.

When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe.  In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip what so ever.

Here are some of the samples names that we’ve seen.  Many many other file names are surely floating around on P2P networks.  File sizes vary as these files are padded with nulls.

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files)  a 4,800 word EULA is displayed. 

Notable parts of the EULA include:

(3) The Licensed Materials you install will also include/be bundled with the following 3rd Party software products:

PRODUCT Mirar AND EULA http://policy.getmirar.com/

And my favorite:

22. Effective: January 14, 2007.

END OF DOCUMENT

NetNucleus Privacy Policy/EULA
This End User License Agreement (the “Agreement”) is a legal agreement between you and NetNucleus Corp.

Does END OF DOCUMENT mean you can ignore the rest?  Gotta love it when a “vendor” expects their “customers” to read a EULA that they themselves did not seem to read!

If you agree to the EULA and choose to proceed, Adware “FBrowsingAdvisor” and “SurfingEnhancer” is installed as described in the EULA.  I especially like the directory named used by the developer:

c:\Documents and Settings\tani\My Documents\Dreamsoft\Firefox\firefox_adware\FF-Source\Source\Release\XPCOMEvents.pdb

If Firefox is not installed users may see an error message:

PlayMP3.exe from PlayMP3z.biz is installed, which is simply a browser control wrapped in an exe, and doesn’t actually play local MP3 files, but rather loads a webpage running the Wimpy MP3 Flash player.  This page lets the user listen to a canned selection of a couple dozen songs.

In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.

Commonly in conversation with family or friends I am asked questions that begin with statements such as “Well, I had this computer virus…” Further into these conversations after asking some additional questions of my own, I become more convinced that the person believes they had a virus. From the descriptions provided I am often inclined to suspect classes of malware and potentially unwanted programs that are commonly referred to as FakeAlerts and rogue security software are responsible.

I have come across many of these types of programs disguised as anti-virus or anti-spyware products that generate false warnings of malware that is supposedly present on the system:

Fake alerts are typically trojans that generate false warnings of spyware on the computer. These alerts are most often displayed as a balloon pop-up from the systray. The fake alerts will typically encourage the user to download or install a rogue security software product by means of “detecting” bogus infections on the system and frighten the user into buying the rogue software in order to clean the fictitious malware that that was discovered.

I am continually surprised at the prevalence of these types of applications and how many computer users install and use these so I thought it might be useful to post some tips that may help with identifying traits that are commonly associated with these types of scams.

Use Responsible browsing practices:
Trojans typically spread manually, often under the premise that they are beneficial or wanted. To do this often times similar techniques such as those used in product marketing are involved. Responsible browsing practices can include identifying when propaganda is used to persuade one into believing something, doing something, or buying something. This is not solely indicative of something malicious in nature, however being able to tell when these methods are utilized can sometimes help one to know when to ask more questions about the motivation or intentions for the use of the tactic.

Do some quick research:
If something does flag ones attention it may be worth the effort to do some quick investigation. Use a well known search engine and enter search terms such as the name of the product you are being asked to purchase, the title of the dialog being displayed, the name of the malware that is being detected, etc. Try to avoid pages that are sponsored by the target of your investigation. Look for third party opinions or reviews. This may help provide some additional counterpoints that may help with an objective analysis of the software in question.

Are there any secondary indications of an infection?
Look for the presence of the files being identified by the software as malicious. Often these files will not exist on the system at all. Sometimes however these types of programs will write the fake files to the system so that it can later detect them as malicious.

Check the time and date stamps on the files. Are they similar to that of the time the program was installed or ran a scan?

Submit the file to an online scanning service such as VirusTotal and see if established anti-virus programs detect them.

These are just a few simple examples from the quick and easy do-it-yourself malware research guide!!

End User License Agreements, those infamous instruments of legal pretzelism, have broken the logic barrier and are beginning to collapse into a nonsensical linguistic singularity. A bold claim, you say? I have evidence! This is a direct quote from an adware-related EULA I recently encountered:

Producing a mental experience similar to that accompanying contemplation of the interstellar void or the size of the US national debt, the mind is confounded here not by huge distances or sums, but by raw logical absurdity: lengthy, multi-clause legalese sentences carefully describing, in English, what you should do if you don’t understand English.

…

At least they include the suggestion that you get a translator to help you read it. How thoughtful!

McAfee Avert Labs Blog End Reader License Agreement:
By reading this blog post you agree to accept any unsolicited slithy toves that may result in the wabe, regardless of whether brillig conditions prevail. You additionally release McAfee from any and all liability should your borogoves become mimsy.

Some helpful soul has decided there isn’t enough Symbian spyware in the world. A Russian malware author has released a prototype of SMS forwarding spyware, SymbOS/Htool-SMSSender.A.intd. He’s included the source code to aid in modification.

The author, let’s call him Scripty, says that SymbOS/Htool-SMSSender.A.intd can:

• Hide from the user
• Load on startup
• Copy the text of the last SMS you received
• Send that text in a new SMS to the author

SymbOS/Htool-SMSSender.A.intd performs the first three steps well, but it fails to do the last. Looking at the source code, it appears Scripty didn’t write the SMS sending code. Scripty, though apparently unskilled, believes the source code will be useful to other malware authors for constructing their own SMS spyware.

Only last week we saw signs of malware authors integrating commercial spyware into their creations. This week we’ve run across the first evidence that malware writers are actively working on developing their own spyware.

As per reader’s feedback on my earlier blog “404 not just “File Not Found“, they wanted more information regarding how a Potentially Unwanted Program, called “System Doctor”, gets installed. So I will emphasis more on this programs behavior in this post.

System Doctor tries to fools users by utilizing images that are similar to a legitimate product from PC Tools called “Spyware Doctor” as shown below:

Installation on the victim’s machine is via an ActiveX control, as shown below, which needs user’s interaction:

Upon installation, System Doctor scans the user’s system and displays an “Error Message” box as shown below:

If the innocent user clicks on the “Repair Now” button he will redirected to another page, where they are asked for credit card details:

In my previous blog it was incorrectly reported as “Spyware Doctor” instead of “System Doctor”. Through further research and discussion, the software is in fact “System Doctor”, a rogue software product that attempts to leverage its similarity to the Spyware Doctor name. The blog entry has since been corrected. PC Tools and Spyware Doctor have no affiliation with System Doctor as per discussion with PC Tools.

We caution web users from entering their card details and CVV number into these masked doctors seen while surfing web as we continue to protect our customers against such social engineering attacks.

The most common use of the popular HTTP error code, 404 is to communicate that the client was able to reach to the server, but the server could not find the requested file. To a naive user this pretty much means “Let’s move on!”

We present the following information to warn users of a social engineering attack currently in vogue with several malware authors. McAfee Avert Labs recently evaluated a website called 404dnserror(dot)com. At the time of writing this blog, the website throws a “fake” 404 file not found page. But a closer look at the error page, as depicted below, shows that the server tries to install an ActiveX control and the installation message communicates that page is not available as it’s blocked by an adware/spyware. It also proposes to install a security product called “System Doctor” to remove this adware/spyware.

Further analysis of System Doctor reveals this is actually a flavor of the “WinFixer” application that claims to fix registry and hardware errors or to clean adware/spyware.

We caution web users of these “fake” error codes seen while surfing web and continue to protect our customers against these attacks.

____________________UPDATE DEC, 6 2006_________________________________

“On 5 December 2006 we incorrectly reported that “Spyware Doctor”, published by PC Tools was involved in this scam resulting in the publication of fake error codes to induce end users to download their software (in the above blog titled “404 Not Just “File Not Found”"). It has since come to our attention through further research that the software in fact was “System Doctor”, a rogue software product which attempts to trade off its similarity to the Spyware Doctor name. The blog entry has since been corrected. PC Tools and Spyware Doctor have no affiliation with System Doctor.”

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

While the definition of malicious software seems clear, that of Potentially Unwanted Programs (PUPs ) is less so.

The first come under the generic title of malware. They are used to steal or destroy information. Even when distributed via games, they can damage the computer system and can often remain resident without authorization. Malware is mainly created to cause harm to the target computer. Authors of malware expect to gain notoriety, or more and more often, illicit income.PUPs on the other hand are usually made by legitimate corporate entities for specific beneficial purposes (to whom they may be beneficial is debatable).

Adwares belong to this category of programs. They install themselves on the user’s machine collecting marketing data and distributing targeted advertising intended to generate income. Their legitimacy becomes debatable when they alter the security state of the computer on which they are installed, or the privacy posture of the user using the computer.

Between 2000 and 2002 there were only about forty or so adware families. Their number rose sharply in the next years. It increased by more than 1000% in three and a half years. In August 2006 there were more than 450 adware families with more than 4000 variants.

I just finished a white paper describing the main participants in the on-line marketing domain. This document explains the concept of affiliators and affiliates and the recognition techniques used to install the payment systems. It analyzes the amounts which affiliates can expect to be paid depending on whether they use “soft” or aggressive methods. The firsts use conventional techniques (pay-per-display, per-click or per-profile). They can expect to receive a payment of $25 for every 1000 positive occurrences produced. On the same basis, an adware pay-per-install payment may bring in up to $150 for 1000 computers.

Following the money, this white paper demonstrates why many low-level delinquents do not hesitate to distribute these programs on a large scale using reprehensible methods.

Now, some “cyber-delinquents” quickly and secretly install thousands of programs each day on target computers without the knowledge of their owners. They are thus able to pocket some tens of thousands of dollars each month.The complete study is available here:

Adware and Spyware: Unraveling the Financial Web