Media Files that Spread Spyware

March 8, 2008 – 4:05 PM

Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there’s yet another problem to add to the list: Will a media file try to install spyware?

When Windows Media Player encounters a file with certain “rights management” features enabled, it opens the web page specified by the file’s creator. This page is intended to help a content providers promote its products — perhaps other music by the same artist or label. However, the specified web page can show deceptive messages, including pop-ups that try to install software on users’ PCs. User with all the latest updates (Windows XP Service Pack 2 plus Windows Media Player 10) won’t get these popups. But with older software, confusing and misleading messages can trick users into installing software they don’t want and don’t need — potentially so many programs that otherwise-satisfactory computers become slow and unreliable.

I recently tested a WindowsMedia video file, reportedly circulating through P2P networks, that displays a misleading pop-up which in turn attempts to install unwanted software onto users’ computers. I consider the installation misleading for at least three reasons.

1) The pop-up fails to name the software to be installed or the company providing the software, and it fails to give even a general description of the function of the software.

2) The pop-up claims “You must agree to our terms and conditions” — falsely suggesting that accepting the installation is necessary to view the requested WindowsMedia video. (It’s not.)

3) Even when a user specifically requests more information about the program to be installed, the pop-up does not provide the requested information — not even in euphemisms or in provisions hidden mid-way through a long license. Clicking the pop-up’s hyperlink opens SpiderSearch’s Terms and Conditions — a page that mentions “receiving ads of adult nature” and that disclaims warranty over any third-party software “accessed in conjunction with or through” SpiderSearch, but that does not disclose installation of any third-party software.

On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs: 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, Winpup32, and VX2 (Direct Revenue). (Most product names are as detected by Lavasoft Ad-Aware.) All told, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer.

I retained video, packet log, registry, and file system logs of what occurred. As in my prior video of spyware installing through security holes, my records make it possible to track down who’s behind the installations — just follow the money trail, as captured by the “partner IDs” within the various software installation procedures. When one program installs another, the second generally pays the first a commission, using a partner ID number to track who to pay. These numbers make it possible to figure out who’s profiting from the unwanted installations and, ultimately, where the money is going.

http://www.benedelman.org/news/010205-1.html

You must be logged in to post a comment.