Microsoft: piracy is getting virusy

The underweb grows ever more slimy, Microsoft says, as downloads of  
pirated movies, music, software and other media increasingly come  
bearing malware.

In the latest edition of the Microsoft Security Intelligence Report  
[PDF], released on Monday, the company tackles unsafe supply chains,  
which it describes as "the websites, protocols, and other channels by  
which software and media files are informally distributed, both legally  
and illegally."

The definition covers underground sites where pirated software and media  
are openly exchanged, as well as legitimate websites that make shareware  
or free music files available for public download.

In fact, unsafe supply chains encompass even computers sold at retail.

More .....

http://nakedsecurity.sophos.com/2012/10/11/microsoft-piracy-is-getting-virusy/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=c0e32a4dd4-naked%252Bsecurity

Or http://goo.gl/RFSJH

Re: Microsoft: piracy is getting virusy

David_B wrote:

http://nakedsecurity.sophos.com/2012/10/11/microsoft-piracy-is-getting-virusy


This Micro$oft report seems to want to blur the lines between
music/movies and software.

In the many GB worth of music and movies that I've downloaded from
file-lockers, I haven't come across any files that turned out to be
malware.

Is it even possible that, when launched from a media player (such as VLC),
there exists a class of avi, mp3, flac (etc) malware that can
leverage a player vulnerability and cause it to run arbitrary code?

I'm well aware of the bogus movie files that upon viewing they try to
coax you to download a codec, but they can't in-and-of themselves take
control of your computer - without you helping them.

The websites where file-locker links to music, movies and software (and
ebooks, etc) are freely offered (ie - avaxhome.ws) have message boards
for every offering, and any that are found to be malicious would be
quickly flagged - but I've never seen this for music, movies or TV
shows.  This is in contrast to torrent sites where there is often a
barrier to people posting casual, anonymous comments and where movie
files are often fakes.

When it comes to software - I'm not so sure that what can be found on
file-lockers is always the real thing.

For example, would I download this:

http://avaxhome.ws/software/software_type/security/Antiviruses/Avira.Antivirus.Premium.Internet.Security.2013.13.0.0.2688.html

???

I don't know.  I see no mention of a crack or key-gen.  This could
simply be the download package that is freely offered by Avira on their
website, and is useless without a key or serial.

Re: Microsoft: piracy is getting virusy

Virus Guy wrote:

Thanks for taking the time and trouble to comment, VG! :-)

http://avaxhome.ws/software/software_type/security/Antiviruses/Avira.Antivirus.Premium.Internet.Security.2013.13.0.0.2688.html

If I wanted the Avira software, I'd personally start here:

http://www.avira.com/en/for-home

Re: Microsoft: piracy is getting virusy



Yes.

Some specific players could be tricked into visiting a maliciously formed
website embedded in the id3tags. Others could execute code embedded in
those tags. This shouldn't still be an issue tho.




--
There ain't no rest for the wicked. Money don't grow on trees. I got bills
to pay. I got mouths to feed. Ain't nothing in this world for free. Oh No.
I can't slow down, I can't hold back though you know I wish I could. Oh no
there ain't no rest for the wicked, until we close our eyes for good.




Re: Microsoft: piracy is getting virusy



The Wimad trojan
http://www.symantec.com/security_response/writeup.jsp?docid=2005-011213-2709-99&tabid=2
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanDownloader%3aASX%2fWimad.BD


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Microsoft: piracy is getting virusy

"David H. Lipman" wrote:


So basically these boil down to browser exploits.  A URL launched from
Windoze Media Player is still a browser exploit.

And they're not even exploits - they depend on user action in the
browser to allow whatever operation they're trying to accomplish (ie -
social engineering).

What I'm asking about is a media file that upon playing can cause any
media player to run arbitrary code WITHOUT NEEDING THE USER'S HELP, and
thereby cause the user's system to download secondary payloads, change
registry settings, etc.  All without enlisting the system's web-browser.

Has there ever been a media file (mp3, avi, flac, etc) that could
accomplish that?

Re: Microsoft: piracy is getting virusy



Virus Guy wrote:




Nope, not if a user has file types set.

An exploit in Windows can allow renaming a file extension from say .exe to
.mov
Or naming it with no extension at all.
And windows was stupid enough to recognize it as an .exe despite the
extension, and run it as such.

But that is almost impossible now, unless users manually allow that.



Re: Microsoft: piracy is getting virusy

Bast submitted this idea :

Er, what is stupid is relying on the extension to mean anything. Now,
it is usually the actual format of the file that tells the OS what it
really is and how it should be handled.

Don't trust names to have any meaning, that goes for extensions too.



Re: Microsoft: piracy is getting virusy

FromTheRafters, while unnecessarily full-quoting, wrote:




On my win-98 system, my default media player is VLC.  Files that have
extensions like mp3, avi, flac, (etc) show up in my file explorer as
having VLC icons.

I took calc.exe, copied it to somewhere else outside of c:\windows,
renamed it to mp3, and it took on the VLC icon.

When I double-clicked on the file, VLC started up - and just sat there.
Didn't display an error message or anything.  Not even when I drag
calc.mp3 over to it.  When I right-click on it, I don't get "Open" as an
option.  Open is replaced with "Play".

What would happen if I repeated this under XP or win-7?

Would they know the file is really an exe - and launch it as such?

Re: Microsoft: piracy is getting virusy

Virus Guy pretended :

I took calc.exe and renamed it to the desktop as calc.mp3 and it kept
the calculator icon. It also invoked the calculator when
double-clicked. In properties it is listed as calc.mp3 as the
calculator executable. A *real* mp3 invokes media player and has the
media player icon.

I don't have any MP3's on this machine, so I used Hot-Text's offering
here (http://s-e.mynews.ath.cx:1361/test.mp3 ) to test with.

[...]

Another reason W98 sucks.



Re: Microsoft: piracy is getting virusy

FromTheRafters wrote:
 

(and it doesn't execute as an exe file when renamed to .mp3)



So you think that from a vulnerability pov, that an OS can run an
executable even when it's given some other extension is a "good thing"
(tm)  ?

Sorry - you're wrong.

This is another reason why the NT line of Windoze sucks.

When a malicious process or mechanism has deposited an executable file
onto a system, and given the file some innocuous extension (like .txt or
.jpg), I'll take win-98 any day over NT because win-98 will apparently
NOT be tricked into running the malicious file.

If you think it's a good idea that an OS can still know that a mis-named
file is an executable file, and ->run the file when instructed to handle
it<- - you should explain why you think that's a good idea from the pov
of either the OS or the user.

Re: Microsoft: piracy is getting virusy

on 10/12/2012, Virus Guy supposed :

Absolutely! People shouldn't be fooled by filenames. The old adage
"Don't judge a book by its cover" comes to mind.

No, you are.

You're clueless as usual.

It's not the OS that is fooled, it is the user. To avoid this, the user
should be made to understand that names mean nothing - the actual file
content is what matters. It's quite alright with me that file
extensions for data files can be associated with the client chosen to
handle them, but they should provide a proper error message when such a
file is not what its extension leads one to believe.

Another thing that shouldn't be trusted is the icon. An exe can be
named benign.txt or benign.jpg and have a notepad or image
editor/viewer looking icon and be malicious. It is much more
straightforward to have the OS treat it as what it really is instead of
what some miscreant wants a user to believe it is.

Names mean *nothing*.


...and I have.



Re: Microsoft: piracy is getting virusy



On smarter OSes that know to check the file header and not assume by
extension alone, it runs. As it's an exe.

The newer OSes are analyzing the internal file header and making
decisions based on that. That's not a vulnerability or an exploit in and
of itself. You can do the same with win98, just not as easily.

For properly analyzing a file header? I'm sorry, you seem to be
confused here.

Nope. You're wrong. Win98 won't run the "txt" exe, but the program that
dropped it can any time it likes. It can even include a start command
run line in your registry or a batch file and place it in one of several
locations. Then easily force you to reboot; your win98 box is crash
happy. I can force a blue screen in 6 lines of assembler.

All it really need do is call itself explorer.exe in root and it's
guaranteed! to run when you restart.

I haven't even touched on the hidden extensions trick. "calc.txt.exe"
then be sure to hide known file extensions is toggled in the registry.

Windows98 machines are so damn open, you can configure whatever you
want, and force the user to reboot when YOU want them to execute your
new additions and modifications. No user rights to deal with, no real
concept of file permissions.. Basically, nothing stopping a rogue
program from 0wning the place. Outright.

It'll appear to be calc.txt, but will execute if clicked.


I think the OS should treat the file as its file header intended.
Proper file permissions and security policies in place can keep a
harmful file from doing much harm.
 







Re: Microsoft: piracy is getting virusy

"Virus Guy" wrote:


Neither will NT, at least not W2k or XP. I don't know what system FTR
is running but renaming an exe to txt or something else will not invoke
the executable image loader but will start the application associated
with the file extension; e.g. notepad. If an application can't handle
the format, e.g. a media player, then an error message is given.

If the behaviour of Windows since XP has changed, in that the format
is examined to decide how to open it, then this is a very bad idea.
When an advanced user sees a txt extension then he expects a
double-click to open the file in a text editor irrespective of its format.
I say "advanced" because I'm talking about those who don't hide the
file extensions. Obviously I'm not addressing the stupid situation
where extensions are hidden and a file named as test.txt.exe (an
executable) shows up as test.txt.



Re: Microsoft: piracy is getting virusy

Ant submitted this idea :

Yes, it is equivalent to opening the default program to handle that
filetype and selecting the file-open dialog *if* that extension is
associated with that program in the registry. I have hide extensions
for known filetypes checked in my folder options so I wasn't *really*
changing the extension or the association - only how it appears to the
average user.

As I recall, W98 did that with OLE2 files if extensionless. I think the
trouble comes from inconsistency between the two methods and not that
one method is wrong and the other right. Windows users are quite used
to the idea that a book can be judged by its cover, that is its
filename or its icon. What really counts is the actual type of content.


Yes, but mostly because he is used to it being that way.


I often wondered why MS decided to do that as the default condition.
Yes, that is why my calc.exe appeared to be calc.mp3 on my desktop. The
OS wasn't fooled into thinking it was an mp3 but the user might well
have been - even the "properties" dialog lies to the user. As I recall,
even the loaders do not depend upon filename extensions but rather on
actual file content when deciding if they can or cannot handle the
loading of that file's executable image, and even this has caused some
confusion where an exe renamed to bat or com can still execute as if it
hadn't been renamed.



Re: Microsoft: piracy is getting virusy



Gets more interesting.. :)

If you have calc.bat, calc.com and calc.exe

which do you think executes? [g]






Re: Microsoft: piracy is getting virusy

After serious thinking Dustin wrote :

Since it is *really* an exefile, it is the exefile loader that actually
loads it and it is an exe that executes no matter what the name is.

The exe loader recognizes the exefile by its format and loads it. I'm
not sure which order the loaders are in, but all three extensions will
be associated with the chain. If the first loader doesn't recognize the
file as being something that it knows how to load, it passes it along
to the next loader and on down the line until one does recognize it.

This is the OS ultimately doing this, not the GUI shell. All I'm saying
is that filenames may or may not be indicative of what the file's
content actually is, and the actual content is what matters. If all
files had content in their headers that could be used in the same
manner as Windows uses filename extensions then there wouldn't be any
mismatches and icons and actions could be assigned based upon actual
filetype.
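The point made here and earlier in the thread, that the content decides what a file is and the name decides nothing, can be turned into a small check. This is an added example, not code from the thread: it sniffs a handful of magic numbers for the formats the posters argue about (PE executables, mp3, avi, flac, jpg, plain text), compares them with the claimed extension, and also flags the hidden-extension trick. The sample files are constructed in memory.

```python
import os

# Magic-number table, constructed for the formats discussed in the thread.
MAGIC = [
    (b"MZ", "exe"),            # DOS/PE executable: the loader keys on this, not the name
    (b"ID3", "mp3"),           # MP3 carrying an ID3v2 tag
    (b"\xff\xfb", "mp3"),      # bare MPEG-1 Layer III frame sync (one common form)
    (b"fLaC", "flac"),
    (b"\xff\xd8\xff", "jpg"),
    (b"RIFF", "riff"),         # AVI/WAV container; refined in sniff()
]
EXEC_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif"}
TEXT_LIKE = {"txt", "bat", "cmd", "ini", "log"}   # plain text is fine under these

def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, ignoring the name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            if kind == "riff":
                return {b"AVI ": "avi", b"WAVE": "wav"}.get(data[8:12], "riff")
            return kind
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    printable = all(b >= 0x20 or b in b"\t\r\n" for b in data)
    return "txt" if printable else "unknown"

def classify(name: str, data: bytes) -> dict:
    """Compare the extension the name claims with the type the bytes show."""
    root, ext = os.path.splitext(name)
    ext = ext.lstrip(".").lower()
    real = sniff(data)
    findings = []
    if real == "exe" and ext not in EXEC_EXTS:
        findings.append("executable disguised as ." + ext)
    elif ext and real != "unknown" and ext != real and not (real == "txt" and ext in TEXT_LIKE):
        findings.append(f"content is {real}, extension says .{ext}")
    if ext in EXEC_EXTS and "." in root:
        # "calc.txt.exe" displays as "calc.txt" when known extensions are hidden
        findings.append("double extension hides executable type")
    return {"name": name, "ext": ext, "real": real, "findings": findings}

# Constructed samples mirroring the experiments described in the thread.
SAMPLES = {
    "calc.mp3": b"MZ\x90\x00\x03\x00\x00\x00",        # renamed calc.exe
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00",
    "calc.txt.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "movie.avi": b"RIFF\x00\x10\x00\x00AVI LIST",
    "movie2.avi": b"Download the codec from http://example.invalid/\r\n",
    "notes.txt": b"just a text file\n",
}

def scan_all(samples=SAMPLES) -> dict:
    return {n: classify(n, d) for n, d in samples.items()}

if __name__ == "__main__":
    for r in scan_all().values():
        print(f'{r["name"]:14} -> {r["real"]:7} {"; ".join(r["findings"])}')
```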



Re: Microsoft: piracy is getting virusy

@dont-email.me:


I agree. However, if you have all three files with the same
aforementioned names and you don't specify the extension, the load order
is bat, com and finally *.exe. So.. if you mark .bat.com hidden!, the
user doesn't know he/she isn't running what they thought they were. [g]

Yep.






Re: Microsoft: piracy is getting virusy

On Saturday, October 13, 2012 10:32:58 PM UTC+3, Dustin wrote:

Nobody is laughing at your shit eating grin Dustbin.  Your so-clever-by-half
"security by obscurity" hacks that you used back in the days of command line
DOS OSes are laughable by the standards of today's virus writers, of which
you know nothing.  If you think you can fool anybody but a noob by marking
the attributes of a file as hidden and system, you are kidding yourself.
Go back to your kiddie scripts son.

RL

Re: Microsoft: piracy is getting virusy



I don't know anyone named Dustbin. My name isn't difficult to spell.


Today's virus writers? Who might those be? I haven't seen many "real"
viruses in several years now. Ray, lemme give you a clue; free of
charge. I still have ops in #virus on undernet. Years! after my
retirement.

I'm still in the game, kiddo. [g]


Irok isn't a kiddy script. The assembler sources I provided you, which
you commented like so aren't either.

I'm an accomplished coder. You *still* aren't shit.


 OK, but are you saying the hex code 0x4c00 has some significance?
 Not clear if it does but that seems to be your assumption.  Again,
 not demonstrating you can explain anything, even if you know what you
 are doing (which I doubt).

 No.  Again, you show your incompetence.  What I think this is doing
 is moving the ASCII text 'hello' into register dx, which perhaps can
 accept a string.  Not clear though.  Perhaps 'hello' is a variable?
 Not clear.  it is not doing what you claim it is.  I'll say this:
 even if you can code in assembly--and you've not shown me you
 can--you are a lousy teacher.

 WTF you talking about?  Did you call a variable 'stack' and defining
 a stack segment by that name?  Not very smart of you, like calling an
 'int' variable 'int'.  In any event you are not explaining this line
 at all.

As I expected tho, you aren't able to show any respect and just want to
be coddled. I don't be thinking so. :)

Based on your comments above regarding my ASSEMBLER program, it's clear
you're the script kiddy here. [g]


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.






