“Poisoned” Windows Media files: more details

In an earlier post, I pointed to the fast-spreading but suspicious story alleging that a flaw in WMA files can plant spyware on your computer. This is a follow-up.

In the extended portion of this post, I provide details and screen grabs. I’m indebted to Eric L. Howes for his assistance. Thanks to Ben Edelman for posting a detailed report on his experiences with earlier operating systems and to Andrew Clover who provided a sample file that ultimately made its way to me.

Here’s a quick summary of what you need to know:

  • The PC World story contained several errors and some misleading statements.
  • I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.
  • The programs in question are digitally signed and are from known companies. The terms of service make it clear what you’re getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.
  • The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.
  • You are most likely to acquire one of these “poisoned” WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.
  • If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.
  • If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn’t test this scenario.
  • Clearing the option to acquire software licenses automatically seems to have no effect on this exploit. [Update: A later update to WMP 10 changed this setting so that it now provides an extra warning before displaying the license acquisition dialog box.]

I copied the test file, which is a file in Windows Media Video (WMV) format, to two test systems. The actual content claims to be a porn file, which no doubt ensures that it will be widely spread. I have read reports that the same technique is used in Windows Media Audio files as well, and from a technical point of view this is absolutely true.

When you first try to play the file, WMP tries to acquire a license from protectedmedia.com (which is apparently a third-party licensing service designed for indie media providers to license content without having to own their own license server). As part of that action, it tries to load a popup and install an ActiveX control.
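The "needs a license" tag that sends Windows Media Player out to a license server lives in the file's ASF header, so a defender can read it without ever opening the clip in the player. The Python script below is an added example, not code from this post, from Microsoft, or from any of the companies named here: it walks the ASF Header Object of a WMA/WMV file, flags the two DRM objects (the v1 Content Encryption Object and the v2 Extended Content Encryption Object with its WRMHEADER XML), and reports the license-acquisition URLs they carry, which is exactly the address the License Acquisition dialog box would load. The object GUIDs and field layouts follow the public ASF specification; the tag names LAURL/LUIURL are the WMDRM spellings as I recall them, so the underscored forms are checked as well (an assumption). `build_sample()` constructs a minimal sample header for the demonstration and is not the file from the post; the `example.invalid` URLs are placeholders.

```python
"""Added example (not Ed Bott's code): flag a WMA/WMV file that carries the DRM
"needs a license" tag and report the license URL the player would be sent to.
GUIDs and layouts follow the ASF spec; build_sample() constructs sample data,
and the example.invalid URLs are placeholders."""
import struct
import sys
import uuid
import xml.etree.ElementTree as ET

# ASF stores GUIDs with the first three fields little-endian, hence bytes_le.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le

def _length_prefixed(buf, pos):
    """Read a 32-bit little-endian length, then that many bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("length-prefixed field runs past object end")
    return buf[pos:pos + n], pos + n

def _cstr(b):
    return b.rstrip(b"\0").decode("ascii", "replace")

def _parse_content_encryption(body):
    """DRM v1 tag: secret data, protection type, key ID, license URL (all length-prefixed)."""
    _secret, pos = _length_prefixed(body, 0)
    ptype, pos = _length_prefixed(body, pos)
    key_id, pos = _length_prefixed(body, pos)
    url, _ = _length_prefixed(body, pos)
    return {"protection_type": _cstr(ptype), "key_id": _cstr(key_id), "license_url": _cstr(url)}

def _parse_ext_content_encryption(body):
    """DRM v2 tag: a length-prefixed UTF-16LE WRMHEADER XML blob holding the LA/LUI URLs."""
    data, _ = _length_prefixed(body, 0)
    text = data.decode("utf-16-le", "replace").rstrip("\0")
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return {"wrmheader_raw": text}  # still report it; a malformed header is itself suspicious
    urls = {}
    # WMDRM headers spell these LAURL/LUIURL (assumed); underscored forms are checked too.
    for key, tags in (("la_url", ("LAURL", "LA_URL")), ("lui_url", ("LUIURL", "LUI_URL"))):
        for tag in tags:
            node = root.find(".//" + tag)
            if node is not None and node.text:
                urls[key] = node.text.strip()
                break
    return urls

def scan(data):
    """Walk the ASF Header Object and report every DRM tag with the URLs it carries."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF container (WMA/WMV)")
    header_size, _count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos = 30  # GUID(16) + size(8) + object count(4) + two reserved bytes
    report = {"drm_tagged": False, "objects": []}
    while pos + 24 <= end:
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            raise ValueError("corrupt header object size at offset %d" % pos)
        body = data[pos + 24:pos + size]
        if guid == ASF_CONTENT_ENCRYPTION:
            report["drm_tagged"] = True
            report["objects"].append(("Content Encryption", _parse_content_encryption(body)))
        elif guid == ASF_EXT_CONTENT_ENCRYPTION:
            report["drm_tagged"] = True
            report["objects"].append(("Extended Content Encryption", _parse_ext_content_encryption(body)))
        pos += size
    return report

def _obj(guid, body):
    return guid + struct.pack("<Q", 24 + len(body)) + body

def _lp(b):
    return struct.pack("<I", len(b)) + b

def build_sample(drm=True, license_url="http://license.example.invalid/acquire",
                 la_url="http://license.example.invalid/la"):
    """Construct a minimal ASF header, with or without the two DRM tags (sample data only)."""
    children = b""
    if drm:
        v1 = _lp(b"\0" * 4) + _lp(b"DRM\0") + _lp(b"KID-0001\0") + _lp(license_url.encode() + b"\0")
        wrm = ('<WRMHEADER version="2.0.0.0"><DATA><LAINFO><LAURL>' + la_url
               + '</LAURL></LAINFO></DATA></WRMHEADER>')
        v2 = _lp(wrm.encode("utf-16-le") + b"\0\0")
        children = _obj(ASF_CONTENT_ENCRYPTION, v1) + _obj(ASF_EXT_CONTENT_ENCRYPTION, v2)
    count = 2 if drm else 0
    return ASF_HEADER_OBJECT + struct.pack("<QIBB", 30 + len(children), count, 1, 2) + children

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = scan(data)
    print("DRM tagged:", result["drm_tagged"])
    for name, fields in result["objects"]:
        print(" ", name, fields)
```

Run it with a file path to triage a download before the player touches it; a file that reports `drm_tagged` with a license URL at a host you do not recognize as a music seller's license server is the case this post describes. The script only reads the header and never contacts the URL, which is the point of checking it this way.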

On a system with SP2 and WMP10, all the security features kick in immediately. Both of these actions are blocked by the security features in SP2. The Information Bar appears in the License Acquisition dialog box (which is a hosted instance of Internet Explorer). Here’s a screen shot:

[Screenshot: 2_Popup_and_ActiveX_blocked.jpg]

Note that this dialog box is actually a hosted instance of Internet Explorer. See the Information Bar at the top? That’s your sign that the popup and the ActiveX program have been blocked. The image in the dialog box is a Flash animation running on a Web page at protectedmedia.com. (You could bypass all this nonsense by just clicking the Play button at the bottom of the dialog box.) If you click the Info Bar, you can tell it to allow ActiveX programs to be installed. If you do that, a browser window opens with a pornographic Web page in it and you get a Security Warning dialog box where you can choose Install or Don’t Install (the default is Don’t Install). In this second dialog box, the Name of the software is listed as “You must agree to our Terms and Conditions.” When you click the link attached to that text, you go to a Web page that includes the Terms of Service for the software (SpiderSearch). It is digitally signed by the developer, Ultra Web Host LLC. If you click the link to read the terms of service, it clearly says it’s going to show porn ads on your computer.

[Screenshot: 4_Must_agree_to_install_ActiveX_control.jpg]

Notice how the text tries to trick me into installing this software by claiming to be a “required update”? That’s the oldest trick in the book and one that SP2 has specifically been designed to avoid. (Remember that the only reason I am seeing this message is because I authorized ActiveX installations via the Info Bar.) I clicked Don’t Install and saw another message that a pop-up had been blocked. It then prompted me to install a second ActiveX control. This was another spyware program, iSearch. Again, I was presented with a security dialog box where I could choose Install or Don’t Install. The link to the terms of service called it a “Required Media Player Version 9 Browser Update” – a little social engineering. Clicking that link led to a page that was quite clear on what I would get:

By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to iSearch and/or it’s partners, in the form of pop-up ads, pop-under ads, interstitials ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from iSearch affiliates; and install Third Party Software.

The security features in SP2 worked. All pop-ups were blocked. To install the spyware, I would have to first click the Info Bar and allow ActiveX controls to be installed from that page. If I did that, I would then have to click Install on two separate dialog boxes, where I would have an opportunity to read the terms of service. A user who tried to play this file would have to blow past a lot of pretty serious warnings and click several buttons that pretty clearly say you’re installing software, and the terms of service are pretty clear about what you’re getting. It’s worth noting that these are signed programs. If they were unsigned (I’ve never heard of a virus writer who has gotten a software-signing certificate that any version of Windows would trust), they would be rejected automatically and you would not be presented with an opportunity to install them. Anyone who would go past all these roadblocks has probably already been hit by every form of virus and spyware known to man.

What if you have never upgraded to Windows Media Player 10? With the default version of Windows Media Player 9 Series on Windows XP with SP2, the end result is similar but there’s a crucial difference: the Information Bar doesn’t block the attempt to install the two ActiveX controls. Instead, after I double-clicked the file and the License Acquisition dialog box appeared, I was presented with a Security Warning dialog box for the first ActiveX control. Again, I had to choose Install or Don’t Install, but this choice shouldn’t have been presented to me at all. After I clicked Don’t Install, the second ActiveX dialog box appeared. When I then clicked Don’t Install, I got three pop-ups and the clip began playing. These pop-ups appear regardless of SP2 pop-up blocker settings. (I believe the pop-ups are directly related to actions in the license acquisition process. One is associated with each ActiveX control and one is associated with the clip itself.)

It appears that the instance of IE that is being hosted in the WMP9 License Acquisition dialog box is not interacting properly with the security restrictions in SP2. However, the user still has to click the Install button to install the spyware, and the links to terms and conditions are all there. Nothing is installed automatically.

Initially, I thought that disabling the option to acquire licenses automatically would solve this problem. (In Windows Media Player, you do this by clicking Tools, Options. Click the Privacy tab and then clear the Acquire licenses automatically for protected content check box.) However, further testing reveals that this is not the case. Because these files are tagged as needing a license, the player is going to try to go out and get one. The whole point of this exploit is to bring you to a Web page, so the license is a red herring. In fact, a few seconds ago when I tried to acquire a license, the Flash file disappeared and was replaced with an “adults only” static image. If this were a reputable company, the License Acquisition dialog box would contain legitimate details about the track and the license you just acquired, such as when it expires or how many times you’re allowed to play the clip. [Update: A patch to Windows Media Player 10, released approximately a month after this report, changed the behavior of this option and does provide an extra warning before displaying the license dialog box.]

[Screenshot: 10_new_license_screen.jpg]

See how this dialog box tells me I’ve acquired the license and I can just click the Play button?

I don’t see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX “push” installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn’t fall for this stuff.

Update: For the most recent information on this issue, see the follow-up here.

18 thoughts on “‘Poisoned’ Windows Media files: more details”

  1. I don’t think it’s right to say the license agreement is “quite clear on what [users] would get.” Certainly the license never says anything like “this program will install 30+ other programs from third parties, and clog your registry with tens of thousands of new entries.”

    When I did my testing and write-up ( http://www.benedelman.org/news/010205-1.html ), I received a single ActiveX installation prompt pop-up, linking to http://www.spidersearch.com/barterms.php for a license agreement. Unlike the disclosure you quote, that page never mentions installation of third party programs.

    You’re certainly right that these installations require users to be tricked, and to click (more than once, if running the latest software) in order to be harmed. But the misleading on-screen text and misleading circumstances (the inference that a special add-on player truly is required to play what users might think is a new file format) make me worry that these deceptive methods could succeed in tricking a fair number of users. Maybe users should know better, but the bad guys here are taking advantage of users in a way that still seems, to me, quite troubling.

    Also troubling are the programs that subsequently get installed. 180solutions, for example, has received tens of millions of dollars of funding from venture capitalists — so you might think they’d be cleaning up their act. Instead, they’re paying installation commissions to whoever is doing these installation tricks.

  2. I think the misleading naming such as “Required Windows Media Update” is not such a trivial matter; it’s extremely likely to ‘work’ in practice.

    Users can also get a valid popup from MS for WMV codecs at exactly this point. In fact the first time I tested this (XP SP1, WMP9) I did get one ActiveX download box from MS for the DRM stuff immediately prior to the two bogus downloaders, which looked almost identical. I don’t think most people would notice the con.

    It’s great that WMP10 does apply the SP2 restrictions properly, but I’m wondering how many people are actually running WMP10+SP2… probably not many. (WMP10 isn’t being downloaded by Automatic Updates is it?) Plus of course non-XP users are a bit stuck. I too would like to see a proper fix for users not lucky enough to be [able to] run this combination.

    [Personally, I am looking forward to the European antitrust edition of WinXP with WMP removed, as I dislike WMP version 7+ intensely, and am sick of having to wrestle with Windows File Protection to get rid of it!]

    As for:

    The programs in question are digitally signed and are from known companies.

    We all know how much that’s worth! 😦

    Unfortunately slack roots like Verisign and Thawte, who…

    • issue code-signing certs to companies caught abusing IE security holes and installing malicious software;
    • refuse to either revoke issued certs or disclose the legal addresses of the entities that they ‘verified’;
    • issue certs to companies using misleading names like ‘MSN Technologies’ or ‘Click to open page’;
    • memorably once let Microsoft’s own certs escape!

    …have made the Authenticode system almost completely worthless in practice.

    It remains unclear whether the PC World story is actually talking about the same group (protectedmedia etc.) as we’re dealing with here. The screenshot looks like it might be, with the porn video and all, but I have not been able to link Overpeer to them, nor find the mentioned Overpeer WMA files (yet). Still a bit murky on this one.

  3. Ben, the terms of service I quoted with the iSearch/iLookup module do indeed warn the user that they’re going to get additional software: “…you understand and agree that the Software may, without any further prior notice to you … automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction.”

    Which does not excuse the fact that this is sleazy, underhanded and wrong, and that the purveyors of this crap should be horsewhipped. IMHO.

    Please see my follow-up posts on this topic here:

    http://www.edbott.com/weblog/archives/000341.html

    and here:

    http://www.edbott.com/weblog/archives/000342.html

  4. From what URL did you get the quote in your prior comment?

    The ActiveX installer I received had a single hyperlink, which I followed. It took me to http://www.spidersearch.com/barterms.php . That page does not contain the text you quote, nor any text that’s similar.

    Perhaps some other ActiveX — like the one provided to you — gives a good and clear Terms of Service. But not so for the ActiveX I received.

  5. I was presented with two ActiveX installers. The first was the SpiderSearch one that you provided a link to. The second one claimed to be “Required: Media Player Version 9 Update” from iDownload.com; the link was from http://toolbar.isearch.com/terms.html.

    As I noted in a follow-up post, GIANT AntiSpyware intercepted the second installation and allowed me to block it. The SpiderSearch module never installed at all even when I clicked the Install button. Very strange. This was on a system with no AV software and only the standard Windows XP Firewall.

  6. Hi All:

    I’ve tested the same WMP file on an older system with Windows 2000 SP4, IE 6 w/ SP1, and Windows Media Player. You can find my write-up at DSLReports.com:

    http://www.dslreports.com/forum/remark,12298989~mode=flat

    In short, the adware installation practices that users encounter through Microsoft’s license acquisition process are incredibly confusing, deceptive, and coercive. Indeed, this is one of the most underhanded installations I have ever encountered.

    Regards,

    Eric L. Howes

  7. How do we get rid of this kind of spyware? Do they have the potential to take sensitive information from our computers?

  8. I have seen a WMV file opened in WMP8 while the Ad-Aware SE real-time agent was running. When this happened it was actively blocking 10,000-plus registry changes. After removing Media Access (the malware) using Control Panel and Add/Remove Programs, Ad-Aware SE was used to scan, as well as SpyKiller 2004, and remove other stuff. I have had no prob with SPK2004. HijackThis was also run and one entry with MA was removed. I would never open a WMV or the like again. They are certainly deadly files. Never open them; it just isn’t worth it, even if you are protected.

  9. This is yet another reason I do not allow ActiveX Downloads/Installs on any of the PC’s I own.

    I also think, however, that if you are breaking the law or engaging in less than acceptable behavior you may deserve what comes your way. That said, in NO WAY is what protectedmedia is doing right.

    The internet isn’t what it used to be…
    Brandon Rusnak
    http://www.rusnakweb.com

  10. Pingback: Freedom to Tinker
  11. Can Spybot also install isearch.com? Because in their license, when you click OK you agree that Spybot will allow some advertisers on this computer, am I right?
    Thanks.

  12. Nas, it sounds like you got sucked in by one of the fraudulent sites that claims to be selling you Spybot S&D (which is actually free) but is instead delivering something else.

  13. Hi

    I have downloaded some clips from the internet by using torrents, but when I try to play them in Windows Media Player there is a message regarding “Acquire License”, but the other clip has a different message; there it is written something like “you have to download some files/software to play this clip”.

    If you want to share with me your profound knowledge, please do it not for God’s sake but for me.
    I will be very thankful to you if you will just email me regarding this.

  14. Wow… I don’t understand why people still do this. Have they not heard of making an honest buck. There is enough corruption with money and politics. Why can’t the internet just be a free place of peace.

  15. Can it automatically charge you money? Without permission? At first it said I cannot play it… then I clicked Cancel… but then it suddenly said I could play it… something about a license… will this charge me money?

  16. I have Windows Media Player 10; I don’t however have SP2, which I will see about in a minute.
    Anyway, me and my husband have been using a file sharing program to download music and I ended up with several infestations. I deleted them with my anti-virus protection and thought I was good. When I downloaded them to my MP3 player I think a virus has done something to it. Now is that possible?

  17. Can Any One pls make it simple ?

    give me the crack or cheat to pass this stupid message…

    …. upgrading this Sh%%# is useless even troubling..

    waiting…

Comments are closed.