WMV movie and music files can now infect your computer

A long time ago, it was easy to decide whether a file was safe. For a file to do something dangerous, it had to be able to do something, so only executable files could carry viruses, trojans, worms and the rest, and even an executable could not harm your computer unless you ran it. The trick, then, was to avoid executable files (files ending in ".exe", ".com", ".bat" or ".vbs") from a non-reputable source, and if you somehow received one anyway, to delete it without running it. The logic is this: only executable files can tell the computer to do something (delete random files, infect other files, and so on). A text file cannot tell your computer to do anything by itself. Rather, you run a separate program (Notepad.exe, for example) which reads the zeros and ones that make up the text file and does something with them (displays characters on your screen, say).

Over time, the virus writers got smarter. Now, when a virus infects someone, it scans their address book and mails itself to all their friends. "Make sure it comes from a reputable source" no longer worked, because the file now appeared to come from someone I knew. Still, if five of Bob's friends all reported receiving an e-mail from Bob with the virus attached, it was easy to tell that Bob was the one who started the spread. So the virus writers got smarter again: besides mailing itself to all your friends, the virus forges the sender address so that each copy looks like it came from some other random friend. Bob might have my, Kilree's and GD's e-mail addresses. Bob's computer sends me a virus that claims to be from Kilree, sends Kilree one that claims to be from GD, and sends GD one that claims to be from me. Now it is very hard to track who originally caught the virus.

Worse yet, virus writers have found a way around the "only executable files can infect you" rule. The trick is to fool the program that processes the file. It works because the computer keeps both the file you want to view and the program you view it with in the same memory. Say there is an audio file format that lets you record who the artist of the song is, and say whoever invented the format decided that if the artist's name is limited to 256 characters the file can load 50% faster. Who has a name longer than 256 characters anyway? But then I, a malicious virus writer, craft a song in which the artist's name is deliberately longer than 256 characters. The first 256 characters might be "Britney Spears" followed by enough spaces to fill them up. From the 257th character on, I put in a computer program that tries to delete every file on your hard drive.

Now when you run your media player, the computer loads it into memory and reads its first instruction: "Open this audio file", which the computer does. Then it reads the next instruction: the media player wants to display the artist name. It knows the name can only be 256 characters long, because whoever programmed the player read the specification closely, so the next instruction is "Reserve enough memory for 256 characters and load the artist field into the space just reserved". The computer does this, fills the space, and then spills over past the end. Where does the excess go? In this simplified picture it overwrites the media player's own instructions: the next one was supposed to be "load one second's worth of music data and play it", but it has been replaced by "delete all files on the hard drive". The computer reads that next instruction, sees a request to delete all the files, and does so.

That is a simplification of the attack known as a "buffer overflow", but the basic concept is there. (In practice a program's instructions usually sit in memory the program cannot write to; what the overflow actually clobbers is the bookkeeping stored next to the buffer, such as the saved return address that tells the processor where to continue once the copy is done. By replacing that address, the attacker makes the processor jump into the data he supplied, which is just as bad.) This is not theoretical stuff. Versions of Winamp before 5.07 had a bug of exactly this kind, where loading certain music files could execute arbitrary code. There was a similar bug in the way Windows XP handled JPEG files, for which Microsoft has since released a patch (MS04-028). This is not really the fault of the file formats themselves, but of carelessly written programs. Rather than naively saying "Load the entire artist field into my 256 slots of memory", more secure code says something like "Check how long the artist field is. If it is longer than 256 characters, stop and tell the user this is an invalid media file, since the format only allows artist names of 256 characters or less. Otherwise load it into the 256 slots." Because the program checks the length against the buffer before copying, the file's data never gets a chance to overwrite anything it should not.
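To make the overflow concrete, here is an added example in C. It is not code from the original post or from any real media player; the tag layout (a one-byte field id, a two-byte length, then the payload), the names `player_state`, `parse_artist_vulnerable`, `parse_artist_safe`, `build_tag` and `run_player`, and the "next action" field that stands in for the saved return address are all assumptions made for this illustration. The same parser is written once the naive way and once with the length check the paragraph above describes, and both are run on a constructed file whose artist name is "Britney Spears" padded to 256 characters and followed by four attacker-chosen bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag layout, assumed for this example (not a real codec):
 *   byte 0     field id, 0x01 = artist
 *   bytes 1-2  payload length, big-endian
 *   bytes 3..  payload                                                     */
#define TAG_ARTIST      0x01
#define ARTIST_MAX      256         /* the format's "at most 256 characters" */
#define TAG_BUF         512         /* room for any tag built below */

#define ACTION_PLAY     1           /* what the player intends to do next */
#define ACTION_HIJACKED 0x41414141  /* what four attacker 'A' bytes turn it into */

/* The artist buffer sits directly in front of the field that decides what the
 * player does next, the way a stack buffer sits in front of saved control data. */
struct player_state {
    char artist[ARTIST_MAX];
    int  next_action;
    int  artist_len;
};

static size_t tag_len(const uint8_t *tag) { return ((size_t)tag[1] << 8) | tag[2]; }

/* Vulnerable parser: trusts the length field and copies the whole payload.
 * artist is the first member, so writing through a byte pointer to the struct
 * is exactly what memcpy(st->artist, ...) would do; the copy is capped at the
 * struct's size only so that this demo stays inside one object and is
 * deterministic. A real player has no such cap. */
int parse_artist_vulnerable(struct player_state *st, const uint8_t *tag, size_t tag_size)
{
    if (tag_size < 3 || tag[0] != TAG_ARTIST) return -1;
    size_t len = tag_len(tag);
    if (tag_size - 3 < len) return -1;          /* checks the file, never the buffer */
    unsigned char *dst = (unsigned char *)st;
    for (size_t i = 0; i < len && i < sizeof *st; i++)
        dst[i] = tag[3 + i];                    /* bytes 256..259 land on next_action */
    return 0;
}

/* Hardened parser: rejects any artist field the format does not allow
 * before a single byte is copied. */
int parse_artist_safe(struct player_state *st, const uint8_t *tag, size_t tag_size)
{
    if (tag_size < 3 || tag[0] != TAG_ARTIST) return -1;
    size_t len = tag_len(tag);
    if (tag_size - 3 < len) return -1;
    if (len > ARTIST_MAX) return -2;            /* invalid media file: name too long */
    memcpy(st->artist, tag + 3, len);
    st->artist_len = (int)len;
    return 0;
}

/* Constructed sample input: "Britney Spears" (benign), or the same name padded
 * with spaces to 256 bytes and followed by four 'A' bytes (malicious). */
size_t build_tag(uint8_t *out, int malicious)
{
    size_t len = malicious ? ARTIST_MAX + 4 : 14;
    out[0] = TAG_ARTIST;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len & 0xff);
    memset(out + 3, ' ', len);
    memcpy(out + 3, "Britney Spears", 14);
    if (malicious) memset(out + 3 + ARTIST_MAX, 'A', 4);
    return 3 + len;
}

/* Run one parser on one input; returns the parser's result and reports what
 * the player would do next afterwards. */
int run_player(int use_safe_parser, int malicious, int *next_action)
{
    struct player_state st = { .next_action = ACTION_PLAY };
    uint8_t tag[TAG_BUF];
    size_t n = build_tag(tag, malicious);
    int rc = use_safe_parser ? parse_artist_safe(&st, tag, n)
                             : parse_artist_vulnerable(&st, tag, n);
    *next_action = st.next_action;
    return rc;
}

int main(void)
{
    int action, rc;
    rc = run_player(0, 1, &action);
    printf("vulnerable parser, oversized artist: rc=%d next_action=0x%x\n", rc, action);
    rc = run_player(1, 1, &action);
    printf("hardened parser,   oversized artist: rc=%d next_action=0x%x\n", rc, action);
    return 0;
}
```

With the benign file both parsers leave `next_action` at `ACTION_PLAY`. With the oversized artist the vulnerable parser reports success while `next_action` has silently become `0x41414141`, the four 'A' bytes the file supplied; the hardened parser returns `-2` and copies nothing. In a real program the overwritten field is the saved return address rather than a flag, which is why the attacker's bytes end up being executed instead of merely changing a value.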

Anyway, all this is to say that there is a company called "Overpeer". They are hired by organisations like the MPAA and the RIAA to make file sharing as painful as possible. One tactic they have used for a while is deliberately flooding the networks with "fakes" to make it harder to find the movie you are after. Just today, PCWorld reported a new tactic: they are planting adware in WMV files. WMV is the format Windows Media Player uses for movies; its audio sibling, WMA, is an alternative to mp3, and while it is technically superior to mp3, I personally don't like it because it is a closed standard, meaning no one is allowed to make players or encoders for it except Microsoft and the companies Microsoft hand-picks. Overpeer then shares the adware-laden files over the networks, passing them off as the latest album or the latest movie. Note the distinction from the bug described above: as reported, these files do not exploit a buffer overflow at all. They abuse Windows Media's DRM licence-acquisition feature, which opens a browser window to a web page chosen by whoever made the file, and that page pushes the adware. That is a legitimate feature being misused rather than a programming error, so a patched player does not protect you; only refusing the licence prompt does.
