Trojan spreads to multimedia files over P2P

by Steve Ragan - Jul 16 2008, 11:11

For a little over a month now, researchers at Secure Computing have watched a Trojan in the wild that is infecting normal multimedia files like MP3 and WMA audio streams and WMV videos. If infected, all multimedia files on a user’s Mac or PC will be compromised, and those files can spread to other computers if shared via e-mail or P2P sites like Limewire.

Secure Computing discovers an interesting P2P based Malware attack.(IMG:J.Anderson)

Once a user downloads an infected file and attempts to play it back, they are then prompted to install a codec. Unsuprisingly, this codec contains the Malware.

So how is this different from other codec type attacks? Christoph Alme, Team Lead from Secure Computing’s anti-Malware Research Labs, took the time to explain it."The sophisticated new technique that they employ in this Trojan is that they take your existing multimedia files and add their malicious content to them. MP2 and MP3 files are converted into the WMA audio format before infection, but the file extension remains .mp3 so there's no sign of tampering other than the file size that has grown a little," outlined Alme."On the machine compromised by the Trojan, playing one of the infected audio or video files does not even show any suspicious signs, so this first stage of attack remains quite silent. Only after the victim uploaded some of his files to file sharing portals or peer-to-peer networks, and others download these and play them, then will they get a message telling them they'd need to install a missing codec. The fake codec turns out to be a password-stealing malware."

Yet another lesson as to why Limewire is bad.

Comment on this Story

Interested in a more interactive TTH? Join our Facebook Group
Want regular updates from The Tech Herald? Follow us on Twitter

Comment on this Story

Note our older Talkback system is still running below. We hope to import existing comments into the new system shortly. Guest posting is still allowed, however, you can now login with any number of social network accounts.