Risk Your PC's Health for a Song?

Think you're downloading a new song or video? Watch out--that file may be stuffed with pop-ups and adware.

PC World has learned that some Windows Media files on peer-to-peer networks such as Kazaa contain code that can spawn a string of pop-up ads and install adware. They look just like regular songs or short videos in Windows Media format, but launch ads instead of media clips.

When we ran the files, we noted over half a dozen pop-ups, some attempts to download adware onto our test PC, and an attempt to hijack our browser's home page. However, you can take steps to guard your PC against this ad invasion.

Off-Key Experience

A reader initially alerted PC World to an ad-laden Windows Media Audio file, titled "Alicia Keys Fallin' Songs In A Minor 4.wma." We then found two other WMA files and two Windows Media Video files that had been similarly modified.

Playing one of the Overpeer video files launched this nest of pop-up ads.
Playing one of the Overpeer video files launched this nest of pop-up ads.
Using a packet analysis tool called Etherpeek, we determined that each media file loaded a page served by a company called Overpeer (owned by Loudeye). That page set off a chain of events that led to the creation of several Internet Explorer windows, each containing a different ad or adware.

Overpeer first made news in mid-2002 by offering its services to record companies looking to stop P-to-P pirates. It creates fake audio files that purport to be popular songs but play only a short loop of the track or an antipiracy message; the file then pops up a window offering the downloader a chance to buy the song. By flooding file-sharing services with spoofed files, Overpeer makes finding real music files more difficult.

Marc Morgenstern, Loudeye vice president and general manager of digital media asset protection, says the files we found come from a different division of the company--one that targets users with promotions or ads based on the keywords those users search for on P-to-P networks or in other venues.

Though the two businesses differ, the result is likely the same--a further reduction in the effectiveness of popular P-to-P networks. Morgenstern characterized Overpeer's actions as just deserts for people who illegally trade copyrighted works for free. "Remember, the people who receive something like (the ad-laden media files), in some cases, were on P-to-P, and they were trying to get illicit files," he says.

Firms Surprised

PC World contacted Microsoft and the seven ad-serving companies whose ads popped up when we ran the Keys audio file. "We're looking into exactly what's going on with this file and checking to see if this particular model is in keeping with the licensing terms for Windows Media [Digital Rights Management]," says David Caulton, group product manager for Microsoft's Windows Digital Media Division. "We wouldn't want to endorse anything that involved delivery of content that appears to be one thing, and then something else is delivered."

Only one of the advertising firms, Kanoodle, responded to us. "Kanoodle stringently vets all prospective partners to determine in advance how they will distribute our sponsored links," Lance Podell, the company's president emailed PC World. "As in this case, upon detecting or discovering any prohibited distribution activity, we eliminate it immediately." Indeed, Kanoodle's ads no longer appear when we relaunch the file.

DRM Loophole

A loophole in the Windows Media DRM process allows companies to create ersatz media files and link them to adware. Normally, when you download a protected Windows Media file, you also receive a license that lets you play it. According to Caulton, if Windows Media Player can't find a valid license on your PC, it checks in with a remote system running Microsoft's Windows Media DRM Server.

You'll rarely see that happen. Some files, though, are set up to ask you for information before playing. They do this by displaying a URL in a dialog box labeled License Acquisition. Normally that dialog box is used to check for a user name or offer a chance to purchase the file that's being played.

For example, a legitimate DRM-encrypted file might let you play it three times, then bring up a window asking if you want to buy it. Or a band might offer a song to you for free if you agreed to sign up for its mailing list or view a 15-second commercial. At least, that's the way it's supposed to work.

But since the license dialog box acts just like an Internet Explorer window, it can display whatever is on the page it points to--whether a legitimate call for license information or a series of pop-up ads.

When we played the modified files, the License Acquisition dialog box showed a page containing ads and quickly spawned more IE windows, each containing a different ad.

Not only did we get bombarded with unwanted ads, but one of the ad windows in a video file tried to install adware onto our test PC surreptitiously, while another added items to our browser's Favorites list and attempted to change our home page. And a window from the original music file asked to download a file called lyrics.zip, which contained the installer for 180search Assistant, commonly categorized as an adware program.

The media files appear to run once the ads load, but they were devoid of video or music.

First Wave?

The ads in Overpeer's disguised media files may annoy some users. But malicious agents such as hackers and thieves could exploit the DRM loophole to do far worse. Security experts fear that, for example, criminals could load their own modified media files with keystroke loggers or other software for taking over your PC, and thus steal your passwords or other sensitive information.

According to Microsoft's Caulton, "It's possible that someone could modify [an existing audio] file after it's created to point back to their http server." If that's the case, virus and malware writers would gain a powerful platform for launching their attacks.

Writing the code to infect computers is the easy part, according to Johannes B. Ullrich, the chief technical officer for the SANS Institute's Internet Storm Center, a computer security watchdog group. "With a lot of these Internet Explorer exploits, the big question is how to get people to visit [the site that executes that code]," he says.

Hacked audio files could provide the perfect incentive. The songs we found gave no warning before launching their string of pop-ups, and before being played they gave little or no indication that they were anything but normal WMA files.

Senior Reporter Tom Spring contributed to this report.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon