Become a part of the TranceAddict community!Frequently Asked Questions - Please read this if you haven'tSearch the forums
TranceAddict Forums > Main Forums > Music Discussion > Mp3 Viruses
Pages (2): [1] 2 »   Last Thread   Next Thread
Share
Author
Thread    Post A Reply
dEsidEL
Fu Man Choonz



Registered: Aug 2000
Location: Below the Belt
Exclamation Mp3 Viruses

i don't know if any info about this stuff has been posted here before.. but incase it hasn't here it is. beware, this is actually legit a friend of mine got hit and wiped out about 2.3 gigs of tracks on his drive..

most of the infected mp3's seem to be circulated thru file swapping/sharing programs, which reinforces the fact that sometime's it's better to trade on FTP's since itz hard to tell who ur downloading from over a sharing network..

link:
http://online.securityfocus.com/arc...23/2002-04-29/0

To: BugTraq
Subject: Mp3 file can execute code in Winamp [Sandblad advisory #5]
Date: Apr 26 2002 6:30AM
Author: Andreas Sandblad
Message-ID:


- Sandblad advisory #5 -

---..---..---..---..---..---..---..---..---..---..---..---..----
Title: Mp3 file can execute code in Winamp.
Date: [2002-04-26]
Software: Nullsoft Winamp 2.79
Rating: High because mp3 files are widely trusted as safe.
Impact: Specially crafted mp3 file can execute
arbitrary code when played in Winamp due to a
buffer overflow condition.
Vendor: Nullsoft has confirmed the vulnerability.
Patch: Winamp 2.80 released 02-04-25 will fix the issue.
Download at: http://www.winamp.com/
Workaround: Disable the minibrowser _ _
(enabled by default). o' \,=./ `o
Author: Andreas Sandblad, [email protected][/email] (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---


NON TECHNICAL DESCRIPTION:
==========================
It is possible to modify an existing mp3 file in such a way that it can
carries a virus. The virus is activated when the mp3 file is played in
Winamp and can then infect other mp3 files found on harddrives or network
shares. In order to protect yourself you need to upgrade to Winamp 2.80 or
disable the minibrowser.


TECHNICAL DESCRIPTION:
======================
A mp3 file can contain the ID3v2 tag. It's a newer version of the ID3v1
tag and carries information like title, artist and album. The tag is
parsed by Winamp when a mp3 file is loaded.

If the minibrowser is enabled, Winamp will try to query a script on
http://info.winamp.com for extra information about the song, based on data
from the ID3v2 tag. The buffer overflow condition occours when the url
string intended to be sent to the minibrowser is created. That means the
buffer overflow occours before any actual internet connection to
info.winamp.com is beeing made.

The easiest way to test the buffer overflow condition is to apply at least
159 "?" characters in the title field of the ID3v2 tag. When playing the
mp3 file in Winamp 2.79 the following error log was created:

Access violation - code c0000005 (first chance)
eax=00000021 ebx=00000000 ecx=0012bd00 edx=00000032 esi=00000113
edi=00000113
eip=32253132 esp=00129c08 ebp=25313225 iopl=0 nv up ei pl zr na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00010246
32253132 ?? ???

If we debug Winamp we notice that the created url to be sent to the
minibrowser looks something like this:
http://info.winamp.com/winamp/WA.ht...1%21%21%21%2...(alot)...%21Cid=winamp&Tid=&Track=%21%21%21%...(alot)...
We also understand that the buffer is overwritten by maximum one NULL
character, making the register esp change to 0x129c00. The esp is then
incremented by 0x4 and a ret is done, sending the program to the address
found in 0x129c04.

We need the stackpointer 0x129c04 to be in a dataspace we are in control
of. Seems like we are lucky! The url string is stored from 0x1298d8 to
0x129cd8, thus it seems like we can control the eip. And in fact we can.
Simply check the eip of the error log. It displays eip=0x32253132, that is
hex for "2%12". Seems like the stack pointer is located somewhere in our
url string containing "...%21%21%21%21...". (Remember that memory
addresses are retrieved backwards!)

So how do we exploit this thing? Well normal buffer overflow exploit is to
return to anywhere in memory where we can find JMP ESP (opcode 0xFFE4) in
order to get back to the string that caused the buffer overflow. This
method is used because normal buffer overflows are only limited to the
fact that they can't insert 0x00 in the return adress because of string
operations.

The problem we face is we can only use characters a-z, A-Z, 0-9, ".",
because all others will be escaped to %HEX. That means the addresses
containing the JMP ESP instruction we need to find are a bit limited (but
of course in most cases not impossible to find as we only need one
location). Since the versions of the system .dll files Winamp import at
launch is OS and system dependent, it really depends on the system if we
are able to find an available address containing the JMP ESP assembler
instruction.

Once we control the eip we have to do something useful. Since we still are
limited in what kind of opcodes we can construct, it's better to try to
get somewhere in memory where our url is not escaped (ex. ! to %21). When
debugging we notice the register ecx is 0x12bd00 and points to a copy of
our url partly unescaped. So if we somehow can increase the ecx and change
the memory to do JMP ECX we are on a address where we can create any
opcode we want. This can be done with opcodes like:
0x66335142 ("f3QB") XOR DX,[ECX+0x42]
0x4A ("J") DEC EDX
0x665A ("fZ") POP DX
0x6652 ("fR") PUSH DX

It's not an easy task to perform the above and on some OS it has to be
done differently, but still it's possible.


Disclaimer:
===========
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.


Feedback:
=========
Please send suggestions and comments to: _ _
[email][email protected] o' \,=./ `o
(o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad,
student in Engineering Physics at the University of Umea, Sweden.
-/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--


___________________
Palm Trees > Pine Trees , Sand > Snow

Last edited by dEsidEL on Apr-27-2002 at 23:03

Old Post Apr-27-2002 22:37  Micronesia-Federal State of
Click Here to See the Profile for dEsidEL Click here to Send dEsidEL a Private Message Add dEsidEL to your buddy list Report this Post Reply w/Quote Edit/Delete Message
discitelli
Supreme tranceaddict



Registered: Jan 2002
Location: Melbourne

so in simple language, how do we stop it? I'm sure Nortons will figure the problem out.

AAgggh......why do people make viruses?

Old Post Apr-27-2002 22:43  Australia
Click Here to See the Profile for discitelli Click here to Send discitelli a Private Message Add discitelli to your buddy list Report this Post Reply w/Quote Edit/Delete Message
Shudder
Supreme tranceaddict



Registered: Sep 2000
Location:

thanks for the security info. i'd better be on the lookout
may as well update my winamp

Old Post Apr-27-2002 22:44  Canada
Click Here to See the Profile for Shudder Click here to Send Shudder a Private Message Add Shudder to your buddy list Report this Post Reply w/Quote Edit/Delete Message
Werewolf
Supreme tranceaddict



Registered: Jan 2002
Location:

quote:
Originally posted by discitelli
so in simple language, how do we stop it? I'm sure Nortons will figure the problem out.

AAgggh......why do people make viruses?



make sure u have the latest winamp...

Old Post Apr-27-2002 22:51  Turkey
Click Here to See the Profile for Werewolf Click here to Send Werewolf a Private Message Add Werewolf to your buddy list Report this Post Reply w/Quote Edit/Delete Message
Keown
Sarah Mclachlan Addict



Registered: Feb 2002
Location: N. Ireland

Thanx mate for the info - lets just hope no other ways of puttin virus into MP3 files r found, otherwise it would b flippin crazy!


___________________
https://my.gameservers.com/images/gametracker.php?ip_address=217.163.30.28&game_port=28960&banner=banner_560x95.png

Old Post Apr-27-2002 23:15  United Kingdom
Click Here to See the Profile for Keown Click here to Send Keown a Private Message Visit Keown's homepage! Add Keown to your buddy list Report this Post Reply w/Quote Edit/Delete Message
jon
Respect Mah Authoritah



Registered: Nov 2001
Location: Leeds

I dont know about the virus, but to ensure you never loose your mp3's (or anyother data) BACK UP! cd writers are getting cheeper and cheeper (yeah they may not be 12x speed, but they do the job) and blank cd's are cheep if you buy in bulk, so back upm that way it cant be lost.

Jon


___________________

Beware of killer hamsters and the random running dogs.

Old Post Apr-28-2002 00:50 
Click Here to See the Profile for jon Click here to Send jon a Private Message Add jon to your buddy list Report this Post Reply w/Quote Edit/Delete Message
Rakoon
2001 - 2003



Registered: Jun 2001
Location: Gone
Re: Mp3 Viruses

quote:
Originally posted by dEsidEL
In order to protect yourself you need to upgrade to Winamp 2.80 or
disable the minibrowser.


Theres your solution Thanks for the heads-up though.

Old Post Apr-28-2002 01:37 
Click Here to See the Profile for Rakoon Click here to Send Rakoon a Private Message Add Rakoon to your buddy list Report this Post Reply w/Quote Edit/Delete Message
DamnDirtyApe
BananaAddict



Registered: Mar 2002
Location: Toronto

Yikes... just backing up about 4+ gigs of mp3's now..

And I can vouch for FTP's being the best way to trade music!

(BTW visit mine!)

Old Post Apr-28-2002 01:49  Canada
Click Here to See the Profile for DamnDirtyApe Click here to Send DamnDirtyApe a Private Message Add DamnDirtyApe to your buddy list Report this Post Reply w/Quote Edit/Delete Message
KilldaDJ
birth.school.trance.death



Registered: Sep 2001
Location: tranceaddict wants to know your location
Talking

i dont use the minibrowser and i usually play my mp3s in windows media player 6.4 or atomixmp3 for mixing
so im chuffty


___________________


Found Atlantis - Mixography [mix archive/mokumentary/my soul]?
i writed a song.

Old Post Apr-28-2002 11:17 
Click Here to See the Profile for KilldaDJ Click here to Send KilldaDJ a Private Message Visit KilldaDJ's homepage! Add KilldaDJ to your buddy list Report this Post Reply w/Quote Edit/Delete Message
whiskers
old skool



Registered: Sep 2001
Location: in your dreams

is it the music industry starting another anti-mp3 campaign, trying to scare the shit out of people? geez!

Old Post Apr-28-2002 13:28  Ukraine
Click Here to See the Profile for whiskers Click here to Send whiskers a Private Message Add whiskers to your buddy list Report this Post Reply w/Quote Edit/Delete Message
Rostros
Carbon Sasquatch



Registered: Dec 2001
Location: United Kingdom

you know what i dont care if i get a virus coz everything is backed up and its just a quick reinstall of windows which takes 10 minz . :]


___________________

" You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip
through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us will-
ing pupils, but those few are like drops of water in the desert."

Old Post Apr-28-2002 17:37  United Kingdom
Click Here to See the Profile for Rostros Click here to Send Rostros a Private Message Add Rostros to your buddy list Report this Post Reply w/Quote Edit/Delete Message
Joost008
...Walking on Clouds...



Registered: Sep 2001
Location: Raalte, the Netherlands

Thats pretty shitty a virus in mp3's hmmm not nice

Grtz


___________________
Some dance to Remember, Some dance to Forget....

My Songs of the Moment:
Madonna - Die Another Day (DJ Tiesto Remix)
DJ Danjo & Rob Styles - Duende (Signum Remix)
Hertz - Recreate (Montana Re-Edit)

Old Post Apr-28-2002 19:14  Netherlands
Click Here to See the Profile for Joost008 Click here to Send Joost008 a Private Message Visit Joost008's homepage! Add Joost008 to your buddy list Report this Post Reply w/Quote Edit/Delete Message

TranceAddict Forums > Main Forums > Music Discussion > Mp3 Viruses
Post New Thread    Post A Reply

Pages (2): [1] 2 »  
Last Thread   Next Thread
Click here to listen to the sample!Pause playbackI'm searchin this track from last year [2003] [3]

Click here to listen to the sample!Pause playbackBody Shock - "Mars-plastic" (Original Mix) [2004]

Show Printable Version | Subscribe to this Thread
Forum Jump:

All times are GMT. The time now is 15:06.

Forum Rules:
You may not post new threads
You may not post replies
You may not edit your posts
HTML code is ON
vB code is ON
[IMG] code is ON
 
Search this Thread:

 
Contact Us - return to tranceaddict

Powered by: Trance Music & vBulletin Forums
Copyright ©2000-2026, Jelsoft Enterprises Ltd.
Privacy Statement / DMCA
Support TA!