Just playing with JoeUser's blog tool.
An article on CNET's News.com reports that spyware and virus makers, "...are using a flaw in the way the multimedia software loads graphical themes, or skins, to infect PCs with their wares. The digital music player - made by America Online subsidiary Nullsoft, whose informal mascot is the llama - improperly allows the skin files to run programs."

Users of skin programs that have the ability to apply skins automatically (like Winamp, for instance) should beware.

"The flaw is being used by some spyware makers to infect people's computers with their illicit programs, according to another group of researchers, at French company K-Otik Security. The attack had been used to spread spyware among Internet relay chat users, infecting a computer after the victim clicked on a Web address that appeared in the chat window."

In addition, and to add to the many reasons why one should start using Mozilla Firefox rather than Internet Explorer, the article continues to state:

"A malicious Web site using a specially crafted Winamp skin to place and execute arbitrary programs" could take control of a victim's computer, the company said in a Wednesday advisory. "With Internet Explorer, this can be done without user interaction."

My personal advice to all computer users is to keep yourself informed about the state of internet security so you can protect yourself from these viruses. Don't rely on your antivirus program to do all the work; it takes user education and interaction to work successfully. Beware of this latest virus scare and stay protected.

Read more about this latest virus here: CNET: Digital attacks on Winamp use 'skins' for camouflage.
Comments
on Aug 26, 2004
wow, who knew blockquote and font formatting tags didn't work on this thing. Let me fix that.
on Aug 26, 2004
I always wondered about this possibility, when I saw some of the skins phoning home for updates, and opening control windows and such. I thought that there was a lot of power not being tapped on this and how long it would be before being exploited. What a shame. But it is just typical of how the edge is once again being shown by the "bad guys." Maybe there should be a quality of standards when it comes to programs allowing that kind of operability with your system. I mean a bartender can be held accountable for serving drinks to a drunk, and allowing them to leave an establishment and cause damage. There are a lot of situations like that, maybe people should have some kind of legal recourse to being invaded. I think spam invasion, cracker intrusion and things of that ilk are akin to home invasion, and being that it usually crosses some kind of State Line or Country Boundary it should be held a Federal Crime. Use the same laws that traditional Crackers are held accountable to. I mean it's an Organised crime right? It's a concerted effort to organise millions of machines to perform some function, unbeknownst to their operators. So why not use RICO Act to go after them. I understand that a lot of these crimes / un nice acts, are being perpetrated from abroad, and user beware is usually the standard, but Damn this is getting ridiculous.
on Aug 26, 2004
Cygnus, those are great thoughts and I agree generally. However, even quality of standards checks won't catch every conceivable flaw or exploit in a system/application. The collective 'hacker' community is much more powerful than a handful of developers creating an app or even a company developing a network. Some effort should be made toward more end-user insurance/recourse. Having your system invaded shouldn't be the casually thrown around 'hazard of the work place' / 'use at your own risk' notion that it is.
on Aug 26, 2004
Makes me love QCD Player http://www.quinnware.com even more
on Aug 26, 2004
I concur, wholeheartedly. You have a point. I for one hate to see restrictions put on users.
Unfortunately any Tom, Dick and Jane can pony up the cash and take a chance on becoming one of the mass hordes of Zombie machines out there, and proliferate the "Spam Nation." hmmmm.. I like that phrase.

CygnusXII tucks phrase into hat for safe keeping.

Anyways, it is a sad day when some type of skinning is introduced into the Known Hazards Community. But as each skinnable program comes to fruition as a scripting engine of some sort, then you must ask yourself, whose skinning/scripting engine is next? What does DesktopX fall under in this respect? How will it affect an author, who creates a bad assed design, gets it "Ripped" and Edited to carry a wicked payload and "Upped" to another Site. I mean hey it will get found out eventually as a rip, but by the time it is, if it is good enough, the damage will be done...Payload delivered...you might say. Kind of adds a whole new dimension to the Ripping aspect of the community. I mean do you actually think the Spammers will balk at ripping someone's art work to deliver their goods?

Idea for Brad, Hash marking feature and function for Skinz, and they can be verified from the Correct author. If that goes into effect I expect some goodies for it.
on Aug 26, 2004
wow I am spitballing this idea with the wife, what we need is a Hashing Widget. Now I think that is original.

CygnusXII Pats self on back... hahaha!
on Aug 26, 2004
Moral of this story: minibrowsers stink. Never saw the point in them anyway.
on Aug 27, 2004
Here's the latest info on this exploit from Winamp Unlimited:


Security Exploit Advisory: Facts and Flimflam
21 hours ago
Secunia has put out a security advisory (labeled “extremely critical”) for all Winamp 5.x or 3.x users:


A vulnerability has been reported in Winamp, which can be exploited by malicious people to compromise a user’s system.

The problem is caused due to insufficient restrictions on Winamp skin zip files (.wsz). This can e.g. be exploited by a malicious website using a specially crafted Winamp skin to place and execute arbitrary programs. With Internet Explorer this can be done without user interaction.

NOTE: The vulnerability is reportedly being exploited in the wild.


Currently, the only reported malicious use of this exploit is on IRC. The following describes the user infection process of the worm:


User clicks on a link.

The linked image is not actually an image. Instead, its purpose is to run a script which opens up a URL.

The PHP file at the URL loads a WSZ or WAL file (Winamp Skin Zip files). An executable is included in the zip file, as are Winamp’s skin-xml files and an HTM which work together to run the executable.

The WSZ is downloaded and automatically installed, launching the executable. Your Winamp skin is changed. Spyware is installed on the user’s system.

If you are using MIRC, the worm will run a script which sends the link to other people.

While Secunia advises users to switch to alternative media players, DJ Egg has posted some precautionary measures and preferences-editing to prevent your browser from automatically downloading and executing skin files. This solution seems a bit more sensible.

Quakenet has posted instructions for those of you who suspect that you’ve been infected.

The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release—5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes. The Winamp iPod plug-in will most likely not be included with this update as was previously reported. The ml_ipod bundle will hopefully see a release at a later date.

(Update: CNet, SearchSecurity, and The Register have published articles regarding the security advisory. Consider this Winamp Unlimited news posting as the most up-to-date and informed source.)
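
A defender-side check for the archive layout described in the advisory above, as an added example that is not part of the original post or any Winamp code: it lists the members of a skin zip that a skin has no reason to carry, including an executable hidden behind an image name. The allow-list of skin file types, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Assumption: file types a bitmap/XML skin is expected to carry (illustrative allow-list).
SKIN_EXTS = {".bmp", ".cur", ".png", ".jpg", ".gif", ".txt", ".ini", ".xml"}
# Types that can run code or script once unpacked; the advisory names an executable and an HTM.
ACTIVE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif",
               ".vbs", ".js", ".hta", ".htm", ".html"}


def inspect_skin(data):
    """Return (member name, reason) for every archive member a skin should not contain."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ":  # DOS/PE header, whatever the extension claims
                findings.append((info.filename, "executable header"))
            elif ext in ACTIVE_EXTS:
                findings.append((info.filename, "active content"))
            elif ext not in SKIN_EXTS:
                findings.append((info.filename, "unexpected type"))
    return findings


def build_archive(members):
    """Build an in-memory zip from constructed sample members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: harmless placeholder bytes, not real skins or binaries.
CLEAN = build_archive({"main.bmp": b"BM" + b"\0" * 16, "skin.xml": b"<skin/>"})
SUSPECT = build_archive({
    "main.bmp": b"BM" + b"\0" * 16,
    "skin.xml": b"<skin/>",
    "index.htm": b"<html></html>",
    "setup.exe": b"MZ" + b"\0" * 16,
    "cbuttons.bmp": b"MZ" + b"\0" * 16,  # executable header behind an image name
})

if __name__ == "__main__":
    for name, reason in inspect_skin(SUSPECT):
        print(f"{name}: {reason}")
```

Run against a downloaded .wsz before it is handed to the player; an empty result means only that nothing on these two lists was found.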

on Aug 27, 2004
winamps aren't that good...