The recording industry may be publishing spyware-infested copies of their songs on P2P networks, according to a PC World story by Andrew Brandt and Eric Dahl.
The files are Windows Media files carrying a DRM license-acquisition URL. When the user plays such a file, Windows Media Player opens that URL in a browser window without the user choosing to visit it. For the files at issue here, the page at that URL uses various spyware-insertion tricks to try to infect the user’s machine with standard spyware programs. Ben Edelman reports that when he clicked on one such page, “My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs…” Ed Bott notes that fully patched systems won’t catch spyware from this file unless the user foolishly accepts the download prompts; but Ben Edelman argues that the page is built to mislead the user into accepting them, and in any case we know that users often are fooled by such tricks.
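As an added illustration (not code from the original post or from any of the parties it names): a small Python scanner that reads the header of a Windows Media (ASF) file and reports the license-acquisition URLs it carries, so a suspect download can be checked before anything is played. The object layout and GUIDs come from the ASF specification; the sample file is constructed inside the script, and its URL is a placeholder, not one of the servers discussed here.

```python
import re
import struct
import uuid

# Object GUIDs from the ASF specification; on disk they are stored little-endian.
HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")
HEADER_FIXED = 30  # GUID(16) + size(8) + object count(4) + two reserved bytes
OBJECT_FIXED = 24  # GUID(16) + size(8)


def _blob(buf, pos):
    """Read one DWORD-length-prefixed field; returns (bytes, new_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    return buf[pos:pos + n], pos + n


def _content_encryption_url(body):
    # Fields: Secret Data, Protection Type, Key ID, License URL (all DWORD-prefixed)
    pos = 0
    for _ in range(3):
        _, pos = _blob(body, pos)
    url, _ = _blob(body, pos)
    return [url.split(b"\x00", 1)[0].decode("ascii", "replace")]


def _ext_content_encryption_urls(body):
    # WMDRM: DWORD size + WRMHEADER XML (UTF-16LE) whose <LA_URL> names the license server
    xml, _ = _blob(body, 0)
    return re.findall(r"<LA_URL>(.*?)</LA_URL>", xml.decode("utf-16-le", "replace"), re.S)


def license_urls(data):
    """Every license-acquisition URL in an ASF header; [] if none or the file is not ASF."""
    if len(data) < HEADER_FIXED or data[:16] != HEADER_OBJECT.bytes_le:
        return []
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos, urls = HEADER_FIXED, []
    for _ in range(count):
        if pos + OBJECT_FIXED > end:
            break  # truncated header: stop rather than read past the end
        obj_id = data[pos:pos + 16]
        (obj_size,) = struct.unpack_from("<Q", data, pos + 16)
        if obj_size < OBJECT_FIXED or pos + obj_size > end:
            break  # object size lies about the file: treat as hostile and stop
        body = data[pos + OBJECT_FIXED:pos + obj_size]
        try:
            if obj_id == CONTENT_ENCRYPTION.bytes_le:
                urls += _content_encryption_url(body)
            elif obj_id == EXT_CONTENT_ENCRYPTION.bytes_le:
                urls += _ext_content_encryption_urls(body)
        except struct.error:
            pass  # a length field runs past the object: skip it, keep scanning
        pos += obj_size
    return urls


# --- constructed sample file (not one of the files from the post) ------------
def _asf_object(guid, body):
    return guid.bytes_le + struct.pack("<Q", OBJECT_FIXED + len(body)) + body


def _field(b):
    return struct.pack("<I", len(b)) + b


def build_sample(url):
    """Minimal ASF header carrying the same license URL in both places WM DRM can store it."""
    enc = _asf_object(CONTENT_ENCRYPTION,
                      _field(b"\x00" * 8) + _field(b"DRM\x00") + _field(b"KID0\x00")
                      + _field(url.encode("ascii") + b"\x00"))
    xml = '<WRMHEADER version="2.0.0.0"><DATA><LA_URL>%s</LA_URL></DATA></WRMHEADER>' % url
    ext = _asf_object(EXT_CONTENT_ENCRYPTION, _field(xml.encode("utf-16-le")))
    objs = enc + ext
    return HEADER_OBJECT.bytes_le + struct.pack("<QIBB", HEADER_FIXED + len(objs), 2, 1, 2) + objs


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample("http://license.example.invalid/get.asp")
    for u in license_urls(data):
        print("license URL:", u)
```

Run it with a path to a .wma or .wmv file to see where playback would send the browser; with no argument it scans the constructed sample. The scanner never trusts the size fields further than the bytes actually present, which matters for a file whose whole purpose is to be handed to unsuspecting software.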
Even more interesting, PC World reports that, for at least one such file, the spyware-distribution page is hosted by Overpeer, a company that does lots of business with the recording industry. (It’s not clear whether the particular file Ben Edelman studied had any relation to Overpeer.) Overpeer, for example, is paid by the recording industry to spread spoofed files on P2P networks, in the hope that P2P users will download the fake files rather than real (infringing) ones.
The really interesting angle here, to me at least, is who approved the release of these spyware-bearing audio files onto P2P nets. It sure looks like Overpeer created the files. Did Overpeer release them? That would seem likely.
If Overpeer did release these copyrighted songs onto P2P nets, did they have the permission of the record companies that own the copyrights on the songs? If not, then Overpeer is a P2P infringer. It seems unlikely that Overpeer would take this risk, especially since the files contain a URL that points right back to Overpeer.
So it seems more likely that the record companies gave permission. If so, is it fair to say that these particular files, which contain copyrighted music, are circulating on P2P nets with the copyright owners’ permission? And what does this say about the record industry’s incessant argument that P2P nets distribute spyware?
All of this is speculation, of course. We don’t know for sure who did or didn’t participate in the files’ release. But it’s hard to see a scenario that makes both Overpeer and the record industry look good. There’s a nice investigative reporting opportunity here.
[Updated at 1:40 PM to clarify that the file tested by Ben Edelman might not be one of the files related to Overpeer. Thanks to Ben for his comment pointing this out.]
[Read the comments on this post – they’re particularly good.]
One should also be thinking along other angles here… If they (the labels, through Overpeer; they’re going to have a hell of a time proving that there wasn’t some relationship here, since Overpeer has been hired by the labels to poison the P2P space with bogus file offerings) are doing illegal or highly questionable acts, does this mean that the labels have unclean hands in the enforcement arena? If you self-help yourself and do something bogus yourself, you place an estoppel to any further civil actions against the infringers.
The record industry may be seeding spyware-infected files onto peer-to-peer networks.
Based on telephone number on their contact page, ProtectedMedia is likely located in Orange County, California (area code 949).
Ben, you don’t need to know all that stuff about isearch.com and so on. You’ve got your answer right up front. protectedmedia.com is the one causing the malicious events to occur. The rest is just details about how they do it. It doesn’t change who is responsible. The responsible party is protectedmedia.com. They are running a web site which causes harm to users’ computers and at least violates California law.
The host for protectedmedia.com is webair.com, which provides hosting and colo services. The admin and technical contact for protectedmedia.com is listed at whois.000domains.com as Jason Tucker. A press release from WebAir at http://www.webair.com/drm.html describes Jason Tucker as affiliated with Playa Solutions who has developed a DRM technology that WebAir is marketing. Playa Solutions points to a Wired article, http://www.wired.com/news/ebiz/0,1272,57348,00.html , which describes Tucker as founder of the company, whose strategy is to flood P2P networks with DRM’d content.
Putting these pieces together, I’d look to Jason Tucker, Playa Solutions, and WebAir for an explanation of why the ProtectedMedia site is violating California law and loading spyware onto users’ computers. That looks to me like the most promising line to pursue.
From the Legislative Counsel’s Summary of CA SB 1436:
“The bill would also prohibit a person or entity who is not an authorized user from inducing an authorized user to install a software component by intentionally misrepresenting that it is necessary for security or privacy or in order to open, view, or play a particular type of content.”
Does it not seem, based on the reports linked to in the original entry by Ed, that this is precisely what is going on here? If so, then CA law is being broken, it seems to me. The question is, by whom?
Cyberpunk, I completely agree that tracking web site accesses is generally a good way to figure out who’s behind an online scam. Recall that I suggested following the money trail to figure out who was behind my November 2004 videos of spyware installing through security holes.
But here it’s not so simple. The Windows Media file caused my computer to request a web page from protectedmedia.com, and that web page in turn used OBJECT tags to load ActiveX controls from hotsearchbar.com and isearch.com as well as a script from Gator’s webpdp.gator.com server. I have on hand all the installer IDs of these installations — so if someone from hotsearchbar.com/isearch.com or Gator wanted to (or were forced to) tell us what company is associated with these installer IDs, they could certainly do so. But I don’t see how ordinary internet users — even gumshoes — can, without the power of a subpoena, find out who the bad guys are here.
An additional wrinkle here is that if Overpeer really were behind these scams, they might run the installs without installer IDs or with missing, invalid, or third-party installer IDs. If Overpeer is foisting spyware onto users’ PCs, it might not be doing this to earn the installation commissions, but rather just to mess up users’ computers (and discourage them from using P2P in the future). So even if Overpeer were behind these files, I’m not sure the hyperlinks would directly or even indirectly reference Overpeer.
Ben
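The page a file like this fetches is, as Ben describes, mostly OBJECT tags whose codebase attributes and SCRIPT tags point at other hosts. As an added example (not from the original thread), the following Python script pulls those loaders out of a saved copy of such a page and lists the third-party hosts and the query parameters on each loader URL. The sample page, its hosts and the CLSIDs in it are placeholders constructed for the example; the assumption that installer or affiliate IDs appear as query parameters is the script’s, not something the thread establishes.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit


class LoaderScanner(HTMLParser):
    """Collect the ActiveX controls and scripts a page asks the browser to load."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []  # dicts with keys: kind, host, url, clsid

    def _add(self, kind, src, clsid=None):
        url = urljoin(self.base_url, src) if src else ""
        self.findings.append({"kind": kind, "host": urlsplit(url).hostname or "",
                              "url": url, "clsid": clsid})

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            # codebase is where IE fetches the control from (and shows the install prompt)
            self._add("activex", a.get("codebase"), a["classid"][6:].upper())
        elif tag == "script" and a.get("src"):
            self._add("script", a["src"])


def scan_page(html, page_url):
    p = LoaderScanner(page_url)
    p.feed(html)
    p.close()
    return p.findings


def third_party_hosts(findings, page_url):
    """Hosts other than the page's own that it pulls executable content from."""
    own = urlsplit(page_url).hostname
    return sorted({f["host"] for f in findings if f["host"] and f["host"] != own})


def query_ids(findings):
    """Query parameters per host; assumption: affiliate/installer IDs usually ride here."""
    out = {}
    for f in findings:
        q = parse_qs(urlsplit(f["url"]).query)
        if q:
            out.setdefault(f["host"], {}).update({k: v[0] for k, v in q.items()})
    return out


# Constructed sample page; hosts and CLSIDs are placeholders, not the servers in the thread.
SAMPLE_URL = "http://license.example-b.invalid/play.asp"
SAMPLE_HTML = """<html><head><title>Click Yes to play this file</title>
<script src="http://scripts.example-c.invalid/pdp.js?pid=1234"></script></head>
<body>
<object classid="clsid:00000000-0000-0000-0000-000000000001"
        codebase="http://downloads.example-a.invalid/toolbar.cab?id=5678#version=1,0,0,1">
</object>
<object classid="clsid:00000000-0000-0000-0000-000000000002" codebase="/player.cab"></object>
</body></html>"""

if __name__ == "__main__":
    found = scan_page(SAMPLE_HTML, SAMPLE_URL)
    for f in found:
        print(f["kind"], f["host"], f["url"], f["clsid"] or "")
    print("third-party hosts:", third_party_hosts(found, SAMPLE_URL))
    print("query ids:", query_ids(found))
```

Feed it a page saved with the browser (or fetched from a throwaway machine) rather than a live request from the analysis box: the point of the scan is to see which hosts the page would pull controls from without letting any of them run.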
Ben, that file accessed an Internet web site, right? That’s where your trojans and such came from. You’re never going to track down the source of the file, but you could try to figure out who owns and runs the web site. That’s where your attention ought to be focused. As I said, if you’d publish the address of that site I’m sure people would be helpful in digging out information about it.
I don’t think it’s totally clear — not yet, at least — which files come from Overpeer. The file I tested is definitely bad news (31 different spyware programs installed if the user presses “Yes” once, in a dialog with a substantially misleading title and a bare-bones & seriously incomplete supposed license agreement). But did it come from Overpeer? I have no way to know — it was provided to me by email for testing.
PC World tested (what seems to be) a different file, and reported that that file had come from Overpeer. But not having tested that file for myself, I don’t know how misleading its installation was. (From the looks of the screen-shot PC World posted, it was misleading but perhaps a bit less so than what I tested.)
[I updated the main post to clarify this point. — Ed Felten]
If Overpeer is the site presenting the spyware files, you don’t need to go any farther in knowing who is the bad guy. They should be forced to defend this practice, or stop doing it. Any site which is knowingly hosting files that infect a computer without the owner’s permission is at fault and should be liable. Please publish the IP address or DNS name where the attack files are made available and we can all see for ourselves who it belongs to.
This doesn’t use any new vulnerabilities, nor does it install anything automatically. The DRM file loads a web page in a dialog box. The Web page prompts the user to install one or more ActiveX controls. If the user clicks yes, and they have no auxiliary form of protection, the ActiveX program is installed and begins doing its badness.
I have more details and screen shots at my blog, and Ben Edelman has details of what happens with older operating systems on his site. Both pages are linked in the post above.
Which vulnerabilities are used and is there a fix available, please?
Sounds like any passing malware maker could use the same vulnerability to cause havoc.
IANAL (or a Californian), but wouldn’t this activity be illegal under the CA anti-spyware law now in effect?