Winamp skin exploit. Being used as a vector for infection

  • DaWolfey
    Junior Member
    • Aug 2004
    • 18

    Winamp skin exploit. Being used as a vector for infection

    Hi

    I've just seen a new worm spreading across IRC. Clicking a link sends you a Winamp skin file; it appears to change your skin, then (if you are using mIRC) it adds a new script which sends the link to other people.

    Here is the link - I have obfuscated it slightly to prevent accidental clickage. To use it, remove all the *s from the url.

    [edit -> egg] Link removed [/edit]

    I hope the winamp team can analyse this, and if it IS causing infection, can resolve it quickly.
    Last edited by DJ Egg; 26 August 2004, 22:23.
  • DaWolfey
    Junior Member
    • Aug 2004
    • 18

    #2
    If the above link stops working, I have downloaded the files that it sends.

    • DJ Egg
      Spectral Techorator
      • Jun 2000
      • 36157

      #3
      /moved from Tech Support to Discussion

      Here's the link...
      copy+paste/use at one's own risk:

      [edit -> egg] link removed [/edit]

      Yeah, it calls a php script which loads a .wsz file, which contains a worm. Dodgy shit!
      Last edited by DJ Egg; 26 August 2004, 22:22.

      Playlist | Twitter | Albums

      • mikm
        Major Dude
        • May 2001
        • 1293

        #4
        Hmmm....it doesn't appear to be a valid application or skin (i.e. cannot be uncompressed).
        powered by C₈H₁₀N₄O₂

        • DaWolfey
          Junior Member
          • Aug 2004
          • 18

          #5
          [edit steve] Removed to reduce impact of exploit. Fix is underway. [/edit]

          • Russ
            Mostly Harmless
            (Alumni)
            • Jan 2001
            • 2319

            #6
            That's just a really cunning way of circumventing IE's zone restrictions. Not really sure whose fault it is.
            For long you live and high you fly, but only if you ride the tide, and balanced on the biggest wave you race towards an early grave.
            |Musicbrainz|Audioscrobbler|last.fm|

            • shaneh
              Major Dude
              • Jan 2004
              • 1193

              #7
              Yeah it is kind of an exploit in IE.. I am not sure if SP2 fixes this problem. However, I think it is a bit of an exploit on behalf of Winamp in that it allows all files contained within a .zip file to be copied to the local machine to a predictable location without prompts. This could be exploited in quite a number of ways...

              Just restricting .exes won't fix it either, as .htas, .js, .bat etc could be abused too. Even .htm files can be dangerous when run from the local machine.

              EDIT: I realised it doesn't put it in a predictable location, as it is extracted to a random temp directory. But nonetheless, downloading and saving arbitrary files to the local machine without prompting is not a terribly good idea.

              As for below: You cannot inspect a .wsz file before it is downloaded and used. IE automatically downloads it and sends it to Winamp without any prompts, which then automatically extracts it and 'executes' it.
              Last edited by shaneh; 22 August 2004, 05:56.
              Music Plugins
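
The point made in post #7 above (restricting only .exe is not enough, since .hta, .js, .bat and even .htm members can be abused), as an added example that is not part of the original thread or Winamp's own code: a Python check that audits a skin archive against an extension allowlist before anything is extracted. The allowlist (.bmp, .cur, .txt, .ini for a classic skin) and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed allowlist for a classic (.wsz) skin: bitmaps, cursors, text configs.
ALLOWED_EXT = {".bmp", ".cur", ".txt", ".ini"}
# The denylist approach the post warns about: it blocks only .exe.
DENIED_EXT = {".exe"}


def audit_skin(data: bytes) -> dict:
    """Return the members rejected by the allowlist and by the naive .exe denylist."""
    rejected_allow, rejected_deny = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            ext = path.suffix.lower()
            # Absolute paths, ".." components and ":" (drive letter or stream
            # name) would let a member land outside the extraction directory.
            escapes = path.is_absolute() or ".." in path.parts or ":" in name
            if escapes or ext not in ALLOWED_EXT:
                rejected_allow.append(info.filename)
            if ext in DENIED_EXT:
                rejected_deny.append(info.filename)
    return {"allowlist": sorted(rejected_allow), "denylist": sorted(rejected_deny)}


def build_sample() -> bytes:
    """Constructed sample archive: skin files mixed with script and HTML members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("main.bmp", "viscolor.txt", "skin.xml",
                     "readme.htm", "run.hta", "setup.bat", "tool.exe"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_skin(build_sample())
    print("allowlist rejects:", result["allowlist"])
    print("denylist rejects: ", result["denylist"])
```

On the sample, the .exe-only denylist flags a single member while the allowlist flags every member that is not a plain skin asset.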

              • k_rock923
                \m/
                (Forum King)
                • Jul 2003
                • 7850

                #8
                Wouldn't someone notice that there's an xml file in a .wsz??
                Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.

                • wildrose-wally
                  The Albertan
                  • Mar 2001
                  • 6132

                  #9
                  Originally posted by k_rock923
                  Wouldn't someone notice that there's an xml file in a .wsz??
                  It would not matter if it was a .wal or a .wsz file, nobody would notice, unless they opened the file in WinZip, or checked the temp folder where the skin is extracted to.
                  (In a .wal file there are supposed to be .xml files anyway.)

                  I don't think many users actually do this, unless they are skin reviewers.

                  • k_rock923
                    \m/
                    (Forum King)
                    • Jul 2003
                    • 7850

                    #10
                    Good point, wally. I only open the files of skins that I want to see how something was done. I know there are xmls in modern skins. I guess that's what I kind of meant. Oh well.
                    Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.

                    • Kickboy12
                      Senior Member
                      • Oct 2003
                      • 242

                      #11
                      This isn't an IE exploit. It can affect Firefox too if you're not careful. It's entirely a Winamp exploit, 'cause even in Firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

                      The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.
                      [@imho] man
                      [@imho] I had dreams about unit testing last night :-(
                      [@sim`a] i have nightmares about syntax errors, whats your point

                      • cerebri
                        Junior Member
                        • Aug 2004
                        • 3

                        #12
                        This was one nasty little worm.
                        "Luckily" I found the source of it.. if you would like to check it out it can be found here

                        [edit -> egg] link removed [/edit]
                        Download it at your own risk.


                        Hope this can help you ppl in some way...
                        Last edited by DJ Egg; 26 August 2004, 22:26.

                        • Franky752
                          Junior Member
                          • Aug 2004
                          • 1

                          #13
                          advisory

                          Here is the exploit used: Winamp <=5.04 Skin File (.wsz) Remote Code Execution Exploit

                          [edit --> egg] link removed [/edit]

                          and here is the advisory


                          and where is the patch?
                          Last edited by DJ Egg; 26 August 2004, 22:29.

                          • morgado
                            Major Dude
                            • Apr 2003
                            • 1097

                            #14
                            Relax ... just don't download skins for now and wait for 5.05 ...
                            I Love You Ana Luiza
                            MSN

                            • cerebri
                              Junior Member
                              • Aug 2004
                              • 3

                              #15
                              and when will that be? :P
