A couple of days ago McAfee posted an interesting blog entry detailing the aggressive use of fake MP3 files to trick victims into installing a potentially unwanted application (PUA). The article gathered some press, not least because the fake MP3 files were assigned a threat level of ‘medium’ for McAfee’s home users.
Users are most likely to receive the fake MP3 files through a file-sharing network. The files carry an enticing filename (most likely with an MP3 or MPG extension) to encourage the victim to download and open them.
If the user does download and open the media file, they get no audio or video clip at all; instead they are redirected to a remote website and prompted to download and install an executable named PLAY_MP3.EXE.
If allowed to run, the PLAY_MP3.EXE installer proceeds to install a potentially unwanted adware application, which Sophos detects as PlayMP3z.
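The lure works because the filename extension, not the file content, sets the user's expectation. The following Python script is an added example (not code from the original post, nor from Sophos or McAfee) of the check a practitioner would want: it flags supposed media files whose magic bytes do not match their extension and pulls out any embedded http(s) URLs so they can be compared against a web filter's block list. It assumes, for this example, that the fake MP3s are Windows Media (ASF) containers carrying a URL string; the sample file it builds and the hostname inside it are constructed for illustration and are not taken from the real campaign.

```python
import re
import sys
from pathlib import Path, PurePath

# Header GUID of the ASF (Windows Media) container. Assumption for this
# example: the fake MP3s are ASF files that carry a URL for the media
# player to open, so a ".mp3" whose bytes say "ASF" is the red flag.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")

# What the bytes should look like for each lure extension mentioned above.
EXPECTED_CONTAINER = {".mp3": {"mp3"}, ".mpg": {"mpeg"}, ".mpeg": {"mpeg"}}

URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)


def sniff_container(data: bytes) -> str:
    """Return the container type implied by the magic bytes, not the filename."""
    if data.startswith(b"ID3"):
        return "mp3"          # ID3v2 tag ahead of the MPEG audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"          # bare MPEG audio frame sync (11 set bits)
    if data.startswith(b"\x00\x00\x01\xba"):
        return "mpeg"         # MPEG program stream pack header
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"MZ"):
        return "pe"           # a Windows executable renamed to look like media
    return "unknown"


def embedded_urls(data: bytes) -> list[str]:
    """Collect http(s) URLs stored as ASCII or as UTF-16LE (ASF strings are UTF-16LE)."""
    found = {m.decode("ascii") for m in URL_RE.findall(data)}
    wide = data.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
    found.update(m.decode("ascii") for m in URL_RE.findall(wide))
    return sorted(found)


def assess(filename: str, data: bytes) -> dict:
    """Decide whether a supposed media file looks like a redirect lure."""
    ext = PurePath(filename).suffix.lower()
    container = sniff_container(data)
    urls = embedded_urls(data)
    reasons = []
    if ext in EXPECTED_CONTAINER and container not in EXPECTED_CONTAINER[ext]:
        reasons.append(f"{ext} file is really '{container}'")
    if urls:
        reasons.append("embedded URL(s): " + ", ".join(urls))
    return {"file": filename, "container": container, "urls": urls,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_tree(root: str) -> list[dict]:
    """Assess every file under root that carries one of the lure extensions."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXPECTED_CONTAINER:
            results.append(assess(path.name, path.read_bytes()))
    return results


def make_fake_mp3() -> bytes:
    """Constructed sample for the demo: an ASF header followed by a UTF-16LE URL.
    The hostname is made up; it is not the URL from the real campaign."""
    url = "http://download.example.invalid/PLAY_MP3.EXE"
    return ASF_HEADER_GUID + b"\x00" * 16 + url.encode("utf-16-le")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        reports = scan_tree(sys.argv[1])        # e.g. a P2P download folder
    else:
        reports = [assess("hot_new_single.mp3", make_fake_mp3()),
                   assess("real_song.mp3", b"ID3\x04\x00" + b"\x00" * 20)]
    for r in reports:
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['file']}  ({r['container']})  {'; '.join(r['reasons'])}")
```

Run it with a directory argument to sweep a download folder; without one it assesses the constructed sample. The UTF-16LE decode matters: an ASF script command stores its URL as wide characters, so a plain ASCII `grep http://` over the file finds nothing.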
So what is the risk from this threat?
- The PLAY_MP3.EXE installer has been proactively detected as the PlayMP3z Installer application since December 2007
- The fake MP3 files are detected as Troj/Wimad-E (detection was updated yesterday to cover this new variant)
- The URL from which the installer is downloaded has been blocked by Sophos's web security appliance as ‘High Risk’ since the beginning of May.
McAfee's home-user statistics make it clear that vast numbers of users have downloaded these fake MP3 files. This case is a perfect example of the dangers of file sharing (across P2P networks or otherwise). Corporate users (for whom the use of P2P networks is frowned upon) are unlikely to be at risk from this threat. Maintaining control over what software is allowed to run on your endpoints helps to minimise the risk to your network.