Advertise With Us

Vulnerabilities / Threats

5/7/2008
02:13 PM

Thomas Claburn
News

Connect Directly

0 comments
Comment Now

50%

Fake MP3 Trojan Detected On 27% Of PCs

McAfee Avert Labs says more than half a million of the adware programs disguised as media files have been detected in less than a week.

Since Friday, more than half a million Trojan horse programs disguised as media files have been detected on consumer PCs, according to McAfee Avert Labs.

"This is one of the most prevalent pieces of malware in the last three years," said Craig Schmugar, a McAfee Avert Labs researcher, in an e-mailed statement. "We have never before had a threat this significant that arrives as a media file."

The Trojan malware, Downloader-UA.h, was added to the McAfee database several days ago. In the past 24 hours, it has been detected by McAfee VirusScan Online on more than 119,000 computers out of almost 436,000 scanned, an infection rate of 27%. Other malware McAfee is tracking exhibits an infection rate in the 1% to 5% range.

The malware does not affect computers running Mac OS X.

The malicious media files appear to be either MP3 audio files or MPEG video files and can be found on file-sharing services like LimeWire and eDonkey. McAfee believes they were placed there by cybercriminals.

When a user tries to play one of the infected media files, he or she is prompted to download a file called PLAY_MP3.exe, Schmugar explained in a blog post. The file does not contain music or video as advertised. Rather, the Trojan program -- Downloader-UA.h -- presents users with an end-user license agreement. If the user agrees to the terms set forth in the 4,800-word EULA, he or she consents to the installation of NetNucleus' Mirar Toolbar adware, and the Trojan downloads the adware "FBrowsingAdvisor" and "SurfingEnhancer," which serve pop-up and pop-under ads.

"In the end you're left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads," Schmugar wrote.

In December 2006, NetNucleus threatened to sue security company Sunbelt Software for categorizing its Mirar software as adware. Mirar, the company insisted in a letter, "is a bona fide search tool that collects keywords from Web sites to direct users towards similarly themed sites." A month later, Sunbelt's attorney responded, insisting in a letter that Mirar's designation as adware was accurate.

Comment |

Email This |

Print |

RSS

More Insights

Webcasts

Simplified IT 105: Making the Most Of the Cloud

eSecurity 101: Protecting the Customer-Facing Website

More Webcasts

White Papers

Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management

Transforming Business Performance with Hybrid Network

More White Papers

Reports

Ponemon Institute Research: How IT security is addressing threats to structured and unstructured data

You're Not as Agile as You Think

More Reports

Comments

Newest First | Oldest First | Threaded View

[close this box]

Be the first to post a comment regarding this story.

Partner Perspectives

What's This?

In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.

VIEW LATEST PERSPECTIVES

Featured Writers

Live Events

Webinars

More UBM Tech
Live Events

App Developer Conference @ GDC Next

iBeacons, BLE beacons and Everything in Between: Unpacking Proximity Sensing Technology @ Black Hat Europe

Mobile Conversion is Broken: How To Fix It with Smart Mobile Design @ App Developers Conference

White Papers

Global Network Service Providers: Security a Position to Challenge the Botnet

Cloud: The Future of Business Communication

6 Benefits of Upgrading to Modern Operating Systems

Dell Latitude 5000 & 7000 Series: Choosing the Best PC's for the Job

Transforming Business Performance with Hybrid Network

More White Papers

Cartoon

Latest Comment: Telecommuting as imagined by Dark Reading cartoonist John Klossner.. LOL

Cartoon Archive

Current Issue

Dark Reading's October Tech Digest

Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Flash Poll

All Polls

Video

All Videos

Slideshows

The Internet of Things: 7 Scary Security Scenarios

7 comments | Read | Post a Comment

Be Aware: 8 Tips for Security Awareness Training

7 Reasons To Love Passwords

More Slideshows

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading OR #DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2014-4023

Published: 2014-10-28
Cross-site scripting (XSS) vulnerability in tmui/dashboard/echo.jsp in the Configuration utility in F5 BIG-IP LTM, APM, ASM, GTM, and Link Controller 11.0.0 before 11.6.0 and 10.1.0 through 10.2.4, AAM 11.4.0 before 11.6.0, AFM and PEM 11.3.0 before 11.6.0, Analytics 11.0.0 through 11.5.1, Edge Gate...

CVE-2014-8505

Published: 2014-10-28
Multiple cross-site scripting (XSS) vulnerabilities in Etiko CMS allow remote attackers to inject arbitrary web script or HTML via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php.

CVE-2014-8506

Published: 2014-10-28
Multiple SQL injection vulnerabilities in Etiko CMS allow remote attackers to execute arbitrary SQL commands via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php.

CVE-2003-1599

Published: 2014-10-27
PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable.

CVE-2010-5077

Published: 2014-10-27
server/sv_main.c in Quake3 Arena, as used in ioquake3 before r1762, OpenArena, Tremulous, and other products, allows remote attackers to cause a denial of service (network traffic amplification) via a spoofed (1) getstatus or (2) rcon request.

Best of the Web

Infighting, Politics Hampering Cybersecurity Progress in Washington

FBI Created Fake Seattle News Story to Catch Bomb Threat Suspect

NOAA employee charged with stealing U.S. dam information

Phishing Campaign Linked with “Dyre” Banking Malware

Targeted Attacks: Stealing Information Through Google Drive

Dark Reading Radio

Archived Dark Reading Radio

Security Reports From the Field

Follow Dark Reading editors into the field as they talk with noted experts from the security world.

FULL SCHEDULE | ARCHIVED SHOWS