Anonymous writes "April 2003

While conversing with a security group, I sent this iformation and learned this about WMP:

I have been seeing a lot more of these lately and am curious how it is accomplished and how it can be undone.

MPG, AVI and DVD movies that open your default web browser and take you to some site, usually porn.

How is executable coding inserted into a media file?

Why doesn't media players prevent such an execution?

How can the media file be edited to remove the data?

KaZaa abounds with such files.
For example, while searching for Air Pisto Engine,
this result was named Piston Popping Fun and under the title of Get your engine working.

While I appreciate the comparison, it wasn't what I sought at the time... A short porn flick.

A search shows the title should be:
f**king_Machine-Tanya.mpg
about 1.34 Mb

When viewed in Windows Media Player, it starts and then kicks open your browser and takes you to this site:
http://www.amateur-initiations.com/main.htm

I opened the MPG in a hex editor, but didn't find the URL.

It isn't that I am going to a webpage and opening a media file, it is that I am opening a media file and being taken to a web page.

Is it actually possible to insert JAVA code into MPG files?

I sifted through a bunch of M$ posts, but they all seem to point to the browser as the problem and none I found addressed the media file as the problem. Nor did any come close enough to matching this effect, let alone, resolving it.

Somehow, the MPG movie, is passing a code to WMP.
And then WMP is opening the browser.

Oh, and very important, I have now tested this in IrfanView, PowerDVD and in MPGplay, and none open the browser, which suggests an exploit in WMP.
If that helps...
==========================================================================
After posting this information, I received this reply:

While note exactly an answer, this may help.

Introduction
I found a number of serious privacy problems with Microsoft's Windows Media Player (WMP) for Windows XP. A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC. These problems which introduced in version 8 of WMP which ships preinstalled on all Windows XP systems.

In particular, the privacy problems with WMP version 8 are:

* Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD. When this contact is made, the Microsoft Web server is given an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular WMP player. With this two pieces of information Microsoft can track what DVD movies are being watched on a particular computer.

* The WMP software also builds a small database on the computer hard drive of all DVD movies that have been watched on the computer.

* As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8 does not disclose that the fact that WMP phones home to get DVD title information, what kind of tracking Microsoft does of which movies consumers are watching, and how cookies are used by the WMP software and the Microsoft servers.

* There does not appear to be any option in WMP to stop it from phoning home when a DVD movie is viewed. In addition, there does not appear any easy method of clearing out the DVD movie database on the local hard drive.

Technical Details
When a DVD movie is played by the WMP, one of the first thing that WMP does is to query via the Internet a Microsoft server for information about the DVD. The query is made using the standard HTTP protocol that is also used by Web browsers like Internet Explorer or Netscape Navigator.

Using a packet sniffer I was able to observe WMP making these queries to a Microsoft server each time a new DVD movie was played. The packet sniffer also showed the movie information which was returned to WMP by the Microsoft servers.

The first HTTP GET request sent by WMP identified the movie being played. For example, an HTTP GET request is made for this URL for the Dr. Strangelove DVD:
http://windowsmedia.com/redir/QueryTOC.asp?WMPFriendly=true&locale=409&version=8.0.0.4477& cd=1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+ 15812+16C5D+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+ 2D0E6+2F451+38367+3CF64+4A4D6+4C001+4D517+4E51B+4FDBC+51F74 The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identify the Dr. Strangelove DVD.

This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated to the WMP software.

The HTTP GET request also included a ID number in cookie which uniquely identifies my WMP player. Here's what this cookie looks like:
MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086 By default, this cookie is anonymous. That is, no personal information is associated with the cookie value. However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie. For example, when I signed for the Windows Media newsletter, the following URL was sent to Microsoft servers:
http://windowsmedia.com/mg/[email protected]&format=HTM The same windowsmedia.com cookie value will be sent back to Microsoft servers when signing up for the newsletter and when a DVD moive is played. In addition, using various well-known cookie synch tricks, an email address can be associated with a cookie value at any time.

Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched. There is no evidence however that Microsoft is making this connection.

The WindowsMedia.com cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch on my computer.

After a series of redirects from the WindowsMedia.Com server, information about the Dr. Strangelove movie was returned in this XML file:
http://services.windowsmedia.com/amgvideo_a/template/QueryDVDTOC_v3.xml?TOC=90a1b0d1571524ea WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory C:Documents and SettingsAll UsersApplication DataMicrosoftMedia Index. I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies watched that have ever been watched on my computer.

Because as of Feb. 14, 2002 the Windows Media privacy policy is silent about what is done with DVD information sent to Microsoft servers by the WMP software, we can only speculate what Microsoft is doing with the information. Here are some possibilities:

* Microsoft can be used DVD title information for direct marketing purposes. For example, the WMP start-up screen or email offers can be customized to offer new movies to a WMP user based on previous movies they have watched.

* Microsoft can be keeping aggregrate statistics about what DVD movies are the most popular. This information can be published as weekly or monthly top ten lists.

* Microsoft might be doing nothing with the DVD information. (In my discussions with Microsoft, I was told this option is their current practice.)

Note: The Video Privacy Protection Act of the United States prevents video rental stores from using movie titles for direct marketing purposes. The letter of this law does not a pply to Microsoft because they are not a video rental store. However, clearly the spirit of the law is that companies should not be using movie title information for marketing purposes.
Recommendations
I believe that the Microsoft should remove the DVD movie information feature from WMP version 8 altogether. The value of feature seems very small given that almost all DVD movies include a built-in chapter guide. In addition, the Microsoft movie information feature is not available when DVD movies are shown in full-screen which is how DVD are typically watched.

If Microsoft feels that this feature is important to leave in WMP, then I think it should be turned off by default. The feature can be made privacy-friendly very easily, by having WMP never send in cookie information with movie title requests. This change will prevent Microsoft from tracking individual movie viewing choices.

==========================================================================

Unfortunately, this doesn't resolve the problem yet.
I could use one of the other media players, but they can't handle as many types of media.
I am going to run some more tests.
I plan to try some firewalls and code patching.
However, I would appreciate any help I can get.
Post your replies here.

Using Proxo, I was able to capture URLs and some data being sent. The data is coming from WMP.
But it doesn't tell me how WMP is obtaining that data from the media file.

Meanwhile, consider WMP as a commercial level spyware program with exploitable TROJAN characteristics.
"