First MP3 virus infects millions of iPods
The virus rapidly spreads through Grokster, Kazaa, BearShare and other popular P2P networks, jumping from iTunes software to iPods. RIAA denies involvement.
When Josh Smith, 17, turned on his iPod on his way to school this morning, nothing sounded suspicious. He was happily pedaling his bike while enjoying his favorite Nirvana songs. Then, some 30 seconds into the song, the Nirvana music faded and new music appeared. Violins, many violins. “It was disgusting. I almost choked. I haven’t been exposed to such nasty music for many years. It was like a torment.” (It was later confirmed that the boy was exposed to Vivaldi’s “Four Seasons”.) “I first thought it was just one corrupted song; that somebody played a joke on me,” continued Mr. Smith, who then sheepishly admitted that he had recently downloaded a “few dozen songs” from Kazaa. “I skipped the song. Things returned to normal. Then, suddenly, more violins, and then the organ. Yikes! I began browsing through my iPod: at least half of my songs have been vandalized. Vivaldi, Bach, Mozart, jazz, country, bluegrass – my entire collection was ruined.”
“We are facing a massive worm attack on popular P2P networks,” confirms Eugene Kaspersky, the Head of Virus Research at Kaspersky Labs. “This is apparently the first successful mp3 virus.” It was widely believed that the mp3 standard was virus-safe. It appears that somebody managed to find and exploit a vulnerability in the iPod’s embedded software, which lacks the level of anti-virus protection of large desktop operating systems. Playing an infected song causes a buffer overflow on the iPod, and malicious code sneaks into the device. When the iPod is synchronized, the virus jumps into the iTunes software client. It then connects to a remote server that uploads more malicious code, which in turn infects more mp3 files stored on the hard drive. And that is not the whole story. The virus apparently scans the PC for Grokster, Kazaa, BitTorrent or other file-sharing software. If it finds any, it copies itself onto other computers on the network. As a result, about 10% to 15% of all files on the major networks are infected. “Apparently, the virus writers released the virus a few weeks ago, and when it had spread widely they suddenly activated the payload,” suggests Mr. Kaspersky.
Although the virus is easily detectable, removing it is problematic. Kaspersky Labs and other anti-virus companies should be able to come up with software that removes the virus from PCs. Unfortunately, this does not help. The virus remains on the iPod and would copy itself onto iTunes at the next sync. And removing it from iPods seems to be beyond the reach of virus hunters. The iPod runs a proprietary embedded OS developed by Pixo. Kaspersky, Symantec and other anti-virus companies have no experience with it. Besides, it’s a closed platform; the documentation is sparse at best. A few industry insiders even went so far as to hint that Pixo might be behind the attack: the disagreement between Pixo and Apple is an open secret in Silicon Valley. Pixo believes that Apple has not properly compensated it. Since such allegations would be next to impossible to substantiate, it doesn’t make sense even to ask Pixo to rebut them.
Other conspiracy theorists were quick to point to the RIAA, the music industry consortium currently battling Grokster in the Supreme Court. Its representative has denied the allegations. This has not convinced some: the music industry has recently bankrolled a couple of secretive software start-ups whose apparent goal was to hack the file-sharing networks.
The latest reports from the field seem to affirm Pixo’s and the RIAA’s innocence: a new type of malicious payload has been reported. A number of iPod owners had their songs interrupted by radio-style advertising. Ads hawking Viagra, penis enlargement pills and porno sites have been reported. When your correspondent called the provided phone number, he was indeed offered Viagra for purchase. The phone number appeared to be rented from Skype (through its Beta SkypeIn service) and, judging by the accent of the salesmen, was terminated somewhere in Eastern Europe. Asked if the company was afraid of legal action, the representative brazenly replied that people who steal copyrighted music won’t dare to appear in court, even if they manage to figure out in which country.
“When the infected mp3 file is played, the sound quality is somehow affected by the virus. If you suspect that your song sounds a bit different, turn off your iPod immediately,” suggests Apple’s Benjamin Miller. “In about 15 seconds the virus copies itself onto the iPod. After that, the best you can do is to throw your iPod away and buy a new one.”
“This is only a prelude of things to come,” comments computer security expert Bruce Schneier. “Proprietary embedded systems are a hackers’ paradise. Next year, expect full-fledged 30 sec Viagra TV commercials on your TiVo.”