Our research team has uncovered a malicious Winamp playlist file (.pls) actively being used to hoist spyware onto victims machines who are running unpatched versions of Nullsoft’s Winamp music player.
On Monday, computer security firm Secunia issued an advisory for this bug:
Some vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user’s system.
1) A boundary error during the handling of filenames including a UNC path with a long computer name can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename with an overly long computer name (about 1040 bytes).
NOTE: An exploit is publicly available.
The vulnerability has been confirmed in version 5.12. Other versions may also be affected.
Successful exploitation of any of the vulnerabilities allows execution of arbitrary code on a user’s system when e.g. a malicious website is visited.
Thankfully, Nullsoft quickly posted a fix for this vulnerability on their website. Additionally, users of vulnerable versions are also warned when opening their media player that a newer version (5.13) is available to download to fix this security vulnerability.
Not following the recommendation from Nullsoft to upgrade to version 5.13 could result in the extremely nasty CWS Looking-For.Home Search Assistant infection as well as an installation of our good friend SpySheriff.
After surfing to a malicious website on our test machines, the file “x.pls” begins to download. Almost immediately, Winamp starts to execute the play list and remote code execution begins. A VirusTotal scan shows that only one AV vendor is detecting this.
Screen shots of the hijacked browser:
Sunbelt Software recommends network administrators and individual users block this site either at the gateway or on the desktop:
008k.com (195.225.177.27)
Adam Thomas
Spyware Research