Proactive IT Security

Free music with an unwanted tune

Introduction

One point we have made repeatedly in our security articles is that whenever malware authors find a new vehicle for spreading their malware, their probability of success rises sharply. One reason is that automatic defense mechanisms do not immediately recognize the social engineering techniques being used.

However, if a cybercriminal finds an infection vector that removes the need to socially engineer the end user altogether, the probability of success is higher still.

Today's security article will look into such an incident.

Spotify Open version

Spotify is a Swedish music streaming service offering a wide range of music. It is available in several Western European countries, and the music can be accessed from traditional computers (several operating systems are supported) as well as from various mobile devices (again on several operating systems).

There are various versions of Spotify (not all of them available in every country). One of them is the free, advertisement-supported version, Spotify Open. Spotify explains this on its web site:

 Open is a free version of Spotify. It’ll give you a mouth-watering taste of the full Spotify experience.

You’ll have access to over 10 million tracks and albums. Stream anything you like. It’s like surfing music, you’ll love it. (...)

You’ll hear occasional ads on Spotify Open. This is so we can pay the artists and musicians for their music.

New Spotify users in particular will probably start with this open version and later move to one of the paid versions if they like the service.

Spotify Open. Note the song playing in the application - we found it appropriate as an illustration!


Malicious advertisement in Spotify Open

On Thursday 24 March 2011, a tweet indicated that something might be wrong with Spotify Open:

Just got a virus alert on a PDF. The process that tried to download/open it is spotify.exe. Has spotify's ad network been compromised?

Several other tweets reported the same problem on 24 and 25 March, and the media soon picked up the story.

Spotify tweeted on 25 March:

We're still investigating but we take this very seriously and will take every step possible to ensure it doesn't occur again.

This was followed by another tweet from Spotify some hours later, as more information became available:

We've turned off all 3rd party display ads that could have caused it until we find the exact one.

Spotify also published a statement on its web site on 25 March (in the Frequently Asked Questions section):

Information regarding malware threat

A number of our Spotify Free/Open users in the UK, Sweden, France and Spain running Windows were targeted by a virus contained in an advert which ran from Thursday 24th of March 2011 to Friday the 25th of March 2011.

We quickly removed all third party display ads in order to protect users and ensure Spotify was safe to use. We then isolated and removed the malicious ad. Users with anti-virus software will have been protected.

We sincerely apologise to any users affected. We’ll continue working hard to ensure this does not happen again and that our users enjoy Spotify securely and in confidence. (...)

It seems safe to assume that Spotify will take measures to ensure that a similar incident does not happen again. Which steps the company will take remains to be seen, and they may never be publicly announced.

Malicious ads - what is new?

So, what is particularly interesting about this case? Is it not a fact that malicious advertisements are the most widely used technique for spreading malware, and that legitimate web sites are a major vector for these ads?

Norman has written about this in several articles, see e.g. Web advertisements - a significant spreading vector for malware from October 2009.

The Spotify incident is significantly different, however. Here the malicious advertisement was not served by a web site the user chose to visit, but displayed inside a particular desktop application.

No social engineering was needed to get users to "view" the advertisement (i.e. to visit a web site). The advertisement was rendered by the Spotify Open client itself, so a user could have been infected even while the application was merely running in the background.

There are two ways in which end users can, to some extent, protect themselves against this spreading vector (apart from running only ad-free applications):

  1. Ensure that vulnerable software is updated with the latest security updates.
    Experience shows that malware often exploits vulnerabilities that have already been patched. The tweet quoted above suggests that the payload in this incident was a malicious PDF, which makes the PDF reader the obvious software to keep up to date here.
  2. Use antimalware software that can detect threats with technology that is not solely signature based.
    Norman's antimalware software uses our Norman SandBox®, which detects unknown malware by its behavior.
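The behavioral angle in point 2 can be illustrated with the symptom reported in the first tweet: a music player process (spotify.exe) downloading and opening a PDF. The following is an added example, not code from the original article and not Norman SandBox logic; it applies a small per-application baseline to process-creation and file-write events. The log lines and their pipe-delimited format are constructed for this example (they are not Sysmon or Windows event log output), and the baseline for spotify.exe is an assumption.

```python
"""Added example: baseline-driven behavioral detection for an ad-supported
media player. Log format (constructed for this example): ts|kind|process|target
where kind is "proc" (process creation, target = child image) or
"file" (file write, target = written path)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed per-application baseline: what each profiled process is expected
# to do. A media player has no business writing documents or executables,
# nor launching a document reader.
BASELINE = {
    "spotify.exe": {
        "allowed_children": set(),
        "allowed_write_ext": {".mp3", ".ogg", ".tmp", ".cache", ".log"},
    },
}
# File types that typically reach a plugin, reader or the loader.
SUSPICIOUS_EXT = {".pdf", ".exe", ".dll", ".scr", ".jar", ".swf"}


@dataclass
class Event:
    ts: str
    kind: str      # "proc" or "file"
    process: str   # process performing the action (lower-cased)
    target: str    # child image or written path (lower-cased)


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, kind, process, target = (f.strip() for f in line.split("|", 3))
    return Event(ts, kind, process.lower(), target.lower())


def ext_of(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:] if dot >= 0 else ""


def check_event(ev: Event) -> Optional[str]:
    """Return an alert string if the event deviates from the baseline."""
    profile = BASELINE.get(ev.process)
    if profile is None:
        return None  # process not profiled; nothing to say about it
    if ev.kind == "proc" and ev.target not in profile["allowed_children"]:
        return f"{ev.ts} {ev.process} spawned unexpected child {ev.target}"
    if ev.kind == "file":
        ext = ext_of(ev.target)
        if ext in SUSPICIOUS_EXT and ext not in profile["allowed_write_ext"]:
            return f"{ev.ts} {ev.process} wrote unexpected {ext} file {ev.target}"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Run every non-empty log line through the baseline check."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = check_event(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: a normal cache write, the reported PDF download,
# the reader being launched, and an unrelated process for contrast.
SAMPLE_LOG = """\
2011-03-24T10:01:02|file|spotify.exe|C:\\Users\\u\\AppData\\Local\\Spotify\\Storage\\a1.cache
2011-03-24T10:01:05|file|spotify.exe|C:\\Users\\u\\AppData\\Local\\Temp\\ad\\offer.pdf
2011-03-24T10:01:06|proc|spotify.exe|acrord32.exe
2011-03-24T10:02:00|file|notepad.exe|C:\\Users\\u\\notes.txt
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running the block prints two alerts, one for the PDF write and one for the reader launch, and stays silent on the cache write and on the unprofiled notepad.exe. The point is that neither alert depends on a signature for the PDF itself: the deviation from what the player normally does is the indicator.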

Consequences

The malware served in the incident this article is based on only infected computers running Microsoft Windows. In principle, though, it is not difficult to imagine other types of devices being attacked with the same technique.

We assume that the cybercrime community is already researching ways to refine this infection technique for other applications and other devices.

Application vendors that use third-party advertisements in their software must build security mechanisms into their products that prevent malicious advertisements from infecting users, or from being displayed in the first place.

The suppliers of advertisements have a particular responsibility to ensure that the advertisements they feed are quality checked in such a manner that the recipients of those advertisements are actually safe.

This incident has hopefully been a wake-up call for software vendors and the other types of corporations involved in the Internet advertisement business.
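One concrete form the "security mechanisms" and "quality checks" asked of vendors and ad suppliers in the two paragraphs above could take is a gatekeeper that every creative must pass before it is rendered. The following is an added example, not code from the article, from Spotify or from any ad network, and the policy it enforces is an assumption: only static images from an allowlisted HTTPS origin are accepted, the content type is determined from the bytes rather than trusted from the declared header, and anything that would be handed to a plugin or an external application (PDF, Flash, executables) is refused outright. The origin name and the sample creatives are constructed for the example.

```python
"""Added example: vet an ad creative before rendering it in a client."""
from typing import Tuple
from urllib.parse import urlparse

ALLOWED_ORIGINS = {"ads.example-network.test"}   # hypothetical ad server
MAX_CREATIVE_BYTES = 200 * 1024

# Magic bytes for the only formats a static-image advertisement needs.
IMAGE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Formats that end up in a reader, a plugin or the loader: never render.
BLOCKED_MAGIC = {
    "application/pdf": (b"%PDF",),
    "application/x-shockwave-flash": (b"FWS", b"CWS", b"ZWS"),
    "application/x-msdownload": (b"MZ",),
}


def sniff(data: bytes) -> str:
    """Classify a blob from its leading bytes; blocked types are checked
    first so a disguised document can never pass as an image."""
    for mime, magics in BLOCKED_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return mime
    for mime, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return "unknown"


def vet_creative(url: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether a creative may be rendered. Returns (accepted, reason)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https" or host not in ALLOWED_ORIGINS:
        return False, f"origin not allowlisted: {url}"
    if len(data) > MAX_CREATIVE_BYTES:
        return False, f"creative too large: {len(data)} bytes"
    real = sniff(data)
    if real in BLOCKED_MAGIC:
        return False, f"blocked content type {real} (declared {declared_type})"
    if real not in IMAGE_MAGIC:
        return False, f"unrecognised content (declared {declared_type})"
    declared = declared_type.split(";")[0].strip().lower()
    if real != declared:
        # The header lied; do not render something the server misdescribes.
        return False, f"declared {declared} but bytes are {real}"
    return True, f"ok: {real} from {host}"


# Constructed sample creatives for the example.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
DISGUISED_PDF = b"%PDF-1.4\n" + b"%" + b"\x00" * 32   # served as image/png
OVERSIZED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * MAX_CREATIVE_BYTES

if __name__ == "__main__":
    for url, ctype, blob in [
        ("https://ads.example-network.test/c1.png", "image/png", GOOD_PNG),
        ("https://ads.example-network.test/c2.png", "image/png", DISGUISED_PDF),
        ("http://ads.example-network.test/c3.png", "image/png", GOOD_PNG),
        ("https://ads.example-network.test/c4.png", "image/png", OVERSIZED_PNG),
    ]:
        print(vet_creative(url, ctype, blob))
```

Only the first creative is accepted; the PDF is rejected because of its bytes regardless of the image/png header, the plain-HTTP fetch fails the origin check, and the oversized image fails the size limit. A client that renders only what passes such a check never hands an advertisement to a PDF reader, which is exactly the path the tweets describe.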
