Gallery

Music & video

Posted on 13 Aug 2008 at 11:20

With almost nine out of ten Britons on broadband, the internet is a practical and popular way to keep up with the world of entertainment. More than four billion tracks have been downloaded from Apple's iTunes store, while the BBC's iPlayer has served up more than 75 million programmes since its launch last Christmas. But downloading files opens up a new potential avenue of risk, while streaming sites often require you to run an unknown application within your browser. How safe is it to use the internet like this?

You'd think it should be impossible for malware to get onto your computer through a music file or a video - after all, these files are designed to be decoded and displayed, never executed. "If you're downloading data files, there's a reasonable degree of safety there," confirms Eset's Andrew Lee.

"But still," he warned, "you should always be on the lookout and follow the basic rules of security." For example, make sure you're running a current, up-to-date media player, since attackers could theoretically exploit a buggy player to hide executable code in a media file. And before you double-click on a downloaded file, make sure it really is a media file.

In the past, malware downloads have had names such as "movie.avi.exe". With Windows Explorer's default settings, the EXE extension won't be shown, and you could easily be tricked into thinking this malevolent executable was a movie file.

Big fish and small fry

What about the sites that host movies and music? As we noted before, the big organisations can afford to invest in proper security, and it's extremely rare for the likes of Apple or the BBC to be compromised. That's not to say it doesn't happen: last November, hackers managed to get an item of malware hosted on the MySpace page of Alicia Keys - at the time, the fourth most popular musical artist on the site.

Nevertheless, you're more likely to find malware on the countless smaller sites hosting music by independent and unsigned acts. A Google search for "download mp3" returns a host of lesser-known outfits. There aren't so many small video sites, due to the much smaller number of amateur film-makers and the bandwidth demands of hosting large amounts of video. But they do exist, and they face precisely the same security challenges as music sites.

Sad to say, not all such sites are equal to those challenges. When we searched for "mp3 download", the very first page of search results contained a site hosting an invisible IFrame launcher - a method used to surreptitiously install unwanted software onto your computer. Another site, listed on the second page, also tried to install malware onto our machine. Google flagged only the first as potentially harmful, while neither Yahoo nor Windows Live Search caught even that one.

The situation was no better when we searched for "watch music video." Again, two out of the first 20 sites were compromised, one with a cross-site scripting attack and the other with another invisible IFrame launcher. Only one of the sites was flagged as dangerous by Google, and both weren't flagged Yahoo and MSN. In short, when you're searching for media, malware protection is well worth having.

Credit card cracks

Malicious downloads aren't the only concern. Sites like these may sell MP3s or subscriptions using a credit card billing mechanism. If hackers manage to break into a site, they could intervene in this process and pick up the banking details of innocent visitors.