The normally reliable Techdirt admits that the following story raises many more questions than it answers:
Is The Recording Industry Hiding Spyware In Windows Media Files?
When the recording industry first tried to get politicians to shut down file sharing networks, they went with the “it’s stealing music” line, which generated some interest, but most people didn’t seem to pay attention. Then, the industry suddenly became oh-so-concerned about the fact that child porn was on these systems, and tried to convince politicians they needed to stop file sharing for the “sake of the children.” Lately, it seems the industry will do whatever it takes to make file sharing systems look bad. With that in mind, it makes you wonder if they’d go so far as to specifically hide spyware on file sharing networks just to upset users. It’s not entirely clear if that’s what happened, but it seems like the most obvious explanation for the following story, which was found on Broadband Reports.
Overpeer, a subsidiary of Loudeye, has been caught hiding adware and spyware within Windows Media files. Overpeer is the same company that the recording industry has hired in the past to dump fake versions of songs on file sharing networks. What the article doesn’t answer is whether or not the industry hired Overpeer to dump spyware on the network as well, but it’s likely they’re pleased either way. Overpeer defends their actions by saying that anyone obviously deserves what they get because, obviously, they were looking for unauthorized files. It’s not clear that everyone would agree. Sneaking malicious files onto someone’s computer because “they deserved it!” doesn’t seem like a very good justification.
What may be even more important to this story, however, is the revelation of just how easy it is, thanks to a huge loophole in Microsoft’s copy protection technology, to include a malicious file with an audio or video file. Basically, because Windows DRM needs to look for a license, all anyone needs to do is point that license to a website that loads malicious content and off you go. Thank you Microsoft, for creating a huge loophole that will probably make sure millions of new computers are loaded with spamming, DDOSing trojans shortly. Thank goodness for that Microsoft DRM, huh? Not only does it not protect any actual property while making things more expensive, it opens up plenty more people to malicious attacks.
OK, first of all, folks have been making similar allegations about Overpeer since 2002, as a quick search will reveal. I don’t know if it’s true, but if so then they should be prosecuted. Period.
However, I am always very suspicious of stories like this, where the underlying facts are impossible to replicate. I know enough about the way SP2 works to know that what is being described here shouldn’t happen on a system with SP2 installed, and I’ve read enough bad journalism from PC World and similar mainstream sites to be suspicious of the underlying facts. In particular, there is no way that Windows Media Player should be able to load an ActiveX control, because of the security zone it runs in. So color me skeptical…
And no, I do not agree that if you use Kazaa you deserve whatever you get. But if you use Kazaa or any underground file-sharing system to randomly troll for files from a worldwide network of untrusted services, you should expect to be attacked often, by the state of the art in malware. Likewise, if you spend enough time trolling in the porn underground you should expect to fight off a steady stream of pop-ups and attempts to load spyware. Is it right? No. Is it real? Absolutely. This is why I refuse to provide support for any friend or family member who uses Kazaa unless they agree to remove it from their system and keep it off. And you know what? It works.
Update: I see this story has now been picked up by Boing Boing, which means it will get a lot of publicity. That’s unfortunate, because the original story is just so murky.
Further update: I’ve received a sample file and have done some tests. Read the results here.
I’m against pirating software, music and movies but I do wish there was a new business model by the Record Industry and the Movie Industry.
As the price of movies continues to go up, and with the proliferation of broadband and media centers, BIG plasma TVs and other assorted goodies, it would be nice if there was a way to legally download (and pay for) high quality movies that you can watch at home and that come out at the same time as in the movie theaters. But as of yet there still is no way to do so. I know I would much rather pay $16 (the price of two movie tickets for the wife and me) to stay at home and away from the crowds, where I could enjoy a movie, than the options that are currently available. I don’t buy movies off of the TV because all the ones I want to see I paid to see at the theater 5 months before.