Can A Video File Contain A Virus?
Can A Video File Contain A Virus?
Video files are not typically thought of as potentially malicious or infected file types, but it is possible for malware to be embedded in or disguised as a video file. Due to this common misconception, audio and video files are incredibly intriguing threat vectors for malware
Reasons for Viruses
- Media players are very frequently used software; users tend to use them for an extended period of time, leaving them open during other tasks, and frequently switch media streams.
- There are a wide variety of different audio players and many of different codecs and audio file plugins - all written by generally non-security-focused people.
- The file formats involved are binary streams, and tend to be reasonably complex. Much parsing is required to manipulate them, and playback calculations can easily result in integer bugs.
- Players take un trusted input from many different unreliable sources (often over the network), and run with fairly high privilege and priority. For instance, in Windows Vista, a low-privileged IE instance can launch content in a higher-privileged WMP.
- They are perceived as relatively harmless - users are likely to play files given to them.
- They are frequently invoked without the user’s explicit acknowledgement,
Vulnerabilities
Typical vulnerability vectors are 1) fuzzing the media player by a modified video file and 2) embedding hyperlinks in a video file.
1) Fuzzing is a generic method to force a program to behave un expectantly by providing invalid, unexpected or random data to the inputs.
Fuzzing is designed to find deep bugs and is used by developers to ensure the robustness of code, however, a developer’s best tool can be used to exploit. For media players, which are supposedly "format strict", a corrupted real video file can expose many bugs, most caused by de referencing null pointers. The result is, allowing inappropriate memory access, which indicates the possibility of writing to memory that is not intended to be written [2]. Fortunately, fuzzing media players requires in-depth knowledge of the file format or else the “corrupted” file, will simply be ignored by the player.
2) A more direct method is by obtained by embedding a URL into modern media files.
Examples of File Type Exploits
Below is a table listing the popular media file formats that have been recently exploited by routing the user to malicious sites
| File Format | Detection | Description | First Reported |
| Windows .wma/.wmv | Downloader-UA.b | Exploits flaw in Digital Rights Management | January, 2005 |
| Real Media .rmvb | W32/Realor.worm | Infects Real Media files to embed link to malicious sites | November, 2006 |
| Real Media .rm/.rmvb | Human crafted | Launches malicious web pages without prompting | December, 2007 |
| QucikTime.mov | Human crafted | Launches embedded hyperlinks to pornographic sites | April, 2008 |
| Adobe Flash.swf | Exploit-CVE-2007-0071 | Vulnerability in DefineSceneAndFrameLabelData tag | June, 2008 |
| Windows.asf | W32/GetCodec.worm | Infects .asf files to embed links to malicious web pages | July, 2008 |
| Adobe Flash.swf | Exploit-SWF.c | Vulnerability in AVM2 "new function" opcode | June, 2010 |
| QuickTime.mov | Human crafted | Executes arbitrary code on the target user's system | August, 2010 |
| Adobe Flash.swf | Exploit-CVE-2010-2885 | Vulnerability in ActionScript Virtual Machine 2 | September, 2010 |
| Adobe Flash.swf | Exploit-CVE2010-3654 | Vulnerability in AVM2 MultiName button class | October, 2010 |
Solutions
Not all media players have guarded against malicious links, so the obvious recommendation ensues: do not view un trusted files, never run media players with elevated privileges and don’t accept downloads of “unheard” codecs or strange licenses.
Many antivirus vendors now have added detection by looking for the URL signatures inside media type files, however, this can also be avoided by malware writers by embedding in multi-gigabyte files which can take very long for the engines to properly scan.
As for fuzzing exploits, you will have to trust the programmers have performed the appropriate testing to clean up the deep bugs.
Comments
Post a Comment