- Avi or mpeg virus possible ?
- Posted by nightwing_97838@yahoo.com on July 1st, 2007
I have 2 friends who claimed their computer was infected by a virus from an
avi media file .
They downloaded it off a newsgroup a couple of days ago .
I helped them do a low-level format & reinstall of everything & it was
necessary .
How is it possible to embed or install a virus, trojan, etc. with a media
file
One of my teachers in college claims this can't be done while another says
it can ?
If this is possible , then how do you defend against it ?
Hell I've heard some boast they can put viruses in text now ?
Any info & advice you may have is greatly appreciated 
- Posted by Sebastian G. on July 2nd, 2007
nightwing_97838@yahoo.com wrote:
Well, we all know incompetent people. Some can be recognized by whitespaces
in front of punctuation...
That is, of course, nonsense. Binary stuff on NNTP is well-excluded for a
reason and commonly not counted as part of the Usenet.
Well, that's trivial.
# cat something.avi malware.exe > something_with_malware_embedded.avi
Well, maybe you're talking nonsense. Embedding is not the problem, getting
it to execute is the real problem. This is typically done by exploiting
vulnerabilities in the associated playback software and some more
complicated embedding scheme.
Not using horribly defective playback software? Normalizing the data?
# cat text.txt malware.exe > text_with_malware_embedded.txt
Now, the very same problem about getting it executed... text editors
typically are not that broken... But I think you were actually talking about
formatted documents in the well-known totally broken pseudo-format .doc
parsed by the well-known totally pseudo office suite from Microsoft.
- Posted by Todd H. on July 2nd, 2007
nightwing_97838@yahoo.com writes:
Malware is entirely possible in an avi or mpeg, pdf file, word .doc,
you name the format, depending on what you view it in, there's
probably some published vulnerability on it.
To get the malware to execute, there must be a vulnerability in the
media player on which it is played.
For example, here's just one example of an .avi vulnerability that
existed in many versions of windows (patched by Microsoft in
2005)
http://www.securityfocus.com/bid/15063/discuss
--but there are others certainly, and God knows how many privately held
0day exploits for vulnerabilities not known to the general public.
Countermeasures are to vigilantly update with all vendor released
patches, run non-low-hanging-fruit operating systems, or run quality
regularly updated anti-virus programs (and hope to god there's a
reliable signature for whatever malware you might unwittingly
download--there isn't always), and if you're going to download porn
from usenet binary groups where you might be exposing yourself to 0day
exploits for which there is no known signature and the vendors haven't
fixed the vulnerabilities they exploit... then your friends might want
to consider running them in VMWare virtual machines that they fire up
just for the purpose of viewing these untrusted files.
By the way, Sebastian G is a very unhappy person apparently, so my
apologies for having to endure his abusive reply that had a lot more
heat than light in it.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by David H. Lipman on July 2nd, 2007
From: <nightwing_97838@yahoo.com>
| I have 2 friends who claimed their computer was infected by a virus from an
| avi media file .
| They downloaded it off a newsgroup a couple of days ago .
| I helped them do a low-level format & reinstall of everything & it was
| necessary .
|
| How is it possible to embed or install a virus, trojan, etc. with a media
| file
| One of my teachers in college claims this can't be done while another says
| it can ?
| If this is possible , then how do you defend against it ?
| Hell I've heard some boast they can put viruses in text now ?
|
| Any info & advice you may have is greatly appreciated 
Only if it is a double extension file such as: Britney Spears.avi .exe
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Sebastian G. on July 2nd, 2007
David H. Lipman wrote:
"The current system settings don't allow you to run this program."
Hm... there's something I'm doing right...
- Posted by Todd H. on July 3rd, 2007
"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
That is certainly the easiest and most common way to get owned by such downloads.
In a rare departure from David's usual reliable advice, though, I'm
afraid I have to disagree that it's the only way. Media files can and
have been crafted to exploit vulnerabilities in specific media players
(buffer overruns, etc.). Quicktime and Flash vulnerabilities seem to
be more common with this than .avi here recently, but .avi has been
hit in the past via DirectX vulns.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by David H. Lipman on July 5th, 2007
From: "Todd H." <comphelp@toddh.net>
|
| That is certainly the easiest and most common way to get owned by such downloads.
|
| In a rare departure from David's usual reliable advice, though, I'm
| afraid I have to disagree that it's the only way. Media files can and
| have been crafted to exploit vulnerabilities in specific media players
| (buffer overruns, etc.). Quicktime and Flash vulnerabilities seem to
| be more common with this than .avi here recently, but .avi has been
| hit in the past via DirectX vulns.
|
| Best Regards,
You are right, they can use Exploit Code. However, the question was embedded malware in the
actual file.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Todd H. on July 5th, 2007
"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
That's what I'm talking about.
An embedded netcat listener, for example, is surely an example of
malware, and these can be made extremely tiny in size, and embedded
right into a media file crafted against a specific media viewer's
vulnerability. View the media file, get owned by malware. No
external moving parts required.
--
Todd H.
http://www.toddh.net/
- Posted by David H. Lipman on July 6th, 2007
From: "Todd H." <comphelp@toddh.net>
|
| That's what I'm talking about.
|
| An embedded netcat listener, for example, is surely an example of
| malware, and these can be made extremely tiny in size, and embedded
| right into a media file crafted against a specific media viewer's
| vulnerability. View the media file, get owned by malware. No
| external moving parts required.
|
Viewing will not extract a binary. You need a helper application to extract a binary from a
graphic or moving graphic file.
The Tibs Trojan is well known to do this with the well known FroggerEXE.
The EXE files are stored in JPEGs and all you see is a simple Frog in a picture.
Viewing the Frog in the JPEG will not extract the EXE. An external program has to do it.
The same holds true for; AVI, MOV, MPEG, etc.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Sebastian G. on July 6th, 2007
David H. Lipman wrote:
Viewing will extract the binary to the memory of the viewer application. If
then an exploit triggers a vulnerability in the viewer application, it can
be made to misbehave and jump to the mentioned memory section.
Of course, this means you either need an exploit or make the user run an
external application, whereas the latter rather is a trivial case of PEBKAC
that doesn't need to be discussed.
- Posted by Todd H. on July 6th, 2007
"Sebastian G." <seppi@seppig.de> writes:
The fallacy in this argument, David, is that "viewing" requires a
viewer, and viewers can and often have had vulnerabilities. Sometimes
the viewer is built into the operating system, but it is still very
much a viewer.
I'll give you 3 examples of past cases.
Here's one AVI example that attacked Windows built in functionality
and allowed arbitrary code execution:
http://www.securityfocus.com/bid/15063/discuss
"Successful exploitation will permit execution of arbitrary code
in the context of the user who opens a malicious .AVI file."
"Arbitrary code" in the parlance of these advisories means "yer done."
Here's another .AVI specific example--view a maliciously crafted AVI
in an old version of RealPlayer and yer done:
http://research.eeye.com/html/adviso...D20050623.html
"The vulnerability allows a remote attacker to reliably
overwrite heap memory with arbitrary data and execute arbitrary
code in the context of the user who executed the player. / By
specially crafting a malformed .avi movie file, a direct heap
overwrite is triggered, and reliable code execution is then
possible. This vulnerability can be triggered when a user views
a webpage, or opens an .avi file via email, instant messenger,
or other common file transfer programs."
For an MPEG example, an mpeg-4 file on any version of iTunes older than
4.8 allowed arbitrary code execution:
http://www.securityfocus.com/bid/13565/discuss
"A specifically malformed MPEG4 file could trigger this
overflow, causing a denial of service or execution of arbitrary
code. This vulnerability was addressed in iTunes 4.8"
Yup.
And if your nefarious "external application" is small enough, it can
be packed right into the nefarious payload depending on the exploit.
For instance, there is a "bind shell" payload for Windows, for
instance that opens a network port listener on a windows box listening
and waiting for a connection and spawns a command shell if someone
connects. Guess how big it is. It's all of 317 bytes. Not
kilobytes, not megabytes. Bytes. It's freely available as a payload
in the metasploit framework.
In summary, to the original poster's question in the subject of this
thread, the answer is "yes."
The question that might keep you up at night is "what popular media
viewers currently have unpatched vulnerabilities for which there are
privately held, privately developed exploits in circulation in the black
hat community?" The links above are only to known, patched
vulnerabilities. The bad guys don't necessarily give us a nice
database of all the vulns they've discovered.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by David H. Lipman on July 6th, 2007
From: "Todd H." <comphelp@toddh.net>
|
| The fallacy in this argument, David, is that "viewing" requires a
| viewer, and viewers can and often have had vulnerabilities. Sometimes
| the viewer is built into the operating system, but it is still very
| much a viewer.
|
| I'll give you 3 examples of past cases.
|
| Here's one AVI example that attacked Windows built in functionality
| and allowed arbitrary code execution:
| http://www.securityfocus.com/bid/15063/discuss
| "Successful exploitation will permit execution of arbitrary code
| in the context of the user who opens a malicious .AVI file."
|
| "Arbitrary code" in the parlance of these advisories means "yer done."
|
| Here's another .AVI specific example--view a maliciously crafted AVI
| in an old version of RealPlayer and yer done:
| http://research.eeye.com/html/adviso...D20050623.html
|
| "The vulnerability allows a remote attacker to reliably
| overwrite heap memory with arbitrary data and execute arbitrary
| code in the context of the user who executed the player. / By
| specially crafting a malformed .avi movie file, a direct heap
| overwrite is triggered, and reliable code execution is then
| possible. This vulnerability can be triggered when a user views
| a webpage, or opens an .avi file via email, instant messenger,
| or other common file transfer programs."
|
| For an MPEG example, an mpeg-4 file on any version of iTunes older than
| 4.8 allowed arbitrary code execution:
| http://www.securityfocus.com/bid/13565/discuss
|
| "A specifically malformed MPEG4 file could trigger this
| overflow, causing a denial of service or execution of arbitrary
| code. This vulnerability was addressed in iTunes 4.8"
|
| Yup.
|
| And if your nefarious "external application" is small enough, it can
| be packed right into the nefarious payload depending on the exploit.
|
| For instance, there is a "bind shell" payload for Windows, for
| instance that opens a network port listener on a windows box listening
| and waiting for a connection and spawns a command shell if someone
| connects. Guess how big it is. It's all of 317 bytes. Not
| kilobytes, not megabytes. Bytes. It's freely available as a payload
| in the metasploit framework.
|
| In summary, to the original poster's question in the subject of this
| thread, the answer is "yes."
|
| The question that might keep you up at night is "what popular media
| viewers currently have unpatched vulnerabilities for which there are
| privately held, privately developed exploits in circulation in the black
| hat community?" The links above are only to known, patched
| vulnerabilities. The bad guys don't necessarily give us a nice
| database of all the vulns they've discovered.
|
| Best Regards,
Viewing will NOT extract the binary. It will either be seen as garbage (noise), cause a
problem with the viewer or be skipped. The malware would need an extractor/helper
application.
As for the idea of exploitation. Certainly. If an object uses exploitation code on a
known vulnerability such as a buffer overflow condition then an elevation of privileges
can lead to malware installation. However the file using exploitation code will NOT be
the infector. It will be the causative factor but not the end result.
I disagree. The answer to the OP is NO.
Please post a specific case of malware that hides within either a static or moving graphic
file that can install all by itself. I am fully aware of steganographic techniques and they
don't include auto-extraction, installation, capabilities.
I also am fully aware of companies such as Zango exploiting the Windows DRM of Windows Media
Player to download malware.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Todd H. on July 6th, 2007
"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
Hi David,
What are your definitions of
"Extract the binary"
"Installation"
and how they differ from mere:
"Exploitation"
To me, arbitrary code is arbitrary code. I'm not sure how your
distinction of an exploit payload being a "causative factor" vs end
result has any bearing on whether an avi or mpeg virus is possible.
To my view, if you're running a vulnerable viewer as a user of
sufficient privilege (administrator as most windows users are), and
you open an .avi or .mpeg maliciously created to exploit that
viewer's vulnerability, and that vulnerability allows arbitrary code
execution, yer done. What payload the author has chosen to include in
there can attempt to replicate and attach itself to other files, which
would certainly qualify it as a virus. Whether it installs permanent
running processes and adds things to a registry, seems orthogonal to
the discussion.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by David H. Lipman on July 6th, 2007
From: "Todd H." <comphelp@toddh.net>
|
| Hi David,
|
| What are your definitions of
| "Extract the binary"
| "Installation"
Extract the binary -- To pull out the binary data that is a distinct executable in such a
form as a disk file or ADS such that the OS can execute it or load it.
Installation -- A disk file or ADS that the OS executes or loads.
|
| and how they differ from mere:
| "Exploitation"
Exploitation -- The act of taking advantage of a vulnerability or perceived vulnerability.
|
| To me, arbitrary code is arbitrary code. I'm not sure how your
| distinction of an exploit payload being a "causative factor" vs end
| result has any bearing on whether an avi or mpeg virus is possible.
|
| To my view, if you're running a vulnerable viewer as a user of
| sufficient privilege (administrator as most windows users are), and
| you open an .avi or .mpeg maliciously created to exploit that
| viewer's vulnerability, and that vulnerability allows arbitrary code
| execution, yer done. What payload the author has chosen to include in
| there can attempt to replicate and attach itself to other files, which
| would certainly qualify it as a virus. Whether it installs permanent
| running processes and adds things to a registry, seems orthogonal to
| the discussion.
|
| Best Regards,
The privilege of the user is often not a factor as most exploits target vulnerabilities that allow
an elevation of privileges. Thus a limited user on a PC found to be vulnerable can lead to
malware being silently installed even though the actual user's privilege would not
allow it.
Having a given exploitation effect upon a vulnerability is NOT a guarantee of infection. It
depends on the situation. Take a SDBot variant. It will send TCP ports 135 and/or 445
packets out seeking vulnerabilities in the LSASS or RPC/RPCSS DCOM modules. Then it will
exploit the buffer overflow situation and then install itself on the vulnerable platform.
However this is I-worm activity.
Take a WMV Malware using the Media Player DRM, so-called exploitation. Instead of the video
file seeking a license, it goes out and will try to download a EXE and use Social
Engineering to get you to install the EXE file. This isn't a vulnerability per se but it is
a form of Media Player DRM exploitation because DRM was NOT meant to cause EXE files to get
downloaded but that is what Zango actually did.
Now I have seen; VML in HTML, WMF, ANI and other Exploits used. These are loaded on web
sites that use a combination of exploitation and code execution. It is the combination of
exploitation and script execution that causes the malware to be installed. Just playing a
WMV, AVI, MPEG, MOOV etc, will not have this one, two, punch. You must look at "HOW" the
"arbitrary code" is to be executed and/or loaded. Now I can download a QTS file that uses
exploitation code but if I take it out of context will it actually cause malware to be
installed ? The answer is no. I will just create an exploitable condition. Now place that
QTS file in a web site or HTML email message and there is a greater possibility of actually
taking advantage of that subsequent exploitable condition.
Getting back to the OP, the answer is no. I believe the discussion the OP had with his
friends did NOT properly discuss the subject matter and knowing that the OS defaults to "hiding
extensions of known file types" it is much more likely that Social Engineering was the
culprit using a Double-Extension file such as my previous example of: Britney Spears.avi .exe
This is *very* common. I have come across many files that do the above and in some cases
will use numerous spaces between the AVI and .EXE extension.
BTW: Good Discussion :-)
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
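A defender-side check for the two mechanisms discussed in this thread, the appended-payload trick from Sebastian's `cat something.avi malware.exe` post and David's padded double-extension names, written as an added example that is not from any poster here. It inspects the file name and the RIFF container's declared length; the sample files are constructed inline, and the extension sets and the "MZ" trailer check are assumptions of the example.

```python
import os
import struct

# Windows hides "known" extensions by default, so "clip.avi .exe" displays as
# "clip.avi". Both extension sets below are assumptions for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
MEDIA_EXTS = {".avi", ".mpeg", ".mpg", ".mp4", ".mov", ".wmv"}


def double_extension(filename):
    """Describe a 'movie.avi      .exe' style name, or return None."""
    root, final_ext = os.path.splitext(os.path.basename(filename))
    if final_ext.lower() not in EXECUTABLE_EXTS:
        return None
    # rstrip() drops the run of spaces used to push ".exe" out of view
    inner_ext = os.path.splitext(root.rstrip())[1].lower()
    if inner_ext in MEDIA_EXTS:
        return "executable %s disguised as %s" % (final_ext.lower(), inner_ext)
    return None


def riff_trailer(data):
    """Compare an AVI's declared RIFF length with the actual byte count.

    'cat movie.avi malware.exe > movie.avi' leaves the RIFF header intact,
    so every byte past 8 + declared size is foreign. A player ignores it;
    this is a triage indicator, not evidence that anything executes.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"AVI ":
        return {"is_avi": False, "trailing": len(data), "pe_trailer": False}
    declared = struct.unpack("<I", data[4:8])[0]
    trailing = data[8 + declared:]
    # A Windows executable begins with the DOS "MZ" stub; only that trailer
    # type is recognised here (assumption).
    return {"is_avi": True, "trailing": len(trailing),
            "pe_trailer": trailing[:2] == b"MZ"}


def scan(filename, data):
    """Collect the findings a download or mail filter would report."""
    findings = []
    name_issue = double_extension(filename)
    if name_issue:
        findings.append(name_issue)
    info = riff_trailer(data)
    if filename.rstrip().lower().endswith(".avi") and not info["is_avi"]:
        findings.append("named .avi but content is not a RIFF/AVI container")
    elif info["is_avi"] and info["trailing"]:
        kind = "PE executable" if info["pe_trailer"] else "unknown data"
        findings.append("%d bytes of %s appended after the RIFF container"
                        % (info["trailing"], kind))
    return findings


# Constructed samples: a minimal RIFF/AVI container, then the same bytes with
# a fake 64-byte "executable" appended the way the cat command would do it.
_body = b"JUNK" + struct.pack("<I", 4) + b"\x00" * 4
CLEAN_AVI = b"RIFF" + struct.pack("<I", 4 + len(_body)) + b"AVI " + _body
APPENDED_AVI = CLEAN_AVI + b"MZ" + b"\x90" * 62

if __name__ == "__main__":
    print(scan("Britney Spears.avi        .exe", APPENDED_AVI))
```

Real-world AVI files from sloppy muxers sometimes carry a few trailing bytes, so treat the trailer finding as a reason to look closer rather than a verdict.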
- Posted by Sebastian G. on July 7th, 2007
David H. Lipman wrote:
Which is utterly stupid, since it could simply run this EXE file by itself.
So? The documentation says this is actually what it's supposed to do.
Huh? Using a script to build the exploit code in memory instead of loading
it as a gzipped multi-megabyte file isn't exactly a necessity, just reasonable.
Hm.. but it seems like it does.
Or by simply playing it. That's what users typically do with media files.
- Posted by Todd H. on August 3rd, 2007
comphelp@toddh.net (Todd H.) writes:
Blackhat talk on weaponizing digital media:
http://news.yahoo.com/s/ap/20070803/..._digital_media
--
Todd H.
http://www.toddh.net/
- Posted by for@info.com on October 11th, 2007
Any movie file format that is capable of doing anything other than
holding the movie itself is inherently dangerous.
WMV files for example were created as a wrapper for movie files
specifically to enable them to do this. Never play or use WMV files is a
good habit.
There is no reason to have a movie file format capable of containing data
or code other than the raw movie itself plus a header identifying the
codec. All arguments for this are spurious.
Any format doing more than that can will and IS being used to hack.
Providing you have no trojans on your system the following file
formats/codecs are safe:
Intel AVI
Mpeg-1
Mpeg-2
VOB
ALL others are unsafe no matter what claims are made for them.
NEVER install players capable of identifying the file type - eg A media
player that will play an mpeg with an AVI file extension is a massive
security hazard - that means almost all on any microsoft system - they
designed it that way - they create revenue for anti-virus companies.
Those are the facts - what you do about them is up to you.