Velocity Reviews - Computer Hardware Reviews

Avi or mpeg virus possible ?

 
 
Sebastian G.
07-06-2007
David H. Lipman wrote:

> From: "Todd H." <(E-Mail Removed)>
>
>
> |
> | That's what I'm talking about.
> |
> | An embedded netcat listener, for example, is surely an example of
> | malware, and these can be made extremely tiny in size, and embedded
> | right into a media file crafted against a specific media viewer's
> | vulnerability. View the media file, get owned by malware. No
> | external moving parts required.
> |
>
> Viewing will not extract a binary. You need a helper application to extract a binary from a
> graphic or moving graphic file.



Viewing will extract the binary to the memory of the viewer application. If
an exploit then triggers a vulnerability in the viewer application, it can
be made to misbehave and jump to the mentioned memory section.

Of course, this means you either need an exploit or have to make the user run an
external application, whereas the latter is rather a trivial case of PEBKAC
that doesn't need to be discussed.
 
 
 
 
 
Todd H.
07-06-2007
"Sebastian G." <(E-Mail Removed)> writes:

> David H. Lipman wrote:
>
> > From: "Todd H." <(E-Mail Removed)>
> >
> >
> > |
> > | That's what I'm talking about.
> > |
> > | An embedded netcat listener, for example, is surely an example of
> > | malware, and these can be made extremely tiny in size, and embedded
> > | right into a media file crafted against a specific media viewer's
> > | vulnerability. View the media file, get owned by malware. No
> > | external moving parts required.
> > |
> >
> > Viewing will not extract a binary. You need a helper application
> > to extract a binary from a graphic or moving graphic file.


The fallacy in this argument, David, is that "viewing" requires a
viewer, and viewers can and often have had vulnerabilities. Sometimes
the viewer is built into the operating system, but it is still very
much a viewer.

I'll give you 3 examples of past cases.

Here's one AVI example that attacked Windows built-in functionality
and allowed arbitrary code execution:
http://www.securityfocus.com/bid/15063/discuss
"Successful exploitation will permit execution of arbitrary code
in the context of the user who opens a malicious .AVI file."

"Arbitrary code" in the parlance of these advisories means "yer done."

Here's another .AVI specific example--view a maliciously crafted AVI
in an old version of RealPlayer and yer done:
http://research.eeye.com/html/adviso...D20050623.html

"The vulnerability allows a remote attacker to reliably
overwrite heap memory with arbitrary data and execute arbitrary
code in the context of the user who executed the player. / By
specially crafting a malformed .avi movie file, a direct heap
overwrite is triggered, and reliable code execution is then
possible. This vulnerability can be triggered when a user views
a webpage, or opens an .avi file via email, instant messenger,
or other common file transfer programs."

For an MPEG example, an mpeg-4 file on any version of iTunes older than
4.8 allowed arbitrary code execution:
http://www.securityfocus.com/bid/13565/discuss

"A specifically malformed MPEG4 file could trigger this
overflow, causing a denial of service or execution of arbitrary
code. This vulnerability was addressed in iTunes 4.8"

> Viewing will extract the binary to the memory of the viewer
> application. If an exploit then triggers a vulnerability in the
> viewer application, it can be made to misbehave and jump to the
> mentioned memory section.


Yup.

And if your nefarious "external application" is small enough, it can
be packed right into the nefarious payload depending on the exploit.

For instance, there is a "bind shell" payload for Windows that opens a
network port listener on a Windows box, waits for a connection, and
spawns a command shell if someone connects. Guess how big it is. It's
all of 317 bytes. Not kilobytes, not megabytes. Bytes. It's freely
available as a payload in the Metasploit framework.

In summary, to the original poster's question in the subject of this
thread, the answer is "yes."

The question that might keep you up at night is "what popular media
viewers currently have unpatched vulnerabilities for which there are
privately held, privately developed exploits in circulation in the black
hat community?" The links above are only to known, patched
vulnerabilities. The bad guys don't necessarily give us a nice
database of all the vulns they've discovered.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
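The advisories Todd quotes describe players that trusted the length fields inside a malformed .avi. As an added example (not code from the thread or from any player mentioned in it), here is a bounds-checked walk over the RIFF chunk list of an AVI file in Python: every size field is treated as untrusted and inconsistencies are reported instead of being used to read past the buffer. The sample files are constructed inline.

```python
"""Bounds-checked walk over the top-level chunk list of an AVI (RIFF) file.
Layout: 12-byte header ('RIFF', u32 LE size, 'AVI ') then chunks of
(4-byte FourCC, u32 LE size, payload, pad byte if the size is odd).
Every size field comes from the file and is treated as untrusted.
"""
import struct

HEADER = 12     # 'RIFF' + size + form type
CHUNK_HDR = 8   # FourCC + size


def walk_riff(data: bytes):
    """Return (chunks, problems): (fourcc, offset, size) per chunk read, plus
    human-readable findings. Never indexes outside `data`."""
    chunks, problems = [], []
    if len(data) < HEADER or data[:4] != b"RIFF":
        return chunks, ["not a RIFF file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if data[8:12] != b"AVI ":
        problems.append(f"form type {data[8:12]!r} is not 'AVI '")
    # riff_size counts everything after the 8-byte 'RIFF' + size prefix.
    if riff_size + 8 != len(data):
        problems.append(f"RIFF size {riff_size} disagrees with file length {len(data)}")
    end = min(riff_size + 8, len(data))
    pos = HEADER
    while pos < end:
        if end - pos < CHUNK_HDR:
            problems.append(f"truncated chunk header at offset {pos}")
            break
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + CHUNK_HDR
        # The check a vulnerable parser skips: a size larger than what remains.
        if size > end - payload_start:
            problems.append(f"chunk {fourcc!r} at {pos} claims {size} bytes, "
                            f"only {end - payload_start} remain")
            break
        chunks.append((fourcc.decode("ascii", "replace"), pos, size))
        pos = payload_start + size + (size & 1)   # chunks are word-aligned
    return chunks, problems


def build_avi(chunks):
    """Constructed sample data: a minimal RIFF/AVI from (fourcc, payload) pairs."""
    body = b"".join(cc + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"")
                    for cc, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"AVI " + body


def oversized_sample():
    """Constructed sample: a well-formed file plus a 'strh' chunk whose size
    field (0xFFFFFFF0) points far past the end of the data."""
    bad = build_avi([(b"LIST", b"hdrlxxxx"), (b"JUNK", b"abc")])
    bad += b"strh" + struct.pack("<I", 0xFFFFFFF0) + b"\0" * 8
    return b"RIFF" + struct.pack("<I", len(bad) - 8) + bad[8:]


if __name__ == "__main__":
    print(walk_riff(build_avi([(b"LIST", b"hdrlxxxx"), (b"JUNK", b"abc")])))
    print(walk_riff(oversized_sample()))
```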
 
 
 
 
David H. Lipman
07-06-2007
From: "Todd H." <(E-Mail Removed)>


|
| The fallacy in this argument, David, is that "viewing" requires a
| viewer, and viewers can and often have had vulnerabilities. Sometimes
| the viewer is built into the operating system, but it is still very
| much a viewer.
|
| I'll give you 3 examples of past cases.
|
| Here's one AVI example that attacked Windows built-in functionality
| and allowed arbitrary code execution:
| http://www.securityfocus.com/bid/15063/discuss
| "Successful exploitation will permit execution of arbitrary code
| in the context of the user who opens a malicious .AVI file."
|
| "Arbitrary code" in the parlance of these advisories means "yer done."
|
| Here's another .AVI specific example--view a maliciously crafted AVI
| in an old version of RealPlayer and yer done:
| http://research.eeye.com/html/adviso...D20050623.html
|
| "The vulnerability allows a remote attacker to reliably
| overwrite heap memory with arbitrary data and execute arbitrary
| code in the context of the user who executed the player. / By
| specially crafting a malformed .avi movie file, a direct heap
| overwrite is triggered, and reliable code execution is then
| possible. This vulnerability can be triggered when a user views
| a webpage, or opens an .avi file via email, instant messenger,
| or other common file transfer programs."
|
| For an MPEG example, an mpeg-4 file on any version of iTunes older than
| 4.8 allowed arbitrary code execution:
| http://www.securityfocus.com/bid/13565/discuss
|
| "A specifically malformed MPEG4 file could trigger this
| overflow, causing a denial of service or execution of arbitrary
| code. This vulnerability was addressed in iTunes 4.8"
|
>> Viewing will extract the binary to the memory of the viewer
>> application. If an exploit then triggers a vulnerability in the
>> viewer application, it can be made to misbehave and jump to the
>> mentioned memory section.

|
| Yup.
|
| And if your nefarious "external application" is small enough, it can
| be packed right into the nefarious payload depending on the exploit.
|
| For instance, there is a "bind shell" payload for Windows that opens a
| network port listener on a Windows box, waits for a connection, and
| spawns a command shell if someone connects. Guess how big it is. It's
| all of 317 bytes. Not kilobytes, not megabytes. Bytes. It's freely
| available as a payload in the Metasploit framework.
|
| In summary, to the original poster's question in the subject of this
| thread, the answer is "yes."
|
| The question that might keep you up at night is "what popular media
| viewers currently have unpatched vulnerabilities for which there are
| privately held, privately developed exploits in circulation in the black
| hat community?" The links above are only to known, patched
| vulnerabilities. The bad guys don't necessarily give us a nice
| database of all the vulns they've discovered.
|
| Best Regards,

Viewing will NOT extract the binary. It will either be seen as garbage (noise), cause a
problem with the viewer or be skipped. The malware would need an extractor/helper
application.

As for the idea of exploitation. Certainly. If an object uses exploitation code on a
known vulnerability such as a buffer overflow condition then an elevation of privileges
can lead to malware installation. However, the file using exploitation code will NOT be
the infector. It will be the causative factor but not the end result.


I disagree. The answer to the OP is NO.

Please post a specific case of malware that hides within either a static or moving graphic
file that can install all by itself. I am fully aware of steganographic techniques and they
don't include auto-extraction or installation capabilities.

I also am fully aware of companies such as Zango exploiting the Windows DRM of Windows Media
Player to download malware.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
 
Todd H.
07-06-2007
"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
> Viewing will NOT extract the binary. It will either be seen as
> garbage (noise), cause a problem with the viewer or be skipped. The
> malware would need an extractor/helper application.
>
> As for the idea of exploitation. Certainly. If an object uses
> exploitation code on a known vulnerability such as a buffer overflow
> condition then an elevation of privileges can lead to malware
> installation. However, the file using exploitation code will NOT
> be the infector. It will be the causative factor but not the end
> result.
>
>
> I disagree. The answer to the OP is NO.
>
> Please post a specific case of malware that hides within either a
> static or moving graphic file that can install all by itself. I am
> fully aware of steganographic techniques and they don't include
> auto-extraction or installation capabilities.
>
> I also am fully aware of companies such as Zango exploiting the
> Windows DRM of Windows Media Player to download malware.


Hi David,

What are your definitions of
"Extract the binary"
"Installation"

and how do they differ from mere:
"Exploitation"

To me, arbitrary code is arbitrary code. I'm not sure how your
distinction of an exploit payload being a "causative factor" vs end
result has any bearing on whether an avi or mpeg virus is possible.

To my view, if you're running a vulnerable viewer as a user of
sufficient privilege (administrator, as most Windows users are), and
you open an .avi or .mpeg maliciously created to exploit that
viewer's vulnerability, and that vulnerability allows arbitrary code
execution, yer done. Whatever payload the author has chosen to include in
there can attempt to replicate and attach itself to other files, which
would certainly qualify it as a virus. Whether it installs permanent
running processes and adds things to a registry seems orthogonal to
the discussion.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
 
David H. Lipman
07-06-2007
From: "Todd H." <(E-Mail Removed)>


|
| Hi David,
|
| What are your definitions of
| "Extract the binary"
| "Installation"

Extract the binary -- To pull out the binary data that is a distinct executable in such a
form as a disk file or ADS such that the OS can execute it or load it.

Installation -- A disk file or ADS that the OS executes or loads.

|
| and how they differ from mere:
| "Exploitation"

Exploitation -- The act of taking advantage of a vulnerability or perceived vulnerability.


|
| To me, arbitrary code is arbitrary code. I'm not sure how your
| distinction of an exploit payload being a "causative factor" vs end
| result has any bearing on whether an avi or mpeg virus is possible.
|
| To my view, if you're running a vulnerable viewer as a user of
| sufficient privilege (administrator, as most Windows users are), and
| you open an .avi or .mpeg maliciously created to exploit that
| viewer's vulnerability, and that vulnerability allows arbitrary code
| execution, yer done. Whatever payload the author has chosen to include in
| there can attempt to replicate and attach itself to other files, which
| would certainly qualify it as a virus. Whether it installs permanent
| running processes and adds things to a registry seems orthogonal to
| the discussion.
|
| Best Regards,

The privilege of the user is often not a factor, as most exploits target vulnerabilities that
allow an elevation of privileges. Thus a limited user on a PC found to be vulnerable can lead
to malware being silently installed even though the actual user's privilege would not
allow it.

Having a given exploitation effect upon a vulnerability is NOT a guarantee of infection. It
depends on the situation. Take an SDBot variant. It will send packets out to TCP ports 135
and/or 445 seeking vulnerabilities in the LSASS or RPC/RPCSS DCOM modules. Then it will
exploit the buffer overflow situation and then install itself on the vulnerable platform.
However this is I-worm activity.

Take a WMV malware using the Media Player DRM, so-called exploitation. Instead of the video
file seeking a license, it goes out and will try to download an EXE and use Social
Engineering to get you to install the EXE file. This isn't a vulnerability per se but it is
a form of Media Player DRM exploitation because DRM was NOT meant to cause EXE files to get
downloaded, but that is what Zango actually did.

Now I have seen VML in HTML, WMF, ANI and other exploits used. These are loaded on web
sites that use a combination of exploitation and code execution. It is the combination of
exploitation and script execution that causes the malware to be installed. Just playing a
WMV, AVI, MPEG, MOOV etc. will not have this one-two punch. You must look at "HOW" the
"arbitrary code" is to be executed and/or loaded. Now I can download a QTS file that uses
exploitation code but if I take it out of context will it actually cause malware to be
installed? The answer is no. It will just create an exploitable condition. Now place that
QTS file in a web site or HTML email message and there is a greater possibility of actually
taking advantage of that subsequent exploitable condition.

Getting back to the OP, the answer is no. I believe the discussion the OP had with his
friends did NOT properly discuss the subject matter and, knowing that the OS defaults to "hiding
extensions of known file types", it is much more likely that Social Engineering was the
culprit using Double-Extension files such as my previous example of "Britney Spears.avi .exe".

This is *very* common. I have come across many files that do the above and in some cases
will use numerous spaces between the .AVI and .EXE extensions.

BTW: Good Discussion

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
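Dave's double-extension example works because Explorer, with the default setting he mentions, hides the last extension of a known file type and trims the padding. As an added example (not from the thread), here is a Python check that recovers what the user would have seen and what Windows would actually run; the extension lists are illustrative assumptions, not an exhaustive set.

```python
"""Spot filenames that rely on Windows' default "hide extensions for known
file types" setting, e.g. "Britney Spears.avi               .exe": Explorer
shows "Britney Spears.avi" (padding trimmed) but double-clicking runs an .exe.
"""
import re

# Assumed, illustrative lists (not exhaustive): extensions Windows runs on
# open, and extensions a user would read as a harmless movie.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk"}
MEDIA_EXTS = {"avi", "mpg", "mpeg", "wmv", "mov", "mp4"}


def real_extension(name: str) -> str:
    """The extension the shell dispatches on: text after the last dot, lowercased."""
    _, dot, ext = name.rpartition(".")
    return ext.strip().lower() if dot else ""


def displayed_name(name: str) -> str:
    """What Explorer shows when the final (known) extension is hidden."""
    stem, dot, _ = name.rpartition(".")
    return stem if dot else name


def analyse(name: str) -> dict:
    """Compare the apparent (displayed) extension with the real one."""
    shown = displayed_name(name).rstrip()
    real = real_extension(name)
    apparent = real_extension(shown)          # e.g. 'avi' in 'Britney Spears.avi'
    # Two or more spaces before the real extension: padding meant to push
    # the .exe out of a narrow filename column or off the screen.
    padded = re.search(r"\s{2,}\.\w+$", name) is not None
    return {
        "displayed": shown,
        "real_ext": real,
        "apparent_ext": apparent,
        "padded": padded,
        "deceptive": real in EXECUTABLE_EXTS and apparent in MEDIA_EXTS,
    }


if __name__ == "__main__":
    # Constructed sample names, one in the style Dave describes.
    samples = ["Britney Spears.avi" + " " * 30 + ".exe", "clip.mpeg.scr",
               "movie.avi", "setup.exe"]
    for n in samples:
        print(repr(n), analyse(n))
```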
 
Sebastian G.
07-07-2007
David H. Lipman wrote:


> Take a WMV malware using the Media Player DRM, so-called exploitation. Instead of the video
> file seeking a license, it goes out and will try to download an EXE and use Social
> Engineering to get you to install the EXE file.



Which is utterly stupid, since it could simply run this EXE file by itself.

> This isn't a vulnerability per se but it is
> a form of Media Player DRM exploitation because DRM was NOT meant to cause EXE files

So? The documentation says this is actually what it's supposed to do.

> Now I have seen VML in HTML, WMF, ANI and other exploits used. These are loaded on web
> sites that use a combination of exploitation and code execution. It is the combination of
> exploitation and script execution that causes the malware to be installed.



Huh? Using a script to build the exploit code in memory instead of loading
it as a gzipped multi-megabyte file isn't exactly a necessity, just reasonable.

> Just playing a WMV, AVI, MPEG, MOOV etc, will not have this one, two, punch.



Hm.. but it seems like it does.

> It will just create an exploitable condition. Now place that
> QTS file in a web site or HTML email message and there is a greater possibility of actually
> taking advantage of that subsequent exploitable condition.



Or by simply playing it. That's what users typically do with media files.
 
 
Todd H.
08-03-2007
(E-Mail Removed) (Todd H.) writes:
> (E-Mail Removed) writes:
>
> > I have 2 friends who claimed their computer was infected by a virus
> > from an avi media file . They downloaded it off a newsgroup a
> > couple of days ago . I helped them do a lowlevel format & reinstall
> > of everything & it was necessary .
> >
> > How is it possible to embed or install a virus, trojan etc. with a
> > media file? One of my teachers in college claims this can't be done
> > while another says it can. If this is possible, then how do you
> > defend against it? Hell I've heard some boast they can put viruses
> > in text now?
> >
> > Any info & advice you may have is greatly appreciated

>
> Malware is entirely possible in an avi or mpeg, pdf file, word .doc,
> you name the format, depending on what you view it in, there's
> probably some published vulnerability on it.
>
> To get the malware to execute, there must be a vulnerability in the
> media player on which it is played.



Blackhat talk on weaponizing digital media:
http://news.yahoo.com/s/ap/20070803/..._digital_media


--
Todd H.
http://www.toddh.net/
 
 
for@info.com
10-11-2007


Any movie file format that is capable of doing anything other than
holding the movie itself is inherently dangerous.

WMV files for example were created as a wrapper for movie files
specifically to enable them to do this. Never playing or using WMV files is a
good habit.

There is no reason to have a movie file format capable of containing data
or code other than the raw movie itself plus a header identifying the
codec. All arguments for this are spurious.

Any format doing more than that can, will and IS being used to hack.

Providing you have no trojans on your system the following file
formats/codecs are safe:

Intel AVI
Mpeg-1
Mpeg-2
VOB

ALL others are unsafe no matter what claims are made for them.

NEVER install players capable of identifying the file type - e.g. a media
player that will play an mpeg with an AVI file extension is a massive
security hazard - that means almost all on any Microsoft system - they
designed it that way - they create revenue for anti-virus companies.

Those are the facts - what you do about them is up to you.


 