virus in video

[bazooka]

I wasnt going to get into this.. BUT i couldnt resist.. mpg jpg mp3 avi cant and dont have the actual virii BUT the can and have had imbeded urls that when played will take you to a web page.. if you are like most and use IE you will then have active x or what ever dl the virii and wam.. thats just one way.. but this has been talked about for years and it all ends the same way.. some people are 100% sure that they are right.. the people that are so sure that you can get one thru one of these files.. please post a link or fwd one of the files to be checked.. not trying to insult anyone.. but actualy trying to have people show facts not just hearsay..

It happened months ago and I do not feel like arguing anymore.

It is not worth it.

[BJ_M]

symantec says they DO exist -- so i guess they are liars also ...

and not by "re-write over the file" , but tagging the file ..

anyway on irc - got to a virus channel and ask the same question and you will get the same answers ..

yes -- there is also a "hoax" mp3 virus ..

but also keep in mind (not a virus) that there are "tagged" mp3s that are designed to call home, this could in theory be done also with some types of video files and disks ..

[Heywould3]

I wasnt going to get into this.. BUT i couldnt resist.. mpg jpg mp3 avi cant and dont have the actual virii BUT the can and have had imbeded urls that when played will take you to a web page.. if you are like most and use IE you will then have active x or what ever dl the virii and wam.. thats just one way.. but this has been talked about for years and it all ends the same way.. some people are 100% sure that they are right.. the people that are so sure that you can get one thru one of these files.. please post a link or fwd one of the files to be checked.. not trying to insult anyone.. but actualy trying to have people show facts not just hearsay..

It happened months ago and I do not feel like arguing anymore.

It is not worth it.

Im not trying to argue.. all i was trying to do is get some facts or proof.. if im wrong or missinformed i would like to be corrected.. i dont like thinking im safe only to be fooled.. BUt on the same hand i dont want to just take peoples word for it.. if there is any proof of this i would like to see it..

again not arguing just skeptical since it was always said you cant in the old days.. i know its possible someone found a way.

I just found this
http://securityresponse.symantec.com/avcenter/venc/data/hacktool.jpegshell.html
so its possible as of the 25th of september.. so thats cool.. i was basing my info on how its been up till now.

in checking i still havent found anything on avi mpg mp3 etc.. all say that they are over writen.. ill keep looking.. i think this is a very important topic since lots of people think it cant be done.

[mats.hogberg]

Now, MS maight have their flaws, but recently, they've started taking security seriously.
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx
Read here. It's about virus in jpeg images. It's not "hijacking your start page" or "redirecting you to an unwanted URL" Its: "an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges."
Hoax? That MS bought?

If it can be done by carefully crafitng a jpeg image, I'd bet my last shirt it can be done with an mp3 and/or a mpg.

/Mats

[bugster]

If it can be done by carefully crafitng a jpeg image, I'd bet my last shirt it can be done with an mp3 and/or a mpg.

/Mats

It depends to a certain extent on what you mean by the phrase "the file contains a virus". As has been pointed out, many file types, including avi, wmv and mp3 can contain 'metadata'. This data could (in theory) be a url which, if the player supports it (and WMP certainly does for avi and wmv, not sure about mp3) could launch your default browser. Assuming this is IE (which will be the case for most windows users) it could end up loading an activeX object whichh contains malicious code, without the users knowledge. So you are now infected with a virus.

Did the avi (or wmv or mp3) contain a virus. Strictly speaking, no, it did not. But it was a combination of the contents of the media file and some malicous scripting that caused you to become infected. So in this kind of situation many people would quite happily say they had an avi (or whatever type of file) that contained a virus.


It all boils down to semantics I guess

[Heywould3]

@bugster. You are right it is all down to semantics..
im a little concirned ( very little) that this could cause most AV SW to become hit or miss. norton is going to have to check the meta of all video/audio files and let you know if there is anything there. there is no way to know if its a link to a virii page or not so it will just ahve to be a warning. i guess symantec could check them all and tell you. but i guess you can do that yourself by setting activex to prompt..

anyway.. to set this all in line.. the virii is not (as far as i can tell today) actually encoded in the file BUT by opening it you are directed to a page or what ever that loads it.. so for most it will look as though its there..
ok ill buy that.

[mats.hogberg]

To me, the definition of a virus is a piece of code that tries to replicate itself to other systems. Semantics aside, what mages up a GIF, a JPG, an MPG, a...? 0 and 1. What makes up a computer program? 0 and 1. So you just have to disguise your program to (or embed it into) an image file (or audio file or video file or PDF or anything) and trick the application used to open it to start executing the code embedded in the "innocent" media data instead of itself. This is mostly done by buffer owerflow, a method as ancient as computers.

/Mats

[BJ_M]

:P

[DereX888]

Thisi s one of the most idiotic threads to appear on this site, I swear!

filename.mp3.exe is NOT mp3 file, its executable file.
filename.mp2.exe is NOT mp2 file, its executable file.
filename.avi.exe is NOT avi file, its executable file.
filename.mpg.exe is NOT mpeg file, its executable file.

filename.mp3.vbs is NOT mp3 file, its executable file.
filename.mp2.vbs is NOT mp2 file, its executable file.
filename.avi.vbs is NOT avi file, its executable file.
filename.mpg.vbs is NOT mpeg file, its executable file.

and so on and on

Same goes with the files having any other "double" or "multiple" extensions, the last extension listed is the real file's extension! Is it so hard to understand?
How can you people even discuss such BS lol
Because someone had set "Hide file extensions" on his computer, and thought that the file.mp3.vbs is .mp3 while it was actually .vbs visual basic script that infected his computer with virii - that doesnt change a thing and it doesnt prove anything! It just proves only that there are still idiots around, nothing else.

And for the embedded urls withing avi, ra/ram, qt and few other formats allowing it (thus someone can download a virus involuntarily): first of all - the file itself obviously doesnt carry a virus, it HAS to be downloaded. Second of all - why would you allow any of your players to automatically download *anything*? If your player doesnt have an option of disabling any downloads or disabling autmatic connections to websites etc - then change your ******* player for better one, geez! Its not a rocket science to figure it out...

You CAN'T have any virus withing MPEG files. Your player should either skip non-mpeg part of the file where the virus was inserted, or error out once reaching it.
Whoever said he got a virus from MP3 is a liar, or his MP3 file was actually a file with .vbs or .exe etc etc extension, and he dont know what he's talking about.

[junkmalle]

http://xforce.iss.net/xforce/alerts/id/182

"The GDI+ library contains a buffer overflow flaw when processing JPEG image files. Improper validation of integer fields in JPEG images can lead to an integer wrap, and a large memory copy operation into an improperly sized heap buffer. This can lead to arbitrary code execution with the privileges of the process or user viewing the image"

[Heywould3]

uh oh.. here we go .. lol

dont know if this last poster actually read all the posts on this.. but if you do it and i have said exactly the same thing..

last two actually.

[bazooka]

To me, the definition of a virus is a piece of code that tries to replicate itself to other systems. Semantics aside, what mages up a GIF, a JPG, an MPG, a...? 0 and 1. What makes up a computer program? 0 and 1. So you just have to disguise your program to (or embed it into) an image file (or audio file or video file or PDF or anything) and trick the application used to open it to start executing the code embedded in the "innocent" media data instead of itself. This is mostly done by buffer owerflow, a method as ancient as computers.

/Mats

It can also replicate to other files in the same computer.

[Heywould3]

/me runs and grabs shot gun and shoots holes all through this topic

Still looking for proof/facts.. other than what I posted.

[bazooka]

How is this for proof? I had a virus attach to my printer driver file and then attached to every other file in my computer forcing a reinstall.

This was three years ago.

[tvideo]

Thisi s one of the most idiotic threads to appear on this site, I swear!

filename.mp3.exe is NOT mp3 file, its executable file.
filename.mp2.exe is NOT mp2 file, its executable file.
filename.avi.exe is NOT avi file, its executable file.
filename.mpg.exe is NOT mpeg file, its executable file.

filename.mp3.vbs is NOT mp3 file, its executable file.
filename.mp2.vbs is NOT mp2 file, its executable file.
filename.avi.vbs is NOT avi file, its executable file.
filename.mpg.vbs is NOT mpeg file, its executable file.

and so on and on

Same goes with the files having any other "double" or "multiple" extensions, the last extension listed is the real file's extension! Is it so hard to understand?
How can you people even discuss such BS lol
Because someone had set "Hide file extensions" on his computer, and thought that the file.mp3.vbs is .mp3 while it was actually .vbs visual basic script that infected his computer with virii - that doesnt change a thing and it doesnt prove anything! It just proves only that there are still idiots around, nothing else.

And for the embedded urls withing avi, ra/ram, qt and few other formats allowing it (thus someone can download a virus involuntarily): first of all - the file itself obviously doesnt carry a virus, it HAS to be downloaded. Second of all - why would you allow any of your players to automatically download *anything*? If your player doesnt have an option of disabling any downloads or disabling autmatic connections to websites etc - then change your ******* player for better one, geez! Its not a rocket science to figure it out...

You CAN'T have any virus withing MPEG files. Your player should either skip non-mpeg part of the file where the virus was inserted, or error out once reaching it.
Whoever said he got a virus from MP3 is a liar, or his MP3 file was actually a file with .vbs or .exe etc etc extension, and he dont know what he's talking about.

Well said, this forum is filled with a lot of misinformed people indeed and this topic is ridiculous and some of the exsadrerations in how the MP3 file is STILL an MP3 file w/ some hidden URL in it is becoming laughable.

I cannot belive this thread is still going on

[bazooka]

Thisi s one of the most idiotic threads to appear on this site, I swear!

filename.mp3.exe is NOT mp3 file, its executable file.
filename.mp2.exe is NOT mp2 file, its executable file.
filename.avi.exe is NOT avi file, its executable file.
filename.mpg.exe is NOT mpeg file, its executable file.

filename.mp3.vbs is NOT mp3 file, its executable file.
filename.mp2.vbs is NOT mp2 file, its executable file.
filename.avi.vbs is NOT avi file, its executable file.
filename.mpg.vbs is NOT mpeg file, its executable file.

and so on and on

Same goes with the files having any other "double" or "multiple" extensions, the last extension listed is the real file's extension! Is it so hard to understand?
How can you people even discuss such BS lol
Because someone had set "Hide file extensions" on his computer, and thought that the file.mp3.vbs is .mp3 while it was actually .vbs visual basic script that infected his computer with virii - that doesnt change a thing and it doesnt prove anything! It just proves only that there are still idiots around, nothing else.

And for the embedded urls withing avi, ra/ram, qt and few other formats allowing it (thus someone can download a virus involuntarily): first of all - the file itself obviously doesnt carry a virus, it HAS to be downloaded. Second of all - why would you allow any of your players to automatically download *anything*? If your player doesnt have an option of disabling any downloads or disabling autmatic connections to websites etc - then change your ******* player for better one, geez! Its not a rocket science to figure it out...

You CAN'T have any virus withing MPEG files. Your player should either skip non-mpeg part of the file where the virus was inserted, or error out once reaching it.
Whoever said he got a virus from MP3 is a liar, or his MP3 file was actually a file with .vbs or .exe etc etc extension, and he dont know what he's talking about.

Well said, this forum is filled with a lot of misinformed people indeed and this topic is ridiculous and some of the exsadrerations in how the MP3 file is STILL an MP3 file w/ some hidden URL in it is becoming laughable.

I cannot belive this thread is still going on

What do you do for a living?

[BJ_M]

ID3-TAGs are special sections within an MP3 file in which information about the artist, album, title, etc. can be stored. During the develpment of MP3, the ID3-TAGs have changed a lot. Today there are two versions which are used: ID3v1 and ID3v2. The primary difference between these versions are:

ID3v1 only contains entries for the title (30), artist (30), album (30), defined genres, track number, year and a comment. The numbers in brackets tells you many characters an entry can contain, because the entry length is limited.

These limits do not exists in the ID3v2-TAGs, and not only are enries are no longer limited in their length, there are also a much greater number of entries possible, like songwriter, web addresses, etc.

Keep in mind that ID3v2-TAGs are still under development, so the new entries which will be given out from id3.org will be integreted in ID3-TagIT in later versions.

For more information: http://www.id3.org

[BJ_M]

the url in a id3 will open a webpage automatically in apps like windows media player and winamp and real media

[tvideo]

You two won't quit will you? LOL

Well bazooka does it make a big difference as to what I do for a living? No matter what I say you will still believe what you want to believe. Aside that is irrelevant, if I am a software developer I could still not know anything about Virii or security anyway. Some people I know aren't IT professionals and know quite a bit in a certain area more than so-called experts.

You place too much faith in ones education or job that this is vital for their knowledge on a certain subject such as Virii - it isn't.

It's late here, I had a busy day...going to bed and letting you two think whatever you want.

As they say "Whatever floats your boat" cya tomorrow gentlemen

[illgamma]

why dont we just do a poll about this? it seems to be a big debate.

[mpack]

I deal in computer security. Why would I make this up? I am a network engineer by trade.

And yes,
You can have a virus within an mp3. I have seen it happen.

Saying it loud dont mean saying it clear. I dont care what business you are in. I have been programming computers big and small since before the days of the Apple II, and I am not aware of any mechanism that allows a computer program to do damage if that computer program is never run. Perhaps I am simply unaware of a mechanism in MP3 that allows for the propagation and execution of program code: if you know of such a mechanism then by all means lets hear it.

[FOO]

Someone needs to explain to me why an MP3 player would be looking for
URLs, executable code, etc. The player would have to be deliberately designed to detect those, change modes, and deal with them. I strongly suspect the MP3 spec has no provisions for containing such things and therefore no sane player will have provisions to look for them . I know for a fact that MP2 has no such thing. I guess I have to go look it up.

You can glue a virus onto or into an audio file all day, but it won't do any good till it gets loded into memory and executed as code which a player
has no business doing.

[mpack]

I wasnt going to get into this.. BUT i couldnt resist.. mpg jpg mp3 avi cant and dont have the actual virii BUT the can and have had imbeded urls that when played will take you to a web page..

Strange... I've implemented my own mpeg and jpeg codecs, all from scratch from the ISO specs, and I don't remember implementing anything that would have allowed either embedded executable code or embedded URLs. Sounds to me like people are confusing features of a particular piece of software, such as IE or Media Player - with the features of the media...

[d_unbeliever]

maybe you could post a link here of a sample mp3 or avi virus and run it in our pc so we will all see......this thread make me thinks twice about downloading MP3

[junkmalle]

"Writing Buffer Overflow Exploits - a Tutorial for Beginners"

http://www.securiteam.com/securityreviews/5OP0B006UQ.html

[mpack]

Semantics aside, what mages up a GIF, a JPG, an MPG, a...? 0 and 1. What makes up a computer program? 0 and 1.

Theres a lot more to it than that. What decides that a collection of 0s and 1s in a file on your hard disk makes it a text file, or a word document, or an mpeg video clip? Potentially, nothing at all: its the act of processing the file in a particular way - and providing that it conforms to the relevant standard - that allows it to be treated as a text file or an mpeg. If the processing performed on the file does not include extracting program code and running it then it cannot be the source of a virus or trojan.

[bazooka]

I deal in computer security. Why would I make this up? I am a network engineer by trade.

And yes,
You can have a virus within an mp3. I have seen it happen.

Saying it loud dont mean saying it clear. I dont care what business you are in. I have been programming computers big and small since before the days of the Apple II, and I am not aware of any mechanism that allows a computer program to do damage if that computer program is never run. Perhaps I am simply unaware of a mechanism in MP3 that allows for the propagation and execution of program code: if you know of such a mechanism then by all means lets hear it.

For crying out loud man, I was trying to drop this.

It is not hard to insert executable malicious code into anything.

[johns0]

How about getting a real virus such as virus.exe and change the extension to virus.mp3 with no exe at the end,you cant get infected.

[DereX888]

What do you do for a living?

None of your **** business, dude! Are you a lonely biatch trying to find some good-income dude to milk or what? How is your question related to this thread?
Stick to the subject or be ignored.

[DereX888]

How about getting a real virus such as virus.exe and change the extension to virus.mp3 with no exe at the end,you cant get infected.

Do it, and see what'll happens lol

Assuming you have no antivirii software - Winamp probably will error out on it, thats about all.
However the subject is about viruses *inside* the mp3 or any other media file (as in "hidden inside", or "attached to it"), and having just a virus with an .mp3 extension does NOT make it mp3, does it?