virus in video

[Capmaster]

What do you do for a living?

None of your **** business, dude! Are you a lonely biatch trying to find some good-income dude to milk or what? How is your question related to this thread?
Stick to the subject or be ignored.

Take it easy. I think he was referring to his experience or training in the field. He wasn't trying to pick you up :P

[DereX888]

What do you do for a living?

None of your **** business, dude! Are you a lonely biatch trying to find some good-income dude to milk or what? How is your question related to this thread?
Stick to the subject or be ignored.

Take it easy. I think he was referring to his experience or training in the field. He wasn't trying to pick you up :P

You never know one's intentions after its (usually) too late

[bazooka]

@Derex

I prefer females. I am not into deviant lifestyles.
I was referring to are you in the IT professional field?

I am also married and have a three year old son.

Relax

[jameshgross]

bazooka is correct, and I am not going to tell the rest of you how to do it.
It is not that difficult but you script kiddies cannt do it. It requires real programing skills, a knowledge of Windows files headers and footers and understanding of exactly what an executable piece of code is. Take it from a programing pro, a virus can ride inside anything that you can download. Even encrypted and embedded in a jpeg file. There are many texts on this subject and if you really want to know then do the research.

[jimmalenko]

Dammmmmmmmn ...... All the good threads happen when I'm asleep

I've read through the entire thread and haven't been able to stop shaking my head.

It's a ******* internet forum, people.

There is absolutely no need for all this "you calling me a liar" bullshit. I mean, what are you going to do about it if someone IS lying ? As the latest vulneribility with JPEGs shows, it is conceivable to me that any file format could carry virus code. Whether windows will fall over because of it is another matter that I don't think any of us really knows, and I'm certainly not prepared to try it out for the benefit of everyone here

Something to think about - if you take virus.vbs and rename it virus.mpg, is it a vbs or a mpg file and why ?

[thor300]

I havent heard of MP3 being able to carry viruses, but you can embed a virus/script into WMV and WMA, check out the script section of Windows media encoder SDK. These scripts will execute through WMP. I have come across WMV that opens dialog boxes and then send you to their website.

[Cornucopia]

Maybe we can come to an agreement here...

#1--A "virus" is a naughty bit of programming code with can do mischief, as well as replicate itself. I think we all understand that.

#2--Being code, it has to be run at some point, otherwise it can't do anything. It's still a virus, but it's not a problem yet. I think we all can agree on that.

#3--ANYTHING can have that code in it, or attached to it, or BE it. However, as per #2, unless that code is run--either by a program/player which recognizes it as code to be run, or script/macro to be run, or it runs by itself, it sits there dormant and innocuous.

#4--If mp3's and jpg's (and I know wmv's do) have metadata that can call URL's, this is a hole/window for malicious code to reside and execute...BUT ONLY if it gets executed.

#5--In the case of the above, this can only happen when "played" on a player/program that recognizes and acts upon the existence of such metadata.

#6--I think we all can agree that a "myfavsong.mp3.vbs" is really a vbs masquerading as an mp3 to those unfortunates who have hidden their file extentions. As a vbs, it can be a vbs virus like so many others. (Same goes for .exe, etc...)

How to avoid these kinds of virii:

1. Show all file extensions
2. Never directly open a file from the web, download and then AV scan 1st.
3. Set IE to not run ActiveX without asking 1st.
4. Set OutlookExpress to read everything as plain text (no HTML...you can still view the HTML if you save & scan attachments)--this has saved my butt 100's of times.
5. Play multimedia files (jpgs, gifs, mpgs, avi's, mov's, wmv's, etc) ONLY in players that just show the payload, not futz with any metadata (or certainly not without asking 1st).
6. Only open scriptable stuff when physically OFFLINE from the web. and include a firewall like ZoneAlarm.
7. Routinely AV scan EVERYTHING on your computer, not just executables.

Anymore questions?/Arguements?

Scott

[Cornucopia]

I'm sure this'll date me, but this kinda reminds me of that old "Backwards Satanic Message" BS from the late '60s/early '70s.

Similarly, as long as one didn't actually rewire their Phonograph players to play backwards, you'd never hear anything of the sort. (I did, cuz I wanted to see what all the fuss was about. Don't waste your time)

Scott

We need to stop using phono players that have those extra "Backwards"-capable switches.

[John2001]

Well, it looks like bazooka's right.


http://www.securityfocus.com/news/338
http://www.securityfocus.com/archive/1/269724
http://www.newscientist.com/hottopics/tech/article.jsp?id=99992236&sub=Gadgets%20and%20Inventions

[Marvingj]

Very interesting Post!

[BJ_M]

Someone needs to explain to me why an MP3 player would be looking for
URLs, executable code, etc. The player would have to be deliberately designed to detect those, change modes, and deal with them. I strongly suspect the MP3 spec has no provisions for containing such things and therefore no sane player will have provisions to look for them . I know for a fact that MP2 has no such thing. I guess I have to go look it up.

You can glue a virus onto or into an audio file all day, but it won't do any good till it gets loded into memory and executed as code which a player
has no business doing.

they do - see https://www.videohelp.com/forum/viewtopic.php?p=1054913#1054913

winamp and wmp both read these tags - so do other apps ..

on the winamp forum -they explain how to construct a tag so playing file will either open a web page or link (which can record an ip or be designed to do whatever web pages can do)

[Heywould3]

Well, it looks like bazooka's right.


http://www.securityfocus.com/news/338
http://www.securityfocus.com/archive/1/269724
http://www.newscientist.com/hottopics/tech/article.jsp?id=99992236&sub=Gadgets%20and%20Inventions

"Because they cannot contain viruses or other malicious code, files in the MP3 format are generally trusted by Internet users, who freely swap such files with strangers over services such as Morpheus, Grokster and Kazaa. "

EDIT: i stand corrected. again thanks for the post John.. thats the info i was looking for,

[bugster]

P.S. i didnt get to the second and third link yet but im working on it.

Perhaps you should have before posting!

from the 2nd link.

It is possible to modify an existing mp3 file in such a way that it can
carries a virus. The virus is activated when the mp3 file is played in
Winamp

and:

The buffer overflow condition occours when the url
string intended to be sent to the minibrowser is created. That means the
buffer overflow occours before any actual internet connection to
info.winamp.com is beeing made.

So, a version of winamp contained a flaw that could lead to a buffer overflow condition. As you are well aware, this is a common type of flaw and often use to spread malicous code. So it looks to me as if an Mp3 containing a carefully crafted URL to exploit this flaw, and also containing some malicous code, is/was a possibility. Note, this is a virus within an otherwise valid, and playable mp3 file, not simply a URL to download a virus from.

As there is now a verified windows exploit using nothing more 'executable' than a jpg picture file, I don't think it safe to assume that any particular file type is safe.

EDIT: BTW, I am not trying to claim that such a thing as a virus carried by an mp3 or video file has ever existed, at least not 'in the wild', just pointing out the theoretical possibilities.

[Heywould3]

P.S. i didnt get to the second and third link yet but im working on it.

Perhaps you should have before posting!

from the 2nd link.

It is possible to modify an existing mp3 file in such a way that it can
carries a virus. The virus is activated when the mp3 file is played in
Winamp

and:

The buffer overflow condition occours when the url
string intended to be sent to the minibrowser is created. That means the
buffer overflow occours before any actual internet connection to
info.winamp.com is beeing made.

So, a version of winamp contained a flaw that could lead to a buffer overflow condition. As you are well aware, this is a common type of flaw and often use to spread malicous code. So it looks to me as if an Mp3 containing a carefully crafted URL to exploit this flaw, and also containing some malicous code, is/was a possibility. Note, this is a virus within an otherwise valid, and playable mp3 file, not simply a URL to download a virus from.

As there is now a verified windows exploit using nothing more 'executable' than a jpg picture file, I don't think it safe to assume that any particular file type is safe.

Thank you Bugster.

Yes, It looks like this is partialy true.. (Winamp Bug) and again.. i was just looking for facts.. it is a fairly new devlopement therefore people stating that it was not possible WERE at one point correct.. the people stating you can are currently right..

I was just looking for verifiable proof which we now have..

To the original poster.. if you follow the last 3 links you will see that it is in fact possible in some cases to have a virus run in an mp3 in some media players. is nothing sacred? sad day for some P2P users. oh well.. if you dont have a good AV and you allow activex you are bound to get into trouble anyway

It looks like this topic can finaly end.

[dphirschler]

I shudder to think what the RIAA (or MPAA) might do with this knowledge.


Darryl

[mats.hogberg]

people stating that it was not possible WERE at one point correct.. the people stating you can are currently right..

Like someone saying July 19, 1969 that man could never land on the moon. And are equally right saying that you can, July 20, 1969?

/Mats

[BJ_M]

I shudder to think what the RIAA (or MPAA) might do with this knowledge.


Darryl

they already do -

[dphirschler]

<shudder>


Darryl

[triphop]

An mp3 could have a virus in the same way that a jpeg could have a virus - the mp3 could cause a buffer overflow in a particular player (heres the rub) and then cause the virus payload to be loaded into the overflowed stack frame. This is entirely possible. But AFAIK there is no such MP3 virus in the lab or the wild.

As for mp3s causing a player to open a URL - you do firewall both incoming and outgoing traffic, don't you???!?!?

It is *VITALLY* important to make sure that you know what information is being sent from PCs behind your firewall out to the internet. Most of the hardware firewalls automatically allow outgoing traffic without permission. Do try and stop this. It will take some work to create a manageable and workable system but it is possible (hint: authenticating proxies on bastion hosts...)

[Heywould3]

people stating that it was not possible WERE at one point correct.. the people stating you can are currently right..

Like someone saying July 19, 1969 that man could never land on the moon. And are equally right saying that you can, July 20, 1969?

/Mats

there are people today that still say we never have :P we dont want to get into that now do we

well i never said you couldnt make one.. i just said that up to the point i was refering to there wasnt.. not that it couldnt happen.. so thats apples and oranges..

I have many times stated that all i wanted was verifyable proof.. not that it couldnt happen..

[Heywould3]

problem with topics like these are that when they get too long people will post on a certin post and not read the rest.. people are now starting to post statements that have alreadybeen gone over or discounted. im somewhat guilty of this too.. but we dont need to go over the jpg or mp3 overflow bug again.

wasnt this started on an AVI or mpeg file ? in the first place?

[triphop]

It was started about virii in mp3s (see title). The principle regarding jpegs, avis, etc is identical. If the player has a exploitable buffer overflow then it is possible to craft a virus to exploit it.

[MOVIEGEEK]

I will add to Cornucopias' recommendations:
In Outlook turn off Preview Pane,this will prevent some virii from executing..not to mention reduce spam.
Use a tag editor to remove any URL's.

[Heywould3]

It was started about virii in mp3s (see title). The principle regarding jpegs, avis, etc is identical. If the player has a exploitable buffer overflow then it is possible to craft a virus to exploit it.

See pic below.. it was video not mp3.. come one guys.. seriously

[bazooka]

I shudder to think what the RIAA (or MPAA) might do with this knowledge.


Darryl

they already do -

Yep- They employ one called Freeze - It locks up your computer for hours.

[tvideo]

I would still say "Freeze" sounds like an exploit not even really a trojan, and no where near being a virus.

None of the "possibilities" are viruses or worms, if anything they are exploits.

I still say there is NO MP3, MPEG etc. virii that infects and spreads it's self to other files.

[bazooka]

Whatever dude.

Stay ignorant for all I care.

We have already stated and proved there are such things.

[tvideo]

NONE of the links you posted were talking about a Virus or Worm. They were talking about exploits.

A Virus or Worm spreads it's self to other files and infects them, it replicates.

Your MP3 does 1 thing, that's a trojan...but from what I see it isn't even that.

For a security expert who doesn't know the differnce between virii & trojans, worms etc. I would look for a new line of work.

[BJ_M]

now it is clear :

[bazooka]

NONE of the links you posted were talking about a Virus or Worm. They were talking about exploits.

A Virus or Worm spreads it's self to other files and infects them, it replicates.

Your MP3 does 1 thing, that's a trojan...but from what I see it isn't even that.

For a security expert who doesn't know the differnce between virii & trojans, worms etc. I would look for a new line of work.

Listen arsehole,

I know the difference between trojans, worms and viruses.