Video files are not typically thought of as potentially malicious or infected file types, but it is possible for malware to be embedded in or disguised as a video file. Due to this common misconception, audio and video files are incredibly intriguing threat vectors for malware writers.
Reasons for Viruses
- Media players are very frequently used software; users tend to keep them open for extended periods while doing other tasks, and frequently switch media streams.
- There is a wide variety of audio players and many different codecs and audio file plugins, generally written by people who are not security-focused.
- The file formats involved are binary streams and tend to be reasonably complex. Much parsing is required to manipulate them, and playback calculations can easily result in integer bugs.
- Players take untrusted input from many different unreliable sources (often over the network), and run with fairly high privilege and priority. For instance, in Windows Vista, a low-privileged IE instance can launch content in a higher-privileged WMP.
- They are perceived as relatively harmless, so users are likely to play files given to them.
- They are frequently invoked without the user's explicit acknowledgement (e.g. when embedded in a web page) [1].
Vulnerabilities
Typical attack vectors are 1) fuzzing the media player with a modified video file and 2) embedding hyperlinks in a video file.
1) Fuzzing is a generic method of forcing a program to behave unexpectedly by providing invalid, unexpected or random data as input.
Fuzzing is designed to find deep bugs and is used by developers to ensure the robustness of code; however, a developer's best tool can also be used to exploit. For media players, which are supposedly "format strict", a corrupted real video file can expose many bugs, most caused by dereferencing null pointers. The result is inappropriate memory access, which indicates the possibility of writing to memory that was never intended to be written [2]. Fortunately, fuzzing media players requires in-depth knowledge of the file format; otherwise the "corrupted" file will simply be ignored by the player.
2) A more direct method is obtained by embedding a URL into modern media files.
For example, Microsoft Advanced Systems Format (ASF) allows simple script commands to be executed. In this case, "URLANDEXIT" is placed at address 0x1329-0x133B, followed by a URL. When this command executes, the user is directed to download an executable file, often disguised as a codec that the user is prompted to download in order to play the media [1,3].
Metascan Online has an example of one such file: https://www.metascan-online.com/en/scanresult/file/c88e9ff9e59341eba97626d5beab7ebd
The general threat name is "GetCodec", in this specific example, the media player was redirected to http://microsoftmediaplayer.net/pluginerror/ (website was taken down due to malware) and downloaded a trojan [4].
We have scanned the trojan here: https://www.metascan-online.com/en/scanresult/file/bd493d4780924435bfeb96a2af6db5b2
Microsoft (https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?ThreatId=-2147335891#tab=2) and Woodmann [4] give a deeper understanding of how the Trojan behaves.
Examples of File Type Exploits
Below is a table listing popular media file formats that have recently been exploited by routing the user to malicious sites [3]. The bracketed numbers in the table are the references of that report, not of this article.

| File Format | Detection | Description | First Reported |
|---|---|---|---|
| Windows .wma/.wmv | Downloader-UA.b | Exploits flaw in Digital Rights Management [1] | January 2005 |
| Real Media .rmvb | W32/Realor.worm | Infects Real Media files to embed link to malicious sites [2] | November 2006 |
| Real Media .rm/.rmvb | Human crafted | Launches malicious web pages without prompting [3] | December 2007 |
| QuickTime .mov | Human crafted | Launches embedded hyperlinks to pornographic sites [4] | April 2008 |
| Adobe Flash .swf | Exploit-CVE-2007-0071 | Vulnerability in DefineSceneAndFrameLabelData tag [5] | June 2008 |
| Windows .asf | W32/GetCodec.worm | Infects .asf files to embed links to malicious web pages [6] | July 2008 |
| Adobe Flash .swf | Exploit-SWF.c | Vulnerability in AVM2 "new function" opcode [7] | June 2010 |
| QuickTime .mov | Human crafted | Executes arbitrary code on the target user's system [8] | August 2010 |
| Adobe Flash .swf | Exploit-CVE-2010-2885 | Vulnerability in ActionScript Virtual Machine 2 [9] | September 2010 |
| Adobe Flash .swf | Exploit-CVE2010-3654 | Vulnerability in AVM2 MultiName button class [10] | October 2010 |
Solutions
Not all media players have guarded against malicious links, so the obvious recommendations follow: do not view untrusted files, never run media players with elevated privileges, and do not accept downloads of unheard-of codecs or strange licenses.
Many antivirus vendors have now added detection that looks for URL signatures inside media files; however, malware writers can evade this by embedding the URL in multi-gigabyte files, which can take the engines a very long time to scan properly.
As for fuzzing exploits, you will have to trust that the programmers have performed the appropriate testing to clean up the deep bugs.
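As an added example (not code from the original post or from any vendor mentioned on it), the Python scanner below looks for the ASF "URLANDEXIT" command and a URL following it, as described in the Vulnerabilities section, and reads the file in fixed-size chunks with an overlap so that a multi-gigabyte file costs constant memory and an indicator straddling a chunk boundary is not missed. The UTF-16LE byte patterns, the chunk and overlap sizes, and the sample file are constructed assumptions, not vendor signatures.

```python
import io
import re

# ASF stores script command names and arguments as UTF-16LE strings, so both
# indicators are UTF-16LE byte patterns constructed from the page's description
# of the URLANDEXIT command; they are not vendor signatures.
URLANDEXIT_SIG = "URLANDEXIT".encode("utf-16-le")
URL_PATTERN = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on multi-gigabyte files
OVERLAP = 4096        # longer than any indicator we look for, so none is lost at a boundary


def scan_stream(fp) -> dict:
    """Stream fp once; return {"urlandexit": {offset: bytes}, "url": {offset: bytes}}.
    The last OVERLAP bytes of each chunk are re-scanned with the next chunk, so an
    indicator straddling a boundary is still found; matches are keyed by absolute
    offset and the longest wins, which also dedupes the re-scanned region."""
    hits = {"urlandexit": {}, "url": {}}
    tail, base = b"", 0  # base: absolute file offset of buf[0]
    while True:
        data = fp.read(CHUNK_SIZE)
        if not data:
            return hits
        buf = tail + data
        idx = buf.find(URLANDEXIT_SIG)
        while idx != -1:
            hits["urlandexit"][base + idx] = URLANDEXIT_SIG
            idx = buf.find(URLANDEXIT_SIG, idx + 1)
        for m in URL_PATTERN.finditer(buf):
            off = base + m.start()
            if len(m.group()) > len(hits["url"].get(off, b"")):
                hits["url"][off] = m.group()
        tail = buf[-OVERLAP:]
        base += len(buf) - len(tail)


def scan_bytes(data: bytes) -> dict:
    return scan_stream(io.BytesIO(data))


def getcodec_urls(hits: dict) -> list:
    """URLs that appear after the first URLANDEXIT command: the redirect pattern above."""
    if not hits["urlandexit"]:
        return []
    first = min(hits["urlandexit"])
    return [v.decode("utf-16-le") for off, v in sorted(hits["url"].items()) if off > first]


def build_sample() -> bytes:
    """Constructed stand-in for an ASF file (not a real capture): zero filler, then a URLANDEXIT
    command and a placeholder URL placed so the command name straddles the first chunk boundary."""
    url = "http://example.invalid/pluginerror/".encode("utf-16-le")
    return b"\x00" * (CHUNK_SIZE - 6) + URLANDEXIT_SIG + b"\x00\x00" + url + b"\x00" * 64
```

Running `getcodec_urls(scan_bytes(build_sample()))` reports the placeholder URL even though the command name is split across the first two 1 MiB chunks; without the overlap it would be missed.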
References
[1] David Thiel. "Exposing Vulnerabilities in Media Software". December 2013. http://www.blackhat.com/presentations/bh-europe-08/Thiel/Whitepaper/bh-eu-08-thiel-WP.pdf
[2] Colleen Lewis, Barret Rhoden, Cynthia Sturton. "Using Structured Random Data to Precisely Fuzz Media Players". December 2013. http://www.eecs.berkeley.edu/~brho/fuzz/fuzz_media_players.pdf
[3] Rahul Mohandas, Vinoo Thomas, and Prashanth Ramagopal. "Malicious Media Files: Coming to a Computer Near You". December 2013. http://www.mcafee.com/us/resources/reports/rp-malicious-media-files.pdf
[4] "URLANDEXIT tag in WMV". December 2013. http://www.woodmann.com/forum/showthread.php?13187-URLANDEXIT-tag-in-WMV