====== Malware hidden in video files ======

===== Abstract =====

While we are extra careful with executable files, we consider video files harmless, even though opening them runs relatively high-privilege programs, such as Windows Media Player. In this article we discuss how harmful video files can really be, how they infect a computer, the extensions used to exploit flaws, how to detect that something is wrong and how we can defend ourselves against this type of malware.

**Tags:** malware, attack, video, files, hidden, steganography, defense, cybersecurity, virus, cybercriminal

===== Introduction =====

The lure of video might be the perfect social engineering trick for malware attacks. Nowadays we share an enormous amount of video files and images to deliver information about a given topic, to disconnect from the world, or just to entertain ourselves on social networks, which more than 3.8 billion people around the world use. This, together with the widespread belief that video files are harmless, works in cybercriminals' favour. Malware has been embedded in image formats such as JPG and PNG for years now, but the latest trend seems to be embedding malicious programs or links into videos using steganography, the practice of hiding something secret inside another medium.

===== Attacks =====

As mentioned before, video files are not something we consider harmful, and this common misconception is precisely their strength. Users share and download a lot of video content without paying attention and without scanning it, since the files are large and scanning would take some time. There is also a wide variety of video and audio players, and many different codecs and plugins, written by people who do not treat security as their main priority. This, added to the tendency of users to download video from unreliable sources, is the perfect mix for malware to hide and spread to many different victims.
That said, there are two types of attacks: fuzzing the media player and embedding hyperlinks.

==== Fuzzing the media player ====

Fuzzing is a technique that forces a program to behave unexpectedly by feeding invalid or random data to its inputs. It is designed to find deep bugs and make sure that code is robust, although the same tools used for this purpose can be turned against users. It can result in inappropriate memory access, such as writing to memory that was never supposed to be writable. The good news is that the attacker must have deep knowledge of the file format, or else the player will simply ignore the file.

==== Embedding hyperlinks ====

In this technique, a URL pointing to a malicious file or code is embedded into the video file. Microsoft Advanced Systems Format (ASF) allows simple scripting to be executed. For example, a “URLANDEXIT” command can open a URL that serves a malicious file disguised as a codec required to play the video. This way, the user downloads the program and the system is infected.

{{ :en:racfor_wiki:a.jpg?600 |}}

We could also redirect the user straight to an infected URL, but that would be more suspicious and wouldn't catch many users off guard.

===== Examples of vulnerabilities =====

{{:en:racfor_wiki:b.png?400|}}

===== Defense =====

The best defense is not getting infected at all, rather than getting rid of the virus once it has made its way into our computer. For that, we can open the video file in a hex editor and check whether a hyperlink is embedded in it. If there is one and it points to a suspicious website, we can simply delete it. If the video file seems to be corrupted, the best choice is not to open it at all, since it can fuzz our media player and, if done correctly, the malware could access unauthorized memory regions containing sensitive information or OS code.
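The hex-editor check described above can be scripted. The following Python scanner is an added example, not code from the original article: it looks for the ASF Script Command Object (identified by its GUID from the ASF specification), the URLANDEXIT command and any URL stored as ASCII or UTF-16LE (the string encoding ASF uses). The sample bytes are constructed for illustration only, not a real file, and the hostname is a placeholder.

```python
import re
import uuid

# GUID of the ASF "Script Command Object" (from the ASF specification). On disk
# the first three GUID fields are little-endian, which is what bytes_le yields.
ASF_SCRIPT_COMMAND_GUID = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le

# Loose URL pattern; '-' is last in the class so it is not read as a range.
URL_PATTERN = r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+"
URL_RE_TEXT = re.compile(URL_PATTERN)
URL_RE_BYTES = re.compile(URL_PATTERN.encode("ascii"))


def _utf16_views(data: bytes):
    """Decode from both 16-bit alignments so UTF-16LE strings that start at an
    odd byte offset are not missed. Undecodable bytes are simply dropped."""
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")


def scan_for_embedded_links(data: bytes) -> dict:
    """Report the artefacts the article tells us to look for in a hex editor."""
    urls = {m.decode("ascii") for m in URL_RE_BYTES.findall(data)}
    urlandexit = b"URLANDEXIT" in data            # ASCII form, just in case
    for text in _utf16_views(data):               # ASF stores strings as UTF-16LE
        urls.update(URL_RE_TEXT.findall(text))
        urlandexit = urlandexit or "URLANDEXIT" in text
    return {
        "has_script_command_object": ASF_SCRIPT_COMMAND_GUID in data,
        "has_urlandexit": urlandexit,
        "urls": sorted(urls),
    }


def is_suspicious(report: dict) -> bool:
    """URLANDEXIT, or a script command object carrying a URL, is the
    'download this codec' lure; treat the file as one not to open."""
    return report["has_urlandexit"] or (
        report["has_script_command_object"] and bool(report["urls"])
    )


# Constructed stand-in for a booby-trapped ASF file (not a real file): filler,
# the script command object GUID, the command name and a UTF-16LE URL.
SAMPLE_MALICIOUS = (
    b"\x00" * 16
    + ASF_SCRIPT_COMMAND_GUID
    + "URLANDEXIT".encode("utf-16-le")
    + "http://codec-update.example/player_codec.exe".encode("utf-16-le")
)
SAMPLE_BENIGN = b"\x00\x01\x02" * 64  # constructed, carries no link or command

if __name__ == "__main__":
    print(scan_for_embedded_links(SAMPLE_MALICIOUS), is_suspicious(scan_for_embedded_links(SAMPLE_MALICIOUS)))
```

To check a real file, pass `open(path, "rb").read()` to `scan_for_embedded_links`; a hit is a reason to delete the link or not open the file, as the article advises.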
Another way of defending against these attacks is being extra careful with documents or other files that can have video files embedded in them, since opening them exposes us to the same risk mentioned before.