54

So I'm not familiar at all with IT Security, but I'm a bit curious about something. I was watching a TV show and at one point, a virus spreads through an office. They investigate and find out that the virus was encoded in a video and it was "activated" when the video was played. So my question is, is this possible? Could that actually happen? Once again, I'm not at all familiar with either IT Security or video encoding/codecs, so forgive my ignorance.

EDIT:

Thanks for all your answers. They were very interesting and insightful. If you're interested, the show in reference was White Collar Season 3 Episode 7 "Taking Account".

pasawaya
  • 1,027
  • 1
  • 9
  • 12
  • 3
    Related to: http://superuser.com/questions/445366/can-avi-files-contain-a-virus – Alfredo Osorio Aug 03 '12 at 14:08
  • @AndrewSmith Did you even read the question correctly? I highly doubt everyone in the office has a TV.. and, computers can play videos as well... right? - and gegal, good show. – cutrightjm Aug 03 '12 at 23:11

8 Answers8

59

Yes, that's possible.

The malware probably wouldn't be embedded in the video itself, but the video file would be specially crafted to exploit a vulnerability in the codec or media player, to gain code execution. The exploit would then download a file and run it, infecting the machine.

These types of exploits have been common amongst popular document formats, e.g. PDF. Their proliferation makes them a good target for exploit writers, because people use them a lot and assume they're safe. At the end of the day, any file type could potentially contain an exploit, since an application that runs executable code is involved at some point.

Exploits like this are usually buffer overflow attacks, which alter control flow by overwriting data structures outside the normal memory range of a buffer.

More info:

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • Thanks. I just want to see if more answers trickle in before I mark you as the answer. I +1'd you in the meantime. – pasawaya Aug 03 '12 at 08:22
  • 2
    Of course, exploits like that rarely work against more than one type of reader/player software at the same time -- IE, a bug in windows media player's ogg decoder does not imply that VLC would suffer from the same glitch. So the attacker would have to know beforehand which client the target is using -- or just fire scattershot via spam and make sure the virus dials "home" once it hits. – Shadur Aug 03 '12 at 14:04
  • 9
    Usually this is correct, however some players use the same shared library for a given codec (usually on the same OS, but not always) so a vulnerability that is expressed in a shared library could compromise the security of multiple players (or even operating systems). In this case, the player itself is not the actual infection point, the library is. – Chris Nava Aug 03 '12 at 14:38
  • Chris is correct here. Most players share codecs and libraries, e.g. ffmpeg, making generic exploits easier to craft. – Polynomial Aug 03 '12 at 14:40
  • 1
    It is entirely possible to create a video codec with no possibility of exploitation. Such a codec would have limited flexibility however. – Joel Cornett Aug 03 '12 at 20:17
  • @JoelCornett Theoretically, yes, but in almost 20 years of programming experience I've never found a program without a single bug, let alone one as data-intensive and complex as a video codec. – Polynomial Sep 20 '12 at 14:21
  • 1
    @Polynomial, However, **practically speaking**, when was the last time a media file virus had been found on the popular VLC player? – Pacerier Mar 07 '16 at 16:43
  • @Pacerier VLC itself? [Feb 2015](http://www.videolan.org/security/sa1501.html) was VLC's last security bulletin. But VLC relies on a whole host of decoder libraries which could also be vulnerable, e.g. ffmpeg 2.8.6 fixed five security-impacting bugs in Feb 2016. So the real answer is "continuously". – Polynomial Mar 15 '16 at 15:34
  • Do you happen to know of a text file reader that blows up on specifically crafted text files? I find that unlikely, but I'd love to be proven wrong. – John Dvorak Dec 21 '16 at 19:27
  • 1
    @JanDvorak The one that comes to mind is [this vim vulnerability](https://www.ubuntu.com/usn/usn-3139-1/), but there are others in various rich text editors. – Polynomial Dec 27 '16 at 22:48
6

There is a pretty nice play-by-play of a real-life example of this on h-online (german it publisher). In this case it's a purposed flash video that contains several different attacks to infect the computer trying to display the video

Nicktar
  • 161
  • 2
  • 5
6

Besides @Polynomial's buffer overflow possibility, the "video file" could actually be a trojan executable. Here's a simple example:

  • An executable file is named such that it appears to be a video, like:
    "movie.avi                     .exe"
  • The executable extracts the video data embedded in it, starts your video player, and meanwhile deploys its malicious payload.

To the user, it appears that they've clicked a video file and it opened in their video player just like normal. Instead, they've been tricked into running the trojan.

Edit to add: This is the inverse of your question title. Instead of a virus encoded in a video, a video is encoded in a virus.

Simon
  • 169
  • 2
  • 4
    Your final sentence isn't really correct. Neither are encoded in either. It's just an executable with a name designed to trick people. – Polynomial Aug 03 '12 at 14:42
  • That's a fair point, and that's why I preferred "embedded" in my example. I kept "encoded" to mirror the question title. Of course, there's also the possibility that the video data isn't contained in the executable and is instead downloaded on the fly or is in another file on the computer already. The important part is that the trojan does play a video alongside infecting the host. – Simon Aug 03 '12 at 14:57
  • There are also trojans of this nature that don't attempt to play a decoy video, but that wouldn't fit the scenario in the question. – Simon Aug 03 '12 at 15:00
  • 3
    This is precisely why in Windows I always un-check "Hide file extensions". – 7wp Aug 03 '12 at 16:34
  • 1
    @7wp, and so I can actually rename `.txt` files to `.py` or something else :) – Wayne Werner Aug 03 '12 at 18:54
  • @Wayne Werner, seriously. I like Windows, but the decision from MS to hide file extensions by default boggles my mind since in Windows file extensions play such a critical role how Windows will handles each file type. Especially regarding execution! Isn't that just asking for trouble? – 7wp Aug 04 '12 at 17:19
  • @7wp, I'm still not sure that *good* security is really baked into Windows yet, sadly. With *nix you'll have hundreds of thousands (millions) of users asking you "WTF are you doing using `root` as your default account??!?!" It's pretty routine to just have an administrator account. Also more impressive - I have a non-privileged and privilaged account at work. When I do admin-type tasks, Windows frequently puts my non-admin account in the permissions tiles even though I'm **not an admin**. To me, that screams "WTF?!?!" – Wayne Werner Aug 06 '12 at 11:43
  • @7wp Security theater. You can still be tricked through unicode reversal. You see a file, `history_of_racism`. Easy you say! You enable displaying file extensions, and you see `history_of_racism.mp4`. Sounds safe, right? Nope, the actual file is `history_of_rac4pm.msi`, a Microsoft Installer file. with a unicode reversal character (RTL, or U+202e) inserted after the "rac". `4pm.msi` reversed is `ism.mp4`. – forest Jan 18 '18 at 20:46
  • @forest which is why linux's explicit execution permission is superior, because there is no doubt about the ability to execute a file. – 7wp Mar 11 '18 at 08:21
4

Take a look into this window's bulletin, which describes a patch to fix the jpeg parser (infected by viewing a jpeg image, ouch).

So, it certainly is possible. It is just a matter of finding a hole to execute a custom code. This is usually done by some kind of buffer overflow (see for example here).

BЈовић
  • 1,199
  • 1
  • 9
  • 17
  • I actually found some malware exploiting that bug, many moons ago. Just browsing to a page with a crafty JPEG was enough to trigger code execution. – Daniel Hanrahan Oct 12 '12 at 00:59
3
  • Flash runtime is using Main Concept H.264/AAC as well MP4 demux container format from the same company. There is also fMP4 format with very advanced meta-data. This is pretty much secure software.
  • Flash is also using MP3 audio, VP6 video and Nelly Moser audio formats with FLV muxing, this is is somewhat secure as well however I havent tested this one.
  • There is also Windows Media ASX/WMV/VC-1/WMA formats used by all Windows Browsers and Windows Media Player OCX
  • On linux there is VC-1 player replacement with mplayer
  • VLC plugin is one of the easiest, if user has plugin it's easy to crash the browser
  • Microsoft H.264 addon is using Windows 7 H264 and MPEG-2 decoder to play DVDs, blue-rays as well HD transport streams
  • Shoutcast protocol is also widely used
  • Firefox has Theora video and OGG audio, which is open source.
  • OSX (MAC/iphone/ipad) has MPEG-2 TS decoder done by Apple and works in Safari browser
  • UK freeview Set Top Box is using libcurl / VLC to play the videos
  • Smart TVs are using various open source libraries or same as on Sony Playstation (Sony TV)
  • Android 4 is using MPEG-2 decoder via browser too
  • Silverlight runtime is using Windows Media, H.264 decoder from Microsoft on Windows and Microsoft Phone

There are many other players which can run viruses, some TV's utilize complete scripting which can be injected thru the DVB-T terrestial or DVB-S satellite signal, which is sometimes performed to take out the pirate boxes.

So you see, you can make a living just by hacking video formats. Most of them has serious holes, with the most dodgy one being VLC and the most secure Main Concept.

The show you have seen doesnt need to be true, to actually perform this on main concept itself it's not likely however some formats had bugs previously, but since the adobe player has autoupdate, the problem is much better at the moment than 5 years ago, when the show was shot

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Andrew Smith
  • 1
  • 1
  • 6
  • 19
1

NOTE: this answer was taken from my answer to the same question on SuperUser

Technical answer -- with citations

Most movie players use libavcodec. It's the library behind ffmpeg. This includes VLC, Google Chrome, and many other applications. An "arbitrary codec execution" is a class of vulnerability that allows you to execute code when it's not intended. A "virus" is another name for a payload that when executed replicates. Replication is trivial with an arbitrary code execution vulnerability: these bugs are pretty serious, only under privilege escalation and remote execution.

  • If a vulnerability in libavcodec was found that allowed arbitrary code execution.
  • And, if your media player uses libavcodec
  • Then a video can deliver a virus.

Has a vulnerability of this sort been discovered? Yes. Enter CVE-2020-35964 which was fixed in Ffmpeg 4.3.1. If you're using a media player that is linked against libavcodec 4.3.0 or lower, you're potentially vulnerable. This isn't the only time this happened either... The ffmpeg project discloses the vulnerabilities found on their website. Note some are worse than the one randomly picked above, and some are minor.

tldr; the player is an executable that can link to a library or have a library statically linked in. If a vulnerability is found in that library more than one player will be vulnerable. In the case of libavcodec which has a massive amount of use in the video player ecosystem, you'll have a viable method to execute your payload (without having to craft it to a specific media player, or even operating system).

Evan Carroll
  • 2,325
  • 4
  • 22
  • 29
  • 1
    In fact, it can [even be triggered by thumbnail previews](https://security.stackexchange.com/a/175389/106285) in some cases! – forest Aug 18 '22 at 03:46
0

Yes, it is possible. The video player may have a vulnerability that can be exploited via, i.e., a buffer overflow.

When the particular video file created by the hacker is played on that particular video player, the player will hang and the connection will be transferred to the host and the hacker can access your system remotely every time you are connected to the internet.

Mateen Ulhaq
  • 103
  • 3
-1

In point of fact, it's not only possible, but I can confirm that it exists "in the wild".

I just recently downloaded a "tv show" in .mp4 format, which contained a self-extracting/executing virus. When I played it (with VLC), it crapped out, and my AV presented an alert. Fortunately, my AV intervened and killed the "nasty", but only after it self extracted (and tried to execute).

A subsequent scan of a re-download of the .mp4 showed (and killed) an imbedded self-x.

Anders
  • 64,406
  • 24
  • 178
  • 215
Bob S.
  • 1
  • 1