Is it possible to trigger an antivirus program to alarm by playing a video? I don't want to run malware, I only want the AV to do something. Can I put EICAR in the metadata?

The video file shouldn't be corrupted.

Ernest Bredar
    Do you care whether the file is a *valid* video file? Because you could easily just put EICAR into a file with a .mp4 extension; it wouldn't be a valid MPEG-4 video file but it should trip your AV. – CBHacking May 20 '19 at 19:43
  • EICAR only works for a file that contains nothing but that string (ostensibly, at least). You can't just put it in the middle of a big video file and cause it to trigger AV. – forest May 21 '19 at 00:11
  • @CBHacking I'm sure it's possible to do it without EICAR. There are some strings (especially containing JS) which trigger most AV software no matter where they are in the file. People on IRC will occasionally post them in big channels when they are found which causes antivirus to delete people's log files. For a video, it would probably be enough to put it in the metadata which would allow the video to remain valid. – forest May 21 '19 at 00:12
  • @forest what about appending it ? – Overmind May 21 '19 at 07:36
  • @Overmind Oh yeah appending a signature would work, but not EICAR. – forest May 21 '19 at 07:37

1 Answer

It is possible for malware to be embedded in or disguised as a video file, but the effect of doing this depends on how the media player interprets the content.

Embedding hyperlinks in a video file is one possible type of attack.

A practical how-to example: ASF (Microsoft's Advanced Systems Format) allows simple script commands to be executed - "URLANDEXIT" is placed at address 0x1329-133B, followed by any URL. When this code executes, the user can be directed to download a dangerous file that can be masked as a plugin, update or codec and that the user is required to execute in order for the media file to play. At that point, the user gets compromised.

So to get an AV to trigger all you have to do is point that URL to a file (like EICAR) that is detected as a virus by your AV.

Examples of known cases by video format:

  • .asf - W32/GetCodec.worm - Infects .asf files to embed links to malicious files
  • .mov - crafted - Executes arbitrary code on the target user's system
  • .mov - crafted - Launches embedded hyperlinks to pornographic sites
  • .rm/.rmvb - crafted - Launches malicious web pages without prompting
  • .rmvb - W32/Realor.worm - Infects Real Media files to embed link to malicious sites
  • .swf - Exploit-SWF.c - Vulnerability in AVM2 "new function" opcode
  • .swf - Exploit-CVE-2007-0071 - Vulnerability in DefineSceneAndFrameLabelData
  • .swf - Exploit-CVE-2010-2885 - Vulnerability in ActionScript Virtual Machine
  • .swf - Exploit-CVE2010-3654 - Vulnerability in AVM2 MultiName button class
  • .wma/.wmv - Downloader-UA.b - Exploits flaw in Digital Rights Management

Overmind
  • Does the ASF bug still trigger an AV? – Ernest Bredar May 21 '19 at 11:37
  • It really depends on the AV capabilities and settings. It could trigger if the URL points to a dangerous .exe or when the URL is called, but it will certainly trigger when the target .exe is reached. – Overmind May 21 '19 at 11:57
  • Then I'll try tomorrow whether the AV triggers at the right point in time. – Ernest Bredar May 21 '19 at 13:49
  • In general AV does not download and scan content from the URLs seen in resources (there are many reasons), so I don't think this will work. – George Y. May 21 '19 at 20:49
  • True, only some deep analysis tools or specially configured AV modules do that. – Overmind May 22 '19 at 05:49
  • It didn't work. The URL "www.eicar.org/download/eicar.com" is too long. And VirusTotal says EICAR (as URL) is clean. – Ernest Bredar May 22 '19 at 11:22
  • VirusTotal does not check for that type of file. – Overmind May 23 '19 at 07:24
  • My goodness!!! I hope these flaws were fixed. This shows how important it is to also have a "misuse case" along with a "use case" when designing software. I hope the exploits listed here are exhaustive? Else I'd have to be wary of any video anyone gives me. I hope these don't pose much of a danger in Linux environments. – Nav Jul 21 '21 at 04:31
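A defender-side check for the ASF script commands the answer describes, added here as an example that is not from the original post: it walks the ASF Header Object, reads every entry of a Script Command Object, and surfaces commands of type URLANDEXIT or whose payload is a URL, which is what a media scanner would want to flag before a player acts on them. The object GUIDs are from the ASF specification; `sample_asf` builds a constructed, stream-less header purely as test input, and the URL in it is a placeholder.

```python
import struct
import uuid

# GUIDs from the ASF spec; on disk they use Microsoft's little-endian layout (uuid.bytes_le).
HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
SCRIPT_CMD_OBJECT = uuid.UUID("7BF875CE-468D-11D1-8D82-006097C9A2B2").bytes_le
SCRIPT_CMD_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6").bytes_le


def _utf16(data, pos, end):
    # WORD char count, then that many UTF-16LE code units (no terminator)
    (n,) = struct.unpack_from("<H", data, pos)
    stop = pos + 2 + 2 * n
    if stop > end:
        raise ValueError("string runs past its object")
    return data[pos + 2:stop].decode("utf-16-le"), stop


def _script_commands(data, pos, end):
    n_cmds, n_types = struct.unpack_from("<HH", data, pos + 16)  # skip reserved GUID
    pos, types, cmds = pos + 20, [], []
    for _ in range(n_types):  # command type table, e.g. "URLANDEXIT"
        name, pos = _utf16(data, pos, end)
        types.append(name)
    for _ in range(n_cmds):  # DWORD presentation time, WORD type index, then the name
        pres_ms, idx = struct.unpack_from("<IH", data, pos)
        name, pos = _utf16(data, pos + 6, end)
        cmds.append((pres_ms, types[idx] if idx < len(types) else "?", name))
    return cmds


def url_commands(data):
    """Return (time_ms, type, payload) for script commands that are URLANDEXIT or carry a URL."""
    if data[:16] != HEADER_OBJECT:
        raise ValueError("not an ASF file")
    hdr_size, n_objs = struct.unpack_from("<QI", data, 16)
    pos, found = 30, []  # GUID(16) + size(8) + count(4) + 2 reserved bytes
    for _ in range(n_objs):  # walk header sub-objects; ignore all but Script Command Objects
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > hdr_size:
            raise ValueError("malformed sub-object")
        if data[pos:pos + 16] == SCRIPT_CMD_OBJECT:
            found += _script_commands(data, pos + 24, pos + size)
        pos += size
    return [c for c in found
            if c[1].upper() == "URLANDEXIT" or c[2].lower().startswith(("http://", "https://"))]


def sample_asf(url="http://example.invalid/update.exe"):
    """Constructed test input (placeholder URL): a header with one Script Command Object, no streams."""
    u16 = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = SCRIPT_CMD_RESERVED + struct.pack("<HH", 1, 1) + u16("URLANDEXIT")
    body += struct.pack("<IH", 0, 0) + u16(url)
    obj = SCRIPT_CMD_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    return HEADER_OBJECT + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Running `url_commands(sample_asf())` returns the single URLANDEXIT entry; on a real file, read the header bytes with `open(path, "rb").read()` and pass them in.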