Can a virus or malware be bundled with a non executable download?

1

Can a virus or malware be bundled with a non executable download?

For example, when choosing 'save link as' on an .mp3 or a .pdf file, is it possible for the download to include more than just the file?

Or are virus/malware only distributable through .exe files...

Jet Blue

Posted 2014-05-22T13:07:36.553

Reputation: 207

Question was closed 2014-05-22T22:17:42.990

possible duplicate of Can mp3 file contain a virus?, Can AVI files contain a virus?

– Ƭᴇcʜιᴇ007 – 2014-05-22T13:14:55.957

Yes; but if it does then the file is malicious and the content isn't actually real. – Ramhound – 2014-05-22T13:15:50.487

Thanks guys for all the info! @techie007 thanks for the link to the 'AVI question' lots of discussion over there. – Jet Blue – 2014-05-22T13:36:05.533

Answers

2

Short answer - YES a virus can be contained within another file type.

Files like JPG, MP3 etc all have to be opened and "read" by an executable. By "mal-forming" or injecting special code or data into these files, it can cause programs to fault or to execute code contained within the files - which can in turn cause other problems and give a gateway for a full on viral attack.

This example is a link to the Sophos website which discusses just such a virus which can be embedded and hidden in a picture file.

Getting back to the rest of your question, by simply "downloading an MP3" all you will normally get is the MP3 - but that doesn't mean it's not infected. Also, if you download items such as using the "save webpage" features in browsers, you will find the site's images etc. will also be downloaded - which may in turn contain viruses.

Fazer87

Posted 2014-05-22T13:07:36.553

Reputation: 11 177

Hmm... is it a lot of work to 'mal-form' a media file? That is, is it something someone can do easily for a lot of files, or is it so much work that it becomes a deterrent and only worth the effort for a couple of popular files? – Jet Blue – 2014-05-22T13:39:15.687

@JetBlue: Depends on the format itself and on the players/readers (and on the competence of their developers)... WMF was easy because it actually contained Windows graphics drawing commands, and Windows forgot to filter them correctly; JPEG or MP3 would be much harder, partly due to their (relative) simplicity. PDF is problematic -- it's a complex format and it allows embedded JS; both popular readers, Adobe's and Foxit's, have had dozens of bugs that could be exploited this way (many of them found in 2013, IIRC) despite Adobe's attempts to make Reader more resistant to such bugs. – user1686 – 2014-05-22T13:47:13.813

@JetBlue: e.g. search for "pdf calc.exe" (it's almost a tradition that these kinds of proof-of-concept exploits run calc.exe as a way of showing that they managed to get access to the OS). – user1686 – 2014-05-22T13:49:54.537

2

In a way, PDF documents are executable, due to the ability to embed JavaScript into the document. Microsoft Office documents are similar – they allow VBScript macros, which has allowed many "macro viruses" in the past.

In theory, such JavaScript or similar code should be "sandboxed", but in practice people find ways to escape it, sometimes by calling functions that were meant to be limited but aren't, sometimes by finding ways to overwrite the JavaScript interpreter's code.

Another possibility is a malformed file that tricks the reader into executing part of the document as code (this was a particularly huge problem with Adobe Reader just last year).

user1686

Posted 2014-05-22T13:07:36.553

Reputation: 283 655

1 Just a niggly annoying little thing.. Office uses VBA macros - not VBScript. Slightly different languages. Petty, I know - but as someone who works with these languages every day - I find it's an important distinction to make. – Fazer87 – 2014-05-22T13:32:59.443

1 Will stop ignoring those update prompts from Adobe haha – Jet Blue – 2014-05-22T14:59:07.817
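The embedded-JavaScript point in the answer above can be checked before a PDF is ever opened. The following is an added example, not part of the original thread: it counts the PDF name objects that mark scripts and auto-run actions in the raw file bytes, normalising the `#xx` hex escapes that PDF names allow. The function names and the sample byte strings are constructed for illustration.

```python
import re
from collections import Counter

# PDF name objects that indicate active content rather than static page data.
ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}

# A PDF name is "/" followed by characters up to the next whitespace or delimiter.
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def active_content(data: bytes) -> dict:
    """Return {name: count} for active-content names found in raw PDF bytes."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("no %PDF- header in the first 1024 bytes")
    names = (decode_name(m.group()) for m in _NAME_RE.finditer(data))
    return dict(Counter(n for n in names if n in ACTIVE_NAMES))


# Constructed samples: minimal object fragments, not complete documents.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ACTIVE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n"
)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("active", SAMPLE_ACTIVE)):
        hits = active_content(blob)
        print(f"{label}: {hits if hits else 'no active-content names'}")
```

Names stored inside compressed object streams are not visible to a raw scan like this, so an empty result does not show that a file is inert.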

-2

If a browser opens an HTTP connection to a web server and the response headers include the field Content-Type: audio/mpeg or Content-Type: application/pdf (for instance), the browser is going to interpret this content as an audio or PDF file. It is going to show downloaded content according to its configuration. If the user saves the files "as...", the browser is going to create a file on disk with that content. The browser won't download any other file than that, which is one of the questions here.

On the other hand, of course, a virus is nothing but a bunch of bytes, like any other piece of software expressed in machine code. Then any kind of file could have a virus inside. But under normal circumstances a computer isn't going to execute bytes from an MP3 or PDF file. Even if the virus code is inside that file, it's meaningless.

Finally, if an inexpert user reaches an HTML file, which in turn plays an MP3 file, he could think that using Save as... is going to save the MP3 file. But in fact it's going to save the HTML file. During that process the browser is going to save more than just one file.

drk.com.ar

Posted 2014-05-22T13:07:36.553

Reputation: 2 287

I am not 100% sure what I just read, but I am pretty sure it was wrong. – Austin T French – 2014-05-22T13:19:02.293

Maybe you would like to take a look now. And reconsider your qualification. – drk.com.ar – 2014-05-22T13:48:58.990

Significantly better, however it sounds more like you are describing vectors and social engineering. – Austin T French – 2014-05-22T13:57:17.393