Jump to content
Posted 13 September 2011 - 05:00 PM
Posted 15 September 2011 - 02:30 PM
Video files are not typically thought of as potentially malicious or infected file types, but it is possible for malware to be embedded in or disguised as a video file. Due to this common misconception, audio and video files are incredibly intriguing threat vectors for malware writers.
MP3 files are Moving Picture Experts Group Audio Layer 3 files. They are highly compressed audio tracks, and are very popular on the Internet. MP3 files are not programs, and viruses cannot infect them. This file type has the extension MP3.
MP4 (MPEG-4 Part 14) files are used to store digital video and audio streams defined by MPEG, but they can also be used to store other data to include subtitles and still images. Almost any type of file can contain viral/malicious code but only executable files can actually activate and spread the malware.
Malware writers have been known to use fake audio files and fake video codecs (as described here) which look legitimate but are actually Trojans in disguise. Some types of malware may even disguise itself by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension as shown here (click Figure 1 to enlarge). If you get a warning prior to playing a file indicating it has a different file extension than what it shows, this likely means the file is not actually an MP3 but disguised as one.
More often attackers tend to use exploits and vulnerabilities found in the Windows operating system and its applications to spread malware.
...a bug in FFMPEG – an open-source library that powers a wide range of media players, video converters and video rippers, can get you infected if you open the wrong file....bug resides in the libavcodec.dll library responsible for encoding, decoding and transcoding files from and to various formats. When a user tries to play a specially-crafted ASF, QuickTime (QT) or Windows Media Video (WMV) file, the local memory gets corrupted, which may allow execution of arbitrary code – a.k.a. “having malware installed on the fly.”...
Media players in personal computers have serious vulnerabilities that could allow online criminals to attach malicious code and infect computers...As a result, audio and video downloads can be turned into digital weapons that hackers could use to hijack or corrupt computers...
Trojan media files are increasingly employed as an infection vector, with attackers exploiting design issues or undocumented features in file formats. Modern media file formats allow for hyperlinks to be embedded inside and are frequently misused as a vehicle for web-centric attacks. Unlike the notorious history associated with executable, Microsoft Office, or PDF files, media files are often perceived as trustworthy by users. And malware authors have been quick to capitalize by using exploit-laden media files to propagate malware.
McAfee reported that it's seen a huge spike in fake MP3 files spreading on peer-to-peer networks. Although the files have names that make them look like audio recordings, they're really Trojan horse programs that try to install a shoddy media player and adware on your computer...
Kaspersky Lab...reports the detection of a malicious program that infects WMA audio files...The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension) and adds a marker with a link to an infected web page to the converted files.
A bug in Microsoft’s flagship operating system software allows computer attackers to craft MP3 or WMA music files that give them control of listeners’ computers. Simply browsing to a Web page or folder where such an MP3 file is stored would be enough to invoke the malicious code, and allow an attacker to create, modify, or delete data on the victim’s computer...Victims need not be induced to play the infected music file to cause an attack. Because of the way Windows file Explorer reads the attribute information, simply hovering over an infected music file’s icon is enough to cause the buffer overrun. Accessing a folder where the file lives would also invoke the malicious program, as would visiting a Web site where the file is stored.
This trojan, after it gets executed, enumerates all files inside the system looking for those files that have .MP2 .MP3 .WMA .WMV .ASF extensions. If a file with this criteria is found, then the malware checks if it's already infected or not by analyzing its ASF header...trojan alters the header of an .ASF file...by adding a special script that makes Windows Media Player connect to a specific website and download another malware disguised as a fake codec needed to play the multimedia file. If the trojan finds a file with .MP3 or .MP2 extension then it converts them to a .ASF format. After it converted the target multimedia file and left the extension and file name as the original one, the downloader script is added to the header of the .ASF file just created.
The malware has wormlike qualities. Once on a PC, it looks for MP3 or MP2 audio files, transcodes them to Microsoft's Windows Media Audio format, wraps them in an ASF container, and adds links to further copies of the malware, in the guise of a codec...The ".mp3" extension of the files is not modified, however, so victims may not immediately notice the change...
The Trojan basically uses legitimate multimedia functions...to do its dirty work. It preys on the Advanced Systems Format (ASF) file feature in MP3 and Windows Media Audio (WMA) music files as well as Windows Media Video (WMV) files...ASF lets you embed script commands in these file. “The attackers use that to inject their commands into all of your multimedia files...It also converts MP2 and MP3 files into WMA format so it can infect them.
0 members, 1 guests, 0 anonymous users