Can mp3s and video files be infected?


6 replies to this topic

#1 VaynardX

Posted 24 October 2010 - 08:03 PM

First of all, if I'm posting this on the wrong forum, please move it to the appropriate one. Second, as the topic implies, can malware attach itself to mp3 files or video files? And can jpegs or other photo containers be infected with malware too?


#2 Romeo29


Posted 24 October 2010 - 08:57 PM

Can a virus infect an mp3/video file?
No. Since mp3 or video files are not self-executing programs but just data files, even if a virus puts its code inside them, they would stay harmless. If a virus alters such a file, it will most likely get corrupted and will not play, or will only partially play, in your media player software.

Can someone make a virus look like an mp3/video file?
Yes. If you have chosen the option to hide file extensions for known file types in Windows Explorer, then Windows will not show the actual file extension. This is the default setting in Windows. You will see only the icon and file name (without any extension).
An attacker can rename a virus program, for example, malware.exe into Britney Spears.mp3.exe. Because of your Windows Explorer settings, you would only see Britney Spears.mp3. The attacker can also alter the file icon to look like a media file, such as a WinAmp file or WMP file. An unsuspecting user might double-click on this file to play the media file. But actually this would run the malware program and infection would start.

#3 VaynardX


Posted 25 October 2010 - 06:11 AM

^

Bingo, all the information I need. Thanks man. :thumbsup:

#4 Didier Stevens


Posted 25 October 2010 - 08:26 AM

In general, mp3 files can't be infected.
However, malicious mp3 files can be crafted to exploit specific vulnerabilities in media player applications, but these are rare and don't work anymore after the vulnerable media player has been patched.
So it is possible that a malicious mp3 file infects your computer by exploiting a vulnerability in your media player, but these mp3 files are not generic. They only work on specific media players and specific versions of these media players. That's why it is also important to keep your media players up-to-date.

For video files, it's a bit more risky, because there are so many different video-file formats.
In 2007, I analyzed malware that used embedded JavaScript in a QuickTime movie as an infection vector: P0wned by a QT movie
Since then, Apple has removed support for JavaScript in QuickTime, so this vector is neutralized.
But I'm sure that with all the video-formats out there, there are still formats around that support some kind of embedded executable code.

And like with mp3 files, video files can be crafted to exploit specific vulnerabilities in media players. Like this DivX player vulnerability for subtitles.

So to summarize, you shouldn't worry about malicious media files when you keep your media player updated. And if you still feel uncertain about some media files you have, play them in a sandboxed media player, or even better, don't play them at all.

Edited by Didier Stevens, 25 October 2010 - 08:30 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 quietman7


Posted 25 October 2010 - 09:14 AM

Some information to be aware of in regards to audio/music files:

Can I Get A Virus From An MP3 File?

Unfortunately, yes. Well, in a sense...Various forms of malware can be hidden in a supposed MP3 file, including worms, viruses, and trojan horses. The numerous person-to-person file sharers are breeding grounds for these undesirables so it's rather important to know and become familiar with the warning signs...


A bug in Microsoft’s flagship operating system software allows computer attackers to craft MP3 or WMA music files that give them control of listeners’ computers. Simply browsing to a Web page or folder where such an MP3 file is stored would be enough to invoke the malicious code, and allow an attacker to create, modify, or delete data on the victim’s computer...Victims need not be induced to play the infected music file to cause an attack. Because of the way Windows file Explorer reads the attribute information, simply hovering over an infected music file’s icon is enough to cause the buffer overrun. Accessing a folder where the file lives would also invoke the malicious program, as would visiting a Web site where the file is stored.

Music files can disguise hack attack

A buffer overflow vulnerability exists in the Microsoft Windows Shell. An attacker can exploit this vulnerability by enticing a victim to read a malicious email message, visit a malicious web page, or browse to a folder containing a malicious .MP3 or .WMA file. The attacker can then execute arbitrary code with the privileges of the victim.

CERT Advisory CA-2002-37 Buffer Overflow in Microsoft Windows Shell

McAfee reported that it's seen a huge spike in fake MP3 files spreading on peer-to-peer networks. Although the files have names that make them look like audio recordings, they're really Trojan horse programs that try to install a shoddy media player and adware on your computer...

users infected by fake Trojan MP3 files
Downloader-UA.h: fake music and video files

Windows users who download music files on peer-to-peer networks are at risk from new malware that inserts links to dangerous Web pages within ASF media files...it looks for MP3 or MP2 audio files, transcodes them to Microsoft's Windows Media Audio format, wraps them in an ASF container, and adds links to further copies of the malware, in the guise of a codec...The ".mp3" extension of the files is not modified, however, so victims may not immediately notice the change, according to Kaspersky Lab.

New worm transcodes MP3s to try to infect PCs
Trojan Attacks Multimedia Files

Kaspersky Lab...reports the detection of a malicious program that infects WMA audio files...The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension) and adds a marker with a link to an infected web page to the converted files.

Kaspersky Lab reports new worm that infects audio files

Various security scanners yielded results such as: nameofsong.mp3 Infected: Trojan-Downloader.WMA.GetCodec

Edited by quietman7, 25 October 2010 - 09:22 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Romeo29


Posted 25 October 2010 - 11:25 AM

Thanks for the information Didier Stevens and quietman7. More knowledge for me :thumbsup:

Am I right in thinking that the cases shown are cases of specially crafted media files that some attacker is distributing over a P2P network or a website? Can a malware program attach itself to a video file on my computer? For example, if I have a funny.asf video file on my infected computer, can it be modified to contain a copy of an active malware program, or just embedded links?

#7 quietman7


Posted 25 October 2010 - 01:27 PM

The Trojan converts MP2/MP3 files into WMA format so it can infect them. It does this by altering the header of an .ASF file by adding a special script. The mp3 file extension remains the same so users don't notice the files have been altered.

This article by Prevx offers a basic explanation: GetCodec.A says hello to multimedia files

Advanced Systems Format (ASF) files contain audio, video and arbitrary streams with other information and allow the creation of script streams with simple executable script commands which are embedded in the stream. For more specific information about ASF Files, scripts and how they are used with this infection, please refer to:

Edited by quietman7, 25 October 2010 - 01:34 PM.

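Added example (not part of any post in this thread): a small triage script for the two cases discussed above, the hidden double extension from post #2 and the `.mp3` file that is really an ASF container from posts #5 and #7. The function names, extension lists and finding labels are assumptions made for this example; the two GUIDs are the ASF Header Object and Script Command Object identifiers from the ASF specification, and the sample inputs are constructed.

```python
import os
import uuid

# ASF object GUIDs (from the ASF specification) in their on-disk byte order.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le
MEDIA_EXTS = {".mp3", ".mp2", ".wma", ".asf", ".avi", ".mov", ".jpg"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    if data.startswith(b"MZ"):
        return "pe"                      # Windows executable
    if data.startswith(ASF_HEADER):
        return "asf"                     # WMA/WMV/ASF container
    if data.startswith(b"ID3"):
        return "mpeg-audio"              # MP3 with an ID3v2 tag
    if len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mpeg-audio"              # bare MPEG audio frame sync
    return "unknown"

def triage(name, data):
    """Return findings for one file, given its name and first bytes."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    if ext in EXEC_EXTS and os.path.splitext(stem)[1] in MEDIA_EXTS:
        findings.append("double-extension")      # e.g. song.mp3.exe
    kind = sniff(data)
    if kind == "pe" and ext in MEDIA_EXTS:
        findings.append("executable-content")    # program renamed to a media name
    if kind == "asf" and ext in {".mp3", ".mp2"}:
        findings.append("asf-in-mp3")            # container swapped, name kept
    if kind == "asf" and ASF_SCRIPT_COMMAND in data:
        findings.append("asf-script-command")    # heuristic: review the script
    return findings

def triage_path(path, limit=1 << 20):
    """Triage a file on disk using only its first `limit` bytes."""
    with open(path, "rb") as fh:
        return triage(os.path.basename(path), fh.read(limit))

# Constructed sample inputs (only the relevant magic bytes, no real malware).
SAMPLES = {
    "Britney Spears.mp3.exe": b"MZ\x90\x00",
    "converted.mp3": ASF_HEADER + bytes(14) + ASF_SCRIPT_COMMAND + bytes(8),
    "clean.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x0a",
}
```

A script command object also appears in legitimate ASF files, so that finding is a lead for manual review rather than a verdict; the extension/content mismatch is the stronger signal.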



