Even Flash Can Get Viruses
Mechel Conrad writes: "Heise Online (German) writes about a Virus called SWF/LFM-926.
It consists of a Macromedia Flash movie and seems to be the first of its kind.
It uses Flash's scripting language in order to open a debug terminal creating and executing a file called V.COM, which infests other .SWF Files.
Although the virus is not very dangerous and not widespread yet, it suggests clear security holes in Flash."
The translation of the Heise article is quite readable, too.
Update: 01/08 22:47 GMT by T : bdavenport adds: "this report on Yahoo lists a new Shockwave virus as low grade due to the need of manual downloading. infoworld is reporting that McAfee has upgraded to high risk after several Fortune 500 firms have reported it in the wild, arriving as an email attachment."
McAfee information is here
Looks like it isn't very likely to succeed - it needs Windows NT and the stand alone version of the flash player.
Just proof of concept really.
Hogsback
http://www.satirewire.com/news/0103/outlook.shtml
If you celebrate Xmas, befriend me (538
Could this be one of the first true cross platform viruses?
Things you think are in the Constitution, but are not.
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
The virus info from Sophos: http://www.sophos.com/virusinfo/analyses/swflfm926.html
----- The problem with browsing at +5 is that everyone thinks you're being redundant
Does this virus just spread? Maybe it's time for Macromedia to patch Flash, because more dangerous viruses may soon be on the way. And Flash is available for Linux too. Does this mean that Linux is equally supseptible (sp?)? I never even heard of or seen Macromedia Flash debugger. I thought Flash was just supposed to be an animation... huh. I guess viruses can seep from anywhere now.
Everything is mainstream now.
Just in case anybody reads the translation and wonders what the 'southwestern German broadcasting corporation' is about. It is just a mis-translation of SWF which used to be short for 'Suedwestfunk' (it doesn't exist any more, merged with another radio station). Of course in this case it just means the file extension of flash.
People can do some cool things with Flash, yes. They can also do many annoying things, and finally they can do some dangerous things, as evidenced by this article.
Yet another victory for Lynx users. When was the last time you heard of a terminal-based text-only browser bringing down a Unix system? ;)
Pain(n): when you're telnetting into a box doing somethin cool, and some luser calls for help with a 'critical error' ad
safe files: gif, jpg, txt, ...
unsafe files: vbs, exe, ...
I cannot comprehend the shift towards risk (macros in .doc, scripting in .swf). Programmers, please keep the documents straightforward and powerless. I guess no one cares.
I can understand (not condone) writing viruses/worms/trojans for getting access to a computer for other ends, but why create a virus for Flash? Infecting other Flash files seems pretty silly to me. The only reason I can think of is marketing or corporate sabotage for graphic designers.
Maybe it's just a case of "I can do it, so I must"? It's not like ActionScripting can be used in DoS attacks or to steal your credit card. Wouldn't you need a system to get the credit card number and another to actually send it somewhere?
I'm clueless here. Help me out.
This is why people that don't use standard tools (HTML and images) on their pages piss me off. Whenever you start using fancy scriptable stuff there exists the possibility for a security flaw.
We've seen it before and we'll see it again.
For this reason, please do the following:
DO NOT support sites that use Flash
DO NOT support sites that use Java
DO NOT support sites that use ECMAscript
DO NOT support sites that use Quicktime
And the same for other plugins! Plain HTML is the only safe alternative.
Dragging people kicking and screaming into reality since 1996.
This is the real one.
----- The problem with browsing at +5 is that everyone thinks you're being redundant
This pretty much shows that any type of program with a scripting language built in is prone to having viruses written for it. (word macros, VBS, etc...) It will be interesting to see what is done in the future to allow for the benefits of having scripting, but reducing the risks associated as well. A possible solution is simply reducing the power that scripting languages have, such as disabling file writing capabilities (although that's not really a legitimate solution, you see where I'm going with it...)
Once upon a time...
fortunately Linux/other non-windows non-x86 OS's can be infected
This is not the greatest sig in the world, no. This is just a tribute.
I truly don't feel bad for these companies at all, and I'm not blaming anything or anyone but when you start introducing scripting languages on top of a certain operating system you put yourself at danger. This will keep happening until people honestly start taking security seriously. I'm not trying to troll or shed bad light on Microsoft or Windows(tm) at all. I'm just stating the facts and calling the plays as I see them.
Flash allows creation of external files??? Isn't that kind of dangerous in and of itself, whether or not it's intended to do so? You'd think a standard flash plugin wouldn't be allowed to do anything but read and write to a limited area of the disk!
Here is a better article on the same virus. A must read, contains much more info than the linked article.
I know I've got that All Your Base swf sitting around.
Unlock it, put in the virus - and viola!
ALL YOUR WINDOWS BOX ARE BELONG TO US!!!
But seriously... XP is built on NT/2000... is this going to be another code red style worm?
Get your Unix fortune now!
One important thing to note on this webpage...we should add .swf to the extensions that we scan. Hopefully that will help protect us in the future of more dangerous flash viruses that are sure to come.
Has there ever been a Java applet virus? Java's very nice security / permissions model should theoretically make this impossible. However, considering that (1) that's only in theory, and (2) just about every browser implementation of Java is complete shit ... well, it could happen. Has it?
The infoworld article in the update is about something completely different from December 2000
Hogsback
The "update" link to infoworld is over a year old and refers to an email (OUTLOOK) spread virus that infects .swf files. People really should check out links before they post them.
Maybe Roscoe should keep a better eye on him. :-)
Please note that the infoworld story quoted at the end of the update has a dateline of December 1st. If that's not stale enough please note that the year on that timeline is 2000.
Rest of the information is timely, though.
Many virus scanners don't scan .swf files by default, so you have to update your virus signature file (which is automatic on most scanners) and reconfigure your scanner to scan .swf files (unless you already scan all files on your computer).
This means that if advanced .swf viruses are created, they could become a real problem
until system admins wake up and get a clue (and that takes a loooong time, look at Code Red)
RFC1925
{rant}
And you truly believe that plain, boring, run-of-the-mill HTML is what has brought grandma, grandpa, your niece, and Ubu the dog onto the internet?
High-level scripting languages like Flash, Java, JavaScript, etc., have brought the Internet into a "slicker" dimension... one that appeals to the masses rather than just technodweebs.
Ok, so you say: "Why do I care if they've made the Internet popular with the masses? Fsck 'em, the Internet is made for technodweebies like me anyways!"
Why do you think you can get broadband for $40/mo instead of having to get a T1 at $800/mo? Why do you think you can get $400 off your next computer when you sign up for online access? Why do you think computer prices are falling rapidly and performance is growing just as quick? None of that would be happening if computers, driven by the desire for the Internet, weren't booming.
{/rant}
MadCow
I used to have a sig, but I set it free and it never came back.
Us Linux users can enjoy a flashy virus for once. We need more cross platform stuff like this.
Sophos Anti-Virus warns about a new virus, which infects other files as a macromedia flash movie
and executes self-generated programs. The parasite, baptized "SWF/LFM-926", reaches computers as
SWF-file, and after being run, infects other Flash movies while displaying the message
"Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a
file V.COM, which gets executed afterwards without confirmation.
Sophos says that the virus wasn't yet spotted "in the wild" and therefore spreading. Nevertheless,
the manufacturer of Antivirus software warns about the potential danger which lurks in the
Flash format. The Sophos website provides detailed information about the parasite.
-- The plural of 'anecdote' is not 'data'.
fortune 500, you say? we have to act, act now! (I need caps: FORTUNE 500, YOU SAY? WE HAVE TO ACT, ACT NOW!
give me bongo
Holy Cow! I don't want a virus --- I have children, you know. What is the cure? Who makes the cure? Where can I get it, now?
Please, please help me.
Oh my if I download something and run it, it might be carrying a virus?
Ack who'd a thunk
"Not all chemicals are bad. Without chemicals such as hydrogen and oxygen, for example, there would be no way to m
The Heise Online article is available in English too: http://www.heise.de/english/newsticker/data/ray-08.01.02-003/
Lies, it's an NAI link!
i hate pansy republicans
actually, plain boring ascii pop3 email is what brought grandma, grandpa, my niece and Ubu the dog onto the internet.
The Web has long ceased to be a place of any interest for most people - at least outside of ebay.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Don't download and run files. If somebody gives you executable code, then consider whether you trust them.
Flash in a browser is safe. It's an entirely separate issue.
Just read the story, and think about what they're really trying to say.
Although the English pages don't carry that many news-items, you should definitely check it out. Heise is a great source for IT-related news.
Could this be the small start of multiplatform Viruses? Virus source code written and engineered to be Operating System independent is pretty deadly, depending on what the virus does. Imagine one virus rendering Windows XP, Sun Solaris 8, Red Hat Linux 7.1, AIX 5, MACOS X, HP-UX, and Irix unstable. Not trying to encourage any hackers here, but wouldn't Java be a very useful language to start developing multiplatform viruses in? Wondering. Also, has there been any attempt at coding a virus for any Anti-Virus software? Unfortunately, viruses are software technologies as well, and will keep on advancing.
Why is it that almost every system out there can get a virus? I'm under the opinion that it is the OS's fault, *nix, windows included.
The reason anything can get a virus is because programs still have direct control over the IP ( instruction pointer ). This is a fatal flaw found in most OS's. Programs should be run inside of a VM with tight security. Of course performance calls for some apps, especially servers to be run in compiled code, but this should not be the default. If such an app needs to be installed or run the OS should prompt the user warning them of such activity.
Another flaw is the fact that we are still using a basic file system. Whether it's fat32, ntfs, or ext2 it is still just placing a byte stream on a disk, managing the name, where it starts and where it ends. Lets evolve a little. The file system should be more like a database. It should be able attach any number of properties to a file. It should be able to manage security at any level, and it should be able to isolate files from process to process.
Imagine if when a program installs it has access to its portion of the file system and that is it. It couldn't see the rest if it wanted to. Installed programs could get quotas. They sure as hell wouldn't be able to start overwriting executables all over the place.
You could argue that good user level security could solve these problems, but it's obviously not enough since so many viruses simply find a way around it.
I could go on and on about how OS's treat applications wrong. But the main point is that they treat them like friends when they are really strangers. The answer is to take control away from the app, and put it back in the OS. Perl and Java are a good start ( since they are both interpreted in a way), but obviously more work needs to be done.
I guess this gives new meaning to the term "Getting Flashed."
(Insert various sexual innuendos here.)
Sorry, I just couldn't resist it.
For the last time....the plural of virus is virii, not viruses
the infoworld article refers to an executable that uses the macromedia logo, apparently a different virus than the swf one..
Yet another excuse to avoid those fussy, bloated, overrated flash sites.
That infoworld article has nothing to do with this virus. It's also 13 months old.
You guys really need to give a little more effort here sometimes. You are brash, act without any confirmation and show yourselves as totally incompetent. Can you get me a job there?
Build it; if it becomes popular enough, they will write a virus for it.
Let's all just unplug the computers and go back to cuneiform. I mean hey it's all about the information and not that fancy electronic wizardry. What next are you going to cut off your shirt buttons and build a barn.
The sites I go back to, I go back for the content. They are typically weblog/journals or actual information of some sort (reference, reviews, FAQs, whatever).
Flash in particular seems to coincide with either content-free sites, or incomprehensible "artistic" navigation. Java and Javascript I don't have a particular grudge against, apart from speed (Java) and security (Java and JavaScript) issues.
Anyway, I can't get broadband for $40/mo, and last time I looked, there was a fairly significant downturn in the last 18 months in the PC market.
"don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
...of something I've believed since I started using the Internet in the mid-80's.
Specifically: Why the frell do we even NEED Flash or its brethren in any case? It seems to exist solely to make pretty pictures, and spew forth alleged "music" or other SFX, and waste a lot of bandwidth in the process.
Remember: If you cannot manage your native language well enough to get a CLEAR message across to your site's visitors in plain ASCII text, then NO amount of flashing fonts, pretty colors, bandwidth-hungry animations, or silly sound effects is going to help you in the least.
Don't even get me started about how precious few web sites are even usable by those who are vision-impaired, and need to use a text-to-speech converter on their computer. How many sites are in blatant violation of ADA accessibility guidelines even as I write this?
Web designers, take note: Sites today have entirely too much fluff, and far too little in terms of USEFUL and EASILY READABLE content. Remember that "simple" is NOT a bad thing. This latest virus serves only to emphasize that point.
Bruce Lane, KC7GR,
Blue Feather Technologies
The linked article is about an 11-year-old virus called Flash. It's a "real" virus that infects MS-DOS .com and .exe files, not a script. Certainly not the Flash-infecting worm the thread is talking about.
Don't forget that Flash runs on Linux and Macs as well. With a little smarts, folks can write cross-platform viruses (if Flash can create a script file and arrange to have it executed by the user who is running the browser).
Anyone know whether the Linux Flash plugin is vulnerable to this attack?
What do you call a program that it's hard to avoid downloading, which is then impossible to get rid of, and plasters your browser with irritating messages and sounds you can't turn off?
Macromedia was recently informed of a potential issue with the standalone Macromedia Flash Player running on Microsoft Windows. This issue does not affect web content viewed in a browser. After testing by both Macromedia and Sophos Anti-virus, the company who initially reported this potential issue, Macromedia has found that this issue can only affect content that is sent via email or downloaded from a site and then run outside a browser. In either case, the content must be run in a Macromedia stand-alone Flash Player or associated Projector executable to represent a risk. This player is not installed by any browser installation, and is only installed with the Macromedia Flash authoring product. E-mail users should never open or download attachments or data unless they can be sure it is from a trusted source. Macromedia appreciates the work of Sophos in reporting this potential issue, and will be issuing a patch later this week; a fix will also be included in future versions of the product. For more information on the patch please visit: http://www.macromedia.com/support/flash/. Macromedia will continue to take potential security issues very seriously. Security issues concerning the Macromedia Flash player may be mailed to flashplayer_security@macromedia.com.
Pete Santangeli
Vice President of Engineering, Macromedia Inc.
"they" needs to be capitalized.
We all know who They are. We all understand that. No need to protect their so-called "innocence" by playing the pronoun game. They are making the viruses; They are bringing evil into our hearts; They are holding us down.
Protest against The Man, I will not let The Man hold me down!
It appears that the articles have not been read carefully. After comparing the three, there are two Flash virii being spread around.
Virus 1 (Conrad's submission) - SWF/LFM.926
...and after being run, infects other Flash movies while displaying the message "Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a file V.COM, which gets executed afterwards without confirmation. (German trans. - thanks entrox!!)
The virus, dubbed SWF/LFM.926...must be downloaded manually and cannot spread...over e-mail. (Yahoo)
Virus 2 (bdavenport's infoworld submission) - Creative.exe
The virus...arrives in an e-mail bearing the subject line, "A great shockwave flash movie."
The worm, which first appeared Thursday, is delivered to users in the form of an e-mail attachment that appears to be a Shockwave Media Player. When a user tries to view the movie attachment, the worm sends a copy of itself to all people in the address book of the user's Microsoft Outlook e-mail program, potentially clogging e-mail networks.
One reason the Creative.exe virus may be spreading so quickly is that it uses the Shockwave Flash movie icon. (Infoworld)
...but if you check the date of the Infoworld article, it's December 1, 2000.
From Symantec:
Discovered on: November 30, 2000
Due to a recent decrease in world-wide infections of this worm, SARC has decreased the threat level of this worm to 3 and removed it from the Top Threats list.
W32.Prolin.Worm uses Microsoft Outlook to email a copy of itself to everyone in the Outlook address book. The worm moves all .mp3, .jpg, and .zip files to the root folder. It renames each of these files and appends the following text to the extension of each file:
change atleast now to LINUX
Also Known As: TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A
So...Creative.exe is NOT a flash virus, and is old news, unrelated to SWF/LFM-926.
If I had a sig, this is where it would be.
Speech safe?!!!! Speech can transmit different airborn viruses as well. As for me I switch to using notepads only...
Flash/Java/WhizBang gimmicks are not what attracts 'normal' folks to the net. Flash doesn't work all that well across most people's links (there are still a very large number of people using 56k or less). Webpages that pop open dozens of advertisements as you try to leave their sphere of influence aren't likely to attract too many people either. Email and other person-to-person communications are what attract people. How many have relatives that only know how to use AOL and AIM? See!
It isn't too surprising to see a Flash virus appear. The current system just wasn't designed with security in mind. Nothing can ever be safe, but until there is a redesign of the way that your local system trusts 'tainted' input from the outside world there isn't the faintest glimmer of 'safe'.
HTML is 'pretty safe' because its purpose and capabilities are well defined. When you start tacking on things like Visual Basic and Flash you should expect trouble to be lurking just around the corner.
What's the solution? Don't participate in the multi-mediaizing of the net. Don't open ANY attachments and don't install stupid programs like Flash. Fill your webpages with content, not eye candy -- leave that to Hollywood.
Brian
Remember Lexington Green!
I would guess that the initial reports were simply proof of concept. It shows that something beyond what would be expected is possible. It proves that it is also possible to create something with a viral nature. From that point, it is simply a matter of devising a more... selective... payload. The advantage to infecting Flash files is that the format hadn't previously been considered a potential infection vector. It is (was) now a new way to attack your target - be that target a specific entity (individual, corporation, government, etc) or the world at large (glory seeking).
On the subject of proof-of-concept virus and trojans - I would argue that most virus / trojans in the wild are similar proof of concepts. They are attempts to shock the internet-using public and make them aware of their insecure environment. They do this by infecting hosts and then touching, but rarely damaging, data. It's a digital counting coup - "look at what I could have done if I had wanted to."
Of course, it also proves that you don't have to destroy data to gain notoriety. If you did, I wouldn't be surprised to see more damaging payloads.
The still-excellent l0pht once informed the world that Microsoft had a serious security problem in a product. MS responded with the famous "That vulnerability is purely theoretical.". So, l0pht released a real exploit for the vulnerability.
Apologies, it's hard to find the original links since l0pht got up in the morning, put on a suit, and became @stake
Hello. Wake up. Theoretical vulnerabilities become real, nasty, exploited vulnerabilities very fast. I assume you read comp.risks?
Looks like it isn't very likely to succeed
LOOKS LIKE? It's a done deal. Somebody has exploited a widely-distributed scripting engine. The people who did it as a "proof-of-concept" have proven that the interpreter for this language is wide-open and gagging for a jolly good rogering. I wonder how many unchecked buffers there are in that code. I wonder how it handles multi-byte characters. I desperately hope it wasn't written in C.
I sit here as a smug old Unix hacker, secure in the knowledge that lisp and Smalltalk programs are unlikely to be attacked in the same way that C programs are.
I'm also sure I'm wrong.
It never really occurred to me that Flash was insecure. I just knew that it sucked from the first time I heard about it. So I Just Said No.
I guess bullshit detectors really are a Good Thing. Everybody should get one.
You see, this isn't really just a Flash problem or a programming mistake. It's all just due to really stupid fundamental attitudes. An update from Macromedia will not solve the problem.
McAfee says the virus was discovered January 8, 2002.
Am I the only one to notice that the Infoworld article is dated December 1, 2000 4:24 pm PT?
I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
I've seen major problems with security in Macromedia Flash. Apparently someone was using a security bug in Macromedia software to run arbitrary programs.
Macromedia software wants to check the Macromedia web site for later versions. The communication software appeared to be the gateway for the attack. I reported this problem to Macromedia, but the company showed no interest.
A second problem with using Flash is that you give the URL of each of your customers to Macromedia. A third is that you have to post an advertisement for Macromedia that says "Download Flash if you don't have it". A fourth is that, if the user does not want to run Macromedia software, web sites using it are broken.
Bush's education improvements were
Is here.
While the same content in relatively plain and silent text is still effective, the extra features that Flash allows certainly add to the experience.
Rock on Tenacious D!
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Who's the goon that actually names these viruses? Is there some organization that categorizes and files them, or is it done by the antivirus companies (Symantec, McAfee, etc) that find them? I've never quite understood the odd names that are ascribed to them.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
virii isn't even a word....it's a poor attempt at pig latin mainly used by l33t script kiddies that failed English...
Read the article that someone else posted as a reply
Advanced users are users too!
Formats like Flash, Director, or Toolbook are fairly safe when run in a browser, but when run locally, most gain much more functionality, including the ability to execute arbitrary commands. Many people have the Flash Player plugin, but no standalone executable to open the files locally is supplied. 99% of all people that do have the standalone player are getting it from an installation of Macromedia Flash (the creation/editing application), and anyone else with a player isn't likely to have one that implements FSCommand calls, of which one of the functions is the ability to execute commands.
I registered my hate for Jon Katz
Great story... ack!! Ever heard of Buddy API?? For Macromedia Director??
And now we've got people shouting about proprietary bullshit?? Boycott macromedia huh?
.... rediculous
-da5id
This is no more a "virus" than rm -rf is a trojan.
Bowie J. Poag
First of all, this is a WINDOWS virus only!
It works because Flash, when played using the standalone projector that ships with the Flash authoring tool, has additional "rights" beyond what the plugin has. The plugin can't do jack.
So, basically, this virus can really only hurt particularly stupid Flash developers.
Anyways, how it works: first of all, the user created a little .COM file that would find and "infect" SWFs on the user's system. Then, they wrote a small program that would walk through that COM file and from it produce the ActionScript needed to recreate the file, character by character. i.e.
virus = chr(208) + chr(25) + chr(2);
Then, they opened up the Flash environment and started making the actual "virus"... The whole thing is based around the special FScommand action that is mostly unused in normal web-based SWFs. FScommand is used to "talk to" whatever environment the SWF is embedded in, whether that be a web page, VB app, whatever (remember Flash is an activeX control). There happens to be a couple of special FScommand options that are only available to the standalone player, namely, in our case, "exec". "exec" allows you to run arbitrary executables directly from Flash. The virus itself simply calls up an instance of command.com and has it echo the virus string to a file. In our case, V.COM. Then, it runs FSCommand again and runs the virus.
All in all, it's a cheap hack that requires waaay too much to work. It's a proof of concept that really can't get very far in the wild.
A|Q|U|A
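Added example, not part of any comment in this thread and not Macromedia or Sophos code: a triage scanner for the FSCommand "exec" mechanism described above, in the spirit of the comments about adding .swf to scanned extensions. It assumes the SWF file format's encoding of constant fscommand() calls as a GetURL action whose URL begins with "FSCommand:"; all function names and the sample movies are constructed for illustration.

```python
import struct
import zlib

TAG_END, TAG_SHOW_FRAME, TAG_DO_ACTION, TAG_DEFINE_SPRITE = 0, 1, 12, 39
ACTION_GET_URL = 0x83  # payload: UrlString NUL TargetString NUL

def swf_body(data):
    """Return the bytes after the 8-byte file header, inflating CWS files."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS file")

def skip_movie_header(body):
    """Length of the bit-packed frame RECT plus frame rate and frame count."""
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8 + 4

def iter_tags(buf, pos):
    """Yield (code, payload) per tag; stop at End or on a truncated tag."""
    while pos + 2 <= len(buf):
        (hdr,) = struct.unpack_from("<H", buf, pos)
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:  # long form: 32-bit length follows
            if pos + 4 > len(buf):
                return
            (length,) = struct.unpack_from("<I", buf, pos)
            pos += 4
        if code == TAG_END or pos + length > len(buf):
            return
        yield code, buf[pos:pos + length]
        pos += length

def iter_get_urls(actions):
    """Yield (url, target) for each constant GetURL action record."""
    pos = 0
    while pos < len(actions) and actions[pos] != 0:
        code = actions[pos]
        pos += 1
        if code < 0x80:  # short action, no payload
            continue
        if pos + 2 > len(actions):
            return
        (length,) = struct.unpack_from("<H", actions, pos)
        payload = actions[pos + 2:pos + 2 + length]
        pos += 2 + length
        parts = payload.split(b"\x00")
        if code == ACTION_GET_URL and len(parts) >= 2:
            yield parts[0].decode("latin-1"), parts[1].decode("latin-1")

def find_fscommands(data):
    """List (command, argument) for fscommand calls in frame and sprite
    actions. Button actions and the dynamic GetURL2 form are not covered."""
    body, hits = swf_body(data), []

    def walk(buf, start):
        for code, payload in iter_tags(buf, start):
            if code == TAG_DEFINE_SPRITE:
                walk(payload, 4)  # skip sprite id and frame count
            elif code == TAG_DO_ACTION:
                for url, target in iter_get_urls(payload):
                    if url.lower().startswith("fscommand:"):
                        hits.append((url[len("fscommand:"):], target))

    walk(body, skip_movie_header(body))
    return hits

def is_suspicious(data):
    """True when the movie asks the standalone player to run a program."""
    return any(cmd.lower() == "exec" for cmd, _ in find_fscommands(data))

# --- constructed test fixtures (not taken from any real sample) ---
def make_tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def get_url_action(url, target):
    payload = url.encode() + b"\x00" + target.encode() + b"\x00"
    return bytes([ACTION_GET_URL]) + struct.pack("<H", len(payload)) + payload

def build_sample(actions, compressed=False):
    """Minimal one-frame movie carrying the given action bytes."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)  # empty RECT, 12 fps, 1 frame
    body += make_tag(TAG_DO_ACTION, actions + b"\x00")
    body += make_tag(TAG_SHOW_FRAME, b"") + make_tag(TAG_END, b"")
    head = (b"CWS\x06" if compressed else b"FWS\x05") + struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)

if __name__ == "__main__":
    benign = build_sample(get_url_action("FSCommand:fullscreen", "true"))
    flagged = build_sample(get_url_action("FSCommand:exec", "PLACEHOLDER.EXE"), True)
    for name, movie in (("benign", benign), ("flagged", flagged)):
        print(name, find_fscommands(movie), is_suspicious(movie))
```

A hit means only that the movie requests "exec" from a standalone player or projector; the browser plugin ignores it, as several comments here point out.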
will this hamper his ability to run so fast?
Flash can only execute system commands in the stand-alone executable. Anybody can make an EXE that does worse... and if you're stupid enough to run an unknown EXE, then you don't deserve the computer that died because of it ('Virus' exe). The FSCommand in Flash (useable in the embedded SWF version we all see on web pages) can 'save' files - but they are only plain text files, and you can only save the name/value pairs that exist on the root timeline of the SWF (can anybody say - 'cookies' ???). Don't think that Macromedia was stupid enough to allow a virus like this. (Again - unless you're stupid enough to run an unknown exe!). What's wrong with the media today that they have to run bogus stories like this?? Did they even bother asking Macromedia if it was technically possible?? Bunch of morons. "Today on Virus Alert we've found out that a new Windows CE virus will make your PDA strangle you in your sleep..." Uhh... Ok.
A program that was made by an IDIOT.
The Infoworld story quoted is from December 2000 and is about a different Flash worm entirely ... This new Flash virus is quite different and isn't in the wild yet.
Stand down, nothing to see here, move along...
I am a leaf on the wind
... the first virus with a 'skip' option?
"Einstein argued that [...] God is not capricious or arbitrary. No such faith comforts the software engineer." ~ Brooks
The parent post listed 4 good reasons for NOT using Flash.
You are a stupid person, until(0). Do you know how I found out? I researched your stupidity by reading your previous posts, and discovered something interesting. You do not know how to spell the word "ridiculous." It's not just a typo, you consistently get it wrong. And it's a word you like to (ab)use a lot too.
You are a poor speller. No wonder the girls avoid you. Girls like guys who can spell, like me.
And did you know that you also abuse question marks? ?
And exclamation points too!
!Thou sucketh.
The reason the stand-alone Flash virus file is able to access CMD.EXE has nothing to do with any inherent security hole in the basic Flash player itself. The stand-alone file uses a fairly well known (in the Flash community) function that is only available in the stand-alone Flash player. In fact, Macromedia even has this function documented in their Flash support section. It's the "exec" command that takes an argument of the path to an application to execute.
This virus really has more to do with running an unknown executable than it does exploiting some kind of vulnerability in Flash. This is because any stand-alone Flash player file is an .exe, not a .swf. The stand-alone .exe is composed of 1) The .swf file that runs and 2) The entire Flash player itself (~2megs) in executable form. By including the entire player within the file, the bundled .swf can be run anywhere without any necessary previous installation.
What cracks me up personally is that the very possibility of a Flash virus has been discussed before on Flash community developer message boards. When the "exec" command for the stand-alone player was still undocumented and somebody posted about it (having "discovered" it somehow) there was quite a discussion about the new functionality uses. But, there was also some speculation on how it could be used for malicious purposes. This was around a year ago, IIRC.
Experts agree: everything is fine.
Here is an example of a Java Trojan, which needs to be run from the command line as an application (it won't run as an applet).
This exploit code can infect your computer with harmful executables that are sent via email attachments.
    public class ScaryTrojan {
        public static void main(String[] args) {
            try {
                // Only launches the locally installed Outlook client
                Runtime.getRuntime().exec("C:\\Program Files\\Microsoft Office\\Office\\OUTLOOK.EXE");
            }
            catch (Exception e) {;}
        }
    }
The plural of virus is viruses, NOT virii...
Look here for proof
This is possible only in Flash in the EXE form, or if you own the Flash authoring environment. I know because I've developed presentations professionally with Flash for EXE distribution, and understand exactly what 'loop hole' (which is just an added feature that lets Flash run programs when executed locally) was used. Since most people don't have the authoring environment, there is no more danger in this than any other foreign EXE you run.
:)
It will not work in a browser.
It will only work in Windows, and will only work if you're dumb enough to run unknown EXEs.
It's particularly stupid because it goes through the trouble of using the Flash projector to write and run the virus (using DOS's debug, I believe), when they could've just infected any old EXE with the same virus.
I know Flash isn't the most popular thing around here so feel free to mod my cowardly ass to hell
And to make sure we got the point, they'd make us run our programs on their input decks, which often had maliciously designed explorations of the limits of programs - what if the input field is missing, or too short, or too short by 1, or precisely as long as the maximum, or maximum+1, or way too long, or not a number, or a negative number, or had spaces in it, or had magic-looking values like 999 or 32767, or duplicated things that were supposed to be unique, or used values that weren't on the list of the-only-values-the-user-can-input. This was on Evil Mainframes with EBCDIC, so there are some modern forms of Bad Input that didn't exist (like backspaces or carriage returns in alphabetic fields ) but there were other evil things that could be done, like bogus punchcards, or characters that weren't from the 48-character character set the old printer supported or the 64-character set that the new one supported, or had data that ran into columns 73-80 which are only for sequence numbers. One of many annoying things about punchcard-oriented systems was that the edit-compile-run cycle was very slow, but it forced you to think very carefully about what you were doing. On the other hand, there are kinds of Bad Input that come from lots of experiments of throwing Nasty Looking Stuff into a program to see what it does that you wouldn't bother with on a punchcard system.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Look, if you're running a site like Joe Cartoon, that's a perfectly legitimate use for it. Unfortunately, too many 16-year kiddies hired by their uncles make it a mandatory part of the first page you see when you get to a website. That's the real problem. The majority of people in North America, let alone the rest of the planet, do *NOT* have broadband.
Maybe a successful Fuckwave Slash virus will get people to stop using it. Not that that's happened with Outlook. In linux, look in mozilla/plugins and/or /usr/lib/netscape/plugins and rename or remove ShockwaveFlash.class and libflashplayer.so to deactivate it.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
I agree that Usability and Accessibility are the 2 biggest problems on the WEB today but these are issues in how a web site is developed not what it is developed with. You can show me just as many bad Flash sites as I can show HTML sites. The solution is in the design and creation of the site. To say that the web sucks and it is all the fault of Flash puts you in the same category as Jakob Nielsen. And that is one place you don't want to be!!!!!
As a Flash programmer, I'm beginning to suspect that stories are posted here without any background verification or research. Many replies to this sensationalistic post offer criticisms of Flash while assuming a tone of expertise, all without even a glimmer of understanding about the basics of this technology. First of all, this "scripting engine" everyone's talking about is called the Flash player, which can exist as a plugin, or as a stand-alone executable. The scripting language is called Actionscript, and it's based on the ECMA-262 standard known as Javascript. The exploit uses a rarely-used feature called FSCommand, which allows the designer to control limited aspects of the Flash movie in a stand-alone executable player, NOT IN ANY BROWSER PLUGINS. For the sake of cutting through the thick hyperbole here, I'll repeat that again: this "virus" only works IF THE USER DOWNLOADS AND RUNS AN .EXE FILE, IT DOESN'T WORK THROUGH THE WEB BROWSER.
This virus only works through the following process:
1. He writes an ".fla" Flash source file with animation and scripting, compiles it into a browser-readable ".swf" file.
2. He compiles the .swf further into an ".exe" file by including the stand-alone player into the original .swf.
3. A user downloads the .EXE file and executes it. Whoever's naive enough to run an .exe email attachment is beyond the protection of anti-virus software.
This stuff is old news... Flash developers have achieved tricks with FSCommand that nobody's heard about outside of the Actionscript community, but they've never been exploitable to the extent of a real virus. The fact is that Flash cannot access system resources unless you're running it as an .exe executable file.
Seriously...it's been done. And Slashdot covered it.
What was the first macrovirus called? The Concept virus. I imagine that's not really a coincidence. It was proof that you can implement a fairly complex algorithm on a fairly simple system.
If viruses weren't so destructive, it'd be pretty darn impressive - and it probably is for the sociopaths who design viruses. It's like putting a 3-d rendering engine on a TI-85 calculator. As it is, I wish they'd just make the viruses and keep them to themselves as theoretical ideas except when they can serve some useful purpose.
So...how about some useful flash stuff? I'd like to see some of these fairly difficult ideas implemented in flash:
A 3-d polygon based fighting game
A C compiler (or some other high-level language compiler)
A database
An emulator of some old, archaic system
Those would be way more newsworthy than a virus, IMHO. Anybody heard of any of those in Flash?
Mod me down and I will become more powerful than you can possibly imagine!
On servers. Linux is just yet another UNIX variant.
These are on the biggest, most visible servers on the internet. If there is a break in on any of these servers, then everyone hears about it within minutes, and a patch is available in hours.
Microsoft initially denies the reports, while dozens of boxes are being hacked manually. After a couple of weeks of inattention, the hackers have written automated tools and given these to the script kiddies to play with. While other crackers write worms and viruses to exploit the holes. After several million boxes get infected, everyone downloads the updated virus definition files and the infection slows down. MS will rarely actually close a security hole, because most of these things are considered 'ease of use features' by the market droids.
That is why UNIX viruses, worms, and trojans are no more than a minor annoyance, while windows infections continuously bring the internet to its knees.
This will give you some idea of what the real virus looks like. Click Here
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I hope you're not sending film, electronics, etc. through the US post these days...
Plugins by design bypass your browser's security model. As an aside you may argue that it is therefore pointless to design secure browsers as long as you allow plugins. While plugins may have a builtin security model it is by definition proprietary and not subject to widespread review and oversight. It also means there will be lots of them so some will be more likely to compromise. Get used to it.
So if I understand this correctly, if you don't use .exe attachments and don't have the standalone player, then you should be safe?
A while ago I wrote a filter, which takes a flash exe, and strips out the flash player, leaving you with the .swf part. I did that, so that I could view those movies on Linux, but it should work for Windows systems, too. Usually there is no reason to include the flash player anyway - most people have the flash plugin already, and don't need yet another copy of the flash player.
Apologies for the really bad code (I don't actually know C), and the horrible formatting (the latter I blame on the slashdot lameness filter, though). You'll have to use "View Source" to look at it. :)
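Added example (not the poster's filter, whose code did not survive on this page, and not Macromedia's code): the same idea in Python for triage, locating the movie inside a projector .exe by its SWF header (signature, version byte, little-endian length) so it can be inspected without running the file, and flagging the FSCommand exec request described in the comments above. The exact "FSCommand:exec" string spelling, the version bound and the sample bytes are assumptions made for this example.

```python
import struct
import zlib

def carve_swf(blob):
    """Return (offset, uncompressed_swf) for the first plausible embedded movie, else None."""
    for sig in (b"FWS", b"CWS"):          # uncompressed / zlib-compressed SWF
        pos = blob.find(sig)
        while pos != -1:
            header = blob[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                length = struct.unpack("<I", header[4:8])[0]  # size once uncompressed
                if 1 <= version <= 50 and length >= 8:        # sanity bounds (assumed)
                    if sig == b"FWS" and pos + length <= len(blob):
                        return pos, blob[pos:pos + length]
                    if sig == b"CWS":
                        body = _inflate(blob[pos + 8:])
                        if body is not None and len(body) + 8 == length:
                            return pos, b"FWS" + header[3:8] + body
            pos = blob.find(sig, pos + 1)
    return None

def _inflate(data):
    """Decompress a zlib stream that may be followed by unrelated bytes."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return None

def uses_exec(swf):
    """Heuristic: does the movie carry the exec request string (assumed spelling)?"""
    return b"fscommand:exec" in swf.lower()

def sample_projector():
    """Constructed test input: fake player bytes + minimal fake movie + trailing bytes."""
    body = b"\x00" * 12 + b"FSCommand:exec\x00example.exe\x00"
    swf = b"FWS" + bytes([5]) + struct.pack("<I", 8 + len(body)) + body
    return b"MZ" + b"\x90" * 64 + swf + b"TRAILING"

if __name__ == "__main__":
    found = carve_swf(sample_projector())
    if found:
        offset, swf = found
        print(f"movie at offset {offset}, {len(swf)} bytes, exec request: {uses_exec(swf)}")
```

A hit from uses_exec is a reason to look closer, not a verdict: legitimate projector presentations use the same feature to launch local programs.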
Single White Female
. . . . we will have viruses that are something to look at, besides the HD lamp flashing wildly while the files are being deleted.
This message has been ROT-13 encrypted twice for higher security.
Actually, Dave Thomas did actually die.....this one is actually true http://biz.yahoo.com/apf/020108/obit_thomas_12.html
Viruses make their way through a lot of different programs today and it almost seems endless. I just got a question, who in the bloody *$#@ waste their time making these things anyway!? It's getting so widespread that pretty soon there's going to be a virus for my pants! Making a virus is just as pointless as making a bomb, what in your dirty soul makes it worth your while? It's so petty, it's like a bunch of children scrambling about making little virus programs, hehehehe! GET A LIFE! What makes you do this? Did Susie just reject you and you wanna get your revenge because you can't control your emotions, like a little girl (or worse yet, an n'sync fan). Oh well, you can do what you want, I'll DO something with my life.
My guess would be that they used the FSCommand.
What I'm wondering though is how they managed to actually create the .com file directly from Flash in the first place.
The FSCommand will allow you to execute an application, but you can't pass any parameters to it. (so you could run "format.exe" but not "format c:")
There is already a virus for your pants. You've gotta always wear a condom.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I just wish Macromedia provided a way to turn the damn things off short of removing the plug-in.
Reread that article. This time take it in.
That was a virus which propagated using a file purported (i.e. had a subject line and fake file extension) to be a SWF but was actually an ordinary virus (EXE/VBS/WhoCares). This new one is actually a SWF which can use the scripting features within the SWF viewer.
Apples and pears, mate. Consider yourself lucky you've been replied to not down-modded.
Phil
Keeping
A standalone executable can always do something malicious -- and that seems to be the issue with the Flash player as well. The reason I brought up applets is that they're supposed to run inside a high-security sandbox, which limits what the code can do. An applet, for example, would throw a security exception if you tried to feed it an example like yours with System.exec().
That is based on the assumption that the programmers want to create maximum-quality software. That's no way to sell software. If you sell something that works, you don't get repeat sales.
:)
I am no programmer, nor am I a salesperson. But I would think that the word-of-mouth praise and the critical acclaim "maximum-quality software" would receive would be far more beneficial to the business than sending out lame, buggy software that requires constant pricey upgrades. And before a wise-ass says, "MICROSOFT!," look at the sheer variety of software it sells. It can afford to make less-than-stellar software because its other lines of business can subsidize the sales that are lost to pissed-off customers who only buy a handful of their products.
I'm assuming you are being sarcastic with that, in which case, label me nit-picky.
"All mankind is at the mercy of a handful of neurotics". - Norman Douglas
And it's plain old boring HTML that still brings them online. The most visited sites don't use those bullshit technologies to tart up their sites. They have reasons that people go there, and it's not just to say "ooh, pretty".
Your argument is absurd. It's like claiming that a man pays to be with a whore because he admires her makeup.
Expanding a vast wasteland since 1996.
Consider yourself lucky you've been replied to not down-modded.
You pompous git. Learn to read yourself:
From the posted article:
"Update: 01/08 22:47 GMT by T: bdavenport adds: "this report on Yahoo lists a new Shockwave virus as low grade due to the need of manual downloading. infoworld is reporting that McAfee has upgraded to high risk after several Fortune 500 firms have reported it in the wild, arriving as an email attachment."
Note the article says Infoworld is reporting (present tense) that McAfee has upgraded to high risk, and links to an article over a year old.
The submitter and the /. editor made the mistake here, by thinking the Infoworld article was current. As I pointed out, in what I meant to be a humorous manner, it is not.
Stuff your fucking mod points up your too-tight ass, at the moment I am karma-capped.
Jeezus fucking christ.
I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
Honestly
who would have thought that a company who charges $200 for shareware would have trouble with hackers?
So /. adds to virus hysteria by claiming (mistakenly) that this has been called a "high-risk" virus, in distribution among the Fortune 500. The only poster who points out the mistake, instead of being up-modded for his obvious insight, is threatened with down-mode by a karma whore.
Quite amusing, especially since, judging by the email addresses, one of these guys is a wiccan and the other a satanist.
good one
Actually he's right. I misinterpreted him.
He _was_ actually pointing out the mistake, but I couldn't hear his sarcastic tone through this ASCII medium which we are forced to use.
I will admit I was slightly shocked by his reply at first, but when I'd read it all it was clear he had a right to be pissed off by my arrogant reply.
Oh, the 'wicca' reference in my name was a joke on the address of an ultra-lame karma-troll called "Lover's Arrival, The", from whom my nick is stolen too.
THL.
Keeping
You are quite right, and I apologise.
Your 'delivery' was perhaps too subtle, we work in a flawed medium. The information was all there in your post, it just required too much effort to put it all together and say "Aha!" as I was reading it. There needs to be a sarcasm tag in html...
I may be a pompous git (i.e. I _am_), but I sure as hell know when the other guy's argument's got me beat. Like now.
THL.
Keeping
Not a problem. I seldom get upmodded as funny when I expect to be, even when I know I've used an amusing turn of phrase, as my humor is usually delivered in a deadpan manner. "Pompous Git" (and the rest of my epithets) were as much a part of my sense of humor as my upset; while I am sure my upbraiding took you aback, I imagine a few others were amused. Nothing really against you. Jon Katz, on the other hand....
I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07