Even Flash Can Get Viruses
Mechel Conrad writes: "Heise Online(German) writes about a Virus called SWF/LFM-926.
It consists of a Macromedia Flash movie and seems to be the first of its kind.
It uses Flash's scripting language in order to open a debug terminal creating and executing a file called V.COM, which infests other .SWF Files.
Although the virus is not very dangerous and not widespread yet, it suggests clear security holes in Flash." The translation of the Heise article is quite readable, too. Update: 01/08 22:47 GMT by T: bdavenport adds: "this report on Yahoo lists a new Shockwave virus as low grade due to the need of manual downloading. InfoWorld is reporting that McAfee has upgraded to high risk after several Fortune 500 firms have reported it in the wild, arriving as an email attachment."
McAfee information is here
Looks like it isn't very likely to succeed - it needs Windows NT and the stand alone version of the flash player.
Just proof of concept really.
Hogsback
http://www.satirewire.com/news/0103/outlook.shtml
Could this be one of the first true cross platform viruses?
Things you think are in the Constitution, but are not.
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
The virus info from Sophos: http://www.sophos.com/virusinfo/analyses/swflfm926.html
----- The problem with browsing at +5 is that everyone thinks you're being redundant
Just in case anybody reads the translation and wonders what the 'southwestern German broadcasting corporation' is about. It is just a mis-translation of SWF which used to be short for 'Suedwestfunk' (it doesn't exist any more, merged with another radio station). Of course in this case it just means the file extension of flash.
I can understand (not condone) writing viruses/worms/trojans for getting access to a computer for other ends, but why create a virus for Flash? Infecting other Flash files seems pretty silly to me. The only reason I can think of is marketing or corporate sabotage for graphic designers.
Maybe it's just a case of "I can do it, so I must"? It's not like ActionScripting can be used in DoS attacks or to steal your credit card. Wouldn't you need a system to get the credit card number and another to actually send it somewhere?
I'm clueless here. Help me out.
This is the real one.
----- The problem with browsing at +5 is that everyone thinks you're being redundant
This pretty much shows that any type of program with a scripting language built in is prone to having viruses written for it (Word macros, VBS, etc...). It will be interesting to see what is done in the future to allow for the benefits of having scripting, but reducing the risks associated as well. A possible solution is simply reducing the power that scripting languages have, such as disabling file writing capabilities (although that's not really a legitimate solution, you see where I'm going with it...)
Once upon a time...
One important thing to note on this webpage... we should add .swf to the extensions that we scan. Hopefully that will help protect us in the future from more dangerous Flash viruses that are sure to come.
Has there ever been a Java applet virus? Java's very nice security / permissions model should theoretically make this impossible. However, considering that (1) that's only in theory, and (2) just about every browser implementation of Java is complete shit ... well, it could happen. Has it?
Please note that the infoworld story quoted at the end of the update has a dateline of December 1st. If that's not stale enough please note that the year on that timeline is 2000.
Rest of the information is timely, though.
Many virus scanners don't scan .swf files by default, so you have to update your virus signature file (which is automatic on most scanners) and reconfigure your scanner to scan .swf files (unless you already scan all files on your computer).
This means that if advanced .swf viruses are created, they could become a real problem until system admins wake up and get a clue (and that takes a loooong time, look at Code Red).
RFC1925
{rant}
And you truly believe that plain, boring, run-of-the-mill HTML is what has brought grandma, grandpa, your niece, and Ubu the dog onto the internet?
High-level scripting languages like Flash, Java, JavaScript, etc., have brought the Internet into a "slicker" dimension... one that appeals to the masses rather than just technodweebs.
Ok, so you say: "Why do I care if they've made the Internet popular with the masses? Fsck 'em, the Internet is made for technodweebies like me anyways!"
Why do you think you can get broadband for $40/mo instead of having to get a T1 at $800/mo? Why do you think you can get $400 off your next computer when you sign up for online access? Why do you think computer prices are falling rapidly and performance is growing just as quick? None of that would be happening if computers, driven by the desire for the Internet, weren't booming.
{/rant}
MadCow
I used to have a sig, but I set it free and it never came back.
Us Linux users can enjoy a flashy virus for once. We need more cross platform stuff like this.
Sophos Anti-Virus warns about a new virus, which infects other files as a Macromedia Flash movie and executes self-generated programs. The parasite, baptized "SWF/LFM-926", reaches computers as an SWF file, and after being run, infects other Flash movies while displaying the message "Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a file V.COM, which gets executed afterwards without confirmation.
Sophos says that the virus hasn't yet been spotted "in the wild" and therefore isn't spreading. Nevertheless, the manufacturer of antivirus software warns about the potential danger which lurks in the Flash format. The Sophos website provides detailed information about the parasite.
-- The plural of 'anecdote' is not 'data'.
actually, plain boring ascii pop3 email is what brought grandma, grandpa, my niece and Ubu the dog onto the internet.
The Web has long ceased to be a place of any interest for most people - at least outside of ebay.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Why are gif & jpg necessarily safe?
If there's a buffer overflow in the program rendering it, it could very well be an infectious file.
Could this be the small start of multiplatform viruses? Virus source code written and engineered to be operating system independent is pretty deadly, depending on what the virus does. Imagine one virus rendering Windows XP, Sun Solaris 8, Red Hat Linux 7.1, AIX 5, MacOS X, HP-UX, and Irix unstable. Not trying to encourage any hackers here, but wouldn't Java be a very useful language to start developing multiplatform viruses in? Wondering. Also, has there been any attempt at coding a virus for any anti-virus software? Unfortunately, viruses are software technologies as well, and will keep on advancing.
Why is it that almost every system out there can get a virus? I'm under the opinion that it is the OS's fault, *nix, windows included.
The reason anything can get a virus is because programs still have direct control over the IP (instruction pointer). This is a fatal flaw found in most OS's. Programs should be run inside of a VM with tight security. Of course performance calls for some apps, especially servers, to be run as compiled code, but this should not be the default. If such an app needs to be installed or run, the OS should prompt the user, warning them of such activity.
Another flaw is the fact that we are still using a basic file system. Whether it's FAT32, NTFS, or ext2, it is still just placing a byte stream on a disk, managing the name, where it starts and where it ends. Let's evolve a little. The file system should be more like a database. It should be able to attach any number of properties to a file. It should be able to manage security at any level, and it should be able to isolate files from process to process.
Imagine if when a program installs it has access to its portion of the file system and that is it. It couldn't see the rest if it wanted to. Installed programs could get quotas. They sure as hell wouldn't be able to start overwriting executables all over the place.
You could argue that good user level security could solve these problems, but it's obviously not enough since so many viruses simply find a way around it.
I could go on and on about how OS's treat applications wrong. But the main point is that they treat them like friends when they are really strangers. The answer is to take control away from the app, and put it back in the OS. Perl and Java are a good start (since they are both interpreted in a way), but obviously more work needs to be done.
That infoworld article has nothing to do with this virus. It's also 13 months old.
You guys really need to give a little more effort here sometimes. You are brash, act without any confirmation and show yourselves as totally incompetent. Can you get me a job there?
Build it; if it becomes popular enough, they will write a virus for it.
The sites I go back to, I go back for the content. They are typically weblog/journals or actual information of some sort (reference, reviews, FAQs, whatever).
Flash in particular seems to coincide with either content-free sites, or incomprehensible "artistic" navigation. Java and Javascript I don't have a particular grudge against, apart from speed (Java) and security (Java and JavaScript) issues.
Anyway, I can't get broadband for $40/mo, and last time I looked, there was a fairly significant downturn in the last 18 months in the PC market.
"don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
...of something I've believed since I started using the Internet in the mid-80's.
Specifically: Why the frell do we even NEED Flash or its brethren in any case? It seems to exist solely to make pretty pictures, and spew forth alleged "music" or other SFX, and waste a lot of bandwidth in the process.
Remember: If you cannot manage your native language well enough to get a CLEAR message across to your site's visitors in plain ASCII text, then NO amount of flashing fonts, pretty colors, bandwidth-hungry animations, or silly sound effects is going to help you in the least.
Don't even get me started about how precious few web sites are even usable by those who are vision-impaired, and need to use a text-to-speech converter on their computer. How many sites are in blatant violation of ADA accessibility guidelines even as I write this?
Web designers, take note: Sites today have entirely too much fluff, and far too little in terms of USEFUL and EASILY READABLE content. Remember that "simple" is NOT a bad thing. This latest virus serves only to emphasize that point.
Bruce Lane, KC7GR,
Blue Feather Technologies
Don't forget that Flash runs on Linux and Macs as well. With a little smarts, folks can write cross-platform viruses (if Flash can create a script file and arrange to have it executed by the user who is running the browser).
Anyone know whether the Linux Flash plugin is vulnerable to this attack?
"they" needs to be capitalized.
We all know who They are. We all understand that. No need to protect their so-called "innocence" by playing the pronoun game. They are making the viruses; They are bringing evil into our hearts; They are holding us down.
Protest against The Man, I will not let The Man hold me down!
It appears that the articles have not been read carefully. After comparing the three, there are two Flash virii being spread around.
Virus 1 (Conrad's submission) - SWF/LFM.926
...and after being run, infects other Flash movies while displaying the message "Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a file V.COM, which gets executed afterwards without confirmation. (German trans. - thanks entrox!!)
The virus, dubbed SWF/LFM.926...must be downloaded manually and cannot spread...over e-mail. (Yahoo)
Virus 2 (bdavenport's infoworld submission) - Creative.exe
...but if you check the date of the Infoworld article, it's December 1, 2000.
The virus...arrives in an e-mail bearing the subject line, "A great shockwave flash movie."
The worm, which first appeared Thursday, is delivered to users in the form of an e-mail attachment that appears to be a Shockwave Media Player. When a user tries to view the movie attachment, the worm sends a copy of itself to all people in the address book of the user's Microsoft Outlook e-mail program, potentially clogging e-mail networks.
One reason the Creative.exe virus may be spreading so quickly is that it uses the Shockwave Flash movie icon. (Infoworld)
From Symantec:
Discovered on: November 30, 2000
Also Known As: TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A
Due to a recent decrease in world-wide infections of this worm, SARC has decreased the threat level of this worm to 3 and removed it from the Top Threats list.
W32.Prolin.Worm uses Microsoft Outlook to email a copy of itself to everyone in the Outlook address book. The worm moves all .mp3, .jpg, and .zip files to the root folder. It renames each of these files and appends the following text to the extension of each file:
So...Creative.exe is NOT a flash virus, and is old news, unrelated to SWF/LFM-926.
If I had a sig, this is where it would be.
change at least now to LINUX
The difference is that those are static formats that don't run any code (at least if you believe in the difference between code and data).
Additionally there are quite some different GIF and JPG parsers out there, but the number of useful Flash players is rather limited (1 comes to my mind). So if you'd be able to make a GIF file that runs arbitrary code on the machine that views it, it would most probably be targeted only on this GIF-reader software (and this version, and this platform, and ...).
And I think the checks for malformed GIFs and JPEGs are rather strict in most image-loading libraries, 'cause defective GIFs and JPEGs are known to exist.
I would guess that the initial reports were simply proof of concept. It shows that something beyond what would be expected is possible. It proves that it is also possible to create something with a viral nature. From that point, it is simply a matter of devising a more... selective... payload. The advantage to infecting Flash files is that the format hadn't previously been considered a potential infection vector. It is (was) now a new way to attack your target - be that target a specific entity (individual, corporation, government, etc) or the world at large (glory seeking).
On the subject of proof-of-concept viruses and trojans - I would argue that most viruses / trojans in the wild are similar proofs of concept. They are attempts to shock the internet-using public and make them aware of their insecure environment. They do this by infecting hosts and then touching, but rarely damaging, data. It's a digital counting coup - "look at what I could have done if I had wanted to."
Of course, it also proves that you don't have to destroy data to gain notoriety. If you did, I wouldn't be surprised to see more damaging payloads.
The still-excellent l0pht once informed the world that Microsoft had a serious security problem in a product. MS responded with the famous "That vulnerability is purely theoretical." So, l0pht released a real exploit for the vulnerability.
Apologies, it's hard to find the original links since l0pht got up in the morning, put on a suit, and became @stake
Hello. Wake up. Theoretical vulnerabilities become real, nasty, exploited vulnerabilities very fast. I assume you read comp.risks?
Looks like it isn't very likely to succeed
LOOKS LIKE? It's a done deal. Somebody has exploited a widely-distributed scripting engine. The people who did it as a "proof-of-concept" have proven that the interpreter for this language is wide-open and gagging for a jolly good rogering. I wonder how many unchecked buffers there are in that code. I wonder how it handles multi-byte characters. I desperately hope it wasn't written in C.
I sit here as a smug old Unix hacker, secure in the knowledge that lisp and Smalltalk programs are unlikely to be attacked in the same way that C programs are.
I'm also sure I'm wrong.
Flamebait? Fuck I should go for broke!
Someone please tell me what is wrong with the uber-parent post?
Slowly I lose my karma.
Get your Unix fortune now!
Who's the goon that actually names these viruses? Is there some organization that categorizes and files them, or is it done by the antivirus companies (Symantec, McAfee, etc) that find them? I've never quite understood the odd names that are ascribed to them.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Formats like Flash, Director, or Toolbook are fairly safe when run in a browser, but when run locally, most gain much more functionality, including the ability to execute arbitrary commands. Many people have the Flash Player plugin, but no standalone executable to open the files locally is supplied. 99% of all people that do have the standalone player are getting it from an installation of Macromedia Flash (the creation/editing application), and anyone else with a player isn't likely to have one that implements FSCommand calls, of which one of the functions is the ability to execute commands.
I registered my hate for Jon Katz
Troll? WTF is going on today... kill those moders.
Get your Unix fortune now!
This is no more a "virus" than rm -rf is a trojan.
Bowie J. Poag
will this hamper his ability to run so fast?
Flash can only execute system commands in the stand-alone executable. Anybody can make an EXE that does worse... and if you're stupid enough to run an unknown EXE, then you don't deserve the computer that died because of it ('Virus' exe). The FSCommand in Flash (usable in the embedded SWF version we all see on web pages) can 'save' files - but they are only plain text files, and you can only save the name/value pairs that exist on the root timeline of the SWF (can anybody say - 'cookies' ???). Don't think that Macromedia was stupid enough to allow a virus like this. (Again - unless you're stupid enough to run an unknown exe!). What's wrong with the media today that they have to run bogus stories like this?? Did they even bother asking Macromedia if it was technically possible?? Bunch of morons. "Today on Virus Alert we've found out that a new Windows CE virus will make your PDA strangle you in your sleep..." Uhh... Ok.
The Infoworld story quoted is from December 2000 and is about a different Flash worm entirely ... This new Flash virus is quite different and isn't in the wild yet.
Stand down, nothing to see here, move along...
I am a leaf on the wind
The reason the stand-alone Flash virus file is able to access CMD.EXE has nothing to do with any inherent security hole in the basic Flash player itself. The stand-alone file uses a fairly well known (in the Flash community) function that is only available in the stand-alone Flash player. In fact, Macromedia even has this function documented in their Flash support section. It's the "exec" command that takes an argument of the path to an application to execute.
This virus really has more to do with running an unknown executable than it does exploiting some kind of vulnerability in Flash. This is because any stand-alone Flash player file is an .exe, not a .swf. The stand-alone .exe is composed of 1) the .swf file that runs and 2) the entire Flash player itself (~2 megs) in executable form. By including the entire player within the file, the bundled .swf can be run anywhere without any necessary previous installation.
What cracks me up personally is that the very possibility of a Flash virus has been discussed before on Flash community developer message boards. When the "exec" command for the stand-alone player was still undocumented and somebody posted about it (having "discovered" it somehow) there was quite a discussion about the new functionality uses. But, there was also some speculation on how it could be used for malicious purposes. This was around a year ago, IIRC.
Experts agree: everything is fine.
Here is an example of a Java Trojan, which needs to be run from the command line as an application (it won't run as an applet).
This exploit code can infect your computer with harmful executables that are sent via email attachments.
public class ScaryTrojan {
    public static void main(String[] args) {
        try {
            // The entire "payload": launch an external program from the application.
            Runtime.getRuntime().exec("C:\\Program Files\\Microsoft Office\\Office\\OUTLOOK.EXE");
        }
        catch (Exception e) {
            // Swallow any failure to launch; nothing else is done.
        }
    }
}
And to make sure we got the point, they'd make us run our programs on their input decks, which often had maliciously designed explorations of the limits of programs - what if the input field is missing, or too short, or too short by 1, or precisely as long as the maximum, or maximum+1, or way too long, or not a number, or a negative number, or had spaces in it, or had magic-looking values like 999 or 32767, or duplicated things that were supposed to be unique, or used values that weren't on the list of the-only-values-the-user-can-input. This was on Evil Mainframes with EBCDIC, so there are some modern forms of Bad Input that didn't exist (like backspaces or carriage returns in alphabetic fields ) but there were other evil things that could be done, like bogus punchcards, or characters that weren't from the 48-character character set the old printer supported or the 64-character set that the new one supported, or had data that ran into columns 73-80 which are only for sequence numbers. One of many annoying things about punchcard-oriented systems was that the edit-compile-run cycle was very slow, but it forced you to think very carefully about what you were doing. On the other hand, there are kinds of Bad Input that come from lots of experiments of throwing Nasty Looking Stuff into a program to see what it does that you wouldn't bother with on a punchcard system.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The bottom line is that Flash is not an effective tool for creating websites. This is what HTML was designed for. With Flash, there are two things that particularly get my goat:
- you can't right-click a link and open it in the background (as I do often with Opera), in order to check out several areas of the site at once. This may sound like something that broadband users would complain about the most, because they can load several pages in parallel quickly, but actually it's something that I find not only helpful for efficiency, but necessary for my sanity as a dialup user, because if I had to click every page in serial I would spend so long waiting for the single page I can view to load that I'd stop using the internet altogether
- the second thing is that Flash sites are typically rendered at 640x480 or 800x600 to cater for users with low-end monitors, and cannot be resized (afaik, ianal, blah blah) because a Flash file is effectively a bunch of raster images bunged together. This means that this stupid little website is sitting in the middle of my 1152x864 screen, with an enormous blank space around it. Some people even do this with html for some completely unknown reason; for a good example of a site that uses both Pointless Flash(TM) for a Pointless Entrypage(TM) and Huge Blank Spaces(TM) check out the personal website of someone I don't like very much. I'm sure those people with 21" monitors and 2080x1024 screen resolutions know far better than I what I am talking about
To be fair, there are sites that use Flash as a banner animation at the top, and it doesn't get in the way and is merely decorative, and that's fine, it's attractive and enhances the site. A good example of this is NZ Gamer Forums, and an example of a site that is annoying in its use of a complete Flash "gui" is its parent site. Yes, it's well-laid out and attractive, but just for starters, try entering your name into the "username" section. If you touch-type like I do, you'll very quickly get over how the animations when you enter a character are neat, and pretty quickly discover how they're very irritating. The sounds, too, are annoying to me. Basically, I think this website could have been made to look similar simply using HTML, and it would have loaded far more quickly (it took a good three minutes to load on my 56k--more than I'm normally willing to wait). The Forums are an example of Flash used in moderation, and JavaScript used in debatable moderation. I have no problem with it; it does add to the site having those tables light up blue, but it's also not particularly necessary. Mostly the site is very usable, and while there are a lot of images, it doesn't take a hugely long time to load. I think the person who designed the gamer.net.nz site and subsites needs a lesson in accessibility, because his sites are great if you can run Flash and feel like waiting for all the images to load, but get a browser like Opera 6, assume you don't have the flash plugin, and disable images so it loads faster, and you'll get a broken frontpage, and semi-broken threads in the forums because you have to use the horizontal scroll so much--the only thing this guy knows how to do is eye-candy.
The only real gripe I have against JavaScript is the open() function. A lot of people seem to think it's a really great idea to have links open in a new window using this function. I'm all for opening in a new window; I do it on my site all the time--and you'll notice I use basic JavaScript for the image rollovers in the title, because they markedly add to the visual effect of the site without increasing much in the download time. But hey, there's already this great attribute called "target" in the <a> tag! Use it! I loathe sites where I right-click, open a window in the background without checking its exact href in the status bar of my browser, and going back to it a few seconds later expecting it to have loaded and finding a blank page with "javascript:open(window.crap)" in the address bar.
Just my little rant. Please mod down accordingly.
A word can paint a thousand pictures
As a Flash programmer, I'm beginning to suspect that stories are posted here without any background verification or research. Many replies to this sensationalistic post offer criticisms of Flash while assuming a tone of expertise, all without even a glimmer of understanding about the basics of this technology. First of all, this "scripting engine" everyone's talking about is called the Flash player, which can exist as a plugin, or as a stand-alone executable. The scripting language is called Actionscript, and it's based on the ECMA-262 standard known as Javascript. The exploit uses a rarely-used feature called FSCommand, which allows the designer to control limited aspects of the Flash movie in a stand-alone executable player, NOT IN ANY BROWSER PLUGINS. For the sake of cutting through the thick hyperbole here, I'll repeat that again: this "virus" only works IF THE USER DOWNLOADS AND RUNS AN .EXE FILE, IT DOESN'T WORK THROUGH THE WEB BROWSER.
This virus only works through the following process:
1. He writes an ".fla" Flash source file with animation and scripting, compiles it into a browser-readable ".swf" file.
2. He compiles the .swf further into an ".exe" file by including the stand-alone player into the original .swf.
3. A user downloads the .EXE file and executes it. Whoever's naive enough to run an .exe email attachment is beyond the protection of anti-virus software.
This stuff is old news... Flash developers have achieved tricks with FSCommand that nobody's heard about outside of the Actionscript community, but they've never been exploitable to the extent of a real virus. The fact is that Flash cannot access system resources unless you're running it as an .exe executable file.
Seriously... it's been done. And Slashdot covered it.
What was the first macro virus called? The Concept virus. I imagine that's not really a coincidence. It was proof that you can implement a fairly complex algorithm on a fairly simple system.
If viruses weren't so destructive, it'd be pretty darn impressive - and it probably is for the sociopaths who design viruses. It's like putting a 3-d rendering engine on a TI-85 calculator. As it is, I wish they'd just make the viruses and keep them to themselves as theoretical ideas except when they can serve some useful purpose.
So...how about some useful flash stuff? I'd like to see some of these fairly difficult ideas implemented in flash:
A 3-d polygon based fighting game
A C compiler (or some other high-level language compiler)
A database
An emulator of some old, archaic system
Those would be way more newsworthy than a virus, IMHO. Anybody heard of any of those in Flash?
Mod me down and I will become more powerful than you can possibly imagine!
This will give you some idea of what the real virus looks like. Click Here
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
So if I understand this correctly, if you don't use .exe attachments and don't have the standalone player, then you should be safe?
A while ago I wrote a filter, which takes a flash exe, and strips out the flash player, leaving you with the .swf part. I did that, so that I could view those movies on Linux, but it should work for Windows systems, too. Usually there is no reason to include the flash player anyway - most people have the flash plugin already, and don't need yet another copy of the flash player.
Apologies for the really bad code (I don't actually know C), and the horrible formatting (the latter I blame on the slashdot lameness filter, though). You'll have to use "View Source" to look at it. :)
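The poster's own filter is not reproduced on the page (it sits behind "View Source"), so here is an added, stand-alone example of the same idea, written for this thread rather than taken from the poster or from Macromedia. It locates the .swf part inside a larger blob by parsing the documented SWF header: a three-byte signature ("FWS" for a stored body, "CWS" for a zlib-compressed body), a version byte, and a little-endian 32-bit uncompressed length that covers the whole file. A chance "FWS" or "CWS" byte sequence inside the player stub is rejected because its length field does not agree with the bytes that follow. The projector layout used in the sample input (an opaque stub, then the movie, then trailer bytes) is a constructed stand-in, not the real player binary. Because the check keys on content rather than the file name, the same routine also serves the earlier point about scanners that skip .swf by extension: it tells you whether a file of any name carries a Flash movie that is worth handing to the scanner.

```python
import struct
import zlib

SWF_HEADER_LEN = 8  # signature (3 bytes) + version (1) + uncompressed length (4, little endian)


def parse_swf_header(data, offset=0):
    """Parse the SWF header at `offset`.

    Returns (signature, version, declared_length), or None when the bytes do
    not start with "FWS" (stored body) or "CWS" (zlib-compressed body).
    declared_length is the uncompressed size of the whole file, header included.
    """
    hdr = data[offset:offset + SWF_HEADER_LEN]
    if len(hdr) < SWF_HEADER_LEN or hdr[:3] not in (b"FWS", b"CWS"):
        return None
    (length,) = struct.unpack("<I", hdr[4:8])
    return hdr[:3].decode("ascii"), hdr[3], length


def swf_payload_at(data, offset):
    """Return the SWF (header + body) starting at `offset`, or None when the
    header is not backed by a consistent body. That consistency check is what
    discards signatures that occur by chance inside the surrounding stub."""
    parsed = parse_swf_header(data, offset)
    if parsed is None or parsed[2] < SWF_HEADER_LEN:
        return None
    sig, _version, length = parsed
    body_start = offset + SWF_HEADER_LEN
    if sig == "FWS":
        # Stored body: the declared length must fit inside the remaining bytes.
        if offset + length > len(data):
            return None
        return data[offset:offset + length]
    # Compressed body: the zlib stream must be complete and must inflate to
    # exactly declared_length - header; unused_data marks where it ended.
    d = zlib.decompressobj()
    try:
        inflated = d.decompress(data[body_start:])
    except zlib.error:
        return None
    if not d.eof or len(inflated) != length - SWF_HEADER_LEN:
        return None
    consumed = len(data) - body_start - len(d.unused_data)
    return data[offset:body_start + consumed]


def find_swfs(data):
    """Return [(offset, swf_bytes), ...] for every validated SWF in `data`."""
    found, pos = [], 0
    while True:
        hits = [i for i in (data.find(b"FWS", pos), data.find(b"CWS", pos)) if i != -1]
        if not hits:
            return found
        pos = min(hits)
        payload = swf_payload_at(data, pos)
        if payload is None:
            pos += 1          # decoy signature; keep scanning
            continue
        found.append((pos, payload))
        pos += len(payload)


def minimal_swf(compressed):
    """Constructed test input: the smallest valid movie (zero-size stage,
    12 fps, one frame, an End tag) in stored or compressed form."""
    body = (b"\x00"         # RECT with Nbits = 0
            + b"\x00\x0c"   # frame rate 12.0 (8.8 fixed point, little endian)
            + b"\x01\x00"   # frame count 1
            + b"\x00\x00")  # End tag
    length = SWF_HEADER_LEN + len(body)
    if compressed:
        return b"CWS" + bytes([6]) + struct.pack("<I", length) + zlib.compress(body)
    return b"FWS" + bytes([5]) + struct.pack("<I", length) + body


# Constructed stand-in for a projector (assumed layout, not the real player):
# an opaque stub, a decoy "FWS" whose length field is nonsense, the real
# movie, then trailer bytes.
FAKE_PROJECTOR = (b"MZ" + b"\x90" * 40
                  + b"FWS\x05\xff\xff\xff\xff"
                  + b"\x00" * 20
                  + minimal_swf(compressed=False)
                  + b"\x00" * 8)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_PROJECTOR
    for off, swf in find_swfs(blob):
        sig, ver, ln = parse_swf_header(swf)
        print(f"offset {off}: {sig} v{ver}, {len(swf)} bytes in file, {ln} bytes uncompressed")
```

Run it with a path argument to list every embedded movie and its offset; write the returned bytes to a file to get a plain .swf that the plugin, or a scanner configured to look at .swf, can examine without the bundled player.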
Reread that article. This time take it in.
That was a virus which propagated using a file purported (i.e. had a subject line and fake file extension) to be a SWF but was actually an ordinary virus (EXE/VBS/WhoCares). This new one is actually a SWF which can use the scripting features within the SWF viewer.
Apples and pears, mate. Consider yourself lucky you've been replied to not down-modded.
Phil
Keeping
A standalone executable can always do something malicious -- and that seems to be the issue with the Flash player as well. The reason I brought up applets is that they're supposed to run inside a high-security sandbox, which limits what the code can do. An applet, for example, would throw a security exception if you tried to feed it an example like yours with System.exec().
And it's plain old boring HTML that still brings them online. The most visited sites don't use those bullshit technologies to tart up their sites. They have reasons that people go there, and it's not just to say "ooh, pretty".
Your argument is absurd. It's like claiming that a man pays to be with a whore because he admires her makeup.
Expanding a vast wasteland since 1996.