Slashdot Mirror
Online Videos May Conduct Viruses
Technical Writing Geek writes "A report on threats via the Internet released by a Georgia Tech research center indicates online video may be a new avenue of attack. As the popularity of flash media continues to explode, hackers may be targeting embedded video players and more traditional video downloads with worms and virii. 'One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube ... Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.'"
I thought this was obvious...
ilovegeorgebush
And I thought my porn was safe with AV and spyware/adware blockers and cookie cleaners and...
Every new application that places a large footprint of code in the line of fire on the internet will be subject to attack.
Media apps are big, hairy and process gobbets of data straight from the attacker's server. What did people expect?
Evil people are out to get you.
So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?
TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.
A Human Right
What's wrong with posting MPG files for people to download? Every site these days is Flash video, or insists and assumes you're running a Web browser, wrapping their video file in Flash controls and burying the actual URL to the actual file people want to see under a dozen redirects.
All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??
is viruses. Virii is made up. Go look it up. Viri is man, there is no "virii"
... you don't have to worry if you run Linux!
Those are my principles, and if you don't like them... well, I have others.
thufferin' thuccotas! that's a dethpicable sylvesterism!
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
in the text: ... with worms and virii....
note: there is no Latin plural for the word
virus (means slime, basically). the expected
plural, viri, is the plural of vir (man). the
plural of virus is viruses.
Kevin O'Kane http://www.cs.uni.edu/~okane/
Flash player may conduct viruses. Or Real Player may conduct viruses. Or WMP may conduct viruses.
I have yet to see any evidence of the videos themselves containing viruses.
And linking to a malware site isn't a virus as well.
Isn't this all a bit "Schrodinger's Cat"? These virii are half-written, half not written, and we only get to know which one it is if we open the video clip of Anna Kournikova...
...or at least have someone hypothesize if such a thing may be possible.
Would the esteemed learning establishment care to debate if we will be living on the moon, wearing shiny suits, eating meal pills, flying around with our prsonal jet-packs? I for one want to know
Hmmmm.
Shiny. Let's be bad guys...
When people try to look smart by using incorrect words like "virii" they wind up looking both stupid and pretentious.
Way to go, Zonk. We're all really impressed.
hey 'technical writing geek,' you need a little schooling--'flash media' is something like a thumb drive or other non-disk storage space, while Flash Video is streaming video based on the Flash platform. you're welcome!
Why in the world should the Flash player have any kind of access/execution/write privileges on the browser's machine? I can understand that the player needs to be able to execute some form of code to create interactivity, but shouldn't this be so totally sandboxed that presents a minimal threat to the user or the OS.
This just confirms my opinion that Flash is an evil cancer on the web designed to move control of the web experience from the person browsing to the Flash author (who maybe a botnet builder).
Two wrongs don't make a right, but three lefts do.
Let's leave the MS-apologist spin out of the summary. Video has nothing to do with it:
It's the WMV format that conducts the viruses.
Was it a morally corrupt web site? Those are the worst kind.
If you wanna get rich, you know that payback is a bitch
I'm pretty sure that Bill Gates could come much closer to being the botnet king if he wanted to.
The eternal struggle of good vs. evil begins within one's self.
http://en.wikipedia.org/wiki/Plural_of_virus
:)
I think that should clear it up.
This attack vector isn't new however its spreading more and more as time progresses. What I find to be a worst attack vector are the ad servers such as Doubleclick, Akamai, etc.:
Yahoo's Right Media had Trojans in banner ads
Posted by Elinor Mills
For several weeks starting in early August, visitors to MySpace, Photobucket, Bebo and other high-traffic Web sites were exposed to banner ads that contained Trojan horse software that could wreak havoc on a computer.
Web security company ScanSafe tracked the malicious ads back to Yahoo's Right Media network and estimates that they ran several million times, according to The Washington Post's Security Fix news site. (source
Infiltrated dot Net
Why is this posted as a supposedly novel discovery ?
...)
A previous post allready mentioned WMV format has an on-purpose function build-in that lets it "phone home" (and retrieve whatever code it likes) without as much as a peep to the user.
The real issue here is not that some kind of "information" (movies, PDF's, etc) could harbour methods to retrieve (or even contain) the actual malicious code, but how the creators of those methods think that its a good idea to let their displaying-software "phone home" 1) whenever it likes 2) without notifying the user 3) without offering a way to disable it (it should be off by default if you ask me
Ban flash. Hell, ban all Adobe products - every bit of software they acquire seems to get revamped into crap, and minus photoshop all the software they develop is bloated and slow.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
It's security vulnerabilities in old versions of Flash Player that make them vulnerable to malicious files. Here's one of the more severe ones: http://secunia.com/advisories/26027. It doesn't matter if the file has no executable content when the reader has a buffer overflow that can be exploited with a malicious file. Strictly speaking, the exploit is executable machine code.
The issue of executable or scriptable content in media files is something different. As other people pointed out, WMVs can have script a web event, like opening a browser to a certain page, but in that case, a malicious website would be exploiting your browser. The media player is just a vector to open that web page.
http://www.youtube.com/watch?v=eBGIQ7ZuuiU
Question everything
A number of things.
/tmp ( or whatever the equivalent is on windows ) and thus it acts as a weak form of DRM, forcing people to return to the site since they don't know how to download a permanent copy.
...
a)Most users don't realize it is easy to copy the flash movies from your
b)Flash stores data on the client computer ( a bit like cookies ) which is used to snoo... errr... automatically obtain customer feedback.
c)Flash lets you have all kinds of annoying banners, clickable monkeys, advert overlays, etc
So in short:
Control, Data mining, Money
It won't end as such, but eventually competitors that offer a better/different type of service will appear. The old sites won't go away thou, because some people won't care about the adds and continue to use them. Sort of like you get tabloids, magazines and newspapers. At the end of the day, pick the ones you like and ignore the crap. I'm sure there is some firefox plugin which lets you block flash on all pages except the ones you explicitly whitelist ( will somebody link it since I'm ignorant about it ? ).
News flash - computer viruses are computer code, not viruses.
Lets create a law saying anyone referring to the plural of "computer virus" has to use "computer viruses" in every instance.
Otherwise, make up a new term "virii" referring to computer viruses, and continue to use "viruses" for the biological ones to prevent cross contamination in database search results.
The Flash player runs in memory as a process, or at least within the memory space of a host process, and it is taking a stream of data from an outside source according to a protocol. There must be methods for handling that data and if those methods are not carefully constructed then it it may be possible for a malicious user to smash the stack by sending carefully crafted packets to the host running the flash session. Now, most modern operating systems, even including Windows after the 9.x branch was retired, protect memory access on a per process basis so that the operating system itself cannot be compromised in this way. However, it may still be possible for an attacker to gain control of the Flash player itself and do anything which the flash player could do, including possibly reads and writes to certain files or calls to API functions. In this manner, when there were flaws found in the Windows API functions, the attacker might conduct a multi-stage attack whereby the Flash player is compromised first and then an Windows API function is called with another crafted exploit, piggybacking on the first attack, to complete the compromise. Every program that directly faces the network over a port is potentially subject to these types of attacks so this is not something special about Flash per se.
If for example a wmv file really contains and mpeg with some junk, is it enough to rename that whole file .mpeg or can you actually remove the junk. Something that does like a
..except in a windows utility (or command?!.)?..
$ cat wrapped.wmv | grep -v "http://spawnsomecrap.com/crap.html" > clean.mpeg
"With an untrusted viewer and scripting on, a video could easily launch this attack."
Could, is not does. The GP was simply asking for any evidence (you know, actual cases) of FlashVideo being used as a vector for attack. Two categories: possible attacks & actual attacks. Let's be clear which one we mean.
damaged by dogma
I never understood how this is even possible. Like vulnerabilities in image formats or video formats. How does this work? The media player, or image viewer, should be reading the bits in the file and display it as an image, or as video. Why do these bytes of data get executed? Who writes an application which opens an image file, reads the bits from the file and then EXECUTES it ?!?!?
I just don't get it. I'd love an explanation. Maybe it's like a website that takes user input and runs it as server side code... or some such. Just seems stupid to me. It should be impossible to have your video file executed...
most of the time. IMHO. I viewed video as the next necessary evil. Reminds me of how I avoided making purchases over the Internet for the first 5-7 years of its existence only to find that my wife, on her computer, had been making credit card purchases over the Internet the whole time. Ah, well. I now follow the really, really, really big school of itty bitty fish philosophy for lack of a better idea. (Well, that and my teens help keep my credit cards maxxed and my bank account empty.)
+That link suggests that it's Windows Media Player, rather than WMV, that's the problem, due to embedded IEness. It also specifically mentions quicktime as an exploitable format. It also says there are exploits in second life (that's a new one on me actually).
So, list of places windows users will probably pick up nastyware now includes... actually, anybody know of something that *won't* lead to malware with windows?
Liberte, Egalite, Fraternite (TM)
This sort of thing really gives me POOR IMPULSE CONTROL. >=(
Shouldn't that be "contain" not "conduct" viruses? The use of the word conduct makes me thing the video is telling the virus what to do, or something. Or is it conduct like lightning? Still not a great analogy.
The article is almost bad with it's talk of video being a "conduit" for viruses.
Dan
Although it may be disturbing, that Rick Astley youtube video is pretty much harmless to your computer and should not be considered a "virus" per se.
Stupid Cheap Guitars
Ahem... I do believe the word virus is a fourth-declension latin derivative, where therefore its plural is viruses and not virii. Also the root would be vir- not viri- and so even if it were a second declension (-us noun) its plural would be viri, and not virii. Unfortunately, I believe viri is already the plural of the word vir, which means "man" (viri - men).
In soviet Russia, viruses conduct you!
-Rush?
OK, disregard the trollish subject line...
Why blame Flash when MS's WMA and WMV formats are the biggest culprits of such exploits?
No Snowcrash references...
This is just FUD - but obviously this is Slashdot so who cares about facts anyway?
The truth is that the Flash player has actually a pretty draconian sandbox:
1. A flash movie can not write to disk or execute any command. Period. It only has a "cookie" mechanism to store info on user's computer but the user can allow/deny the action and allocate a quota for that info. The cookie is saved in the user's Documents and Settings folder (and the Mac/Linux equivalent), e.g. "C:\Documents and Settings\user\Application Data\Macromedia\Flash Player\#SharedObjects\LQ93AHGQ\www.youtube.com" The flash app cannot control the location or the file name.
2. A flash movie can't simultaneously have read access from the local file system and the Internet. What I mean is - either a flash movie loads a local file (text, xml, jpg, flv, etc) or it can communicate with a site (load URL, send variables with GET/POST, invoke a WS, etc) - but it cannot do both of them. A user has to go to Adobe website and specifically trust an application in order for that app to have more access.
3. Flash movies can't read the clipboard.
4. Access to microphone/webcam is disabled by default and must be enabled on a per-URL basis.
Anyone who RTFA knows that it's not about exploits inside the video stream, it's about fake links.
Now, I'm pretty sure I just wasted 10 minutes of my time trying to dispel some myths, because the average Slashdot user is too busy hating Flash and worshiping Steve Jobs. Mod me down, or better yet, just ignore this post and keep on living inside your bubble.
I, for one, appreciate your taking the 10 minutes to explain this and would mod you up if I hadn't already commented in this thread. I still dislike Flash because it takes away my ability to search for and browse information on my terms, but I feel better knowing that the technology is not inherently insecure.
Two wrongs don't make a right, but three lefts do.
this has been going on for years I remember one time I got hosed via a porn video trying to aquire a license in windows media player I had to format entire system and I used to get spyware regularly, I eventually got sick and stopped using windows media player. I now use it again as it has fixed these holes but no doubt they will work on trying to find more holes.
Virii is the /. editors best guess at viruses:
http://dictionary.reference.com/help/faq/language/g63.html
Please stop the incorrect usage!
Like mail, sound, or anything else that doesn't need to execute directly on the underlying platform, there is nothing that says video transmission has to be a virus vector. A properly-written protocol that limits itself to video display and is properly interpreted should be immune from attack.
If your transmission system and playback system are well-designed and well-implemented you'll be okay.
If they aren't then change to something else.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
That should have been:
1)go the video you want and load it in order to see it
2)open konqueror and go to "/tmp/" and sort the files by "date"
3) The last video on the list will have a name like "Flashfwfwea".
4)Open with mplayer
5)
I had .asf files (pretty sure it was) that forwarded me to a webpage with virus and unmoral content back in 2002 or something.
isit same like spam from the testimonial u get in friendster? pic like baby but head is dog ~
Crypto: 0
As received by: Transceiver Relay03 at Relay
Language path: Cloudmark -> Twiskweline, SjK units
[Cloudmark is a High Beyond trade language. Despite colloquial rendering, only core meaning is guaranteed.]
From: Transcendent Bafflements Trading Union at Cloud Center
Subject: Matter of life and death
Summary: Arbitration Arts has fallen to Straumli Perversion via a Net attack. Use Middle Beyond relays till emergency passes!
Key phrases: Net attack, scale interstellar warfare, Straumli Perversion
Distribution: War Trackers Interest Group, Threats Interest Group, Homo Sapiens Interest Group
Date: 61.12 days since the fall of Straumli Realm
Text of message:
WARNING! The site identifying itself as Arbitration Arts is now controlled by the Staumli Perversion. The Arts' recent advertisement of communications services is a deadly trick. In fact we have good evidence that the Perversion used sapient Net packets to invade and disable the Arts' defenses. Large portions of the Arts now appear to be under direct control of the Straumli Power. Parts of the Arts that were not infected in the initial invasion have been destroyed by the converted portions: Fly-throughs show several stellifications.
What can be done: If during the last thousand seconds you have received any High-Beyond-protocol packets from "Arbitration Arts," discard them at once. If they have been processed, then the processing site and all locally netted sites must be physically destroyed at once. We realize that this means the destruction of solar systems, but consider the alternative. You are under Transcendent attack.
If you survive the initial peril (the next thirty hours or so), then there are obvious procedures that can give relative safety: Do not accept High Beyond protocol packets. At the very least, route all communications through Middle Beyond sites, with translation down to, and then up from, local trade languages.
For the longer term: It's obvious that an extraordinarily powerful Class Two Perversion has bloomed in our region of the galaxy. For the next thirteen years or so, all advanced civilizations near us will be in great danger.
If we can identify the background of the current perversion, we may discover its weakness and a feasible defense. Class Two Perversions all involve a deformed Power that creates symbiotic structures in the High Beyond - but there is an enormous variety of origins. Some are poorly-formed jokes told by Powers no longer on the scene. Others are weapons built by the newly transcendent, and never properly disarmed.
The immediate source of this danger is well-documented: a species recently up from the Middle Beyond, Homo sapiens, founded Straumli Realm. We are inclined to believe the theory proposed in messages [ . . . ], namely that Straumli researchers experimented with something in Shortcuts, and that the recipe was a self-booting evil from an earlier time. One possibility: Some loser from long ago planted how-to's on the Net (or in some lost archive) for the use of its own descendants. Thus, we are interested in any information related to Homo sapiens.
Even we can't watch movie online peacefully!
Maybe we should just change everything to ASCII code so that no virus can attack. Just like the old time..
it makes sense. viruses can be attached to executable files and shall not bring any harm as long as those files are not executed. which means the downloadable ones should be scanned first before we watch them.the online ones are pretty much hard to be determined if they carry viruses or not.
how about audio files?
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Well, if I could see the source, I would believe you.
Secret code always does secret things.
online video is the best way to spread virus in easy and faster way. it's kind of trends nowaday,mostly for internet surfer to get their video resource from online video. but just wondering, why attackers think about this brilliant ideas just now?why not on 2005 or 2006?
'Nuff said.
NOT off-topic. I should not have been so quick to speak up; I was caught exactly the same way by some modders a while ago.
It is useful for some things, but for distribution of videoclips over the net, as it has commonly been used lately, it sucks. The quality is invariably lower than the original, sometimes to the point that it is unwatchable. I like to view videoclips on the Net, but I try to avoid sites that use Flash Player to display them.
morally corrupt web site?
Do you mean the ones where you can get free adult content or the ones that only provide 3 lines of semi-interesting information and split it over 12 pages with so many ads that each page needs 2 min to load on my 10Mb/s connexion (and did I mentioneed that some of these ads usually overlap the content for which I came in in the first place). Yes, the latter kind should be banned.
Dan Kaminsky has done some research into this. If you combine Flash with a DNS rebinding attack, interesting things can happen that wouldn't happen without Flash (which is to blame for a fire, the fuel or the air?).
Scary web threats (HTML version)
Scary web threats (Powerpoint)
How confident can we be that there are no more remote command execution vulnerabilities in the Flash player?
The designed security measures are only part of the puzzle when something is in the field.
huh..this day finally come.. i have been wondering when this is going to happen when i discovered a year ago that 'porn' media files (downloaded from torrent) contain malicious coding that launched a porn site when the file is open
lol.. u funny.. but did u notice that the two kinds of 'morally corrupted' website are kinda similar.. i mean, the first definition also contain 3 lines of interesting information + pages of ads..
.. a new meaning to the term 'viral video'.
1. A flash movie can not write to disk or execute any command. Period. It only has a "cookie" mechanism to store info on user's computer but the user can allow/deny the action and allocate a quota for that info. The cookie is saved in the user's Documents and Settings folder (and the Mac/Linux equivalent), e.g. "C:\Documents and Settings\user\Application Data\Macromedia\Flash Player\#SharedObjects\LQ93AHGQ\www.youtube.com" The flash app cannot control the location or the file name.
Then what is the flash "Global Storage Settings Panel" option to set 0-unlimited of local storage for?
Do you think so? Every time I read news about an exploit that can be used to transfer an agent using a digital media file, I think of this passage from Fire Upon the Deep.
I have seen the less-informed use non-word "virii" for as long as I can remember. How long does it take to drill this into people thick skulls?
;)
On the other hand, I've gotta jet. I think a hacker just hijacked a few of my boxen.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
i thought it suppose to be "inevitable"..what does this "Indevitable" suppose to mean??
this should be clear enough. http://linuxmafia.com/~rick/faq/plural-of-virus.html
Windows Media Player Apple QuickTime Player Real Player (Free Version) Adobe Flash Player Adobe Shockwave Player Camtasia TSCC Codec DivX Player (Free Version) ...if you have these on your machine then your pretty much covered for watching video online..
"online video may be a new avenue of attack" is this proven, and how can i believe it fully? it is stated "may be" and it can be "maybe not". i think it is not possible to attack via videos, because videos is not in exe form, how to attach a virus in video, is it in the middle of the running videos. what is virii actually??? "variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms" "viri is already used in Latin as the plural of vir, meaning "man" (thus making viri mean "men")" acording to wikipedia
the only way a video can easily infect our system with a virus is if it takes benefits of a well known exploit in the video player like a buffer overflow.the virus creator can embed this in a video and when the video is played on the player that contains the exploit, then it will infect the machine.youtube compresses all video which is uploaded;so the exploit written in the video will be destroyed through the compression
So it caches your puzzle games and Madness Combat flicks. Those aren't video, that setting is for everything else Flash does.
The only time I have ever gotten trojans (of the computer variety) was from a video clip I downloaded and forgot to scan before I watched it. It left 9 things on my computer, including a keystroke logger and 2 dialers. Fortunately, I discovered and eliminated the threats before they could do their dirtywork.
for my point of view it is not secure to use the online videos that can lead damage to your softwares sometimes. if you are using the online videos make sure that who have install the anti virus sofrware to protect your datas and files. eventhough the viruses will not attact your hardwares but still it will effect your softwares.
online video may be a new technique to attact. and it is very clear to say that viruses will attact and damage the system
Attacks coming from the internet are increasing more and more these days, especially related to videos from the internet. One of the method used by an attacker is forcing you download a video player containing a virus or trojan. This is done by encrypting a certain video file and uploading it to the internet so anybody can download it. When you download it and try to play it on your normal video player, it will ask you to download a specific video player to watch the video. The most common one is 3wplayer.
There is a way to decode the file using ActivePerl but most likely you will end up getting the video that you did not intend to download.
This is just a warning for those who don't know.
can cause damage to our software.
The simple ways to prevent pc from get virus is NO DOWNLOAD + NO PIRACY = NO VIRUS!! Get the original video from original CD/DVD.. ;p
Easy and safe!! Isn't it? :)
somehow, it's lot safer walking in the middle of the nite in the bad neighborhood than surfing internet. been waiting for this kind of attack, concerning the popularity of youtube and other online video streaming.
This will be a bummer for YouTube..... guess they will be in touch with IBM for their new dedicated virus scanning machinces
I was hoping after the fact that people would think it was a witty reference to something they didn't know about, when in reality it was a typographic error.
Evil people are out to get you.
That link suggests that it's Windows Media Player, rather than WMV, it is there any issue , due to embedded IE. It also specifically mentions quicktime as an exploitable format. It also says there are exploits in second life (that's a new one on me actually). So, list of places windows users will probably pick up nastyware .
eventhou, there are many risk when using online video like youtube..this online video will change pattern and habit in watching TV..thus,increase the video online market...so,why not all genius make some tool or new technology to prevent all malicious attack?...just wonder