Online Videos May Conduct Viruses

Technical Writing Geek writes "A report on threats via the Internet released by a Georgia Tech research center indicates online video may be a new avenue of attack. As the popularity of flash media continues to explode, hackers may be targeting embedded video players and more traditional video downloads with worms and virii. 'One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube ... Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.'"

Dammit!

[djasbestos]

And I thought my porn was safe with AV and spyware/adware blockers and cookie cleaners and...

It's Indevitable.

[TechyImmigrant]

Every new application that places a large footprint of code in the line of fire on the internet will be subject to attack.

Media apps are big, hairy and process gobbets of data straight from the attacker's server. What did people expect?

Anyone seen any code?

[grassy_knoll]

"The next logical step seems to be the media players," Rouland said.

So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?

TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.

Re:Anyone seen any code?

[grassy_knoll]

That's a redirection, not necessarily an infected FLV.

Re:Anyone seen any code?

[Technician]

So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?

TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.

The FA was short on details, but from what I've seen in online video, there are 2 probable ways this is done. Most flash video sites require scripting to be on.. Duh there is a vector right there. Other sites insist you download their viewer (Untrusted software anyone?). With an untrusted viewer and scripting on, a video could easily launch this attack.

They don't have to be

[XanC]

What's wrong with posting MPG files for people to download? Every site these days is Flash video, or insists and assumes you're running a Web browser, wrapping their video file in Flash controls and burying the actual URL to the actual file people want to see under a dozen redirects.

All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

Re:They don't have to be

[satoshi1]

Yes.

Re:They don't have to be

[UbuntuDupe]

Two words: money.

Well, make that three: control.

Re:They don't have to be

[kebes]

All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

Actually it would be much, much easier to design a system that just exposed the URL for a standard video file. The user/browser could then either download it, or have a plugin that buffers and displays it inside the browser. This eliminates all kinds of problems both for the web developers and the user.

But, of course, the real reason for using Flash-based players is that it acts as a weak form of DRM. The intention is to force the user to watch the video only at the site (with ads, etc.), and to not allow the user to take the video, transfer it elsewhere (e.g. iPod), edit out commercials, redistribute it, etc.

Of course, we all know that it is possible to write a script that extracts the video... but it becomes a tiresome arms race. This is just another example of the fundamental tradeoff between the notion of "convenience" (for the user) and "control" (for the distributor). The user wants freedom. The distributor wants DRM.

Re:They don't have to be

[mha]

Hi,

I would like to add my opinion this time. Some time ago I started a new idea: building *multimedia* learning content. Sounds easy enough, only that I had some more goals. Among them was to build a community-based platform - as in "OWNED by the community", not a "web 2.0" startup.

By the way, the current state is at http://letexa.com/ - I'm giving the URL because you can see what I'm going to talk about next in real-life examples.

So, I tried with HTML/Javascript. I always knew I had to use Flash vor the Video and/or Audio in any case. See the Change-Blog of the site for how it went. I ended up with an all-Flash solution.

BREAK - for those asking me why I want video/audio and that this is a huge waste: I want MULTIMEDIA, as I already said... yes, I add closed captioning but I'm iin the "MM" business. I don't want to join a discussion "everything should be text", you can sell your TV and radio if you like (I don't have a TV at home at all) and go all-newspaper if you like. I *like* producing MM content.

So how can I produce content for worldwide delivery, that I can distribute not only on the web but as standalone software too? Produce Videos, like it's done so often? No way. I want to add interactivity (I admit to having just two interactive examples on my page, of the few that are there in the first place, and only one of them is actually *really* interactive content and not just "if you click here another video starts"), .avi .mp4 or whatever don't help at all. Also, other advantages of Flash:

- It scales. Not just the vector contents, the pixel-contents scales too! That sounds strange, but what I mean is this: You can add pictures (and videos) to Flash that have way more pixels than needed at the chosen resolution. This is NOT useless, because if the user resizes the viewer (which you as the author have to allow in the code and which youtube and co don't do) the additional pixels are used!

- When I create multimedia content and not a technical manual or a news article I like being able to position all content at exact places and sizes (and have them scale all together, see above). Flash does that. To do the same in HTML I need to add LOTS of Javascript and recalculate positions, add hidden divs for resizing detection, etc. HTML was made for Universities and tech. TEXT articles/content, and trying to create all kinds of stuff like user interfaces with it is just a huge horrible hack. The JS libraries that exist are fine (YUI is my choice, etxjs(.com) seems great too (originally it was a YUI extension) but is for web-based apps only - while YUI takes care of "normal" websites too). However, the complexity is enormous, and has anyone ever thought about where all those GIGA(!)-hertz are going? I used to have a 486DX33 and that machine was FAST! Do we really get THAT much more today for all the additional power of PCs, or isn't it true most power is needed to power the many many many code and library layers?

- So to come back to Flash, what I also like about it that the Player is pretty lean compared to what it does.

- the integration Javascript-Flash (Actionsccript) is VERY good (and Actionscript is ECMA script like Javascript, but they try to hide the prototypipcal inheritance and make it appear to be a "classical" inheritance language... oh well.

- What is BAD about Flash: Adobe is a BIG company and VERY bad at reacting to individual problems. Instead of bugfixes you get a completely new release 8and have to pay them again, big time - I had to purchase Creative Suites 1, 2 and 3 so far... but I must admit I'm quite happy with it overall)

So to finish my long but somewhat confused comment (my problem is I always start way too may thoughts and then get lost - don't tell me you didn't notice :-) ), for *my* problem of producing multimedia content I still cannot think of anything else but Flash! I obviously *have* to use "multimedia", and webbrowsers don't do

Re:They don't have to be

[vertinox]

Was the first word "ninja?"

The word

[Anarke_Incarnate]

is viruses. Virii is made up. Go look it up. Viri is man, there is no "virii"

Re:The word

Correct. There is no virii.

Unless you find them on your boxen.

Re:The word

[Anarke_Incarnate]

well, then all I have to say to you, sir, is Blahjk kniga nuok! covered in natalie portman

P.S. The g is silent, as is the first k and the last !

Of course....

[TechForensics]

... you don't have to worry if you run Linux!

Indevitable?

[circletimessquare]

thufferin' thuccotas! that's a dethpicable sylvesterism!

the plural of virus is viruses

[kcokane]

in the text: ... with worms and virii....

note: there is no Latin plural for the word
virus (means slime, basically). the expected
plural, viri, is the plural of vir (man). the
plural of virus is viruses.

There's a lot of conjecture here.

[jackpot777]

Isn't this all a bit "Schrodinger's Cat"? These virii are half-written, half not written, and we only get to know which one it is if we open the video clip of Anna Kournikova...

Would the esteemed learning establishment care to debate if we will be living on the moon, wearing shiny suits, eating meal pills, flying around with our prsonal jet-packs? I for one want to know ...or at least have someone hypothesize if such a thing may be possible.

Hmmmm.

Re:Erm

[Ucklak]

Yeah, 1996 called, they want their virus distribution back.

I guess the researchers at Georgia Tech were 11 and younger when this was done before.

Why should Flash have any kind of write access???

[G4from128k]

Why in the world should the Flash player have any kind of access/execution/write privileges on the browser's machine? I can understand that the player needs to be able to execute some form of code to create interactivity, but shouldn't this be so totally sandboxed that presents a minimal threat to the user or the OS.

This just confirms my opinion that Flash is an evil cancer on the web designed to move control of the web experience from the person browsing to the Flash author (who maybe a botnet builder).

Correction : WMV conducts viruses

Let's leave the MS-apologist spin out of the summary. Video has nothing to do with it:

It's the WMV format that conducts the viruses.

Re: Online Video May Conduct Viruses

[bogie]

Was it a morally corrupt web site? Those are the worst kind.

Plural of virus

[Spy+der+Mann]

http://en.wikipedia.org/wiki/Plural_of_virus

I think that should clear it up. :)

Not new

[packetmon]

This attack vector isn't new however its spreading more and more as time progresses. What I find to be a worst attack vector are the ad servers such as Doubleclick, Akamai, etc.:

Yahoo's Right Media had Trojans in banner ads
Posted by Elinor Mills

For several weeks starting in early August, visitors to MySpace, Photobucket, Bebo and other high-traffic Web sites were exposed to banner ads that contained Trojan horse software that could wreak havoc on a computer.

Web security company ScanSafe tracked the malicious ads back to Yahoo's Right Media network and estimates that they ran several million times, according to The Washington Post's Security Fix news site. (source

Online video may conduct Virusses ? Old news !

Why is this posted as a supposedly novel discovery ?

A previous post allready mentioned WMV format has an on-purpose function build-in that lets it "phone home" (and retrieve whatever code it likes) without as much as a peep to the user.

The real issue here is not that some kind of "information" (movies, PDF's, etc) could harbour methods to retrieve (or even contain) the actual malicious code, but how the creators of those methods think that its a good idea to let their displaying-software "phone home" 1) whenever it likes 2) without notifying the user 3) without offering a way to disable it (it should be off by default if you ask me ...)

Example of fake video

[doyoulikeworms]

http://www.youtube.com/watch?v=eBGIQ7ZuuiU

Is there a tool to remove wrappers?

[CranberryKing]

If for example a wmv file really contains and mpeg with some junk, is it enough to rename that whole file .mpeg or can you actually remove the junk. Something that does like a

$ cat wrapped.wmv | grep -v "http://spawnsomecrap.com/crap.html" > clean.mpeg ..except in a windows utility (or command?!.)?..

Re:How does this work??

[CoffeeIsMyGod]

It's a little bit more subtle than that. Here is a simple example: there could be a section of the file that is supposed to be 100 bytes long, null terminated. The program could read it in but some joker put 200 bytes and a null there instead and the program dutifly reads all 200 bytes into a 100 byte buffer. If the size isn't checked you could overflow the stack, overwrite the return pointer, and cause the function that read the bytes return execution into some bits of code that are storred in the buffer. Think of it as hijacking the execution process.

Most media readers don't actually execute the media.

Well, except for the embedded URL feature in Windows media... and Flash ActionScript... and...

Oh dear.

Correction : Everything conducts Viruses

[Repossessed]

+That link suggests that it's Windows Media Player, rather than WMV, that's the problem, due to embedded IEness. It also specifically mentions quicktime as an exploitable format. It also says there are exploits in second life (that's a new one on me actually).

So, list of places windows users will probably pick up nastyware now includes... actually, anybody know of something that *won't* lead to malware with windows?

Re:Erm

[Crayon+Kid]

Yeah, 1996 called, they want their virus distribution back.

And yet it's so damn sad to see that in 10 years the industry has still not learned to do things right.

Good security starts from the design phase. If it was not meant to be hacked it should not be hacked. Security holes are mainly the fault and the responsability of the people who designed those buggy pieces of software.

And yet we see the media always blaming "hackers". Sure, they're assholes who try to break and enter. But it's like a bank leaving its vault wide open and allowing anyone in, and then complaining that some people stole the money.

Why don't the programmers fix the security holes? Why do they allow the holes to exist in the first place? Nobody seems to ask those questions. I suppose "hackers are at it again" makes better headlines than "bad engineers are at it again".

Re:Why should Flash have any kind of write access?

[gaspyy]

This just confirms my opinion that Flash is an evil cancer on the web designed [...] blah blah blah

This is just FUD - but obviously this is Slashdot so who cares about facts anyway?

The truth is that the Flash player has actually a pretty draconian sandbox:
1. A flash movie can not write to disk or execute any command. Period. It only has a "cookie" mechanism to store info on user's computer but the user can allow/deny the action and allocate a quota for that info. The cookie is saved in the user's Documents and Settings folder (and the Mac/Linux equivalent), e.g. "C:\Documents and Settings\user\Application Data\Macromedia\Flash Player\#SharedObjects\LQ93AHGQ\www.youtube.com" The flash app cannot control the location or the file name.
2. A flash movie can't simultaneously have read access from the local file system and the Internet. What I mean is - either a flash movie loads a local file (text, xml, jpg, flv, etc) or it can communicate with a site (load URL, send variables with GET/POST, invoke a WS, etc) - but it cannot do both of them. A user has to go to Adobe website and specifically trust an application in order for that app to have more access.
3. Flash movies can't read the clipboard.
4. Access to microphone/webcam is disabled by default and must be enabled on a per-URL basis.

Anyone who RTFA knows that it's not about exploits inside the video stream, it's about fake links.

Now, I'm pretty sure I just wasted 10 minutes of my time trying to dispel some myths, because the average Slashdot user is too busy hating Flash and worshiping Steve Jobs. Mod me down, or better yet, just ignore this post and keep on living inside your bubble.