Can A Video File Contain A Virus?

Video files are not typically thought of as potentially malicious or infected file types, but it is possible for malware to be embedded in or disguised as a video file. Due to this common misconception, audio and video files are incredibly intriguing threat vectors for malware writers.

Reasons for Viruses

  • Media players are very frequently used software; users tend to use them for an extended period of time, leaving them open during other tasks, and frequently switch media streams.
  • There are a wide variety of different audio players and many of different codecs and audio file plugins - all written by generally non-security-focused people.
  • The file formats involved are binary streams, and tend to be reasonably complex. Much parsing is required to manipulate them, and playback calculations can easily result in integer bugs.
  • Players take untrusted input from many different unreliable sources (often over the network), and run with fairly high privilege and priority. For instance, in Windows Vista, a low-privileged IE instance can launch content in a higher-privileged WMP.
  • They are perceived as relatively harmless - users are likely to play files given to them.
  • They are frequently invoked without the user's explicit acknowledgement, (i.e. embedded in a web page) [1].

Vulnerabilities

Typical vulnerability vectors are 1) fuzzing the media player by a modified video file and 2) embedding hyperlinks in a video file.

1) Fuzzing is a generic method to force a program to behave unexpectantly by providing invalid, unexpected or random data to the inputs.

Fuzzing is designed to find deep bugs and is used by developers to ensure the robustness of code, however, a developer's best tool can be used to exploit. For media players, which are supposedly "format strict", a corrupted real video file can expose many bugs, most caused by dereferencing null pointers. The result is, allowing inappropriate memory access, which indicates the possibility of writing to memory that is not intended to be written [2]. Fortunately, fuzzing media players requires in-depth knowledge of the file format or else the "corrupted" file, will simply be ignored by the player.

2) A more direct method is by obtained by embedding a URL into modern media files.

For example, Microsoft Advanced System Format (ASF) allows for a simple script commands to be executed. In this case, "URLANDEXIT" is placed at address 0x1329-133B and following any URL. When this code executes, the user is directed to download an executable file, often disguised as a codec and prompting the user to download in order to play the media [1,3].

MetaDefender Cloud, OPSWAT's anti-malware multi-scanning tool, has an example of one such file: https://www.MetaDefender.com/#!/results/file/c88e9ff9e59341eba97626d5beab7ebd/regular

The general threat name is "GetCodec", in this specific example, the media player was redirected to microsoftmediaplayer.net/pluginerror/ (website was taken down due to malware) and downloaded a trojan [4].

We have scanned the trojan here: https://www.MetaDefender.com/#!/results/file/bd493d4780924435bfeb96a2af6db5b2/regular

Microsoft (https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?ThreatId=-2147335891#tab=2) and Woodman [4] gives a deeper understanding on how the Trojan behaves.

Examples of File Type Exploits

Below is a table listing the popular media file formats that have been recently exploited by routing the user to malicious sites [3].

File FormatDetectionDescriptionFirst Reported
Windows
.wma/.wmv
Downloader-UA.bExploits flaw in Digital Rights Management [1]January, 2005
Real Media
.rmvb
W32/Realor.wormInfects Real Media files to embed link to malicious sites [2]November, 2006
Real Media
.rm/.rmvb
Human craftedLaunches malicious web pages without prompting [3]December, 2007
QucikTime.movHuman craftedLaunches embedded hyperlinks to pornographic sites [4]April, 2008
Adobe Flash.swfExploit-CVE-2007-0071Vulnerability in DefineSceneAndFrameLabelData tag [5]June, 2008
Windows.asfW32/GetCodec.wormInfects .asf files to embed links to malicious web pages [6]July, 2008
Adobe Flash.swfExploit-SWF.cVulnerability in AVM2 "new function" opcode [7]June, 2010
QuickTime.movHuman craftedExecutes arbitrary code on the target user's system [8]August, 2010
Adobe Flash.swfExploit-CVE-2010-2885Vulnerability in ActionScript Virtual Machine 2 [9]September, 2010
Adobe Flash.swfExploit-CVE2010-3654Vulnerability in AVM2 MultiName button class [10]October, 2010

Solutions

Not all media players have guarded against malicious links, so the obvious recommendation ensues: do not view untrusted files, never run media players with elevated privileges and don't accept downloads of "unheard" codecs or strange licenses.

Many antivirus vendors now have added detection by looking for the URL signatures inside media type files, however, this can also be avoided by malware writers by embedding in multi-gigabyte files which can take very long for the engines to properly scan.

As for fuzzing exploits, you will have to trust the programmers have performed the appropriate testing to clean up the deep bugs.

References

[1] David Thiel. "Exposing Vulnerabilities in Media Software". December 2013. http://www.blackhat.com/presentations/bh-europe-08/Thiel/Whitepaper/bh-eu-08-thiel-WP.pdf

[2] Colleen Lewis, Barret Rhoden, Cynthia Sturton. "Using Structured Random Data to Precisely Fuzz Media Players". December 2013. http://www.eecs.berkeley.edu/~brho/fuzz/fuzz_media_players.pdf

[3] Rahul Mohandas, Vinoo Thomas, and Prashanth Ramagopal. "Malicious Media Files: Coming to a Computer Near You". December 2013. http://www.mcafee.com/us/resources/reports/rp-malicious-media-files.pdf

[4] "URLANDEXIT tag in WMV". December 2013. http://www.woodmann.com/forum/showthread.php?13187-URLANDEXIT-tag-in-WMV

Sign up for Blog updates

Get information and insight from the leaders in advanced threat prevention.