SoylentNews is people

posted by Fnord666 on Tuesday August 20 2019, @02:19AM   Printer-friendly
from the don't-watch-anything dept.

Submitted via IRC for SoyCow2718

Most employees have some awareness about malware attacks. Many probably know that you should never open an executable file from a stranger or install a thumb drive found in the parking lot, for example. But videos, or links to videos, can deliver malware just like that executable or thumb drive. Do your employees know this too? And even if they do know it, will they be tricked into chasing malicious videos anyway?

Here's why it's time to start focusing on video malware.

[...] The video habit (or addiction) in our culture has paved the way for video malware — malicious code embedded into video files. Video malware is part of a larger trend toward more effective stealth in the delivery of malware. It's also the latest, and probably the most interesting, example of malicious steganography — the embedding of something secret inside some other medium. When the medium is an executable file, it's called stegware.

Malware has been embedded in still-image file formats, such as JPG, PNG and BMP formats, for years. Now, it appears that video malware is having a moment.

Source: https://securityintelligence.com/articles/how-video-became-a-dangerous-delivery-vehicle-for-malware-attacks/


  • (Score: 2) by DannyB on Tuesday August 20 2019, @03:22PM (4 children)

    by DannyB (5839) Subscriber Badge on Tuesday August 20 2019, @03:22PM (#882613) Journal

    I am still in the "me too" crowd above that don't understand this attack.

    In step 2, user downloads, presumably, a single file. That file is executable or it is not. If it is executable, then you don't run it. Period. If it is not executable then it is "data" to be consumed by other software such as a video player. That player takes apart the content during playback.

    Now I understand the idea that this "unpacker", be it a video player, Microsoft Word, Excel, a PDF viewer, etc., can have vulnerabilities in how it takes apart a complex file format. Especially when written in a language that makes it easy or simply possible to have unchecked array bounds, buffer overflows, etc. Or if part of the parser for the format has features incompatible with untrusted input. For example, a hypothetical JSON parser that recognizes certain convenient extensions that allow, say, executing a shell command -- because that might be useful. Useful, yes, but incompatible with untrusted input. Or how PHP uses (or did use) CURL to handle fetching from a URL. Clue: CURL has all kinds of cool features neat for a command line utility, but totally unsuitable for untrusted input!

    Now if a data file (e.g., AVI, PDF, DOC, XLS, etc.) is carefully constructed to exploit a flaw (e.g., a vulnerability) in how the decoder works, then I WOULD NOT call that steganography.

    Steganography allows you to hide data within a file format, but that file format is otherwise decodable in the ordinary fashion.

    So I still don't get it.

    A malformed file to exploit the Android media framework is using a malformed file (NOT steganography) to exploit a vulnerability.

    Steganography allows me to hide information in, say, a video file, that passes right through the decoder undetected. In fact, the information is hidden by subtly fiddling numerically with some of the data, such as pixels in an image or video. These changes DO have a visible effect. Just not a perceivable effect.

    So I still don't get it.

    --
    The lower I set my standards the more accomplishments I have.
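The "hide information by subtly fiddling numerically with the pixels" mechanism the comment above describes, as an added example that is not part of the original thread or the linked article. It is plain least-significant-bit (LSB) embedding over a raw 8-bit grayscale pixel buffer; the carrier is a constructed 64x64 gradient rather than a real image file, so it runs offline without an image library. The function names, the 4-byte length header and the one-bit-per-pixel layout are choices made for this example.

```python
"""Least-significant-bit (LSB) steganography over a raw 8-bit grayscale pixel
buffer. Added example, not from the original thread: the carrier is a
constructed gradient, and the hidden bytes are inert data that an image
viewer would simply render as pixels; only extract() below reads them back."""


def make_carrier(width: int = 64, height: int = 64) -> bytes:
    # Constructed sample: a diagonal gradient, one byte per pixel.
    return bytes(((x + y) * 2) & 0xFF for y in range(height) for x in range(width))


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length header followed by the payload,
    one bit per carrier byte, into the carrier's least-significant bits."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # each pixel changes by at most 1
    return bytes(out)


def _read_bytes(stego: bytes, offset_bits: int, count: int) -> bytes:
    # Reassemble `count` bytes from consecutive LSBs starting at offset_bits.
    out = bytearray()
    for k in range(count):
        value = 0
        for shift in range(8):
            value = (value << 1) | (stego[offset_bits + k * 8 + shift] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload: read the length header, then that many bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between carrier and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_carrier()
    stego = embed(carrier, b"not an exploit, just hidden bytes")
    print(len(carrier) == len(stego), max_pixel_delta(carrier, stego), extract(stego))
```

The stego buffer is the same size as the carrier and no pixel moves by more than one gray level, so any viewer decodes it exactly as it decodes the original. Nothing in the hidden bytes ever executes; a separate extractor that knows the layout has to read them out, which is the difference between a stego carrier and a malformed file that triggers a bug in the decoder.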
  • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @04:08PM

    by Anonymous Coward on Wednesday August 21 2019, @04:08PM (#883200)

    I haven't read TFA, but that's not a very safe assumption. Seems more likely that they've misrepresented the situation than that video players are intentionally executing code from video files.

  • (Score: 2) by Pino P on Wednesday August 21 2019, @05:09PM (2 children)

    by Pino P (4721) on Wednesday August 21 2019, @05:09PM (#883228) Journal

    In step 2, user downloads, presumably, a single file. That file is executable or it is not. If it is executable, then you don't run it. Period.

    To establish a baseline for comparison, let's say you have an alternate hypothetical situation without malware. How would something like VLC media player get onto your computer in the first place if you didn't run it because its installer was executable? Question mark?

    • (Score: 2) by DannyB on Thursday August 22 2019, @01:59PM (1 child)

      by DannyB (5839) Subscriber Badge on Thursday August 22 2019, @01:59PM (#883611) Journal

      An installer is expected to be executable. You know it is executable when you download it. You expect that what it installs is executable. No surprises.

      If I download a video file, then it is presumably not an executable. Both in terms of its actual file extension, and the way you would identify the file contents from the first bytes within the file.

      Now I realize it is possible, sometimes, to cleverly make a file have dual formats. Such as a Windows EXE that also just happens to be a ZIP file. But if I download it, and its file extension is ZIP, then there is no obvious way to execute it. Unzip it, yes.

      --
      The lower I set my standards the more accomplishments I have.
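A content check of the kind the two comments above argue about, as an added example that is not code from the thread or the linked article: identify the container from the first bytes, compare that with what the extension claims, and look for a valid PE header and a ZIP end-of-central-directory record, which is how an EXE that "also just happens to be a ZIP file" is built. The signature table, the extension map and both sample files are constructed for this example; a real signature table would be far longer.

```python
"""Check a downloaded 'video' against what its name claims. Added example,
not code from the thread or the linked article: a small constructed
signature table (far from complete), a PE-header check, and a ZIP
end-of-central-directory scan to catch the EXE-that-is-also-a-ZIP case."""
import struct

# Offset-0 signatures a player or unpacker keys on (constructed subset).
MAGIC = [
    (b"RIFF", "riff"),            # AVI/WAV container; bytes 8..12 name the form
    (b"\x1aE\xdf\xa3", "ebml"),   # WebM and Matroska
    (b"MZ", "exe"),               # DOS/Windows executable
    (b"PK\x03\x04", "zip"),       # ZIP local file header
    (b"%PDF", "pdf"),
]

# What each extension should look like at offset 0 (constructed subset).
EXPECTED = {"avi": "avi", "wav": "riff", "webm": "ebml", "mkv": "ebml",
            "exe": "exe", "zip": "zip", "pdf": "pdf"}


def identify(data: bytes) -> str:
    """Name the format from its leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            if kind == "riff" and data[8:12] == b"AVI ":
                return "avi"
            return kind
    return "unknown"


def is_pe(data: bytes) -> bool:
    """MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_zip_eocd(data: bytes) -> bool:
    """ZIP readers parse from the end: an End Of Central Directory record
    within the last 64 KiB (+22 bytes) is enough for a ZIP tool to accept it."""
    return data[-(65535 + 22):].rfind(b"PK\x05\x06") != -1


def check_download(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means name and bytes agree."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = identify(data)
    if EXPECTED.get(ext) != kind:
        findings.append(f".{ext} extension but content identifies as {kind}")
    if is_pe(data) and ext != "exe":
        findings.append("valid PE executable header")
    if has_zip_eocd(data) and kind != "zip":
        findings.append("ZIP end-of-central-directory record (possible polyglot)")
    return findings


def build_avi_sample() -> bytes:
    # Constructed minimal RIFF/AVI header, not a playable clip.
    body = b"AVI " + b"LIST" + struct.pack("<I", 4) + b"hdrl"
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_exe_zip_polyglot() -> bytes:
    # Constructed: MZ stub, e_lfanew -> 0x40, PE signature there, then a
    # ZIP EOCD record so a ZIP tool would also accept the same bytes.
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + b"PK\x05\x06" + b"\x00" * 18


if __name__ == "__main__":
    print(check_download("clip.avi", build_avi_sample()))
    print(check_download("Colony_of_cabbits_360p.webm", build_exe_zip_polyglot()))
    print(check_download("player-setup.exe", build_exe_zip_polyglot()))
```

The first call returns no findings, the second flags all three problems, and the third only notes the trailing ZIP record, which is what a self-extracting installer looks like too. The caveat is the one raised in the comment: a file whose magic bytes and extension agree can still be a malformed file built to hit a bug in the decoder, so this check only catches the name/contents mismatch and the crude polyglot, not the exploit.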
      • (Score: 2) by Pino P on Thursday August 22 2019, @02:40PM

        by Pino P (4721) on Thursday August 22 2019, @02:40PM (#883633) Journal

        An installer is expected to be executable. You know it is executable when you download it. You expect that what it installs is executable. No surprises.

        The attacker can easily adapt to that mentality. Imagine finding the following in some HTML document on the web:

        "Elil no more: Colony of cabbits found in Salloughby"
        Watch or download: SD (8.2 MB) | HD (19 MB)
        Download player: Windows | macOS | Linux AppImage

        So you click the "Watch or download" link, and it produces a file in your Downloads folder called Colony_of_cabbits_found_in_Salloughby_360p.webm. But your Windows PC or Mac didn't ship with a viewer for WebM files, as the major proprietary operating systems tend to ship with decoders for only royalty-bearing codec stacks like MPEG-4 AVC/AAC, not royalty-free codec stacks like WebM. So you click "Download player", expecting a file in .exe or .dmg format, and get a file in .exe or .dmg format. How do you know whether this player is malware?