Submitted via IRC for SoyCow2718
Most employees have some awareness about malware attacks. Many probably know that you should never open an executable file from a stranger or install a thumb drive found in the parking lot, for example. But videos, or links to videos, can deliver malware just like that executable or thumb drive. Do your employees know this too? And even if they do know it, will they be tricked into chasing malicious videos anyway?
Here's why it's time to start focusing on video malware.
[...] The video habit (or addiction) in our culture has paved the way for video malware — malicious code embedded into video files. Video malware is part of a larger trend toward more effective stealth in the delivery of malware. It's also the latest, and probably the most interesting, example of malicious steganography — the embedding of something secret inside some other medium. When the medium is an executable file, it's called stegware.
Malware has been embedded in still-image file formats, such as JPG, PNG and BMP formats, for years. Now, it appears that video malware is having a moment.
Related Stories
It was an innocuous-looking photograph that turned out to be the downfall of Zheng Xiaoqing, a former employee with energy conglomerate General Electric Power:
According to a Department of Justice (DOJ) indictment, the US citizen hid confidential files stolen from his employers in the binary code of a digital photograph of a sunset, which Mr Zheng then mailed to himself.
It was a technique called steganography, a means of hiding a data file within the code of another data file. Mr Zheng utilised it on multiple occasions to take sensitive files from GE.
[...] The information Zheng stole was related to the design and manufacture of gas and steam turbines, including turbine blades and turbine seals. Considered to be worth millions, it was sent to his accomplice in China. It would ultimately benefit the Chinese government, as well as China-based companies and universities.
Zheng was sentenced to two years in prison earlier this month. It is the latest in a series of similar cases prosecuted by US authorities. In November Chinese national Xu Yanjun, said to be a career spy, was sentenced to 20 years in prison for plotting to steal trade secrets from several US aviation and aerospace companies - including GE.
Originally spotted on Schneier on Security.
Related:
- Say Goodbye to the Dots and Dashes to Enhance Optical Storage Media
- How Video Became a Dangerous Delivery Vehicle for Malware Attacks
- New Zeus Trojan Variant Using Steganography
(Score: 1, Touché) by Anonymous Coward on Tuesday August 20 2019, @02:34AM (3 children)
Good luck convincing employees not to share inane videos with everyone in their social circle. Make no mistake: malware is not a technical problem. Malware is a social problem. Malware spreads within social circles in exactly the same way as STDs.
(Score: 3, Touché) by Anonymous Coward on Tuesday August 20 2019, @03:38AM (2 children)
Well, strictly speaking, not "exactly" the same way. It's much more fun to spread STDs!
(Score: 0) by Anonymous Coward on Tuesday August 20 2019, @03:57AM (1 child)
Use your phone during sex to spread malware and STDs at the same time.
(Score: 2) by MostCynical on Tuesday August 20 2019, @04:00AM
Safe sex: using a camcorder, rather than a phone or webcam..
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 0) by Anonymous Coward on Tuesday August 20 2019, @06:22AM
code is data.
data is code.
(Score: 4, Insightful) by Anonymous Coward on Tuesday August 20 2019, @07:10AM (7 children)
My fault, but I fail to understand why a video player needs to extract metadata and treat them as executable code... ?_?
CYA
(Score: 4, Insightful) by Mykl on Tuesday August 20 2019, @07:35AM (6 children)
Me too. I understand that code can be hidden within video (either in metadata, or through Steganographic means), but unless a video player has been specifically developed to extract and run that code, what's the problem?
You could write an extortion letter to me in Mandarin, but if I can't interpret it then I'm just going to throw it away, none the wiser.
(Score: 3, Interesting) by Pino P on Tuesday August 20 2019, @01:24PM (5 children)
The general structure of the attack is as follows:
One example of malware packaging described in the featured article is a Microsoft Word document (.docx) containing the both the video and an executable macro. Another is a malformed file to be played through versions of the Android operating system's media framework prior to a July 2019 security update.
(Score: 2) by DannyB on Tuesday August 20 2019, @03:22PM (4 children)
I am still in the "me too" crowd above that don't understand this attack.
In step 2, user downloads, presumably, a single file. That file is executable or it is not. If it is executable, then you don't run it. Period. if it is not executable then it is "data" to consumed by other software such as a video player. That player takes apart the content during playback.
Now I understand the idea that this "unpacker" be it video player, Microsoft Word, Excel, or a PDF viewer, etc can have vulnerabilities in how it takes apart a complex file format. Especially when written in a language that makes it easy or simply possible to have unchecked array bounds, buffer overflows, etc. Or if part of the parser for the format has features incompatible with untrusted input. For example, a hypothetical JSON parser that recognizes certain convenient extensions, that allow, say, executing a shell command -- because that might be useful. Useful yes, but incompatible with untrusted input. Or how PHP uses (or did use) CURL to handle fetching from a URL. Clue: CURL has all kinds of cool features neat for a command line utility, but totally unsuitable for untrusted input!
Now if a data file (eg, AVI, PDF, DOC, XLS, etc) is carefully constructed to exploit a flaw (eg, vulnerability) in how the decoder works, then I WOULD NOT call that steganography.
Steganography allows you to hide data within a file format, but that file format is otherwise decodable in the ordinary fashion.
So I still don't get it.
A malformed file to exploit the Android media framework is using a malformed file (NOT steganography) to exploit a vulnerability.
Steganography allows me to hide information in, say, a video file, that passes right through the decoder undetected. In fact, the information is hidden by subtly fiddling numerically with some of the data, such as pixels in an image or video. These changes DO have a visible effect. Just not a perceivable effect.
So I still don't get it.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Wednesday August 21 2019, @04:08PM
I haven't read TFA, but that's not a very safe assumption. Seems more likely that they've misrepresented the situation than that video players are intentionally executing code from video files.
(Score: 2) by Pino P on Wednesday August 21 2019, @05:09PM (2 children)
To establish a baseline for comparison, let's say you have an alternate hypothetical situation without malware. How would something like VLC media player get onto your computer in the first place if you didn't run it because its installer was executable? Question mark?
(Score: 2) by DannyB on Thursday August 22 2019, @01:59PM (1 child)
An installer is expected to be executable. You know it is executable when you download it. You expect that what it installs is executable. No surprises.
If I download a video file, then it is presumably not an executable. Both in terms of its actual file extension, and the way you would identify the file contents from the first bytes within the file.
Now I realize it is possible, sometimes, to cleverly make a file have dual formats. Such as a Windows EXE that also just happens to be a ZIP file. But if I download it, and its file extension is ZIP, then there is no obvious way to execute it. Unzip it, yes.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by Pino P on Thursday August 22 2019, @02:40PM
The attacker can easily adapt to that mentality. Imagine finding the following in some HTML document on the web:
So you click the "Watch or download" link, and it produces a file in your Downloads folder called Colony_of_cabbits_found_in_Salloughby_360p.webm. But your Windows PC or Mac didn't ship with a viewer for WebM files, as the major proprietary operating systems tend to ship with decoders for only royalty-bearing codec stacks like MPEG-4 AVC/AAC, not royalty-free codec stacks like WebM. So you click "Download player", expecting a file in .exe or .dmg format, and get a file in .exe or .dmg format. How do you know whether this player is malware?
(Score: 2) by Gaaark on Tuesday August 20 2019, @12:23PM (1 child)
"You coming Gracie?"
"Yes...YES...YESSSSS!"
Ah, the good old off-topic.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by DannyB on Tuesday August 20 2019, @03:28PM
Maybe the audio portion of a video exploits some vulnerability in the audio decoder. Maybe smashes the stack, or heap, or something. Part of the audio data just happens to be executable code that gets run because of, say, a smashed stack return address. This is nothing more than a vulnerability in the audio decoder.
Not worth screaming about.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 3, Insightful) by DutchUncle on Tuesday August 20 2019, @03:52PM (5 children)
Once upon a time there were clear distinctions between "data files" and "executable files" (including "executable"-ness limited to a scripting language restricted to the application). Scripting systems like VisiCalc and Lotus started accessing outside their context, which was dangerous but at least still clearly "executable". The problem started when Microsoft thought it would be clever for documents and pictures to become "active". Blurring distinctions looks like a convenience feature, just like it's so much more convenient to leave your door unlocked so you don't have to bother taking out your keys.
(Score: 2) by DannyB on Tuesday August 20 2019, @04:19PM (4 children)
The security model of ActiveX was that it required code singing. If someone did something bad, then where did they get their code singing certificate from?
Other than requiring code to be signed
sungthere was no security. It's just an executable ma'am.To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by Pino P on Thursday August 22 2019, @02:42PM (1 child)
Where is the hobbyist developer of a good-faith free software project supposed to get a code signing certificate? Is finding a corporate sponsor the preferred way?
(Score: 2) by DannyB on Thursday August 22 2019, @03:17PM
Just spend the $800 or thereabout to get the code signing certificate.
Obviously Microsoft did not think this through carefully. But that should be obvious by the fact that certificates and code signing do not make an actual security model.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by DutchUncle on Friday August 23 2019, @02:47PM (1 child)
>>>> code singing
After "literate programming" and "extreme programming" and "pair programming" and "agile programming", some good communal code singing sounds great. Maybe around a campfire.
(Score: 2) by DannyB on Friday August 23 2019, @03:45PM
A pyre to the passing of Microsoft. Who gaveth us ActiveX.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 1, Touché) by Anonymous Coward on Tuesday August 20 2019, @08:52PM (1 child)
Why focking haill did HTML 5 allow that?
(Score: 2) by Joe Desertrat on Tuesday August 20 2019, @09:29PM
Just guessing, but I would not at all be surprised to find it has to do with allowing DRM.