Even Flash Can Get Viruses

Posted by timothy
from the blesshyoo dept.
Mechel Conrad writes: "Heise Online (German) writes about a virus called SWF/LFM-926. It consists of a Macromedia Flash movie and seems to be the first of its kind. It uses Flash's scripting language in order to open a debug terminal, creating and executing a file called V.COM, which infests other .SWF files. Although the virus is not very dangerous and not widespread yet, it suggests clear security holes in Flash." The translation of the Heise article is quite readable, too. Update: 01/08 22:47 GMT by T: bdavenport adds: "this report on Yahoo lists a new Shockwave virus as low grade due to the need of manual downloading. InfoWorld is reporting that McAfee has upgraded to high risk after several Fortune 500 firms have reported it in the wild, arriving as an email attachment."
  • McAfee (Score:5, Informative)

    by hogsback (548721) on Tuesday January 08, 2002 @05:46PM (#2806610) Homepage
    McAfee information is here [nai.com]

    Looks like it isn't very likely to succeed - it needs Windows NT and the stand alone version of the flash player.

    Just proof of concept really.
    • Re:McAfee (Score:1, Redundant)

      by BigBir3d (454486)
      today NT, tomorrow WinME or Win2k, and next week WinXP.

      this one was probably just a test, although i am guessing they did not want to be on the radar until they had a bigger badder version that affected all OS's.

      my $.02
      • Re:McAfee (Score:2, Interesting)

        by hogsback (548721)
        By NT I meant NT/2K/XP - they're all the same really!

        It's probably a minor change for Win9x/WinMe.

        I don't know anything about the Flash scripting language - but it is using OS tools to do the actual infection of other files...this makes it less likely to be very cross-platform.
        • by Alan (347)
          Not many viruses are cross platform (unless you're talking about nt/2k/me/xp/98/98se being different platforms that is). Most of the virii out there aren't "email viruses" they are "Outlook express" viruses, and I don't see why this one isn't the same. To create a real cross platform virus would take a bit of doing IMHO.
          • Re:McAfee (Score:2, Informative)

            by hogsback (548721)
            There's Winux [nai.com] which infects PE and ELF format files on Linux and Windows. Fortunately, according to the description, it doesn't work very well.
    • by chazR (41002) on Tuesday January 08, 2002 @07:36PM (#2807179) Homepage
      The still-excellent l0pht [l0pht.com] once informed the world that Microsoft had a serious security problem in a product. MS responded with the famous "That vulnerability is purely theoretical.". So, l0pht released a real exploit for the vulnerability.

      Apologies, it's hard to find the original links since l0pht got up in the morning, put on a suit, and became @stake [atstake.com]

      Hello. Wake up. Theoretical vulnerabilities become real, nasty, exploited vulnerabilities very fast. I assume you read comp.risks?

      Looks like it isn't very likely to succeed

      LOOKS LIKE? It's a done deal. Somebody has exploited a widely-distributed scripting engine. The people who did it as a "proof-of-concept" have proven that the interpreter for this language is wide-open and gagging for a jolly good rogering. I wonder how many unchecked buffers there are in that code. I wonder how it handles multi-byte characters. I desperately hope it wasn't written in C.

      I sit here as a smug old Unix hacker, secure in the knowledge that lisp and Smalltalk programs are unlikely to be attacked in the same way that C programs are.

      I'm also sure I'm wrong.
      • I sit here as a smug old Unix hacker, secure in the knowledge that lisp and Smalltalk programs are unlikely to be attacked in the same way that C programs are.

        No, of course not. They'll be attacked in new and interesting ways.

        I'm also sure I'm wrong.

        Aren't we all. Nice to see someone admit it though ;)
  • Cross Platform? (Score:2, Interesting)

    by Mr. Sketch (111112)
    Could this be one of the first true cross platform viruses?
    • Re:Cross Platform? (Score:3, Informative)

      by hogsback (548721)
      Not this one ... it uses cmd.exe (from Windows NT) to write a script for debug (the DOS/Windows so-called debugger). So it looks like it's NT/x86 specific.
      • Perhaps it could be modified to use Bash and other Unix tools to do the same job? Of course, the infection would be user-specific.

        Someone has found a way to make Flash act outside the boundaries of its sandbox, and this should make everyone worry.

        At least a little bit.
  • by Ethelred Unraed (32954) on Tuesday January 08, 2002 @05:48PM (#2806626) Journal
    ...write a virus for it.

    Cheers,

    Ethelred

    • Build it; if it becomes popular enough, they will write a virus for it.
    • "they" needs to be capitalized.

      We all know who They. We all understand that. No need to protect their so-called "innocence" by playing the pronoun game. They are making the viruses; They are bringing evil into our hearts; They are holding us down.

      Protest against The Man, I will not let The Man hold me down!
  • by BinaryAlchemy (521587) on Tuesday January 08, 2002 @05:48PM (#2806628) Homepage
    The virus info from Sophos: http://www.sophos.com/virusinfo/analyses/swflfm926.html
  • translation (Score:3, Informative)

    by twms2h (473383) on Tuesday January 08, 2002 @05:50PM (#2806647) Homepage
    Just in case anybody reads the translation and wonders what the 'southwestern German broadcasting corporation' is about. It is just a mis-translation of SWF which used to be short for 'Suedwestfunk' (it doesn't exist any more, merged with another radio station). Of course in this case it just means the file extension of flash.
  • Flash is an advanced scripting language at its heart. Seriously, people - DUH! Of course you can do virii with it - look at Java. Yes, it's supposed to run in a sandbox. Theory and practice are often light-years apart.

    People can do some cool things with Flash, yes. They can also do many annoying things, and finally they can do some dangerous things, as evidenced by this article.

    Yet another victory for Lynx users. When was the last time you heard of a terminal-based text-only browser bringing down a Unix system? ;)

  • by Anonymous Coward
    safe files: gif, jpg, txt, ...
    unsafe files: vbs, exe, ...

    I cannot comprehend the shift towards risk (macros in .doc, scripting in .swf). Programmers, please keep the documents straightforward and powerless. I guess no one cares.
    • by sqlrob (173498)
      Why are gif & jpg necessarily safe?

      If there's a buffer overflow in the program rendering it, it could very well be an infectious file.
      • by Rentar (168939)
        The difference is that those are static formats that don't run any code (at least if you believe in the difference between code and data).

        Additionally there are quite some different gif and jpg parsers out there, but the number of useful Flash players is rather limited (1 comes to my mind). So if you'd be able to make a gif file that runs arbitrary code on the machine that views it, it would most probably be targeted only on this gif-reader software (and this version, and this platform, and ...).

        And I think the checks for malformed GIFs and JPEGs are rather strict in most image-loading libraries, 'cause defective GIFs and JPEGs are known to exist.
  • I can understand (not condone) writing viruses/worms/trojans for getting access to a computer for other ends, but why create a virus for Flash? Infecting other Flash files seems pretty silly to me. The only reason I can think of is marketing or corporate sabotage for graphic designers.

    Maybe it's just a case of "I can do it, so I must"? It's not like ActionScripting can be used in DoS attacks or to steal your credit card. Wouldn't you need a system to get the credit card number and another to actually send it somewhere?

    I'm clueless here. Help me out.
    • The worm does not destroy files on a user's computer, but renames all files of the .jpeg and .zip type and moves them to the PC's root directory, said Patrick Nolan, a virus researcher with McAfee's Anti-Virus Emergency Response Team (AVERT).

      Although the worm does not delete files, it can clog e-mail networks and take e-mail servers offline. Cleaning up files that have been relocated and renamed could also waste considerable man hours, Nolan said.

      like most viri written by 1337 script kiddies, the real aim appears to be to create confusion and waste people's time/money. the "I Love You" virus didn't have a real payload, but boy did it do a job on the mail servers of many corporations. several friends' companies lost several days of work b/c their employees like to click EXEs. this will be the same. plenty of people send funnies with SWF files - with the virus infecting via that cute pink icon, expect plenty of people to click away.
    • Virus Prevention Software Companies.
      Take a look at the correlation between virus companies' stocks and the discovery of new viruses.
    • I can understand (not condone) writing viruses/worms/trojans for getting access to a computer for other ends, but why create a virus for Flash? Infecting other Flash files seems pretty silly to me. ... I'm clueless here. Help me out.

      Well my guess would be this person is as sick of flash being abused by websites for annoying ads as I am. I'd love to be able to tell MSIE to remove Flash and never re-install it, but this seems impossible. Maybe if we get firewall-level blocking of Flash due to this virus, I might be happy. :-)
    • It's probably a proof-of-concept. The idea is that, if you have a way to attack something, you need to demonstrate that you can break in far enough to do something potentially significant.

      It infects other SWF files, but this really just means that it can do whatever it wants, including becoming an attack not traceable to the actual source.
    • I've met some virus authors at the end of the 80s. All of them were driven by the "because I can" reason only. It was just a challenge; not many of them were thinking about the possible damages, etc. BTW, Scientific American had an article about viruses under the "Mathematical Recreations" topic, because it was a recreation.

      I'm sure most of the virus authors nowadays still have the same mentality. I don't think they do it for some pragmatic reason. Just because they can. It's the stupidity in its pure form.


    • I can understand (not condone) writing viruses/worms/trojans for getting access to a computer for other ends, but why create a virus for Flash? Infecting other Flash files seems pretty silly to me.


      I would guess that the initial reports were simply proof of concept. It shows that something beyond what would be expected is possible. It proves that it is also possible to create something with a viral nature. From that point, it is simply a matter of devising a more... selective... payload. The advantage to infecting Flash files is that the format hadn't previously been considered a potential infection vector. It is (was) now a new way to attack your target - be that target a specific entity (individual, corporation, government, etc) or the world at large (glory seeking).


      On the subject of proof-of-concept viruses and trojans - I would argue that most viruses / trojans in the wild are similar proofs of concept. They are attempts to shock the internet-using public and make them aware of their insecure environment. They do this by infecting hosts and then touching, but rarely damaging, data. It's a digital counting coup - "look at what I could have done if I had wanted to."


      Of course, it also proves that you don't have to destroy data to gain notoriety. If you did, I wouldn't be surprised to see more damaging payloads.

    • Seriously... it's been done. And Slashdot [slashdot.org] covered it.

      What was the first macro virus called? The Concept [sc.edu] virus. I imagine that's not really a coincidence. It was proof that you can implement a fairly complex algorithm on a fairly simple system.

      If viruses weren't so destructive, it'd be pretty darn impressive - and it probably is for the sociopaths who design viruses. It's like putting a 3-d rendering engine on a TI-85 calculator. As it is, I wish they'd just make the viruses and keep them to themselves as theoretical ideas except when they can serve some useful purpose.

      So...how about some useful flash stuff? I'd like to see some of these fairly difficult ideas implemented in flash:
      A 3-d polygon based fighting game
      A C compiler (or some other high-level language compiler)
      A database
      An emulator of some old, archaic system

      Those would be way more newsworthy than a virus, IMHO. Anybody heard of any of those in Flash?
  • Yow (Score:1, Flamebait)

    This is why people that don't use standard tools (HTML and images) on their pages piss me off. Whenever you start using fancy scriptable stuff there exists the possibility for a security flaw.

    We've seen it before and we'll see it again.

    For this reason, please do the following:

    DO NOT support sites that use Flash
    DO NOT support sites that use Java
    DO NOT support sites that use ECMAscript
    DO NOT support sites that use Quicktime

    And the same for other plugins! Plain HTML is the only safe alternative.
    • by ekrout (139379)
      This is why people that don't use standard tools(HTML and images) on their pages piss me off. DO NOT support sites that use Flash

      DO NOT support sites that use Java

      DO NOT support sites that use ECMAscript

      DO NOT support sites that use Quicktime

      So in other words, you don't like a god damn soul... :-/ ;-)

    • {rant}
      And you truly believe that plain, boring, run-of-the-mill HTML is what has brought grandma, grandpa, your niece, and Ubu the dog onto the internet?

      High-level scripting languages like Flash, Java, JavaScript, etc., have brought the Internet into a "slicker" dimension... one that appeals to the masses rather than just technodweebs.

      Ok, so you say: "Why do I care if they've made the Internet popular with the masses? Fsck 'em, the Internet is made for technodweebies like me anyways!"

      Why do you think you can get broadband for $40/mo instead of having to get a T1 at $800/mo? Why do you think you can get $400 off your next computer when you sign up for online access? Why do you think computer prices are falling rapidly and performance is growing just as quick? None of that would be happening if computers, driven by the desire for the Internet, weren't booming.

      {/rant}

      MadCow
      • actually, plain boring ascii pop3 email is what brought grandma, grandpa, my niece and Ubu the dog onto the internet.

        The Web has long ceased to be a place of any interest for most people - at least outside of ebay.
      • The sites I go back to, I go back for the content. They are typically weblog/journals or actual information of some sort (reference, reviews, FAQs, whatever).

        Flash in particular seems to coincide with either content-free sites, or incomprehensible "artistic" navigation. Java and Javascript I don't have a particular grudge against, apart from speed (Java) and security (Java and JavaScript) issues.

        Anyway, I can't get broadband for $40/mo, and last time I looked, there was a fairly significant downturn in the last 18 months in the PC market.
      • Well, for those of us who remember the Internet before 1998, we remember that it was plain old boring HTML that brought them online. And e-mail, and IRC. More precisely, it was the content inside those that brought them online. My son, who is under two, likes the flashy stuff, because he can see Blue and Elmo. But he's happy just to bang on the keyboard and drool on the mouse.

        And it's plain old boring HTML that still brings them online. The most visited sites don't use those bullshit technologies to tart up their sites. They have reasons that people go there, and it's not just to say "ooh, pretty".

        Your argument is absurd. It's like claiming that a man pays to be with a whore because he admires her makeup.

    • Heck screw that I don't even use the internet anymore I'm just mailing in this post.

      Worlds over I'm going back just to reading books and writing my code on a legal pad with a pencil and having someone else type it in.
    • Re:Yow (Score:2, Insightful)

      I know it's bordering on off-topic, but the parent poster does have a point. I have not yet been to a Flash site that has anything on it that I was hoping to find, unless it's artwork (which I am interested in on occasion), and generally I gave up trying to navigate in frustration a few minutes later because either it was slow, or it was very badly designed.

      The bottom line is that Flash is not an effective tool for creating websites. This is what HTML was designed for. With Flash, there are two things that particularly get my goat:

      1. you can't right-click a link and open it in the background (as I do often with Opera), in order to check out several areas of the site at once. This may sound like something that broadband users would complain about the most, because they can load several pages in parallel quickly, but actually it's something that I find not only helpful for efficiency, but necessary for my sanity as a dialup user, because if I had to click every page in serial I would spend so long waiting for the single page I can view to load that I'd stop using the internet altogether
      2. the second thing is that Flash sites are typically rendered at 640x480 or 800x600 to cater for users with low-end monitors, and cannot be resized (afaik, ianal, blah blah) because a Flash file is effectively a bunch of raster images bunged together. This means that this stupid little website is sitting in the middle of my 1152x864 screen, with an enormous blank space around it. Some people even do this with html for some completely unknown reason; for a good example of a site that uses both Pointless Flash(TM) for a Pointless Entrypage(TM) and Huge Blank Spaces(TM) check out the personal website [bigbadmatrix.com] of someone I don't like very much. I'm sure those people with 21" monitors and 2080x1024 screen resolutions know far better than I what I am talking about
      To be fair, there are sites that use Flash as a banner animation at the top, and it doesn't get in the way and is merely decorative, and that's fine, it's attractive and enhances the site. A good example of this is NZ Gamer Forums [gamer.net.nz], and an example of a site that is annoying in its use of a complete Flash "gui" is its parent site [gamer.net.nz]. Yes, it's well-laid out and attractive, but just for starters, try entering your name into the "username" section. If you touch-type like I do, you'll very quickly get over how the animations when you enter a character are neat, and pretty quickly discover how they're very irritating. The sounds, too, are annoying to me. Basically, I think this website could have been made to look similar simply using HTML, and it would have loaded far more quickly (it took a good three minutes to load on my 56k--more than I'm normally willing to wait).

      The Forums are an example of Flash used in moderation, and JavaScript used in debatable moderation. I have no problem with it; it does add to the site having those tables light up blue, but it's also not particularly necessary. Mostly the site is very usable, and while there are a lot of images, it doesn't take a hugely long time to load. I think the person who designed the gamer.net.nz site and subsites needs a lesson in accessibility, because his sites are great if you can run Flash and feel like waiting for all the images to load, but get a browser like Opera 6, assume you don't have the flash plugin, and disable images so it loads faster, and you'll get a broken frontpage, and semi-broken threads in the forums because you have to use the horizontal scroll so much--the only thing this guy knows how to do is eye-candy.

      The only real gripe I have against JavaScript is the open() function. A lot of people seem to think it's a really great idea to have links open in a new window using this function. I'm all for opening in a new window; I do it on my site [dnip.net] all the time--and you'll notice I use basic JavaScript for the image rollovers in the title, because they markedly add to the visual effect of the site without increasing much in the download time. But hey, there's already this great attribute called "target" in the <a> tag! Use it! I loathe sites where I right-click, open a window in the background without checking its exact href in the status bar of my browser, and going back to it a few seconds later expecting it to have loaded and finding a blank page with "javascript:open(window.crap)" in the address bar.

      Just my little rant. Please mod down accordingly.

  • Scripting Security (Score:3, Interesting)

    by svwolfpack (411870) on Tuesday January 08, 2002 @05:52PM (#2806668) Homepage
    This pretty much shows that any type of program with a scripting language built in is prone to having viruses written for it. (Word macros, VBS, etc...) It will be interesting to see what is done in the future to allow for the benefits of having scripting, but reducing the risks associated as well. A possible solution is simply reducing the power that scripting languages have, such as disabling file writing capabilities (although that's not really a legitimate solution, you see where I'm going with it...)
    • Any scripting language that is allowed to get out of its sand box only.
      • Right. But a scripting language that can't get out of its sandbox is rather useless (except for some special cases like Flash). A scripting language without a sandbox is of course much worse.

        But there are two ways a script can get out of a sandbox (in some languages there is only one ...):

        • A bug in the sandbox. This is the most obvious but can be avoided rather well with some good design (not completely of course; good code and constant security audits are still needed)
        • The 'official' way.

        As I said, a scripting language without an official way out of the sandbox is rather limited. In Java (not strictly a scripting language, but the sandbox I'm most familiar with) an applet can escape the sandbox if it is both signed and gets the permission of the user (the signing part can be skipped, but for that you have to modify client settings). We all know that the permission of the user is only a problem of social engineering and virus authors are pretty good at this (or at least good enough for Joe Outlook-User out there).

        The signing part is actually quite good. A virus author would have to get a valid, certified key from a Certification Authority (like Verisign) and sign the virus with this key ... well, this obviously would be stupid, except if he is planning to find out about life in prison pretty fast.

        Now the really big problems arise when a [scripting] language allows a script/program to escape the sandbox when it is not signed (or is signed with a self-signed certificate), even when it does so after a big red flashing DONT-EVER-DO-THIS sign, where the user has to enter a 12-digit prime number he has to calculate from a formula that is printed on page 123 of his handbook ... in reverse, using Polish translation. None of this would prevent the user from executing harmful, unknown code.

        Actually I just remembered a third method, or rather a combination of the first two: a bug in the certification-check system. IIRC Netscape had some in their 4.x releases that allowed any valid signature to verify the validity of any host and not just that of the host it was made for.

        • The signing part is actually quite good. A virus author would have to get a valid, certified key from a Certification Authority (like Verisign) and sign the virus with this key ... well, this obviously would be stupid, except if he is planning to find out about life in prison pretty fast.

          ITYM would have to break into the machine of _anyone_ who happens to have an already valid signing key (gosh - wonder how many people with one of them keep it on an unsecured Windows box on a broadband link. Only needs to be one).

          After that it's a matter of distributing the virus before the owner of the key realises it's been 'borrowed'. That is soooooo unlikely, sure.
  • fortunately Linux/other non-windows non-x86 OS's can be infected
  • I truly don't feel bad for these companies at all, and I'm not blaming anything or anyone, but when you start introducing scripting languages on top of a certain operating system you put yourself in danger. This will keep happening until people honestly start taking security seriously. I'm not trying to troll or shed bad light on Microsoft or Windows(tm) at all. I'm just stating the facts and calling the plays as I see them.
    • Don't forget that Flash runs on Linux and Macs as well. With a little smarts, folks can write cross-platform viruses (if Flash can create a script file and arrange to have it executed by the user who is running the browser).

      Anyone know whether the Linux Flash plugin is vulnerable to this attack?

  • Flash allows creation of external files??? Isn't that kind of dangerous in and of itself, whether or not it's intended to do so? You'd think a standard flash plugin wouldn't be allowed to do anything but read and write to a limited area of the disk!
  • The Norton info page on this virus can be found here [symantec.com].

    One important thing to note on this webpage... we should add .swf to the extensions that we scan. Hopefully that will help protect us in the future from the more dangerous Flash viruses that are sure to come.

  • Java applet viruses? (Score:3, Interesting)

    by melquiades (314628) on Tuesday January 08, 2002 @05:58PM (#2806710) Homepage
    Has there ever been a Java applet virus? Java's very nice security / permissions model should theoretically make this impossible. However, considering that (1) that's only in theory, and (2) just about every browser implementation of Java is complete shit ... well, it could happen. Has it?
    • by C. Mattix (32747) <cmattix AT gmail DOT com> on Tuesday January 08, 2002 @06:15PM (#2806815) Homepage
      For Java to do anything bad it has to have explicit permission from the user. In that case, in my opinion, it isn't a virus, just a dangerous program and the user should actually read the warning boxes.
      It could happen if some company would give away the private keys for a trusted company and then use that key to sign a modified and dangerous version. (Say like a rooted version of Yahoo chat or something like that, that has to be trusted to run right.)
      • For Java to do anything bad it has to have explicit permission from the user. In that case, in my opinion, it isn't a virus, just a dangerous program and the user should acuatlly read the warning boxes.

        I don't think that this disqualifies it as a virus. The user may accept that the program may "access the local file system", but he certainly doesn't want it to trash his harddisk.

        Additionally I'd keep in mind that "Users don't read documentation" which can be generalized to "Users don't read.", so Joe Average won't be interested in what the message box says that stops him from playing with this cool "web thingy" (which in technical terms could be described as a Java applet), he just wants to find out which button he must press for the warning dialog to go away.

        • Actually it does disqualify it as a virus. These types of programs are called trojans. Being a virus requires self-reproduction. Posing as a useful program is categorized as a trojan horse.

          Technically even the Outlook 'worms' are not viruses as they require the user to run the offending attachment in order to propagate.

          Trojan horses they are but as it doesn't sound as exciting as virus so.. oh well.
    • Here is an example of a Java Trojan, which needs to be run from the command line as an application (it won't run as an applet).
      This exploit code can infect your computer with harmful executables that are sent via email attachments.

      public class ScaryTrojan {
          public static void main(String[] args) {
              try {
                  // Runs as a plain application, so no applet sandbox applies:
                  // the JVM simply launches whatever program it is told to.
                  Runtime.getRuntime().exec("C:\\Program Files\\Microsoft Office\\Office\\OUTLOOK.EXE");
              } catch (Exception e) {
                  // IOException from exec is deliberately swallowed
              }
          }
      }
      • A standalone executable can always do something malicious -- and that seems to be the issue with the Flash player as well. The reason I brought up applets is that they're supposed to run inside a high-security sandbox, which limits what the code can do. An applet, for example, would throw a security exception if you tried to feed it an example like yours with System.exec().
  • The infoworld article in the update is about something completely different from December 2000
  • The "update" link to infoworld is over a year old and refers to an email (OUTLOOK) spread virus that infects .swf files. People really should check out links before they post them.
  • Maybe Roscoe should keep a better eye on him. :-)
  • Please note that the infoworld story quoted at the end of the update has a dateline of December 1st. If that's not stale enough please note that the year on that timeline is 2000.

    Rest of the information is timely, though.

  • by geirt (55254) on Tuesday January 08, 2002 @06:03PM (#2806746)

    Many virus scanners don't scan .swf files by default, so you have to update your virus signature file (which is automatic on most scanners) and reconfigure your scanner to scan .swf files (unless you already scan all files on your computer).

    This means that if advanced .swf viruses are created, they could become a real problem until system admins wake up and get a clue (and that takes a loooong time, look at Code Red)
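
The two comments above (configuring the scanner to look at .swf files, and "add .swf to the extensions that we scan") both lean on the file extension, which an attachment can lie about. The following is an added example, not code from the thread, from Macromedia, or from any antivirus vendor. It parses the SWF container by its magic rather than its name, using the documented header layout (an "FWS"/"CWS" signature, a version byte, a little-endian uncompressed length, the bit-packed stage RECT, then frame rate and count; a "CWS" body is zlib-compressed after the first 8 bytes), and then looks for one heuristic indicator. That indicator is an assumption of this example: ActionScript's fscommand("exec", ...) is compiled into a GetURL action whose URL literal is "FSCommand:exec", so the string survives in the file. The sample files, the indicator list, and the verdict names are all constructed for the example; the "funny.jpg" sample is a SWF hiding behind an image extension. The header parser goes beyond what the thread discusses; it is there so a scanner can reject truncated or corrupted SWFs instead of trusting the extension or the declared length.

```python
import struct
import zlib

# Heuristic indicator (assumption of this example, not a published signature):
# fscommand("exec", ...) compiles to a GetURL action carrying "FSCommand:exec".
INDICATORS = (b"FSCommand:exec",)


def is_swf(data: bytes) -> bool:
    """Identify a SWF by its magic, never by file extension."""
    return len(data) >= 8 and data[:3] in (b"FWS", b"CWS")


def _read_rect(buf: bytes):
    """Decode the bit-packed RECT that follows the 8-byte SWF header.
    Returns ((xmin, xmax, ymin, ymax) in twips, bytes consumed)."""
    nbits = buf[0] >> 3                       # top 5 bits: width of each field
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    bits = int.from_bytes(buf[:nbytes], "big") >> (nbytes * 8 - total_bits)
    fields = bits & ((1 << (4 * nbits)) - 1)  # drop the 5-bit nbits prefix
    vals = []
    for i in range(4):
        v = (fields >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        if nbits and v & (1 << (nbits - 1)):  # RECT fields are signed
            v -= 1 << nbits
        vals.append(v)
    return tuple(vals), nbytes


def inspect_swf(data: bytes) -> dict:
    """Parse the SWF header (inflating CWS bodies) and scan the body for indicators."""
    if not is_swf(data):
        raise ValueError("not a SWF file")
    compressed = data[:3] == b"CWS"
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]   # uncompressed size incl. header
    body = zlib.decompress(data[8:]) if compressed else data[8:]
    rect, used = _read_rect(body)
    frame_rate = struct.unpack_from("<H", body, used)[0] / 256.0   # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, used + 2)[0]
    return {
        "compressed": compressed,
        "version": version,
        "length_ok": declared_len == 8 + len(body),
        "rect_twips": rect,
        "frame_rate": frame_rate,
        "frame_count": frame_count,
        "indicators": [ind.decode() for ind in INDICATORS if ind in body],
    }


def classify(data: bytes) -> str:
    """Verdict for any blob, whatever it is named."""
    if not is_swf(data):
        return "not-swf"
    try:
        info = inspect_swf(data)
    except (zlib.error, ValueError, struct.error, IndexError):
        return "swf-malformed"
    return "swf-suspicious" if info["indicators"] else "swf-clean"


def scan_files(files: dict) -> dict:
    """Classify every blob by content; the name (and extension) is ignored on purpose."""
    return {name: classify(blob) for name, blob in files.items()}


# --- constructed sample files for the demo (not real malware) -------------------

def _pack_rect(xmin, xmax, ymin, ymax, nbits=15) -> bytes:
    """Inverse of _read_rect, used only to build the samples."""
    bits = nbits
    for v in (xmin, xmax, ymin, ymax):
        bits = (bits << nbits) | (v & ((1 << nbits) - 1))
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    return (bits << (nbytes * 8 - total_bits)).to_bytes(nbytes, "big")


def build_sample(compressed: bool, payload: bytes) -> bytes:
    """Minimal SWF: 550x400 stage in twips, 12 fps, 1 frame, then raw payload bytes."""
    body = _pack_rect(0, 11000, 0, 8000) + struct.pack("<HH", 12 << 8, 1) + payload
    length = struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + bytes([6]) + length + zlib.compress(body)
    return b"FWS" + bytes([5]) + length + body


if __name__ == "__main__":
    samples = {
        "intro.swf": build_sample(False, b"\x00\x00"),                          # only an End tag
        "funny.jpg": build_sample(True, b"FSCommand:exec\x00notepad.exe\x00"),  # SWF behind .jpg
        "photo.gif": b"GIF89a" + bytes(16),
    }
    for name, verdict in scan_files(samples).items():
        print(f"{name:12s} {verdict}")
```

Running the block reports "intro.swf" as clean, "funny.jpg" as suspicious despite its extension, and the GIF as not a SWF. A string match on "FSCommand:exec" is a coarse indicator (legitimate projector files can use it too), so in practice it marks a file for closer inspection rather than proving infection; the point is that the decision is made on the bytes, not on the name.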

  • Finally! (Score:3, Funny)

    by kilrogg (119108) on Tuesday January 08, 2002 @06:04PM (#2806753) Homepage
    Us Linux users can enjoy a flashy virus for once. We need more cross platform stuff like this.
  • by entrox (266621)
    Sophos Anti-Virus warns about a new virus, which infects other files as a Macromedia Flash movie and executes self-generated programs. The parasite, baptized "SWF/LFM-926", reaches computers as an SWF file, and after being run, infects other Flash movies while displaying the message "Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a file V.COM, which gets executed afterwards without confirmation.

    Sophos says that the virus wasn't yet spotted "in the wild" and therefore spreading. Nevertheless, the manufacturer of antivirus software warns about the potential danger which lurks in the Flash format. The Sophos website provides detailed information [sophos.com] about the parasite.
  • Could this be the small start of multiplatform viruses? Virus source code written and engineered to be operating system independent is pretty deadly, depending on what the virus does. Imagine one virus rendering Windows XP, Sun Solaris 8, Red Hat Linux 7.1, AIX 5, MacOS X, HP-UX, and Irix unstable. Not trying to encourage any hackers here, but wouldn't Java be a very useful language to start developing multiplatform viruses in? Wondering. Also, has there been any attempt at coding a virus for any anti-virus software? Unfortunately, viruses are software technologies as well, and will keep on advancing.
    • Java has a security layer.
      In a web browser, it only has access to a few functions, which don't include access to the file system.

      However, you could wrap it up in a .jar and hope for stupid users that double-click, or (in the case of UNIX-like systems) run anything they are sent, i.e. it would still end up being an MS problem; maybe a few Macs would be affected too and a VERY SMALL number of UNIX boxes.

      mlk
  • by Twillerror (536681) on Tuesday January 08, 2002 @06:39PM (#2806910) Homepage Journal
    Why is it that almost every system out there can get a virus? I'm of the opinion that it is the OS's fault, *nix, windows included.

    The reason anything can get a virus is because programs still have direct control over the IP ( instruction pointer ). This is a fatal flaw found in most OS's. Programs should be run inside of a VM with tight security. Of course performance calls for some apps, especially servers, to be run in compiled code, but this should not be the default. If such an app needs to be installed or run the OS should prompt the user warning them of such activity.

    Another flaw is the fact that we are still using a basic file system. Whether it's fat32, ntfs, or ext2 it is still just placing a byte stream on a disk, managing the name, where it starts and where it ends. Let's evolve a little. The file system should be more like a database. It should be able to attach any number of properties to a file. It should be able to manage security at any level, and it should be able to isolate files from process to process.

    Imagine if when a program installs it has access to its portion of the file system and that is it. It couldn't see the rest if it wanted to. Installed programs could get quotas. They sure as hell wouldn't be able to start overwriting executables all over the place.

    You could argue that good user level security could solve these problems, but it's obviously not enough since so many viruses simply find a way around it.

    I could go on and on about how OS's treat applications wrong. But the main point is that they treat them like friends when they are really strangers. The answer is to take control away from the app, and put it back in the OS. Perl and Java are a good start ( since they are both interpreted in a way), but obviously more work needs to be done.
    • programs still have direct control over the IP...

      I hope so. Otherwise, they'd be executing a single instruction pretty damn often :-). I hope you meant that there are too many ways for data coming into a program to inadvertently take control of the IP.

    • The reason anything can get a virus is because programs still have direct control over the IP ( instruction pointer

      I might be totally wrong:) But it looks like what you're talking about are vulnerabilities that have to do with buffer-overruns; they work by moving the IP to a data-segment by modifying the stack. To solve that, wouldn't it be enough to separate the data from the code (this is normal under Linux, I believe (?)) and not allow the IP to jump to the data(and stack)-segment AND not allow the code to modify itself. That would solve this problem, wouldn't it?

      Viruses don't have much to do with this; they are about modifying executables, which has nothing to do with the IP, but can indeed be solved partially by file-system improvements. Partially... users that get infected by viruses usually are users that have permission to install executables that are in the default path (most users on properly designed systems don't run any executables of their own). That's enough for a virus to infect the system. And nothing can be done about it without restricting the users' ability to install new software. And that's - at least partially - solved pretty well under Unix since nearly all executables are owned by the root user. And if a virus gets in via the root account then that's usually plain stupidity of root:]

      Please correct me when I'm wrong:)

    • The problem is, there's no way to algorithmically tell a virus from a badly written program, or a normal user command to overwrite a file or document data.

      Let's say we're using your theoretical virus-proof OS. Well, I still want to be able to open a shell window and run my programs that do things. Sometimes I'm going to want to delete files or overwrite older versions of files with newer ones.

      If the OS is designed to never let the user overwrite any data, that's not going to be a very useful OS! Basically, anything a user can do via stupidity (or obscure necessity) can be replicated with a virus. Remember, a virus is just a program that does nasty things instead of word processing -- there's no way for a nonsentient OS to tell, definitively, whether a program is supposed to be deleting files or not! Even if it prompts you for confirmation that you want to delete a given file, there's no way for the computer to be sure that it's really a sentient user hitting enter, and not a virus simulating an "Enter" hit from the keyboard. (Well, there are specific ways around specific attacks, but I'm talking generally. OSes cannot pass the Turing test yet!)
      • I think you're wrong about that. If a system prevents applications from reading or writing data that they did not create, it can be optional, and vary from program to program.

        For example, "rm" would need the ability to delete files that it had not created. But it wouldn't need the ability to read or write files it hadn't created. Bash would need the ability to execute other programs. But it wouldn't need the ability to delete files.

        I'm not sure how many spanners scripts throw into the works-- in theory, rm just becomes a replacement for your unlink() call, and any program(script) can delete any file. This is because your shell has and requires the ability to run any executable on the system. (Something which, again, rm doesn't need.) A mechanism is required that prevents bash's (or rm's) permissions from exceeding the bash script itself.

        Okay-- what if permissions are subtractive? rm can't read other-app files, so neither can any program rm runs. Bash does have the right to delete any file, and so does rm, so if you run rm through Bash, you delete the file. However, cp does not have the right to delete any file, so even if you run cp through Bash, it can't delete a file it did not create.

        And when a file contains #!/bin/bash, any permissions the script does not have are subtracted from the permissions of bash when it runs.

        You know, this actually sounds feasible. . .
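        A small model of the subtractive rule sketched in this comment, written as an added example (it is not the poster's code and not an existing system): each program carries a capability set, a call chain such as script -> bash -> rm is allowed an operation only if every link in the chain holds it, and on a denial the model names the link that subtracted the capability. The capability names and the sets given to bash, rm, cp and the hypothetical cleanup.sh script are invented for the illustration; bash is given the union of what its children might need, because under this rule a parent can only take away.

```c
#include <stdio.h>

/* Capabilities a program may hold (names chosen for the example). */
enum cap {
    CAP_READ_OTHER   = 1 << 0,  /* read files it did not create   */
    CAP_WRITE_OTHER  = 1 << 1,  /* overwrite files it did not create */
    CAP_DELETE_OTHER = 1 << 2,  /* unlink files it did not create */
    CAP_EXEC         = 1 << 3   /* run other programs              */
};

struct program { const char *name; unsigned caps; };

/* Constructed sample programs. cleanup.sh is a "#!/bin/bash" script that
 * was never granted the right to delete anything. */
static const struct program BASH   = { "bash", CAP_READ_OTHER | CAP_WRITE_OTHER | CAP_DELETE_OTHER | CAP_EXEC };
static const struct program RM     = { "rm",   CAP_DELETE_OTHER };
static const struct program CP     = { "cp",   CAP_READ_OTHER | CAP_WRITE_OTHER };
static const struct program SCRIPT = { "cleanup.sh", CAP_READ_OTHER | CAP_EXEC };

/* Effective capabilities of the chain chain[0] -> chain[1] -> ...:
 * the intersection of every link (the subtractive rule). */
unsigned effective_caps(const struct program *const chain[], int n)
{
    unsigned caps = ~0u;
    for (int i = 0; i < n; i++) caps &= chain[i]->caps;
    return caps;
}

/* Is `op` allowed at the end of the chain? On denial, *denied_by names the
 * first link that lacks the capability, i.e. the one that subtracted it. */
int chain_allows(const struct program *const chain[], int n, enum cap op, const char **denied_by)
{
    for (int i = 0; i < n; i++) {
        if (!(chain[i]->caps & op)) {
            if (denied_by) *denied_by = chain[i]->name;
            return 0;
        }
    }
    if (denied_by) *denied_by = NULL;
    return 1;
}

/* The four situations discussed in the comment. */
int rm_via_bash_can_delete(void)     { const struct program *const c[] = { &BASH, &RM };  return chain_allows(c, 2, CAP_DELETE_OTHER, NULL); }
int cp_via_bash_can_delete(void)     { const struct program *const c[] = { &BASH, &CP };  return chain_allows(c, 2, CAP_DELETE_OTHER, NULL); }
int cp_via_bash_can_write(void)      { const struct program *const c[] = { &BASH, &CP };  return chain_allows(c, 2, CAP_WRITE_OTHER, NULL); }
int rm_via_script_can_delete(void)   { const struct program *const c[] = { &SCRIPT, &BASH, &RM }; return chain_allows(c, 3, CAP_DELETE_OTHER, NULL); }

int main(void)
{
    const struct program *const chain[] = { &SCRIPT, &BASH, &RM };
    const char *who = NULL;
    int ok = chain_allows(chain, 3, CAP_DELETE_OTHER, &who);
    printf("effective caps of cleanup.sh -> bash -> rm: 0x%x\n", effective_caps(chain, 3));
    printf("rm may delete other files here: %s%s%s\n", ok ? "yes" : "no",
           who ? ", withheld by " : "", who ? who : "");
    return 0;
}
```

Running the chain cleanup.sh -> bash -> rm reports that deletion is withheld by cleanup.sh: rm and bash both hold the right, but the script never did, so the rule removes it before rm runs.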
    • The first two lessons we learned were "here's what to do with a keypunch" and "if you don't comment your code we'll give you a bad mark even if it appears to work fine", but the first *real* lesson we learned was "Your program can *never* *ever* trust its input."

      And to make sure we got the point, they'd make us run our programs on their input decks, which often had maliciously designed explorations of the limits of programs - what if the input field is missing, or too short, or too short by 1, or precisely as long as the maximum, or maximum+1, or way too long, or not a number, or a negative number, or had spaces in it, or had magic-looking values like 999 or 32767, or duplicated things that were supposed to be unique, or used values that weren't on the list of the-only-values-the-user-can-input. This was on Evil Mainframes with EBCDIC, so there are some modern forms of Bad Input that didn't exist (like backspaces or carriage returns in alphabetic fields) but there were other evil things that could be done, like bogus punchcards, or characters that weren't from the 48-character character set the old printer supported or the 64-character set that the new one supported, or had data that ran into columns 73-80 which are only for sequence numbers. One of many annoying things about punchcard-oriented systems was that the edit-compile-run cycle was very slow, but it forced you to think very carefully about what you were doing. On the other hand, there are kinds of Bad Input that come from lots of experiments of throwing Nasty Looking Stuff into a program to see what it does that you wouldn't bother with on a punchcard system.
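      The input-deck exercise described above, as an added example (not part of the comment): a validator for one fixed-width numeric "quantity" field, run over a constructed deck that covers the listed cases (missing, exactly the maximum, maximum+1, way too long, not a number, negative, an embedded space, the magic values 999 and 32767, a duplicate, and zero). The field width of 5 columns, the limit of 10000, the status names and the deck contents are choices made for this example; a field shorter than its columns is treated as blank-padded rather than as an error.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_WIDTH 5       /* card columns reserved for the field (example value) */
#define MAX_VALUE   10000   /* largest quantity the program accepts (example value) */
#define MAX_CARDS   64

enum field_status {
    FIELD_OK = 0,
    FIELD_MISSING,       /* blank field */
    FIELD_TOO_LONG,      /* runs past the columns reserved for it */
    FIELD_NOT_NUMERIC,   /* letters, a sign, or an embedded space */
    FIELD_SENTINEL,      /* magic-looking values such as 999 or 32767 */
    FIELD_OUT_OF_RANGE,  /* zero, or above MAX_VALUE */
    FIELD_DUPLICATE      /* value already accepted earlier in the deck */
};

/* Validate one field. Never trusts length, character set or magnitude. */
enum field_status validate_quantity(const char *field, long *value_out)
{
    const char *p = field;
    size_t len, i;
    long value = 0;

    while (*p == ' ') p++;                        /* leading blanks are padding */
    len = strlen(p);
    while (len > 0 && p[len - 1] == ' ') len--;   /* so are trailing blanks */

    if (len == 0)          return FIELD_MISSING;
    if (len > FIELD_WIDTH) return FIELD_TOO_LONG;

    for (i = 0; i < len; i++) {
        /* '-' and '+' fail here as well: a quantity carries no sign */
        if (!isdigit((unsigned char)p[i])) return FIELD_NOT_NUMERIC;
        value = value * 10 + (p[i] - '0');        /* at most 5 digits: cannot overflow */
    }
    if (value == 999 || value == 32767)  return FIELD_SENTINEL;
    if (value == 0 || value > MAX_VALUE) return FIELD_OUT_OF_RANGE;
    if (value_out) *value_out = value;
    return FIELD_OK;
}

/* Constructed input deck, one field per card. */
static const char *const DECK[] = {
    "   42",    /* normal, blank padded        */
    "     ",    /* missing                     */
    "10000",    /* exactly the maximum         */
    "10001",    /* maximum + 1                 */
    "1234567",  /* way too long                */
    "12A4",     /* not a number                */
    "   -5",    /* negative                    */
    "1 2",      /* embedded space              */
    "  999",    /* magic value                 */
    "32767",    /* another magic value         */
    "00042",    /* duplicate of the first card */
    "    0",    /* zero                        */
};
#define DECK_SIZE ((int)(sizeof DECK / sizeof DECK[0]))

/* Run a deck; accepted values must be unique. Fills status[] (ncards
 * entries) and returns the number of cards accepted. */
int check_deck(const char *const cards[], int ncards, enum field_status status[])
{
    long accepted[MAX_CARDS];
    int naccepted = 0, i, j;
    for (i = 0; i < ncards; i++) {
        long v = 0;
        enum field_status s = validate_quantity(cards[i], &v);
        if (s == FIELD_OK) {
            for (j = 0; j < naccepted; j++)
                if (accepted[j] == v) { s = FIELD_DUPLICATE; break; }
            if (s == FIELD_OK && naccepted < MAX_CARDS) accepted[naccepted++] = v;
        }
        status[i] = s;
    }
    return naccepted;
}

/* Status of one card of the sample deck, and the number accepted overall. */
enum field_status deck_status(int card)
{
    enum field_status status[MAX_CARDS];
    if (card < 0 || card >= DECK_SIZE) return FIELD_MISSING;
    check_deck(DECK, DECK_SIZE, status);
    return status[card];
}
int deck_accepted(void)
{
    enum field_status status[MAX_CARDS];
    return check_deck(DECK, DECK_SIZE, status);
}

int main(void)
{
    static const char *const names[] = { "OK", "MISSING", "TOO_LONG", "NOT_NUMERIC",
                                         "SENTINEL", "OUT_OF_RANGE", "DUPLICATE" };
    enum field_status status[MAX_CARDS];
    int accepted = check_deck(DECK, DECK_SIZE, status);
    for (int i = 0; i < DECK_SIZE; i++)
        printf("card %2d [%-7s] -> %s\n", i, DECK[i], names[status[i]]);
    printf("%d of %d cards accepted\n", accepted, DECK_SIZE);
    return 0;
}
```

Only two of the twelve constructed cards are accepted; the magic-value check runs before the range check so that 32767 is reported as a sentinel rather than merely as out of range.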

    • This is naive, but insightful. The basic problem is that most existing operating systems run anything intended for a specific user with all the privileges of that user. That's terrible design.

      Existing hardware has enough protection to allow running hostile executable code, if the OS won't let it do anything harmful. Hostile code running in a FreeBSD "jail", for example, can't do much. And there are secure Linux variants which run untrusted content with limited privileges, so that it can't do much. You don't need an interpreter to provide protection. (In fact, Java hasn't turned out to provide as much protection as originally claimed.)

      What we need are some apps, like browsers, media players, and web servers, which can operate under very limited privileges. Then they can be run on secure variants of Linux. That will provide some examples of secure systems (and something Microsoft doesn't have.) Get busy, people.

      The sad thing is that if an operating system today was secure enough to lock remote content in a jail, all that stuff content owners want would stop working. Like preventing anything else from running while their content is decrypted, or sending information to their web site.

    • Twillerror asks:

      Why is it that almost every system out there can get a virus? I'm under the opinion that it is the OS's fault, *nix, windows included.

      A few reasons:
      • An increasing number of complex applications have powerful scripting languages that are relatively easy to develop malicious code for
      • Most operating systems give user-run applications way too much power on the system. Windows is one of the worst offenders here, but many Unix/Linux/*BSD installations have their problems along these lines as well.
      The reason for both the above is simple. Users want to be able to do nifty things with their machines, and they don't think about whether or not other people can do nifty things to their machines until it's too late.

      Good security takes a lot of work and planning, even given an OS that offers good security features. Most people (including most software companies) don't care to go through this work. Hence we have security holes, viruses, trojans, worms and so on.
  • Hey Timothy!

    That infoworld article has nothing to do with this virus. It's also 13 months old.

    You guys really need to give a little more effort here sometimes. You are brash, act without any confirmation and show yourselves as totally incompetent. Can you get me a job there?

  • ...of something I've believed since I started using the Internet in the mid-80's.

    Specifically: Why the frell do we even NEED Flash or its brethren in any case? It seems to exist solely to make pretty pictures, and spew forth alleged "music" or other SFX, and waste a lot of bandwidth in the process.

    Remember: If you cannot manage your native language well enough to get a CLEAR message across to your site's visitors in plain ASCII text, then NO amount of flashing fonts, pretty colors, bandwidth-hungry animations, or silly sound effects is going to help you in the least.

    Don't even get me started about how precious few web sites are even usable by those who are vision-impaired, and need to use a text-to-speech converter on their computer. How many sites are in blatant violation of ADA accessibility guidelines even as I write this?

    Web designers, take note: Sites today have entirely too much fluff, and far too little in terms of USEFUL and EASILY READABLE content. Remember that "simple" is NOT a bad thing. This latest virus serves only to emphasize that point.
    • Flash is great for vector images because they can scale to the window size, they work over a much wider range of color depths, are smaller than bitmaps, and they print out at printer resolutions.

      Of course I have never seen them used that way.
    • I think you're seeing a problem, but you're not diagnosing it properly. The problem is not the fanciness or expressivity of flash. It is the fact that flash is a programmatic language, not declarative. From a security perspective, if you're handed declarative information, it's fairly easy to ensure that the programmatic code you have running over the declarative code isn't going to go haywire, since it is 'closed'. However, on the other hand, if you're simply handed programmatic code, you cannot tell what the program is going to do with certainty, given the tremendous amount of states it can enter.

      This debate is currently being played out in the XSLT community. Some people want scripting information in XSLT, but that's a dangerous road to go down. XSLT appeals to me because it is powerful, yet fully declarative.

      If I had taken the Language Theory instead of Advanced Algorithms (or whatever they were called) in college I could probably express myself better here (FSM's and similar).

    • I believe that is the first time I've encountered bleed-over of fictional swear words into real life, albeit online.
    • We may not need flash for regular websites, but the amount of funny movies, extremely cool artwork etc. that's been done in Flash is enough reason for its existence in my opinion. www.megacar.com, www.kimble.com, AYBABTU, the wassup-flood and this multi-episode manga-like gothic movie of which I can't remember the name etc. etc. Maybe that's not all "culturally correct art", but nearly all of us geeks know about and have watched them... you may consider this a waste of bandwidth, but it's pure entertainment and that's what the web is about for the majority of its users. But I agree: Flash is being used way too much where it's not necessary.
  • by philam3nt (267961) on Tuesday January 08, 2002 @07:07PM (#2807038) Homepage
    It appears that the articles have not been read carefully. After comparing the three, there are two Flash virii being spread around.

    Virus 1 (Conrad's submission) - SWF/LFM.926
    The virus, dubbed SWF/LFM.926...must be downloaded manually and cannot spread...over e-mail. (Yahoo) [yahoo.com]
    ...and after being run, infects other Flash movies while displaying the message "Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a file V.COM, which gets executed afterwards without confirmation. (German trans. - thanks entrox!!) [slashdot.org]

    Virus 2 (bdavenport's infoworld submission) - Creative.exe
    The virus...arrives in an e-mail bearing the subject line, "A great shockwave flash movie."
    The worm, which first appeared Thursday, is delivered to users in the form of an e-mail attachment that appears to be a Shockwave Media Player. When a user tries to view the movie attachment, the worm sends a copy of itself to all people in the address book of the user's Microsoft Outlook e-mail program, potentially clogging e-mail networks.
    One reason the Creative.exe virus may be spreading so quickly is that it uses the Shockwave Flash movie icon.
    (Infoworld) [infoworld.com]
    ...but if you check the date of the Infoworld article, it's December 1, 2000.

    From Symantec: [symantec.com]

    Discovered on: November 30, 2000
    Due to a recent decrease in world-wide infections of this worm, SARC has decreased the threat level of this worm to 3 and removed it from the Top Threats list.

    W32.Prolin.Worm uses Microsoft Outlook to email a copy of itself to everyone in the Outlook address book. The worm moves all .mp3, .jpg, and .zip files to the root folder. It renames each of these files and appends the following text to the extension of each file:

    change atleast now to LINUX

    Also Known As: TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A
    So...Creative.exe is NOT a flash virus, and is old news, unrelated to SWF/LFM-926.

  • Virus Names (Score:3, Interesting)

    by CAIMLAS (41445) on Tuesday January 08, 2002 @08:01PM (#2807264) Homepage
    Who's the goon that actually names these viruses? Is there some organization that categorizes and files them, or is it done by the antivirus companies (Symantec, McAfee, etc) that find them? I've never quite understood the odd names that are ascribed to them.
  • by Segfault 11 (201269) on Tuesday January 08, 2002 @08:08PM (#2807291) Homepage
    I work in Flash, and I can explain exactly what this is.

    Formats like Flash, Director, or Toolbook are fairly safe when run in a browser, but when run locally, most gain much more functionality, including the ability to execute arbitrary commands. Many people have the Flash Player plugin, but no standalone executable to open the files locally is supplied. 99% of all people that do have the standalone player are getting it from an installation of Macromedia Flash (the creation/editing application), and anyone else with a player isn't likely to have one that implements FSCommand calls, of which one of the functions is the ability to execute commands.

  • This is no more a "virus" than rm -rf is a trojan.

  • will this hamper his ability to run so fast?
  • by VAYKENT (412834) on Tuesday January 08, 2002 @09:00PM (#2807427)
    Flash can only execute system commands in the stand-alone executable. Anybody can make an EXE that does worse... and if you're stupid enough to run an unknown EXE, then you don't deserve the computer that died because of it ('Virus' exe). The FSCommand in Flash (usable in the embedded SWF version we all see on web pages) can 'save' files - but they are only plain text files, and you can only save the name/value pairs that exist on the root timeline of the SWF (can anybody say - 'cookies' ???). Don't think that Macromedia was stupid enough to allow a virus like this. (Again - unless you're stupid enough to run an unknown exe!). What's wrong with the media today that they have to run bogus stories like this?? Did they even bother asking Macromedia if it was technically possible?? Bunch of morons. "Today on Virus Alert we've found out that a new Windows CE virus will make your PDA strangle you in your sleep..." Uhh... Ok.
  • The Infoworld story quoted is from December 2000 and is about a different Flash worm entirely ... This new Flash virus is quite different and isn't in the wild yet.

    Stand down, nothing to see here, move along...
  • by silhouette (160305) on Tuesday January 08, 2002 @11:21PM (#2807847)
    The reason the stand-alone Flash virus file is able to access CMD.EXE has nothing to do with any inherent security hole in the basic Flash player itself. The stand-alone file uses a fairly well known (in the Flash community) function that is only available in the stand-alone Flash player. In fact, Macromedia even has this function documented in their Flash support section. [macromedia.com] It's the "exec" command that takes an argument of the path to an application to execute.

    This virus really has more to do with running an unknown executable than it does exploiting some kind of vulnerability in Flash. This is because any stand-alone Flash player file is an .exe, not a .swf. The stand-alone .exe is composed of 1) The .swf file that runs and 2) The entire Flash player itself (~2megs) in executable form. By including the entire player within the file, the bundled .swf can be run anywhere without any necessary previous installation.

    What cracks me up personally is that the very possibility of a Flash virus has been discussed before on Flash community developer message boards. When the "exec" command for the stand-alone player was still undocumented and somebody posted about it (having "discovered" it somehow) there was quite a discussion about the new functionality uses. But, there was also some speculation on how it could be used for malicious purposes. This was around a year ago, IIRC.
  • As a Flash programmer, I'm beginning to suspect that stories are posted here without any background verification or research. Many replies to this sensationalistic post offer criticisms of Flash while assuming a tone of expertise, all without even a glimmer of understanding about the basics of this technology. First of all, this "scripting engine" everyone's talking about is called the Flash player, which can exist as a plugin, or as a stand-alone executable. The scripting language is called ActionScript, and it's based on the ECMA-262 standard known as JavaScript. The exploit uses a rarely-used feature called FSCommand, which allows the designer to control limited aspects of the Flash movie in a stand-alone executable player, NOT IN ANY BROWSER PLUGINS. For the sake of cutting through the thick hyperbole here, I'll repeat that again: this "virus" only works IF THE USER DOWNLOADS AND RUNS AN .EXE FILE, IT DOESN'T WORK THROUGH THE WEB BROWSER. This virus only works through the following process: 1. He writes an ".fla" Flash source file with animation and scripting, compiles it into a browser-readable ".swf" file. 2. He compiles the .swf further into an ".exe" file by including the stand-alone player into the original .swf. 3. A user downloads the .EXE file and executes it. Whoever's naive enough to run an .exe email attachment is beyond the protection of anti-virus software. This stuff is old news... Flash developers have achieved tricks with FSCommand that nobody's heard about outside of the ActionScript community, but they've never been exploitable to the extent of a real virus. The fact is that Flash cannot access system resources unless you're running it as an .exe executable file.

  • This will give you some idea about what the real virus looks like. Click Here [zukunftsformen.de]

  • It seems one of the viruses mentioned is actually just an infected .exe file, and the other problem only occurs with the standalone player, not with the browser plugin.

    So if I understand this correctly, if you don't use .exe attachments and don't have the standalone player, then you should be safe?

    A while ago I wrote a filter, which takes a flash exe, and strips out the flash player, leaving you with the .swf part. I did that, so that I could view those movies on Linux, but it should work for Windows systems, too. Usually there is no reason to include the flash player anyway - most people have the flash plugin already, and don't need yet another copy of the flash player.

    Apologies for the really bad code (I don't actually know C), and the horrible formatting (the latter I blame on the slashdot lameness filter, though). You'll have to use "View Source" to look at it. :)

    /* exe2swf.c - copy everything from the first "FWS" signature onwards.
     * Usage: exe2swf < movie.exe > movie.swf */
    #include <stdio.h>
    #ifdef _WIN32
    #include <fcntl.h>
    #include <io.h>
    #endif

    int main(void)
    {
        int ch;
        int match;          /* start of swf file has been seen */
        int sig_len;
        int sig[3];
        int i;
        int k;

    #ifdef _WIN32
        /* the player binary is not text: stop the CRT translating CR/LF */
        _setmode(_fileno(stdin), _O_BINARY);
        _setmode(_fileno(stdout), _O_BINARY);
    #endif

        match = 0;
        i = 0;
        sig_len = 3;
        sig[0] = 'F'; sig[1] = 'W'; sig[2] = 'S';   /* uncompressed SWF signature */

        while ((ch = getchar()) != EOF) {
            if (match) {                            /* inside the movie: pass bytes through */
                putchar(ch);
                continue;
            }
            if (ch == sig[i])
                i++;
            else
                i = (ch == sig[0]) ? 1 : 0;         /* a failed match may still begin a new one */
            if (i == sig_len) {                     /* detected signature */
                match = 1;
                /* output signature again, since it was consumed while matching */
                for (k = 0; k < sig_len; k++)
                    putchar(sig[k]);
            }
        }
        return 0;
    }
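    The filter above only locates the movie by its signature. As an added example that is neither the poster's code nor anything from Macromedia, the following goes one step further for the scanner-configuration point raised earlier in the thread and for the standalone-player "exec" discussion: it finds the embedded SWF in an image of a standalone-player file, parses the 8-byte header (signature, version, little-endian file length), and applies a heuristic that looks for the string "FSCommand:" in the movie body, flagging the "exec" command separately from the other standalone-player commands. The heuristic rests on one assumption: that an fscommand() call is stored in the compiled movie as a GetURL action whose URL string is "FSCommand:" followed by the command name. The sample image is constructed inline (a fake stub followed by a Flash 5 header and a body holding only that string), not a real player binary or a valid tag stream; the stub text and the verdict names are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct swf_header {
    int      compressed;   /* 1 = "CWS" (zlib-compressed body), 0 = "FWS" */
    uint8_t  version;      /* 5 for a Flash 5 movie */
    uint32_t file_length;  /* length of the whole movie, header included */
};

enum verdict {
    V_NOT_SWF,               /* no movie signature in the image */
    V_COMPRESSED_UNSCANNED,  /* CWS body: inflate it before scanning */
    V_CLEAN,                 /* no FSCommand string present */
    V_FSCOMMAND,             /* some standalone-player command (fullscreen, quit, ...) */
    V_FSCOMMAND_EXEC         /* the "exec" command, which launches another program */
};

/* Offset of the first SWF signature in buf, or -1. In a standalone file the
 * movie follows the player, so the signature is not at offset 0. */
long find_swf(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 8 <= len; i++)
        if ((buf[i] == 'F' || buf[i] == 'C') && buf[i + 1] == 'W' && buf[i + 2] == 'S')
            return (long)i;
    return -1;
}

/* Header: signature (3 bytes), version (1), file length (UI32 little-endian). */
int parse_swf_header(const uint8_t *swf, size_t len, struct swf_header *h)
{
    if (len < 8 || swf[1] != 'W' || swf[2] != 'S') return 0;
    if (swf[0] == 'F') h->compressed = 0;
    else if (swf[0] == 'C') h->compressed = 1;
    else return 0;
    h->version = swf[3];
    h->file_length = (uint32_t)swf[4] | (uint32_t)swf[5] << 8 |
                     (uint32_t)swf[6] << 16 | (uint32_t)swf[7] << 24;
    return 1;
}

/* Heuristic (assumption): fscommand("cmd", ...) leaves the string
 * "FSCommand:cmd" in the movie. Copies cmd into cmd_out, returns 1 if found. */
int find_fscommand(const uint8_t *body, size_t len, char *cmd_out, size_t cmd_sz)
{
    static const char prefix[] = "FSCommand:";
    const size_t plen = sizeof prefix - 1;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(body + i, prefix, plen) != 0) continue;
        size_t j = i + plen, k = 0;
        while (j < len && body[j] != '\0' && k + 1 < cmd_sz) cmd_out[k++] = (char)body[j++];
        cmd_out[k] = '\0';
        return 1;
    }
    return 0;
}

enum verdict classify(const uint8_t *buf, size_t len, char *cmd, size_t cmd_sz)
{
    struct swf_header h;
    long off = find_swf(buf, len);
    if (off < 0 || !parse_swf_header(buf + off, len - (size_t)off, &h)) return V_NOT_SWF;
    if (h.compressed) return V_COMPRESSED_UNSCANNED;
    size_t avail = len - (size_t)off;                 /* never read past the image */
    size_t movie = h.file_length < avail ? h.file_length : avail;
    if (movie < 8) return V_NOT_SWF;                  /* corrupt length field */
    if (!find_fscommand(buf + off + 8, movie - 8, cmd, cmd_sz)) return V_CLEAN;
    return strcmp(cmd, "exec") == 0 ? V_FSCOMMAND_EXEC : V_FSCOMMAND;
}

/* Constructed sample image: fake stub + Flash 5 header + one FSCommand string. */
size_t build_sample(uint8_t *out, size_t cap, const char *command)
{
    static const char stub[] = "MZ constructed player stub, not a real PE ";
    const size_t slen = sizeof stub - 1;
    char body[64];
    int blen = snprintf(body, sizeof body, "FSCommand:%s", command);
    if (blen < 0 || (size_t)blen >= sizeof body) return 0;
    uint32_t flen = 8 + (uint32_t)blen + 1;            /* header + string + NUL */
    if (cap < slen + flen) return 0;
    memcpy(out, stub, slen);
    uint8_t *swf = out + slen;
    memcpy(swf, "FWS", 3);
    swf[3] = 5;
    swf[4] = (uint8_t)flen;        swf[5] = (uint8_t)(flen >> 8);
    swf[6] = (uint8_t)(flen >> 16); swf[7] = (uint8_t)(flen >> 24);
    memcpy(swf + 8, body, (size_t)blen + 1);
    return slen + flen;
}

enum verdict sample_verdict(const char *command)
{
    uint8_t img[256]; char cmd[32];
    size_t n = build_sample(img, sizeof img, command);
    return classify(img, n, cmd, sizeof cmd);
}
long sample_offset(void)
{
    uint8_t img[256];
    return find_swf(img, build_sample(img, sizeof img, "quit"));
}

int main(void)
{
    static const char *const names[] = { "not swf", "compressed (unscanned)", "clean",
                                         "fscommand", "fscommand exec" };
    printf("movie found at offset %ld\n", sample_offset());
    printf("sample with exec:       %s\n", names[sample_verdict("exec")]);
    printf("sample with fullscreen: %s\n", names[sample_verdict("fullscreen")]);
    return 0;
}
```

The signature search alone would also match a stray "FWS" inside the player code, which is why classify only trusts an offset whose header parses and whose length field is plausible; a compressed (CWS) movie is reported as unscanned rather than silently declared clean, since its body must be inflated before any string can be found.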
