Security

Even Flash Can Get Viruses 277

Mechel Conrad writes: "Heise Online (German) writes about a virus called SWF/LFM-926. It consists of a Macromedia Flash movie and seems to be the first of its kind. It uses Flash's scripting language in order to open a debug terminal creating and executing a file called V.COM, which infests other .SWF files. Although the virus is not very dangerous and not widespread yet, it suggests clear security holes in Flash." The translation of the Heise article is quite readable, too. Update: 01/08 22:47 GMT by T: bdavenport adds: "This report on Yahoo lists a new Shockwave virus as low grade due to the need of manual downloading. InfoWorld is reporting that McAfee has upgraded to high risk after several Fortune 500 firms have reported it in the wild, arriving as an email attachment."

  • McAfee (Score:5, Informative)

    by hogsback ( 548721 ) on Tuesday January 08, 2002 @06:46PM (#2806610) Homepage
    McAfee information is here [nai.com]

    Looks like it isn't very likely to succeed - it needs Windows NT and the stand alone version of the flash player.

    Just proof of concept really.
  • by BinaryAlchemy ( 521587 ) on Tuesday January 08, 2002 @06:48PM (#2806628) Homepage
    The virus info from Sophos: http://www.sophos.com/virusinfo/analyses/swflfm926.html
  • Re:Cross Platform? (Score:3, Informative)

    by hogsback ( 548721 ) on Tuesday January 08, 2002 @06:50PM (#2806641) Homepage
    Not this one ... it uses cmd.exe (from Windows NT) to write a script for debug (the DOS/Windows so-called debugger). So it looks like it's NT/x86 specific.
  • translation (Score:3, Informative)

    by twms2h ( 473383 ) on Tuesday January 08, 2002 @06:50PM (#2806647) Homepage
    Just in case anybody reads the translation and wonders what the 'southwestern German broadcasting corporation' is about. It is just a mis-translation of SWF which used to be short for 'Suedwestfunk' (it doesn't exist any more, merged with another radio station). Of course in this case it just means the file extension of flash.
  • by BinaryAlchemy ( 521587 ) on Tuesday January 08, 2002 @06:51PM (#2806665) Homepage
  • by ianaverage ( 168691 ) on Tuesday January 08, 2002 @06:57PM (#2806702)
    The Norton info page on this virus can be found here [symantec.com].

    One important thing to note on this webpage...we should add .swf to the extensions that we scan. Hopefully that will help protect us in the future of more dangerous flash viruses that are sure to come.

  • by geirt ( 55254 ) on Tuesday January 08, 2002 @07:03PM (#2806746)

    Many virus scanners don't scan .swf files by default, so you have to update your virus signature file (which is automatic on most scanners) and reconfigure your scanner to scan .swf files (unless you already scan all files on your computer).

    This means that if advanced .swf viruses are created, they could become a real problem until system admins wake up and get a clue (and that takes a loooong time, look at Code Red)
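
Added example, not part of the thread or any poster's code: the point above about extension-based scan lists, checked by content instead. It identifies SWF data by its header signature and reports what a given extension list would skip; the file names, extension lists and sample bytes are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# An SWF file starts with a 3-byte signature, one version byte and a 32-bit
# little-endian length. "CWS" (zlib-compressed body) arrived in later versions.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib-compressed"}


def sniff_swf(data):
    """Return header facts if the bytes begin with an SWF signature, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    (declared,) = struct.unpack("<I", data[4:8])
    kind = SWF_SIGNATURES[data[:3]]
    # For uncompressed files the length field should equal the real file size.
    size_ok = declared == len(data) if kind == "uncompressed" else None
    return {"kind": kind, "version": data[3], "size_ok": size_ok}


def missed_by_extension_list(root, scanned_exts):
    """List SWF content that an extension-based scan policy would skip."""
    missed = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        info = sniff_swf(path.read_bytes())
        if info and path.suffix.lower() not in scanned_exts:
            missed.append((path.name, info["version"], info["size_ok"]))
    return missed


def demo():
    """Run both policies over constructed sample files (not real Flash movies)."""
    body = b"\x00" * 12
    swf = b"FWS" + bytes([5]) + struct.pack("<I", 8 + len(body)) + body
    samples = {
        "intro.swf": swf,              # well-formed header, usual extension
        "banner.dat": swf + b"EXTRA",  # same content renamed, trailing bytes
        "notes.txt": b"plain text, no signature",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        default = missed_by_extension_list(root, {".exe", ".com", ".doc"})
        with_swf = missed_by_extension_list(root, {".exe", ".com", ".doc", ".swf"})
    return default, with_swf


if __name__ == "__main__":
    print(demo())
```

Adding `.swf` to the list picks up `intro.swf`, but the renamed copy is still skipped, which is why the parenthetical about scanning all files matters.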

  • by entrox ( 266621 ) <slashdotNO@SPAMentrox.org> on Tuesday January 08, 2002 @07:04PM (#2806754) Homepage
    Sophos Anti-Virus warns about a new virus, which infects other files as a macromedia flash movie
    and executes self-generated programs. The parasite, baptized "SWF/LFM-926", reaches computers as
    SWF-file, and after being run, infects other Flash movies while displaying the message
    "Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a
    file V.COM, which gets executed afterwards without confirmation.

    Sophos says that the virus wasn't yet spotted "in the wild" and therefore spreading. Nevertheless,
    the manufacturer of Antivirus software warns about the potential danger which lurks in the
    Flash format. The Sophos website provides detailed information [sophos.com] about the parasite.
  • by Juergen Kreileder ( 123582 ) <jk@blackdown.de> on Tuesday January 08, 2002 @07:08PM (#2806783) Homepage
    The Heise Online article is available in English too: http://www.heise.de/english/newsticker/data/ray-08.01.02-003/ [heise.de]
  • Re:McAfee (Score:2, Informative)

    by hogsback ( 548721 ) on Tuesday January 08, 2002 @07:09PM (#2806785) Homepage
    There's Winux [nai.com] which infects PE and ELF format files on Linux and Windows. Fortunately, according to the description, it doesn't work very well.
  • by philam3nt ( 267961 ) on Tuesday January 08, 2002 @08:07PM (#2807038) Homepage
    It appears that the articles have not been read carefully. After comparing the three, there are two Flash virii being spread around.

    Virus 1 (Conrad's submission) - SWF/LFM.926
    The virus, dubbed SWF/LFM.926...must be downloaded manually and cannot spread...over e-mail. (Yahoo) [yahoo.com]
    ...and after being run, infects other Flash movies while displaying the message "Loading Flash-Movie...". The virus exploits the scriptability of Macromedia Flash to generate a file V.COM, which gets executed afterwards without confirmation. (German trans. - thanks entrox!!) [slashdot.org]

    Virus 2 (bdavenport's infoworld submission) - Creative.exe
    The virus...arrives in an e-mail bearing the subject line, "A great shockwave flash movie."
    The worm, which first appeared Thursday, is delivered to users in the form of an e-mail attachment that appears to be a Shockwave Media Player. When a user tries to view the movie attachment, the worm sends a copy of itself to all people in the address book of the user's Microsoft Outlook e-mail program, potentially clogging e-mail networks.
    One reason the Creative.exe virus may be spreading so quickly is that it uses the Shockwave Flash movie icon.
    (Infoworld) [infoworld.com]
    ...but if you check the date of the Infoworld article, it's December 1, 2000.

    From Symantec: [symantec.com]

    Discovered on: November 30, 2000
    Due to a recent decrease in world-wide infections of this worm, SARC has decreased the threat level of this worm to 3 and removed it from the Top Threats list.

    W32.Prolin.Worm uses Microsoft Outlook to email a copy of itself to everyone in the Outlook address book. The worm moves all .mp3, .jpg, and .zip files to the root folder. It renames each of these files and appends the following text to the extension of each file:

    change atleast now to LINUX

    Also Known As: TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A


    So...Creative.exe is NOT a flash virus, and is old news, unrelated to SWF/LFM-926.

  • by Rentar ( 168939 ) on Tuesday January 08, 2002 @08:12PM (#2807072)
    The difference is that those are static formats that don't run any code (at least if you believe in the difference between code and data).

    Additionally there are quite some different gif and jpg parsers out there, but the number of useful Flash-Players is rather limited (1 comes to my mind). So if you'd be able to make a gif file that runs arbitrary code on the machine that views it, it would most probably be targeted only on this gif-reader software (and this version, and this platform, and ...).

    And I think the checks for malformed GIF and JPEGs are rather strict in most image-loading libraries, 'cause defect GIFs and JPEGs are known to exist.
  • by thogard ( 43403 ) on Tuesday January 08, 2002 @08:13PM (#2807083) Homepage
    Flash is great for vector images because they can scale to the window size, they work over a much wider range of color depths, are smaller than bit maps, they print out at printer resolutions.

    Of course I have never seen them used that way.
  • Java has a security layer.
    In a web browser, it only has access to a few functions, which don't include access to the file system.

    However, you could wrap it up in a .jar, and hope for stupid users that double click, or (in the case of UNIX-like systems) run anything they are sent, i.e. it would still end up being an MS problem, maybe a few Macs would be affected too and a VERY SMALL amount of UNIX boxes.

    mlk
  • by Segfault 11 ( 201269 ) on Tuesday January 08, 2002 @09:08PM (#2807291) Homepage
    I work in Flash, and I can explain exactly what this is.

    Formats like Flash, Director, or Toolbook are fairly safe when run in a browser, but when run locally, most gain much more functionality, including the ability to execute arbitrary commands. Many people have the Flash Player plugin, but no standalone executable to open the files locally is supplied. 99% of all people that do have the standalone player are getting it from an installation of Macromedia Flash (the creation/editing application), and anyone else with a player isn't likely to have one that implements FSCommand calls, of which one of the functions is the ability to execute commands.

  • by VAYKENT ( 412834 ) on Tuesday January 08, 2002 @10:00PM (#2807427)
    Flash can only execute system commands in the stand-alone executable. Anybody can make an EXE that does worse... and if you're stupid enough to run an unknown EXE, then you don't deserve the computer that died because of it ('Virus' exe). The FSCommand in Flash (useable in the embedded SWF version we all see on web pages) can 'save' files - but they are only plain text files, and you can only save the name/value pairs that exist on the root timeline of the SWF (can anybody say - 'cookies' ???). Don't think that Macromedia was stupid enough to allow a virus like this. (Again - unless you're stupid enough to run an unknown exe!). What's wrong with the media today that they have to run bogus stories like this?? Did they even bother asking Macromedia if it was technically possible?? Bunch of morons. "Today on Virus Alert we've found out that a new Windows CE virus will make your PDA strangle you in your sleep..." Uhh... Ok.
  • The Infoworld story quoted is from December 2000 and is about a different Flash worm entirely ... This new Flash virus is quite different and isn't in the wild yet.

    Stand down, nothing to see here, move along...
  • by Dirtside ( 91468 ) on Tuesday January 08, 2002 @10:37PM (#2807556) Journal
    The problem is, there's no way to algorithmically tell a virus from a badly written program, or a normal user command to overwrite a file or document data.

    Let's say we're using your theoretical virus-proof OS. Well, I still want to be able to open a shell window and run my programs that do things. Sometimes I'm going to want to delete files or overwrite older versions of files with newer ones.

    If the OS is designed to never let the user overwrite any data, that's not going to be a very useful OS! Basically, anything a user can do via stupidity (or obscure necessity) can be replicated with a virus. Remember, a virus is just a program that does nasty things instead of word processing -- there's no way for a nonsentient OS to tell, definitively, whether a program is supposed to be deleting files or not! Even if it prompts you for confirmation that you want to delete a given file, there's no way for the computer to be sure that it's really a sentient user hitting enter, and a virus simulating an "Enter" hit from the keyboard. (Well, there are specific ways around specific attacks, but I'm talking generally. OSes cannot pass the Turing test yet!)
  • by silhouette ( 160305 ) on Wednesday January 09, 2002 @12:21AM (#2807847)
    The reason the stand-alone Flash virus file is able to access CMD.EXE has nothing to do with any inherent security hole in the basic Flash player itself. The stand-alone file uses a fairly well known (in the Flash community) function that is only available in the stand-alone Flash player. In fact, Macromedia even has this function documented in their Flash support section. [macromedia.com] It's the "exec" command that takes an argument of the path to an application to execute.

    This virus really has more to do with running an unknown executable than it does exploiting some kind of vulnerability in Flash. This is because any stand-alone Flash player file is an .exe, not a .swf. The stand-alone .exe is composed of 1) The .swf file that runs and 2) The entire Flash player itself (~2megs) in executable form. By including the entire player within the file, the bundled .swf can be run anywhere without any necessary previous installation.

    What cracks me up personally is that the very possibility of a Flash virus has been discussed before on Flash community developer message boards. When the "exec" command for the stand-alone player was still undocumented and somebody posted about it (having "discovered" it somehow) there was quite a discussion about the new functionality uses. But, there was also some speculation on how it could be used for malicious purposes. This was around a year ago, IIRC.
  • by wooozle ( 549419 ) on Wednesday January 09, 2002 @02:03AM (#2808093)
    As a Flash programmer, I'm beginning to suspect that stories are posted here without any background verification or research. Many replies to this sensationalistic post offer criticisms of Flash while assuming a tone of expertise, all without even a glimmer of understanding about the basics of this technology.

    First of all, this "scripting engine" everyone's talking about is called the Flash player, which can exist as a plugin, or as a stand-alone executable. The scripting language is called Actionscript, and it's based on the ECMA-262 standard known as Javascript. The exploit uses a rarely-used feature called FSCommand, which allows the designer to control limited aspects of the Flash movie in a stand-alone executable player, NOT IN ANY BROWSER PLUGINS. For the sake of cutting through the thick hyperbole here, I'll repeat that again: this "virus" only works IF THE USER DOWNLOADS AND RUNS AN .EXE FILE, IT DOESN'T WORK THROUGH THE WEB BROWSER.

    This virus only works through the following process:

    1. He writes an ".fla" Flash source file with animation and scripting, compiles it into a browser-readable ".swf" file.
    2. He compiles the .swf further into an ".exe" file by including the stand-alone player into the original .swf.
    3. A user downloads the .EXE file and executes it.

    Whoever's naive enough to run an .exe email attachment is beyond the protection of anti-virus software. This stuff is old news... Flash developers have achieved tricks with FSCommand that nobody's heard about outside of the Actionscript community, but they've never been exploitable to the extent of a real virus. The fact is that Flash cannot access system resources unless you're running it as an .exe executable file.
