Even Flash Can Get Viruses

Mechel Conrad writes: "Heise Online(German) writes about a Virus called SWF/LFM-926. It consists of a Macromedia Flash movie and seems to be the first of its kind. It uses Flash's scripting language in order to open a debug terminal creating and executing a file called V.COM, which infests other .SWF Files. Although the virus is not very dangerous and not widespread yet, it suggests clear security holes in Flash." The translation of the Heise article is quite readable, too. Update: 01/08 22:47 GMT by T : bdavenport adds: "this report on Yahoo lists a new Shockwave virus as low grade due to the need of manual downloading. infoworld is reporting that McAfee has upgraded to high risk after several Fortune 500 firms have reported it in the wild, arriving as an email attachment."

Why Infect Flash?

[Lysander Luddite]

I can understand (not condone) writing viruses/worms/trojans for getting access to a computer for other ends, but why create a virus for Flash? Infecting other Flash files seems pretty silly to me. The only reason I can think of is marketing or corporate sabotage for graphic designers.

Maybe its just a case of "I can do it, so I must"? It's not like ActionScripting can be used in DoS attacks or to steal your credit card. Wouldn't you need to need a system to get the credit card number and another to actually send it somewhere?

I'm clueless here. Help me out.

Re:two classes of files:

[sqlrob]

Why are gif & jpg necessarily safe?

If there's a buffer overflow in the program rendering it, it could very well be an infectious file.

MultiPlatform Viruses? Java good for this?

[KwamiMatrix]

Could this be the small start of multiplatform Viruses? Virus source code written and engineered to be Operating System independent is pretty deadly, depending on what the virus does. Imagine one virus rendering Windows XP, Sun Solaris 8, Red Hat Linux 7.1, AIX 5, MACOS X, HP-UX, and Irix unstable. Not trying to encourage any hackers here, but wouldn't Java be a very usful language to start developing multiplatform viruses in? Wondering. Also, has there been any attempt at coding a virus for any Anti-Virus software? Unfortunatelly, viruses are software technologies as well, and will keep on advancing.

everything can get viruses

[Twillerror]

Why is it that almost every system out there can get a virus? I'm under the opinion that it is the OS's fault, *nix, windows included.

The reason anything can get a virus is because programs still have direct control over the IP ( instruction pointer ). This is a fatal flaw found in most OS's. Programs should be ran inside of a VM with tight security. Of course performance calls for some apps, especially servers to be ran in compiled code, but this should not be the default. If such an app needs to be installed or run the OS should prompt the user warning them of such activity.

Another flaw is the fact that we are still using a basic file system. Whether it's fat32, ntfs, or ext2 it is still just placing a byte stream on a disk, managing the name, where it starts and where it ends. Lets evolve a little. The file system should be more like a database. It should be able attach any number of properties to a file. It should be able to manage security at any level, and it should be able to isolate files from process to process.

Imagine if when a program installs it has access to it's portion of the file system and that is it. It couldn't see the rest if it wanted to. Installed programs could get quotas. They sure as hell wouldn't be able to start overwriting executables all over the place.

You could argue that good user level security could solve these problems, but it's obviously not enough since so many viruses simply find away around it.

I could go on and on about how OS's treat applications wrong. But the main point is that they treat them like friends when they are really strangers. The answer is to take control away from the app, and put it back in the OS. Perl and Java are a good start ( since they are both interrupted in a way), but obviously more work needs to be done.

Re:McAfee

[PD]

On my systems, the damage would be limited to the account that I would accidentally run a virus in - my user account.

Unfortunately, EVERYTHING that is important is under that account. Everything that's NOT under the account was installed from my Debian CD's.

Limited damage means limited only to the most important files on my machine in this case.

Re:Yow

[D Anderson n'Swaart]

I know it's bordering on off-topic, but the parent poster does have a point. I have not yet been to a Flash site that has anything on it that I was hoping to find, unless it's artwork (which I am interested in on occasion), and generally I gave up trying to navigate in frustration a few minutes later because either it was slow, or it was very badly designed.

The bottom line is that Flash is not an effective tool for creating websites. This is what HTML was designed for. With Flash, there are two things that particularly get my goat:

1. you can't right-click a link and open it in the background (as I do often with Opera), in order to check out several areas of the site at once. This may sound like something that broadband users would complain about the most, because they can load several pages in parallel quickly, but actually it's something that I find not only helpful for efficiency, but necessary for my sanity as a dialup user, because if I had to click every page in serial I would spend so long waiting for the single page I can view to load that I'd stop using the internet altogether
2. the second thing is that Flash sites are typically rendered at 640x480 or 800x600 to cater for users with low-end monitors, and cannot be resized (afaik, ianal, blah blah) because a Flash file is effectively a bunch of raster images bunged together. This means that this stupid little website is sitting in the middle of my 1152x864 screen, with an enormous blank space around it. Some people even do this with html for some completely unknown reason; for a good example of a site that uses both Pointless Flash(TM) for a Pointless Entrypage(TM) and Huge Blank Spaces(TM) check out the personal website [bigbadmatrix.com] of someone I don't like very much. I'm sure those people with 21" monitors and 2080x1024 screen resolutions know far better than I what I am talking about

To be fair, there are sites that use Flash as a banner animation at the top, and it doesn't get in the way and is merely decorative, and that's fine, it's attractive and enhances the site. A good example of this is NZ Gamer Forums [gamer.net.nz], and an example of a site that is annoying in its use of a complete Flash "gui" is its parent site [gamer.net.nz]. Yes, it's well-laid out and attractive, but just for starters, try entering your name into the "username" section. If you touch-type like I do, you'll very quickly get over how the animations when you enter a character are neet, and pretty quickly discover how they're very irritating. The sounds, too, are annoying to me. Basically, I think this website could have been made to look similar simply using HTML, and it would have loaded far more quickly (it took a good three minutes to load on my 56k--more than I'm normally willing to wait).

The Forums are an example of Flash used in moderation, and JavaScript used in debatable moderation. I have no problem with it; it does add to the site having those tables light up blue, but it's also not particularly necessary. Mostly the site is very usable, and while there are a lot of images, it doesn't take a hugely long time to load. I think the person who designed the gamer.net.nz site and subsites needs a lesson in accessibility, because his sites are great if you can run Flash and feel like waiting for all the images to load, but get a browser like Opera 6, assume you don't have the flash plugin, and disable images so it loads faster, and you'll get a broken frontpage, and semi-broken threads in the forums because you have to use the horizontal scroll so much--the only thing this guy knows how to do is eye-candy.

The only real gripe I have against JavaScript is the open() function. A lot of people seem to think it's a really great idea to have links open in a new window using this function. I'm all for opening in a new window; I do it on my site [dnip.net] all the time--and you'll notice I use basic JavaScript for the image rollovers in the title, because they markedly add to the visual effect of the site without increasing much in the download time. But hey, there's already this great attribute called "target" in the <a> tag! Use it! I loathe sites where I right-click, open a window in the background without checking its exact href in the status bar of my browser, and going back to it a few seconds later expecting it to have loaded and finding a blank page with "javascript:open(window.crap)" in the address bar.

Just my little rant. Please mod down accordingly.