Forgot your password?
typodupeerror
Security Media The Internet Worms

Online Videos May Conduct Viruses 195

Posted by Zonk
from the tubes-are-just-full-of-surprises dept.
Technical Writing Geek writes "A report on threats via the Internet released by a Georgia Tech research center indicates online video may be a new avenue of attack. As the popularity of flash media continues to explode, hackers may be targeting embedded video players and more traditional video downloads with worms and virii. 'One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube ... Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.'"
This discussion has been archived. No new comments can be posted.

Online Videos May Conduct Viruses

Comments Filter:
  • I thought this was obvious...
    • Re:Erm (Score:4, Funny)

      by Ucklak (755284) on Tuesday October 02, 2007 @12:58PM (#20825159)
      Yeah, 1996 called, they want their virus distribution back.

      I guess the researchers at Georgia Tech were 11 and younger when this was done before.
      • Re: (Score:3, Interesting)

        by Crayon Kid (700279)

        Yeah, 1996 called, they want their virus distribution back.

        And yet it's so damn sad to see that in 10 years the industry has still not learned to do things right.

        Good security starts from the design phase. If it was not meant to be hacked it should not be hacked. Security holes are mainly the fault and the responsability of the people who designed those buggy pieces of software.

        And yet we see the media always blaming "hackers". Sure, they're assholes who try to break and enter. But it's like a bank leaving

    • by Anonymous Coward

      Let's leave the MS-apologist spin out of the summary. Video has nothing to do with it:

      It's the WMV format [eweek.com] that conducts the viruses.

      • by Repossessed (1117929) on Tuesday October 02, 2007 @02:29PM (#20826503)
        +That link suggests that it's Windows Media Player, rather than WMV, that's the problem, due to embedded IEness. It also specifically mentions quicktime as an exploitable format. It also says there are exploits in second life (that's a new one on me actually).

        So, list of places windows users will probably pick up nastyware now includes... actually, anybody know of something that *won't* lead to malware with windows?
        • by master_p (608214)
          "Actually, anybody know of something that *won't* lead to malware with windows?"

          Linux?
  • Dammit! (Score:3, Funny)

    by djasbestos (1035410) on Tuesday October 02, 2007 @12:45PM (#20824907)
    And I thought my porn was safe with AV and spyware/adware blockers and cookie cleaners and...
    • by hahiss (696716)
      I guess this says that you probably should start wearing a condom as well.
      • by Joebert (946227)
        Nah, at this point you just start using anti-bacterial soap & learn to spot people with the same, uhh, intrests you have.
  • It's Indevitable. (Score:5, Insightful)

    by TechyImmigrant (175943) * on Tuesday October 02, 2007 @12:46PM (#20824933) Journal
    Every new application that places a large footprint of code in the line of fire on the internet will be subject to attack.

    Media apps are big, hairy and process gobbets of data straight from the attacker's server. What did people expect?

    • by XanC (644172) on Tuesday October 02, 2007 @12:50PM (#20825019)

      What's wrong with posting MPG files for people to download? Every site these days is Flash video, or insists and assumes you're running a Web browser, wrapping their video file in Flash controls and burying the actual URL to the actual file people want to see under a dozen redirects.

      All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

      • Re: (Score:3, Insightful)

        by UbuntuDupe (970646)
        Two words: money.

        Well, make that three: control.
      • Then they can't surround the video with ads, or do cool things like show "You would also like" after the video.

        Also, having done some work on this kind of thing, you get your videos working on the most computers without having to make users do anything if you use flash. You might not like it, but it gets higher coverage than something like an mpeg.
        • by XanC (644172)

          You're certainly right about ads.

          But won't most browsers talk to the default media player and play an MPG in the browser window when you click on it?

      • by kalirion (728907)
        Maybe same reason people want images embedded into webpages so that you don't have to download them to view in a seperate image viewer?
        • by XanC (644172)
          That should be up to the user agent. As far as I know, media player plugins by default play video in the web page, or at least pop right up when you click on a video.
          • by PitaBred (632671)
            So don't install flash, and don't play the videos. You can still use Lynx to browse the Internet, you know. It's still 100% up to the user agent. But you'll miss out on a lot. Besides, the flash video is more elegant than mpeg video in general, what with being able to easily custom-brand videos and such.
      • by kebes (861706) on Tuesday October 02, 2007 @01:34PM (#20825693) Journal

        All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??
        Actually it would be much, much easier to design a system that just exposed the URL for a standard video file. The user/browser could then either download it, or have a plugin that buffers and displays it inside the browser. This eliminates all kinds of problems both for the web developers and the user.

        But, of course, the real reason for using Flash-based players is that it acts as a weak form of DRM. The intention is to force the user to watch the video only at the site (with ads, etc.), and to not allow the user to take the video, transfer it elsewhere (e.g. iPod), edit out commercials, redistribute it, etc.

        Of course, we all know that it is possible to write a script that extracts the video... but it becomes a tiresome arms race. This is just another example of the fundamental tradeoff between the notion of "convenience" (for the user) and "control" (for the distributor). The user wants freedom. The distributor wants DRM.
        • by Goaway (82658)
          No, the real real reason to use Flash players is that they work for the largest range of users. No other solution works as well, nor is as convenient.
          • Standard video files used to work quite well before those flash player appeared.

            • by mad.frog (525085)
              What is this video file "standard" of which you speak? You know, the one that has 95%+ of web surfers with the right software preinstalled to view them?

            • by Goaway (82658)
              Oh, is that why we had all those online video sites that were just like Youtube except they used "standard video files" before?
        • by merreborn (853723)

          All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

          Actually it would be much, much easier to design a system that just exposed the URL for a standard video file. The user/browser could then either download it, or have a plugin that buffers and displays it inside the browser. This eliminates all kinds of problems both for the web developers and the user.

          That creates a new one, however: what video plugin do you use? And wh

          • People like being able to click a link and have the video load right there in their player.

            That should have been:

            People like being able to click a link and have the video load right there in their browser.
      • Re: (Score:2, Informative)

        by mha (1305)
        Hi,

        I would like to add my opinion this time. Some time ago I started a new idea: building *multimedia* learning content. Sounds easy enough, only that I had some more goals. Among them was to build a community-based platform - as in "OWNED by the community", not a "web 2.0" startup.

        By the way, the current state is at http://letexa.com/ [letexa.com] - I'm giving the URL because you can see what I'm going to talk about next in real-life examples.

        So, I tried with HTML/Javascript. I always knew I had to use Flash vor the Vi
        • by XanC (644172)
          That's fine and all, and it looks like you have a neat site. You're talking about building an app for a particular platform, Flash, and that's fine; you've got some bad and good and found what works for you. My complaint is about bog-standard video being buried under Flash for no particular reason.
        • by mha (1305)
          I forgot to mention that I like being able to use various pixel based content like videos or images in different resolutions and handled independently of one another, and vector based content. Plus, the link between everything is loose - made by Flash code (even if you produce an animation in the Flash authoring environment it is saved as code in the end).

          If I wanted to produce one big (learning) video that would not matter, right, but even there I have an argument to keep the various content pieces separat
      • by forkazoo (138186)

        What's wrong with posting MPG files for people to download? Every site these days is Flash video, or insists and assumes you're running a Web browser, wrapping their video file in Flash controls and burying the actual URL to the actual file people want to see under a dozen redirects.

        All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

        No, it's actually trivially easy to have both a flash player and a simple download link. They

      • A number of things.

        a)Most users don't realize it is easy to copy the flash movies from your /tmp ( or whatever the equivalent is on windows ) and thus it acts as a weak form of DRM, forcing people to return to the site since they don't know how to download a permanent copy.

        b)Flash stores data on the client computer ( a bit like cookies ) which is used to snoo... errr... automatically obtain customer feedback.

        c)Flash lets you have all kinds of annoying banners, clickable monkeys, advert overlays, etc ...

        So i
        • by mad.frog (525085)
          Most users don't realize it is easy to copy the flash movies from your /tmp ( or whatever the equivalent is on windows )

          Only if the site is using progressive download for video. If they have a true streaming backend (eg, Flash Media Server) then there is no useful temp file to snarf.
      • by vertinox (846076)
        All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

        Do you promise to view all the ads on the site and to not direct link the MPG on your blog without crediting the source?

        But seriously, the one nice thing about Youtube is that it gives me the ability upload video to a 3rd party site and not have some leecher hose my web server. Sure flash is crappy, but I think in the end... Most people with web servers were tried of people j
        • by XanC (644172)
          How does that have one thing to do with Flash? Send YouTube your video and they can host the embedded MPG.
      • by mpcooke3 (306161)
        There are plenty of reasons, here are some:
        - Flash has better penetration than native MPEG players and native embedded players.
        - Gives a more consistent user experience regardless of OS/browser
        - It is guaranteed that most users will be able to work out how to play the video, even if they don't understand downloading or what an mpg is.
        - Guarantees that that the user can stay on the site and easily navigate elsewhere.
        - Gives less annoy
        • I think 1997 was the last time I used a GUI web browser that couldn't play MPEG video. The problem with MPEG is that it's big. Flash video is not as good as something like H.264 in terms of video quality for size, but it's much better than MPEG-1, and much more widely supported.
          • by mpcooke3 (306161)
            Mpeg size depends on quality and size of encoding, at similar quality and size to flv I believe the usual codec used for mpeg produces small files than the standard ones used for flv. This was true until very recently anyway when Flash started to support H. 264.
        • by Hatta (162192)
          These are all good reasons to provide a flash video. These are not reasons to not provide an mpg/avi.
      • by antdude (79039)
        MPEG files are bigger and have higher quality than Flash video format (FLV). People would have to wait longer to watch those MPEGs for those with slower Internet connections.
    • thufferin' thuccotas! that's a dethpicable sylvesterism!
    • Hasn't this already been done?
      I seem to recall nefarious crackers using the myspace embedded video feature to serve up Windows Media files that took advantage of code execution in the Windows Media Player.
      Or is this just new an interesting because it's flash, instead of WMV?
  • by grassy_knoll (412409) on Tuesday October 02, 2007 @12:48PM (#20824983) Homepage

    "The next logical step seems to be the media players," Rouland said.


    So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?

    TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.
    • Re: (Score:3, Insightful)

      by Technician (215283)
      So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?

      TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.


      The FA was short on details, but from what I've seen in online video, there are 2 probable ways this is done. Most flash video sites require scripting to be on.. Duh there is a vector right there. Other sites insist you download their viewer (Untrusted software anyone?). With an untrusted viewer and scr
    • by Jugalator (259273)
      Yes, these news was just spun in a weird way by a Swedish tabloid into "YouTube videos can spread viruses!"

      I don't think anyone has seen a YouTube.com hosted Flash video to be virus infected??

      The article makes it sound more like that they're talking about people using popular online videos / video sites to spread viruses, not the streaming video file itself. As in YouTube comments, e-mails with links to supposedly "cool" online videos, etc. And then this comes off as nothing new at all.
  • The word (Score:5, Informative)

    by Anarke_Incarnate (733529) on Tuesday October 02, 2007 @12:50PM (#20825023)
    is viruses. Virii is made up. Go look it up. Viri is man, there is no "virii"
    • Re: (Score:1, Insightful)

      by Woek (161635)
      Mod parent up, "virii" should be exterminated!
    • Re: (Score:3, Funny)

      by Anonymous Coward
      Correct. There is no virii.

      Unless you find them on your boxen.
    • by pilgrim23 (716938)
      Vir is man. Viri is men (Latin)
    • You must be new around here.
    • I don't have a problem with it being made up. I have a problem with it being stupid.

      The word "virii" implies the singular is "virius" and is only used by clueless people who are dazzled by the double i's. If you are going extrapolate grammar and spelling constructs based on other languages, which is a time-honored hacker tradition [catb.org], then at least be consistent about it.

      Given that, by extrapolation from the word "radius", it then makes sense to talk about two Toyota "Prii", but two "viri", with one 'i' at t
    • by Hatta (162192)
      All words are made up. And I don't think anyone says virii thinking that it is proper. They're just having a little fun with the language, what's so bad about that?

      From the venerable Jargon File:

      This is not 'poor grammar', as hackers are generally quite well aware of what they are doing when they distort the language. It is grammatical creativity, a form of playfulness. It is done not to impress but to amuse, and never at the expense of clarity.
  • by TechForensics (944258) on Tuesday October 02, 2007 @12:50PM (#20825029) Homepage Journal
    ... you don't have to worry if you run Linux!
  • by kcokane (253536) on Tuesday October 02, 2007 @12:52PM (#20825061) Homepage
    in the text: ... with worms and virii....

    note: there is no Latin plural for the word
    virus (means slime, basically). the expected
    plural, viri, is the plural of vir (man). the
    plural of virus is viruses.

    • by Chyeld (713439)
      I'm surprised that this is not as well known as it is. Having had a feminist neighbor living next door for over five years now, one would think that it would be immediately obvious that the plural of slime would be men. Aren't the synonyms or something?
      • by trongey (21550)

        I'm surprised that this is not as well known as it is. ...

        That looks like one of the best self-contradicting sentences I've never seen.
    • I have seen the less-informed use non-word "virii" for as long as I can remember. How long does it take to drill this into people thick skulls?

      On the other hand, I've gotta jet. I think a hacker just hijacked a few of my boxen. ;)
  • by jackpot777 (1159971) on Tuesday October 02, 2007 @12:56PM (#20825133)
    Isn't this all a bit "Schrodinger's Cat"? These virii are half-written, half not written, and we only get to know which one it is if we open the video clip of Anna Kournikova...

    Would the esteemed learning establishment care to debate if we will be living on the moon, wearing shiny suits, eating meal pills, flying around with our prsonal jet-packs? I for one want to know ...or at least have someone hypothesize if such a thing may be possible.

    Hmmmm.
  • by G4from128k (686170) on Tuesday October 02, 2007 @01:02PM (#20825247)
    Why in the world should the Flash player have any kind of access/execution/write privileges on the browser's machine? I can understand that the player needs to be able to execute some form of code to create interactivity, but shouldn't this be so totally sandboxed that presents a minimal threat to the user or the OS.

    This just confirms my opinion that Flash is an evil cancer on the web designed to move control of the web experience from the person browsing to the Flash author (who maybe a botnet builder).
    • I'm pretty sure that Bill Gates could come much closer to being the botnet king if he wanted to.
    • It's security vulnerabilities in old versions of Flash Player that make them vulnerable to malicious files. Here's one of the more severe ones: http://secunia.com/advisories/26027 [secunia.com]. It doesn't matter if the file has no executable content when the reader has a buffer overflow that can be exploited with a malicious file. Strictly speaking, the exploit is executable machine code.

      The issue of executable or scriptable content in media files is something different. As other people pointed out, WMVs can have scrip
    • The Flash player runs in memory as a process, or at least within the memory space of a host process, and it is taking a stream of data from an outside source according to a protocol. There must be methods for handling that data and if those methods are not carefully constructed then it it may be possible for a malicious user to smash the stack [securityforest.com] by sending carefully crafted packets to the host running the flash session. Now, most modern operating systems, even including Windows after the 9.x branch was retire
    • by gaspyy (514539) on Tuesday October 02, 2007 @04:49PM (#20828705)

      This just confirms my opinion that Flash is an evil cancer on the web designed [...] blah blah blah

      This is just FUD - but obviously this is Slashdot so who cares about facts anyway?

      The truth is that the Flash player has actually a pretty draconian sandbox:
      1. A flash movie can not write to disk or execute any command. Period. It only has a "cookie" mechanism to store info on user's computer but the user can allow/deny the action and allocate a quota for that info. The cookie is saved in the user's Documents and Settings folder (and the Mac/Linux equivalent), e.g. "C:\Documents and Settings\user\Application Data\Macromedia\Flash Player\#SharedObjects\LQ93AHGQ\www.youtube.com" The flash app cannot control the location or the file name.
      2. A flash movie can't simultaneously have read access from the local file system and the Internet. What I mean is - either a flash movie loads a local file (text, xml, jpg, flv, etc) or it can communicate with a site (load URL, send variables with GET/POST, invoke a WS, etc) - but it cannot do both of them. A user has to go to Adobe website and specifically trust an application in order for that app to have more access.
      3. Flash movies can't read the clipboard.
      4. Access to microphone/webcam is disabled by default and must be enabled on a per-URL basis.

      Anyone who RTFA knows that it's not about exploits inside the video stream, it's about fake links.

      Now, I'm pretty sure I just wasted 10 minutes of my time trying to dispel some myths, because the average Slashdot user is too busy hating Flash and worshiping Steve Jobs. Mod me down, or better yet, just ignore this post and keep on living inside your bubble.
  • by bogie (31020) on Tuesday October 02, 2007 @01:05PM (#20825295) Journal
    Was it a morally corrupt web site? Those are the worst kind.
    • morally corrupt web site?

      Do you mean the ones where you can get free adult content or the ones that only provide 3 lines of semi-interesting information and split it over 12 pages with so many ads that each page needs 2 min to load on my 10Mb/s connexion (and did I mentioneed that some of these ads usually overlap the content for which I came in in the first place). Yes, the latter kind should be banned.
  • Not new (Score:5, Informative)

    by packetmon (977047) on Tuesday October 02, 2007 @01:20PM (#20825463) Homepage
    This attack vector isn't new however its spreading more and more as time progresses. What I find to be a worst attack vector are the ad servers such as Doubleclick, Akamai, etc.:

    Yahoo's Right Media had Trojans in banner ads
    Posted by Elinor Mills

    For several weeks starting in early August, visitors to MySpace, Photobucket, Bebo and other high-traffic Web sites were exposed to banner ads that contained Trojan horse software that could wreak havoc on a computer.

    Web security company ScanSafe tracked the malicious ads back to Yahoo's Right Media network and estimates that they ran several million times, according to The Washington Post's Security Fix news site. (source [news.com]
  • by Anonymous Coward
    Why is this posted as a supposedly novel discovery ?

    A previous post allready mentioned WMV format has an on-purpose function build-in that lets it "phone home" (and retrieve whatever code it likes) without as much as a peep to the user.

    The real issue here is not that some kind of "information" (movies, PDF's, etc) could harbour methods to retrieve (or even contain) the actual malicious code, but how the creators of those methods think that its a good idea to let their displaying-software "phone home" 1) whe
  • The solution.... (Score:1, Flamebait)

    by Khyber (864651)
    Ban flash. Hell, ban all Adobe products - every bit of software they acquire seems to get revamped into crap, and minus photoshop all the software they develop is bloated and slow.
  • by Thaelon (250687)
    irony:

    Technical Writing Geek
    A report on threats via the Internet released by a Georgia Tech research center indicates online video may be a new avenue of attack. As the popularity of flash media continues to explode, hackers may be targeting embedded video players and more traditional video downloads with worms and virii. 'One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video fil

  • If for example a wmv file really contains and mpeg with some junk, is it enough to rename that whole file .mpeg or can you actually remove the junk. Something that does like a

    $ cat wrapped.wmv | grep -v "http://spawnsomecrap.com/crap.html" > clean.mpeg ..except in a windows utility (or command?!.)?..
    • by master_p (608214)
      An AK47 may do a fine job...
    • by Richy_T (111409)
      Yes you can.

      The Link appears as something like URL:http://annoyingsite.com in unicode within the WMV. You can process the file and change the "url" to (for example) "urx" and windows doesn't know what to do with it so ignores it.

      I've run across some files where the URLs are not openly visible like that but they were in the minority (May be more prevalent now).

      I had a program that did it. Here is what I searched for:

      char lstr[]={0x55,0x00,0x52,0x00,0x4c,0x00,0x00,0x00};

      And here is what killed the redirect:
  • I never understood how this is even possible. Like vulnerabilities in image formats or video formats. How does this work? The media player, or image viewer, should be reading the bits in the file and display it as an image, or as video. Why do these bytes of data get executed? Who writes an application which opens an image file, reads the bits from the file and then EXECUTES it ?!?!?

    I just don't get it. I'd love an explanation. Maybe it's like a website that takes user input and runs it as server side code.
    • Re: (Score:2, Insightful)

      It's a little bit more subtle than that. Here is a simple example: there could be a section of the file that is supposed to be 100 bytes long, null terminated. The program could read it in but some joker put 200 bytes and a null there instead and the program dutifly reads all 200 bytes into a 100 byte buffer. If the size isn't checked you could overflow the stack, overwrite the return pointer, and cause the function that read the bytes return execution into some bits of code that are storred in the buffe
    • by jotok (728554)
      See http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx [microsoft.com].

      The JPEG handler is not "supposed" to run code; but, absolutely any program that receives data, processes it, and is expected to come to some kind of outcome with it can potentially be exploited if the programmers didn't have the foresight to check for buffer overruns and other exploitable conditions.

      The best way to handle these is to sandbox applications--that is, limiting what they can do on the system. You can go really extreme and abs
  • Although it may be disturbing, that Rick Astley youtube video is pretty much harmless to your computer and should not be considered a "virus" per se.
  • this has been going on for years I remember one time I got hosed via a porn video trying to aquire a license in windows media player I had to format entire system and I used to get spyware regularly, I eventually got sick and stopped using windows media player. I now use it again as it has fixed these holes but no doubt they will work on trying to find more holes.
  • Crypto: 0
    As received by: Transceiver Relay03 at Relay
    Language path: Cloudmark -> Twiskweline, SjK units
    [Cloudmark is a High Beyond trade language. Despite colloquial rendering, only core meaning is guaranteed.]
    From: Transcendent Bafflements Trading Union at Cloud Center
    Subject: Matter of life and death
    Summary: Arbitration Arts has fallen to Straumli Perversion via a Net attack. Use Middle Beyond relays till emergency passes!
    Key phrases: Net attack, scale interstellar warfare, Straumli Perversion
    Distrib
  • It is useful for some things, but for distribution of videoclips over the net, as it has commonly been used lately, it sucks. The quality is invariably lower than the original, sometimes to the point that it is unwatchable. I like to view videoclips on the Net, but I try to avoid sites that use Flash Player to display them.

Somebody ought to cross ball point pens with coat hangers so that the pens will multiply instead of disappear.

Working...