21

I was stupid and did not check a video file I downloaded from an untrustworthy source. It was a .wmv file with no readable properties of the video. I know that .wmv videos can download viruses. What I don't know is if they can do this to VLC on Linux (my guess is not).

When I opened the file, it did not play when I clicked the Play button and my system froze (I must reiterate I was an idiot). I did a hard restart.

I am now running a ClamAV scan (I am not confident at all in an antivirus' abilities). I ran `find -cmin -20` in my home dir to look over the log of modified files (nothing suspicious found).

VLC did not have root so it could not have written to /.

Should I be worried, and why did my computer freeze?

Edit: It may have been this attack. I removed padding then sent it to Cuckoo Sandbox. VLC does not support .wmv DRM.

user
  • 1
    Seems like someone should make and self-answer an "Is it safe to open an X file?" question and mark the rest as dupes, because 99% of the time, the answer is "Theoretically yes, but software has bugs". – Colonel Thirty Two May 02 '16 at 23:01
  • @Polynomial The difference is this is about a specific video player (VLC) and OS (Linux) – user May 03 '16 at 10:22
  • @ColonelThirtyTwo That would be good; but in general people (in this case me) know "Theoretically yes, but software has bugs", but not necessarily where to go to find the bugs or what to look for to id the bug. This is why questions like this help people like me by providing information to learn from a specific instance. – user May 03 '16 at 10:28
  • 1
    Unfortunately, many of these questions just specify a file type and not the program they use. Even if they did, I'm not sure how well received floods of "Is it safe to open X with Y" questions will be. As for where to find vulnerabilities, the [Common Vulnerabilities and Exposures database](https://cve.mitre.org/) is a good place to start. – Colonel Thirty Two May 03 '16 at 12:23

4 Answers

20

Video files by themselves cannot contain a "virus" in the classical sense but they can be used to exploit bugs in the media players (or sometimes even the OS) when handling the file formats and codecs. By using these exploits they can then execute code.

Like most video players vlc also has/had lots of bugs which could be exploited, including in the handling of WMV files. But it is unlikely that antivirus will find such exploits because they usually don't know much about codecs and don't even scan video files. Since such exploits are usually OS specific and most care only about Windows because of the market share you are probably safe nevertheless with Linux unless you got specifically targeted.

Steffen Ullrich
  • 1
    It was a widely downloaded file and had this as a read me "This video has been encoded using the latest DivX+ software, if you are having trouble playing this video please try windows media player Media Player should automatically update any out dated codecs. ". I assume that means that they are not targeting VLC or linux. – user May 02 '16 at 06:57
  • @user That's the same text that always accompanies the common Windows Media Player attack discussed in your linked question. – Alexander O'Mara May 02 '16 at 06:58
  • @AlexanderO'Mara I am aware. That's why I am hitting my head against this here brick don't you know. – user May 02 '16 at 07:00
  • @user I've included some info on how you can reasonably verify if this WMV was truly one such WMV. – Alexander O'Mara May 02 '16 at 07:01
  • The symptoms look like this attack: https://www.cvedetails.com/cve/CVE-2007-0256/. It appears to just make your computer useless till reset – user May 02 '16 at 07:05
  • 8
    @user: If I were an attacker I would probably also write into a file that it is best played with Windows Media Player so that the really targeted user in Linux does not suspect anything. This would just be like the mails which contain malware but which also include the information that they were scanned by whatever Antivirus and found clean. Never trust the content of untrusted files - in no way. – Steffen Ullrich May 02 '16 at 07:17
  • 1
    This answer makes me question VLC. "*Like most video players vlc also has/had lots of bugs which could be exploited*" – Aloha May 02 '16 at 09:49
  • 9
    @PandaLion98: VLC is no better or worse than most others. Codecs are usually developed with performance as the main target and not security. This means usually C/C++ with lots of tricks and only few checks because they just uselessly cost performance if you can assume that the data are sane. Same with processing image data. – Steffen Ullrich May 02 '16 at 10:27
  • 1
    Maybe the Windows virus exploits running on Linux caused your PC to freeze. When it froze, were the cooling fans at high speed (indicates high CPU usage)? – Suici Doga May 02 '16 at 12:59
  • The fact that media files can exploit bugs to execute arbitrary code means they *can* contain "viruses in the classical sense", as far as I can see. – Boann May 03 '16 at 03:09
  • I wonder what would happen if you convert the wmv to mp4 using `ffmpeg` or `avconv`... – Maxwell175 May 03 '16 at 04:59
  • @MDTech.us_MAN: hard to predict. WMV and MP4 are just containers (i.e. like ZIP vs. RAR) and can both contain the same codecs. Thus if the bug propagates depends if the problem is in the container or in the codec. – Steffen Ullrich May 03 '16 at 06:24
  • @SteffenUllrich: Thus my wondering, but this looks to be a container problem since the problem seems to be WMV's poor DRM implementation. I predict that the bug will not transfer to MP4, for example. Another interesting thing to test is to convert WMV to MP4 and back. – Maxwell175 May 03 '16 at 20:46
  • @MDTech.us_MAN: there are a few indicators that the video in question might have been a very specific bug but I consider them too few to be really sure about it. Apart from that the question is not about a specific video file but about .wmv in general and therefore my answer is more general and not restricted to only the specific bug which may or may not be the one which was observed. – Steffen Ullrich May 04 '16 at 04:15
  • @SteffenUllrich: I was just trying to use this bug as an example. I am just saying that it would be interesting to see what types of bugs would transfer from one format to another. These are just my personal thoughts which may or may not be directly involved in the question, though I would like to think that they still pertain to the topic nonetheless. – Maxwell175 May 05 '16 at 04:49
13

Yes, VLC can be hacked. Here you can check the CVE list of VLC.

But don't panic, just because your VLC froze, that doesn't necessarily mean that someone hacked you. Make sure that your VLC is up to date.

Can you submit that file to this website Cuckoo Sandbox and then paste the report here, just out of curiosity let us see, what will happen when that file is "fired" in sandbox.

EDIT: After being analyzed with cuckoo sandbox.

Ok, we have one problem, there is no VLC inside that sandbox, so I'd like to see what will happen in the same box with VLC, but so far there is a suspicious URL inside that file:

DO NOT OPEN LINKS!

h**p://aavid.xyz?id=&dlgx=200&dlgy=200&adv=0

After this one it will redirect you on new one:

h**p://playbackerrormediaplayercodecrequiredtoplaythisfileinstallcodec.playbackerrormediaplayercodecrequiredtoplaythisfileinstallcodec.mediaplayerfix.tech/drm.php?id=&dlgx=200&dlgy=200&adv=0

Then it will give you option to download codec:

h**p://alfafile.net/file/NfpC

and another redirection:

h**p://a5.alfafile.net/dl/8va8w/CodecFix.exe 


and that same file is definitely malicious.

https://www.virustotal.com/en/file/8cabc36f1e3180de4a8e429b1a6cc7e2ad04243764033916486a22c80de2244f/analysis/

In closing: I didn't analyze that file on my own; what I did was just a quick peek into the strings, so I cannot be sure how this file acts on a real system, nor whether it uses a vulnerability in VLC.

Bob Ortiz
Mirsad
  • VLC is up to date. – user May 02 '16 at 07:01
  • These files may have been supposed to be copyrighted material. Do you think they mind? I will use a vpn obviously. – user May 02 '16 at 07:15
  • 1
    https://malwr.com/analysis/OGIxY2I2NTQ4NWU4NGU1YTg2ODhlY2IzZjFiOTE5YTY/ – user May 02 '16 at 08:39
  • Looks like a social engineering attack. – Aloha May 02 '16 at 10:49
  • 1
    @mirsad where are you finding that url? I can only find one to Microsoft. – user May 02 '16 at 11:36
  • @mirsad also since I did not click any download link, just the vlc play button, and from what I have read vlc does not support .wmv files with drm, doesn't that mean I don't have the virus? Also there were no added files on my system. – user May 02 '16 at 12:00
  • Update: VLC does not support DRM, see: https://wiki.videolan.org/Windows_Media/#Compatability – user May 02 '16 at 12:08
5

The attack listed in the referenced question certainly would not work with VLC or Linux. VLC does not support the obscure Windows Media Player DRM it utilizes (at least not to my knowledge), and even if it did, the purpose of the attack is to trick you into downloading and running some Windows executable files.

That being said, a different kind of attack is theoretically possible, if a security vulnerability were found in VLC itself which a maliciously crafted WMV could exploit. It's more-likely from your description the malicious WMV uses the former attack though.

In the case of those common malicious WMV's targeting Windows Media Player, if you inspect the WMV in a hex editor, you would find very little actual data consisting primarily of a URL, followed by nothing but empty padding to make it the expected file size.

Alexander O'Mara
  • The file is full size, but I think it is mostly legit with the bad placed in – user May 02 '16 at 07:26
  • 1
    @user It's possible they are now using random or even real data to pad up the file sizes now. It's been a while since I've had someone ask me about these files. (Maybe because I told them nothing good ever comes in a wmv. =) ) – Alexander O'Mara May 02 '16 at 07:31
  • I know I was really dumb – user May 02 '16 at 07:40
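
Added example (not part of any answer or comment above): a static triage of the two signals the answers mention, URLs found in the file's strings and a file body that is mostly padding, done without opening the file in a player. The 0.9 threshold, the function names and the sample bytes are assumptions made for illustration; the sample is constructed, not the file from the question.

```python
import re

# First 16 bytes of any ASF container (WMV/WMA): the ASF Header Object GUID.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
# ASF stores most text as UTF-16LE, so also look for "wide" URLs.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")

def find_urls(data):
    """Return URLs embedded as ASCII or UTF-16LE strings."""
    urls = [m.group().decode("ascii") for m in URL_ASCII.finditer(data)]
    urls += [m.group().decode("utf-16-le") for m in URL_UTF16.finditer(data)]
    return urls

def longest_run(data):
    """Length of the longest run (>= 64 bytes) of one repeated byte value."""
    runs = re.finditer(rb"(.)\1{63,}", data, re.DOTALL)
    return max((m.end() - m.start() for m in runs), default=0)

def triage(data, padding_threshold=0.9):
    """Summarise the signals; the threshold is an assumed cut-off."""
    ratio = longest_run(data) / len(data) if data else 0.0
    urls = find_urls(data)
    is_asf = data[:16] == ASF_HEADER_GUID
    return {
        "is_asf": is_asf,
        "urls": urls,
        "padding_ratio": round(ratio, 3),
        "suspicious": is_asf and bool(urls) and ratio > padding_threshold,
    }

# Constructed sample: ASF magic, a placeholder UTF-16LE URL, then zero padding.
SAMPLE = (ASF_HEADER_GUID + b"\x00" * 8
          + "http://example.invalid/drm.php?id=1".encode("utf-16-le")
          + b"\x00" * 4000)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # triage a real file given on the CLI
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        print(triage(SAMPLE))
```

A low padding ratio does not clear a file: as the comments above note, newer samples may be padded with random or real video data, so any embedded URL still deserves a look.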
-6

As a programmer, the answer is simply put: "No."

Video files do not contain executable code. Even if they did, Windows is very different from Linux in design. The two use different binary formats for the OS that are incompatible. What exploits work on Windows normally won't work on Linux.

The only thing that a tampered video file could do is trip a bug in VLC or another video player, or your web browser if it is set to automatically follow links. The likelihood of such a bug allowing them to "hack" Linux using a video file is so ridiculously remote that it isn't worth mentioning.

You have a better chance of being hit by a car getting your newspaper.

I'd also consider that WMV codecs under Linux are usable but mostly an unsupported format. Microsoft rarely even uses them anymore, having set them aside in favor of MP4, which Microsoft has a patent stake in. Frankly, you shouldn't use them either, but convert it to MP4 or VP8.

If you are using something like Ubuntu or Arch Linux, you are also using programs that have not been fully debugged. You should expect issues.