1

I know pirated movies (.avi, .mp4, etc.) can contain a payload to exploit the media player being used to open the movie, as can any file such as PDFs or Office documents.

I use Linux but assume that's unsafe. What's a secure way to open these files and be certain they can't infect the host OS? I used to think using a live USB was a good way, but I know a live USB has write access to the hard disk and could rewrite the MBR for a rootkit, etc.

I'm not sure a write-protected USB or CD would help here. Possibly removing the hard disk while using a live USB would stop it being able to write to the hard disk, leaving only a small chance of the BIOS being a vector then?

I know about Sandboxie for Windows and Firejail for Linux, but I'm not sure Firejail or Sandboxie is a good method. I've also heard of using virtual machines.

I also own a Chromebook. They're meant to be so security-hardened that a drive-by on a website shouldn't infect them, so I want to know if infected media files and others could be opened on ChromeOS safely. I guess I could stream from an infected site without being infected if sandboxing the OS is that safe.

I know everyone has their own opinion about piracy. I only want helpful answers for the circumstances I'm asking about.

schroeder
Alister
  • 1
    I'm not sure if the question should be closed because it is too broad or because the answers will be primarily opinion-based. Probably both. Anyway, there are several posts on this site which ask how to deal with potentially infected files (like [How to safely view a malicious PDF?](https://security.stackexchange.com/questions/18878/how-to-safely-view-a-malicious-pdf)), so I recommend first looking at the existing questions and answers and then asking a more focused question. – Steffen Ullrich Jul 14 '18 at 07:41
  • I get your point. I could have simply stopped with how to open infected media files that can exploit media players, though I thought giving what I know about would be helpful in the context, so whoever answers has that information before suggesting it, or it encourages someone with information about some of it to answer. – Alister Jul 14 '18 at 07:46
  • All answers to all questions on this site are opinion-based, aren't they? Or opinions based on known facts? – Alister Jul 14 '18 at 07:47
  • 1
    While there are some opinions with many answers the difference is between **primarily** opinion-based or **primarily** fact-based. And the kind of question you have asked often attract answers which are primarily opinion-based. – Steffen Ullrich Jul 14 '18 at 08:19
  • Yeah, I know what you're saying, except there are people here who know things, which you can always say is their opinion. I'm the type of person that is going to research their answer and make sure it's pretty likely to be correct. Anyway, close this thread; I can ask several of my things as specific questions. I see your point. – Alister Jul 14 '18 at 08:26
  • This is very opinion based. Everyone has different OpSec. When working on sensitive data, but not critical data, I will use full-disk encryption using AES256-GCM or AES-256-XTS with a randomly generated password that is non-memorable (easily forgettable) and is discarded upon completion of the work. Critical data follows a similar policy, but uses volatile memory instead of persistent. – safesploit Jul 15 '18 at 19:47
  • Not only pirated content may contain malware; content that was paid for may contain malware as well. Remember the [Sony rootkit](https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)? – S.L. Barth Jul 17 '18 at 08:13

4 Answers

1

The theoretical answer is you cannot. If the attacker has a set of exploits that take over the operating system, then they can write to many places beyond RAM or the hard drive. These places include but are not limited to: the UEFI (for example, http://blog.frizk.net/2017/08/attacking-uefi.html), the GPU (for example, https://www.extremetech.com/computing/205270-proof-of-concept-gpu-rootkit-hides-in-vram-snoops-system-activities), and the Intel management interface (for example, https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html).

On a practical level, if you insist on trying, you have two choices: you can use a cheap device like an Amazon Fire Tablet (still rootable, and still able to attack your router and other devices from the inside), or an iOS device, which is also still attackable, but the attacks are rare, and unlikely to be wasted on you, unless you happen to work for the GRU, CIA, a human rights org that's annoyed a government, etc., etc.

Adam Shostack
  • I see your point. Do you think using a live OS on USB is at all possibly a safe way to stream movies on possibly infected hosting sites, if the internal hard drive is removed to remove the chance of it being written to? – Alister Jul 15 '18 at 09:54
  • As all the data should be deleted from RAM at reboot? I did think opening movies with the internal disk removed would avoid the hard disk being written to, though there's a chance the external drive with the movies on it could be infected with an MBR rootkit to get persistence. I see where you were going with the device suggestions, though if they get infected they're a potential threat to infect the computers and networks they're connected to themselves. – Alister Jul 15 '18 at 09:58
  • A Chromebook opening infected files or visiting infected sites might be OK; I don't know, as they're the most secure devices currently available. – Alister Jul 15 '18 at 09:59
  • @Alister no a live OS or even removing the hard drive doesn't fully protect you -- there are lots of places to hide a rootkit beyond. – Adam Shostack Jul 15 '18 at 16:20
  • @Alister I didn't list chromebooks because they too are easily rooted. – Adam Shostack Jul 15 '18 at 16:20
  • Theoretically, you cannot be safe. Joanna Rutkowska explained this when building Blue Pill, a rootkit based on x86 virtualisation. However, we can study known attack vectors and mitigate an attack surface from there. – safesploit Jul 15 '18 at 20:09
  • The GPU does not keep persistent data, and the ME and UEFI issues are the same (they both are in the BIOS flash area). – forest Jul 16 '18 at 02:20
  • @Adam Shostack can malware running on a live USB infect the USB the live OS itself is running on? I know the MBR of a USB can be rewritten for a rootkit; if that happened on a live OS USB stick, the host probably would be infected starting it up. I thought maybe I would only have to worry about the live USB malware writing to the external hard drive's non-infected files or its MBR? I know there are BIOS threats, but they're not common, right? – Alister Jul 16 '18 at 07:16
  • 1
    @Adam Shostack Chromebooks easily rooted? You lost me; unless you turn on developer mode, your Chromebook isn't running with root? They use verified boot when starting, using two copies of the OS; if anything changes or modifies the OS, verified boot restores the system from the clean state of the second copy. Then all Chrome apps and tabs are sandboxed. They have hardware write-protect screws to stop their BIOS being written to, and TPM chips. – Alister Jul 16 '18 at 07:20
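The comments above ask whether malware running from a live USB can rewrite that stick's MBR and persist into the next boot. One practical check, added here as an example and not part of the original answer, is to take a hash baseline of the medium right after writing it (from a machine you trust) and re-check it after each session from that same trusted machine. This is a plain POSIX shell script assuming GNU coreutils (dd, sha256sum, sed); the device path and baseline file name are placeholders.

```shell
#!/bin/sh
# Baseline and re-verify a live-boot medium (or any block device / image file)
# so that an MBR rewrite, or any other on-disk change made during a session,
# is detected before the medium is booted again.
# Added example for this discussion, not code from the original post.
# Assumes dd, sha256sum and sed; DEV is e.g. /dev/sdb (placeholder) or an image file.

# mbr_hash DEV -> sha256 of the first 512 bytes (boot code + partition table)
mbr_hash() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# full_hash DEV -> sha256 of the entire medium (slow on a large stick, but complete)
full_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# baseline DEV FILE -> record both hashes; run this right after writing the image,
# on a trusted machine, and keep FILE somewhere other than the stick itself
baseline() {
    printf 'mbr %s\nfull %s\n' "$(mbr_hash "$1")" "$(full_hash "$1")" > "$2"
}

# verify DEV FILE -> exit status 0: unchanged, 1: MBR changed, 2: data changed elsewhere
verify() {
    old_mbr=$(sed -n 's/^mbr //p' "$2")
    old_full=$(sed -n 's/^full //p' "$2")
    [ "$(mbr_hash "$1")" = "$old_mbr" ] || return 1
    [ "$(full_hash "$1")" = "$old_full" ] || return 2
    return 0
}

# Usage: sh usb-check.sh baseline /dev/sdX baseline.txt
#        sh usb-check.sh verify   /dev/sdX baseline.txt
case "${1:-}" in
    baseline) baseline "$2" "$3" && echo "baseline written to $3" ;;
    verify)
        verify "$2" "$3"; rc=$?
        case $rc in
            0) echo "unchanged" ;;
            1) echo "MBR CHANGED: do not boot this medium" ;;
            2) echo "data changed outside the MBR" ;;
        esac
        exit $rc ;;
esac
```

A clean result only means the medium is byte-identical to the baseline; it says nothing about the host's firmware, which is the point Adam Shostack makes above, and a hardware write-protect switch on the stick is still the stronger control. Run both the baseline and the verify from a host that was not used for the risky session, since a compromised host could lie about the hashes.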
0

So for me there is only one safe answer: simply don't. While it is intriguing to download each and every thing on the internet, from a security point of view this is a bad habit.

Pirated movies: Besides the legal concerns, it's much more convenient to join a streaming service, which nowadays costs little money, and get what you want any time, even without any download hassle.

Infected files:

A) You already know that the file is infected? Why open it then? If you are looking for key generators, cracks etc., then yes, most of them will have malicious payloads inside. It's your choice of risk, but a good sandbox might help.

B) You don't know the file is infected, but you are afraid it could be? Depends on the source, IMHO. From a web page with good reputation: it will probably be OK. Check whether the web page offers hash fingerprints to compare (SHA, MD5 sums etc.). From Usenet: take care. From hacks/warez sites: simply don't.

The internet can be fun, educational and a good friend. There are so many activities you can do without getting into risk, so it's easy to avoid the few activities that might harm you, your friends and family by malicious payloads spreading off your device.

flohack
  • I don't have unlimited internet, though I know what you're saying about streaming services; something about having permanent copies of things appeals to me. Yep, I don't download patches, cracks, keygens or any of them anymore, just movies, music or PDF files, etc. I know about MD5/SHA; can't with movies from untrusted sources, though. – Alister Jul 15 '18 at 10:05
0

You cannot really be sure if it'll ever be safe to open untrusted files. The "payload" could be clever enough to bypass normal safety measures, if there are any. The "safest" way I can think of when running untrustworthy files is by running them on a virtual machine, but even then it's possible to reach your host OS from a virtual machine, though it's much more difficult.

However, I think it's much safer to watch pirated movies streamed on websites if you use a good proxy and make sure you do not run or download any files.

AznBoyStride
  • I was going to upvote the first half, but the second half...what does a "good proxy" do, and what does the streaming service send you? Odds are good it's sending you mp4 or mov, but chunk by chunk, so the exploit could still be present. – Adam Shostack Jul 14 '18 at 16:57
  • By streaming it, you are relying on your browser executing JavaScript code using a JavaScript API that is intended to allow users to stream mp4 or mov, instead of executing it "outside" of your browser. I guess you would be right to say that there could still be an exploit, like finding some buffer overflow vulnerability in a JavaScript media player API that controls your browser to execute arbitrary code. However, I can easily just say that even virtual machines are not safe either, and nothing is safe as long as you're executing somebody else's crafted code, so don't even open a computer. – AznBoyStride Jul 14 '18 at 18:40
  • ok, that's fair, you need an exploit to get out of the codec, and another to escape the browser's sandbox. – Adam Shostack Jul 14 '18 at 19:09
  • Also, a “good” proxy like a trusted VPN service will hide the fact that you are streaming pirated movies from your ISP. You may not get a virus from streaming pirated movies on the internet, but you may get caught doing so. – AznBoyStride Jul 14 '18 at 20:58
  • Streaming could exploit the OS via drive-by download. Though it might be possible a Chromebook is immune to being infected by a pirated streaming service or opening infected movies, I'm not sure. Running a live OS on USB without the computer's internal hard disk inside it may also be safe, since everything is in RAM and removed at shutdown. If the live OS is infected opening the files and the hard disk is removed, it couldn't write to it and should be contained in memory, then deleted? Maybe just streaming websites; it would still have access to an external hard disk, UEFI/BIOS. – Alister Jul 15 '18 at 09:51
  • As a general guideline, just don't open any untrusted files. By streaming movies using your browser, you are not opening any files, and if you don't open a file containing malicious code, then how is malicious code going to run on your computer? It is still theoretically possible for an attacker to exploit your browser to execute malicious code on your computer even though you didn't open any malicious files, but it is much more difficult for an attacker to do, especially with secured modern browsers. – AznBoyStride Jul 15 '18 at 21:27
  • @AznBoyStride this covers how you get infected by streaming, https://heimdalsecurity.com/blog/fmovies-utorrent-common-malware-infections/ this covers how you get infected visiting just a site even legit ones, https://heimdalsecurity.com/blog/how-drive-by-download-attacks-work/ – Alister Jul 16 '18 at 12:02
0

A couple of ideas come to mind:

  1. Live CD: This could be done on a device where ALL writable devices are disconnected prior to boot, and the live CD is on a device with read-only access (use a CD/DVD or a write blocker). Then access the files from this "one-time" volatile OS, on an air-gapped computer. This will ensure any potential malicious files are contained within a true sandbox.

  2. Virtual Machine: Although this method is not foolproof, it provides greater protection than not using a virtual machine. For this instance, I will use VirtualBox; be aware of VirtualBox vulnerabilities. This shows CVE vulnerabilities that have previously been discovered and patched for VirtualBox. Set up VirtualBox and create a new VM with your OS of choice. Disable the networking interfaces for that VM within VirtualBox, insert the ISO image and proceed to access the "malicious" files. The purpose is to contain any malware and dispose of the "infected" OS after usage.

Alternatively, Qubes OS is an option. "Whonix runs on top of Qubes as a VM (virtual machine), just like any other typical OS does in Qubes." Similarly, Qubes OS has VMs for different sessions and uses disposable VM sessions (volatile).

Consider looking into WMV files, which were designed to allow executable code. Ergo, malware was often bundled into WMV. Executable code can be bundled into AVI, MKV, and MP4. However, they were not intended for this purpose, hence it does not conceal well.

As for the website idea: while server-side languages will not be able to do significant damage to you, client-side code (JavaScript) can run within your browser. This could take advantage of a vulnerability within your browser and, presuming the browser uses sandboxing, could break out of it, making code execution within the OS possible. NoScript would be advisable here to disable JavaScript; also consider XSS, which has greater potential when HTTP (not secure) is used.

safesploit
  • 1
    Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/80329/discussion-on-answer-by-safesploit-how-to-safely-watch-pirated-movies-open-infe). – Rory Alsop Jul 18 '18 at 11:00
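The VirtualBox steps in this answer (new VM, networking disabled, ISO attached, dispose afterwards) as a script, added here as an example and not part of the original answer or of VirtualBox itself. It goes a little further than the text: it also turns off the shared clipboard, drag-and-drop, audio and USB passthrough, and it attaches no hard disk, so a live ISO runs purely in RAM and nothing survives a power-off. The VBoxManage option spellings are the VirtualBox 6.1 ones (an assumption; check `VBoxManage modifyvm` on your version), the VM name and ISO path are placeholders, and the isolation check parses `VBoxManage showvminfo --machinereadable` output, looking at the `nicN` and `usb` keys. By default the script only prints the commands it would run; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Provision a throwaway, network-less VirtualBox VM for opening untrusted files,
# check its isolation settings, and dispose of it afterwards.
# Added example for this answer, not code from the original post or from VirtualBox.
# VBoxManage flags are the VirtualBox 6.1 spellings (assumption). DRY_RUN=1 (default)
# prints the commands instead of running them.

vbox() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# create_isolated_vm NAME ISO [OSTYPE]
create_isolated_vm() {
    name=$1; iso=$2; ostype=${3:-Debian_64}
    vbox createvm --name "$name" --ostype "$ostype" --register
    # no NIC at all (not even host-only), no shared clipboard / drag-and-drop,
    # no audio device, no USB passthrough
    vbox modifyvm "$name" --memory 2048 --vram 64 \
        --nic1 none --nic2 none --nic3 none --nic4 none \
        --clipboard disabled --draganddrop disabled \
        --audio none --usb off
    # only a DVD drive with the ISO; no hard disk, so a live ISO has nowhere to persist
    vbox storagectl "$name" --name IDE --add ide
    vbox storageattach "$name" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$iso"
}

# check_isolation < output of `VBoxManage showvminfo NAME --machinereadable`
# -> 0 if every NIC is "none" and USB is off, 1 otherwise (each problem is printed)
check_isolation() {
    info=$(cat)
    bad=0
    for key in nic1 nic2 nic3 nic4; do
        printf '%s\n' "$info" | grep -qx "$key=\"none\"" \
            || { echo "$key is not disabled"; bad=1; }
    done
    printf '%s\n' "$info" | grep -qx 'usb="off"' \
        || { echo "USB passthrough is not off"; bad=1; }
    return $bad
}

# dispose_vm NAME: power off and delete the VM together with every file it owned
dispose_vm() {
    vbox controlvm "$1" poweroff
    vbox unregistervm "$1" --delete
}

# Usage: DRY_RUN=0 sh isolated-vm.sh create sandbox /path/to/live.iso
#        VBoxManage showvminfo sandbox --machinereadable | sh isolated-vm.sh check
#        DRY_RUN=0 sh isolated-vm.sh dispose sandbox
case "${1:-}" in
    create)  create_isolated_vm "$2" "$3" ;;
    check)   check_isolation ;;
    dispose) dispose_vm "$2" ;;
esac
```

Run the `check` step against the real `showvminfo` output before the first boot, because a NIC added later through the GUI would silently undo the isolation. Even with no NIC, the guest still shares the CPU and VirtualBox's device emulation with the host, which is where VM escape bugs live, so keep VirtualBox patched and treat the host as less trusted after a session than before it.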