Based on existing answers, I found out that viruses can "hide" in a video by exploiting the software/libraries used to open the video, say ffmpeg. But my question is:

If a video contains such malicious code, can the video itself still be playable and function normally, making it very hard for the user to detect?

And are there any limits to what such a virus can do, such as escaping a virtual environment?

The operating system I'm referring to is Linux, if that matters.

2 Answers

Technically, it's not the virus (1) per se that hides in the video but specially crafted media data. The data can exploit either a vulnerability that will cause the media player to misbehave (e.g. for vlc or media player) or loose rules about extended media content (Note: link to an article that advertises a product - I'm not affiliated with it, though).

[...] can the video itself still be playable and function normally [...]

It depends on the attack method. Exploiting a vulnerability of the media player usually disrupts the normal flow of the player - so you'll be able to notice it. If you are just redirected to a "codec download" and tricked into executing malware, then you won't notice anything (at least the first time, because if you keep being redirected then obviously something's wrong).

[...] are there any limits to what such a virus can do [...]

Depends on the account privileges with which the malware infects your system. If you are infected while being a non-privileged user then there are some limits and constraints on what the malware can do. If, however, the malware infects the system when you are a privileged user (e.g. admin) or it has a way to escalate its privileges (e.g. kernel exploit) then all bets are off.


(1) You can, however, trick an MS-Windows user into thinking that an executable malicious program ending in e.g. .mp4.exe is just a video and execute the malware directly, but this is a different discussion.

Spyros

In this answer, I address with technical citations what kinds of exploits have been discovered in videos. One such exploit listed is an arbitrary code execution vulnerability in libavformat, which is used as a library in ffmpeg.

An arbitrary code execution vulnerability means you can do anything given the permission level. This includes executing a payload that does the exact thing you're intending to do. The exploit in the question linked above attaches to Vividas VIV header parser for their video files. You would have to craft a header on this file that basically,

  • Copies in runtime or stores for the arch a backup of the code you're overwriting.
  • Stores a payload at a specific place you know will execute, which
    • Does something.
    • Restores or executes the copy.

In the case of header parsing that's pretty easy, since that's probably only run once on a video load.

It's substantially harder to find an arbitrary code execution vulnerability than to maintain the user-experience during execution.

Evan Carroll
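The header-parsing bugs both answers describe come from a demuxer trusting length fields in the container. As an added example (not from either answer, and not ffmpeg/libavformat code), here is a defender-side pre-check that walks the top-level boxes of an ISO BMFF (MP4) file and reports declared sizes that overrun the file or are smaller than the box's own header, which are exactly the inconsistencies that a trusting parser turns into an out-of-bounds read or write. The MP4 box layout is assumed here as a stand-in for the Vividas VIV header mentioned above; the sample inputs are constructed, not real media.

```python
import struct

HEADER_LEN = 8  # 32-bit big-endian size field followed by a 4-byte box type


def check_mp4_boxes(data: bytes) -> list:
    """Walk the top-level ISO BMFF boxes of `data` and return a list of
    inconsistencies (an empty list means the box layout is self-consistent).
    Only the length fields are checked; box contents are never decoded."""
    problems, offset, total = [], 0, len(data)
    while offset < total:
        if total - offset < HEADER_LEN:
            problems.append(f"truncated box header at offset {offset}")
            break
        size, btype = struct.unpack(">I4s", data[offset:offset + HEADER_LEN])
        name = btype.decode("latin-1")
        header = HEADER_LEN
        if size == 1:  # 64-bit "largesize" follows the type field
            if total - offset < 16:
                problems.append(f"box {name!r} at {offset}: truncated largesize field")
                break
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
            header = 16
        elif size == 0:  # box runs to end of file (only legal for the last box)
            size = total - offset
        if size < header:
            problems.append(f"box {name!r} at {offset}: size {size} is smaller than its own header")
            break
        if size > total - offset:
            problems.append(f"box {name!r} at {offset}: declared size {size} overruns the {total}-byte file")
            break
        offset += size
    return problems


def box(btype: bytes, payload: bytes = b"", declared_size: int = None) -> bytes:
    """Build a box; `declared_size` lets a test forge an inconsistent length field."""
    size = len(payload) + HEADER_LEN if declared_size is None else declared_size
    return struct.pack(">I4s", size, btype) + payload


# Constructed sample inputs (not real media): one well-formed layout and two forged ones.
GOOD_FILE = box(b"ftyp", b"isom" + b"\x00" * 4) + box(b"moov", b"\x00" * 16) + box(b"mdat", b"\xff" * 32)
OVERRUN_FILE = box(b"ftyp", b"isom") + box(b"moov", b"\x00" * 8, declared_size=0x7FFFFFFF)
UNDERSIZE_FILE = box(b"ftyp", b"isom") + box(b"moov", b"\x00" * 8, declared_size=4)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_FILE), ("overrun", OVERRUN_FILE), ("undersize", UNDERSIZE_FILE)):
        print(label, check_mp4_boxes(blob) or "ok")
```

A check like this only catches structural inconsistencies, not a valid layout whose decoded contents trigger a codec bug, so it complements rather than replaces running the player as an unprivileged, sandboxed user.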