Originally Published February 17, 2014.
Video files are not typically thought of as potentially malicious or infected file types, but it is possible for malware to be embedded in or disguised as a video file. Due to this common misconception, audio and video files are intriguing threat vectors for malware writers.
Why the Concern for Video Files?
- Media players are frequently used software, users tend to use them for an extended period of time leaving them open during other tasks, and frequently switch media streams.
- Many vulnerabilities are found in media players. NIST [1] shows more than 1,200 vulnerabilities from 2000 to 2014 [2]. In early 2020, NIST recorded a new high-severity vulnerability, CVE-2020-0002, in Android Media Framework.
- Attractive video content and high-speed internet leads users to download and share without paying attention, and as these files are perceived as relatively harmless, users are likely to play files given to them.
- The file formats involved are binary streams and tend to be reasonably complex. Much parsing is required to manipulate them, and playback calculations can easily result in integer bugs.
- The file is usually large; users are likely to skip scanning solutions to avoid performance impact.
- They are perceived as relatively harmless - users are likely to play files given to them.
- There are a wide variety of different audio players and many of different codecs and audio file plugins, all written by generally non-security-focused people.
- Users download videos from many unreliable sources, and the videos run with fairly high privilege and priority. For instance, in Windows Vista, a low-privileged Internet Explorer instance can launch content in a higher-privileged Windows Media Player.
- Videos are frequently invoked without the user's explicit acknowledgement (i.e. embedded in a web page) [3].
Typical Vulnerability Vectors
Fuzzing the media player by a modified video file
Fuzzing is a generic method to force a program to behave unexpectedly by providing invalid, unexpected, or random data to the inputs.
Fuzzing is designed to find deep bugs and is used by developers to ensure the robustness of code, however, a developer's best tool can be used to exploit the user as well. For media players, which are supposedly "format strict," a corrupted real video file can expose many bugs, most caused by dereferencing null pointers. This results in inappropriate memory access, which offers the possibility of writing to memory something that is not intended to be written [4]. Fortunately, fuzzing media players requires in-depth knowledge of the file format or else the corrupted file, will simply be ignored by the player.
Embedding hyperlinks in a video file
A more direct method is obtained by embedding a URL into modern media files.
For example, Microsoft Advanced System Format (ASF) allows for simple script commands to be executed. In this case, "URLANDEXIT" is placed at a specific address and following any URL. When this code executes, the user is directed to download an executable file, often disguised as a codec and prompting the user to download in order to play the media.
MetaDefender Cloud, OPSWAT's anti-malware multiscanning tool, has an example of one such file: https://metadefender.opswat.com/results#!/file/c88e9ff9e59341eba97626d5beab7ebd/regular/information.
The threat name is "GetCodec." In this example, the media player was redirected to a link to download a trojan. See the scanned trojan here.
Examples of File Type Exploits
Below is a table listing the popular media file formats that have been exploited by routing the user to malicious sites or executing arbitrary codes remotely on target users’ systems.
| File Format | Detection | Description |
| Windows .wma/.wmv | Downloader-UA.b | Exploits flaw in Digital Rights Management |
| Real Media .rmvb | W32/Realor.worm | Infects Real Media files to embed link to malicious sites |
| Real Media .rm/.rmvb | Human crafted | Launches malicious web pages without prompting |
| QucikTime.mov | Human crafted | Launches embedded hyperlinks to p*rnographic sites |
| Adobe Flash.swf | Exploit-CVE-2007-0071 | Vulnerability in DefineSceneAndFrameLabelData tag |
| Windows.asf | W32/GetCodec.worm | Infects .asf files to embed links to malicious web pages |
| Adobe Flash.swf | Exploit-SWF.c | Vulnerability in AVM2 "new function" opcode |
| QuickTime.mov | Human crafted | Executes arbitrary code on the target user's system |
| Adobe Flash.swf | Exploit-CVE-2010-2885 | Vulnerability in ActionScript Virtual Machine 2 |
| Adobe Flash.swf | Exploit-CVE2010-3654 | Vulnerability in AVM2 MultiName button class |
| Windows .wmv | Exploit CVE-2013-3127 | WMV Video Decoder Remote Code Execution Vulnerability |
| Matroska Video .mkv | Exploit-CVE2019-14438 | Vulnerability in VLC, executes arbitrary code with privileges on the target user's system |
Solutions
Many anti-malware vendors now have added detection by looking for the URL signatures inside media type files. OPSWAT MetaDefender Multiscanning technology leverages 35+ anti-malware engines and significantly improves detection of known and unknown threats. Deep CDR also supports video and audio file formats and can help to prevent Zero Day attacks. MetaDefender’s file-based vulnerability assessment technology can detect vulnerabilities in media player installers before they are installed.
If you don’t have OPSWAT Solutions, you need to pay more attention to media files, do not view untrusted files, never run media players with elevated privileges, and don't accept downloads of unknown codecs or strange licenses. Always keep your media player software up-to-date to avoid vulnerabilities.
References
[1]National Vulnerability Database.
[2]Killer Music: Hackers Exploit Media Player Vulnerabilities.
[3]David Thiel. "Exposing Vulnerabilities in Media Software".
[4]Colleen Lewis, Barret Rhoden, Cynthia Sturton. "Using Structured Random Data to Precisely Fuzz Media Players".
Tags:
- MetaDefender Cloud ,
- Deep CDR Technology ,
- Multiscanning Technology
