
Thread: How does an MP3 contain a Virus???

  1. #1
    Join Date
    May 2003
    Posts
    896
    Rep Power
    0

    Default How does an MP3 contain a Virus???

    Explain this to me please.

  2. #2
    Join Date
    Aug 2002
    Posts
    1,236
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    mp3 virus? probably not
    http://www.f-secure.com/hoaxes/mp3vir.shtml

    mp3s that cause buffer overflow? That's a different story
    http://www.cert.org/advisories/CA-2002-37.html

  3. #3
    Join Date
    May 2003
    Posts
    896
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    I thought a virus/trojan/worm/logic bomb had to be an 'exe' file or a vb script of some sort to get things going. If I'm correct then how does an mp3 contain a virus. Wouldn't the player have to interpret/compile the virus/trojan code in the mp3 itself to get the ball rolling? What language is the trojan or worm written in?

  4. #4
    Join Date
    May 2003
    Posts
    896
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    [quote author=pigeonflight link=board=5;threadid=1247;start=0#msg11633 date=1058199453]
    mp3 virus? probably not
    http://www.f-secure.com/hoaxes/mp3vir.shtml

    mp3s that cause buffer overflow? That's a different story
    http://www.cert.org/advisories/CA-2002-37.html
    [/quote]

    So basically the story isn't true then?

  5. #5
    Join Date
    Mar 2003
    Posts
    1,700
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    I followed the links posted by pigeonflight. However, since I've seen this done m'self, I have no reason to think it's a hoax.

    Have you ever heard of a program called BackOrifice? BackOrifice has a module that allows you to wrap a trojan virus with an exe file or even an MPEG layer so that you can mail this new exe or movie to an unsuspecting person. When you execute the file, it plays to a point, and then crashes.

    The trick is, when it crashes (or in the case of MP3 files, produces noise) that's where the wrapping ends and the trojan begins. I'm not saying that all MP3 files that have glitches are like this, but you do not know for sure which files have this wrapping and which do not.

    When I was a teenager, we used to wrap a NetBus trojan with an MPEG movie layer and pass it around to our friends so that we could gain access to their PCs using a NetBus client and do crazy things like sending them cryptic messages via Windows' built-in Messenger service, or fool around with their programs in memory, eject their CD-ROM drives, or in the case of one malicious person we wanted to get back at, format their hard drive.... we were pretty evil then.

    I've done it before, and that was back in 1997. There's no reason why they could not have done it for MP3s today. BackOrifice had a tool that allowed you to wrap trojans into EXE files and such. Later, we discovered one that wrapped trojans in MPEG files.

    The RIAA and the MPAA were actually proposing these methods to the courts for targeting people who infringe on the copyright act by downloading movies and music through peer to peer networks. That's why the court could not authorise such moves because they constitute hacking and it would just be breaking one law to enforce another. Furthermore, as I've said, it would be infringing on the Internet Copyright act signed by Bill Clinton in 1995.

    I don't care how many websites out there say it's a hoax. They are probably put there to make you not believe in that sorta thing, thus perpetuating the chaos. If the MPAA and the RIAA were thinking about doing this, how could it possibly be a hoax? Furthermore, this is something I have done myself in the past when I was younger and immature, albeit, with MPEG files, not MP3 files. Therefore I have no reason to believe that it's impossible.

    If you choose to continue thinking that it is a hoax, that's your problem. :P

  6. #6
    Join Date
    May 2003
    Posts
    3,041
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    [quote author=Xenocrates link=board=5;threadid=1247;start=0#msg11644 date=1058201948]
    I followed the links posted by pigeonflight. However, since I've seen this done m'self, I have no reason to think it's a hoax.

    Have you ever heard of a program called BackOrifice? BackOrifice has a module that allows you to wrap a trojan virus with an exe file or even an MPEG layer so that you can mail this new exe or movie to an unsuspecting person. When you execute the file, it plays to a point, and then crashes.

    The trick is, when it crashes (or in the case of MP3 files, produces noise) that's where the wrapping ends and the trojan begins. I'm not saying that all MP3 files that have glitches are like this, but you do not know for sure which files have this wrapping and which do not.

    When I was a teenager, we used to wrap a NetBus trojan with an MPEG movie layer and pass it around to our friends so that we could gain access to their PCs using a NetBus client and do crazy things like sending them cryptic messages via Windows' built-in Messenger service, or fool around with their programs in memory, eject their CD-ROM drives, or in the case of one malicious person we wanted to get back at, format their hard drive.... we were pretty evil then.

    I've done it before, and that was back in 1997. There's no reason why they could not have done it for MP3s today. BackOrifice had a tool that allowed you to wrap trojans into EXE files and such. Later, we discovered one that wrapped trojans in MPEG files.

    The RIAA and the MPAA were actually proposing these methods to the courts for targeting people who infringe on the copyright act by downloading movies and music through peer to peer networks. That's why the court could not authorise such moves because they constitute hacking and it would just be breaking one law to enforce another. Furthermore, as I've said, it would be infringing on the Internet Copyright act signed by Bill Clinton in 1995.

    I don't care how many websites out there say it's a hoax. They are probably put there to make you not believe in that sorta thing, thus perpetuating the chaos. If the MPAA and the RIAA were thinking about doing this, how could it possibly be a hoax? Furthermore, this is something I have done myself in the past when I was younger and immature, albeit, with MPEG files, not MP3 files. Therefore I have no reason to believe that it's impossible.

    If you choose to continue thinking that it is a hoax, that's your problem. :P
    [/quote]

    What you are referring to are the many trojan packaging tools freely available to you. However, I have never seen an mp3 crash winamp before. Not that it cannot be done, especially if a large string-pulling group like the RIAA spends alotta money researching it.
    Not only that, any function or procedure written in a malicious virus must be invoked. A crash would not invoke this unless something was already listening in the background. In other words, how would the wrapped code be executed?


  7. #7
    Join Date
    Aug 2002
    Posts
    1,257
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    From my knowledge, I think what they exploit is a flaw in the MP3 player, and not so much wrapping the virus code into the mp3 file......

    Remember the flaw in Windows Media Player a while back? More than likely they are exploiting the player, not the actual file itself...

  8. #8
    Join Date
    May 2003
    Posts
    896
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    Virii need to be executed by performing the appropriate action associated with the file, double clicking for an exe file and having the associated runtime files for a VB script. Now if an MP3 had a virus in it, what format would the virus be in?

    Wouldn't the actual program doing the playing/executing of the file have to be written to execute code in the mp3 or mpeg file?

    Xeno could wrap a file and put it for me to upload if you don't mind ;D. This is real interesting and I'd really like to see this working.

  9. #9
    Join Date
    May 2003
    Posts
    2,546
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    you are approaching the issue wrong. ok, let's approach from the opposite angle.
    you are basically viewing the player as the controller. it calls the file and it executes a set of routines on the file and so the file is a slave. right.
    but, the following is also true.
    the player is an engine and the file is the given set of instructions that determine how the player is gonna respond. the engine has a set of rules that must be stayed within in order for it to perform correctly.
    as mentioned above by pigeon, buffer overflows are one condition where the instruction has stepped outside of the rule box. this is known as an exploit.
    now let's say you really understand how these engines work, then it wouldn't be too difficult for you to exploit other rules that exist in the engine which aren't used.
    a real example of this comes when the programming isn't done clean. what i mean is, whenever you write code, you tend to use the standard include files, in C they are your 'h' or 'include' files.
    if the compiler doesn't strip the code it doesn't need, then you have calls sitting around that can be utilised, once you know how.
    remember that jpg picture that did its rounds on the net some time back? it would display the contents of the C drive on your computer whenever you ran it in iexplorer. just an example of exploiting redundant coding by slipping in calls. normally kept in the header sections of the infected files.
    virus checkers check these files for fingerprints for these kinda illegal calls. the virus checker must know beforehand what it's looking for, hence it's a game of catchup. this is why they scan files and look for irregular coding, anything out of the ordinary will trigger the alert.
    hope this helps.

    in order to LEARN more on these issues and make you a better system defender.....check out new order and get to grips with some of their tutorials. they can be used for good or bad but it's best to at least learn how to implement good security against these things in your career as sys or network admins. ;D 8)
    http://neworder.box.sk/index.php
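
Added illustration, not part of any post in this thread and not code from any real player: a minimal C sketch of the buffer-overflow condition the replies above refer to, with the unchecked copy beside a bounds-checked one. The tag layout ("TAG", a 1-byte declared length, then the title bytes), the 32-byte buffer and the function names are assumptions made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TITLE_MAX 32   /* player's fixed-size title buffer (assumed) */

/* Constructed layout for illustration only: "TAG", one byte giving the
 * declared title length, then the title bytes. Not a real MP3 tag format. */

/* Unchecked: trusts the length byte stored in the file. A declared length
 * of TITLE_MAX or more writes past `title` into adjacent memory, which is
 * how data in a media file ends up steering the player. */
void read_title_unchecked(const uint8_t *file, char *title)
{
    size_t declared = file[3];
    memcpy(title, file + 4, declared);      /* no bounds check */
    title[declared] = '\0';
}

/* Checked: returns 0 on success, -1 if the file is malformed. */
int read_title_checked(const uint8_t *file, size_t file_len, char *title)
{
    if (file_len < 4 || memcmp(file, "TAG", 3) != 0)
        return -1;                          /* too short or wrong magic */
    size_t declared = file[3];
    if (declared > file_len - 4)
        return -1;                          /* length runs past end of file */
    if (declared >= TITLE_MAX)
        return -1;                          /* would not fit with the NUL */
    memcpy(title, file + 4, declared);
    title[declared] = '\0';
    return 0;
}

/* Constructed samples: one well-formed, one declaring a 200-byte title. */
static const uint8_t GOOD[] = { 'T', 'A', 'G', 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BAD[4 + 200] = { 'T', 'A', 'G', 200 };

int main(void)
{
    char title[TITLE_MAX];
    int ok  = read_title_checked(GOOD, sizeof GOOD, title);  /* accepted */
    int rej = read_title_checked(BAD, sizeof BAD, title);    /* rejected */
    return (ok == 0 && rej == -1) ? 0 : 1;
}
```

The checked version rejects the file instead of playing it; the unchecked version is only safe on inputs whose declared length happens to fit.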

  10. #10
    Join Date
    Mar 2003
    Posts
    1,700
    Rep Power
    0

    Default Re:How does an MP3 contain a Virus???

    Thank you deakie.

    I was going to ask folks if they have ever written a virus before or seen the code for a virus. From my very limited experience, a virus is almost NEVER an executable file.

    The code in a virus is just one BIG loop. Polymorphic virii use C++'s polymorphic functions to make various virtual function calls via a superclass / subclass hierarchy. Each subclass is a new instance of the virus with additional functionality.

    To get a virus to do its thing, all you have to do is to get it into memory. The file to which a virus is compiled is rarely an exe file. How you get it into memory is irrelevant. I have seen JPEG files that transport virii. I have seen Compuserve GIFs transport deadly macros. I have seen Wordperfect documents load NATAS to kill hard drives.

    The bottom line is this:

    For any file to be used, it has to first be loaded into memory. If you place a virus into active RAM, you don't need to tell it to run, it runs automatically, just like any exe file.

    The EXE extension merely allows Windows end users to differentiate between files that are executable and files that are not. Because, as I'm sure you already know, DLL files are often executable, as well as MSI, and SYS files. All executable files however, have a similar header instruction set. If you have written code in Assembly, you will know this. This instruction set merely tells the loading module to execute the code. Therefore, a virus doesn't need an EXE extension. All it needs to do is to get into memory. Only executable files execute and stay in memory (remember, executable files aren't limited to exe files) and will only exit once their exit condition is met.

    [More to come...]
