EPTIs there anyway for me to put a virus/trojan into that .mp3, and then send it to somebody else?
If something has a known tag like .mp3, or .txt, its safe correct?
As long as it's not .dll or .exe?
Question about keyloggers / Viruses
| Blogs > kdog3683 |
|
kdog3683
United States916 Posts
Is there anyway for me to put a virus/trojan into that .mp3, and then send it to somebody else? If something has a known tag like .mp3, or .txt, its safe correct? As long as it's not .dll or .exe? | ||
|
paper
13196 Posts
| ||
|
DeadVessel
United States6269 Posts
| ||
IntoTheWow
is awesome32268 Posts
| ||
|
kdog3683
United States916 Posts
On August 02 2008 09:09 IntoTheWow wrote: Who do you want to infect lol Don't want to infect anyone lol Just incase sombody sends me a .mp3 or video, I want to make sure no keylogger comes with -~ | ||
|
XCetron
5225 Posts
| ||
|
0xDEADBEEF
Germany1235 Posts
Other files are usually just for storing data in a certain format. MP3 is a simple audio format, there's nothing in there that your computer will execute by default. However, there might be a tiny chance that the music player you use won't handle a malformed/manipulated MP3 file correctly, and if that's the case, there MIGHT be a way to smuggle executable code into it. In the past there was one version of Winamp which allowed for "virus MP3s": play a MP3 and code gets executed, just like with a .exe. This requires the player to have a bug which allows that, though... and that's really almost never the case, I think it happened only that one time, and that's years back. More interesting are file formats like .doc/.xls and the like which contain normal data but also scripts/macros. Macro viruses exist, so a .doc/.xls etc. could be used to execute code, but the programs which open these files (e.g. MS Office) of course won't allow every action a macro script wants to do (would you like opening a .doc and "format c: /quicktest" is executed in the background?). So basically a macro virus can ONLY do something nasty if Office allows it respectively has a bug which allows the virus to bypass the protection. Years ago this was often the case because MS programs were quite insecure, but they are much more secure these days. So there's an additional layer of security which makes it hard for macro viruses to affect the system. Generally, only real executable files are a threat. For the rest, it's either impossible or very hard to find a way to execute code from it. | ||
|
XCetron
5225 Posts
| ||
|
HeadBangaa
United States6512 Posts
The funnest part about microhacking is the social engineering~ | ||
|
fusionsdf
Canada15390 Posts
remember jpgs being used for this kind of stuff? | ||
|
DamageControL
United States4222 Posts
On August 02 2008 11:23 HeadBangaa wrote: If you want to be evil, compile your trojan and bind it with an executable that simply displays an error message "Wrong Windows version. Windows 95 required", name the extension of the resulting executable to ".scr" and tell people it's a screen saver. The funnest part about microhacking is the social engineering~ Your evil, pure evil! | ||
|
Night[Mare
Mexico4793 Posts
| ||
GHOSTCLAW
United States17042 Posts
if you just watch out for executables (and most of the time a decent antivirus program will figure it out) then you should be fine. | ||
Jibba
United States22883 Posts
On August 02 2008 11:12 0xDEADBEEF wrote: Roughly speaking, there are two types of files: executables and everything else. The most common executables are .exe, .scr, .com, .lnk (shortcut), and several scripts like .bat, .vbs, .wsh and so on. There are more. Other files are usually just for storing data in a certain format. MP3 is a simple audio format, there's nothing in there that your computer will execute by default. However, there might be a tiny chance that the music player you use won't handle a malformed/manipulated MP3 file correctly, and if that's the case, there MIGHT be a way to smuggle executable code into it. In the past there was one version of Winamp which allowed for "virus MP3s": play a MP3 and code gets executed, just like with a .exe. This requires the player to have a bug which allows that, though... and that's really almost never the case, I think it happened only that one time, and that's years back. http://www.infoworld.com/article/08/05/06/Trojan-adware-hiding-in-MP3s-McAfee-says_1.html | ||
|
kdog3683
United States916 Posts
| ||
|
Jibba
United States22883 Posts
| ||
|
anotak
United States1537 Posts
http://milw0rm.com/ - exploits found every day, and that's not the only site like that ex. on the 29th was found "CoolPlayer m3u File Local Buffer Overflow Exploit" On August 02 2008 15:17 kdog3683 wrote: Anyway to distinguish between these fakes and legit mp3's before you run it? not unless you want to learn asm | ||
|
0xDEADBEEF
Germany1235 Posts
On August 02 2008 14:31 Jibba wrote: http://www.infoworld.com/article/08/05/06/Trojan-adware-hiding-in-MP3s-McAfee-says_1.html Hm interesting, but I just searched for details and it's like this: These “MP3″ files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler - ie. default browser). Not all media players support this functionality. So basically it's just a deception thing... a bit like renaming .mp3 to .mp3.exe and hoping the user has hidden file extensions. The thing is, MP3 files have no such functionality by default, so if you try to play a MP3 and your media player directs you to a URL you know that there's something wrong about this file (i.e. it's NOT actually a .mp3) and that they want you to download malware. Opening the file, though, does not by itself harm you unless you use this trick and direct the browser to a webpage which tries to exploit a security hole in the browser. If that's not the case (and it's hard to do so), then just playing the file and seeing this page pop up isn't doing anything yet; this trick mostly relies on user stupidity ("you need a codec please download this .exe"). And if you just use a music player which doesn't support playing .asf named as .mp3 and doesn't support such redirection URLs then nothing happens at all. The MP3 format is inherently safe, like I wrote. This is really more of a deception/social engineering trick because it's a file format disguised as another one. A good player should have no problem detecting this. What I wrote about was about REAL MP3s, and in that case it's practically impossible to sneak malware into them unless a certain player has a certain weakness in reading MP3s in general which allows code to be executed. | ||
MasterOfChaos
Germany2896 Posts
With DEP+ASLR these bugs are harder to exploit. | ||
|
anotak
United States1537 Posts
On August 02 2008 22:18 0xDEADBEEF wrote: So basically it's just a deception thing... a bit like renaming .mp3 to .mp3.exe and hoping the user has hidden file extensions. The thing is, MP3 files have no such functionality by default, so if you try to play a MP3 and your media player directs you to a URL you know that there's something wrong about this file (i.e. it's NOT actually a .mp3) and that they want you to download malware. Opening the file, though, does not by itself harm you unless you use this trick and direct the browser to a webpage which tries to exploit a security hole in the browser. If that's not the case (and it's hard to do so), then just playing the file and seeing this page pop up isn't doing anything yet; this trick mostly relies on user stupidity ("you need a codec please download this .exe"). And if you just use a music player which doesn't support playing .asf named as .mp3 and doesn't support such redirection URLs then nothing happens at all. The MP3 format is inherently safe, like I wrote. This is really more of a deception/social engineering trick because it's a file format disguised as another one. A good player should have no problem detecting this. What I wrote about was about REAL MP3s, and in that case it's practically impossible to sneak malware into them unless a certain player has a certain weakness in reading MP3s in general which allows code to be executed. I'm familiar with this vulnerability. It's not a deception trick. The mp3 file is listed AS AN mp3 file. the file name is not .mp3.asx. Windows Media Player will open the "mp3" file and notice that it is NOT an mp3 file and then decide to try it as an asx file. gg. also, mp3 is not that inherently secure. all file formats are POTENTIALLY vulnerable to a buffer overflow exploit of one variety or another. looking at milworm, here's several media-file-format related exploits, and that's just with a quick search: Windows Media Player 6.4 MP4 File Stack Overflow PoC RealPlayer 10 ".smil" File Local Buffer Overflow Exploit AtomixMP3 2.3 (pls File) Local Buffer OverFlow Exploit Acoustica MP3 CD Burner 4.32 Local Buffer Overflow PoC mpg123 0.59r Malformed mp3 (SIGSEGV) Proof of Concept | ||
| ||
