
Watch your Torrents: Video Files Can Get You Infected, Advisory Claims

Multimedia files are one category of content that has been somewhat shielded from malicious attacks. Until now.

Audio and video files make up a significant chunk of the content available on the web and, except for some families of malware such as Wimad, they have been out of the reach of malware creators. However, a bug in FFMPEG, an open-source library that powers a wide range of media players, video converters and video rippers, can get you infected if you open the wrong file.

FFMPEG Logo. Image courtesy of ~barrymieny

According to two separate advisories issued by Secunia and Microsoft, respectively, the flaw affects all versions of FFMPEG up to and including 0.11.2. More to the point, the bug resides in the libavcodec.dll library responsible for encoding, decoding and transcoding files from and to various formats. When a user tries to play a specially-crafted ASF, QuickTime (QT) or Windows Media Video (WMV) file, the local memory gets corrupted, which may allow execution of arbitrary code – a.k.a. “having malware installed on the fly.”

The good thing is that ASF, QT and WMV files are not quite so popular that you stumble upon them while browsing the Internet, but they are extremely popular in the dark corners of the web, such as torrent sites, piracy resources or even the old-fashioned Direct Connect / E-Mule file-sharing services, where they impersonate blockbuster movies soon-to-be-released on Blu-Ray.

This is not the first attempt at planting malware on users’ PCs via multimedia files: they look relatively inconspicuous, are rarely scanned by AV solutions since they are not executable, and are found in abundance. Since 2008, many families of malware such as Trojan.Wimad have tried to fool Windows Media Player users into opening the file and installing the recommended codecs, which turned out to be adware and rogue video file players.

However, the FFMPEG incident is much broader, as FFMPEG is a core component that powers a wide range of codec packs or video and audio players such as MPlayer, GOMPlayer, KMPlayer and VLC, and is also used in Google Chrome for various rendering purposes required by HTML5.

The new version of FFMPEG (1.0), released in September, is not vulnerable anymore. But simply replacing the DLL file of your favorite vulnerable media-player won’t do the trick, as these libraries are rarely compatible with newer versions. So, until a security fix becomes available for your player, keep a close eye on where you’re downloading your videos from and try to stay away from the mentioned formats.
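Staying away from the affected formats is easier when files are identified by content rather than by name, since a downloaded "movie" can carry any extension. The sketch below is an added example, not part of the original article or of FFMPEG: it flags ASF/WMV and QuickTime containers by their leading bytes so they can be set aside until the player is patched. The function names and the extension table are assumptions, and the QuickTime check is a heuristic based on common leading atoms.

```python
import sys
from pathlib import Path
from typing import Optional

# ASF Header Object GUID: the first 16 bytes of every .asf/.wmv/.wma file.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
# Atom types that usually open a QuickTime file when there is no 'ftyp' atom.
QT_LEADING_ATOMS = {b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}
# Extensions under which each container is normally distributed (assumed list).
USUAL_EXTENSIONS = {"asf": {".asf", ".wmv", ".wma"}, "quicktime": {".mov", ".qt"}}


def sniff_container(head: bytes) -> Optional[str]:
    """Classify a file from its first 16 bytes: 'asf', 'quicktime' or None."""
    if head[:16] == ASF_HEADER_GUID:
        return "asf"
    atom_type = head[4:8]  # QuickTime atoms: 4-byte size, then 4-byte type
    if atom_type == b"ftyp":
        # 'ftyp' is shared with MP4; only the 'qt  ' brand means QuickTime.
        return "quicktime" if head[8:12] == b"qt  " else None
    if atom_type in QT_LEADING_ATOMS:
        return "quicktime"
    return None


def find_affected_files(root):
    """Return (path, container, disguised) for ASF/QuickTime files under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                kind = sniff_container(fh.read(16))
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if kind:
            # A mismatch between content and extension deserves extra suspicion.
            disguised = path.suffix.lower() not in USUAL_EXTENSIONS[kind]
            hits.append((str(path), kind, disguised))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, kind, disguised in find_affected_files(root):
        note = " (extension does not match content)" if disguised else ""
        print(f"{kind:9} {name}{note}")
```

Run it against a download directory; only the first 16 bytes of each file are read, so nothing is ever handed to a decoder.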

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.