Can FLAC be used to run Malicious Code?, ie, can playing an infected flac file infect your computer?
crozone
post Apr 20 2012, 13:49
Post #1





Group: Members
Posts: 1
Joined: 20-April 12
Member No.: 99025



Ok, so firstly I'd like to start off by saying that all FLAC files in question are coming from an external source. However, they are being used to replace an extensively damaged, legally owned disk, so please, please, please don't give me all that DMCA stuff. I like to buy my music.

Secondly I'll say that I'm exactly new to computers, and I realise that this at first sounds like kind of a trivial question, so I apologise for that.

Basically I have some FLAC files that Microsoft Security Essentials has picked up as trojans, before I even did anything with the files, so they are currently sitting dormant.

Normally I would say that they are false positives thrown up by MSE's heuristics, except that they are Trojan:JS/Pdfjsc.Y and Exploit:JS/Neosplit.A, in two separate files.

I understand that in order for the files to actually do anything, they have to be run as executable code, which in theory, is impossible for a FLAC file. But are there any known exploits in older FLAC decoders that could possibly allow a trojan to run itself? (i.e., a buffer overrun or something like the Windows picture viewer TIFF exploit).

If not, why would a FLAC file have a virus attached anyway? Or has the original owner allowed a rather stupidly coded trojan to arbitrarily infect the files, because it can?

I should probably just bite the bullet, open them, and have foobar tell me that they're both corrupted, but I'm ultra paranoid about these things. Is it worth creating a throwaway virtual machine just to see what happens?

Thanks.


tpijag
post Apr 20 2012, 14:20
Post #2





Group: Members
Posts: 2352
Joined: 19-May 08
Member No.: 53637



Run a different AV program on the files. If you don't want to download a complete AV program, there are many anti virus programs that also offer an online version. Pick a few and run them on the files.

Download the files from a different source.
hlloyge
post Apr 20 2012, 14:49
Post #3





Group: Members
Posts: 698
Joined: 10-January 06
From: Zagreb
Member No.: 27018



Just because it has a FLAC extension doesn't mean it's a FLAC file :)
God knows what it is, really.
To my knowledge, you can't pick up any nastiness with flac files - but to be sure, load them up in some tag editor, and see if there isn't something attached to them in tags.
Brand
post Apr 20 2012, 17:09
Post #4





Group: Members
Posts: 318
Joined: 27-November 09
Member No.: 75355



If they are genuine FLAC files, I guess they could contain some malicious JPG images..

I could take a look at them.
I also suggest uploading them to VirusTotal or similar.

This post has been edited by Brand: Apr 20 2012, 17:11
Nessuno
post Apr 20 2012, 17:53
Post #5





Group: Members
Posts: 423
Joined: 16-December 10
From: Palermo
Member No.: 86562



Why not simply try a flac -t filename.flac from CLI, to start, then if they really are flac files, take a look at their metadata with metaflac?
Of course, all this from an unprivileged user (which is always a very good thing to do to stay on the safer side!).


--------------------
... I live by long distance.
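
The structural check suggested in posts #3 and #5 (is it really FLAC, and what sits in its metadata?), as an added example that is not part of the original thread and is not code from the FLAC project. It walks the metadata block chain as laid out in the FLAC format specification without decoding any audio; the names `triage`, `vorbis_comments` and `SAMPLE` are hypothetical, and files with an ID3v2 prefix or Ogg encapsulation are reported as "bad magic".

```python
import struct

TYPES = ["STREAMINFO", "PADDING", "APPLICATION", "SEEKTABLE", "VORBIS_COMMENT", "CUESHEET", "PICTURE"]

def vorbis_comments(body):
    """KEY=value strings of a VORBIS_COMMENT block (lengths are little-endian)."""
    (vendor_len,) = struct.unpack_from("<I", body, 0)
    (count,) = struct.unpack_from("<I", body, 4 + vendor_len)
    off, tags = 8 + vendor_len, []
    for _ in range(count):
        (n,) = struct.unpack_from("<I", body, off)  # struct.error if past the end
        if off + 4 + n > len(body):
            raise ValueError("comment overruns its block")
        tags.append(body[off + 4:off + 4 + n].decode("utf-8", "replace"))
        off += 4 + n
    return tags

def triage(data):
    """Walk the metadata blocks of a would-be FLAC file without decoding any audio."""
    rep = {"is_flac": data[:4] == b"fLaC", "blocks": [], "tags": [], "pictures": [], "notes": []}
    if not rep["is_flac"]:
        rep["notes"].append(f"bad magic {data[:4]!r}")
        return rep
    pos, last = 4, False
    while not last:
        header = data[pos:pos + 4]
        length = int.from_bytes(header[1:], "big")
        body = data[pos + 4:pos + 4 + length]
        try:
            if len(header) < 4 or len(body) < length:
                raise ValueError("block runs past end of file")
            last, btype = bool(header[0] & 0x80), header[0] & 0x7F
            rep["blocks"].append((TYPES[btype] if btype < 7 else f"type {btype}", length))
            if btype == 4:
                rep["tags"] += vorbis_comments(body)
            elif btype == 6:  # PICTURE: big-endian picture type, MIME length, MIME string, ...
                mime_len = int.from_bytes(body[4:8], "big")
                rep["pictures"].append(body[8:8 + mime_len].decode("ascii", "replace"))
        except (struct.error, ValueError) as exc:
            rep["notes"].append(f"malformed metadata at offset {pos}: {exc}")
            break
        pos += 4 + length
    return rep

# Constructed sample: STREAMINFO (34 zero bytes) followed by one tag block marked "last".
_vc = struct.pack("<I", 4) + b"test" + struct.pack("<II", 1, 11) + b"TITLE=Hello"
SAMPLE = b"fLaC\x00\x00\x00\x22" + bytes(34) + b"\x84" + len(_vc).to_bytes(3, "big") + _vc
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A file that fails the magic check, or whose report lists unexpected block types, odd picture MIME types or script-like tag values, is worth a closer look before any player or decoder opens it.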
saratoga
post Apr 21 2012, 04:16
Post #6





Group: Members
Posts: 5038
Joined: 2-September 02
Member No.: 3264



QUOTE (crozone @ Apr 20 2012, 08:49) *
Basically I have some FLAC files that Microsoft Security Essentials has picked up as trojans, before I even did anything with the files, so they are currently sitting dormant.


Probably just a mistake.

QUOTE (crozone @ Apr 20 2012, 08:49) *
I understand that in order for the files to actually do anything, they have to be run as executable code, which in theory, is impossible for a FLAC file. But are there any known exploits in older FLAC decoders that could possibly allow a trojan to run itself? (i.e., a buffer overrun or something like the Windows picture viewer TIFF exploit).


Generally decoder libraries aren't the most secure thing, but there are many different variations and separate implementations. I suspect that if someone really wanted, and knew your specific software configuration, they might be able to develop an exploit given enough time and resources. The odds of someone including an exploit that happened to work with your specific software by chance are extremely small to the point of being insignificant.
AudioKitten
post Apr 21 2012, 06:37
Post #7





Group: Members
Posts: 18
Joined: 11-April 12
Member No.: 98656



I would set up a virtual machine running say, a flavor of Linux, and then loading all the FLAC files in there. What I would do to be on the extra paranoid state would be to convert them all into WAV files and then back into FLAC files with an automated BASH script. That's just me though, I'm quite paranoid when it comes to computer security.

I disagree with Nessuno, though, about running from an unprivileged user. Unprivileged user accounts aren't good enough because of the way Microsoft products handle privilege separation. If you suspect that something might be virus infected then you *must* open it in a virtual machine until you've verified that they're clean.
Nessuno
post Apr 21 2012, 09:31
Post #8





Group: Members
Posts: 423
Joined: 16-December 10
From: Palermo
Member No.: 86562



QUOTE (AudioKitten @ Apr 21 2012, 07:37) *
I disagree with Nessuno, though, about running from an unprivileged user. Unprivileged user accounts aren't good enough because of the way Microsoft products handle privilege separation. If you suspect that something might be virus infected then you *must* open it in a virtual machine until you've verified that they're clean.


Ok, but we are speaking of running a single, well known, executable to open and read in a well known way a (possibly) infected file. If you then suspect that the flac executable itself is not clean, you can always download a fresh one, but then the problem is somewhere else in your system. In this case, well: a virtual environment is actually made of executables, with high privileges and very low level access to system resources. They could be infected as well.

So, to be really but really paranoid: put those files on a USB flash drive, turn off the PC, disconnect all your HDs, boot from a live Linux CD and re-encode them.

@OP: anyway, the safest thing to do and cost effective, compared with the (very unlikely) risk of corrupting your whole running system is to buy again that CD! ;)


--------------------
... I live by long distance.
_mē_
post Apr 21 2012, 10:11
Post #9





Group: Members
Posts: 231
Joined: 6-April 09
Member No.: 68706



Why do you ask here?
It's Microsoft's tool, they are the ones supposed to know why it flags music files as trojans.
detmek
post Apr 21 2012, 12:49
Post #10





Group: Members
Posts: 71
Joined: 24-June 08
Member No.: 54802



Isn't it easier to just upload the file to VirusTotal?
P.S. Maximum supported file size is 32MB.
kwanbis
post Apr 21 2012, 16:40
Post #11





Group: Developer (Donating)
Posts: 2362
Joined: 28-June 02
From: Argentina
Member No.: 2425



Use this service to scan: http://virusscan.jotti.org/en

It uses 22 virus scanners at once.


--------------------
MAREO: http://www.webearce.com.ar
nu774
post Apr 21 2012, 17:40
Post #12





Group: Developer
Posts: 537
Joined: 22-November 10
From: Japan
Member No.: 85902



QUOTE (crozone @ Apr 20 2012, 21:49) *
Normally I would say that they are false positives thrown up by MSE's heuristics, except that they are Trojan:JS/Pdfjsc.Y and Exploit:JS/Neosplit.A, in two separate files.

From their name, MSE seems to think they are malicious JavaScript. JavaScript in FLAC files? Funny.
andy o
post Apr 22 2012, 20:18
Post #13





Group: Members
Posts: 1326
Joined: 14-April 09
Member No.: 68950



If this from the OP is not a mistake (I guess s/he intended to say "not")
QUOTE
Secondly I'll say that I'm exactly new to computers, and I realise that this at first sounds like kind of a trivial question, so I apologise for that.

Then it could be the oldest trick in the book, double extensions. Windows by default hides extensions for "known" file types, though I would say 95% of Windows users don't know what an extension is.
Porcus
post Apr 22 2012, 20:52
Post #14





Group: Members
Posts: 1898
Joined: 30-November 06
Member No.: 38207



An earlier version of FLAC.exe had a security flaw which was subsequently fixed. It might be that this is one of the attempts to exploit that. I would rather put my money on the double-extension trick (whoever decided that BillOS should hide extensions, should serve at the pillory stock) though.


--------------------
One day in the Year of the Fox came a time remembered well