PaulDotCom mailing list archives

Re: Embedded Malware


From: Ryan Sears <rdsears () mtu edu>
Date: Wed, 26 Jan 2011 11:52:45 -0500 (EST)

Hey Subba,

Well I don't necessarily have any citations, but that's a problem that's plagued programs since they basically existed 
- the separation of data and code. 

If you examine both code and data on a hard drive, they are the /exact/ same. A collection of bytes. Depending on the 
context it is up to either the operating system, or the individual program itself to make that distinction, but it's 
mostly the program. The problem lies in when you find an unmetered buffer, double free()'d buffer or some other way to 
corrupt memory and manage to re-direct execution flow. When this happens it is very much possible then to make your own 
interactions with the underlying OS (thus making network connections or changing files), although things like Apple's 
sandbox, the NX bit, ASLR, and DEP make it very much more difficult to actually interact with the OS and run your own 
shellcode, but these systems aren't perfect. They have their flaws too, and can be bypassed with a number of methods 
(stack bruteforcing on 32 bit machines, return-oriented programming, etc). 

It is very possible to write malware for /any/ platform, be it a cell phone, a switch, or a control system. 

As for malware inside media files, I suppose that would be possible as well. I myself have a number of crashes in 
libavcodec with the FLV file format, and have yet to attempt to write any exploit code for it. There's lots of weird 
math to corrupt, and sometimes that DOES mean exploitable bugs, but of course sometimes it doesn't. In my experience 
though, I have never seen a bug that would trigger an exploit whose movie file actually plays after that. Usually it 
crashes the program when you re-direct execution flow, although depending on how the exploit was written I suppose it 
would be possible to repair the corruption and jump on the right path again, but that's usually way more sophisticated 
than people are willing to go when writing exploits. 

I guess I'd say look at comex's PDF exploit, and sandbox escaping for the iPhone, or as it was commonly referred to - 
jailbreak.me. (http://www.f-secure.com/weblog/archives/00002002.html)

These were very real vulnerabilities that could very well have been modified to do anything on a victim's phone, from 
stealing the sms database, reading emails, to placing premium phone calls! Thankfully comex wasn't doing anything 
malicious, and just wanted to jailbreak people's phones for them.

I hope it helps!
Ryan Sears

----- Original Message -----
From: "Subba Rao" <kleanchap () tanucoo com>
To: "Pauldotcom" <pauldotcom () mail pauldotcom com>
Sent: Tuesday, January 25, 2011 2:27:48 PM GMT -05:00 US/Canada Eastern
Subject: [Pauldotcom] Embedded Malware

I am having a serious discussion with one of my colleagues about
embedded Malware.  In our discussions, I have told him about
Malware in AVI and other media files which get spread from P2P networks
etc.

His argument is that Malware inside a media file is considered data.
When you play the file, the application treats it like data and it
should not affect the OS.  His argument was not too strong but I need
some information to show that embedded malware can be lethal to the OS.
Any pointer in this subject area?

Thank you in advance.

Subba Rao
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
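The "unmetered buffer" Ryan describes above, as an added example that is not code from this thread or from libavcodec: a toy length-prefixed chunk parser in C, with the unchecked copy beside a checked one that rejects a declared length larger than the destination buffer or than the bytes actually in the file. The record format, the CHUNK_MAX size and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy container record: 4-byte little-endian payload length, then payload.
 * Constructed for this example; it is not libavcodec's FLV parser. */
#define CHUNK_MAX 16

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length field comes from the file and is trusted, so a
 * record declaring n > CHUNK_MAX writes past out[]. Kept only for contrast. */
size_t chunk_copy_unchecked(const uint8_t *in, size_t in_len, uint8_t *out) {
    if (in_len < 4) return 0;
    uint32_t n = read_le32(in);
    memcpy(out, in + 4, n);          /* no check against CHUNK_MAX or in_len */
    return n;
}

/* Hardened version: check the declared length against both the destination
 * buffer and the bytes actually present, and reject the file on any mismatch. */
int chunk_copy_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t *copied) {
    *copied = 0;
    if (in_len < 4) return -1;       /* truncated header */
    uint32_t n = read_le32(in);
    if (n > CHUNK_MAX) return -2;    /* declared size exceeds destination buffer */
    if (n > in_len - 4) return -3;   /* declared size exceeds the file contents */
    memcpy(out, in + 4, n);
    *copied = n;
    return 0;
}

/* Constructed sample records: well formed; claims 64 bytes; claims 10 with only 5 present. */
static const uint8_t GOOD_CHUNK[]  = { 5, 0, 0, 0, 'v', 'i', 'd', 'e', 'o' };
static const uint8_t BIG_CHUNK[]   = { 64, 0, 0, 0, 'v', 'i', 'd', 'e', 'o' };
static const uint8_t SHORT_CHUNK[] = { 10, 0, 0, 0, 'v', 'i', 'd', 'e', 'o' };

/* Runs the three records through the checked parser; returns 1 if every outcome matches. */
int run_checks(void) {
    uint8_t out[CHUNK_MAX]; size_t n;
    if (chunk_copy_checked(GOOD_CHUNK, sizeof GOOD_CHUNK, out, &n) != 0 || n != 5) return 0;
    if (memcmp(out, "video", 5) != 0) return 0;
    if (chunk_copy_checked(BIG_CHUNK, sizeof BIG_CHUNK, out, &n) != -2 || n != 0) return 0;
    if (chunk_copy_checked(SHORT_CHUNK, sizeof SHORT_CHUNK, out, &n) != -3 || n != 0) return 0;
    return 1;
}

int main(void) { return run_checks() ? 0 : 1; }
```

The same length-versus-buffer check is the minimum a decoder needs before treating any size field read from a media file as trustworthy.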
