
Virus within a film?

Yesterday I torrented a film. When I wanted to play it, it opened some system folder where it opened a command line (can't remember what program it was exactly, it was blue and wasn't cmd). Thankfully it was stopped by antivirus, but I just can't stop wondering what it wanted to do. The torrent has been deleted since then, so I can't try it again for more info. And how did it get through uTorrent Pro's antivirus protection? Any ideas? Thanks.
 
Edit: It opened PowerShell, and yes, it wasn't a movie.
I also deep-scanned the PC yesterday, everything should be alright, but I'm going to scan it with a few more scanners recommended to me, just to be sure.

It probably opened PowerShell (it looks kind of like CMD, but with a blue background :P ), which means it could have done damn near anything.

It could be that the person who made the virus exploited some part of the uTorrent antivirus stuff, which your actual antivirus was able to stop.

"We're all in this together, might as well be friends" Tom, Toonami.

 

mini eLiXiVy: my open source 65% mechanical PCB, a build log, PCB anatomy and discussing open source licenses: https://linustechtips.com/topic/1366493-elixivy-a-65-mechanical-keyboard-build-log-pcb-anatomy-and-how-i-open-sourced-this-project/

 

mini_cardboard: a 4% keyboard build log and how keyboards work: https://linustechtips.com/topic/1328547-mini_cardboard-a-4-keyboard-build-log-and-how-keyboards-work/


1 minute ago, tlustymen said:
Yesterday I torrented a film. When I wanted to play it, it opened some system folder where it opened a command line (can't remember what program it was exactly, it was blue and wasn't cmd). Thankfully it was stopped by antivirus, but I just can't stop wondering what it wanted to do. The torrent has been deleted since then, so I can't try it again for more info. And how did it get through uTorrent Pro's antivirus protection? Any ideas? Thanks.

First of all, are you sure it was a movie? Did you check the file-extension of it? One of the various ways baddies get people to run bad stuff is by giving files names like "Movie.mp4.exe" -- it'll look like "Movie.mp4" in e.g. Explorer by default, unless you have set Explorer to show file-extensions.

 

Another way baddies spread bad stuff is by embedding bad metadata in videos; there are certain players that don't handle metadata correctly and end up executing stuff inside them. It's not as popular nowadays, since most players have fixed such vulnerabilities, but poorly-made players still exist and that's why I always recommend VLC -- they pay a lot of attention into trying to avoid any such vulnerabilities.

 

As for why uTorrent didn't catch it...well, you better ask them.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


Video files are not executables, they cannot run commands.  The only explanations I can think of is a) it wasn't a video at all and you got fooled, or b) it was an intentionally malformed video file designed to harness a vulnerability in a particular player or codec.

 

Also, just an edit for additional information to clear up some confusion we've seen both in the thread here and behind the scenes: helping with piracy is still not permitted on the forum.  Advocating piracy is still not permitted on the forum.  We're past that point though.  OP did something, and has moved on.  This discussion is about general safe computing practices - how to spot and avoid malware, which is good advice in general and nothing specific to piracy.

Edited by Ryan_Vickers

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


Most viruses are hidden along the path of downloading the file: ads, popups, fake download links, etc.


Isn't torrenting a film illegal? Should not be advertised here.

 

GTX 1080 - 2x M.2 NVMe SSD - Gsync 100Hz - 1440p - 7700K (Q1/2017 mini-ITX build)


Just now, Gunshark said:

Isn't torrenting a film illegal? Should not be advertised here.

Depends on the film. Besides, OP's questions are about malware/viruses and not about torrenting, per se. Personally, I believe this doesn't fall on the wrong side of the forums' guidelines.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


2 minutes ago, Gunshark said:

Isn't torrenting a film illegal?

What's your point? A virus is legal?


It's like saying I stole an apple, I ate it and I got diarrhea, what do I do?

I get that the diarrhea needs to be fixed, but what about doing things right in the first place by not torrenting a film? Then you might have a lot less chance of catching a virus, since official channels are better protected; that's why you pay, too.

 

Can't have both the butter and the money from the butter.

 

Virus is good to have in torrents: if you go rob a bank expect to get killed. 

GTX 1080 - 2x M.2 NVMe SSD - Gsync 100Hz - 1440p - 7700K (Q1/2017 mini-ITX build)


There were some discussions about being able to infect movies but they're basically about this:

 

* Create a really corrupted JPG image and include it in the metadata of the movie as an "album cover" picture. If the movie player shows album covers for movies, and IF it's not updated, and IF the movie player runs in administrator mode (most don't run in administrator mode by default), then when the movie player tries to decode the JPG picture, if the bug wasn't patched in the library that decodes JPG pictures, code could be placed in memory and executed as the corrupted picture gets decoded (the code would be something as simple as "download file from URL and run it", which requires an administrator account).

 

* Create a really corrupted font for a subtitle (e.g. an SSA subtitle can reference fonts that can be embedded with the movie, the same as subtitle tracks or audio tracks). Rely on bugs in Windows that would cause code to run when Windows tries to load the font as you render the subtitle. Again... most movie players don't run with an administrator account, corrupting a font in such a way is incredibly difficult, and such vulnerabilities are really rare and most likely patched.

 

In the past, some WMV video files had the option to automatically open a web page in Windows Media Player, and some smart guys took advantage of a bug in Internet Explorer (which rendered pages inside Windows Media Player) to pop out of Windows Media Player and have ActiveX or JavaScript run in Internet Explorer in the background, show popups and so on...

 

In your particular case, you probably fell for the classic double file extension, like .mp4.exe etc.


4 minutes ago, Gunshark said:

Virus is good to have in torrents: if you go rob a bank expect to get killed. 

No, you know how many big files I use torrents for? Screw viruses. Torrent =/= piracy.

You know how many public domain movies and music and many other free things there are? And they use torrents to spread them, as it won't require you to rent a very expensive server to store them (plus you pay for bandwidth; popular student movie = broke student :D )

 

Again, Torrent is not piracy. 


37 minutes ago, Minibois said:

It probably opened PowerShell (it looks kind of like CMD, but with a blue background :P ), which means it could have done damn near anything.

It could be that the person who made the virus exploited some part of the uTorrent antivirus stuff, which your actual antivirus was able to stop.

Oh yes, it was PowerShell, you are right.


24 minutes ago, Gunshark said:

Isn't torrenting a film illegal? Should not be advertised here.

 

 

17 minutes ago, Gunshark said:

It's like saying I stole an apple, I ate it and I got diarrhea, what do I do?

I get that the diarrhea needs to be fixed, but what about doing things right in the first place by not torrenting a film? Then you might have a lot less chance of catching a virus, since official channels are better protected; that's why you pay, too.

 

Can't have both the butter and the money from the butter.

 

Virus is good to have in torrents: if you go rob a bank expect to get killed. 

1) Public domain films are a thing, stop falling for the propaganda that torrenting is inherently illegal, and 2) answering a question about what a virus could do wouldn't really fall within the realm of "advertising" or condoning piracy. Oh, and 3) "official channels" don't always exist. You're pretty much talking out of your butt, you don't know the situation and seem to be painfully ignorant on how both torrenting and movie distribution work.

 

Also wtf is that reasoning at the end? When did torrenting become equivalent to robbing a bank and when did robbing a bank become a sufficient reason to have someone killed?

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


36 minutes ago, Ryan_Vickers said:

b) it was an intentionally malformed video file designed to harness a vulnerability in a particular player or codec.

I think that’s possible with steganography https://securelist.com/steganography-in-contemporary-cyberattacks/79276/

https://spectrum.ieee.org/tech-talk/telecom/security/the-dark-side-of-steganography

 

There is more that meets the eye
I see the soul that is inside


38 minutes ago, WereCatf said:

First of all, are you sure it was a movie? Did you check the file-extension of it? One of the various ways baddies get people to run bad stuff is by giving files names like "Movie.mp4.exe" -- it'll look like "Movie.mp4" in e.g. Explorer by default, unless you have set Explorer to show file-extensions.

 

Another way baddies spread bad stuff is by embedding bad metadata in videos; there are certain players that don't handle metadata correctly and end up executing stuff inside them. It's not as popular nowadays, since most players have fixed such vulnerabilities, but poorly-made players still exist and that's why I always recommend VLC -- they pay a lot of attention into trying to avoid any such vulnerabilities.

 

As for why uTorrent didn't catch it...well, you better ask them.

It was deleted so I can't check it again, but it definitely wasn't a movie, though it looked like one. I couldn't choose what to open it with (I only use VLC), so I double-clicked it and it acted like a shortcut and opened some system folder including PowerShell, which it tried to run. I use extensions and normally I watch out for anything suspicious; I just somehow missed this.
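The two tricks described in this thread, the double extension WereCatf mentions (Movie.mp4.exe) and the "acted like a shortcut and opened PowerShell" behaviour tlustymen reports, can both be checked offline before a downloaded "video" is ever double-clicked. The script below is an added example written for this page, not code from anyone in the thread; the function names (disguised_media, parse_lnk, suspicious_shortcut, build_lnk) are mine, and the shortcut bytes it inspects are constructed in the block rather than taken from the OP's file. One caveat the thread does not spell out: Explorer never displays the .lnk extension, even with "Hide extensions for known file types" turned off, so a shortcut named Movie.mp4.lnk shows up as Movie.mp4 and showing extensions alone would not have caught it. The parser follows the published MS-SHLLINK layout (76-byte header, optional IDList and LinkInfo blocks, then the StringData fields).

```python
"""Triage helpers for "it looked like a movie but launched PowerShell".

Added example, not code from the forum thread. It covers:
  1. double extensions such as Movie.mp4.exe or Movie.mp4.lnk;
  2. Windows shortcuts (.lnk) whose real target is a scripting host.
The sample .lnk is constructed here so everything runs offline.
"""
import struct
from pathlib import PureWindowsPath

# ShellLinkHeader constants (MS-SHLLINK section 2.1)
LNK_MAGIC = b"\x4c\x00\x00\x00"                   # HeaderSize == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7   # target starts minimised, a common "run quietly" choice

MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".wmv", ".m4v", ".mp3", ".flac"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
             ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".url"}
# Binaries a shortcut shipped with a "movie" has no business launching.
LOLBINS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
           "mshta", "rundll32", "regsvr32", "certutil", "bitsadmin")


def disguised_media(filename: str) -> bool:
    """True for names like Movie.mp4.exe: a media-looking extension directly
    followed by one Windows will execute (or, for .lnk, dereference)."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXEC_EXTS
            and suffixes[-2] in MEDIA_EXTS)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a .lnk file."""
    if len(data) < 76 or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) then IDList
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (u32) includes itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {"show_command": show_cmd}
    # StringData fields always appear in this order: u16 char count, then chars.
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            fields[key] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return fields


def suspicious_shortcut(data: bytes) -> list:
    """Reasons a shortcut posing as a video looks malicious (empty list = none)."""
    info = parse_lnk(data)
    text = " ".join(v for k, v in info.items() if k != "show_command").lower()
    reasons = [f"launches {b}" for b in LOLBINS if b in text]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    return reasons


def build_lnk(relative_path: str, arguments: str,
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed minimal .lnk (RelativePath + Arguments, Unicode strings),
    only here so the parser can be exercised without a real sample."""
    header = bytearray(76)
    header[0:4] = LNK_MAGIC
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 20, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    struct.pack_into("<I", header, 60, show_command)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body


# Constructed sample: a "movie" that is really a shortcut to powershell.exe.
SAMPLE_NAME = "Movie.2019.1080p.mp4.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden")

if __name__ == "__main__":
    print(SAMPLE_NAME, "has a disguised extension:", disguised_media(SAMPLE_NAME))
    for reason in suspicious_shortcut(SAMPLE_LNK):
        print(" -", reason)
```

Run it over a download folder by reading each file's bytes and calling parse_lnk only when the 20-byte magic/CLSID prefix matches; a real shortcut normally also carries an IDList and LinkInfo block, which the parser skips using the size fields the format provides.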


41 minutes ago, Ryan_Vickers said:

Video files are not executables, they cannot run commands.  The only explanations I can think of is a) it wasn't a video at all and you got fooled, or b) it was an intentionally malformed video file designed to harness a vulnerability in a particular player or codec.

Wasn't a video, just looked like one. Yes, I got fooled.


1 minute ago, captain_to_fire said:

Mmmno. You'd still need something to actually decode the steganographically-hidden payload, you can't use the steganographically-hidden payload itself as a means to utilize a vulnerability without a separate, non-steganographically-hidden payload.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


1 minute ago, tlustymen said:

I couldn't choose with what to open it (I use only vlc) so I double clicked it

Well, there you go, then. You were careless and got fooled.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


28 minutes ago, Gunshark said:

It's like saying I stole an apple, I ate it and I got diarrhea, what do I do?

I get that the diarrhea needs to be fixed, but what about doing things right in the first place by not torrenting a film? Then you might have a lot less chance of catching a virus, since official channels are better protected; that's why you pay, too.

 

Can't have both the butter and the money from the butter.

 

Virus is good to have in torrents: if you go rob a bank expect to get killed. 

You can just as easily get food poisoning from food that you purchased legally. It sounds like you have a one track mind about torrenting. More than one person on here has explained that torrenting isn't always illegal. I'm willing to bet that this guy was downloading a movie or something like it illegally, but it wasn't outlined that way, and it was more of a circumstance rather than what this post is actually about. I think you knew that to begin with and just wanted to throw your opinion out there, it's not constructive whatsoever.


3 minutes ago, WereCatf said:

You'd still need something to actually decode the steganographically-hidden payload, you can't use the steganographically-hidden payload itself as a means to utilize a vulnerability without a separate, non-steganographically-hidden payload.

It's possible that OP's antivirus included algorithms to detect and block steganography based malware. Considering it being a commonly disseminated virus rather than a targeted attack, I wouldn't be surprised if his AV detected it.

There is more that meets the eye
I see the soul that is inside


9 minutes ago, tlustymen said:

Wasn't a video, just looked like one. Yes, I got fooled.

Lesson to be learned for next time: check file extensions, run an AV scan on files you download before you open them.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 minutes ago, Sauron said:

Lesson to be learned for next time: check file extensions, run an AV scan on files you download before you open them.

Definitely. Like I said, I did a deep scan, but is it still somehow possible that some part of it stayed?


12 minutes ago, WereCatf said:

Well, there you go, then. You were careless and got fooled.

Sadly true.


3 minutes ago, tlustymen said:

Definitely. Like I said, I did a deep scan, but is it still somehow possible that some part of it stayed?

If the AV caught it you're probably safe, just run a full AV scan to make sure.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 minutes ago, Sauron said:

If the AV caught it you're probably safe, just run a full AV scan to make sure.

Okay, thank you.
