Is VLC on Linux vulnerable to an attack from .wmv files designed to install viruses?

Video files by themselves can not contain a "virus" in the classical sense but they can be used to exploits bugs in the media players (or sometimes even the OS) when handling the file formats and codecs. By using these exploits they can then execute code.

Like most video players vlc also has/had lots of bugs which could be exploited, including in the handling of WMV files. But it is unlikely that antivirus will find such exploits because they usually don't know much about codecs and don't even scan video files. Since such exploits are usually OS specific and most care only about Windows because of the market share you are probably safe nevertheless with Linux unless you got specifically targeted.


Yes, VLC can be hacked. Here you can check CVE list of VLC.

But don't panic, just because your VLC freeze, that doesn't necessarily ​mean that someone hacked you. Make sure that your VLC is up to date.

Can you submit that file to this website Cuckoo Sandbox and then paste the report here, just out of curiosity let us see, what will happen when that file is "fired" in sandbox.

EDIT: After being analyzed with cuckoo sandbox.

Ok, we have one problem, there is no VLC inside that sandbox, so I'd like to see what will happen in the same box with VLC, but so far there is a suspicious URL inside that file:

DO NOT OPEN LINKS!

h**p://aavid.xyz?id=&dlgx=200&dlgy=200&adv=0

After this one it will redirect you on new one:

h**p://playbackerrormediaplayercodecrequiredtoplaythisfileinstallcodec.playbackerrormediaplayercodecrequiredtoplaythisfileinstallcodec.mediaplayerfix.tech/drm.php?id=&dlgx=200&dlgy=200&adv=0

Then it will give you option to download codec:

h**p://alfafile.net/file/NfpC

and another redirection:

h**p://a5.alfafile.net/dl/8va8w/CodecFix.exe

enter image description here

and that same file is definitely malicious.

https://www.virustotal.com/en/file/8cabc36f1e3180de4a8e429b1a6cc7e2ad04243764033916486a22c80de2244f/analysis/

For the closure; I didn't analyze that file on my own, but what I did is just a quick peek into the strings, so I can not be sure how this file is acting on the real system neither if it's using vulnerability from VLC.


The attack listed in the referenced question certainly would not work with VLC or Linux. VLC does not support the obscure Windows Media Player DRM it utilizes (at least not to my knowledge), and even if it did, the purpose of the attack is to trick you into downloading and running some Windows executable files.

That being said, a different kind of attack is theoretically possible, if a security vulnerability were found in VLC itself which a maliciously crafted WMV could exploit. It's more-likely from your description the malicious WMV uses the former attack though.

In the case of those common malicious WMV's targeting Windows Media Player, if you inspect the WMV in a hex editor, you would find very little actual data consisting primarily of a URL, followed by nothing but empty padding to make it the expected file size.

Tags:

Linux

Video

Virus

Trojan

File Types

Related

Can free Wi-Fi hotspot providers snoop on HTTPS communications? Bank complains about rooted Android. Is it really any worse than a Windows desktop? Will same-site cookies be sufficent protection against CSRF and XSS? Can governments intercept end-to-end encrypted Whatsapp communication through lawful interception? Why is it considered safe to install something as a non-root user in Linux environments? How can the nmap tool be used to evade a firewall/IDS? What are the disadvantages of using public key cryptography when encrypting files? How can I tell if a PDF file I was sent contains malware? I almost searched my password, but didn't press enter. Is my password at risk, because of autocomplete or anything else? Could keystroke timing improve security on a password? How do I remove my website from the malware database? Does FTPS (FTP+S) offer better security than SFTP on the server side?

Recent Posts