Can AVI files contain a virus?

virus malware avi

Solution 1:

TL;DR

An .avi file is a video, and therefore is not executable, so the operating system can/will not run the file. As such, it cannot be a virus in its own right, but it can indeed contain a virus.

History

In the past, only executable (i.e., “runnable”) files would be viruses. Later, Internet worms started using social-engineering to trick people into running viruses. A popular trick would be to rename an executable to include other extensions like .avi or .jpg in order to trick the user into thinking it is a media file and run it. For example, an email client may only display the first dozen or so characters of attachments, so by giving a file a false extension, then padding it with spaces as in "FunnyAnimals.avi              .exe", the user sees what looks like a video and runs it and gets infected.

This was not only social-engineering (tricking the user), but also an early exploit. It exploited the limited display of filenames of email clients to pull off its trick.

Technical

Later, more advanced exploits came along. Malware writers would disassemble a program to examine its source-code and look for certain parts that had poor data- and error-handling which they could exploit. These instructions often take the form of some sort of user input. For example, a login dialog box on an OS or web-site may not perform error-checking or data-validation, and thus assume/expect the user to enter only appropriate data. If you then enter data that it does not expect (or in the case of most exploits, too much data), then the input will end up outside of the memory that was assigned to hold the data. Normally, the user-data should be contained only in a variable, but by exploiting poor error-checking and memory-management, it is possible to put it in a part of memory that can be executed. A common, and well-known method is the buffer-overflow which puts more data in the variable than it can hold, thus overwriting other parts of memory. By cleverly crafting the input, it is possible to cause code (instructions) to be overrun and then transfer control to that code. At that point, the sky is usually the limit as to what can be done once the malware has control.

Media files are the same. They can be made so that they contain a bit of machine code and exploit the media-player so that the machine code ends up running. For example, it might be possible to put too much data in the media file’s meta-data so that when the player tries to open the file and read it, it overflows the variables and causes some code to run. Even the actual data could theoretically be crafted to exploit the program.

What’s worse with media files is that unlike a login which is clearly bad, even to lay-persons (e.g., username: johndoe234AUI%#639u36906-q1236^<>3;'k7y637y63^L:l,763p,l7p,37po[33p[o7@#^@^089*(^#)360as][.;][.][.>{"{"#:6326^), a media file can be made so that it actually contains proper, legitimate media that is not even corrupt and so looks completely legitimate and goes utterly undetected until the infection’s effects take place. Steganography (literally “covered writing”) is usually used to conceal data in other data, but this is essentially the same thing since the malware would be hidden in what looks like legitimate media.

So yes, media files (and for that matter, any file) can contain a virus by exploiting vulnerabilities in the program that opens/views the file. The problem is that you often do not even need to open or view the file to be infected. Most file types can be previewed or have their meta-data read without purposely opening them. For example, simply selecting a media file in Windows Explorer will automatically read the meta-data (dimensions, length, etc.) from the file. This could potentially be a vector of attack if a malware writer happened to find a vulnerability in Explorer’s preview/meta-data function and crafts a media file that exploits it.

Fortunately, exploits are fragile. They usually only affect one media player or another as opposed to all players, and even then, they are not guaranteed to work for different versions of the same program (that's why operating systems issue updates to patch vulnerabilities). Because of this, malware writers usually only bother to spend their time cracking systems/programs in wide use or of high value (e.g., Windows, bank systems, etc.) This is particularly true since hacking has gained in popularity as a business with criminals trying to get money and is no longer just the domain of nerds trying to get glory.

Application

If your video file is infected, then it will likely only infect you if you happen to use the media player(s) that it is specifically designed to exploit. If not, then it may crash, fail to open, play with corruption, or even play just fine (which is the worst-case scenario because then gets flagged as okay and gets spread to others who may get infected).

Anti-malware programs usually use signatures and/or heuristics to detect malware. Signatures look for patterns of bytes in the files that usually correspond to instructions in well-known viruses. The problem is that because of polymorphic viruses that can change each time they reproduce, signatures become less effective. Heuristics observe behavior patterns like editing specific files or reading specific data. These usually only apply once the malware is already running because static analysis (examining the code without running it) can be extremely complex thanks to malware obfuscation and evasion techniques.

In both cases, anti-malware programs can, and do, report false-positives.

Conclusion

Obviously the most important step in computing safety is to get your files from trusted sources. If the torrent you are using is from somewhere you trust, then presumably it should be okay. If not, then you may want to think twice about it, (especially since there are anti-piracy groups who purposely release torrents containing fakes or even malware).

Solution 2:

I won't say it's impossible, but it would be difficult. The virus writer would have to craft the AVI to trigger a bug in your media player, and then somehow exploit that to run code on your operating system -- without knowing what media player or OS you are running. If you keep your software up to date, and/or if you run something other than Windows Media Player or iTunes (as the biggest platforms, they will be the best targets), you should be pretty safe.

However, there is a related risk that is very real. Movies on the internet these days use a variety of codecs, and the general public doesn't understand what a codec is -- all they know is "it's something I sometimes have to download so the movie will play". This is a genuine attack vector. If you download something and are told "to view this, you need the codec from [some website]", then we very sure you know what you're doing because you could infect yourself.

Related

How do I mount the EFI partition on Windows 8.1 so that it is readable and writeable?
Way to limit bandwidth of programs on Windows?
Italian keyboard: entering tilde (~) and backtick (`) characters without changing keyboard layout
Variables in batch file not being set when inside IF?
grub: boot from ISO
Problem recreating BCD on Windows 7 64bit - The requested system device cannot be found
How can I remove multiple segments from a video using FFmpeg?
How to make a shortcut from CMD?
Switch between windows on Mac OS X?
How to install Windows 7 from the network?
What are all the Windows 7/8/8.1 updates (KBs) I must skip to avoid Windows 10 upgrading -and nags-?
Upgrading and installing packages through the Cygwin command-line?