Can FLAC be used to run Malicious Code?, ie, can playing an infected flac file infect your computer?
Post #1, Apr 20 2012, 13:49
Group: Members Posts: 1 Joined: 20-April 12 Member No.: 99025
Ok, so firstly I'd like to start off by saying that all FLAC files in question are coming from an external source. However, they are being used to replace an extensively damaged, legally owned disk, so please, please, please don't give me all that DMCA stuff. I like to buy my music.
Secondly I'll say that I'm exactly new to computers, and I realise that this at first sounds like kind of a trivial question, so I apologise for that. Basically I have some FLAC files that microsoft security essentials has picked up as trojans, before I even did anything with the files, so they are currently sitting dormant. Normally I would say that they are false positives thrown up by MSE's heuristics, except that they are Trojan:JS/Pdfjsc.Y and Exploit:JS/Neosplit.A, in two separate files. I understand that in order for the files to actually do anything, they have to be run as executable code, which in theory, is impossible for a FLAC file. But are there any known exploits in older FLAC decoders that could possibly allow a trojan to run itself? (ie, a buffer overrun or something like the windows picture viewer TIFF exploit). If not, why would a FLAC file have a virus attached anyway? or has the original owner allowed a rather stupidly coded trojan to arbitrarily infect the files, because it can? I should probably just bite the bullet, open them, and have foobar tell me that they're both corrupted, but I'm ultra paranoid about these things. Is it worth creating a throwaway virtual machine just to see what happens? Thanks.
Post #2, Apr 20 2012, 14:20
Group: Members Posts: 2270 Joined: 19-May 08 Member No.: 53637
Run a different AV program on the files. If you don't want to download a complete AV program, there are many anti-virus programs that also offer an online version. Pick a few and run them on the files.
Download the files from a different source.
Post #3, Apr 20 2012, 14:49
Group: Members Posts: 648 Joined: 10-January 06 From: Zagreb Member No.: 27018
Just because it has a FLAC extension doesn't mean it's a FLAC file.
God knows what it is, really. To my knowledge, you can't pick up any nastiness with flac files - but to be sure, load them up in some tag editor, and see if there isn't something attached to them in tags.
Post #4, Apr 20 2012, 17:09
Group: Members Posts: 289 Joined: 27-November 09 Member No.: 75355
If they are genuine FLAC files, I guess they could contain some malicious JPG images...
I could take a look at them. I also suggest uploading them to Virustotal or similar.
This post has been edited by Brand: Apr 20 2012, 17:11
Post #5, Apr 20 2012, 17:53
Group: Members Posts: 379 Joined: 16-December 10 From: Palermo Member No.: 86562
Why not simply try a flac -t filename.flac from CLI, to start, then if they really are flac files, give a look at their metadata with metaflac?
Of course, all this from an unprivileged user (which is always a very good thing to do to stay on the safer side!).
-------------------- ... I live by long distance.
Post #6, Apr 21 2012, 04:16
Group: Members Posts: 4131 Joined: 2-September 02 Member No.: 3264
QUOTE Basically I have some FLAC files that microsoft security essentials has picked up as trojans, before I even did anything with the files, so they are currently sitting dormant.
Probably just a mistake.
QUOTE I understand that in order for the files to actually do anything, they have to be run as executable code, which in theory, is impossible for a FLAC file. But are there any known exploits in older FLAC decoders that could possibly allow a trojan to run itself? (ie, a buffer overrun or something like the windows picture viewer TIFF exploit).
Generally decoder libraries aren't the most secure thing, but there are many different variations and separate implementations. I suspect that if someone really wanted, and knew your specific software configuration, they might be able to develop an exploit given enough time and resources. The odds of someone including an exploit that happened to work with your specific software by chance are extremely small to the point of being insignificant.
Post #7, Apr 21 2012, 06:37
Group: Members Posts: 18 Joined: 11-April 12 Member No.: 98656
I would set up a virtual machine running, say, a flavor of Linux, and then load all the FLAC files in there. What I would do to be on the extra paranoid state would be to convert them all into WAV files and then back into FLAC files with an automated BASH script. That's just me though, I'm quite paranoid when it comes to computer security.
I disagree with Nessuno, though, about running from an unprivileged user. Unprivileged user accounts aren't good enough because of the way Microsoft products handle privilege separation. If you suspect that something might be virus infected then you *must* open it in a virtual machine until you've verified that they're clean.
Post #8, Apr 21 2012, 09:31
Group: Members Posts: 379 Joined: 16-December 10 From: Palermo Member No.: 86562
QUOTE I disagree with Nessuno, though, about running from an unprivileged user. Unprivileged user accounts aren't good enough because of the way Microsoft products handle privilege separation. If you suspect that something might be virus infected then you *must* open it in a virtual machine until you've verified that they're clean.
Ok, but we are speaking of running a single, well known, executable to open and read in a well known way a (possibly) infected file. If you then suspect that the flac executable itself is not clean, you can always download a fresh one, but then the problem is somewhere else in your system. In this case, well: a virtual environment is actually made of executables, with high privileges and very low level access to system resources. They could be infected as well. So, to be really but really paranoid: put those files on a USB flash drive, turn off the PC, disconnect all your HDs, boot from a live Linux CD and re-encode them.
@OP: anyway, the safest and most cost-effective thing to do, compared with the (very unlikely) risk of corrupting your whole running system, is to buy that CD again!
-------------------- ... I live by long distance.
Post #9, Apr 21 2012, 10:11
Group: Members Posts: 231 Joined: 6-April 09 Member No.: 68706
Why do you ask here?
It's Microsoft's tool; they are the ones supposed to know why it flags music files as trojans.
Post #10, Apr 21 2012, 12:49
Group: Members Posts: 15 Joined: 24-June 08 Member No.: 54802
Isn't it easier to just upload the file to VirusTotal?
P.S. Maximum supported file size is 32MB.
Post #11, Apr 21 2012, 16:40
Group: Developer (Donating) Posts: 2332 Joined: 28-June 02 From: Argentina Member No.: 2425
-------------------- MAREO: http://www.webearce.com.ar
Post #12, Apr 21 2012, 17:40
Group: Developer Posts: 295 Joined: 22-November 10 From: Japan Member No.: 85902
QUOTE Normally I would say that they are false positives thrown up by MSE's heuristics, except that they are Trojan:JS/Pdfjsc.Y and Exploit:JS/Neosplit.A, in two separate files.
From their name, MSE seems to think they are malicious JavaScript. JavaScript in FLAC files? Funny.
Post #13, Apr 22 2012, 20:18
Group: Members Posts: 1180 Joined: 14-April 09 Member No.: 68950
If this from the OP is not a mistake (I guess s/he intended to say "not"):
QUOTE Secondly I'll say that I'm exactly new to computers, and I realise that this at first sounds like kind of a trivial question, so I apologise for that.
Then it could be the oldest trick in the book, double extensions. Windows by default hides extensions for "known" file types, though I would say 95% of Windows users don't know what an extension is.
Post #14, Apr 22 2012, 20:52
Group: Members Posts: 1466 Joined: 30-November 06 Member No.: 38207
An earlier version of FLAC.exe had a security flaw which was subsequently fixed. It might be that this is one of the attempts to exploit that. I would rather put my money on the double-extension trick (whoever decided that BillOS should hide extensions, should serve at the pillory stock) though.
-------------------- geocities.com/hydrogenaudio: http://goo.gl/tqYZj
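Several replies in this thread boil down to the same static triage: check that the file really is a FLAC container before any player opens it (posts #3 and #5), look at what is attached in its metadata, embedded pictures included (posts #3 and #4), and make sure the name is not hiding a second extension behind a ".flac" (posts #13 and #14). The script below is an added example, not code from this thread or from the FLAC project. It walks the FLAC metadata block chain (the "fLaC" marker, then a one-byte type/last flag and a three-byte length per block) without decoding a single audio frame, parses VORBIS_COMMENT and PICTURE blocks, and reports anything that does not add up. The function names are my own, and the FLAC file it inspects is constructed in memory so the example runs offline.

```python
# Static triage of a file that claims to be FLAC (added example, not from the thread or the FLAC project).
# Walks the metadata block chain without decoding audio; all sample data below is constructed.
import os
import struct

FLAC_MAGIC = b"fLaC"
BLOCK_NAMES = {0: "STREAMINFO", 1: "PADDING", 2: "APPLICATION", 3: "SEEKTABLE",
               4: "VORBIS_COMMENT", 5: "CUESHEET", 6: "PICTURE"}
# Leading bytes expected for the image types a PICTURE block normally carries.
IMAGE_MAGIC = {"image/jpeg": b"\xff\xd8\xff", "image/png": b"\x89PNG\r\n\x1a\n"}
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}


def check_double_extension(filename):
    """True for names like 'song.flac.exe', shown as 'song.flac' when Windows hides extensions."""
    root, last = os.path.splitext(filename.lower())
    return last in RISKY_EXTENSIONS and os.path.splitext(root)[1] == ".flac"


def parse_picture(payload):
    """Decode a PICTURE block; returns (mime, declared_data_len, magic_ok)."""
    pos = 4                                               # skip the 32-bit picture type
    mime_len = struct.unpack(">I", payload[pos:pos + 4])[0]
    mime = payload[pos + 4:pos + 4 + mime_len].decode("ascii", "replace")
    pos += 4 + mime_len
    desc_len = struct.unpack(">I", payload[pos:pos + 4])[0]
    pos += 4 + desc_len + 16                              # description, width, height, depth, colours
    data_len = struct.unpack(">I", payload[pos:pos + 4])[0]
    data = payload[pos + 4:pos + 4 + data_len]
    expected = IMAGE_MAGIC.get(mime)                      # unknown MIME types are not judged
    return mime, data_len, expected is None or data.startswith(expected)


def parse_comments(payload):
    """Decode a VORBIS_COMMENT block (lengths are little-endian) into 'KEY=value' strings."""
    vendor_len = struct.unpack("<I", payload[:4])[0]
    pos = 4 + vendor_len
    count = struct.unpack("<I", payload[pos:pos + 4])[0]
    pos += 4
    comments = []
    for _ in range(count):
        n = struct.unpack("<I", payload[pos:pos + 4])[0]
        comments.append(payload[pos + 4:pos + 4 + n].decode("utf-8", "replace"))
        pos += 4 + n
    return comments


def triage_flac(data, filename="unknown.flac"):
    """Return a report: container check, block list, tags, pictures, warnings, audio byte count."""
    report = {"is_flac": data.startswith(FLAC_MAGIC), "blocks": [], "comments": [],
              "pictures": [], "warnings": [], "audio_bytes": 0}
    if check_double_extension(filename):
        report["warnings"].append("double extension: %s" % filename)
    if not report["is_flac"]:
        report["warnings"].append("missing fLaC marker: not a FLAC container")
        return report
    pos = 4
    while pos + 4 <= len(data):
        header = data[pos]                                # bit 7 = last block, bits 0-6 = type
        is_last, btype = bool(header & 0x80), header & 0x7F
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        payload = data[pos + 4:pos + 4 + length]
        name = BLOCK_NAMES.get(btype, "UNKNOWN(%d)" % btype)
        report["blocks"].append((name, length))
        if len(payload) < length:                         # declared length runs past end of file
            report["warnings"].append("%s block truncated: declared %d, have %d" % (name, length, len(payload)))
            break
        if btype == 6:
            mime, declared, magic_ok = parse_picture(payload)
            report["pictures"].append((mime, declared, magic_ok))
            if not magic_ok:
                report["warnings"].append("PICTURE declares %s but the image data does not start like one" % mime)
        elif btype == 4:
            report["comments"].extend(parse_comments(payload))
        elif btype not in BLOCK_NAMES:
            report["warnings"].append("unknown metadata block type %d" % btype)
        pos += 4 + length
        if is_last:
            break
    report["audio_bytes"] = len(data) - pos               # what 'flac -t' would have to decode
    return report


def build_sample(bad_picture=True):
    """Construct a minimal FLAC container (zeroed STREAMINFO, no real audio) for the demo."""
    def block(btype, payload, last=False):
        return bytes([(0x80 if last else 0) | btype]) + len(payload).to_bytes(3, "big") + payload
    vendor = b"constructed-example"
    tags = [b"TITLE=Track 01", b"ARTIST=Example"]
    vc = struct.pack("<I", len(vendor)) + vendor + struct.pack("<I", len(tags))
    for t in tags:
        vc += struct.pack("<I", len(t)) + t
    img = b"arbitrary non-image payload" if bad_picture else b"\xff\xd8\xff\xe0fake-jpeg"
    mime = b"image/jpeg"
    pic = (struct.pack(">I", 3) + struct.pack(">I", len(mime)) + mime + struct.pack(">I", 0)
           + struct.pack(">IIII", 1, 1, 24, 0) + struct.pack(">I", len(img)) + img)
    return (FLAC_MAGIC + block(0, bytes(34)) + block(4, vc) + block(6, pic, last=True)
            + b"\xff\xf8" * 8)                            # stand-in for audio frames


if __name__ == "__main__":
    for name in ("song.flac.exe", "song.flac"):
        print(name, triage_flac(build_sample(name.endswith(".exe")), name)["warnings"])
```

Nothing here executes or decodes the file, so it can be run as the unprivileged user Nessuno recommends without handing the audio frames to any decoder; `flac -t` on a fresh copy of the encoder remains the step that exercises the actual stream. A warning from this script does not prove the file is malicious, but a PICTURE block whose data is not an image, a declared length that overruns the file, or a second extension hiding behind ".flac" is exactly the kind of thing to know before deciding whether the file is worth opening at all.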