
I'm trying to find out if video containing malware can be cleaned by converting the video to a different format. Similar to how images containing malware can be cleaned by converting them to .BMP.

I expect it's not that simple due to the complexity of video formats, but I haven't been able to find a definitive answer by Googling many reworded questions, so I'm hoping someone here may have an answer :).

Thanks.

Markus

1 Answer


I don't think you will find a definitive answer to this as it will depend on the particular malware attack.

For example (with fictitious example attacks):

  • if the malware relies on a particular set of bytes in a data stream to trigger the attack, then transcoding and repackaging from one format to another will most likely change the bytes and hence defeat the attack.
  • if the malware is triggered by the user clicking a link in the video or by scanning an image for a barcode, etc., then transcoding will not impact the attack.

Looking at the first point - a given frame might be transported 'wrapped' in multiple layers:

  • raw pixels bitmap
  • raw pixels encoded (e.g. h.264, h.265 encoded)
  • encoded video stream packaged into container with audio streams, subtitles etc (e.g. mp4, avi container)
  • container broken into 'chunks' or segments for streaming (e.g. HLS or DASH streaming format).

If we look at transcoding from one codec to another as an example of changing the format, then, if your malware is in a particular byte sequence in the raw pixels then this transformation will change the bytes and presumably remove it. If the sequence of bytes was in the container or the streaming protocol, for example in one of the container metadata fields, then the malware would survive.

Similarly if you changed the container from mp4 to avi, but kept the codec the same, then the malware would survive if it was in the encoded video.

If you want to make sure everything has changed you would need to change the codec, the container and the streaming protocol and additionally probably remove all metadata and text as this would likely stay the same even when changing containers.

Note that the streams can also be encrypted, which may help depending on where the vulnerable component is - i.e. if it is a router or firewall, but be aware many encryption schemes only partially encrypt video streams, for efficiency and to allow the metadata to be read in some cases.

Mick
  • Thanks Mick. I'm looking at it purely from the playing of the video file for viewing and trying to alleviate the risk of activating malware. Regarding your first dot point, I understand that transcoding the video itself can change the bytes of the video itself, but are there other executable parts in some video formats that may stay untouched depending on what format you change the video to, or is it safe to say, changing the format across something significant like mp4 to avi will basically change everything? I'm viewing it from the simple concept of jpeg to bmp. – Markus Feb 17 '20 at 21:28
  • @Markus, I added some notes to the answer - essentially you would need to change multiple 'layers' to ensure a malicious byte pattern did not survive, for example. I suspect there may be easier ways to get the bytes to the end device than video, as an aside, but I'm guessing you have a particular scenario in mind you need to protect against. – Mick Feb 17 '20 at 22:03
  • Thank you for the very detailed explanation, that's given me the level of understanding I was hoping for and I now understand the level of complexity I'm dealing with. A great answer, awesome. – Markus Feb 17 '20 at 23:20
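The layer argument in the answer above can be checked after a conversion by looking for byte runs of the original file that reappear unchanged in the output. The following is an added example, not part of the original thread; the function names and the sample byte strings are constructed stand-ins for a container header, a metadata field and an encoded stream, not real media.

```python
import hashlib

def surviving_runs(original: bytes, converted: bytes, window: int = 16):
    """Return (offset, length) runs of `original` found verbatim in `converted`.

    Keeps every window of `converted` in memory, so it suits small samples;
    large files would need a rolling hash instead.
    """
    seen = {converted[i:i + window] for i in range(len(converted) - window + 1)}
    runs, start, end = [], None, 0
    for i in range(len(original) - window + 1):
        if original[i:i + window] in seen:
            start = i if start is None else start
            end = i + window
        elif start is not None:
            runs.append((start, end - start))
            start = None
    if start is not None:
        runs.append((start, end - start))
    return runs

def fake_stream(seed: bytes, blocks: int = 16) -> bytes:
    """Constructed stand-in for encoded frames: 32 * blocks deterministic bytes."""
    out, block = b"", seed
    for _ in range(blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return out

# Constructed sample data, not real media files.
MP4_HEADER = b"\x00\x00\x00\x18ftypisom"
AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI "
METADATA = b"title=constructed sample; comment=unchanged text field"
PAYLOAD = fake_stream(b"codec-A")        # original encoded video
REENCODED = fake_stream(b"codec-B")      # same pictures, different codec bytes

ORIGINAL = MP4_HEADER + METADATA + PAYLOAD
REMUXED = AVI_HEADER + METADATA + PAYLOAD        # container changed only
TRANSCODED = MP4_HEADER + METADATA + REENCODED   # codec changed only
CLEANED = AVI_HEADER + REENCODED                 # both changed, metadata dropped

if __name__ == "__main__":
    for name, blob in [("remuxed", REMUXED), ("transcoded", TRANSCODED),
                       ("cleaned", CLEANED)]:
        print(name, surviving_runs(ORIGINAL, blob))
```

An empty result only shows that no byte run of the chosen window size was carried over; it says nothing about content that is meaningful after decoding, such as the link or barcode case in the answer.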