How Do Computer Viruses Transfer from an Infected DVD?

After reading Google, I only see the same common information over and over. Can a virus transfer from an infected DVD-RW or other storage peripheral by simply viewing the contents? While it is typically said that an infected file has to be opened to activate a virus, are there other ways a virus can spread from the peripheral to the PC hard drive? For one, can a virus lurk as a hidden file sitting in a folder and spread from there once the folder is opened, or must it be embedded within a document?

Please help me understand the ways a computer virus can spread. Thanks!

I gave a 'puter the ‘Noint’ virus when I looked at the contents of a floppy, didn’t even open a folder!

If your computer is set to auto-run anything in that drive, that would do it. Think about it, when you put a cd or dvd into your computer, generally, something starts happening automatically. Be it a media player pops up or a game starts playing or there’s an installer that shows up on the screen. All that happens because the computer reads what’s on the disc. If the disc is set to autorun a malicious program, it can easily transfer a virus to your computer.

I don’t know of any current exploits, but in theory, something like a specially-crafted preview icon on a data DVD could be an infection vector. If there was a bug in the jpeg decoder (for example, this (old) issue in Windows), then just inserting the DVD could be enough to compromise your system. But, as I said, I don’t think there are any current exploits like this.

When a DVD is inserted into a drive, your computer will look for a file called autorun.inf in the root directory of the DVD. It’s a text file containing a list of commands, similar to a .bat file.

By default it will run whatever it finds in this file, unless the autoplay setting has been turned off.

So you don’t even have to view the contents. Simply inserting the DVD can cause a malicious program to run.

I think a specially crafted .ini file would still work. (It’s a way of changing the meaning of a folder). It doesn’t depend on anything particular being broken, and doesn’t depend on autoruns, just on looking at the folder using Windows Explorer. I don’t remember that the functionality was removed.

If we extend the definition of “virus” to encompass all malware, then you need look no further than the infamous Sony rootkit. This was a copy protection measure on certain CDs produced by Sony BMG. Upon insertion, the CD would install software that would modify the OS to interfere with CD copying. It would also phone home about what the user was listening to.

Modern versions of Windows ask what to do when new media is inserted. It is possible for somebody to have selected “always do whatever the media wants.” In that case, yes, a simple autorun.ini virus could install something.

Windows has recently had flaws in its jpeg decoding software. It’s not clear that those flaws could be used to infect a system, but it’s within the realm of possibility. The example would be something like (as mentioned above) a nefarious image or movie is on a DVD. A flaw in the Windows software which creates the thumbnail images to display in Windows Explorer is exploited, and another flaw used to elevate the privileges, and then a virus installed before any file is opened by the user (though it was opened by the operating system to draw the thumbnails).

The “Thunderspy” family of thunderbolt attacks might interest you. In order to be fast, thunderbolt devices can do things like directly access system memory. Because of that, there are supposed to be lots of security features. Those particular flaws involve live rewriting of the computer’s thunderbolt controller’s firmware, and then connecting a rogue device to take over the computer. This obviously is an evil maid type attack; the attacker needs physical access to the machine. (Imagine an encrypted or locked system, so simple physical access isn’t enough to get into it.)

It is also entirely possible that flaws exist in the thunderbolt controller which allow a rogue device to take over the computer simply by being plugged in, without having to hijack the thunderbolt controller first. I’m not aware these flaws exist, but again, it’s not some SciFi attack which is impossible.

I’m using Windows here as an example. All operating systems have exploitable bugs. Which does not mean that all are equally easy to infect, or all are equally likely to be exploitable.

So, if the question is, did inserting a DVD from a friend into your computer give you a virus, even though you didn’t actually run anything on the DVD? The answer is probably no.

If the question is, can you make this work plausibly in your spy novel, then the answer is probably yes.

The disk labeled “Alice sessions 2008-11–2009-02” was left where Bob was sure to find it, and the sleeve saying “Carol’s intimate photography” was going to make the disk irresistible to Bob. His prurient nature would overcome his best opsec instincts. Little did he know that the zero day exploit in the Windows UDF filesystem driver would mean his computer was already owned before the thumbnails had finished loading.

(But actually well written, and stuff.)

NB: There is a technical difference between AutoRun and AutoPlay. They are not the same thing.

AutoRun is a layer between AutoPlay and the Shell Hardware Detection service.

The dialog box that pops up to ask you what to do is for AutoPlay - but from Windows Vista onwards AutoRun will also pop up an AutoPlay box by default.

But the user may simply choose to run an autorun.inf file - or to always run such files - without understanding the potential danger.

Any user can configure AutoPlay to make various decisions for them; by checking the appropriate box in the AutoPlay dialog, running flash drive malware becomes silent and automatic.

The last serious Macintosh virus was the AutoStart Worm which spread by exploiting the Mac equivalent of autorun as applied to removable media. We learned to shut off the option in the Control Panel.

Unlike a lot of previous Mac viruses, which did silly things like rename your hard drive to “trent” or pop up a message saying “Greetings from the great beyond” or equivalent, this one erased digital image files from people’s hard drives.

It was a MacOS 8 vintage virus.

Um…no.

Intego reckons that one in ten Mac computers is infected with the so-called Shlayer virus

Malwarebytes added that: “Mac detections per endpoint increased from 4.8 in 2018 to a whopping 11.0 in 2019, a figure that is nearly double the same statistic for Windows. This means that the average number of threats detected on a Mac is not only on the rise, but has surpassed Windows”.

Once again, it comes down to the definition of “virus.”
All viruses are malware, but not vice-versa.

True. As far as it goes, which IMO isn’t far. Unless it’s two security experts talking to each other, IMO we can / should assume “virus” is used as a 100% synonym for “malware”.

The OP is very clearly not a technical person. So we should apply the non-technical interpretation to their use of “virus”.

Eh, at least some level of distinction is necessary. There’s a difference between seeing your computer ask “This executable file is from a source that is not known to be trustworthy. It could potentially carry malware. Are you absolutely certain you want to run it?” and clicking “yes”, and your computer being automatically infected just because you put a disc in the drive and did nothing else. The former sort of malware, we’ll never be rid of, because after all, computers are supposed to do what we tell them to do. The presence of such malware is not a sign of an insecure computer system, but of an insecure user.

Very short version, as reasonably succinct as I can make it, with a minimum of technical details.

A virus is a program. In order to work its magic, two conditions have to happen: It has to be loaded into memory, and its instructions have to be executed. Some of its instructions are to self-replicate. One of the first things it may do is modify your computer’s files in such a way that the virus is now automatically loaded when you turn your computer on.

If you were to change the language around, using terms like “cell” and “DNA”, you’d be describing an actual virus: it injects itself into programs, and it (generally) duplicates itself.

Since you as a user are unlikely to just straight-up run a virus program, it has to resort to trickery. In the olden days, the virus would have to find an executable program and inject itself into the code so that when you ran the infected program, you also ran the virus.

Later on, one of the common infection vectors was from “buffer overflow attacks”. The .jpg one was mentioned above. This is challenging to explain briefly and I may need to pass over finer details.

In essence, your computer’s memory is used for both executable code and data that the executable code may refer to. A classic case is the .jpg buffer overflow. When the computer “sees” it’s to deal with an image, it will set aside a portion of memory for the image data (the “buffer”). It does this based on some data at the beginning of the file which informs the computer about the dimensions of the image, amongst other things. The viral payload sits at the end of this data, adding extra information to the image file.

When the computer loads the image data, it fills up the buffer, as predicted. The virus, however, is written “past” the limits of the buffer, into other memory that may have been used for actual running code. This can happen only because the coders who wrote the .jpg reading code trusted the data was going to be safe and didn’t enforce memory limits.

Buffer overflow attacks aren’t limited to just images. CMC’s experience above suggests it was also a buffer overflow attack (though there’s not enough information to hand to do more than guess).

In the case of your (theoretical, I hope) infected DVD, if you have all the autorun stuff turned off (I recall holding down shift while inserting media would prevent autorun) then no code from the disc would run. So long as there’s no attack vector from the file listing itself (and that looks secure), you’d be theoretically safe. If I wanted to be sure, I’d open that disc on another, older computer that contained little of value and was isolated from the network.

This turned out longer than I’d hoped. I hope I didn’t put you to sleep.
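The header-sized-buffer mistake this post describes, as an added example in C that is not from the thread: a constructed toy image format (not JPEG) whose 4-byte header states width and height, a hardened loader that refuses any body larger than the header promised, and a helper that computes how far an unchecked copy would have overrun without ever performing that write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy image format (not a real codec): a 4-byte header holding
 * little-endian width and height, followed by width*height pixel bytes.
 * The header tells the loader how big the buffer must be; the file body
 * tells it how much to copy. The overflow described above happens when a
 * loader sizes the buffer from the header but copies the whole body. */

enum { IMG_OK = 0, IMG_BAD_HEADER = 1, IMG_LENGTH_MISMATCH = 2, IMG_NO_MEMORY = 3 };

#define IMG_MAX_DIM 4096u  /* keeps width*height far below SIZE_MAX */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Bytes an unchecked loader would write past a header-sized buffer.
 * Computed arithmetically so the demonstration never performs the
 * out-of-bounds write itself. */
size_t overflow_bytes(const uint8_t *file, size_t file_len)
{
    if (file_len < 4) return 0;
    size_t pixels = (size_t)rd16(file) * rd16(file + 2);
    size_t body = file_len - 4;
    return body > pixels ? body - pixels : 0;
}

/* Hardened loader: the buffer is sized from the header AND the copy is
 * bounded by it; any mismatch between header and body is rejected. */
int load_image(const uint8_t *file, size_t file_len, uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (file_len < 4) return IMG_BAD_HEADER;
    size_t w = rd16(file), h = rd16(file + 2);
    if (w == 0 || h == 0 || w > IMG_MAX_DIM || h > IMG_MAX_DIM) return IMG_BAD_HEADER;
    size_t pixels = w * h;
    /* An unchecked loader would do memcpy(buf, file + 4, file_len - 4) here. */
    if (file_len - 4 != pixels) return IMG_LENGTH_MISMATCH;
    uint8_t *buf = malloc(pixels);
    if (!buf) return IMG_NO_MEMORY;
    memcpy(buf, file + 4, pixels);  /* copy exactly what was allocated */
    *out = buf;
    *out_len = pixels;
    return IMG_OK;
}

/* Constructed samples: a valid 2x2 image, and the same header with 8 extra
 * bytes appended after the pixels, where the post says the payload sits. */
const uint8_t good_file[] = { 2, 0, 2, 0, 0x10, 0x20, 0x30, 0x40 };
const uint8_t padded_file[] = { 2, 0, 2, 0, 0x10, 0x20, 0x30, 0x40,
                                0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };
```

The dimension cap doubles as an integer-overflow guard: without it, a header claiming 65535 x 65535 would make `w * h` wrap on 32-bit `size_t` and undersize the buffer even in the "checked" version.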