Malware in presets?

For discussion and announcements of soundware - patches, presets, soundsets, soundbanks, loop libraries, construction kits, MIDI libraries, etc.
KVRian
893 posts since 27 Apr, 2012

Post Wed Apr 28, 2021 9:56 am

chk071 wrote:
Wed Apr 28, 2021 9:45 am
wangeroge wrote:
Wed Apr 28, 2021 9:37 am
Your DAW is executable and has rights to write on the whole hard drive. The plugins get the same rights.
The plugins don't get general rights to write into system folders...

Apart from that, the plugins also only do the things they're supposed to do (like saving their settings, or presets to the hard disk). I've never heard of a plugin which works as a malware through the DAW. If anything, the malware is in the plugin installer's executable.
The way a buffer overflow vulnerability works is you're able to load arbitrary code into memory e.g. via a file like a preset that's read as part of a program's normal operation and then hijack the process to cause it to do what you want by having it execute that code. It doesn't matter what the process is supposed to do, if this type of vulnerability is present you can make it do something else.
Softsynth addict and electronic music enthusiast.
"Destruction is the work of an afternoon. Creation is the work of a lifetime."

KVRist

Topic Starter

155 posts since 19 Aug, 2020

Post Wed Apr 28, 2021 11:43 am

Never happened. Ok, that's what I wanted to hear. Yes, I probably know too much because I am a developer. I'm probably overthinking things. But I am sure these security threats are the reason for Apple to try to change the whole system.

KVRist

Topic Starter

155 posts since 19 Aug, 2020

Post Wed Apr 28, 2021 11:58 am

The only reason it never happened is probably because there are so many plugins and they can only infect a few people with free presets.

KVRian
893 posts since 27 Apr, 2012

Post Wed Apr 28, 2021 12:49 pm

wangeroge wrote:
Wed Apr 28, 2021 11:43 am
Never happened. Ok, that's what I wanted to hear. Yes, I probably know too much because I am a developer. I'm probably overthinking things. But I am sure these security threats are the reason for Apple to try to change the whole system.
I am definitely not the definitive source on what has happened but I've followed audio software-related stuff since 2012 and never once heard of anything like this. It didn't even occur to me as a possibility until I saw this thread.
Softsynth addict and electronic music enthusiast.
"Destruction is the work of an afternoon. Creation is the work of a lifetime."

KVRist

Topic Starter

155 posts since 19 Aug, 2020

Post Wed Apr 28, 2021 1:29 pm

Oh, oh. I hope I haven't opened a can of worms… :?

AnX
KVRAF
9393 posts since 17 Nov, 2015

Post Thu Apr 29, 2021 12:28 am

the presets are safe, guaranteed.

KVRian
1051 posts since 13 Mar, 2008 from Arnhem, Netherlands

Post Mon May 03, 2021 11:56 am

AnX wrote:
Wed Apr 28, 2021 9:23 am
so you expect every company to check every free preset on the net?

not gonna happen

try this

https://www.malwarebytes.com/mwb-download/
I think the line of thought is that the synth checks if the parameter settings it's receiving through the preset/fxp are valid values for it.
If not, the file could contain malicious code.
In that case the plugin wouldn't load the code but block it as invalid.

This kind of thing is common in business software applications.
Demo/soundtrack work: https://soundcloud.com/antaln
My post/prog rock band: http://www.sylvium.com

AnX
KVRAF
9393 posts since 17 Nov, 2015

Post Mon May 03, 2021 12:33 pm

[image]

KVRer
5 posts since 5 May, 2021

Post Wed May 05, 2021 4:04 pm

AnX wrote:
Wed Apr 28, 2021 8:02 am
wangeroge wrote:
Wed Apr 28, 2021 7:57 am
the link is still on the KVR forum
where?
Best not to touch the files. You don't exactly know what is in those files. You might try talking to professionals about those files before downloading them.

KVRAF
15390 posts since 16 Sep, 2001 from Las Vegas,USA

Post Wed May 05, 2021 5:14 pm

Just what kind of "professionals" would you talk to? The person who made those files has posted in this thread. The files are safe but if you're still concerned run the zip file through VirusTotal:

https://www.virustotal.com/gui/home/upload
None are so hopelessly enslaved as those who falsely believe they are free. Johann Wolfgang von Goethe

AnX
KVRAF
9393 posts since 17 Nov, 2015

Post Wed May 05, 2021 10:07 pm

Down102 wrote:
Wed May 05, 2021 4:04 pm
AnX wrote:
Wed Apr 28, 2021 8:02 am
wangeroge wrote:
Wed Apr 28, 2021 7:57 am
the link is still on the KVR forum
where?
Best not to touch the files. You don't exactly know what is in those files. You might try talking to professionals about those files before downloading them.
sock puppetry :lol:

KVRAF
15390 posts since 16 Sep, 2001 from Las Vegas,USA

Post Thu May 06, 2021 5:03 am

What was the clue that gave him away? I would have never guessed.
None are so hopelessly enslaved as those who falsely believe they are free. Johann Wolfgang von Goethe

KVRian
1334 posts since 1 Aug, 2006 from Italy

Post Sun May 09, 2021 3:44 pm

Anyway, why would anybody use presets for a VST plugin for such purposes? I mean: it looks like a very narrow target (the user base of a specific plugin with a vulnerability would have to download a certain preset...) and probably not really worth the effort...
I think a cyber criminal would rather use an unsafe website/hosting service and take advantage of browsers' vulnerabilities, or perhaps add some "unwelcome surprises" to "the forbidden word you know what I mean" software.

Cyber criminals either target a specific person/organization (for very specific reasons/goals - and then they will do whatever it takes to reach their goals) or they go fishing in the middle of the mass. In this second case, they'd better be "effective", so it's not that smart for them to target a small user base and to have as a requirement the execution of a very specific/unlikely behaviour (downloading a certain preset and opening it), maybe also in a reasonable amount of time (not just a user every few months)... reaching a selected/small group of people may be a smart way to fly under the radar, but I think a cyber criminal would probably look for something more effective. That's not to say that cyber criminals will never do something like this (they may want to just prove a point), but usually they are money-driven, so it's more likely they focus their effort on things that may reach a lot of people in a reasonable amount of time and bring them money.


As a rule of thumb, if you don't know/trust the source, you'd better avoid downloading/interacting in any way. Instead, if you know/trust the source, then you should apply all the usual safety measures (look if there's something looking suspicious, scan for "unwelcome surprises"...) without lowering your attention (using knowledge/trust is a common strategy to make you do things you wouldn't usually do).
