Here’s an interesting infection vector, used by a new malware: it’s a QuickTime movie!
McAfee VirusScan detects the malware as JS/SpaceTalk Trojan. The description for this malware is empty, so your guess about its characteristics is as good as mine.
Interested in the details? Read on!
This Myspace page (of a French rock band) has an embedded QuickTime movie. Here’s the EMBED HTML tag in the source (I changed the formatting to make it more readable):
The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case, the movie is hidden (attribute hidden is true). It’s a QuickTime movie, downloaded from the profileawareness.com server.
The syntax for an HREF track is simple; here’s an example that automatically loads the page http://www.google.com 1 minute into the movie:
Let’s take a look inside the tys4.mov QuickTime movie. First we use the strings command to dump all strings contained in this QuickTime file.
Here is what we see at the end of the dump:
The script is simple: it creates a script tag and adds it to the HTML page, thereby downloading and executing a new script from the profileawareness server:
It’s this script that is detected by McAfee (at the moment of writing, McAfee was the only antivirus on VirusTotal to detect this script).
The QuickTime file format is a binary, hierarchical stream of atoms.
Qtatomizer is a tool to display this hierarchy of atoms.
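As an added illustration (not code from the original post, and not Qtatomizer itself), here is a minimal atom walker in Python: it lists the atom hierarchy the way an atom viewer would and flags leaf atoms whose payload contains a URL, which is where an HREF track’s link data ends up. The sample movie bytes are constructed inline and are not the real tys4.mov; CONTAINERS is an assumed subset of the container atom types.

```python
import re
import struct

# Container atoms whose payload is a list of child atoms (assumed common subset of the spec).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"dinf", b"stbl", b"udta", b"edts"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def walk_atoms(data, start=0, end=None, depth=0):
    """Yield (depth, type, offset, size, payload) per atom, descending into containers."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1 and pos + 16 <= end:       # 64-bit extended size follows the type
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                         # atom runs to the end of its container
            size = end - pos
        if size < header or pos + size > end:   # truncated file or lying size field
            raise ValueError(f"bad atom size {size} at offset {pos}")
        payload = data[pos + header:pos + size]
        yield depth, kind, pos, size, payload
        if kind in CONTAINERS:
            yield from walk_atoms(data, pos + header, pos + size, depth + 1)
        pos += size

def atom_tree(data):
    """Indented listing of the atom hierarchy, in the spirit of an atom viewer's output."""
    return "\n".join(f"{'  ' * d}{k.decode('latin-1')} @{o} ({s} bytes)"
                     for d, k, o, s, _ in walk_atoms(data))

def find_urls(data):
    """(atom type, url) for every URL-looking string inside a leaf atom's payload."""
    return [(k.decode("latin-1"), m.decode("ascii"))
            for _, k, _, _, p in walk_atoms(data) if k not in CONTAINERS
            for m in URL_RE.findall(p)]

def _atom(kind, payload=b""):
    return struct.pack(">I", 8 + len(payload)) + kind + payload

# Constructed sample (not the real tys4.mov): a text track plus sample data carrying a URL.
HREF_TEXT = b"http://profile.example.invalid/track.html"
SAMPLE_MOV = (
    _atom(b"ftyp", b"qt  " + b"\0" * 4 + b"qt  ")
    + _atom(b"moov", _atom(b"mvhd", b"\0" * 100)
            + _atom(b"trak", _atom(b"tkhd", b"\0" * 84)
                    + _atom(b"mdia", _atom(b"hdlr", b"\0" * 8 + b"text" + b"\0" * 12))))
    + _atom(b"mdat", struct.pack(">H", len(HREF_TEXT)) + HREF_TEXT)
)
```

Running `atom_tree(SAMPLE_MOV)` prints one line per atom with its nesting depth, offset and size; `find_urls(SAMPLE_MOV)` returns the URL found in the mdat payload, the same thing the strings dump surfaces but tied to the atom it lives in.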
The QuickTime movie is what is known as a Downloader, but AV programs do not detect it.
The downloaded script is just spyware: it collects data about the Myspace user viewing the page and uploads it to the profileawareness server.
To summarize the actions:
• You visit a website
• It plays a hidden QuickTime movie