TrendLabs Malware Blog (Trend Micro)

QuickTime Player (version 7.6.6) allows movie files to trigger the download of files, and cybercriminals are using this to download malware from malicious websites.

Trend Micro threat research engineer Benson Sy encountered two .MOV files (salt dvdrpi [btjunkie][xtrancex].mov and 001 Dvdrip Salt.mov) that both posed as the recent movie Salt, starring Angelina Jolie. Both looked suspicious because of their relatively small size compared with regular movie files.

When the movie files are loaded in QuickTime, they do not show any live-action footage; instead they lead users to download malware posing as either a codec update or another media player installer. We are still investigating whether the malware exploits a vulnerability or uses a known QuickTime feature to download other malware.

The first .MOV file connects to http://{BLOCKED}.{BLOCKED}.53.196/stat1/pix1.php, which redirects to http://{BLOCKED}.{BLOCKED}.8.120/cms/976/1/QuickTime_Update_KB640110.exe. It then asks the user to save or run the file. Trend Micro detects this as TROJ_TRACUR.SMDI.


The second .MOV file connects to http://play.{BLOCKED}nstaller.com/0.c, which points to http://player.{BLOCKED}nstaller.com/d77.php. It then downloads a file that Trend Micro detects as TROJ_DLOAD.QWK. Similarly, it asks the user to save or run the file.


Trend Micro users are protected from this attack via the Trend Micro™ Smart Protection Network™, which blocks the malicious URLs to prevent the download of malicious files onto the system.

Update as of July 30, 2010, 1:57 p.m. (UTC):

Trend Micro detects the two .MOV files (001 Dvdrip Salt.mov and salt dvdrpi [btjunkie][xtrancex].mov) as TROJ_QUICKTM.A. As of this writing, we’ve contacted Apple regarding this issue.

Update as of July 30, 2010, 8:07 p.m. (UTC):

Upon execution, TROJ_DLOAD.QWK downloads a .CAB file, which installs the Tango Toolbar and its components. The .CAB file also contains binaries that Trend Micro detects as TROJ_DLOADR.TAN and TROJ_DLOADR.GAB, respectively.

Update as of July 30, 2010, 8:42 p.m. (UTC):

According to Apple, the two .MOV files do not make use of an exploit; instead, “they rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is not related to the vulnerability reported by Secunia.”

Update as of August 2, 2010, 1:00 p.m. (UTC):

According to Threats Analyst Brian Cortes, these malicious files appear to be using a feature of the QuickTime specification known as wired actions, which allows QuickTime files to take certain actions, in this case opening a URL. This is roughly analogous to the /launch feature in PDF files that was abused by malware earlier this year.

However, this feature does not appear to be implemented in all media players that can play QuickTime files. Testing with the VLC media player indicates that VLC does not implement it.
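As an added illustration, not part of the original post and not Trend Micro's own tooling, the Python below shows how a defender can triage a .MOV file for the behaviour described above before it ever reaches a player: it walks the QuickTime atom tree (4-byte big-endian size plus 4-byte type, with the 64-bit and to-end-of-file size cases handled), flags sprite media tracks (handler subtype 'sprt', the media type in which wired actions are carried), counts occurrences of the wired-action tag strings 'actn' and 'whic', and extracts any URL strings. The two sample files are constructed inline; the action blob inside the suspect sample is a simplified stand-in for the real wired-sprite encoding (a QT atom container inside the sprite samples, which this example does not parse), and the action code 6144 is an assumed value for kActionGoToURL. The URL in the sample is a constructed placeholder, not one from the post.

```python
import re
import struct

# Atoms whose payload is itself a sequence of atoms (QuickTime container atoms).
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}
SPRITE_MEDIA = b"sprt"          # handler subtype of sprite media tracks
ACTION_TAGS = (b"actn", b"whic")  # wired-action atom tags ("action", "which action")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable, non-space characters only


def iter_atoms(data, start=0, end=None, depth=0):
    """Yield (depth, type, payload_start, atom_end) for each atom in data[start:end]."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, atype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:                       # 64-bit extended size follows the type
            if pos + 16 > end:
                break
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:                     # atom runs to the end of its container
            size = end - pos
        if size < header or pos + size > end:
            break                           # malformed size: stop instead of looping
        yield depth, atype, pos + header, pos + size
        if atype in CONTAINER_ATOMS:
            yield from iter_atoms(data, pos + header, pos + size, depth + 1)
        pos += size


def analyze(data):
    """Return a triage report: atom layout, sprite tracks, action tags and URLs."""
    report = {"atoms": [], "sprite_tracks": 0, "urls": [], "action_tags": 0}
    for depth, atype, start, end in iter_atoms(data):
        report["atoms"].append((depth, atype))
        # hdlr layout: version/flags(4), component type(4), component subtype(4), ...
        if atype == b"hdlr" and end - start >= 12 and data[start + 8:start + 12] == SPRITE_MEDIA:
            report["sprite_tracks"] += 1
    report["urls"] = [m.decode("ascii", "replace") for m in URL_RE.findall(data)]
    report["action_tags"] = sum(data.count(tag) for tag in ACTION_TAGS)
    # A URL alone is weak evidence (udta metadata may carry one); a URL together
    # with sprite media or action tags is what the post's samples look like.
    report["suspicious"] = bool(report["urls"]) and (
        report["sprite_tracks"] > 0 or report["action_tags"] > 0)
    return report


# --- constructed sample files (not the real samples from the post) -----------
def _atom(atype, payload):
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


def _hdlr(subtype):
    # version+flags, component type 'mhlr', subtype, 12 reserved bytes, empty name
    return _atom(b"hdlr", b"\x00\x00\x00\x00" + b"mhlr" + subtype + b"\x00" * 12 + b"\x00")


def _build(subtype, udta_payload=b""):
    moov = _atom(b"trak", _atom(b"mdia", _hdlr(subtype)))
    if udta_payload:
        moov += _atom(b"udta", udta_payload)
    return (_atom(b"ftyp", b"qt  " + b"\x00\x00\x00\x00" + b"qt  ")
            + _atom(b"moov", moov)
            + _atom(b"mdat", b"\x00" * 32))


CONSTRUCTED_URL = "http://update.example.invalid/QuickTime_Update.exe"   # placeholder
ASSUMED_GOTO_URL_ACTION = 6144   # assumed code for kActionGoToURL

SAMPLE_BENIGN = _build(b"vide")   # ordinary video track, no URL
SAMPLE_SUSPECT = _build(
    b"sprt",
    b"actn" + b"whic" + struct.pack(">I", ASSUMED_GOTO_URL_ACTION)
    + b"parm" + CONSTRUCTED_URL.encode() + b"\x00")

if __name__ == "__main__":
    for name, blob in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        r = analyze(blob)
        print(f"{name}: suspicious={r['suspicious']} sprite_tracks={r['sprite_tracks']} "
              f"action_tags={r['action_tags']} urls={r['urls']}")
        for depth, atype in r["atoms"]:
            print("  " * (depth + 1) + atype.decode("latin-1"))
```

The walker deliberately stops at a malformed size rather than skipping ahead, so a truncated or hostile atom cannot send it into an infinite loop; for a real triage pipeline, the sprite-track check is the higher-confidence signal, and the raw tag and URL scans are there to catch actions that sit inside sample data the atom walk does not descend into.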
