Last week, we reported a new kind of attack that uses specially crafted .MOV files and a certain feature in QuickTime to trick users into downloading malware. The attack raised some questions about how it was done and whether or not an exploit was used. To clear things up, here are the answers to some questions you may have in mind:
Where was this type of threat initially found?
Trend Micro encountered the QuickTime .MOV files from peer-to-peer (P2P) networks such as LimeWire and torrent portals.
What happens when the user opens the .MOV files using QuickTime? How about when using other media players?
Opening the said .MOV files in QuickTime triggers the loading of certain URLs, which lead to the download of malicious files detected by Trend Micro as TROJ_TRACUR.SMDI and TROJ_DLOAD.QWK. The .MOV files themselves are detected as TROJ_QUICKTM.A. The functionality to load URLs from .MOV files does not appear to be implemented in every media player that can play QuickTime files; testing with the VLC media player indicates that this particular feature is not implemented there.
Was this done through an exploited vulnerability?
This did not exploit a vulnerability, contrary to speculation. It instead abused an existing QuickTime feature that opens URLs while a .MOV file is played back. The feature exists for the purpose of interactivity and sits at the same level as the scripting controls (better known as “wired actions”) used to replay a movie from the start, jump to the end, skip forward or back, or set the movie volume.
Wired actions are triggered by specific events while the movie is played or by user interaction. In this attack, the wired action was a connection to a URL, and the event used to trigger it was the loading of a movie frame. The URL is therefore accessed whenever the .MOV file is loaded.
This threat is similar to those that used the PDF /launch feature, in that it also turned a valid feature to malicious use. As in the /launch incidents, the fact that a valid feature is abused makes this a more relevant threat: creating .MOV files that connect to URLs requires no special technical knowledge and can be done easily, so cybercriminals could very easily build a construction kit that generates malicious QuickTime movies in batches.
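Because the URL is carried inside the movie file itself, a triage step a defender can take is to walk the QuickTime atom tree of a suspect .MOV and flag any atom payload that contains a URL string. The following is an added example (not Trend Micro's code): it parses the standard atom layout (32-bit size, 4-byte type, optional 64-bit extended size) and scans leaf atoms for URLs. The sample file is constructed inline and places the URL in a 'dref' data reference rather than reproducing the wired-action encoding, which the scanner does not need to know.

```python
import re
import struct
# QuickTime atoms that are pure containers: their payload is a sequence of child atoms.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # scheme followed by printable, non-space bytes

def iter_leaf_atoms(buf, start=0, end=None, path=()):
    """Walk the atom tree and yield (path, payload) for every non-container atom."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:  # 64-bit extended size follows the type field
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:  # atom runs to the end of the enclosing region
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed atom {kind!r} at offset {pos}")
        here = path + (kind.decode("latin-1"),)
        if kind in CONTAINER_ATOMS:
            yield from iter_leaf_atoms(buf, pos + header, pos + size, here)
        else:
            yield here, buf[pos + header:pos + size]
        pos += size

def find_embedded_urls(buf):
    """Return [(atom path, url)] for every URL-looking string found in a leaf atom."""
    hits = []
    for path, payload in iter_leaf_atoms(buf):
        for m in URL_RE.finditer(payload):
            hits.append(("/".join(path), m.group().decode("latin-1")))
    return hits

def atom(kind, payload):
    """Build one atom: big-endian 32-bit size (header included), 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed sample, not a real movie. The URL is placed in a 'dref' data reference
# (a real atom type that may carry a URL); the wired-action encoding is not reproduced.
URL = b"http://example.invalid/codec_update.exe\x00"
DREF = atom(b"dref", b"\x00" * 4 + b"\x00\x00\x00\x01" + atom(b"url ", b"\x00\x00\x00\x01" + URL))
SAMPLE_MOV = (
    atom(b"ftyp", b"qt  " + b"\x00" * 4 + b"qt  ")
    + atom(b"moov", atom(b"mvhd", b"\x00" * 100)
           + atom(b"trak", atom(b"mdia", atom(b"minf", atom(b"dinf", DREF)))))
    + atom(b"mdat", b"\xff" * 16)
)
```

Running `find_embedded_urls` over a real sample gives the atom path of each hit, which tells an analyst where in the file structure the URL lives and whether it belongs there.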
What are the common characteristics of threats similar to this?
This type of threat relies heavily on social engineering techniques to urge users to download and view the file and to keep them from suspecting that any malicious activity is going on. It uses the latest movie attraction as its file name, in this case “Salt” starring Angelina Jolie, as well as keywords such as DVDrip, xtrancex, and btjunkie, which are likely top search tokens on torrent or P2P sharing sites. It then displays text such as “Please install Media Song Player” or “Error:codec update is required” in the window title once the user loads the file in QuickTime, so that users will allow the download and execute the file.
What should users do to prevent system infection?
Since this kind of malicious file is, and will typically be, deployed through P2P sharing sites, users are advised to refrain from downloading files from illegal file-sharing sites. Aside from the fact that it is illegal, the files shared on these portals are unregulated and may contain unverified and possibly malicious components.
Users should also double-check the legitimacy of product updates before downloading and installing them. If there is a product update for QuickTime, as the malware in this case suggests, Apple should provide official information on its website. If no patch or update announcement has been made, do not install it.
Do you have any other questions about this threat? Just put them in the comment box below this post and we will try our best to address them.