    Author Archive - Marco Dela Vega (Threats Researcher)

    QuickTime Player (version 7.6.6) allows movie files to trigger the download of files and cybercriminals are using this to download malware from malicious websites.

    Trend Micro threat research engineer Benson Sy encountered two .MOV files (salt dvdrpi [btjunkie][xtrancex].mov and 001 Dvdrip) that both used the recent movie Salt, starring Angelina Jolie, as a lure. They look suspicious because of their relatively small size compared with regular movie files.

    When the movie files are loaded in QuickTime, they don’t show any live-action scenes; instead they lead users to download malware posing as either a codec update or another player’s installer. We are still investigating whether the malware exploits a vulnerability or uses a known functionality to download other malware.

    The first .MOV file connects to http://{BLOCKED}.{BLOCKED}.53.196/stat1/pix1.php, which redirects to http://{BLOCKED}.{BLOCKED}.8.120/cms/976/1/QuickTime_Update_KB640110.exe. It then asks the user to save or run the file. Trend Micro detects this as TROJ_TRACUR.SMDI.


    On the other hand, the second .MOV file connects to http://play.{BLOCKED}, which points to http://player.{BLOCKED}. It then downloads a file that Trend Micro detects as TROJ_DLOAD.QWK. Similarly, it asks the user to save or run the file.


    Trend Micro users are protected from this attack via the Trend Micro™ Smart Protection Network™, which blocks the malicious URLs to prevent the download of malicious files onto the system.

    Update as of July 30, 2010, 1:57 p.m. (UTC):

    Trend Micro detects the two .MOV files (001 Dvdrip and salt dvdrpi [btjunkie][xtrancex].mov) as TROJ_QUICKTM.A. As of this writing, we’ve contacted Apple regarding this issue.

    Update as of July 30, 2010, 8:07 p.m. (UTC):

    Upon execution, TROJ_DLOAD.QWK downloads a .CAB file, which installs the Tango Toolbar and its components. The .CAB file also contains binaries that Trend Micro detects as TROJ_DLOADR.TAN and TROJ_DLOADR.GAB.

    Update as of July 30, 2010, 8:42 p.m. (UTC):

    According to Apple, the two .MOV files do not make use of an exploit, instead “they rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is not related to the vulnerability reported by Secunia.”

    Update as of August 2, 2010, 1:00 p.m. (UTC):

    According to Threats Analyst Brian Cortes, these malicious files appear to be using a feature in the QuickTime specification known as wired actions, which allows QuickTime files to take certain actions, in this case going to a URL. This is roughly analogous to the /launch feature in PDF files that was abused by malware earlier this year.

    However, this feature does not appear to be implemented in all media players that are compatible with Quicktime files. Testing with the VLC media player indicates that this particular feature is not implemented.
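The post flags two observable traits of these files: they are far smaller than a real movie, and they carry a URL that QuickTime navigates to. The following triage script is an added example, not Trend Micro's tooling or anything from the post; it walks a QuickTime file's atom tree (the 32-bit size plus four-character type headers of the container format) and reports how little of the file is actual media data (`mdat`) and whether any absolute URL is stored in a non-media atom. It does not parse wired-action atoms themselves (the post gives no structure for them); the container-atom subset, the URL pattern, the 50% media-data threshold and the constructed sample file are all assumptions of this example.

```python
import re
import struct

# Assumption: a common subset of QuickTime container atoms (the full format has
# more). Children of these atoms are parsed; everything else is treated as a leaf.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"dinf", b"udta", b"edts"}

# Heuristic: an absolute http(s) URL stored as printable ASCII inside a leaf atom.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def iter_atoms(buf, start=0, end=None, depth=0):
    """Yield (depth, type, payload) for each atom in buf[start:end].

    Atom header: 4-byte big-endian size (header included) + 4-byte type.
    size == 1 means a 64-bit size follows; size == 0 means 'to end of buffer'.
    """
    if end is None:
        end = len(buf)
    pos = start
    while pos + 8 <= end:
        size, atype = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:
            if pos + 16 > end:
                raise ValueError(f"truncated extended atom at offset {pos}")
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed atom {atype!r} at offset {pos}")
        payload = buf[pos + header:pos + size]
        yield depth, atype, payload
        if atype in CONTAINER_ATOMS:
            yield from iter_atoms(buf, pos + header, pos + size, depth + 1)
        pos += size


def triage_mov(buf, min_media_ratio=0.5):
    """Report the two indicators from the post: URLs stored outside the media data
    and how little of the file is media data (mdat). Returns the URLs found, the
    media-data ratio and a list of finding labels."""
    urls = []
    mdat_bytes = 0
    for _depth, atype, payload in iter_atoms(buf):
        if atype == b"mdat":
            mdat_bytes += len(payload)
        elif atype not in CONTAINER_ATOMS:
            urls.extend(m.decode("ascii", "replace") for m in URL_RE.findall(payload))
    ratio = mdat_bytes / len(buf) if buf else 0.0
    findings = []
    if urls:
        findings.append("url-in-metadata")
    if ratio < min_media_ratio:
        findings.append("little-media-data")
    return {"urls": urls, "media_ratio": ratio, "findings": findings}


def atom(atype, payload):
    """Serialize one atom with a 32-bit size header."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


def build_sample(media_bytes=16, url=b"http://download.example.invalid/codec_update.exe"):
    """Constructed sample (not one of the .MOV files from the post): a tiny 'movie'
    whose user-data comment atom carries a URL and whose mdat is nearly empty.
    Pass url=None and a larger media_bytes for a benign-looking file."""
    ftyp = atom(b"ftyp", b"qt  " + b"\x00\x00\x02\x00" + b"qt  ")
    udta_children = atom(b"\xa9cmt", url) if url else b""
    moov = atom(b"moov", atom(b"mvhd", b"\x00" * 100) + atom(b"udta", udta_children))
    mdat = atom(b"mdat", b"\x00" * media_bytes)
    return ftyp + moov + mdat


if __name__ == "__main__":
    for label, sample in (("lure-like", build_sample()), ("benign-like", build_sample(4096, None))):
        result = triage_mov(sample)
        print(f"{label}: media_ratio={result['media_ratio']:.2f} "
              f"findings={result['findings']} urls={result['urls']}")
```

Run against a directory of downloaded .MOV files, a hit on both findings is a good reason to pull the file for analysis before anyone opens it in a player that honours the navigation feature; a real movie of the advertised length will have an `mdat` that dominates the file size. The ratio threshold is deliberately coarse and should be tuned on known-good samples before use as an alert rule.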
