Monday, March 19, 2007

MySpace problems with QuickTime.

With the sophistication of malware attacks on the rise, the bad guys are continuously looking for newer infection vectors. Every new attack is tailored to the attacker's needs: who the targets will be, which social engineering techniques will lure the victim, and which exploit will be used.

The latest targets are unsuspecting fans of the French rock band MAMASAID who, upon visiting a MySpace account promoting the music group, get the trojan JS/SpaceStalk installed on their computers via a known insecure feature in QuickTime called HREF Tracks. The technique used here does not rely on a vulnerability but rather on a feature of the QuickTime player that allows links to be opened automatically when the movie is run. Such a link could be misused to point to malicious websites hosting exploit code.

A detailed view of the rigged QuickTime file shows that it automatically executes JavaScript hosted on an external website when the movie is played. Once executed, the script transmits personal information of the visiting MySpace user to the attacker. As the website being contacted is normally controlled by the malware author, any script being downloaded and executed can be modified remotely, and the behavior of these new scripts altered to perform further malicious actions.

Very few people hesitate to view a movie file. Given that QuickTime is a popular application on the web, the return on investment for malware authors makes it an attractive infection vector. At this moment it seems that the latest QuickTime doesn't have this feature anymore!
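
To triage a suspect movie for the auto-opening links described above, the following added example (not part of the original post) scans a file's bytes for HREF track entries. It assumes the QuickTime HREF track text syntax `A<url> T<target>`, where the leading `A` marks a link that loads without a click, and that the text samples are stored uncompressed; the sample bytes and function name are constructed for illustration.

```python
import re

# HREF track text samples look like "[time] A<url> T<target>".
# Assumption: samples sit in the file as plain, uncompressed text.
HREF_RE = re.compile(
    rb"(?<![A-Za-z0-9])(A?)<([^<>\x00-\x1f]{4,2048})>"
    rb"(?:\s*T<([^<>\x00-\x1f]{0,64})>)?"
)
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def find_hrefs(data: bytes) -> list:
    """Return one finding per HREF-style link found in the movie bytes."""
    findings = []
    for m in HREF_RE.finditer(data):
        url = m.group(2).decode("latin-1").strip()
        scheme = SCHEME_RE.match(url)
        if scheme is None:  # angle brackets in binary data, not a URL
            continue
        auto = m.group(1) == b"A"
        name = scheme.group(1).lower()
        if auto and name == "javascript":
            severity = "high"    # script runs as soon as the movie plays
        elif auto:
            severity = "medium"  # page or movie opens without a click
        else:
            severity = "low"     # link needs a user click
        findings.append({
            "offset": m.start(),
            "auto": auto,
            "scheme": name,
            "url": url,
            "target": (m.group(3) or b"").decode("latin-1"),
            "severity": severity,
        })
    return findings


# Constructed sample: a fake header followed by three HREF text samples.
SAMPLE = (
    b"\x00\x00\x00\x20ftypqt  " + b"\x00" * 8
    + b"[00:00:00.00] A<javascript:void(0)> T<_self>\r"
    + b"[00:00:05.00] <http://band.example/tour> T<_blank>\r"
    + b"[00:00:09.00] A<http://cdn.example/next.mov> T<myself>\r"
)

if __name__ == "__main__":
    for f in find_hrefs(SAMPLE):
        print(f["severity"], f["offset"], f["url"], f["target"])
```

A hit is a lead for manual review, not a verdict: legitimate movies also use HREF tracks, and a compressed movie header would hide the text from this scan.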