Quicktime,malicious movies and Angelina Jolie

No, I'm not casting aspersions about the acting ability of Ms Jolie.

Yesterday I blogged on the independent Mac Virus site about a threat making use of .MOV (movie) files. That blog refers to a report by Trend Micro's Marco Dela Vega that criminals are making use of the fact that Quicktime Player 7.6.6 allows movie files to trigger file downloads.

The original report concerns two files (“001 Dvdrip Salt.mov” and “salt dvdrpi [btjunkie][xtrancex].mov”) using interest in Angelina Jolie’s movie “Salt” to trick victims into downloading malware masquerading as a codec update or another player installation.

Our labs have also been working on this malware, and the following is a summary of information provided by Head of Lab Juraj Malcho.

 In addition to the two files mentioned above a number of others that were discovered during subsequent analysis: they're detected by ESET as MOV/Exploit.QuickTime.A. .

The movies download a configurable Trojan downloader, which in turn downloads:

1. other movies-exploits that point to downloader binaries, each movie pointing to a unique file
2. torrents/archives with the binary downloader inside a zip archive with some fake info

We detect the binaries generically as Win32/Kryptik.FTZ trojan, but individual binaries may also be detected more specifically as Win32/TrojanDownloader.Agent.QCZ, Win32/TrojanDownloader.Agent.PDY, and even the Win32/Dursg.B Trojan (Win32/Dursg.A made it into the July ThreatSense report about to be published here as number 8 in the Top Ten threats). .

Analysis of the configuration files obtained so far suggests that there are a number of substrings that can be used to generate names for malicious .MOV files. These will be part of the actual filenames used rather than the full filename. Here's a partial list:

[BuBanee].mov
[rogercc].mov
[xxSmokExx].mov
[DaLvaL_696].mov
[spicemix].mov
.[mjabba].mov
.DjLeaK].mov
.[SCTV83].mov
[zibbik].mov
[btjunkie][xtrancex].mov
[Club.World.Music][mininova].mov
[monova][dr.hass].mov
(less_mucca).mov
.(DeepStyleZ).mov
(kimmiboi).mov
[lull00657].mov
[ClydeL].mov
[DMXCrew].mov
(joethehob0).mov
[ShoalinMac29].mov
.[DjLellone].mov
.[neonrainbow].mov
.[FalconFour].mov
[Piradoxlanieve].mov
[f_crewger].mov
[tural1992].mov
[dragan555].mov
(David_PL99).mov
.(fernand4563).mov
(bullmonk).mov
.Horrorspoke.mov
lilazzhole.mov
wakotheklown.mov
Jesper.sv.mov
zurera.mov
jainmehul.mov
frapper.tpb.mov
peck1234.mov
TechKiing.mov
LBChicago.mov
raveenf.mov
luvingfreeedom.mov

Strings used for torrent files are also present, but so generic that there's little point in listing them. However, several of them seem to be aimed at the segment of torrent users who are interested in dubious (and risky) items such as cracks and keygens.

Juraj tells us that the volume of reports picked up our ThreatSense.Net® telemetry suggests the likelihood of significant prevalence, though by no means an epidemic right now.

 Trend quotes Apple as saying that the .MOV files (or at any rate the two reported by Trend) do not make use of an exploit,, “they rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is not related to the vulnerability reported by Secunia.”

[Tip of the hat to Ivan Macalintal for drawing my attention to this issue in the first place.]

David Harley CITP FBCS CISSP
ESET Senior Research Fellow