December 3rd, 2007

QuickTime zero-day attacks intercepted

Posted by Ryan Naraine @ 8:21 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Microsoft, Passwords, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spam and Phishing, Viruses and Worms, Vulnerability research, Windows Vista

Tags: Apple QuickTime, Vulnerability, Malware, Zero-day Bug, Attack, Exploitation, Digital Music, Digital Media, Security, Personal Technology

Researchers at Symantec have intercepted two different in-the-wild malware attacks targeting an unpatched code execution vulnerability in Apple’s QuickTime media player.

Honeypots in Symantec’s DeepSight Threat Management System captured the first known case of in-the-wild exploitation of the flaw on December 1st, 2007. The company has since confirmed that the attack — which plants a malicious rootkit on Windows machines — exploits a stack buffer overflow vulnerability in the way QuickTime handles the RTSP (Real Time Streaming Protocol) Content-Type header.

[ SEE: Apple QuickTime under siege ]

The flaw, publicly known since November 23, affects Windows XP SP2 and Vista, as well as Mac OS X 10.4 (Tiger) and 10.5 (Leopard). Internet Explorer, Firefox, Opera, and Safari can all facilitate exploitation via QuickTime plug-ins or protocol association.

The skinny on the attacks, via Symantec DeepSight (Warning: beware of potentially malicious sites mentioned below):

One of the observed attacks is being hosted on 85.255.117.212, which resolves to both 2005-search.com and 1800-search.com. This host is running both a web server containing malicious script code, as well as a malicious RTSP server that carries out exploitation of the Apple QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability. Although exploitation is possible over any port, this RTSP server is using the default TCP port of 554.

The attack also appears to target the more common Windows MDAC and ANI vulnerabilities, observed in the wild on a regular basis.

The host 85.255.117.213, resolving from search-biz.org, has also been seen serving the attack. This host is responsible for carrying out exploitation of the well-known Windows ANI vulnerability. Victim users appear to be redirected to this server by the host 216.255.183.59, which resolves to ourvoyeur.net. It appears that the ourvoyeur.net host is the root of this particular attack. It is possible that the domain was compromised and the embedded iframes referencing 85.255.117.213 were injected by an attacker. It’s likely that this URL is being distributed through online delivery mechanisms such as email, instant messages, and blog comment spam.

Successful exploitation executes an application called loader.exe, which is used as a backdoor to download a malicious rootkit and additional malware files.

Another attack is being hosted on the IP address 58.65.238.116. This attack involves slightly more redirection and also involves IP addresses 208.113.154.34 and 69.50.190.135.
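The two details above that matter most for detection are that the bug is triggered by an oversized RTSP Content-Type header and that, as Symantec notes, the malicious RTSP server need not sit on the default port 554. The following is an added example (not code from Symantec, Apple or this post) of a small RTSP response parser that flags an abnormally long Content-Type value so the check can be applied to captured traffic on any port. The 256-byte threshold, the `content_type_alerts` function name and the two sample responses are constructed assumptions for the example.

```python
"""Flag RTSP responses carrying an abnormally long Content-Type header.

Added detection example; not Symantec's, Apple's or the article's code.
The threshold and the sample responses below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed threshold: legitimate Content-Type values such as "application/sdp"
# are a few dozen bytes, so anything far beyond that deserves an alert.
MAX_CONTENT_TYPE_LEN = 256
CRLF = b"\r\n"


@dataclass
class RtspResponse:
    status_line: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased name -> value
    body: bytes = b""


def parse_rtsp_response(raw: bytes) -> RtspResponse:
    """Parse the status line and headers of one RTSP response.

    Header values are kept as Python strings of arbitrary length, so the
    parser itself never copies them into a fixed-size buffer.
    """
    head, _sep, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    status = lines[0].decode("latin-1", errors="replace")
    if not status.startswith("RTSP/"):
        raise ValueError("not an RTSP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        # RTSP header names are case-insensitive, so normalise them once.
        headers[name.strip().lower().decode("latin-1")] = (
            value.strip().decode("latin-1", errors="replace")
        )
    return RtspResponse(status, headers, body)


def content_type_alerts(raw: bytes, limit: int = MAX_CONTENT_TYPE_LEN) -> List[str]:
    """Return alert strings for a captured response; empty means it looks normal.

    Apply this to any TCP stream that starts with an RTSP status line, not only
    port 554, because the server can listen on an arbitrary port.
    """
    try:
        resp = parse_rtsp_response(raw)
    except ValueError as exc:
        return [f"unparseable RTSP response: {exc}"]
    alerts: List[str] = []
    ctype = resp.headers.get("content-type")
    if ctype is not None and len(ctype) > limit:
        alerts.append(f"Content-Type header is {len(ctype)} bytes (limit {limit})")
    return alerts


# Constructed sample traffic: a normal SDP reply and one with a 1200-byte
# Content-Type value (filler only, not an exploit payload).
BENIGN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 3\r\n\r\nv=0"
)
OVERSIZED = b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: " + b"A" * 1200 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, content_type_alerts(sample) or "ok")
```

Because the same check runs over every stream regardless of port, it also catches the "exploitation is possible over any port" case the DeepSight write-up warns about; a port-554-only rule would miss it.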

The discoveries come as researchers warn that QuickTime has emerged as a big target for vulnerability researchers and malicious hackers. Not counting silent (undocumented) fixes, Apple has patched at least 32 security flaws affecting QuickTime in 2007. Last year, the QuickTime patch count was 28. Five were documented in 2005.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



Talkback (29 comments; most recent shown)

No Virus
You don't necessarily know that you have never had a virus if you are not running an anti-virus scanner, now do you? After a good portion of virus infections are not obvious without an anti-virus or ...
Posted by: Computer_User_1024 | 12/07/07
This anti-Apple bias must stop  NonZealot | 12/03/07
LOL  Confused by religion | 12/03/07
I couldn't agree more.  silent.griffin | 12/03/07
Aren't you out of straw yet....  RealNonZealot | 12/03/07
Symantec rates Downloader as "very low" risk - NT  raycote | 12/03/07
RE: QuickTime zero-day attacks intercepted  Eeem | 12/03/07
Root Kit? Apple?  htotten | 12/03/07
The rootkit is for Windows  RealNonZealot | 12/03/07
Did you actually READ the article?  tikigawd | 12/04/07
intercepted or created to sell more of their products? NT  sos10@... | 12/03/07
Symantec can shove this where the sun don't shine  LinuxandMacforlife | 12/03/07
I assume that since you are accusing ...  ShadeTree | 12/03/07
Come on Shadetree you're better than that.  LinuxandMacforlife | 12/03/07
Here's the proof  LinuxandMacforlife | 12/03/07
You proved nothing!  ShadeTree | 12/03/07
Symantec webpage as proof?  LinuxandMacforlife | 12/03/07
Far more proof then what you offer.  ShadeTree | 12/04/07
Mac no way  LinuxandMacforlife | 12/04/07
No Virus  Computer_User_1024 | 12/07/07
The Bus?  supercharlie | 12/03/07
Linux is safe folks!  Linux Geek | 12/03/07
You're safe using Mac,too  LinuxandMacforlife | 12/03/07
Symantec wants your computer to be safe!  sos10@... | 12/03/07
Linux is safe?  doh123 | 12/03/07
Actually, that is a GREAT point!  NonZealot | 12/03/07
sure, and next...  doh123 | 12/03/07
I see no loss of functionality by banning Apple software  NonZealot | 12/03/07
Just checked  John Musbach | 12/04/07
Windows - Apple - who cares it is Symantec that is a POS!  JCitizen | 12/05/07
