Sunday, October 21, 2007

Advertisement Malware Alive and Well

Early this week, my girlfriend called and told me that her Anti-virus had popped up a red warning...about a detected exploit named "qt.php". I told her that it was most likely a Quicktime exploit and that she should block it.

I had updated her Quicktime the day before...so I knew it wasn't a problem.

Fast forward to today. While browsing on TinyPic.com, I got the same Anti-virus warning...so I disabled the AV and did a little research.

The page was loaded with images and a green banner at the top. I wanted to isolate the vector, so I kicked each image into its own tab...no warning. That brought the focus to the green banner ad.

I looked at the HTML source code of the page and found the piece that was injecting the random banner ad. I started up Firefox with Paros Proxy and started to hit refresh like a madman. Finally I hit the correct ad, so I moved over to Paros to see what was going on...

Not only was the ad doing some funny Quicktime stuff, it was doing some funny Windows Media Player stuff as well.

A little DNS check shows the IP is based in Russia. No shocker here.

I wget'd the qt.php file and opened it up with HexView - just to confirm that it was a Quicktime exploit.

Yep, the well-known Apple QuickTime rtsp URL Handler Stack-based Buffer Overflow, published almost 9 months ago as the first bug of the Month of Apple Bugs.
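Staring at a hex dump works, but the identification above can be automated. The script below is an added example, not the author's code and not the real qt.php from this post: it triages a captured payload for the markers of that QuickTime bug, namely a QuickTime media-link (QTL) document or QuickTime embed tag carrying an rtsp:// URL far longer than any legitimate stream address. The 256-byte cut-off and the two sample payloads are assumptions constructed for the example.

```python
"""Triage a captured ad payload for the QuickTime rtsp URL handler overflow.

Added example; the samples below are constructed, not the file from the post.
"""
import re
import sys
from typing import List

# Assumed cut-off for this triage script: real rtsp:// stream addresses are
# short, while the overflow needs a URL far longer than the handler's stack
# buffer. 256 is a heuristic chosen here, not a published constant.
RTSP_MAX_LEN = 256

# QuickTime media-link (.qtl) documents announce themselves with this prolog.
QTL_PROLOG = re.compile(
    rb'<\?quicktime\s+type="application/x-quicktime-media-link"', re.I)
# <embed>/<object> tags that hand content to the QuickTime plugin.
QT_EMBED = re.compile(
    rb"<(?:embed|object)\b[^>]*(?:video/quicktime|\.qtl\b|\bqtnext\d*=)", re.I)
# Any rtsp:// URL, terminated by whitespace, quotes or tag brackets.
RTSP_URL = re.compile(rb"rtsp://[^\s\"'<>]+", re.I)


def rtsp_urls(body: bytes) -> List[bytes]:
    """Return every rtsp:// URL found in the payload."""
    return RTSP_URL.findall(body)


def triage(body: bytes) -> List[str]:
    """Return human-readable findings for one captured response body."""
    findings = []
    if QTL_PROLOG.search(body):
        findings.append("quicktime-media-link document")
    if QT_EMBED.search(body):
        findings.append("quicktime embed/object tag")
    for url in rtsp_urls(body):
        if len(url) > RTSP_MAX_LEN:
            findings.append(f"oversized rtsp url ({len(url)} bytes)")
    return findings


def looks_like_rtsp_overflow(body: bytes) -> bool:
    """True when the payload carries an rtsp URL long enough to be the overflow."""
    return any(f.startswith("oversized rtsp url") for f in triage(body))


# Constructed sample of what a qt.php-style response could look like: a QTL
# document whose rtsp URL is 1000 bytes of filler.
MALICIOUS_QTL = (
    b'<?xml version="1.0"?>\n'
    b'<?quicktime type="application/x-quicktime-media-link"?>\n'
    b'<embed src="rtsp://' + b"A" * 1000 + b'" autoplay="true" />\n'
)

# Constructed benign embed: a short, ordinary stream address.
BENIGN_EMBED = (
    b'<embed src="rtsp://media.example.net/trailer.mov" type="video/quicktime">'
)


if __name__ == "__main__":
    # Usage: python triage_qt.py qt.php [more files...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        verdict = "SUSPECT" if looks_like_rtsp_overflow(data) else "clean"
        print(f"{path}: {verdict} {triage(data)}")
```

Run it on whatever wget pulled down; a benign QuickTime embed only reports the embed tag, while the oversized rtsp URL is what distinguishes the exploit from an ordinary trailer link.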

For good measure, I reported the file to CastleCops's MIRT team.

Moral of the Story - Keep your software updated. Even if an exploit is old and well-known, it will be used.

I really like using FileHippo's Update Checker & Secunia's Software Inspector to check for missing security patches.
