QuickTime zero-day attacks intercepted

Summary: Researchers at Symantec have intercepted two different in-the-wild malware attacks targeting an unpatched code execution vulnerability in Apple's QuickTime media player.

Honeypots in Symantec's DeepSight Threat Management System captured the first known case of exploitation of the flaw on December 1st, 2007. The company has since confirmed that the attack -- which plants a malicious rootkit on Windows machines -- exploits a stack buffer overflow vulnerability in the way QuickTime handles the RTSP (Real Time Streaming Protocol) Content-Type header.

[ SEE: Apple QuickTime under siege ]

The flaw, publicly known since November 23, dings Windows XP SP2 and Vista, as well as Mac OS X 10.4 (Tiger) and 10.5 (Leopard). Internet Explorer, Firefox, Opera, and Safari can all facilitate exploitation via QuickTime plug-ins or protocol association.
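As an added illustration (not code from the article or from Symantec), here is a small defender-side check over captured RTSP responses: it parses the response headers and flags a Content-Type value that is abnormally long or not a plausible MIME type, since that is the header the article says QuickTime mishandles. The 128-byte threshold, the function names and the sample responses are constructed assumptions for this example, not values from the page.

```python
import re
from typing import Dict, List, Tuple

# A legitimate RTSP Content-Type value is a short MIME type such as
# "application/sdp", so a very long value is worth flagging. The 128-byte
# limit is an assumed threshold for this example, not the real overflow
# bound (which the article does not give).
MAX_HEADER_VALUE_LEN = 128
MIME_TYPE_RE = re.compile(r"[\w.+-]+/[\w.+-]+(\s*;.*)?")


def parse_rtsp_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an RTSP response into its status line and a lower-cased header dict.

    Any body after the blank line is ignored; a non-RTSP status line raises.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    if not status.startswith("RTSP/"):
        raise ValueError("not an RTSP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_rtsp_response(raw: bytes, limit: int = MAX_HEADER_VALUE_LEN) -> List[str]:
    """Return findings for one captured RTSP response; an empty list means nothing odd.

    Only Content-Type is inspected: the article names it as the header whose
    handling in QuickTime has the stack buffer overflow.
    """
    _status, headers = parse_rtsp_response(raw)
    findings: List[str] = []
    ctype = headers.get("content-type")
    if ctype is None:
        return findings
    if len(ctype) > limit:
        findings.append(f"content-type value is {len(ctype)} bytes (limit {limit})")
    if not MIME_TYPE_RE.fullmatch(ctype):
        findings.append("content-type is not a well-formed MIME type")
    return findings


# Constructed sample responses for the check (not captures from the page).
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
          b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
SUSPICIOUS = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
              b"Content-Type: " + b"A" * 600 + b"\r\n\r\n")
```

Because the article notes that exploitation is possible over any port, the check deliberately takes the captured response bytes rather than relying on TCP port 554 to identify RTSP traffic.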

The skinny on the attacks, via Symantec DeepSight (Warning: beware of potentially malicious sites mentioned below):

One of the observed attacks is being hosted on 85.255.117.212, which resolves to both 2005-search.com and 1800-search.com. This host is running both a web server containing malicious script code, as well as a malicious RTSP server that carries out exploitation of the Apple QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability. Although exploitation is possible over any port, this RTSP server is using the default TCP port of 554.

The attack also appears to target the more common Windows MDAC and ANI vulnerabilities, observed in the wild on a regular basis.

The host 85.255.117.213, resolving from search-biz.org, has also been seen serving the attack. This host is responsible for carrying out exploitation of the well-known Windows ANI vulnerability. Victim users appear to be redirected to this server by the host 216.255.183.59, which resolves to ourvoyeur.net. It appears that the ourvoyeur.net host is the root of this particular attack. It is possible that the domain was compromised and the embedded iframes referencing 85.255.117.213 were injected by an attacker. It's likely that this URL is being distributed through online delivery mechanisms such as email, instant messages, and blog comment spam.

Successful exploitation executes an application called loader.exe, which is used as a backdoor to download a malicious rootkit and additional malware files.

Another attack is being hosted on the IP address 58.65.238.116. This attack involves slightly more redirection and also involves IP addresses 208.113.154.34 and 69.50.190.135.

The discoveries come as researchers warn that QuickTime has emerged as a big target for vulnerability researchers and malicious hackers. Not counting silent (undocumented) fixes, Apple has patched at least 32 security flaws affecting QuickTime in 2007. Last year, the QuickTime patch count was 28. Five were documented in 2005.

Talkback

29 comments
  • This anti-Apple bias must stop

    This story is false. It must be false because the Apple zealots have always told us that Apple is better than Microsoft because Apple patches [b]before[/b] there are exploits in the wild and here we have (yet another) case where ZDNet is reporting that there is an exploit of an Apple vulnerability with [b]no patch in sight[/b]. I refuse to believe that the Apple zealots would have lied about Apple's patching prowess so I would kindly ask that ZDNet retract this article.

    Thank you,
    A concerned citizen who believes everything Apple zealots say
    NonZealot
    • LOL

      snicker, smirk...
      Confused by religion
    • I couldn't agree more.

      Heh.
      silent.griffin
    • Aren't you out of straw yet....

      ...to make all your strawmen?
      RealNonZealot
  • Symantec rates Downloader as "very low" risk - NT

    NT
    raycote
  • RE: QuickTime zero-day attacks intercepted

    Quote:
    It's likely that this URL is being distributed through online delivery mechanisms such as email, instant messages, and blog comment spam

    ...any example?
    Eeem
  • Root Kit? Apple?

    I guess no one is perfect eh?
    htotten
    • The rootkit is for Windows

      Although the vector is QuickTime (an Apple product), this attack has no effect on Macs. So QuickTime joins the thousands of other vectors that are used to attack Windows (including Windows itself).
      RealNonZealot
      • Did you actually READ the article?

        [i]The flaw, publicly known since November 23, dings Windows XP SP2 and Vista, [b]as well as Mac OS X 10.4 (Tiger) and 10.5 (Leopard)[/b][/i]

        Also if you go to the link provided in that statement you will also read that it clearly states OS X is vulnerable. Here, I'll make it easy for you:
        http://www.us-cert.gov/cas/techalerts/TA07-334A.html

        But of course, you're still free to bask in your delusion of invulnerability.

        PS: I'll give you that the article first says only Windows is affected before it states that Tiger & Leopard are also affected. A little confusing there.
        tikigawd
  • intercepted or created to sell more of their products? NT

    NT
    sos10@...
  • Symantec can shove this where the sun don't shine

    This is all a ploy so Symantec can create more sales not only for Windows but also Leopard. Yeah I'm going to buy Norton Anti-virus or Internet Security for my Leopard. Not. Norton is a virus.
    Pug466
    • I assume that since you are accusing ...

      ... Symantec of criminal behavior that you are willing to show us proof that they in fact are guilty. Otherwise you can shove your post where the sun don't shine.
      ShadeTree
      • Come on Shadetree you're better than that.

        So where is Symantec's proof? I can make up stories, too. It looks like they got you hook, line and sinker. Come on Shadetree. You're smarter than that. They need you to buy their product so they can buy Vontu.
        Pug466
      • Here's the proof

        Yeah I have proof. I never had a single virus using a Mac. I don't even use any antivirus. I couldn't say the same thing using Windows. So where's this zero-day attack that's supposed to be running out in the wild?
        Pug466
        • You proved nothing!

          I never was infected by the blaster worm does that mean it doesn't exist? Had you bothered to look Symantec provided the details about this exploit.

          http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html.
          ShadeTree
          • Symantec webpage as proof?

            Oh so take me to their webpage as proof. Like I said, show me the virus or malware that's supposedly exist on a Unix tank called OS X.
            Pug466
          • Far more proof then what you offer.

            You have nothing but speculation on your side. Where is the denial from Apple? If this exploit doesn't exist then Apple would be protesting and threatening to sue.
            ShadeTree
          • Mac no way

            I can see this happening on a Windows platform but on a Mac I don't think so. Even if this was remotely true, a good firewall will help prevent this so-called malware from getting onto your Windows.
            Pug466
        • No Virus

          You don't necessarily know that you have never had a virus if you are not running an anti-virus scanner, now do you? After all, a good portion of virus infections are not obvious without an anti-virus or anti-spyware program. For all you know you could have a key logger or rootkit on your machine that is quietly and by stealth doing its job.
          Computer_User_1024
    • The Bus?

      I think the bus left eulc on your forehead..
      supercharlie