JS/SpaceStalk

Type: Trojan
SubType: Script
Discovery Date: 02/07/2007
Length: varies
Minimum DAT: 4958 (02/07/2007)
Updated DAT: 4958 (02/07/2007)
Minimum Engine: 5.1.00
Description Added: 02/07/2007
Description Modified: 03/16/2007 2:57 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update March 16, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/03/16/myspace_quicktime_exploit/
--

The JavaScript detected as JS/SpaceStalk is executed using a known insecure feature in QuickTime called HREF Tracks.

Information on the vulnerability which is being exploited by this script can be found here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0059

When an infected site is viewed, a hidden embedded QuickTime movie is played which takes advantage of the HREF Tracks feature in QuickTime to download and execute a JavaScript file from an external site. The script collects data about the user viewing the page and uploads it back to the author.

The sample was recently noticed in the wild being hosted on the MySpace page of a French rock band. Upon visiting the site, a hidden embedded QuickTime movie is played from the following URL:

  • http://profileaware[Removed].com/tys4.mov

As the movie is played, it automatically executes a JavaScript from the URL:

  • http://profileaware[Removed].com/logs4/sqltrack.js

The executed script collects data about the visiting MySpace user and uploads it to the following sites:

  • http://stalkertrack.com/[Removed]/connect.php
  • http://profileaware[Removed].com/logs4/connect.php

Information transmitted includes:

  • MySpace Username
  • Other logins used by the same user
  • FriendID
  • Current page URL
  • Referrer of the current page, among other fields

Note: As the website being communicated with is normally controlled by the malware author, any script downloaded and executed can be modified remotely, and the behavior of these new scripts altered to perform further malicious actions.

Symptoms

Upon execution, the script attempts to contact either of the following domains:

  • http://stalkert[Removed].com
  • http://profileaware[Removed].com
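One way to hunt in web proxy logs for the chain laid out under Characteristics (movie fetch, then script fetch, then upload to connect.php) and for contact with the Symptoms domains. This is an added example, not AVERT's code or the malware's; the log format, the log lines and the domain names are constructed placeholders standing in for the redacted hosts.

```python
"""Correlate web proxy log lines into the movie -> script -> upload chain.
Added example, not AVERT code; the log lines and domains are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholders standing in for the redacted hosting and collection domains.
WATCHLIST = {"profileaware-placeholder.example", "stalkertrack-placeholder.example"}
WINDOW = timedelta(seconds=30)          # movie fetch to upload, inclusive
ORDER = ("movie", "script", "upload")   # the chain as the description lays it out

# Constructed lines in the form "<ISO timestamp> <client IP> <method> <url>".
SAMPLE_LOG = """\
2007-02-07T10:00:01 10.0.0.5 GET http://www.myspace.com/someband
2007-02-07T10:00:02 10.0.0.5 GET http://profileaware-placeholder.example/tys4.mov
2007-02-07T10:00:03 10.0.0.5 GET http://profileaware-placeholder.example/logs4/sqltrack.js
2007-02-07T10:00:04 10.0.0.5 POST http://stalkertrack-placeholder.example/x/connect.php
2007-02-07T10:05:00 10.0.0.9 GET http://profileaware-placeholder.example/tys4.mov
2007-02-07T10:09:00 10.0.0.9 POST http://stalkertrack-placeholder.example/x/connect.php
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (https?://([^/\s]+)\S*)$")

def stage(method, host, url):
    """Name the chain stage a request represents, or None if it is unrelated."""
    if host not in WATCHLIST:
        return None
    path = url.lower()
    if method == "GET" and path.endswith(".mov"):
        return "movie"
    if method == "GET" and path.endswith(".js"):
        return "script"
    if method == "POST" and path.endswith("/connect.php"):
        return "upload"
    return None

def find_chains(log):
    """Return ({client: stages reached in order}, [clients completing the chain in WINDOW])."""
    progress = defaultdict(dict)
    for m in filter(None, map(LINE_RE.match, log.splitlines())):  # skip malformed lines
        ts, client, method, url, host = m.groups()
        s = stage(method, host.lower(), url)
        if s is None:
            continue
        reached = progress[client]
        if len(reached) < len(ORDER) and s == ORDER[len(reached)]:
            reached[s] = datetime.fromisoformat(ts)   # accept only the next expected stage
    full = [c for c, r in progress.items()
            if len(r) == len(ORDER) and r["upload"] - r["movie"] <= WINDOW]
    return {c: list(r) for c, r in progress.items()}, full
```

A client that only reaches the movie stage (10.0.0.9 in the sample) is reported with its partial progress so it can still be triaged, while only clients completing all three stages inside the window are flagged as full chains.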

Method of Infection

This trojan is installed when the user views a website hosting a malicious QuickTime movie.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

JS/SpaceStalk is a JavaScript trojan executed through the known insecure HREF Tracks feature of QuickTime (CVE-2007-0059, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0059). When an infected site is viewed, a hidden embedded QuickTime movie uses HREF Tracks to download and execute a JavaScript file from an external site; that script collects data about the user viewing the page and uploads it back to the author. As the website being communicated with is normally controlled by the malware author, any script downloaded and executed can be modified remotely, and the behavior of these new scripts altered to perform further malicious actions.

Note: This threat is proactively detected with the 4958 DATs onwards.
