Using QuickTime to Spam in P2P Land


QuickTime's "HREF tracks" feature (a method of embedding URL links in movie files so that they open at a specific point in time) is being used by an enterprising individual to pop open adverts for adult dating services from movie files obtained via P2P networks. An HREF track contains URL information that can be opened interactively or automatically, and in this case, files found on the Gnutella network are using this functionality (here's an example of someone getting hit while using Limewire). From the QuickTime site:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

In the example we have below, the movie file is called "Sex Monica Bellucci Malena". Of course, opening the movie up reveals something entirely different - what appears to be someone dancing to music:

http://blog.spywareguide.com/upload/2006/08/monbel1-thumb.jpg

About three quarters of the way through the clip (once it hits the "trigger"), an affiliate link for Adultfriendfinder.com pops open via your browser (in this case, Firefox):

http://blog.spywareguide.com/upload/2006/08/monbel2-thumb.jpg

The observant people out there will have noticed that the video clip in the above screenshot is still at the start - that's simply because by the end of the clip, most of her clothes have fallen off. If you wind the video clip back and forth with your mouse, you'll repeatedly pop open the same advert manually as you scroll.

Of course, the HREF track feature is simply doing what it's supposed to do - the interesting thing here is the possibility for someone to use it in a more malicious way. You could pop open a link to a drive-by website that tries to install software without the end-user's permission, or how about a fake "promotional video" for a bank that pops open a "security check" phishing page? There are a lot of possibilities with this one, and we should probably be thankful that people are currently only using this to spam affiliate links. It probably won't be long until someone pushes the leet hax0r button and things start to go pear-shaped...
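A defender's view of the above, as an added example that is not part of the original post or any vendor tool: a small Python scanner that walks a movie's atom tree, reports text tracks (the track type HREF tracks are built on), and lists HREF-style URLs, flagging the auto-opening ones. The `A<URL>` auto-open syntax, the track name stored in `udta/name`, the helper names and the constructed sample file are assumptions.

```python
import re
import struct

# Assumed HREF sample syntax: "<URL>" is clickable, a leading "A" auto-opens it.
HREF_RE = re.compile(rb"(A?)<((?:https?|javascript):[^<>\s]+)>")

def atoms(buf, start, end):
    """Yield (type, payload_start, payload_end) for each atom in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        head = 8
        if size == 1 and pos + 16 <= end:   # 64-bit size follows the type field
            size, head = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                     # atom extends to the end of its parent
            size = end - pos
        if size < head or pos + size > end:
            return                          # truncated or malformed: stop walking
        yield kind, pos + head, pos + size
        pos += size

def find(buf, path, start, end):
    """Return payload spans of every atom reached by following path from a span."""
    spans = [(start, end)]
    for want in path:
        spans = [(s, e) for a, b in spans for k, s, e in atoms(buf, a, b) if k == want]
    return spans

def scan(buf):
    """Report text-track names and, only if one exists, (url, auto_open) pairs
    matched heuristically anywhere in the raw file data."""
    names = []
    for s, e in find(buf, [b"moov", b"trak"], 0, len(buf)):
        hdlr = find(buf, [b"mdia", b"hdlr"], s, e)   # version/flags, type, subtype
        name = find(buf, [b"udta", b"name"], s, e)   # assumed location of track name
        if hdlr and buf[hdlr[0][0] + 8:hdlr[0][0] + 12] == b"text":
            names.append(buf[name[0][0]:name[0][1]].decode("latin-1") if name else "")
    hits = HREF_RE.findall(buf) if names else []
    return {"text_tracks": names,
            "urls": [(u.decode("latin-1"), bool(a)) for a, u in hits]}

def atom(kind, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample_movie():
    """Constructed, minimal (not playable) movie with one text track of HREF data."""
    hdlr = atom(b"hdlr", bytes(4) + b"mhlr" + b"text" + bytes(12))
    trak = atom(b"trak", atom(b"mdia", hdlr) + atom(b"udta", atom(b"name", b"HREFTrack")))
    text = b"A<http://ads.example/join?aff=1> T<_blank>"
    return atom(b"moov", trak) + atom(b"mdat", struct.pack(">H", len(text)) + text)
```

To check a downloaded file, pass its bytes to `scan()`; any entry in `urls` whose second field is `True` would open without a click. Movies with a compressed header are not unpacked by this sketch and would report no tracks.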

Blog Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Vinayak Palankar, Software Engineer

4 Comments

Nice article, however one problem :) "found on both the Limewire and Gnutella networks" last time I checked Limewire was still a Gnutella-client.

...doh, thanks for pointing that out, I meant to correct that earlier and forgot about it - that was a leftover from an earlier draft and should've actually linked to a forum where someone using Limewire got nailed, instead of the goof you saw. Corrected!

How about coding a small program that scans Quicktime files for HREFtracks (and maybe even cleans them)?

I've noticed tons of 1MB porn files, why can't Limewire get rid of it:(


About this Entry

This page contains a single entry by Christopher Boyd published on August 3, 2006 3:02 AM.
