P2P / File Sharing: August 2006 Archives

QuickTime's "HREF track" feature (a method used to embed URL links into movie files that will open at a specific point in time) is being used by an enterprising individual to pop open adverts for adult dating services from movie files obtained via P2P networks. The HREF track contains URL information that can be opened interactively or automatically, and in this case, files found on the Gnutella network are using this functionality (here's an example of someone getting hit while using LimeWire). From the QuickTime site:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

In the example we have below, the movie file is called "Sex Monica Bellucci Malena". Of course, opening the movie up reveals something entirely different - what appears to be someone dancing to music:

http://blog.spywareguide.com/upload/2006/08/monbel1-thumb.jpg

About three quarters of the way through the clip (once it hits the "trigger"), an affiliate link for Adultfriendfinder.com pops open via your browser (in this case, Firefox):

http://blog.spywareguide.com/upload/2006/08/monbel2-thumb.jpg

The observant people out there will have noticed the video clip in the above screenshot is still at the start - that's simply because by the end of the clip, most of her clothes have fallen off. If you wind the video clip back and forth with your mouse, you'll continue to repeatedly pop open the same advert manually as you scroll.

Of course, the HREF track feature is simply doing what it's supposed to do - the interesting thing here is the possibility for someone to use it in a more malicious way. You could pop open a link to a drive-by website that tries to install software without the end-user's permission, or how about a fake "promotional video" for a bank that pops open a "security check" phishing page? There are a lot of possibilities with this one, and we should probably be thankful that people are currently only using this to spam affiliate links. It probably won't be long until someone pushes the leet hax0r button and things start to go pear-shaped...
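A defender's triage sketch for the behaviour described above, added here as an example and not code from the original post or from Apple: it walks a movie file's top-level atoms and heuristically flags HREF-style links in the media data, marking the ones set to open automatically. The `A<URL> T<target>` sample syntax is assumed from Apple's HREF track documentation; the function names and the sample bytes are constructed for illustration.

```python
import re
import struct

# Assumed HREF text-sample syntax (Apple's QuickTime documentation):
#   <URL> T<target>    opens when the viewer clicks the movie
#   A<URL> T<target>   opens automatically when playback reaches the sample
HREF_RE = re.compile(
    rb"(A?)<((?:https?|javascript):[^<>\x00-\x1f]{1,2048})>(?:\s*T<([^<>]{0,64})>)?")

def walk_atoms(data):
    """Yield (type, payload_start, payload_end) for each top-level atom."""
    pos, end = 0, len(data)
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1 and pos + 16 <= end:      # 64-bit extended size follows
            size, header = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                        # atom runs to end of file
            size = end - pos
        if size < header or pos + size > end:  # truncated or malformed: stop
            return
        yield kind, pos + header, pos + size
        pos += size

def find_href_links(data):
    """Heuristically list HREF-style links stored in the media data (mdat)."""
    hits = []
    for kind, lo, hi in walk_atoms(data):
        if kind != b"mdat":
            continue
        for m in HREF_RE.finditer(data, lo, hi):
            url, target = m.group(2), m.group(3) or b""
            hits.append({"offset": m.start(), "auto": m.group(1) == b"A",
                         "url": url.decode("ascii", "replace"),
                         "target": target.decode("ascii", "replace")})
    return hits

def _atom(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload
def _text_sample(text):
    return struct.pack(">H", len(text)) + text  # 16-bit length, then the text

# Constructed sample (not a real movie): filler bytes plus two text samples.
SAMPLE = _atom(b"ftyp", b"qt  \x00\x00\x00\x00") + _atom(b"mdat",
    b"\x00\x01\x02\x03" * 8
    + _text_sample(b"<http://example.com/info> T<_blank>")
    + _text_sample(b"A<http://ads.example/landing?aff=0000> T<_blank>"))

if __name__ == "__main__":
    print(find_href_links(SAMPLE))
```

Because it pattern-matches raw bytes, treat a hit as a prompt to inspect the file, not as proof that an HREF track is present.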

Blog Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Vinayak Palankar, Software Engineer
