Security researchers warn of an increasing trend of cyber criminals using maliciously crafted .MOV files. The rogue files are distributed through file sharing websites and attempt to trick users into downloading malware by claiming that a special codec or QuickTime update is required to play them.
One of the most recent attacks employing this social engineering technique was reported by Trend Micro. Malware analysts from the antivirus vendor intercepted two .MOV files that leverage people's interest in “Salt”, the latest Angelina Jolie movie, which premiered two weeks ago.
The files, called “salt dvdrpi [btjunkie][xtrancex].mov” and “001 Dvdrip Salt.mov”, are being distributed from file sharing and torrent websites, as their names also suggest. When opened in QuickTime, the videos direct users to malicious pages in order to download an allegedly required player update or codec, which is in fact fake.
The executable files served from these websites, for example QuickTime_Update_KB640110.exe, install trojans. In turn, the trojans serve as distribution platforms for additional malware and adware, such as the Zango toolbar.
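A practical check before opening a .mov obtained from a file sharing site is to inspect the container itself rather than play it: QuickTime files are a tree of length-prefixed atoms, and a URL embedded anywhere in that tree is a reason to distrust a supposed DVD rip. The scanner below is an added example for this article, not code from Trend Micro, ESET or Apple; the article does not say which QuickTime feature the rogue files use to redirect the viewer, so the scanner assumes no mechanism and simply reports every HTTP(S) URL it finds in a leaf atom. The two sample files are constructed in memory, the example.invalid hostnames are placeholders, and the executable name is the one quoted in the article.

```python
"""Triage scanner for QuickTime (.mov) containers: walk the atom tree and
report any HTTP(S) URLs embedded in atom payloads.

Added example for this article; not code from Trend Micro, ESET or Apple.
The article does not say how the rogue files redirect the viewer, so the
scanner does not assume a mechanism: it flags a URL wherever it appears.
The sample files below are constructed in memory; the hostnames are
placeholders and the executable name is the one quoted in the article.
"""
import re
import struct
from typing import Iterator, List, Optional, Tuple

# Atoms whose payload is a list of child atoms rather than raw data.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta",
                   b"edts", b"dinf"}

# RFC 3986 URL characters; the match stops at NUL, whitespace and quotes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&()*+,;=%-]+")


def iter_atoms(data: bytes, offset: int = 0, end: Optional[int] = None,
               depth: int = 0) -> Iterator[Tuple[int, bytes, bytes, int]]:
    """Yield (offset, type, payload, depth) for every atom, depth first.

    Each atom is a 32-bit big-endian size (including the 8-byte header)
    followed by a 4-byte type. size == 1 means a 64-bit size follows;
    size == 0 means the atom runs to the end of the enclosing data.
    """
    end = len(data) if end is None else end
    while offset + 8 <= end:
        size, atype = struct.unpack(">I4s", data[offset:offset + 8])
        header = 8
        if size == 1:
            if offset + 16 > end:
                raise ValueError(f"truncated 64-bit size at offset {offset}")
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
            header = 16
        elif size == 0:
            size = end - offset
        if size < header or offset + size > end:
            # A size that does not fit is itself a reason to distrust the file.
            raise ValueError(f"malformed atom {atype!r} at offset {offset}")
        payload = data[offset + header:offset + size]
        yield offset, atype, payload, depth
        if atype in CONTAINER_ATOMS:
            yield from iter_atoms(data, offset + header, offset + size, depth + 1)
        offset += size


def find_embedded_urls(data: bytes) -> List[Tuple[str, str]]:
    """Return (atom type, URL) pairs for every URL found in a leaf atom."""
    hits = []
    for _off, atype, payload, _depth in iter_atoms(data):
        if atype in CONTAINER_ATOMS:
            continue  # children are visited individually by iter_atoms
        for m in URL_RE.finditer(payload):
            hits.append((atype.decode("latin-1"), m.group().decode("latin-1")))
    return hits


def is_rogue_candidate(data: bytes) -> bool:
    """True if the file embeds a URL that points at a Windows executable.

    A URL alone is not proof of malice (metadata and interactive movies
    carry them legitimately); a link to an .exe inside a "movie" is the
    pattern described in the article and deserves a closer look.
    """
    return any(url.lower().endswith(".exe")
               for _atype, url in find_embedded_urls(data))


def atom(atype: bytes, payload: bytes) -> bytes:
    """Serialise one atom with a 32-bit size header."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed samples for this example, not real files from the campaign.
_FTYP = atom(b"ftyp", b"qt  " + b"\x00\x00\x00\x00" + b"qt  ")
_MVHD = atom(b"mvhd", b"\x00" * 100)

SAMPLE_CLEAN = _FTYP + atom(b"moov", _MVHD) + atom(b"mdat", b"\x00" * 32)

SAMPLE_ROGUE = (
    _FTYP
    + atom(b"moov", _MVHD + atom(b"udta", atom(
        b"\xa9cmt", b"codec: http://example.invalid/codec")))
    + atom(b"mdat", b"http://example.invalid/update/QuickTime_Update_KB640110.exe\x00")
)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("rogue", SAMPLE_ROGUE)):
        print(name, find_embedded_urls(blob), "candidate:", is_rogue_candidate(blob))
```

Run it against a downloaded file with `find_embedded_urls(open(path, "rb").read())`. A malformed atom size raises rather than being skipped, on purpose: a container that does not parse cleanly should be treated with the same suspicion as one that links to an executable.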
Meanwhile, security researchers from ESET have come across a flurry of similar rogue .mov files touted as full movies or music videos. All of them employ similar social engineering to trick users into downloading and installing trojan downloaders.
"We detect the binaries generically as Win32/Kryptik.FTZ trojan, but individual binaries may also be detected more specifically as Win32/TrojanDownloader.Agent.QCZ, Win32/TrojanDownloader.Agent.PDY, and even the Win32/Dursg.B Trojan (Win32/Dursg.A made it into the July ThreatSense report […] as number 8 in the Top Ten threats)," David Harley, a senior research fellow at ESET, writes.
Apple has also dismissed rumors that these files exploit a currently unpatched vulnerability in QuickTime, which was disclosed last week as a zero-day. "They rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is not related to the vulnerability reported by Secunia," the company told Trend Micro.
You can follow the editor on Twitter @lconstantin