Current quicktime and client side exploits

A long list of porn sites currently are attacking recent quicktime and some other older browser side vulnerabilities. Unfortunately, it looks like some of our users are getting hit with this stuff in the wild — these exploits and malware are prevalent.

It looks as though the purpose is to download, install, and run a service that acts as a trojan clicker. Clickers like this one continue to fetch web pages from related porn sites and their banner ad links in the background, without the user noticing (although your network card and cpu might appear to be pretty busy!). This activity turns into revenue for the individuals hosting the sites that the clickers are fetching pages from. Here is what an infected system with the installed service looks like:

We’ll update the post with more info soon…patch your system and QuickTime, or just lay off the porn sites. Geesh.

UPDATE: The Quicktime rtsp streams appear to be down for the moment. But the CVE-2005-4560 wmf files targeting the Microsoft Gdi vulnerability of long ago continue to be delivered, as are the .ani files targeting Microsoft vulnerabilites as well.

UPDATE2: Threatfire continues to stop the component delivery. If your system isn’t patched for the .ani and .wmf exploits that the sites deliver, TF stops the BoF exploit. If the exploit delivered components somehow end up on your system, TF detects the components as a Trojan clicker. These Trojan.Clicker.Syspose components are delivered from a couple web sites hosted in the Ukraine.

This entry was posted in Virus News and tagged . Bookmark the permalink.

2 Responses to Current quicktime and client side exploits

  1. Robotbaby says:

    Wow, I thought I had this service! But it was the one above it, the copy provider. Phew!

  2. ThreatFire Blogger says:

    Well, now, that is a relief robotbaby. Nice to see that you checked.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>