MySpace QuickTime Worm
It seems that on December 1st, a cross-site scripting worm was discovered infecting MySpace accounts. The worm, which has been named JS/Qspace, abuses a vulnerability in the HREF feature of Apple’s QuickTime Media Player in order to redirect visitors to a phishing site. Once on that site, users are asked to enter their login information, which is then harvested.
The attack has two parts. First, it uses the aforementioned QuickTime vulnerability to take advantage of a vulnerability in MySpace that allows an account to be modified automatically, even from an outside Web site. The modified account then becomes a trap for other unsuspecting users: it presents an appealing page, complete with a .mov file to view.
The MySpace part of this attack is the ability to modify MySpace accounts from an outside location, and to modify them in bulk, without any sort of security intervention by the system. This enables the second half of the infection, the takeover of the infected user’s account, to ensnare other members. The modifications include the embedded QuickTime movie and the rewriting of all the links on the page. The page itself gets a new look, including a blue navigation bar and other elements that are not normally present on a MySpace user account page.
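As an added illustration (not code from this column or from MySpace), here is a heuristic scan an operator or analyst could run over a saved profile page to flag the traits described above: an embedded QuickTime movie, page links rewritten to point off-site, and a login form that posts elsewhere. The trusted host list and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"myspace.com", "www.myspace.com"}  # assumption: the service's own hosts

class ProfileScanner(HTMLParser):
    # Collect embedded movies, anchor targets and form actions from one page.
    def __init__(self):
        super().__init__()
        self.movies, self.links, self.forms = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("value") if tag == "param" and a.get("name", "").lower() == "src" else a.get("src")
        if tag in ("embed", "object", "param") and (src or "").lower().endswith(".mov"):
            self.movies.append(src)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])

def off_site(url):
    """True when an absolute URL points at a host other than the service's own."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in TRUSTED_HOSTS

def scan_profile(html):
    """Return human-readable findings; an empty list means nothing suspicious."""
    p = ProfileScanner()
    p.feed(html)
    findings = []
    if p.movies:
        findings.append("embedded QuickTime movie: " + ", ".join(p.movies))
    bad = [h for h in p.links if off_site(h)]
    if bad and 2 * len(bad) >= len(p.links):  # most page links rewritten off-site
        findings.append(f"{len(bad)}/{len(p.links)} page links point off-site")
    for action in filter(off_site, p.forms):
        findings.append("login form posts off-site: " + action)
    return findings

# Constructed sample page carrying the traits the column describes (not a real capture).
SAMPLE = """<html><body>
<embed src="http://example.invalid/movie.mov" autoplay="true"></embed>
<a href="http://example.invalid/home">Home</a> <a href="http://example.invalid/browse">Browse</a>
<a href="http://www.myspace.com/help">Help</a>
<form action="http://example.invalid/login.php"><input name="email"><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_profile(SAMPLE):
        print("[!]", finding)
```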
The infected account also drums up more business by spamming everyone in the infected user’s contact list. The spam appears to carry an attached movie, but it actually redirects you to a porn site, where a company called Zango, Inc. takes over. Zango, Inc. was formerly known as 180 Solutions, a company that, coincidentally, settled a three-million-dollar case with the Federal Trade Commission a month ago over adware, in which it was accused of installing software without proper user consent.
There are over 73 million registered users on MySpace, and in an unofficial security scan of 150 MySpace users, one third of the users in that sample turned out to be infected. Extrapolated, that could be a huge number. MySpace has reported, however, that it has already shut down all of the infected accounts, so everyone should be safe now.
This isn’t the first attack on the MySpace Web service, and in fact a couple of variations of this worm were floating around the site as well. Beyond taking advantage of the unpatched vulnerabilities, the reason this particular virus was so successful is that people assume movies are always safe. They obviously aren’t, so keep that in mind. MySpace sessions also seem to time out quite often, prompting users to log in again from time to time, which works in the attacker’s favor: the login prompt presented by the QuickTime movie looks like it belongs, so unsuspecting users log right in, handing their credentials to the attackers.
In short, watch what you’re clicking on in MySpace. This holds especially true with any QuickTime .mov files and any suspicious messages from your contacts, complete with links. If MySpace asks for your account login information, be suspicious and recheck the actual address.
Until next week, stay safe out there.
~ Chad Stelnicki