MySpace Worm Infects 1 in 3 Users
Weaknesses in both MySpace.com's HTML coding and Apple's QuickTime for Windows have produced a malicious worm that, according to some security experts, may have infected as many as a third of the active profiles on MySpace.com. So if you use MySpace and have at least two friends other than Tom, chances are one of you has this worm.
The worm uses a cross-site scripting attack along with a weakness in QuickTime to install a fake menu bar across the top of the user's MySpace profile. If someone clicks the menu expecting to read the user's blog or see some photos, they are instead redirected to a fake MySpace login screen. If the MySpace user types in his MySpace username and password, his own profile is then hijacked and the worm is installed on his own page, causing friends who visit his page to also become infected. In addition, the login page takes the user to a porn site where he is infected with Zango spyware. For the worm's grand finale, all of the contacts of the infected MySpace page begin to receive spam.
From Macworld here:
The social networking site MySpace.com is under what one computer security analyst calls an amazingly virulent attack caused by a worm that steals log-in credentials and spreads spam that promotes adware sites.
The worm is infecting MySpace profiles with such efficiency that an informal scan of 150 found that close to a third were infected, said Christopher Boyd, security research manager at FaceTime Communications.
The worm works by using a cross-scripting weakness found around two weeks ago in MySpace and a feature within Apple’s QuickTime multimedia player.
The exploit starts with a user who visits a MySpace profile infected with an embedded QuickTime movie. The movie loads JavaScript code that overlays a row of menu options on a MySpace profile with a bogus menu.
If an option in the bogus menu is clicked, the user is directed to a fake log-in page hosted on another server where the person's log-in details are captured.
Additionally, the worm places an embedded QuickTime movie on the user’s profile, which will then repeat the infection process for anyone who visits the profile.
The worm has another malicious function. Once a profile is infected, the worm sends spam to other people in the user’s contact list.
Those spam messages contain a file that appears to be a movie but instead is a link to a pornographic site that also hosts adware from Zango, Boyd said. Zango, formerly 180 Solutions, settled last month with the U.S. Federal Trade Commission for $3 million over complaints it didn’t properly ask the consent of users before its adware was installed.
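The two traces the excerpt above describes, an embedded QuickTime movie and a menu whose links lead off-site to a fake log-in page, can be checked for in a profile's HTML. The scanner below is an added example, not code from the original post or from MySpace; the site host, the menu labels and the sample HTML are assumptions.

```python
# Heuristic scanner for a profile page: flags the two traces the worm leaves
# behind, an embedded QuickTime movie and menu-style links that lead off-site.
# Added example, not the post's code; host, labels and sample HTML are assumed.
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "myspace.com"                                        # assumed legitimate host
MENU_LABELS = {"home", "blog", "pictures", "videos", "friends"}  # assumed nav labels

def _offsite(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != SITE_HOST and not host.endswith("." + SITE_HOST)

class ProfileScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []     # (kind, url) pairs
        self._link = None      # href of the <a> currently open, if any
        self._text = []        # text collected inside that <a>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("embed", "object"):
            src = a.get("src") or a.get("data") or ""
            if (a.get("type") or "").lower() == "video/quicktime" or src.lower().endswith(".mov"):
                self.findings.append(("quicktime_embed", src))
        elif tag == "a":
            self._link, self._text = a.get("href", ""), []
    def handle_data(self, data):
        if self._link is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            label = "".join(self._text).strip().lower()
            if label in MENU_LABELS and _offsite(self._link):   # overlaid menu item
                self.findings.append(("offsite_menu_link", self._link))
            self._link = None

def scan_profile(html: str) -> list:
    p = ProfileScanner()
    p.feed(html)
    return p.findings

# Constructed sample: one genuine menu link, one overlaid link, one embedded movie.
SAMPLE = ('<div id="nav"><a href="http://www.myspace.com/blog">Blog</a>'
          '<a href="http://login-example.invalid/myspace">Pictures</a></div>'
          '<embed src="http://media-example.invalid/clip.mov" type="video/quicktime">')

if __name__ == "__main__":
    print(scan_profile(SAMPLE))
```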
So our friend Zango is back. For more goodness on these bad guys of spyware, click here.
Note that worms such as this rarely stay the same for long before another malicious hacker modifies them. Next up will likely be a version that installs botnet software.