MySpace Video Worm Pimps Adult Content
A password-stealing computer worm broke out in the Myspace social-networking universe over the weekend, with the perpetrators using hijacked accounts to blast out junk messages seeking to gin up traffic to several porn sites, including some sponsored by an adware company that just last month settled a landmark $3 million consumer deception case brought by the Federal Trade Commission.
The worm steals victims' usernames and passwords by transparently replacing the links in the victim's blog that a MySpace user would normally click on to log into and out of their accounts. Upon clicking one of those links, an unknown number of Myspace users were redirected to multiple third-party sites that hosted fraudulent copies of MySpace login pages.
All that a MySpace user needs do to fall victim to the scam is visit an infected user's "about me" page. According to the FaceTime Security Labs blog, a victim's profile page will be altered with an odd, blue site navigation banner at the top with all of the links pointing to the same fake MySpace user login pages. Infected profiles also are seeded with a copy of the malicious video.
Hovering over any of the navigation links in the "about me" page of a Myspace account still compromised by this attack shows that they all try to take the user to the same bogus user login pages. (Screenshot by Brian Krebs) This scam is powered in part by an ill-conceived feature included in Apple's QuickTime video player software that allows embedded video files to load Web content from other sites. This attack also apparently involved a recently disclosed programming flaw on Myspace's site, which allowed for the manipulation of MySpace users' profile pages.
Even infected Myspace blogs whose authors have the poisoned QuickTime video and malicious links scrubbed from their pages can expect to get reinfected when other Myspace users on their "friends" lists get hit by the worm, says this alert sent out by MySpace administrators. Victims should remove infected blogs from their "friends" lists until those MySpace users take action to clean up their own pages. Myspace users who notice odd changes to the MySpace site navigation bar, or unapproved messages being mass-spammed from their accounts, should consider their accounts stolen and change their passwords.
I read on one MySpace forum about how infected MySpace accounts sent spam messages promoting pornographic Web sites to random user accounts every six seconds. Such an aggressive attack has the potential to spread quite rapidly among MySpace's 80 million-or-so users.
Users who enter their credentials into one of these password-stealing sites may soon find their accounts being used to blast out junk messages to others advertising the online adult content. Included with the messages, says FaceTime, is a screenshot of a pornographic film that if clicked leads the visitor to a porn site that links to a bunch of other porn sites sponsored by embattled adware purveyor Zango. This new fiasco can't look good for them. Just a month ago Zango agreed to pay $3 million to settle Federal Trade Commission charges that it profited through deceptive distribution methods.
Allowing QuickTime videos to silently load interactive Javascript content and commands seems like a pretty bad idea from a user-protection perspective. Allowing QuickTime vids to be embedded like that in massive social networking sites strikes me as an invitation to disaster.
I clicked on a bunch of the navigation links on one infected Myspace blog that I found, and it looks like the links to the scam login pages are presently unreachable. But the bad guys behind this attack are probably already adapting. A MySpace blog called "Burnt Pickle" has an engaging account of the cat-and-mouse game between Myspace administrators and the fraudsters behind this attack, as the bad guys kept adjusting their attacks based on changes the admins were making to the system. The Burnt Pickle says we can expect attacks like these to continue as long as MySpace allows embedded QuickTime files.
"This is just a temp fix though. They'll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis."
The Pickle may be right. Online scam artists just don't seem to pass up these kinds of opportunities anymore, I'm afraid.
Anyway, Firefox users can use add-ons like "noscript" to block sites from loading Javascript unless specifically allowed. But the problem is that noscript works on a per-domain basis, so if a Myspace user decides to permanently allow Myspace to load Javascript because he wants to see some wacky MySpace blog that requires it, he's effectively trusting that the other 79 million-odd users on Myspace aren't trying any funny business with Javascript.
If anyone knows of a noscript equivalent add-on for Internet Explorer 7, please drop me a line or leave a comment below with more information. The AdBlock add-on for Firefox also can help users block certain file types -- all .".mov" (Quicktime) files, for example -- from automatically opening or playing when you merely browse a MySpace page.
By Brian Krebs |
December 4, 2006; 12:12 PM ET
Latest Warnings
Previous: Federal Reserve E-Banking System Outages |
Next: How Not to Distribute Security Patches
Posted by: Michael | December 4, 2006 1:01 PM
I like the noscript add-on in Firefox, but I would prefer some way of filtering javascript to allow for innocuous javascript, whilst banning functions that are possibly exploitable. Surely Math.random() is never going to hurt me, by itself. So why disallow all simple javascripting that is commonly used? Would it be possible to white-list built-in functions and block all others?
Posted by: Michael | December 4, 2006 1:19 PM
Michael, most of the Javascript functions that are used in attacks of this sort are by themselves perfectly innocuous. The same Javascript features that allow you to change an image on the fly for a mouse rollover can be used to change the post action of a web form. Dynamic HTML content revolves around modifying the active document object model by setting properties on objects representing the document nodes. Distinguishing which of these modifications are somehow safer than others might be possible for a given web page, but I believe doing it for the general case is practically impossible.
The underlying problem is really cross-site scripting, and fixing that is up to the site engineers. In this case, it looks from Brian's description as if this problem is complicated by features in Quicktime. The Myspace paradigm suffers, however, from a perpetual conundrum of transitive trust. Marketing and security would seem to be directly opposed here, and every time there's a bad call, chaos breaks out. Myspace somewhat reminds me of a medieval village that is peridically stricken by St. Vitus's dance.
Cue Peter Gabriel's "Moribund The Burgermeister"...
Posted by: antibozo | December 4, 2006 1:38 PM
Just to be clear, this isn't a Javascript problem, but a problem with Apple's Quicktime.
Thats right, Apple.
You can prevent it by going through the inconvenience of preventing scripting, but that entails enduring some other problems, as described about.
Posted by: DBH | December 4, 2006 2:49 PM
Is it VU#921193 ?
(note "CVE Name" at the bottom.)
Posted by: GTexas | December 4, 2006 4:52 PM
Long time no see, Texas. I think the Apple Quicktime setting exploited here is not a flaw but a Quicktime "feature," according to Apple.
QuickTime lets embedded video have its own
"special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window."
Read more about HREF tracks here:
http://www.apple.com/quicktime/tutorials/hreftracks.html
Posted by: Bk | December 4, 2006 5:19 PM
QuickTime HREF Tracks are well-documented and obey the browser "same-origin policy". QuickTime movies are no more "unsafe" than HTML pages, CSS, Flash, or whatever other web content. They can not be used to effect cross-site scripting attacks. The fact is that MySpace really, um, stretches the limits of web site security by serving up the content of millions in the same domain. Notice that past worms have used completely legitimate HTML, CSS, JavaScript, and Flash to propagate through MySpace. This is just one more instance of the "black list" approach failing.
Posted by: QuickTime | December 4, 2006 10:34 PM
QuickTime> QuickTime HREF Tracks are well-documented and obey the browser "same-origin policy".
What same-origin policy would that be? The one that governs the Java applet "sandbox" perhaps? That has no governance over Javascript. Javascript, especially armed with an XMLHttpRequest object, can do pretty much anything the user can do as far as the DOM and the network are concerned:
http://en.wikipedia.org/wiki/Ajax_(programming)
QuickTime> QuickTime movies are no more "unsafe" than HTML pages, CSS, Flash, or whatever other web content. They can not be used to effect cross-site scripting attacks.
They are unsafe if embedding a remote Quicktime movie means implicitly allowing the person controlling the Quicktime movie's origin to execute Javascript in the context of the viewer's page--a typical example of cross-site scripting. This is different from, for example, embedding a remote image using an IMG element, since images can't include script. And an embedded Java applet would run in a sandbox. The descriptions of this attack appear to involve Javascript, which has no sandbox model, being delivered via embedded Quicktime. Perhaps you can provide a reference for the controls you say Quicktime imposes...
QuickTime> The fact is that MySpace really, um, stretches the limits of web site security by serving up the content of millions in the same domain.
That I agree with, though I'd say it's a lot worse than that...
Posted by: antibozo | December 5, 2006 2:06 AM
"says this alert sent out by MySpace administrators."
That wasn't sent out by "MySpace administrators". I can assure you that the last thing they would ever post is a recommendation to install AdBlock. It blocks all of their banner ads. ;-)
Posted by: LoLo | December 5, 2006 5:25 AM
Last week, after reading Burnt Pickle's blog, and his request for someone to create a blog to help the newbies on MySpace, I was moved to assist. I promptly posted a blog video tutorial (http://blog.myspace.com/observative) on how to install AdBlock. This might look like a concern for the MySpace advertising. If you properly use AdBlock, you will not block the banner ads on MySpace or any other site. After all it is their revenue generator. That's why my tutorial only blocked the *.mov files and not all of the banner ads (annoying and provocative as they are).The main point is that everyone needs to make their own effort to sensor the content they view. With the proper tools, like AdBlock and others, you can achieve the desired results.Since Google proudly powers MySpace, perhaps they will also assist in the posting of safe videos to MySpace. I would think that Google, with all their abilities, would be able to power a solution for uploading and translating the videos into a safe format we can all enjoy on MySpace.
Posted by: Observative | December 5, 2006 6:14 AM
My wife went to one of these pages and her Firefox 2.0 flashed a warning message when she clicked on the scam link. It said this was a suspected scam site. I was impressed.
Posted by: John | December 5, 2006 8:30 PM
I have always treated Quicktime Movies as possibly malicous due to this 'feature'.
Posted by: David Taylor | December 6, 2006 7:45 AM
So the way I read this is, anyone's profile can get infected, and even if you click the faulty links and realize you're at a phish site, as long as you don't enter your login and password you're account is still safe?
Posted by: Pete | December 6, 2006 12:07 PM
To antibozo:
*This* same-origin policy.
http://www.mozilla.org/projects/security/components/same-origin.html
http://en.wikipedia.org/wiki/Same_origin_policy
Nothing to do with Java applets. Try again.
Posted by: QuickTime | December 6, 2006 1:12 PM
QuickTime> *This* same-origin policy.
Interesting. You learn something new every day. But the referenced descriptions of that behavior are not correct, and the name seems to be a misnomer.
For example, the mozilla.org reference states, "The same origin policy prevents document or script loaded from one origin from getting or setting properties of a document from a different origin." Yet I can put a page on the domain "one.example.com" that uses a <script src='http://other.example.com/x.js'> tag to load script from a different domain, and the foreign script can modify properties on the document's DOM, even though the script's origin clearly differs from the document's.
On the other hand, I didn't mean to suggest that script can reach outside the current window to change properties on an arbitrary document in another window.
But I think the meat of you're saying, which I didn't get the first time I read it, is that because all the pages are in www.myspace.com, an XSS vulnerability in QuickTime isn't needed for script executed by the embedded QuickTime object to modify properties in the current document, as long as the QuickTime document itself is hosted on www.myspace.com.
That may be, but the way I read the references Brian provided, they seem to be suggesting that QuickTime does not enforce a so-called same origin policy. I don't have any way of testing that, but if you do, I'd be interested in any result.
Posted by: antibozo | December 7, 2006 3:12 AM
This has been going on for a long time. Phished accounts are the primary means of advertising for many adult sites on MySpace. They are also very popular for promoting myspace rip-off sites as the userbases are very similiar for example this site http://www.webscutest.com
Posted by: D Parent | December 12, 2006 7:25 AM
Best wallpaper and screen saver!: BestWP.ru
Posted by: Wallpaper | December 20, 2006 10:08 AM
The comments to this entry are closed.
"If anyone knows of a noscript equivalent add-on for Internet Explorer 7, please ... leave a comment below"
I use Safari on OS X and Firefox on Windows myself and wouldn't like to chance anything else, but it is certainly possible to approach the web with a ban-everything-and-whitelist policy in IE. What you do is to take advantage of IE's security zones. Set IE to deny all active content in the Internet Zone - move the slider to high and make any other adjustments manually that you need to. Go *at least* as tough as this - and probably tougher:
http://windowssecrets.com/comp/061026/#story1
Then, whenever you find a site that needs JavaScript (or any other active content) to work, but that you nevertheless trust - e.g., Amazon - you paste the URL into IE's trusted zone. There's a fuller description here:
http://www.grc.com/sn/SN-038.htm
In effect, this is doing the same as "NoScript" - banning everything and whitelisting what you trust. The reverse in all its forms - "Default Permit" - has been called one of the six "dumbest ideas" in computer security:
http://www.ranum.com/security/computer_security/index.html