QuickSpace: A Worm in the Apple?
Apple's OS X may not be the target of a worm outbreak but their QuickTime technology is.
It starts with an advisory at the Computer Academic Underground on 16 November 2006.
Computer Academic Underground
Advisory ID: CAU-2006-0001
Release Date: 11/16/2006
Title: MySpace.com Trojaned Navigation Menu
Application/OS: MySpace.com Website
Topic: MySpace.com's navigation menu can be replaced with a malicious menu via CSS code in the attacker's profile.
Vendor Status: Not Notified
Attributes: Remote, Passive
Advisory URL: http://caughq.org/advisories/CAU-2006-0001.txt
Author/Email: int3l <int3l (at) caughq.org>
I)ruid <druid (at) caughq.org>
MySpace.com provides a site navigation menu near the top of every page. Users generally use this menu to navigate to the various areas of the website. The first link that the menu provides is called 'Home' which navigates back to the user's personalised MySpace page which is essentially the user's 'home base' when using the site. As such this particular link is used quite frequently and is used to return from other areas of the website, most importantly from other users' profile pages.
A content replacement attack coupled with a spoofed MySpace login page can be used to collect victim users' authentication credentials. By replacing the navigation menu on the attacker's MySpace profile page, an unsuspecting victim may be redirected to an external site of the attacker's choice, such as a spoofed MySpace login page. Due to MySpace.com's seemingly random tendency to expire user sessions or log users out, a user being presented with the MySpace login page is not out of the ordinary and does not raise much suspicion on the part of the victim.
Users are unexpectedly redirected to a website of the attacker's
Users may be tricked into revealing their authentication credentials.
CSS code can be first inserted into web pages to disable the default navigation menu.
The attacker can now insert a phishing menu instead which redirects users to external sites spoofing MySpace. As MySpace users know the portal will intermittently demand they re-authenticate, no eyebrow is raised.
But that's only the half of it.
With technology like that at their fingertips, it's a wonder it took the hackers so long.
Using QuickTime to Spam in P2P Land
'It's not an exploitable feature I believe.' - 'benzene' at the AppleInsider forums
There's an excellent tutorial from August 2006 on spreading spam through QuickTime at the Spyware Guide blog. A movie called 'Sex Monica Belucci Malena' shows a female torso gyrating to music.
About three quarters of the way through the clip, at the point the dancer takes her t-shirt off, the clip is 'triggered' to pop up affiliate links to Adult Friend Finder in your browser.
Of course, the HREF track feature is simply doing what it's supposed to do - the interesting thing here is the possibility for someone to use it in a more malicious way. You could pop open a link to a drive-by website that tries to install software without the end-user's permission, or how about a fake 'promotional video' for a bank that pops open a 'security check' phishing page? There are a lot of possibilities with this one, and we should probably be thankful that people are currently only using this to spam affiliate links. It probably won't be long until someone pushes the leet hax0r button and things start to go pear shaped.
Somebody pushed the button.
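As an added illustration from the defensive side (this is not code from the article, the CAU advisory, Spyware Guide or MySpace), here is a small Python scanner for user-supplied profile markup that flags the constructs this story turns on: CSS that hides the site's own navigation menu, a positioned and stacked element of the kind used to paint a replacement menu over the real one, menu-style links ('Home', 'Login') that point off-site, and embedded QuickTime objects. The protected selector names, the navigation labels and both sample profiles are constructed placeholders, not MySpace's real markup.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical selectors for the site's own navigation chrome (assumption:
# the real MySpace ids/classes are not on the page, so these are placeholders).
PROTECTED_SELECTORS = ("#nav", ".navbar", "#header")
# Hypothetical link labels a spoofed menu would imitate.
NAV_LABELS = {"home", "login", "log in", "mail", "browse"}

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
EMBED_RE = re.compile(r"<(?:embed|object)\b[^>]*>", re.I)
QT_HINT_RE = re.compile(r"video/quicktime|\.mov\b|quicktime", re.I)
ANCHOR_RE = re.compile(r"<a\b[^>]*href=[\"']?([^\"'\s>]+)[^>]*>(.*?)</a>", re.I | re.S)
HIDE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
OVERLAY_RE = re.compile(r"position\s*:\s*(?:absolute|fixed)", re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def css_rules(html):
    """Yield (selector, declarations) pairs from every <style> block."""
    for block in STYLE_RE.findall(html):
        for selector, body in RULE_RE.findall(block):
            yield selector.strip(), body.strip()


def is_onsite(url, site_host):
    """True when the link stays on the site or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == site_host or host.endswith("." + site_host)


def scan_profile(html, site_host="myspace.com"):
    """Return the suspicious constructs found in user-supplied profile markup."""
    findings = []
    for selector, body in css_rules(html):
        # A rule that hides the site's own navigation. Substring matching is
        # deliberate so that '#nav li' or '#nav a' trips it as well.
        if any(p in selector for p in PROTECTED_SELECTORS) and HIDE_RE.search(body):
            findings.append(Finding("css-hides-chrome", f"{selector} {{ {body} }}"))
        # A positioned, stacked element: the usual way to paint a replacement
        # menu over the real one.
        if OVERLAY_RE.search(body) and "z-index" in body.lower():
            findings.append(Finding("css-overlay", f"{selector} {{ {body} }}"))
    for m in EMBED_RE.finditer(html):
        tag = m.group(0)
        if QT_HINT_RE.search(tag):
            findings.append(Finding("quicktime-embed", tag))
    for url, label in ANCHOR_RE.findall(html):
        # Strip inner tags so '<b>Home</b>' is compared as plain 'home'.
        text = re.sub(r"<[^>]+>", "", label).strip().lower()
        if text in NAV_LABELS and not is_onsite(url, site_host):
            findings.append(Finding("spoofed-nav-link", f"{text!r} -> {url}"))
    return findings


# Constructed sample inputs (not real MySpace markup).
SAMPLE_PROFILE = """
<style>
#nav { display: none; }
.menu { position: absolute; top: 0; left: 0; z-index: 999; }
</style>
<div class="menu"><a href="http://login.example.invalid/">Home</a></div>
<embed src="http://media.example.invalid/clip.mov" type="video/quicktime">
<a href="http://myspace.com/somefriend">my friend</a>
"""

CLEAN_PROFILE = """
<style>.about { color: #336699; }</style>
<a href="http://myspace.com/somefriend">my friend</a>
"""

if __name__ == "__main__":
    for finding in scan_profile(SAMPLE_PROFILE):
        print(finding.kind, finding.detail)
    print("clean profile findings:", scan_profile(CLEAN_PROFILE))
```

Run against the constructed profile it reports four findings (hidden chrome, overlay, off-site 'Home' link, QuickTime embed) and nothing for the clean one. The heuristics are intentionally coarse; a site would pair them with a real CSS and HTML parser and a whitelist of the properties profiles are allowed to set.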
MySpace the Pimp
A password stealing worm broke out at MySpace last weekend. The perps used hijacked accounts to blast out junk messages promoting porn sites. The worm stole victims' user names and passwords by using CAU-2006-0001 described above. 'All that a MySpace user needs to do to fall victim to the scam is visit an infected user's 'about me' page', writes Brian Krebs.
And according to an alert sent out by MySpace administrators, even infected MySpace blogs whose authors have the poisoned QuickTime video and malicious links scrubbed from their pages can expect to get reinfected when other MySpace users on their 'friends' lists get hit by the worm.
There are some reports the worm had infected accounts sending out new spam messages every six seconds. 'Such an aggressive attack has the potential to spread quite rapidly among MySpace's 80 million or so users', comments Krebs.
The number of infected accounts is currently in the 'tens of thousands', Krebs comments again.
But that's still only the half of it.
The Worm & The Apple
Now here comes the fun part, for MySpace fix their own end of things and then wait on Apple to do their bit with QuickTime.
But when Apple have their fix ready it's called a 'temporary fix' only and it's distributed not through the Apple website but through the MySpace website.
'You could almost see the blank stares from the wary MySpace users who were puzzled and understandably paranoid', writes Krebs in his followup.
'To put this in perspective, when was the last time you saw Microsoft letting anyone else distribute their patches? The simple answer is that you do not. Why is that? Because the bad guys are constantly trying to get people to install all kinds of malicious software by disguising it as official looking security updates.'
'Another issue is that the MySpace worm either exploited a security flaw in QuickTime or it took advantage of an ill-advised feature deliberately built into the software. If it is a flaw, when can the rest of the planet expect a QuickTime patch? And if it is indeed a feature intentionally built into the media player, can non-MySpace users get a copy of QuickTime without the feature?
'I put a query in to Apple, and will update this blog when I receive more information', concludes Krebs.
He's still waiting.
Security Fix: MySpace Video Worm Pimps Adult Content
Security Fix: How Not to Distribute Security Patches
CAU-2006-0001: MySpace.com Trojaned Navigation Menu
Burnt Pickle: Phishing Accounts and Spreading Zango Porn
Spyware Guide: Myspace Phish Attack Leads Users to Zango Content
GhettoWebmaster: Demographic Info From 26,000 Phished MySpace Accounts
CyberKnowledge: Analysing 20,000 MySpace Passwords
Spyware Guide: Using Quicktime to Spam in P2P Land
Virus Bulletin: MySpace Hit by Worm, Adware And Phishing
Apple: QuickTime HREF Tracks
Apple: Give Your Movies the Smarts
Websense: Malicious Website / Malicious Code: MySpace XSS QuickTime Worm
CNET: Worm uses QuickTime to spread on MySpace
MySpace to Apple: Fix that worm
IT Week: QuickTime flaw could go beyond MySpace
TechWeb: Unpatched QuickTime Bugs Strike Both Windows And Mac OSes
InformationWeek: Unpatched QuickTime Bugs Strike Both Windows And Mac Operating Systems