About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Industry Watch

QuickSpace: A Worm in the Apple?

Apple's OS X may not be the target of a worm outbreak but their QuickTime technology is.


It starts with an advisory at the Computer Academic Undergound on 16 November 2006.

                      ____      ____     __    __
                     /    \    /    \   |  |  |  |
        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                   |  |      |  |__|  | |  |  |  |
                   |  |  ___ |   __   | |  |  |  |
  ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                     \____/  |__|  |__|  \______/

                    Computer Academic Underground
                        http://www.caughq.org
                          Security Advisory

===============/========================================================
Advisory ID:    CAU-2006-0001
Release Date:   11/16/2006
Title:          MySpace.com Trojaned Navigation Menu
Application/OS: MySpace.com Website
Topic:          MySpace.com's navigation menu can be replaced with a
                malicious menu via CSS code in the attacker's profile.
Vendor Status:  Not Notified
Attributes:     Remote, Passive
Advisory URL:   http://caughq.org/advisories/CAU-2006-0001.txt
Author/Email:   int3l <int3l (at) caughq.org>
                I)ruid <druid (at) caughq.org>
===============/========================================================

Overview
========

MySpace.com provides a site navigation menu near the top of every page. Users generally use this menu to navigate to the various areas of the website. The first link that the menu provides is called 'Home' which navigates back to the user's personalised MySpace page which is essentially the user's 'home base' when using the site. As such this particular link is used quite frequently and is used to return from other areas of the website, most importantly from other user's profile pages.

A content replacement attack coupled with a spoofed MySpace login page can be used to collect victim users' authentication credentials. By replacing the navigation menu on the attacker's MySpace profile page, an unsuspecting victim may be redirected to an external site of the attacker's choice, such as a spoofed MySpace login page. Due to MySpace.com's seemingly random tendency to expire user sessions or log users out, a user being presented with the MySpace login page is not out of the ordinary and does not raise much suspicion on the part of the victim.

Impact
======

Users are unexpectedly redirected to a website of the attacker's choice.

Users may be tricked into revealing their authentication credentials.

CSS code can be first inserted into web pages to disable the default navigation menu.

<style type='text/css'>
div,font,table,td{display:none;}
</style>

The attacker can now insert a phishing menu instead which redirects users to external sites spoofing MySpace. As MySpace users know the portal will intermittently demand they re-authenticate, no eyebrow is raised.

But that's only the half of it.

HREF Tracks

Apple have a curious technology built into QuickTime immediately reminiscent of Microsoft's penchant for scripting (as found during the ILOVEYOU worm crisis). It's namely possible to inject JavaScript code into QuickTime media files.

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

An HREF track is not meant to be displayed; it simply contains link information. The URLs in an HREF track can be interactive or automatic. An interactive URL loads when you click anywhere in the movie's display area. An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.

With technology like that at their fingertips, it's a wonder it took the hackers so long.

Using QuickTime to Spam in P2P Land

'It's not an exploitable feature I believe.' - 'benzene' at the AppleInsider forums

There's an excellent tutorial from August 2006 on spreading spam through QuickTime at the Spyware Guide blog. A movie called 'Sex Monica Belucci Malena' shows a female torso gyrating to music.

About three quarters of the way through the clip, at the point the dancer takes her t-shirt off, the clip is 'triggered' to pop up affiliate links to Adult Friend Finder in your browser.

Of course, the HREF track feature is simply doing what it's supposed to do - the interesting thing here is the possibility for someone to use it in a more malicious way. You could pop open a link to a drive-by website that tries to install software without the end-user's permission, or how about a fake 'promotional video' for a bank that pops open a 'security check' phishing page? There's a lot of possibilities with this one, and we should probably be thankful that people are currently only using this to spam affiliate links. It probably won't be long until someone pushes the leet hax0r button and things start to go pear shaped.

Somebody pushed the button.

MySpace the Pimp

A password stealing worm broke out at MySpace last weekend. The perps used hijacked accounts to blast out junk messages promoting porn sites. The worm stole victims' user names and passwords by using CAU-2006-0001 described above. 'All that a MySpace user needs to do to fall victim to the scam is visit an infected user's 'about me' page', writes Brian Krebs.

And according to an alert sent out by MySpace administrators, even infected MySpace blogs whose authors have the poisoned QuickTime video and malicious links scrubbed from their pages can expect to get reinfected when other MySpace users on their 'friends' lists get hit by the worm.

There are some reports the worm had infected accounts sending out new spam messages every six seconds. 'Such an aggressive attack has the potential to spread quite rapidly among MySpace's 80 million or so users', comments Krebs.

The number of infected accounts is currently in the 'tens of thousands'. Krebs comments again.

'Allowing QuickTime videos to silently load interactive JavaScript content and commands seems like a pretty bad idea from a user protection perspective. Allowing QuickTime vids to be embedded like that in massive social networking sites strikes me as an invitation to disaster.'

But that's still only the half of it.

The Worm & The Apple

Now here comes the fun part, for MySpace fix their own end of things and then wait on Apple to do their bit with QuickTime.

But when Apple have their fix ready it's called a 'temporary fix' only and it's distributed not through the Apple website but through the MySpace website.

'You could almost see the blank stares from the wary MySpace users who were puzzled and understandably paranoid', writes Krebs in his followup.

'To put this in perspective, when was the last time you saw Microsoft letting anyone else distribute their patches? The simple answer is that you do not. Why is that? Because the bad guys are constantly trying to get people to install all kinds of malicious software by disguising it as official looking security updates.'

'Another issue is that the MySpace worm either exploited a security flaw in QuickTime or it took advantage of an ill-advised feature deliberately built into the software. If it is a flaw, when can the rest of the planet expect a QuickTime patch? And if it is indeed a feature intentionally built into the media player, can non-MySpace users get a copy of QuickTime without the feature?

'I put a query in to Apple, and will update this blog when I receive more information', concludes Krebs.

He's still waiting.

See Also
Security Fix: MySpace Video Worm Pimps Adult Content
Security Fix: How Not to Distribute Security Patches
CAU-2006-0001: MySpace.com Trojaned Navigation Menu
Burnt Pickle: Phishing Accounts and Spreading Zango Porn
Spyware Guide: Myspace Phish Attack Leads Users to Zango Content
GhettoWebmaster: Demographic Info From 26,000 Phished MySpace Accounts
CyberKnowledge: Analysing 20,000 MySpace Passwords
Spyware Guide: Using Quicktime to Spam in P2P Land
Virus Bulletin: MySpace Hit by Worm, Adware And Phishing
Apple: QuickTime HREF Tracks
Apple: Give Your Movies the Smarts
Websense: Malicious Website / Malicious Code: MySpace XSS QuickTime Worm
CNET: Worm uses QuickTime to spread on MySpace
MySpace to Apple: Fix that worm
IT Week: QuickTime flaw could go beyond MySpace
TechWeb: Unpatched QuickTime Bugs Strike Both Windows And Mac OSes
InformationWeek: Unpatched QuickTime Bugs Strike Both Windows And Mac Operating Systems

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.