Attack Of The MySpace QuickTime Worm

Discussion in 'Apple' started by derekcurrie, Dec 15, 2006.

  1. derekcurrie

    derekcurrie Guest

    CHAPTER 1

    Once upon a time, like circa 1999, QuickTime version 3 was born. Among
    its new mutations was something called Text Tracks. Basically, it
    allowed users to add text to their .MOV files for a variety of purposes
    including subtitles, chapter titling, and metadata. With time its
    functionality grew to include the use of scripting, including the
    ability to have hot links appear on a .MOV window. This particular
    functionality is built into a part of Text Tracks called HREF tracks.
    You can read about HREF at:
    <http://www.apple.com/quicktime/tutorials/hreftracks.html>

    And they all lived happily ever after.... Until one day, here in the
    present, crackers discovered how to use HREF tracks for nefarious
    purposes. The method was published on the Internet here:
    <http://www.gnucitizen.org/blog/backdooring-quicktime-movies/>

    To quote the article:
    In other words, QuickTime movies are able to be used as a container for
    malware that can be activated within vulnerable contexts. Happily Mac
    OS X and Windows have not so far been vulnerable contexts, so no one
    has bothered worrying about this potential problem.

    November 16, 2006 MySpace revealed vulnerabilities in their web
    interface that made it vulnerable to nefarious HREF Track script code.
    This vulnerability is known as a 'cross-site scripting flaw.'
    <http://seclists.org/fulldisclosure/2006/Nov/0275.html>

    Two weeks later the 'MySpace QuickTime Worm' appeared and rapidly ate
    its way across MySpace. The website is estimated to have 73 million
    registered users. A survey of MySpace, just after the worm was
    discovered, revealed that as many as one third of its users' profile
    pages were already infected.
    <http://www.websense.com/securitylabs/alerts/alert.php?AlertID=708>

    The most unique feature of this worm is that it never enters your
    operating system. It lives entirely on MySpace and nowhere else. Here
    is how it works:
    1) The initial infection file, in the form of a QuickTime .MOV file,
    has to be embedded on a MySpace spawning profile page. This is simple
    to do.
    2) The cracker then runs the QuickTime file on their spawn page, by
    way of the QuickTime plug-in used by all web browsers, so that the .MOV
    embedded code will create a 'social engineered' temptation link for
    visitors to click on when they visit the page. The link leads directly
    to a phishing site that will attempt to fool the user into revealing
    private information.
    3) The cracker then waits for someone to visit.
    4) Each time someone visits a spawn page the QuickTime .MOV file
    automatically plays. This executes the nefarious script code hidden in
    the HREF track. The code performs two processes:
    A) It tracks back to the visitor's own MySpace profile page and
    creates a complete duplicate of the infection .MOV file. This file is
    triggered to run automatically when someone visits that person's site
    as well. Thus the worm spreads from one visitor to another, to page
    after page.
    B) New phishing site links replace links previously on each user's
    profile page.
    5) Meanwhile the cracker, or one of his paying clients, waits for
    foolish people to click on the phishing site links and give up their
    private information. This could be IDs, passwords, credit card numbers,
    PIN numbers, addresses, phone numbers, email addresses, etc. The
    cracker and his clients make money, fulfilling their purpose in life as
    parasites.

    This worm has been running rampant on MySpace. The easiest way to know
    if a page has been infected is if it has an embedded empty QuickTime
    movie window. And, if the page you are visiting is not yours, sorry but
    you just infected your own page. (It is not possible for anyone but
    MySpace members to visit any MySpace member pages).


    CHAPTER 2

    December 4, 2006, MySpace administrators figured out what was going on
    and asked Apple for an update to the web page media player software
    that was automatically running the infection .MOV files.
    <http://www.zdnetasia.com/news/security/0,39044215,61972663,00.htm>
    <http://www.usatoday.com/tech/products/cnet/2006-12-05-myspace-worm_x.htm>

    Wednesday, December 3, 2006, Apple released a temporary patch that
    would stop the spread of the worm for users of Internet Explorer. They
    promised that a comprehensive fix would be forthcoming. MySpace in turn
    blocked all the known phishing links created by the worm.


    CHAPTER 3

    Meanwhile, third party fixes for the problem started to appear around
    MySpace. December 12, 2006 the SANS Institute reported, in their
    announcement regarding the worm:

    CHAPTER 4

    ....Is yet to be written. As of today, MySpace is waiting for a final
    solution from Apple.

    And what about a final solution from MySpace itself? Not a peep has
    been heard. This leaves MySpace open to exactly the same kind of attack
    through some other web scripting execution vector. IYAM, expect this
    same story all over again in the near future.

    Get your act together MySpace! You're being very naughty. :p

    :-D
     
    derekcurrie, Dec 15, 2006
    #1
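The thread's own tell for an infected profile is an embedded, auto-playing QuickTime movie window with nothing visible in it. This added example (not from the thread, MySpace or Apple) scans profile HTML for QuickTime <embed>/<object> players and flags the auto-playing and zero-sized ones; the sample HTML and the example.invalid URLs are constructed.

```python
from html.parser import HTMLParser

QT_MIME = "video/quicktime"
TRUE_VALUES = {"true", "1", "yes"}
# Constructed sample: one ordinary movie, then two auto-playing invisible ones.
SAMPLE_PROFILE = """<div class="profile">
<embed src="http://example.invalid/vacation.mov" type="video/quicktime" width="320" height="240" autoplay="false">
<embed src="http://example.invalid/x.mov" width="1" height="1" autoplay="true" controller="false">
<object type="video/quicktime" width="0" height="0">
<param name="src" value="http://example.invalid/y.mov"><param name="autoplay" value="true">
</object></div>"""

def _is_quicktime(a):
    src = (a.get("src") or a.get("data") or "").lower()
    return a.get("type", "").lower() == QT_MIME or src.endswith(".mov")

def _tiny(value):  # width/height of 0 or 1 pixel: nothing visible to the visitor
    return value.strip().isdigit() and int(value) <= 1

class QuickTimeEmbedScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # one dict per QuickTime <embed>/<object> found
        self._object = None  # attributes of the <object> currently open

    def _record(self, a):
        if _is_quicktime(a):
            self.findings.append({
                "src": a.get("src") or a.get("data", ""),
                "autoplay": a.get("autoplay", "").lower() in TRUE_VALUES,
                "empty_window": _tiny(a.get("width", "")) and _tiny(a.get("height", "")),
            })

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "embed":
            self._record(a)
        elif tag == "object":
            self._object = a
        elif tag == "param" and self._object is not None:
            # <param name="autoplay" value="true"> counts as an attribute of the object
            self._object[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self._record(self._object)
            self._object = None

def scan_profile(html):
    """Return every QuickTime player on the page; autoplay=True is the worm's trait."""
    scanner = QuickTimeEmbedScanner()
    scanner.feed(html)
    return scanner.findings
```

An auto-playing player that is also an empty window matches the infection pattern the thread describes; a normal-sized, non-autoplaying movie is ordinary profile content.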

  2. tom_elam

    tom_elam Guest

    Which just goes to show that Apple does not take security seriously.
    Next time post some news.
     
    tom_elam, Dec 15, 2006
    #2

  3. Sandman

    Sandman Guest

    [QUOTE]Which just goes to show that Apple does not take security seriously.[/QUOTE]

    Yet is more secure than the sinking boat you're sitting on... :)
     
    Sandman, Dec 15, 2006
    #3
  4. John McWilliams

    John McWilliams Guest

    [QUOTE]Yet is more secure than the sinking boat you're sitting on... :)[/QUOTE]

    Of course. fu set.

    lsmft
     
    John McWilliams, Dec 16, 2006
    #4
  5. Wes Groleau

    Wes Groleau Guest

    You've got it backwards. _I_ have tried to teach _them_ why those sites
    are undesirable. They think I'm excessively paranoid. One son whined and
    pouted for weeks when I blocked a "game" that was sucking up a lot of
    bandwidth when nobody was even logged in.
     
    Wes Groleau, Dec 16, 2006
    #5
  6. Király

    Király Guest

    Király, Dec 19, 2006
    #6
  7. derekcurrie

    derekcurrie Guest

    This article refers to Apple Security Update 2006-008, which is
    specific to a vulnerability in Quartz Composer related to QuickTime for
    Java. This fix is unrelated to the HREF feature in QuickTime.

    Also note that the big fat gaping security hole in this situation is
    not QuickTime. Malicious code in HREF is inert without a breeding
    ground where it can spawn. MySpace's cross-site posting capability is a
    ready made tunnel for worms to grow and spread now and forever until
    their code designers get the clue to close it. Will they?

    :-D
     
    derekcurrie, Dec 22, 2006
    #7