Roundup on the Myspace Worm
Well, this story has now splattered across the Internet like an old, blind man driving a 16 wheel juggernaut that's using mangled bodies for wheels and a fifteen foot brick wall for an airbag.
I'm sure you want to see some interesting talky-type stuff about it, so here's a big pile of links which will probably be updated, assuming I'm not squished by the old blind guy.
SCMagazine: Malicious attackers steal these credentials to send out spam to "friends" of the victim in a section on MySpace pages that permit users to leave comments. The messages say generic things such as "what else is there to do on a Sunday" or "omg did you see this last nite." Below the text is a screenshot of a movie that is "spectacularly pornographic," Boyd said.
SecurityFocus: "The case looked like simple MySpace phishing, but it wasn't obvious to us how the profiles were modified," Mikko Hypponen, chief research officer for F-Secure, stated on the company's research blog. "After investigating a bit further, it seems that we have a MySpace worm on our hands, using a malicious Quicktime MOV file to spread."
ComputerWorld: Boyd said he has heard anecdotal stories of users removing the worm's JavaScript manually from their profiles, but the worm reappears after some time if one of their friend's profiles is infected.
ZDNet: An infected MySpace page will include links to the fraudulent Web sites and a blue navigation bar that is not typically found on MySpace pages, according to researchers at FaceTime Security Labs.
Macfixit: The current manifestation of this flaw involves MySpace user profiles. When user A is logged into MySpace and plays a malicious QuickTime movie stored in user B's profile, JavaScript code is executed that makes changes to user A's profile -- embedding links that lead to phishing sites and placing a copy of the malicious QuickTime file on user A's profile page.
Washington Post: Allowing QuickTime videos to silently load interactive Javascript content and commands seems like a pretty bad idea from a user-protection perspective. Allowing QuickTime vids to be embedded like that in massive social networking sites strikes me as an invitation to disaster.
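The quotes above describe two visible indicators of an infected profile: an embedded QuickTime .mov object and links that lead off the site to phishing pages. Here is a small scanner for those indicators, added as an example for this roundup; it is not code from the original post or from any of the quoted researchers, and the sample HTML and the trusted-host list are constructed assumptions.

```python
"""Scan a profile page's HTML for the indicators the quoted reports describe."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts that legitimately appear in profile links.
TRUSTED_HOSTS = {"myspace.com", "www.myspace.com"}


class _ProfileScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.movie_objects = []   # .mov sources found in <embed> or <param name="src">
        self.offsite_links = []   # <a href> targets whose host is not trusted

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "embed" and attrs.get("src", "").lower().endswith(".mov"):
            self.movie_objects.append(attrs["src"])
        elif tag == "param" and attrs.get("name", "").lower() == "src":
            value = attrs.get("value", "")
            if value.lower().endswith(".mov"):
                self.movie_objects.append(value)
        elif tag == "a":
            host = urlsplit(attrs.get("href", "")).hostname
            if host and host.lower() not in TRUSTED_HOSTS:
                self.offsite_links.append(attrs["href"])


def scan_profile(html: str) -> dict:
    """Return both indicator lists; flag the page only when both are present,
    since the reports describe the worm planting the movie and the links together."""
    parser = _ProfileScanner()
    parser.feed(html)
    return {
        "movie_objects": parser.movie_objects,
        "offsite_links": parser.offsite_links,
        "suspicious": bool(parser.movie_objects and parser.offsite_links),
    }


# Constructed samples: an infected profile as the quotes describe it, and a clean one.
SAMPLE_INFECTED = """
<div class="nav"><a href="http://login-myspace.example/">Home</a></div>
<object><param name="src" value="http://cdn.example/clip.mov"></object>
<a href="http://www.myspace.com/friend">friend</a>
"""
SAMPLE_CLEAN = '<a href="http://www.myspace.com/friend">friend</a>'

if __name__ == "__main__":
    print(scan_profile(SAMPLE_INFECTED))
```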