Retrospectacle: A Neuroscience Blog

Nasty Virus Moving Through MySpace

I like MySpace, it brought me over from Friendster and now I use it almost exclusively. I’ve found old friends, new friends, and also a nasty virus which hijacked my profile last week and used my name to post a bunch of crapola ads on the Message Boards. I wondered what the heck happened, how did someone get my login info to post something under my name, and at 3am no less? Now, I have an answer and its a bit scary.

(Continued under the fold!)

According to PC World:

The social networking site MySpace.com is under what one computer security analyst calls an “amazingly virulent” attack caused by a worm that steals log-in credentials and spreads spam that promotes adware sites.

The worm is infecting MySpace profiles with such efficiency that an informal scan of 150 found that close to a third were infected, said Christopher Boyd, security research manager at FaceTime Communications.

One-third???? How is this not a higher-profile issue on MySpace? They have my email, why not email me about the threat and what I can do about it?

MySpace, owned by News Corp., is estimated to have at least 73 million registered users.

Which suggests there are more than 24 million infected users. What a massive phish scam!

The worm works by using a cross-scripting weakness found around two weeks ago in MySpace and a feature within Apple’s QuickTime multimedia player.

The exploit starts with a user who visits a MySpace profile infected with an embedded QuickTime movie. The movie loads JavaScript code that overlays a row of menu options on a MySpace profile with a bogus menu.

A QuickTime function, called the HREF track, can direct the player to use JavaScript commands to load Web pages into a browser frame or window.

The JavaScript feature in QuickTime has legitimate uses, “but there are a lot of legitimate uses for technology that can be misused,” said Ross Paul, senior product manager with Websense.

The simple fix seems to stop using QuickTime on MySpace, until the JavaScript code can be examined and the virus isolated. Or, just disable the HREF track that seems to be most troublesome.

If an option in the bogus menu is clicked, the user is directed to a fake log-in page hosted on another server where the person’s log-in details are captured. This phishing-style maneuver is similar to another recent attack aimed at MySpace users.

Websense has posted a screenshot of the fake log-in page.

Lesson? Don’t login to MySpace if it looks even the least bit suspicious (could be a fake page). The problem there is that legitimately MySpace requires that you periodically login after a while, or to change a feature. So, its hard to determine ‘real’ login queries from the scam ones. And to how it spreads?

Additionally, the worm places an embedded QuickTime movie on the user’s profile, which will then repeat the infection process for anyone who visits the profile.

The worm has another malicious function. Once a profile is infected, the worm sends spam to other people in the user’s contact list.

The (possible) group behind the worm has already been fined by the Federal Trade Commission. Not surprising.

Those spam messages contain a file that appears to be a movie but instead is a link to a pornographic site that also hosts adware from Zango, Boyd said. Zango, formerly 180 Solutions, settled in November with the U.S. Federal Trade Commission for $3 million because of complaints it didn’t properly ask the consent of users before its adware was installed.

Also, beware of profiles set up JUST to spread the virus. If a young, pretty girl wants to be friends with you out of the blue, chances are it might be a scam. So, until resolved, you’ll just have to be more careful about who you approve as a friend. If the profile looks pretty generic (walks on the beach anyone?), also beware.

(Hat tip Bob Abu)

Comments

  1. #1 Roy
    December 6, 2006

    Wait.
    You mean “h0t_jung-thang69″ “pErKy4y0u” and “SXXY-DOLL” aren’t *really* interested in “getting to know (me) better”?
    =(
    I thought it was weird that they all had the same profile picture, but I figured “Hey, maybe they’re triplets.”

    Really, though, you don’t even want to click their profiles. Even if you don’t add them as a friend, you can still pick it up, just by visiting.
    As far as I can see, MySpace’s only response so far has been a big message basically saying “if someone is posting messages on your account, it’s because they have your password, stupid!” and a message that I noticed yesterday telling people to make sure that they have the most recent quicktime update.

  2. #2 Mustafa Mond, FCD
    December 6, 2006

    Speaking of nasty viruses:
    Analysis contradicts AIDS accusations

    By MALCOLM RITTER, AP Science Writer
    .
    NEW YORK – Scientists say they have found new evidence that a Palestinian doctor and five Bulgarian nurses at a Libyan hospital did not deliberately infect hundreds of children with the AIDS virus.

    that’s the “Tripoli Six” case they’re talking about.

  3. #3 Shelley Batts
    December 6, 2006

    Thanks Mustafa, I think that deserves a post of its own.

  4. #4 AgnosticOracle
    December 6, 2006

    I don’t use MySpace, I haven’t graduated from LiveJournal yet. However I when it comes to reloging in requests I do have a good rule of thumb to suggest.

    Whenever you are requested to log in to access a special feature, instead of loging in where the login is requested, return to the main page of the site and login from there (following the login link off that page). Once you are relogged in go back to the page you wanted to get too.

    There a probably a couple places this won’t work such as places where you need to enter an old password to change your password. However, it will help you avoid most fake login screens.