For the love of strippers and one dollar bills, you would think that the QuickTime mess over at MySpace would be over by now. Well, it’s not. Here we are with a new QuickTime worm over 30 days after MySpace and Apple completely botched up their security patch effort which resulted in a goofy blame game and MySpace Tom getting Pwned. About the only thing it didn’t result in was a patch that actually worked. The kicker about this “new” worm is that it’s anything but new. It’s using the exact same JavaScript from the last worm.
How do you know it’s the same JavaScript???
Because it still has comments in the code made by Billy Hoffman of SPI Dynamics from when he posted it.
Meaning exactly what?
The lamer behind this worm swiped the code from a site whose purpose in posting it was to “learn more about these types of worms and help other online applications and communities protect themselves”. In all fairness to Billy Hoffman and crew: they didn’t even post the code until after MySpace had supposedly patched the issue.
To add even more unoriginality to this worm, it added some text to everyone’s Hero section who got infected:

Sorry Nathan, but you ain’t no Samy. Adding a couple snippets of code and removing a few from someone else’s scripting doesn’t make you a super hacker genius. It does make MySpace look like total retards though. lolz
As of right now, this worm has been neutralized by MySpace. They added the current URL the files are sitting on to their filter list (crosssiterequest.somee.com). Of course, they had just finished getting all those files pulled from a free 110mb.com hosting account. So, this kid will likely just keep jumping from free host to free host with this crap.
“MySpace Still Plagued By QuickTime Worms”
Yeah, I put that “s” in the title of this post on purpose. This isn’t the first “new” worm I’ve noticed on MySpace. They had one going around that added “Anthony G is my Hero” with the “G” linked to a MySpace profile. And, another one that was/is changing people’s display names. And, and, and… I haven’t been on MySpace much lately, but I’m sure there have been others.
A few weeks back I posted this blog entry predicting that QuickTime embeds would be used for upcoming MySpace worms and other evilness. Sure enough, ten days later I broke the story of the latest worm to hit MySpace. After my buddy PaperGhost wrote about it on his personal and company blogs it exploded all over the interwebz.
The cleanup process has been laughable at best so far. Brian Krebs over at the Washington Post slammed Apple and MySpace for the “yes, we is be retarded” move of having MySpace distribute a patch for QuickTime. And, MySpace has been playing the blame game by insinuating that Apple is at fault for the worm.
Read more…
Yesterday, a metric ton of MySpace accounts were infected with yet another worm. As I predicted ten days ago, it was accomplished via a QuickTime embed. Visiting the profile of anyone infected would cause the navigation links across the top of your profile (Home | Browse | Search | Invite | etc…) to be replaced by fake navigation links which all linked to a spoof MySpace login page via some basic CSS and HTML added to your “About Me” section. And, the QuickTime embed was added to one of your “Interests” sections to further propagate this worm / phishing attack. At a glance, this looked like nothing more than that: a worm being used to phish MySpace passwords.
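The injection described above is easy to spot from the profile content itself rather than from a filter list of hosting URLs (which the worm author simply hops away from). The following is an added example, not code from the original post or from MySpace: it scans a profile's user-supplied HTML for QuickTime embeds and for "Home / Browse / Search / Invite" links that leave the site. The trusted-host allow-list and the sample profile are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Labels of the real nav bar that the worm's fake links imitated (from the post).
NAV_LABELS = {"home", "browse", "search", "invite"}
# Hosts a genuine nav link may point at; an assumed allow-list for this example.
TRUSTED_HOSTS = {"myspace.com", "www.myspace.com", "profile.myspace.com"}

class ProfileScanner(HTMLParser):
    """Collects indicators of the nav-spoofing / QuickTime-embed injection."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (indicator, detail) tuples
        self._href = None    # href of the <a> currently being read, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag in ("embed", "object"):
            src = a.get("src") or a.get("data") or ""
            if a.get("type", "").lower() == "video/quicktime" or src.lower().endswith(".mov"):
                self.findings.append(("quicktime_embed", src))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = "".join(self._text).strip().lower()
            host = (urlparse(self._href).hostname or "").lower()
            # A "Home"/"Browse"/... link that leaves the site is the phishing redirect.
            if label in NAV_LABELS and host and host not in TRUSTED_HOSTS:
                self.findings.append(("spoofed_nav_link", self._href))
            self._href = None

def scan_profile(html):
    """Return (indicator, detail) findings for one profile's user-supplied HTML."""
    p = ProfileScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample modelled on the post's description; not captured from MySpace.
SAMPLE_PROFILE = """<a href="http://myspace-login.example.net/">Home</a> |
<a href="http://myspace-login.example.net/">Browse</a> |
<embed type="video/quicktime" src="http://free-host.example.net/worm.mov" autoplay="true">
<a href="http://profile.myspace.com/index.cfm">My band</a>"""
```

Relative links and same-site links with non-nav labels are left alone, so a normal profile yields no findings.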
Read more…
After getting hit with the Flying Spaghetti Monster Worm (NSFW-ish link), the 9/11 Worm, and an adware outbreak in which approximately a gazillion billion members downloaded some garbage after being auto-redirected to fake MySpace IM & porn sites, MySpace implemented its Flash 9 security update in July. Sure, this was a major blow to the legit companies who feed the MySpace beast with widgets, but at least it slowed down the MySpace-to-SpamSpace morph. Since that time, MySpace has been hit by a number of small worms that employed JavaScript workarounds, but those only required small patches to send them the way of the dinosaurs.
Now, spammers have found a new best friend: QuickTime embeds that auto-redirect to the URL of their choosing. This morning I logged into my MySpace and saw the following bulletin:
Title:
OMG!! UNLIMITED ringtones for ur phone!!!d0244
Body:
This site is a fukin ringtone GOLDMINE!!! I have no idea how they get away with this!!! Click on the link below to check it out!
http://profile.myspace.com/(url-truncated)&friendid=2a690aa49d
—
The bulletin was not posted by the owner of the account which it was sent from. The spammer posted it from his account after phishing him.
Read more…
A few weeks back I read this blog entry “Analyzing 20,000 MySpace Passwords” after seeing it on the homepage of Digg. The information presented is neat in that “I’m a nerd so I find this interesting” kinda way, but it didn’t reveal all that much. After being sent the url of a spoof MySpace log-in page, I checked the root and sure enough over 26,000 e-mail addresses and MySpace passwords were sitting there in a text file.
I sent the file over to my buddy Rabbit who, aside from being a Sidekick 3 guru, can toss together PHP scripts with ease. I asked him to run similar reports on the info as the other guy had done with his list of 20,000 passwords. After getting that knocked out, he wrote a little data scraping script to get demographic information on the phished accounts via the MySpace search-for-user-by-e-mail-address function. Whenever you search for someone via e-mail you get some basic info along with a link to their MySpace profile: gender, age, sexual orientation, etc. Search Example
Read more…