A new worm has been found on MySpace (a social networking website) that takes advantage of the HREF Track feature of Apple QuickTime movies and an XSS vulnerability in MySpace to propagate and carry out its malicious actions. The malware author also intends to steal other MySpace users' logins through a phishing site whose URL is advertised by the worm's accomplice script.
The menace starts when a MySpace user views a maliciously embedded QuickTime movie file (.mov). Yes, a movie file… but we are not talking about a vulnerability in QuickTime, but rather about a feature built into QuickTime movie files called an HREF track.
An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.
…
The URLs in an HREF track can be interactive or automatic. An interactive URL loads when you click anywhere in the movie’s display area. An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.
This movie file loads a malicious JavaScript file, which modifies the user's profile page by replacing the navigational links with fake ones (pointing to the MySpace phishing page on the same domain) through injected CSS and HTML. This is possible because of MySpace's XSS vulnerability. Then comes the 'wormy' part of the malicious JavaScript: it adds the malicious QuickTime movie file to the user's "Interests" section, propagating both a copy of the worm and the phishing attack. Any MySpace user who visits an infected user's profile will also have his navigational menus trojanized.
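The propagation vector is user-supplied profile HTML that embeds a QuickTime movie. The following is an added example (not code from the original post or from Trend Micro) of a content check a site operator could run over stored profile HTML to surface such embeds for review or stripping. It flags `<embed>`, `<object>` and `<param>` tags whose type is `video/quicktime` or whose source attributes point at a `.mov`/`.qt` file; the attribute names it inspects and the sample profile HTML are constructed for illustration.

```python
"""Scan user-supplied profile HTML for embedded QuickTime movies.

Added example, not part of the original post: a moderation check over stored
profile HTML that surfaces <embed>/<object>/<param> tags loading a QuickTime
movie. The sample HTML at the bottom is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

QT_MIME = "video/quicktime"
QT_EXTENSIONS = (".mov", ".qt")
# Attribute names through which these tags commonly name the media they load
# (assumed set; extend to match the markup your platform actually accepts).
SRC_ATTRS = ("src", "data", "qtsrc", "href", "value")


def _is_quicktime_ref(value):
    """True if an attribute value points at a QuickTime movie by file extension."""
    path = urlparse(value).path.lower()
    return path.endswith(QT_EXTENSIONS)


class QuickTimeEmbedFinder(HTMLParser):
    """Collects embed/object/param tags that reference QuickTime content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("embed", "object", "param"):
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if attrs.get("type", "").lower() == QT_MIME:
            reasons.append("type=" + QT_MIME)
        for name in SRC_ATTRS:
            if name in attrs and _is_quicktime_ref(attrs[name]):
                reasons.append(f"{name}={attrs[name]}")
        if reasons:
            # getpos() gives (line, column) of the tag in the scanned HTML.
            self.findings.append(
                {"tag": tag, "line": self.getpos()[0], "reasons": reasons}
            )


def find_quicktime_embeds(html):
    """Return a list of findings, one per tag that references a QuickTime movie."""
    parser = QuickTimeEmbedFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a benign image next to a hidden 1x1 .mov embed in an
# "Interests" section, the pattern described in the post.
SAMPLE_PROFILE_HTML = """
<div class="interests">
  <img src="http://img.example.invalid/me.jpg">
  <embed src="http://media.example.invalid/clip.mov" type="video/quicktime"
         autoplay="true" width="1" height="1">
</div>
"""

if __name__ == "__main__":
    for finding in find_quicktime_embeds(SAMPLE_PROFILE_HTML):
        print(finding)
```

A match is a signal for review rather than proof of malice, since legitimate users also embedded movies; the point is that any site letting users place arbitrary `<embed>` tags in stored content gives this kind of payload a place to live.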
Also notable about this worm is its capability to send a random message to users with IDs from 80000000 to 105000000. Every 6 seconds the worm picks one of the six subjects below and sends it to a random user.
- what else is there to do on a Sunday.?…….
- You better not forget about this..
- Hehe that was so funny..
- better see this one last time lol..
- omg did you see this last nite..
- whos coming to the party tonight.?..
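The messaging behaviour is very regular: fixed subjects, recipient IDs drawn from a fixed range, one send every 6 seconds. That regularity is what a defender can detect. Below is an added example (not code from the original post or from Trend Micro) that runs over a site's outbound message log and flags senders whose messages use the listed subjects, target the stated ID range, and arrive at roughly six-second intervals. The CSV log format, the thresholds and the sample log lines are constructed for illustration.

```python
"""Flag accounts whose outbound messages match the worm's spam pattern.

Added example, not part of the original post: a detection over a constructed
message-send log (timestamp,sender_id,recipient_id,subject). It keys on the
three traits described in the post: the six fixed subjects, recipient IDs in
80000000-105000000, and a send cadence of about one message per 6 seconds.
"""
import csv
import re
import statistics
from datetime import datetime
from io import StringIO

# Subjects quoted in the post, stored without their trailing punctuation;
# comparisons go through normalize_subject() so ".." / ".?.." variants match.
WORM_SUBJECTS = {
    "what else is there to do on a Sunday",
    "You better not forget about this",
    "Hehe that was so funny",
    "better see this one last time lol",
    "omg did you see this last nite",
    "whos coming to the party tonight",
}
RECIPIENT_RANGE = range(80_000_000, 105_000_001)
EXPECTED_INTERVAL_S = 6.0   # cadence described in the post
INTERVAL_TOLERANCE_S = 2.0  # assumed slack for network/processing jitter
MIN_MATCHES = 3             # assumed minimum before a sender is flagged


def normalize_subject(subject):
    """Lower-case and strip trailing dots, question marks and ellipses."""
    return re.sub(r"[\s.?!\u2026]+$", "", subject).strip().lower()


_WORM_SUBJECTS_NORM = {normalize_subject(s) for s in WORM_SUBJECTS}


def parse_log(text):
    """Parse the constructed CSV log into dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(rec["timestamp"]),
            "sender": int(rec["sender_id"]),
            "recipient": int(rec["recipient_id"]),
            "subject": rec["subject"],
        })
    return rows


def find_spam_bursts(rows):
    """Return {sender_id: {"matches": n, "median_gap_s": g}} for flagged senders."""
    by_sender = {}
    for r in rows:
        if (normalize_subject(r["subject"]) in _WORM_SUBJECTS_NORM
                and r["recipient"] in RECIPIENT_RANGE):
            by_sender.setdefault(r["sender"], []).append(r["ts"])
    flagged = {}
    for sender, times in by_sender.items():
        if len(times) < MIN_MATCHES:
            continue  # a human forwarding one or two messages is not a burst
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - EXPECTED_INTERVAL_S) <= INTERVAL_TOLERANCE_S:
            flagged[sender] = {"matches": len(times), "median_gap_s": median_gap}
    return flagged


# Constructed sample log: one infected account (424242) sending every 6 s to
# random IDs in range, one benign sender (777), one person (555) who reused a
# worm subject twice an hour apart, and one in-burst send to an out-of-range ID.
SAMPLE_LOG = """timestamp,sender_id,recipient_id,subject
2006-12-01T10:00:00,424242,80012345,omg did you see this last nite..
2006-12-01T10:00:06,424242,91234567,whos coming to the party tonight.?..
2006-12-01T10:00:12,424242,104999999,Hehe that was so funny..
2006-12-01T10:00:18,424242,83000001,better see this one last time lol..
2006-12-01T10:00:24,424242,99999999,You better not forget about this..
2006-12-01T10:00:03,777,80012345,hey are you coming tonight?
2006-12-01T09:00:00,555,80000000,Hehe that was so funny..
2006-12-01T11:00:00,555,90000000,Hehe that was so funny..
2006-12-01T10:00:30,424242,50000000,omg did you see this last nite..
"""

if __name__ == "__main__":
    for sender, info in find_spam_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"sender {sender}: {info['matches']} matching sends, "
              f"median gap {info['median_gap_s']} s")
```

Matching on subjects alone would catch people who copied a funny subject line; combining the subject list with the recipient-ID range and the cadence is what separates the worm's traffic from ordinary use, and the thresholds can be tuned against real send logs.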
The body of the message is supposed to be a file named ‘youtubedt7rf2.jpg’, but I unfortunately wasn’t able to get a copy because the source URL is no longer available.
Trend Micro has given the detection name JS_QSPACE.A to the malicious JavaScript.