
SANS ISC InfoSec Handlers Diary Blog



A Few Thoughts on the Recent MySpace Worm

Published: 2006-07-26
Last Updated: 2006-07-26 02:02:19 UTC
by Lenny Zeltser (Version: 1)
As we mentioned in the July 17th handler's diary, a powerful worm hit MySpace about 1.5 weeks ago. There has been some confusion regarding this and other recent MySpace incidents. The purpose of this note is to clear up that confusion.

MySpace is a social networking site that is popular among those who are young in spirit and have an affinity for music. According to a recent announcement by Hitwise, MySpace has become the #1 most popular destination on the Web. Netcraft ranks MySpace as the 77th most popular destination, though.

An unusual aspect of this worm was that it resided purely on MySpace pages, rather than installing itself on personal computers of its victims. The essential component of the worm, which Symantec called ACTS.Spaceflash, was a Flash object that was embedded in the victims' profile pages on MySpace. The offending code resided in the redirect.swf file, and looked like this, according to the person who analyzed the worm's code:

getURL("http://editprofile.myspace.com/index.cfm?fuseaction=blog.view&friendID=93634373&blogID=144877075", "_self");


The viewer of the Flash object was redirected to a page that, through clever scripting, modified the victim's profile. As a result, whenever someone viewed the victim's profile, the viewer's profile would also get infected.

The same MySpace weakness has been exploited since at least February 2006 to harvest logon credentials of MySpace users. This redirecting technique was referenced on Digg.com, which pointed to a password-harvesting toolkit whose description is still in Google cache.

Essentially, the weakness that these attacks exploited was the ability of users to embed active content in the form of Flash objects in MySpace pages.

Note that this weakness is not related to the recent issue that Macromedia fixed in Flash Player, despite what many stories reported. Macromedia's patch corrected a memory corruption condition that could allow an attacker to execute arbitrary code on a vulnerable system, according to US-CERT. (If you haven't already, you should upgrade your Flash Player to version 9 to fix this vulnerability.)

Coincidentally, MySpace addressed the weakness that the worm exploited by requiring that MySpace users who wish to view Flash objects hosted on MySpace upgrade to Flash Player 9. The reason is that Flash Player 9 supports a new tag that allows MySpace to disable the URL-redirecting feature. The new tag, briefly described in Macromedia's documentation, looks like this:

allowNetworking="internal"

MySpace started automatically adding this tag to all Flash objects that it hosts. The unfortunate side effect is that many third-party Flash wrappers, such as YouTube, rely on the URL-redirecting functionality to bring viewers to their sites and sponsors. As pointed out by TechCrunch, this move "will likely do serious damage to the cottage industry of flash widgets in MySpace."
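A sketch of the kind of server-side rewrite described above, added here as an example; it is not MySpace's code and not part of the original diary. It forces allowNetworking="internal" on every embed and object element in user-supplied markup and overrides any value the user set. The class and function names are hypothetical, and the sample markup is constructed.

```python
from html import escape
from html.parser import HTMLParser

NAME, VALUE = "allowNetworking", "internal"  # the setting quoted in the diary
KEY = NAME.lower()  # HTMLParser lower-cases attribute names

class FlashEmbedRewriter(HTMLParser):
    """Re-serialise markup, pinning allowNetworking; comments are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep text references as written
        self.out = []

    def _emit(self, tag, attrs):
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_starttag(self, tag, attrs):
        if tag == "embed":
            # Discard any user-supplied value, then append the forced one.
            attrs = [(k, v) for k, v in attrs if k != KEY] + [(NAME, VALUE)]
        elif tag == "param" and (dict(attrs).get("name") or "").lower() == KEY:
            return  # user-supplied <param> is dropped; ours is injected below
        self._emit(tag, attrs)
        if tag == "object":
            self._emit("param", [("name", NAME), ("value", VALUE)])

    handle_startendtag = handle_starttag  # <embed ... /> gets the same treatment
    def handle_endtag(self, tag):
        if tag != "param":  # void element; avoids a stray close for dropped params
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def pin_allow_networking(markup):
    parser = FlashEmbedRewriter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    # Constructed sample: a profile snippet that tries to keep networking open.
    print(pin_allow_networking('<embed src="w.swf" allowNetworking="all">'))
```

Parsing and re-serialising, rather than pattern-matching on the raw string, is what lets the rewrite catch mixed-case attribute names and a user-supplied `param` inside an `object`.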

This is not the first worm that hit the MySpace site. The Samy or JS.Spacehero worm took advantage of a cross-site scripting (XSS) flaw in MySpace to affect over a million users about 9 months ago. Also, note that these incidents are distinct from the MySpace ad-based attack that also affected about persons in the span of the last month. The ad attack took advantage of the seven-month-old WMF exploit that targeted website visitors through a banner ad; if you haven't applied the WMF patch yet, you really should. Finally, do not confuse these issues with the power outage that knocked MySpace off-line along with several other popular websites for a few days this weekend.

Well, I think that about sums it up for now.

-- Lenny

Lenny Zeltser
www.zeltser.com

