HP Technology at Work Index 
On Friday, Dec. 1, 2006, the social networking site MySpace was infected with a self-propagating JavaScript/Ajax worm. This worm infects the user’s profile, serves pornographic material and launches a phishing attack to steal user names and passwords. This worm is significant because it highlights three security concerns:

  • Criminals are increasingly using Web application worms for financial gain.

  • Attackers are using malicious or malformed files rather than normal user input.

  • Criminals are quickly adopting new techniques that are currently being discussed on Web security sites.

The attack vector

MySpace allows users to embed movies and other multimedia into their user profiles. Apple’s Quicktime movies have a feature known as HREF tracks that allows users to embed a URL into an interactive movie. The attacker inserted malicious JavaScript into this Quicktime feature so that when the movie is played, the malicious code is executed.

When a user views a page with the malicious movie, the JavaScript inside it downloads and runs the full worm. Next, the worm uses Ajax to make requests that infect that user’s profile with the malicious movie without the user’s knowledge. The worm also injects HTML that hijacks the top menu of MySpace, replacing it with an identical-looking menu. When users click on a link in this fake menu, they are sent to a phishing site that presents them with a phony log-in screen. This is used to steal the user names and passwords of MySpace users.

Finally, the worm attempts to send instant messages containing a pornographic image and link to a pornographic Web site. These messages are sent to four randomly selected MySpace users. This appears to be a ploy by the authors to earn revenue from both advertising impressions and by trying to install the adware package Zango.

A second version of the worm has appeared that is functionally identical to the first version. However, this new version stores the full worm code, the infected Quicktime movie, and the fake log-in page used for phishing on different Web servers around the world. Each time the worm runs, it randomly selects one of these servers to retrieve all the content from. This allows the second version of the worm to keep propagating until all of the servers are shut down or MySpace fixes the issue.

Analysis

SPI Labs has acquired and analysed the source code for the worm. It is more sophisticated than previous worms that attacked MySpace, such as the Samy worm or the SpaceFlash worm, or the worm that attacked Yahoo, the Yamanner worm. The MySpace Quicktime worm makes use of advanced features such as object subclassing, regular expressions and hosting on multiple servers, none of which has been seen in such worms before.

More troubling, both the technique of attacking a Web site through a malicious Quicktime movie and the vulnerability that allows MySpace’s menu to be replaced have been discussed on various security mailing lists and Web sites over the last three months. It appears that criminals are now actively monitoring Web security resources for new attack vectors and Web site vulnerabilities. As a result, the MySpace Quicktime worm has become the first widespread Web application worm to use newly published attack techniques so soon after their discovery and disclosure.

Solution

This worm is able to execute because MySpace does not validate Quicktime movies to ensure that their HREF tracks contain no JavaScript code. While MySpace does not allow users to upload Quicktime movies directly to its servers, it does not verify that the multimedia files it links to on external sites are free of malicious code.

The correct way to sanitise input is a whitelisting approach. Whitelisting refers to the practice of only allowing content known to be safe, as opposed to blacklisting, which disallows content known to be dangerous. For example, a blacklist might disallow an HREF track URL that starts with “javascript”, but would still allow “JaVaScRiPt” or “vbscript”. Instead of maintaining a list of disallowed input, the best solution is to verify that every HREF track inside a Quicktime movie contains only URLs that start with “http” or “https”. Everything else would be blocked, including the technique of putting executable code inside a movie.
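The blacklist-versus-whitelist contrast above, as an added example that is not code from the article or from MySpace: a validator for HREF-track URLs run over constructed sample inputs. It goes slightly beyond the article’s “starts with http” wording by comparing the parsed scheme exactly and requiring a host, which is how a practitioner would apply the rule; the sample URLs and the assumption that a legitimate movie link never contains whitespace or control characters are mine.

```python
from urllib.parse import urlsplit

# Schemes an embedded HREF-track URL is allowed to use (the whitelist).
ALLOWED_SCHEMES = {"http", "https"}


def blacklist_check(url: str) -> bool:
    """The flawed blacklist the article describes: only URLs that literally
    start with "javascript" are refused, so case variants and other
    script schemes are accepted."""
    return not url.startswith("javascript")


def whitelist_check(url: str) -> bool:
    """Whitelist: accept only a well-formed http(s) URL with a host.

    The scheme is compared exactly after parsing, so "httpx:" or
    "http:alert(1)" (no host) do not pass. Whitespace and control
    characters are refused because some URL parsers strip them before
    interpreting the scheme (assumption: a movie link never needs them)."""
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    parts = urlsplit(url)          # urlsplit lower-cases the scheme
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def compare(urls):
    """Return [(url, blacklist_result, whitelist_result)] for a batch of
    candidate HREF-track URLs, e.g. ones extracted from a linked movie."""
    return [(u, blacklist_check(u), whitelist_check(u)) for u in urls]


# Constructed sample inputs (not taken from the worm): a legitimate movie
# link, the case-mangled and vbscript variants the article mentions, and a
# few other shapes a scheme whitelist must reject.
SAMPLE_URLS = [
    "http://example.com/clip.mov",
    "https://example.com/clip.mov",
    "javascript:alert(1)",
    "JaVaScRiPt:alert(1)",
    "vbscript:MsgBox(1)",
    "data:text/html,payload",
    " javascript:alert(1)",
    "http:alert(1)",
    "//example.com/clip.mov",
]

if __name__ == "__main__":
    for url, bl, wl in compare(SAMPLE_URLS):
        print(f"{url!r:32} blacklist={'pass' if bl else 'BLOCK'} "
              f"whitelist={'pass' if wl else 'BLOCK'}")
```

Only the two http(s) links survive the whitelist, while the blacklist lets every variant except the literal lowercase “javascript” one through.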

Additional information about this attack can be found here:

» Infecting Quicktime movies with malicious JavaScript
» Myspace.com Trojaned Navigation Menu

Learn more

» BTO software
» Application Security
» Application Security Center

© 2008 Hewlett-Packard Development Company, L.P.