MySpace QuickTime Worm Follow-up

Thu, 07 Dec 2006 03:05:27 GMT

MySpace was hit by a worm in a semi-automatic manner. This time the worm propagated via a QuickTime flaw found a couple of months ago. This shouldn't be a surprise to anyone. It is quite serious that this attack vector was picked up by Apple so late.

In this post I am not going to explain how this particular MySpace hack works but rather to send a reminder to the security community that another QuickTime XSS vector was found right after the first one. This vector can be used in a similar way although, IMHO, the impact is greater. I guess Apple should fix both issues NOW: we don't want MySpace worms spreading around again, although this is very utopic to say.

Here is a brief reminder of what the XSS issue was all about.

The problems is caused by a quite useful feature called QuickTime Media Link (.qtl). The whole point of these QuickTime Media Link files is to provide means of playing media files in a more accessible way. In this respect the developer can create a .qtl file which holds information about the media content that needs to be played plus recommended dimensions, accessibility features, control features etc...

.qtl files can contain malicious JavaScript code that can takeover some important network device when executed for example. That's not the end of the story though. Because of its flexibility QuickTime doesn't mind if Media Link (.qtl) files end with .mp3, .mp4, .m4a or even .mov extension...

This is a quite big problem especially in default configurations of iTunes. The iTunes installation wizard installs the QuickTime player and QuickTime browser plugins and associates various media files with its components. If you open an mp3 file from the desktop it will be played in iTunes player by default, however if you open it from some website it will be played in the QuickTime player browser plugin. In this respect, users who are previewing mp3 and other media files from the Internet are vulnerable.

GNUCITIZEN » Backdooring MP3 Files

To sum up, and put into context, attackers can use QuickTime Media Links to imitate popular media files and as such trick the user into opening malicious content that could lead to their (MySpace) account or their browser being compromised. Lets look at the following hypothetical situation:

Evil Hacker decides to overtake MySpace in order to DoS He/she finds that MySpace allows users to supply links in their posts and comments. He spends some time to research the 1000 most popular MySpace members where he will post links to media files titled or myconfession.mp3 or even prankster.avi. Once an unaware user clicks on the link, a phishing page is presented asking the current user to enter their MySpace details to see the private content. If the user is tricked, their credentials will be on their way to the specifically designed for that operation collection point where another automatic process overtakes their user account installing the same malicious file or simply hijack other media files by wrapping them up in QuickTime Media Links the same way it is described in the article mentioned above. The process repeats when another users falls into the trap. When enough number of accounts are compromised Evil Hacker will launch his/her DDoS against Google's AdSense server farm.

This is it!

Nick DImopoulosNick DImopoulos
I joined Myspace just over a week ago now and I got a message saying that it was found that my system had QUICKTIME PLAYER and that I neede an update in order to watch movies. I stupidly installed it thinking this message was coming from the techs at myspace. A day or so later mt windows XP shut down - blue screen saying it closed down and some figures etc. It did so a few times and then I concentrated where I was on the web when it stopped. Well it is everytime I go to Myspace site. Not necessarily into my account but even if I'm just browsing at Myspace window XP stopps with an error message. Exasperating stuff. Is there any I can do to overcome or rid me of this problem? Thanks Nick D Where can I read a response to this? Can someone email me please.
Nick DImopoulosNick DImopoulos
I know where to read a response - pardon my ignorance
i didnt click on any quicktime thingy. but i get an error page whenever i try to log on to myspace. i can browse but i cant click on anyones pics/ comments ect .....i get a server error/systems error page everytime. I have to go to internet cafs to log on now. I tried using a different server but still the same thing.I'm on a mac, so its very doubtful its a virus...if anyone has any clues, they would be much appreciated!
i get plagued by phished people everyday. even ads that are less then legal. quiet a majority of the phished people i encounter actually still have access to there account, and are unaware that some phisher is sending ads around to there friends, i would certainly hate to find out that im in trouble because a phisher was making my accouunt send ilegal ads out to everyone. all phishing sites where they ask for your login to steal dont actually say but they usually look extremely similar. such as system errors caused by a website are virtually impossible without C++. and C++ cant just be used normally like html or java in the first place. You may want to consider the possibility of a virus or major program corruption, such as quicktime is corrupted. i would just like to point out that a mac is much more insecure then a windows machine. ive worked with macs before and they are pathetic security wise. windows recieves probrably 80/100 bad hacker being the leading computer in the market, i think mac would crash and burn in windows place right now. in other words its in your best interest to have good virus protection on a mac too.