web application security lab

Writeup On QuickTime MySpace Worm

In case you hadn’t heard, MySpace has been hit by a number of worms recently. The most recent two have used the QuickTime vulnerability that pdp found, which allows users to backdoor the movie file with XSS. Billy Hoffman from SPI Dynamics has a good writeup on the worm and how it functions, as first described by Websense here. Billy also included the source code to the worm along with it.

His writeup is pretty accurate. I’d only make one more comment. One of the major issues with these types of worms is that they cannot move with the victim. That’s not entirely true with things like the data: directive, but for the most part, moving the file from page to page is not possible, which requires the attacker to store it on a remote server. Finding and killing those servers is significantly easier than stopping something that has no centralized command and control structure (which also makes it way harder to stop if you are a bad-guy).

Understanding command and control structure is pretty critical to understanding how these worms propagate. Good writeup and I’m glad people are paying attention to this, as it’s nasty. Too bad MySpace has so many issues, but it looks like at least QuickTime has taken notice of these issues.
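
To illustrate the point about remote hosting from the defender's side, here is an added example (not code from this post or from Billy Hoffman's writeup): it scans profile HTML for QuickTime movies embedded from off-site hosts and ranks those hosts by how many profiles reference them, which surfaces the servers worth blocking or reporting. The site host name, the sample pages and all function names are assumptions constructed for the example.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "profiles.example"   # assumed host name of the site being defended
MEDIA_EXT = (".mov", ".qt")      # QuickTime container extensions

class EmbedCollector(HTMLParser):
    """Collect hosts of off-site QuickTime files referenced by a page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "embed":
            url = a.get("src")
        elif tag == "object":
            url = a.get("data")
        elif tag == "param" and (a.get("name") or "").lower() in ("src", "movie"):
            url = a.get("value")
        else:
            return
        parsed = urlparse(url or "")
        host = (parsed.hostname or "").lower()
        # Only movies served from somewhere other than the site itself matter here.
        if host and host != SITE_HOST and parsed.path.lower().endswith(MEDIA_EXT):
            self.hosts.add(host)

def offsite_movie_hosts(html):
    collector = EmbedCollector()
    collector.feed(html)
    return collector.hosts

def rank_hosts(pages):
    """Return (host, profile_count) pairs, most widely referenced host first."""
    counts = Counter()
    for html in pages.values():
        counts.update(offsite_movie_hosts(html))  # each host counted once per profile
    return counts.most_common()

# Constructed sample profiles (not real data).
SAMPLE_PAGES = {
    "alice": '<embed src="http://media-host.invalid/a/clip.mov" width="1" height="1">',
    "bob": '<object><param name="src" value="http://media-host.invalid/b/x.MOV"></object>',
    "carol": '<embed src="http://profiles.example/uploads/holiday.mov">',
    "dave": '<embed src="http://other-cdn.invalid/v.mov"><img src="http://media-host.invalid/i.png">',
}

if __name__ == "__main__":
    for host, n in rank_hosts(SAMPLE_PAGES):
        print(f"{n:3d} profile(s) embed movies from {host}")
```
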

2 Responses to “Writeup On QuickTime MySpace Worm”

  1. maluc Says:

    let me be the first to say, I Called It~ ^^

    http://ha.ckers.org/blog/20060906/253/#comment-2207

  2. RSnake Says:

    You definitely did. Feel the props!