Feeds

MySpace-hosted malware exploits QuickTime flaw

French band wants to know its fans better

The essential guide to IT transformation

A security researcher has documented malware that uses a vulnerability in Apple's QuickTime movie player to make a computer download and run a Javascript. A MySpace account promoting a French music group is exploiting the flaw to siphon information about users visiting the page and send it to a remote server.

(Note: The hole was patched in a recent QuickTime update. An early version of this story mistakenly identified the flaw as a zero day.)

The perpetrators pull off the feat by embedding into their page an invisible QuickTime video that uses one Javascript to download and execute a second Javascript. It's this second script that acts as the spyware, according to the researcher, Didier Stevens, who documents his findings here.

Stevens says McAfee VirusScan will flag the first script as malware and identify it as JS/SpaceTalk Trojan. Both the QuickTime movie file, titled tys4.mov, and the second script are downloaded from a server at profileawareness.com. That's also the site that collects the user data.

Apple and MySpace have both suffered their share of security lapses in the recent past. Last week Apple released an update that squashed a variety of bugs in QuickTime, including eight security vulnerabilities. MySpace has also faced a series of exploits which have often been the result of rogue Javascripts. In 2005, for instance, a user named Samy inserted a script into his profile page that allowed him to scoop up millions of friends. And in July, a banner ad posted on the social networking site infected more than a million users with spyware.

We contacted both companies for comment late on Thursday but did not hear back.

According to Stevens, McAfee was the only antivirus provider to detect the script at the time he posted his finding. McAfee provides a reference of the Trojan, but the description was blank at the time of writing. ®

5 things you didn’t know about cloud backup

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.