Feeds

MySpace-hosted malware exploits QuickTime flaw

French band wants to know its fans better

Internet Security Threat Report 2014

A security researcher has documented malware that uses a vulnerability in Apple's QuickTime movie player to make a computer download and run a Javascript. A MySpace account promoting a French music group is exploiting the flaw to siphon information about users visiting the page and send it to a remote server.

(Note: The hole was patched in a recent QuickTime update. An early version of this story mistakenly identified the flaw as a zero day.)

The perpetrators pull off the feat by embedding into their page an invisible QuickTime video that uses one Javascript to download and execute a second Javascript. It's this second script that acts as the spyware, according to the researcher, Didier Stevens, who documents his findings here.

Stevens says McAfee VirusScan will flag the first script as malware and identify it as JS/SpaceTalk Trojan. Both the QuickTime movie file, titled tys4.mov, and the second script are downloaded from a server at profileawareness.com. That's also the site that collects the user data.

Apple and MySpace have both suffered their share of security lapses in the recent past. Last week Apple released an update that squashed a variety of bugs in QuickTime, including eight security vulnerabilities. MySpace has also faced a series of exploits which have often been the result of rogue Javascripts. In 2005, for instance, a user named Samy inserted a script into his profile page that allowed him to scoop up millions of friends. And in July, a banner ad posted on the social networking site infected more than a million users with spyware.

We contacted both companies for comment late on Thursday but did not hear back.

According to Stevens, McAfee was the only antivirus provider to detect the script at the time he posted his finding. McAfee provides a reference of the Trojan, but the description was blank at the time of writing. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.