Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] >>: [WEB SECURITY] Analysis, Source-code of the MySpace Quicktime worm



From: Billy Hoffman [mailto:Billy.Hoffman@xxxxxxxxxxxxxxx]
Sent: 07.12.2006 18:56
To: Web Security
Subject: [WEB SECURITY] Analysis, Source-code of the MySpace Quicktime worm



I wrote up a little analysis of the MySpace Quicktime worm, and also have a 
copy of the source code which I cleaned up and heavily commented.



Source Code: 


To really appreciate this worm, compare it to the source of Samy 
(http://namb.la/popular/tech.html) or Yamanner 
(http://archives.neohapsis.com/archives/incidents/2006-06/0028.html). This worm 
subclasses native JavaScript objects, has good use of functions, no wasted or 
unnecessary globals, pulls source from multiple servers, etc. On top of that the 
MySpace vuln to include the menu with Phishing is only two weeks old, while the 
backdoored Quicktime movie vector is a few months old. Just like attackers wait 
for MS patch Tuesday to write malware, it seems people are actively reading web 
security resources and using them to generate worms. It is also interesting 
that more and more worms, from Space Flash to Yamanner, to this, are being used 
to try and generate revenue instead of simply deface.


Billy Hoffman


Lead Researcher, SPI Labs

SPI Dynamics Inc. - http://www.spidynamics.com

Phone:  678-781-4800

Direct:   678-781-4845


