[WEB SECURITY] Analysis, Source-code of the MySpace Quicktime worm

Billy Hoffman Billy.Hoffman at spidynamics.com
Thu Dec 7 10:56:07 EST 2006


Folks,

I wrote up a little analysis of the MySpace Quicktime worm, and also
have a copy of the source code which I cleaned up and heavily commented.

Brief:
http://www.spidynamics.com/spilabs/education/articles/MySpace-QuickTime%20Worm.html

Source Code:
http://www.spidynamics.com/spilabs/education/articles/MySpace-Quicktime-Worm.zip

To really appreciate this worm, compare it to the source of Samy
(http://namb.la/popular/tech.html) or Yamanner
(http://archives.neohapsis.com/archives/incidents/2006-06/0028.html).
This worm subclasses native JavaScript objects, has good use of
functions, no wasted or unnecessary globals, pulls source from multiple
servers, etc. On top of that, the MySpace vuln to include the menu with
phishing is only two weeks old, while the backdoored Quicktime movie
vector is a few months old. Just like attackers wait for MS Patch
Tuesday to write malware, it seems people are actively reading web
security resources and using them to generate worms. It is also
interesting that more and more worms, from Space Flash to Yamanner to
this, are being used to try to generate revenue instead of simply
defacing.

Billy Hoffman

--

Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
