Some time ago, I became engaged in a rather interesting discussion with… let's just call them a neophyte where JavaScript is concerned. In any event, my contention at the time was that JavaScript can be used to deliver malicious code because of its tight coupling with the DOM.
Those of us who hail from the Usenet group alt.hackers.malicious know full well just what can be done with a few judiciously placed JavaScript routines. So the individual was already on the losing end of the debate before it even began. That was about two years ago. Today Brian Krebs, who writes the Security Fix blog for the Washington Post, penned an article regarding a MySpace worm. And it was delivered in an apple, no less. That is, via Apple's program QuickTime, which Mr. Krebs notes “allows video files to load web content.”[1]
Er… wha…?
While I have long griped about people jumping on the JavaScript bandwagon without really knowing what they were doing, this latest bit admittedly defies logic. And while this particular situation can be blamed on an overzealous, albeit shortsighted, programmer, MySpace has been combating malicious code insertion for quite some time. Their “combating,” if one can legitimately characterize it as such, leaves something to be desired: they use rather crude pattern-matching routines to clean up the content people use to “pimp out” their profile pages. This recent fiasco no doubt had coders scrambling. Again. This time they are truncating “OBJECT” tags, in hopes of rendering the embedded content inoperable. That is, for MSIE users. And while MySpace may be able to douse this particular fire (or would that be, squish this particular worm?) this time around, as long as they allow users to write their own content, they will continue to have problems. Why? Let's take a look at their poorly thought-out model.
Basically, one need only go into the Interests & Personality section and enter CSS and/or HTML in any of the sections provided. MySpace's programs then attempt to scrub the CSS and HTML source, in hopes of removing malicious code. In the meantime, hackers continue to devise ways to get around said scrubbing. So what you end up with is MySpace coders playing catch-up to hackers. The latter will always be a step ahead in this scenario, simply because the coders are doing nothing more than addressing the resulting symptoms while ignoring the rather glaring hole. And this isn't about attempting to outfox cunning hackers, either. After all, open-ended pattern matching can be quite challenging. In this case, browsers help that bit along by silently discarding the filler (stray whitespace and similar noise), thereby reconstructing the munged content that manages to slip past the pattern-matching algorithms. Thus, by the time Joe User sees the page, the embedded JavaScript commands, if they made it through the scrubbing process, are set to do whatever damage they are designed to do. Put another way, MySpace's model for allowing consumer branding was doomed from the beginning.
Since branding is, to some degree, the draw, at some point MySpace will be forced to consider another approach. That, or their whole site will come tumbling down in one cacophonous roar. One possibility is to “make up” their own language, which would then be parsed by a server-side pseudo-compiler. The result would be renderable, yet clean and virus-free, content. The social networking site LiveJournal does just that. And while LiveJournal's implementation comes with its own set of limitations, not the least of which involves learning a new language, so to speak, the risk to consumers is reduced by more than an order of magnitude. This bit is, of course, a moot point, as MySpace is not in any way, shape, or form even close to designing, much less implementing, such a beast.
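To make the contrast in the two paragraphs above concrete, here is an added example (my own, not MySpace's or LiveJournal's code): a constructed regex blacklist of the crude kind described, beside an allowlist sanitizer that parses the markup and re-emits only known tags and attributes, which is the same idea as a parsed "own language". The tag and attribute sets, the hostnames, and the sample profile markup are all assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist: anything not named here is dropped, whatever form it arrives in.
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "br", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "div": {"class"}, "span": {"class"}}
SAFE_SCHEMES = ("http://", "https://")
DROP_WITH_CONTENT = {"script", "style", "object", "embed"}  # element and its body both go
def blacklist_scrub(html):
    # Crude regex scrub (a constructed stand-in, not MySpace's own filter). Without
    # re.DOTALL '.' never crosses a newline, so a multi-line <object> slips through.
    return re.sub(r"<object[^>]*>.*?</object>", "", html, flags=re.I)
class AllowlistSanitizer(HTMLParser):
    # Parse the markup properly and re-emit only allowlisted tags and attributes.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip: nesting depth inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # on* handlers and other unlisted attributes never survive
            if name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue  # only http(s) URLs are allowed in links and images
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text stays text, never markup

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
# Constructed sample of user-supplied profile markup (not taken from any real page).
CONSTRUCTED_PROFILE = ('<div class="about"><b>Hi!</b> <a href="http://profile.example/me">me</a>\n'
    '<object data="http://evil.example/movie.mov"><param name="autoplay"\n value="true"></object>'
    '<a href="javascript:void(0)" onclick="x()">click</a> 1 &lt; 2</div>')
```

Run `blacklist_scrub(CONSTRUCTED_PROFILE)` and the OBJECT element is still there; `sanitize(CONSTRUCTED_PROFILE)` drops it, strips the non-http link target and the event handler, and keeps the ordinary markup.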
So… back to the problem at hand. What exactly happened, anyway? The worm basically replaces valid links with malicious links, which in turn redirect users to fake login pages. At that point, an unwary user hands over their username and password to a site that then uses their account to spam pornography to other MySpace users. This is loosely referred to as phishing, by the way. So, if you're a MySpace user, do read this article. Additionally, you'll want to look for the “peculiar blue bar” as described by Mr. Krebs. Also, pay attention to the URL in your browser's address bar. If you do not see the following:
http://something.myspace.com/something
…then you've probably stumbled upon the worm. Here's an example of what a “bad” URL could look like:
http://something.myspacer.com/something
If you look closely, you'll see the “r” tacked on to the URL. This, of course, is but one example of what a bad URL might look like. Or, the munged link may simply take you to an empty page, as MySpace appears to be in the process of trapping it on its way back to your browser (which is a good thing for you).
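The address-bar check described above, written out as an added example (mine, not from the post): the host must be the expected domain or a subdomain of it, judged on the parsed hostname rather than on a substring of the whole URL, so that a lookalike such as the "myspacer.com" above fails. The sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

def is_expected_host(url, domain="myspace.com"):
    """True only if the URL's host is `domain` itself or a subdomain of it.

    A substring test ("myspace" in url) would accept the lookalike
    something.myspacer.com, and a test on the whole URL string would accept a
    redirector that merely mentions myspace.com in its query string. Matching
    on the parsed hostname with a dotted-label boundary rules both out."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data: and similar schemes never qualify
    host = (parts.hostname or "").rstrip(".").lower()
    return host == domain or host.endswith("." + domain)
```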
And finally, if your profile is infected, you need to clear your cache, disable JavaScript, and then go to the correct login page. Once you are there, log in, get rid of the infected file (which will be nothing more than an embedded link to a QuickTime movie), change your password, and turn comment moderation on. Oh, and go to profile settings (under account settings) and check the option to disable HTML for all comment sections (i.e. profile comments, pic comments, and blog comments). In summary, this is not a worm that will infect your computer; rather, it will mess up your MySpace account and use it for spamming porn. So, even if you do not see the “blue bar” on your profile page, you may want to check your code to make sure all is well.