Saturday, September 2, 2006

Myspace and WMF Exploits

Myspace is the devil, we all know it. It kills productivity and wastes a crap load of time, but it is a good way of keeping in touch with old friends and perhaps making a few new ones along the way. Strange friend requests are all too common, but this morning I had one with a twist.

A profile that was linking to a WMF trojan.

[Image: Strange Friend Request]

[Image: Trojan hosted in the US and linked by a Myspace profile]

The profile ID and the IP address have been reported to the parties involved at the time of my writing.

This is just one example, and this isn't new. Myspace and the other social sites have become easy picking grounds for wrongdoers. Corporations, schools and individuals must not be taken in by the false sense of community these sites create.

I would bet 100 dollars that Mr Greenlee Lite is in my "Extended Network" on Myspace. Why and how?

Because Tom is automatically added as your friend upon sign-up, which in turn means everyone with Tom as a friend is automatically in your Extended Network. Even if you delete Tom, if one of your friends, or one of their friends, still has Tom as a friend, you are right back in the same network, so deleting him is useless.

So why does the "Extended Network" even exist? To create a false sense of safety and community. Period.

Moral of the Story - Be careful out there, dangers are around every corner...

5 comments:

  1. Are you sure this was in an invite? I was getting the same warnings Saturday (or Sunday?) while visiting a few MySpace pages. None involved invitations.

    I assumed it was some rogue 3rd party advertiser abuse much as we saw earlier this summer. I didn't really think much more about it until I saw your blog mentioned on Sunbelt's.

  2. This comment has been removed by a blog administrator.

  3. Hey OldOnliner

    The invite was just being used as bait to open the profile. The WMF exploit file was being linked on the profile itself.

    Later in the day, I discovered another WMF exploit being used. I didn't grab a copy of that one. It was being hosted from a different IP address, however it had the same "adrun" directory structure.

    My first gut feeling pointed to some bad guy wanting to make some money on ad/spyware installs or some rogue ad company doing something underhanded. But again, I did not dig into the collected sample file. It was submitted to NOD32 and submitted to Sunbelt.

    Either way it isn't right and should be pointed out.

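A defender-side check for the pattern this comment describes (a WMF file referenced from profile markup, sitting under an "adrun" directory), added here as an example; it is not code from the original post or its comments. The profile HTML, the host addresses and the directory name are constructed sample input, and the header bytes are the standard placeable and non-placeable WMF signatures, so the content check catches a WMF served under any file extension.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# WMF container signatures (documented format constants, not taken from the post):
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"   # Aldus placeable header key 0x9AC6CDD7, little-endian
STANDARD_WMF_PREFIXES = (                   # type (1=memory, 2=disk), header size 9, version 0x0300
    b"\x01\x00\x09\x00\x00\x03",
    b"\x02\x00\x09\x00\x00\x03",
)

# Pulls URLs out of src/href/background attributes in profile markup.
URL_ATTR_RE = re.compile(r'(?:src|href|background)\s*=\s*["\']?([^"\'\s>]+)', re.I)

def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes start with a WMF header, whatever the file was named."""
    return data.startswith(PLACEABLE_WMF_MAGIC) or data.startswith(STANDARD_WMF_PREFIXES)

def extract_urls(html: str) -> List[str]:
    return URL_ATTR_RE.findall(html)

def suspicious_urls(html: str, suspect_dirs=("adrun",)) -> List[Tuple[str, str]]:
    """Flag referenced URLs that end in .wmf or pass through a suspect directory."""
    hits = []
    for url in extract_urls(html):
        path = urlparse(url).path.lower()
        if path.endswith(".wmf"):
            hits.append((url, "wmf-extension"))
        elif any(seg in suspect_dirs for seg in path.split("/")):
            hits.append((url, "suspect-directory"))
    return hits

# Constructed profile markup; 198.51.100.0/24 is a documentation address range.
SAMPLE_PROFILE_HTML = """
<div class="profile">
  <img src="http://example.invalid/images/photo.jpg">
  <a href="http://198.51.100.7/adrun/install.php">click</a>
  <img src="http://198.51.100.7/adrun/img/banner.wmf">
</div>
"""

if __name__ == "__main__":
    for url, reason in suspicious_urls(SAMPLE_PROFILE_HTML):
        print(f"{reason:18} {url}")
    # A fetched body can be checked the same way before any image library touches it:
    print(looks_like_wmf(PLACEABLE_WMF_MAGIC + b"\x00" * 18))
```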
  4. All the pages I looked at were close friends - people I work with - and nothing else.

    I'm thinking a 3rd party (or further down the food chain) rogue advertiser.

    I used to investigate this stuff more often, but I've got better things to do with my time these days.

    Still... with MySpace's wide-open attitude towards active content and their penchant for sleazy advertisers... this crap is expected.

  5. Agreed, but as security professionals we must point it out and make a fuss or Myspace will NEVER do anything about it.

    Myspace doesn't even post a valid security e-mail contact on their site, so I just sent it in as a picture issue or something stupid.
